Compute Engine Best Practices

This lesson brings together the key best practices for running production workloads on Compute Engine. Following these guidelines will help you build secure, reliable, cost-efficient, and well-managed VM-based architectures on Google Cloud.

Security Best Practices

Use Least-Privilege Service Accounts

Every VM is associated with a service account. Never use the default Compute Engine service account in production — it has overly broad permissions. Create dedicated service accounts with only the IAM roles your application needs:

# Create a dedicated service account
gcloud iam service-accounts create app-sa \
  --display-name="Application Service Account"

# Grant only the required roles
gcloud projects add-iam-policy-binding my-project \
  --member=serviceAccount:app-sa@my-project.iam.gserviceaccount.com \
  --role=roles/storage.objectViewer

# Use it when creating a VM
gcloud compute instances create app-server \
  --zone=europe-west2-a \
  --machine-type=e2-standard-2 \
  --service-account=app-sa@my-project.iam.gserviceaccount.com \
  --scopes=cloud-platform \
  --image-family=debian-12 \
  --image-project=debian-cloud

Avoid External IP Addresses

Do not assign external (public) IP addresses to VMs unless absolutely necessary. Instead:

Alternative	Use Case
IAP TCP tunnelling	SSH/RDP access without external IPs
Cloud NAT	Outbound internet access without external IPs
Internal Load Balancer	Expose services to other internal workloads
External Load Balancer	Expose services to the internet (LB has the public IP, not the VM)

# Create a VM without an external IP
gcloud compute instances create internal-vm \
  --zone=europe-west2-a \
  --machine-type=e2-standard-2 \
  --no-address \
  --image-family=debian-12 \
  --image-project=debian-cloud

# Connect via IAP tunnel
gcloud compute ssh internal-vm --zone=europe-west2-a --tunnel-through-iap

Enable OS Login

OS Login integrates SSH key management with IAM, eliminating the need to manage SSH keys in project or instance metadata:

# Enable OS Login on a project
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE

Use Shielded VMs

Shielded VMs provide verifiable integrity of your VM instances, protecting against boot-level and kernel-level malware:

gcloud compute instances create secure-vm \
  --zone=europe-west2-a \
  --machine-type=e2-standard-2 \
  --shielded-secure-boot \
  --shielded-vtpm \
  --shielded-integrity-monitoring \
  --image-family=debian-12 \
  --image-project=debian-cloud

Encrypt with Customer-Managed Keys

For sensitive workloads, use Cloud KMS to manage your own encryption keys (CMEK) for boot and data disks:

gcloud compute disks create encrypted-disk \
  --zone=europe-west2-a \
  --size=100GB \
  --kms-key=projects/my-project/locations/europe-west2/keyRings/my-ring/cryptoKeys/my-key

Reliability Best Practices

Use Regional MIGs

Distribute VMs across multiple zones using regional managed instance groups to survive zone-level failures:

gcloud compute instance-groups managed create prod-mig \
  --region=europe-west2 \
  --template=prod-template \
  --size=6 \
  --zones=europe-west2-a,europe-west2-b,europe-west2-c

Configure Health Checks and Autohealing

Always configure health checks so that unhealthy instances are automatically replaced:

gcloud compute health-checks create http app-health \
  --port=8080 \
  --request-path=/healthz \
  --check-interval=10s \
  --unhealthy-threshold=3

gcloud compute instance-groups managed update prod-mig \
  --region=europe-west2 \
  --health-check=app-health \
  --initial-delay=120

Separate Boot and Data Disks

Keep application data on separate Persistent Disks so you can:

Resize, snapshot, and back up data independently
Replace the OS disk without losing data
Use different disk types for OS (pd-balanced) and data (pd-ssd)

Back Up with Snapshots

Create scheduled snapshot policies for all important disks:

gcloud compute resource-policies create snapshot-schedule daily-backup \
  --region=europe-west2 \
  --max-retention-days=30 \
  --start-time=02:00 \
  --daily-schedule

gcloud compute disks add-resource-policies data-disk-1 \
  --zone=europe-west2-a \
  --resource-policies=daily-backup

Cost Optimisation Best Practices

Right-Size VMs

Review right-sizing recommendations regularly and resize over-provisioned VMs:

gcloud recommender recommendations list \
  --recommender=google.compute.instance.MachineTypeRecommender \
  --project=my-project \
  --location=europe-west2-a

Use Committed Use Discounts (CUDs)

For predictable baseline workloads, purchase 1-year or 3-year committed use discounts:

Commitment	Discount
1-year	Up to 37% off on-demand
3-year	Up to 55% off on-demand

Compute Engine Best Practices

Compute Engine Best Practices

Security Best Practices

Use Least-Privilege Service Accounts

Avoid External IP Addresses

Enable OS Login

Use Shielded VMs

Encrypt with Customer-Managed Keys

Reliability Best Practices

Use Regional MIGs

Configure Health Checks and Autohealing

Separate Boot and Data Disks

Back Up with Snapshots

Cost Optimisation Best Practices

Right-Size VMs

Use Committed Use Discounts (CUDs)

More in Cloud