Google Cloud Storage

Google Cloud Storage
(GCS)

A highly-reliable, scalable, and fully-managed object storage service.

Availability: Global

SLA: 99.0% to 99.95%

Author: Michaël Bettan

Core Concepts & Billing

Use Cases

Media storage and delivery: Streaming video, image hosting, content delivery networks (CDNs).
Backup and disaster recovery: Data backups (e.g., regulatory), system images, application backups.
Data lakes and analytics: Storing large datasets for analysis using tools like BigQuery, Dataproc, and Dataflow.
- Hadoop HDFS replacement

Billing Components

Storage Costs: storage class, region, and data volume.
Network Usage: data reads and transfers between regions.
Operations Usage: listing, deleting, and other object operations.
Retrieval Fees: Nearline, Coldline, and Archive storage classes.
Early Deletion Fees: Applicable to data deleted before a minimum storage duration in certain classes.
Autoclass: management fee (+ one-time enablement).
Cost Allocation: Use Bucket and Object Labels to track usage and allocate costs to specific teams, partners, or workflows.

Storage Classes & Replication

Storage Class	Min. Storage	Retrieval Fees	Retrieval Time	Availability (Multiregion)	Durability	Early Deletion Fee	Use Case
Standard	None	None	Milliseconds	>99.99%	99.999999999%	No	Frequently accessed
Nearline	30 days	Yes	Milliseconds	99.95%	99.999999999%	Yes	Infrequently accessed data
Coldline	90 days	Yes	Milliseconds	99.95%	99.999999999%	Yes	Infrequently accessed data
Archive	365 days	Yes	Milliseconds	99.95%	99.999999999%	Yes	Archiving, backup, and DR

Drivers: Storage class choice depends on Availability, Cost, Access, and Performance. Standard class has 99.9% to 99.95% availability SLA depending on location type.

Geographic Placement

Multi-Region: Highest availability in largest area
Dual-Region: Highly-available and low latency
Region: High local performance for single region

Autoclass

Optimizes storage costs and performance by automatically transitioning objects between storage classes based on access patterns.

Frequent access promotes objects to Standard for faster retrieval.
Infrequent access demotes them to Nearline, Coldline, or Archive for cost savings.
Eliminates manual copy-and-delete processes.
No retrieval fees and no early deletion fees when enabled.

Dual-Region: Turbo Replication

Enhanced Data Durability and Availability: Offers faster redundancy across two regions, minimizing data loss risk and ensuring uninterrupted service during regional outages.
Rapid Replication: Replicates 100% of newly written objects to two regions within a 15-min Recovery Point Objective, regardless of object size → low write latency.

Data Model & Namespace

Global Namespace: Unique names for buckets across the entire platform for all clients.

Buckets: Basic containers holding your data.

Objects: Individual files within buckets, accessible through unique URLs.

Flat Namespace (Default): No actual directories; uses object name prefixes to simulate folders.

Hierarchical NameSpace (HNS)

Enabled at bucket creation. Introduces true file-system folder resources.

Benefits: Higher initial QPS (mitigates hotspotting) and atomic folder renames (ensures consistency).
Use cases: Big data (Hadoop/Spark, BigLake Iceberg) and AI/ML workloads (model checkpointing).

Data Protection & Considerations

Data Protection

Object Holds: Prevent objects from being deleted or overwritten, useful for legal or compliance reasons.
Soft Delete: Enabled by default (7 to 90 days retention) to recover deleted or overwritten objects without enabling versioning.
Encryption type: Google-managed, CMEK, CSEK (If CSEK key is lost, data is permanently lost).
Retention policy: Minimum retention period.
Object Versioning: Maintain versions of objects to protect against accidental deletion or overwrites.

Considerations

Object Lifecycle rules: Apply actions to objects when conditions are met (e.g., switching to colder classes based on age). 3 actions: change class, delete, or AbortIncompleteMultipartUpload.
Object conditions: Age, storage class, created before, etc.
Data Processing Integration: Integrates seamlessly with Dataproc, Dataflow, and BigQuery.
Event-Driven Processing: Use Eventarc or Pub/Sub notifications to trigger Cloud Run or Cloud Functions upon object creation/deletion (ideal for spiky ingestion).
CORS: Required if a web application on one domain needs direct access to a bucket on another domain.

Loading & Moving Data

Online transfer: gcloud storage (replaces legacy gsutil), console, APIs, etc. (< 1TB).

Storage Transfer Service: Fully-managed service to move data from clouds (GCS, S3, Azure Blob) and on-premises (docker). Supports event-driven transfers.

STS for on-premises data: Designed for large-scale transfers (up to petabytes of data, billions of files).

Transfer Appliance: High capacity storage server leased from Google to ship to your DC (>20 TiB or takes more than a week to upload).

Source	Scenario	Solution
S3, Azure Blob Storage	-	Storage Transfer Service
GCS bucket	-	Storage Transfer Service
Data Center	Enough bandwidth to meet your project deadline	`gcloud storage` command
Data Center	Enough bandwidth to meet your project deadline (large scale)	Storage Transfer Service for on-premises data
Data Center	Not enough bandwidth to meet your project deadline	Transfer Appliance

Management, Integrity & Security

Storage Intelligence (Management Hub)

Centralizes data management, data exploration, cost optimization, security enforcement, and governance.

Components: Gemini Cloud Assist, Storage Insights datasets, and inventory reports.
Capabilities: Enables bucket relocation and large-scale batch operations.
Availability: Generally Available (including CLI, Dashboards, and Guardrails).

Data Integrity

CRC32C is a cyclic redundancy check algorithm to detect errors during data transfer/storage.
CRC32C hash is calculated for each object and stored as an attribute. Retrieve to verify integrity after download.
Calculate hash using gcloud storage hash (or legacy gsutil hash) or Python's crcmod.
Supports MD5 calculations for compatibility with older systems or stricter security demands.

Access Control & Security

Two Options: Uniform or Fine-grained (legacy method).

Uniform: uniform access to all objects in the bucket by using only bucket-level permissions (IAM).
Fine-grained: Specify access to individual objects using object-level permissions (ACLs) in addition to bucket-level IAM.
Object Tags vs. Labels: Labels are strictly for billing/organization. Tags enforce conditional IAM policies (e.g., granting access only if object has tag "security: confidential").
Signed URLs: Time-limited access via generated URL without requiring IAM.
Signed Policy Documents: Upload policy directly to your bucket.
Control Access Levels: Project, Bucket, Folder (requires HNS), Object level.
Public Access Prevention (PAP): Enforced at bucket or Org Policy level to absolutely guarantee no objects are public (overrides IAM/ACLs).
HMAC Keys: Used via Interoperability API to migrate workloads from AWS S3 without rewriting authentication logic.

Self-Assessment Questions

Q1. What is the main benefit of enabling Autoclass on a GCS bucket?

It optimizes storage costs by automatically transitioning objects between classes based on access patterns, with no retrieval or early deletion fees.

Q2. What is the critical difference between Object Tags and Labels in Cloud Storage?

Labels are strictly used for billing allocation and organization, while Tags are used to enforce conditional IAM security policies.

Q3. Which storage class requires a minimum storage duration of 90 days but still offers millisecond retrieval time?

Coldline. Nearline is 30 days, and Archive is 365 days.

Q4. If you need to migrate an application from AWS S3 to GCS without rewriting its authentication logic, what feature should you use?

HMAC Keys, used via the Interoperability API.

Study Progress — Module Mastery 100%