Google Cloud Deployment Manager Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Infrastructure as code

Category

Infrastructure as code

1. Introduction

Cloud Deployment Manager is Google Cloud’s native Infrastructure as code (IaC) service for defining and provisioning Google Cloud resources using declarative configuration files (YAML) and optional templates (Jinja2 or Python).

In simple terms: you write a configuration that describes what cloud resources you want—like VPC networks, firewall rules, and VM instances—and Cloud Deployment Manager creates, updates, and deletes those resources for you in a repeatable way.

Technically, Cloud Deployment Manager is a control-plane orchestration service. You submit a deployment made of resources (typed against Google Cloud APIs), and Deployment Manager calls the underlying Google Cloud APIs to create those resources. It tracks what it created and supports lifecycle actions such as preview, create, update, and delete.

It solves a common problem in cloud operations: manual provisioning doesn’t scale. Click-ops leads to drift, inconsistent environments, slow audits, and hard-to-reproduce deployments. IaC with Cloud Deployment Manager helps you standardize deployments, reduce human error, and make infrastructure changes reviewable and automatable.

Important status note (verify in official docs): Cloud Deployment Manager is widely considered a legacy Google Cloud IaC approach compared to Terraform-based workflows. Many teams on Google Cloud now prefer Terraform (self-managed) or Google Cloud’s managed Terraform offerings (for example, Infrastructure Manager). Cloud Deployment Manager may still be available, but you should verify its current product status and recommendations in official documentation before adopting it for new, large production footprints.

---

2. What is Cloud Deployment Manager?

Official purpose: Cloud Deployment Manager is Google Cloud’s service to create and manage Google Cloud resources using declarative templates. It provides a structured way to define infrastructure, deploy it consistently, and manage updates over time.

Core capabilities

• Define infrastructure in YAML configuration files.
• Use templates (Jinja2 or Python) for reuse and parameterization.
• Manage a deployment lifecycle: preview, create, update, delete.
• Track resources created as part of a deployment and show outputs.

Major components

• Deployment: A named, project-level object representing a set of resources managed together.
• Configuration: YAML that lists resources, their types, and properties.
• Templates (optional): Jinja2 or Python files used to generate configuration dynamically.
• Type: The resource schema, usually tied to a Google Cloud API version, for example compute.v1.instance.
• Outputs (optional): Values you export from a deployment for later reference (like an IP address or a resource URL).
• Preview: A “plan-like” step showing what would change before applying.

Service type

• Managed Google Cloud service (control plane) accessed via:
• Google Cloud Console
• gcloud deployment-manager CLI
• REST API (Deployment Manager API)

Scope (how it’s “scoped” in Google Cloud)

• Project-scoped: deployments live in a specific Google Cloud project.
• Deployments can create global, regional, and zonal resources, depending on the resource type:
• Example: VPC networks are global; subnets are regional; VM instances are zonal.

How it fits into the Google Cloud ecosystem

Cloud Deployment Manager sits above individual Google Cloud services (like Compute Engine, VPC, Cloud DNS). It does not replace those services; it orchestrates them by calling their APIs with the properties you define.

It fits best when you want: – A Google-native IaC workflow without adopting Terraform. – Declarative deployments for a subset of Google Cloud resources where Deployment Manager types exist and work for your needs.

Official documentation entry point: – https://cloud.google.com/deployment-manager/docs

---

3. Why use Cloud Deployment Manager?

Business reasons

• Faster environment provisioning: consistent dev/test/prod stacks from the same templates.
• Reduced risk: fewer manual errors and better repeatability.
• Auditability: infrastructure definitions can be stored in version control, reviewed, and tracked.

Technical reasons

• Declarative desired state: define “what” you want, not every imperative step.
• Dependency handling: resources can reference each other (for example, VM depends on network).
• Preview before apply: reduces surprise changes.

Operational reasons

• Lifecycle management: update and delete deployments as a unit.
• Standardization: enforce repeatable naming patterns and baseline networking/security resources.

Security/compliance reasons

• IAM-controlled provisioning: deployments can be gated by roles and approval processes.
• Consistent controls: firewall rules, network design, and instance settings can be standardized.
• Change management: easier to review and approve IaC changes than console edits.

Scalability/performance reasons

• Scale via automation: spin up multiple similar environments without manual overhead.
• Environment cloning: replicate patterns across projects/regions.

When teams should choose it

Choose Cloud Deployment Manager when: – You need a Google-native IaC tool and your required resources are supported by Deployment Manager types. – Your team prefers YAML + templating and a simple deployment lifecycle. – You already have existing Deployment Manager configurations and want to maintain them.

