This lesson brings together the key best practices for running production workloads on Compute Engine. Following these guidelines will help you build secure, reliable, cost-efficient, and well-managed VM-based architectures on Google Cloud.
Every VM is associated with a service account. Never use the default Compute Engine service account in production — it has overly broad permissions. Create dedicated service accounts with only the IAM roles your application needs:
```bash
# Create a dedicated service account
gcloud iam service-accounts create app-sa \
    --display-name="Application Service Account"

# Grant only the required roles
gcloud projects add-iam-policy-binding my-project \
    --member=serviceAccount:app-sa@my-project.iam.gserviceaccount.com \
    --role=roles/storage.objectViewer

# Use it when creating a VM. With the cloud-platform scope, access is
# governed by the IAM roles granted to the service account rather than
# by legacy access scopes.
gcloud compute instances create app-server \
    --zone=europe-west2-a \
    --machine-type=e2-standard-2 \
    --service-account=app-sa@my-project.iam.gserviceaccount.com \
    --scopes=cloud-platform \
    --image-family=debian-12 \
    --image-project=debian-cloud
```
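The commands above create the dedicated account; the script below is an added audit example (not from the lesson) that checks the other direction: which existing VMs still run as the default Compute Engine service account. That account always has the form `<PROJECT_NUMBER>-compute@developer.gserviceaccount.com`, so the check is a pattern match on the email. The VM listing is constructed inline so the script runs offline; in a real project you would feed it the output of `gcloud compute instances list --format='csv[no-heading](name,zone.basename(),serviceAccounts[0].email)'`. The VM names and project number in the sample are made up.

```shell
#!/bin/sh
# Added example: find VMs that run as the default Compute Engine service
# account. Not part of the lesson; the sample listing below is constructed.

# is_default_compute_sa EMAIL
# Returns 0 when EMAIL is <digits>-compute@developer.gserviceaccount.com,
# i.e. the project's default Compute Engine service account.
is_default_compute_sa() {
    case "$1" in
        *-compute@developer.gserviceaccount.com) ;;
        *) return 1 ;;
    esac
    # The part before "-compute@..." must be the numeric project number.
    num="${1%-compute@developer.gserviceaccount.com}"
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# find_default_sa_vms
# Reads "name,zone,sa_email" lines on stdin and prints one line per VM
# whose service account is the default Compute Engine account.
find_default_sa_vms() {
    while IFS=, read -r name zone sa; do
        [ -z "$name" ] && continue
        if is_default_compute_sa "$sa"; then
            printf '%s (%s) runs as %s\n' "$name" "$zone" "$sa"
        fi
    done
}

# Constructed sample listing (hypothetical VMs and project number 123456789012).
# The third entry has no service account at all, which is not flagged here.
SAMPLE_LISTING='app-server,europe-west2-a,app-sa@my-project.iam.gserviceaccount.com
legacy-batch,europe-west2-b,123456789012-compute@developer.gserviceaccount.com
build-runner,us-central1-a,'

# count_default_sa_vms
# Number of VMs in SAMPLE_LISTING flagged by find_default_sa_vms.
count_default_sa_vms() {
    printf '%s\n' "$SAMPLE_LISTING" | find_default_sa_vms | wc -l | tr -d ' '
}

# Run against the sample when executed directly.
printf '%s\n' "$SAMPLE_LISTING" | find_default_sa_vms
```

Only `legacy-batch` is reported for the sample data. The digit check matters: an account named `something-compute@developer.gserviceaccount.com` that is not numeric is not the default account, and a VM with an empty service account field is a separate finding (no identity at all) rather than an over-privileged one.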
Do not assign external (public) IP addresses to VMs unless absolutely necessary. Instead: