1. Load Balancing
    1. Overview
      1. Distributes network traffic to backend instances
      2. Single frontend point of access
      3. Multiple backend targets to serve traffic
      4. Software defined, not physical
      5. Global or regional scope depending on type
      6. Backend traffic is subject to VPC firewall rules; backends must allow ingress from Google's health-check and proxy source ranges (130.211.0.0/22 and 35.191.0.0/16), otherwise health checks fail and the backends are taken out of rotation
    2. Types
      1. Global
        1. HTTP(S) Layer 7
        2. SSL Proxy
        3. TCP Proxy
      2. Regional
        1. Network Load Balancer
        2. Internal Load Balancer
        3. Internal HTTP(S) Load Balancer
      3. External
        1. HTTP(S) Layer 7
          1. Ports 80/443 (8080 also supported)
        2. SSL Proxy
          1. TCP with SSL offload (TLS terminated at the load balancer)
          2. Fixed set of supported ports
        3. TCP Proxy
          1. TCP with no SSL offload
          2. Fixed set of supported ports
        4. Network Load Balancer
          1. TCP/UDP with no SSL offload (pass-through)
          2. Any ports
      4. Internal
        1. Internal HTTP(S) Load Balancer
          1. Ports 80, 8080, 443
        2. Internal Load Balancer (TCP/UDP)
          1. Any ports
      5. Proxied
        1. Terminates the incoming client connection at the load balancer
        2. Opens a new connection from the proxy to the backend, so the backend's TCP peer is the proxy, not the client (the client IP is carried in X-Forwarded-For or a PROXY protocol header instead)
        3. All global load balancers (HTTP(S), SSL Proxy, TCP Proxy)
      6. Non-Proxied
        1. Traffic goes through the load balancer (pass-through) and is forwarded to the VM with its original packet headers
        2. All regional-only load balancers (Network, Internal)
        3. Does not support IPv6
        4. Preserves the client source IP, which backends see directly
    3. HTTP(S)
      1. Global, Layer 7
      2. Ports 80, 8080, 443
      3. IPv4 and IPv6 clients (IPv6 is terminated by the load balancer at the edge POP; backends are reached over IPv4)
      4. QUIC protocol support
      5. Native support for the WebSocket protocol
      6. Session affinity (client IP or generated cookie) sends requests from the same client to the same backend instance
      7. Forwarding Rules
        1. Forwards traffic arriving at the global IP to a target HTTP(S) proxy, which picks a backend by location and URL map
        2. Location: the closest regional backend (with available capacity) to the user's request
        3. URL map: host and path rules that select which backend service receives the request
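The URL-map step above is where path routing decisions (and therefore which backend an unauthenticated request can reach) are made. The following is an added example, not code from these notes or from Google: a small Python model of how a URL map resolves a request to a backend service. Host rules (exact host or a leading `*.` wildcard) choose a path matcher; within a path matcher, patterns ending in `/*` are prefix rules, everything else is exact, and the longest matching pattern wins regardless of rule order, falling back to a default service. The backend names (`admin-backend`, `cdn-backend`, ...) and the exact-host-before-wildcard tie-break are assumptions for illustration; consult the URL map documentation for the edge cases of Google's own matcher.

```python
"""Toy model of how an HTTP(S) load balancer URL map selects a backend service.

Added example, not Google's implementation. Backend and matcher names are
made up; the exact-host-before-wildcard tie-break is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class PathMatcher:
    default_service: str
    # pattern -> backend service; a trailing '/*' turns the pattern into a prefix rule
    path_rules: Dict[str, str] = field(default_factory=dict)


@dataclass
class UrlMap:
    default_service: str
    # host pattern ('api.example.com' or '*.example.com') -> path matcher name
    host_rules: Dict[str, str] = field(default_factory=dict)
    path_matchers: Dict[str, PathMatcher] = field(default_factory=dict)


def _host_matches(pattern: str, host: str) -> bool:
    """Exact match, '*' for everything, or '*.example.com' matching any subdomain."""
    host = host.lower().split(":")[0]          # Host headers may carry a port
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                   # '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def _path_matches(pattern: str, path: str) -> bool:
    """'/x/*' is a prefix rule (matches '/x/' and anything under it); otherwise exact match."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])   # keep the trailing '/', so '/admin/*' != '/adminstrative'
    return path == pattern


def select_backend(url_map: UrlMap, host: str, request_target: str) -> str:
    """Return the backend service that would receive this request."""
    path = urlsplit(request_target).path or "/"   # the query string never takes part in matching
    matcher_name: Optional[str] = None
    # Assumption: try exact host rules before wildcard ones (False sorts before True)
    for pattern, name in sorted(url_map.host_rules.items(), key=lambda kv: kv[0].startswith("*")):
        if _host_matches(pattern, host):
            matcher_name = name
            break
    if matcher_name is None:
        return url_map.default_service
    matcher = url_map.path_matchers[matcher_name]
    candidates = [p for p in matcher.path_rules if _path_matches(p, path)]
    if not candidates:
        return matcher.default_service
    # Longest matching pattern wins regardless of the order the rules were written in
    return matcher.path_rules[max(candidates, key=len)]


def demo_map() -> UrlMap:
    """Constructed sample map: API host with an admin subtree, web hosts with a static prefix."""
    return UrlMap(
        default_service="web-backend",
        host_rules={"api.example.com": "api", "*.example.com": "web"},
        path_matchers={
            "api": PathMatcher(default_service="api-backend",
                               path_rules={"/admin/*": "admin-backend",
                                           "/admin/health": "health-backend"}),
            "web": PathMatcher(default_service="web-backend",
                               path_rules={"/static/*": "cdn-backend"}),
        },
    )
```

The `/adminstrative` case in the checks is the one worth remembering: a prefix rule `/admin/*` requires the slash, so a path that merely starts with the letters `admin` falls through to the matcher's default service. Whatever backend sits behind a default service therefore receives every path you did not enumerate, and should not rely on the URL map for access control.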
    4. SSL Proxy
      1. For encrypted (TLS) non-HTTP traffic
      2. Global scope
      3. Terminates TLS at the load balancer (SSL offload)
      4. Google-managed or self-managed SSL certificates
      5. Google patches the proxy's SSL/TCP stack automatically when vulnerabilities are found
      6. Traffic between load balancer and backend can be re-encrypted (SSL) or sent as plain TCP
    5. TCP Proxy
      1. For non-HTTP TCP traffic that should not be decrypted at the load balancer (no SSL offload; any TLS is end-to-end to the backend)
      2. Global scope
      3. Terminates the TCP connection at the load balancer and opens a new one to the backend
      4. Google patches the proxy's TCP stack automatically when vulnerabilities are found
      5. Supports many but not all TCP ports (a fixed list)
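Because every global load balancer is a proxy (see the Proxied/Non-Proxied items above), a backend behind the HTTP(S), SSL Proxy or TCP Proxy load balancer sees the proxy as its TCP peer and has to recover the client address from what the proxy adds. The HTTP(S) load balancer appends `<client-ip>,<lb-ip>` to any X-Forwarded-For it received, so the trustworthy client IP is the second-from-last entry and everything before it is attacker-controlled. The SSL Proxy and TCP Proxy load balancers can instead prepend a PROXY protocol v1 line to the TCP stream. The following is an added example, not code from these notes or from Google; the header values are constructed, and the load-balancer address 35.191.0.10 is a sample inside Google's proxy range.

```python
"""Recovering the real client IP behind Google's proxied load balancers.

Added example (not from the page or from Google). Sample headers are constructed.
"""
import ipaddress
from typing import Optional, Tuple

# Longest legal PROXY protocol v1 line, including CRLF (from the PROXY protocol spec)
PROXY_V1_MAX = 107


def client_ip_from_xff(xff: str) -> Optional[str]:
    """Client IP from X-Forwarded-For as the HTTP(S) LB delivers it: '<supplied>,<client-ip>,<lb-ip>'.

    The LB appends two entries, so the client is always second from last. Returns
    None when the header is not shaped like one the LB appended to.
    """
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    if len(parts) < 2:
        return None
    try:
        return str(ipaddress.ip_address(parts[-2]))
    except ValueError:           # leftover junk, not an address
        return None


def parse_proxy_v1(data: bytes) -> Tuple[Optional[Tuple[str, int]], bytes]:
    """Parse a PROXY protocol v1 line at the start of a TCP stream (SSL/TCP Proxy LB).

    Returns ((client_ip, client_port), remaining_bytes), or (None, data) when no
    header is present, or (None, remaining) for 'PROXY UNKNOWN'. Malformed lines raise.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end == -1:
        raise ValueError("PROXY line missing CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) == 2 and fields[1] == "UNKNOWN":
        return None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY line")
    _, family, src, dst, sport, dport = fields
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    expected_version = 4 if family == "TCP4" else 6
    if src_ip.version != expected_version or dst_ip.version != expected_version:
        raise ValueError("address family does not match TCP4/TCP6")
    src_port, dst_port = int(sport), int(dport)
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return (str(src_ip), src_port), data[end + 2:]
```

Both parsers are only sound when the backend is reachable exclusively through the load balancer, which is what firewall rules restricting ingress to the proxy ranges enforce: a client that can open a connection straight to the VM can write any X-Forwarded-For or PROXY line it likes. Taking the first X-Forwarded-For entry is the classic mistake; the constructed `evil` entry in the checks shows why.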
    6. Network
      1. Regional, external
      2. TCP/UDP traffic (Layer 4 of the OSI model), passed through without termination
      3. Balances by Layer 4 header data (source/destination IP, port, protocol)
      4. Forwarding rules matched by IP address, protocol and port range
      5. Backend is a target pool (legacy) or a backend service with instance groups
    7. Internal
      1. Regional, internal
      2. Private load balancer reachable only from within the same VPC (and networks connected to it)
      3. Operates on an internal IP address; nothing is exposed publicly
      4. Same Layer 4 pass-through model as the Network load balancer, but for internal-only traffic
      5. Often used between the tiers of a multi-tier application (web tier to app tier to database)
  2. DNS
    1. Cloud DNS
      1. Managed, authoritative DNS hosting service
      2. Translates domain names into IP addresses
      3. A record maps a host name to an IPv4 address (AAAA for IPv6)
      4. Name server (NS) record delegates DNS queries for a name to an authoritative server
      5. Both public (external) and private (internal) hosting
      6. Not a registrar, but an authoritative host for DNS records
      7. Requires pointing the registrar's name servers at the Cloud DNS name servers assigned to the zone
      8. Only GCP service with a 100% availability SLA
      9. Automatic scaling
      10. Scales to millions of DNS records
      11. Managed Zones
        1. Public Zone
          1. Queried over the public Internet
          2. Public website (A record), email routing (MX records)
        2. Private Zone
          1. Resolvable only from the VPC networks authorized for it; not visible or queryable over the public Internet
      12. Implementation
        1. Hosted in a GCP project
        2. Create one or more managed zones to hold DNS records
        3. A managed zone is the container for the DNS records of one domain
        4. Each domain has its own managed zone
        5. Can optionally include delegated subzones
        6. Requests for a delegated subdomain are forwarded, via NS records in the parent zone, to the subzone's separate set of name servers
    2. DNSSEC
      1. Authenticates responses to domain name lookups with digital signatures
      2. Protects domains from spoofing and cache-poisoning attacks
      3. Provides strong authentication (but not encryption or confidentiality) of lookups
      4. Both the registrar and the registry must support DNSSEC for the TLD in use
      5. Operations
        1. Enabling DNSSEC
        2. First enable DNSSEC on the managed zone in Cloud DNS
        3. Then enable DNSSEC at the registrar by adding the DS record (published by Cloud DNS) for the domain at the top-level domain (TLD)
        4. Not all registrars support DNSSEC
        5. Disabling DNSSEC
        6. Order is critically important
        7. First remove the DS record (disable DNSSEC) at the domain registrar
        8. Ensure validating resolvers can still resolve names in the Cloud DNS zone
        9. After the old DS records have expired from resolver caches (their TTL has passed), turn off DNSSEC in Cloud DNS
      6. Tips
        1. Proper DNSSEC TTL settings prevent resolution errors
        2. Both too long and too short can cause problems
        3. Avoid TTLs longer than 3 days
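The DS record handed to the registrar in the enabling steps above is derived from the zone's key-signing DNSKEY: a 16-bit key tag (RFC 4034 Appendix B) plus a SHA-256 digest over the canonical owner name followed by the DNSKEY RDATA. Cloud DNS prints this record for you; the following added example (not code from these notes or from Google) computes it independently so the value at the registrar can be checked against the DNSKEY the zone actually publishes. The sample key is constructed for illustration and is not a real key; a real ECDSA P-256 key is 64 bytes.

```python
"""Computing a DS record (key tag + SHA-256 digest) from a zone's KSK DNSKEY.

Added example, not from the page or from Google. SAMPLE_KEY is constructed
and not a real key.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsKey:
    owner: str       # zone apex, e.g. 'example.com.'
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int    # always 3
    algorithm: int   # e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    public_key: bytes


@dataclass(frozen=True)
class DsRecord:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: str       # uppercase hex


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6): lowercase, length-prefixed labels, zero terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b""
    for label in labels:
        if len(label) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: DnsKey) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a checksum-style identifier, not a cryptographic hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(key: DnsKey) -> DsRecord:
    """DS digest type 2 = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = hashlib.sha256(owner_to_wire(key.owner) + rdata).hexdigest().upper()
    return DsRecord(key_tag(rdata), key.algorithm, 2, digest)


def ds_presentation(key: DnsKey) -> str:
    """Zone-file form, the string you compare with what the registrar shows."""
    ds = ds_from_dnskey(key)
    return f"{key.owner} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}"


def parse_dnskey_presentation(owner: str, text: str) -> DnsKey:
    """Parse 'flags protocol algorithm base64key' as printed by dig or by Cloud DNS."""
    flags, protocol, algorithm, *b64 = text.split()
    return DnsKey(owner, int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64)))


# Constructed sample: KSK flags, algorithm 13, a 4-byte placeholder key (not a real key)
SAMPLE_KEY = DnsKey("Example.COM.", 257, 3, 13, bytes([0, 1, 2, 3]))
```

Two details matter in practice: the owner name is lowercased before hashing, so `Example.COM.` and `example.com.` yield the same DS, and the key tag is not unique, so when a zone has several KSKs (for instance during a rollover) the DS at the registrar is matched by tag, algorithm and digest together. Comparing the DS on file at the registrar with the output of `ds_presentation` after every key rollover is the check that prevents the resolution failures the Tips warn about.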