When teams should not choose it

Avoid (or reconsider) Cloud Deployment Manager when: – You need broad coverage of newer Google Cloud services and features that may not be fully supported. – You want a large ecosystem of modules/providers and strong drift detection workflows. – You’re standardizing on Terraform across clouds or across business units.

In many organizations, Terraform becomes the default IaC standard on Google Cloud. If you’re choosing a new IaC strategy, confirm Google’s current guidance (verify in official docs) and consider long-term maintainability and skill availability.

---

4. Where is Cloud Deployment Manager used?

Industries

• Software/SaaS companies standardizing development environments
• Financial services building repeatable network/security baselines
• Education/research provisioning lab environments
• Media/entertainment for ephemeral rendering or batch environments (where supported)

Team types

• DevOps/platform engineering teams building internal templates
• SRE/operations teams managing standardized infrastructure changes
• Cloud engineering teams supporting multiple application squads
• Security teams codifying baseline networking and firewall policies

Workloads

• Simple to moderate Compute Engine deployments
• Networking primitives (VPC, subnets, firewall rules, routes)
• Supporting services (where types exist and are validated for your needs)

Architectures

• Single-project environments (common for labs and small orgs)
• Multi-project setups (separate projects for dev/test/prod) where each project has its own deployment
• Shared VPC patterns (possible, but ensure types and IAM requirements are satisfied; verify in official docs)

Production vs dev/test usage

• Dev/test: very common, especially for consistent lab stacks and demos.
• Production: possible, especially for stable foundational infrastructure, but validate:
• support for your required resource types,
• update behavior,
• operational practices (rollback strategy, drift management),
• and product status (legacy vs strategic).

---

5. Top Use Cases and Scenarios

Below are realistic scenarios where Cloud Deployment Manager is often used effectively.

1) Standard VPC + subnet baseline

• Problem: Teams create inconsistent networks and subnets across environments.
• Why it fits: Deployment Manager can codify VPC/subnet patterns in YAML.
• Example: Provision a shared-vpc with per-environment subnets (dev, stage, prod) consistently.

2) Repeatable Compute Engine VM stacks

• Problem: VM configurations drift over time and differ by engineer.
• Why it fits: VM properties (machine type, boot disk, tags, metadata) are explicit.
• Example: Create a small fleet of bastion VMs with consistent OS image, tags, and firewall rules.

3) Ephemeral lab environments for training

• Problem: Training sessions require identical setups repeatedly.
• Why it fits: “Create deployment” before class, “delete deployment” after class.
• Example: A student lab stack that includes a network, firewall rule, and one VM.

4) Environment cloning for QA/testing

• Problem: QA needs a copy of an environment with minimal manual work.
• Why it fits: Parameterize names and regions with templates.
• Example: Clone a “standard test environment” into multiple projects.

5) Centralized infrastructure patterns with templates

• Problem: Repetitive YAML across projects becomes hard to manage.
• Why it fits: Jinja2/Python templates enable reuse.
• Example: A template that creates a “standard web VM” with consistent labels and startup scripts.

6) Controlled rollouts using Preview

• Problem: Applying changes directly risks outages.
• Why it fits: Preview shows intended changes before you update.
• Example: Preview firewall rule modifications to ensure no unexpected deletions.

7) Small internal platform “catalog”

• Problem: App teams need self-service but you need guardrails.
• Why it fits: Platform team provides approved DM configs/templates.
• Example: A “service template” repository for common infrastructure components.

8) Migration from manual console to IaC

• Problem: Existing resources were created manually and changes aren’t tracked.
• Why it fits: New infrastructure can be created and managed via DM moving forward.
• Example: New dev environment created via DM while legacy prod remains manual initially.

9) Multi-region network provisioning (limited scope)

• Problem: Building repeatable multi-region subnet patterns is error-prone.
• Why it fits: Use YAML + templates to generate repeated resources.
• Example: Create us-central1 and europe-west1 subnets with consistent ranges.

10) Controlled teardown for cost savings

• Problem: Non-prod resources are left running and waste budget.
• Why it fits: Deployment deletion removes the whole stack (with caveats).
• Example: Delete all dev VMs and firewall rules nightly (ensure delete policies are correct).

---

6. Core Features

Feature availability can evolve; verify specifics in official docs: https://cloud.google.com/deployment-manager/docs

Declarative YAML configurations

• What it does: Lets you define resources with types and properties.
• Why it matters: Declarative configs are reviewable and repeatable.
• Practical benefit: You can recreate an environment reliably.
• Caveat: You must use correct API types/properties; unsupported resources can block adoption.

