"Oh, and while you're at it — give it access to CloudSQL."

“Oh, and while you’re at it — give it access to CloudSQL.” Found a $342/month database. In dev.

Developer asked to set up CI/CD in GKE. And “while you’re at it.” Got to CloudSQL — he’d already created an instance manually. At least his access was dev-only. 250 GB — 25x more than needed. Enterprise Plus — $342/month instead of $32 for dev. Public IP. In a different region from the cluster — cross-region traffic costs money, and adds latency on every request.

Gave him a rap on the knuckles. Fixed it properly. (Including explaining how to use a bastion host to access CloudSQL without a public network.)
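A check for the four problems found on that instance (public IP, edition, disk size, region), as an added example that is not part of the original post. It assumes instance records in the shape of `gcloud sql instances list --format=json`; the sample data, the cluster region, the 20 GB cap and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `gcloud sql instances list --format=json`.
# Names, regions and sizes are made up for illustration.
SAMPLE = json.loads("""[
 {"name": "dev-manual", "region": "us-central1",
  "settings": {"edition": "ENTERPRISE_PLUS", "dataDiskSizeGb": "250",
               "ipConfiguration": {"ipv4Enabled": true}}},
 {"name": "dev-fixed", "region": "europe-west1",
  "settings": {"edition": "ENTERPRISE", "dataDiskSizeGb": "10",
               "ipConfiguration": {"ipv4Enabled": false}}}
]""")


def audit_instance(inst, cluster_region, max_disk_gb, allowed_editions):
    """Return the list of findings for one Cloud SQL instance record."""
    settings = inst.get("settings", {})
    findings = []
    # Missing ipv4Enabled counts as public so incomplete records fail closed.
    if settings.get("ipConfiguration", {}).get("ipv4Enabled", True):
        findings.append("public-ip")
    # Only a present edition is checked; older records may not carry the field.
    edition = settings.get("edition")
    if edition is not None and edition not in allowed_editions:
        findings.append(f"edition:{edition}")
    # The API returns dataDiskSizeGb as a string.
    disk_gb = int(settings.get("dataDiskSizeGb", 0))
    if disk_gb > max_disk_gb:
        findings.append(f"disk:{disk_gb}GB>{max_disk_gb}GB")
    region = inst.get("region")
    if region != cluster_region:
        findings.append(f"region:{region}!={cluster_region}")
    return findings


def audit(instances, cluster_region, max_disk_gb, allowed_editions):
    """Map instance name -> findings, omitting clean instances."""
    report = {}
    for inst in instances:
        findings = audit_instance(inst, cluster_region, max_disk_gb, allowed_editions)
        if findings:
            report[inst["name"]] = findings
    return report


if __name__ == "__main__":
    # Assumed dev policy: cluster in europe-west1, 20 GB cap, Enterprise only.
    for name, findings in audit(SAMPLE, "europe-west1", 20, {"ENTERPRISE"}).items():
        print(name, ", ".join(findings))
```
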


Over the next two months, periodically: “we also need to deploy this.” New pipeline, separate GCP permissions, extra resources. New requirements kept surfacing.

LB for HTTP2/gRPC but no TLS on the pod. Then one service suddenly turned out to be WebSocket — “why isn’t it working?” Timeout. You need to set the right one, not leave it at the 30-second default.

Then one service got pulled from GKE — “we moved it to Cloud Function.” Fine. When it’s ready — we’ll do proper IaC.


Friday evening, the developer announced: “I think we’re ready to deploy to prod. Not urgent exactly, but sooner would be better.”

And listed 8 items.

I’d set up 7. One was removed. Should be 6. That’s something.

Turns out.

That “removed” service is “CloudRun Function.” Is that Cloud Run or Cloud Functions? How did you deploy it? Same repo or separate?

Item 8 — a PubSub topic. Also created manually.


Sounds like complaining about incompetence? Well, a little.

But here’s the real point. Without DevOps, this same developer could have launched all of this to prod — and it would have worked. For a while. Genuinely.

The question is the cost. Instance sizing? Either more than needed, or worse — less than needed. Database in the wrong region — cross-region traffic costs money, latency on every request. One service account with maximum permissions for everything. No automation. No redundancy. Public access to everything.

Well done, you made it work. Now let’s check it and make it work reliably — and for a reasonable price.