Templates (Jinja2 and Python)

• What it does: Generates resource definitions programmatically or with macros.
• Why it matters: Reduces duplication and enforces standards.
• Practical benefit: Parameterize names, regions, CIDRs, counts, and labels.
• Caveat: Template logic can become complex; keep templates small and testable.

Resource typing against Google APIs

• What it does: Resource type maps to an API endpoint/version (for example compute.v1.instance).
• Why it matters: You manage infrastructure via official APIs.
• Practical benefit: You can set properties that match the underlying service’s API.
• Caveat: API versions and schemas matter; validate against current service docs.

Preview (“plan-like” output)

• What it does: Shows the proposed changes before applying.
• Why it matters: Safer changes, fewer surprises.
• Practical benefit: Catch destructive changes early.
• Caveat: Preview is not identical to Terraform plan semantics; always read output carefully.

Deployment lifecycle management (create/update/delete)

• What it does: Treats a group of resources as one deployment unit.
• Why it matters: Enables repeatable environment lifecycle operations.
• Practical benefit: One command can delete an entire lab stack.
• Caveat: Deletion behavior depends on resource dependencies and delete policies; verify for each resource.

Outputs

• What it does: Exposes values from created resources (URLs, selfLinks, addresses).
• Why it matters: Helps integrate with downstream scripts or CI/CD.
• Practical benefit: You can fetch an instance’s NAT IP or a network selfLink after deployment.
• Caveat: Outputs depend on what the API returns; ensure outputs match actual fields.

Integration with gcloud and Cloud Console

• What it does: Manage deployments via CLI or UI.
• Why it matters: Fits into automation and also supports manual inspection.
• Practical benefit: Easy to integrate into Cloud Build or other CI tools.
• Caveat: “Console-first” teams still need IaC discipline (version control, PR reviews).

IAM and audit integration

• What it does: Uses Google Cloud IAM to control who can create/update deployments.
• Why it matters: Prevents unauthorized infrastructure changes.
• Practical benefit: Separate duties between template authors and deployers.
• Caveat: IAM for underlying resources still applies; DM must have permission to create each resource type.

---

7. Architecture and How It Works

High-level service architecture

Cloud Deployment Manager operates as a managed control-plane service:

1. You submit a deployment (config + templates).
2. Deployment Manager parses templates and resolves resources.
3. Deployment Manager calls the underlying Google Cloud APIs to create/update/delete resources.
4. Deployment Manager stores deployment state (what it created and the current configuration).
5. You can query deployments, see resource lists, and outputs.

Request/control flow

• Input: YAML configuration and optional template files.
• Processing: Template expansion + dependency graph resolution.
• Execution: API calls to target services (Compute Engine, etc.).
• State: Deployment Manager tracks deployment metadata and resources.
• Logs/Audit: Actions show up in Cloud Audit Logs for relevant services.

Integrations with related services

Common integrations include: – Compute Engine for networks, firewall rules, instances, disks. – Cloud IAM for permissions and service accounts. – Cloud Logging / Audit Logs for tracking who changed what. – Cloud Build / CI systems to run gcloud deployment-manager commands from pipelines (verify best practices with your CI approach).

Dependency services

• Deployment Manager API must be enabled: deploymentmanager.googleapis.com
• For Compute resources: Compute Engine API: compute.googleapis.com
• Any other resource’s API used by your deployment must also be enabled.

Security/authentication model

• Users and CI/CD identities authenticate to Google Cloud (OAuth, service account keys, Workload Identity Federation, etc.).
• Deployment Manager then uses Google Cloud authorization to call service APIs.
• Deployment Manager may rely on a Google-managed service identity/service agent for certain operations (verify the exact service account behavior in official docs for your project and organization).

Networking model

• Deployment Manager is a control-plane service; it does not “live” in your VPC.
• Networking concerns are about what resources you create (VPCs, firewall rules, routes, external IPs).

Monitoring/logging/governance considerations

• Audit Logs: Track deployment create/update/delete operations and underlying API calls.
• Cloud Logging: Investigate API errors surfaced during deployments.
• Policy controls: Organization Policy constraints can prevent certain resources from being created (for example, restricting external IPs). This is good for governance but can cause deployment failures if not accounted for.

Simple architecture diagram

flowchart LR
  Dev[Engineer / CI Pipeline] -->|gcloud / API| DM[Cloud Deployment Manager]
  DM -->|calls APIs| CE[Compute Engine API]
  DM -->|calls APIs| IAM[IAM API]
  CE --> VPC[VPC Network/Subnet]
  CE --> FW[Firewall Rules]
  CE --> VM[VM Instance]

Production-style architecture diagram

flowchart TB
  subgraph Org[Google Cloud Organization]
    subgraph Shared[Shared Services Project]
      Repo[Git Repo: DM configs & templates]
      CI[CI/CD: Cloud Build or external runner]
    end

    subgraph Prod[Production Project]
      DMp[Cloud Deployment Manager Deployment]
      VPCp[VPC + Subnets]
      FWp[Firewall Rules]
      VMp[Compute Instances]
      SA[Service Accounts]
      Logs[Cloud Logging / Audit Logs]
      Policy[Org Policy Constraints]
    end
  end

  Repo --> CI
  CI -->|gcloud deployment-manager| DMp
  DMp -->|Compute API| VPCp
  DMp -->|Compute API| FWp
  DMp -->|Compute API| VMp
  DMp -->|IAM| SA
  Policy -. restricts .-> DMp
  DMp --> Logs
  VMp --> Logs

---

8. Prerequisites

Account/project requirements

• A Google Cloud account with access to a project.
• A Google Cloud project with billing enabled (required for most provisioned resources, especially Compute Engine).

Permissions / IAM roles

At minimum, the identity running deployments needs: – Permissions to use Cloud Deployment Manager (for example, a Deployment Manager role), and – Permissions for each underlying resource type you create (for example, Compute Engine permissions for networks/VMs).

Common role patterns (verify role names and least-privilege mapping in your environment): – Deployment Manager role: roles/deploymentmanager.editor (or admin for full control) – Compute roles for this tutorial: – roles/compute.networkAdmin – roles/compute.securityAdmin (for firewall rules) or equivalent – roles/compute.instanceAdmin.v1 – roles/iam.serviceAccountUser (if attaching service accounts to VMs)

If you’re learning, using Project Owner in a dedicated sandbox project is simplest, but not recommended for production.

Tools

• Cloud Shell (recommended): includes gcloud preinstalled.
• Or local installation:
• Google Cloud CLI: https://cloud.google.com/sdk/docs/install

APIs to enable

• Deployment Manager API: deploymentmanager.googleapis.com
• Compute Engine API: compute.googleapis.com

Region availability

• Deployment Manager is a control-plane service; resource availability depends on the specific services and regions you deploy into.
• For compute resources, pick a region/zone supported by your project.

Quotas/limits

• Compute Engine quotas (CPU, IPs, firewall rules, etc.) apply.
• Deployment Manager may have its own limits (deployment size, number of resources, request rates). Verify current limits in official docs.

Prerequisite services

• For the hands-on lab: Compute Engine (VPC, firewall rule, VM instance).

---

9. Pricing / Cost

Pricing model (accurate framing)

Cloud Deployment Manager typically has no separate line-item cost for using the service itself; you pay for the Google Cloud resources it creates and for their ongoing usage.

You should verify the most current statement in official docs (pricing and billing behavior can change). Start here: – Deployment Manager docs: https://cloud.google.com/deployment-manager/docs – Google Cloud Pricing overview: https://cloud.google.com/pricing – Pricing calculator: https://cloud.google.com/products/calculator

Pricing dimensions (what you actually pay for)

The costs come from deployed resources, commonly: – Compute Engine – VM instance uptime (vCPU/RAM) – Persistent disks (GB-month) – External IP addresses (especially unused/reserved IPs) – Network egress (internet egress is often a major cost driver) – Networking – Load balancers, NAT gateways, forwarding rules (if created) – Inter-region traffic – Logging/Monitoring – Logging ingestion/retention beyond free allocations (varies) – Other APIs – Depending on resources created (Cloud SQL, GKE, etc.)

Free tier (if applicable)

• Some Google Cloud products have free tiers (for example, Compute Engine “Always Free” in specific regions and configurations). Eligibility is strict and can change. Verify in official docs before relying on it.

Cost drivers

• VM size and uptime (24/7 vs ephemeral)
• Disks (size, type, snapshots)
• Public internet egress
• Premium services provisioned unintentionally (load balancers, NAT, reserved IPs)
• Logging volume (verbose startup scripts can generate logs)

Hidden or indirect costs

• Accidental external exposure: enabling external IPs and generating egress.
• Orphaned resources: if a deployment fails mid-flight, you may have partially created resources.
• Delete policy behavior: depending on configuration and resource constraints, some resources may remain.

Network/data transfer implications

• VMs with external IPs can generate internet egress costs quickly.
• Cross-region traffic is commonly billable.

How to optimize cost

• Use the smallest VM type you can for labs.
• Prefer short-lived deployments; delete after use.
• Avoid reserved external IPs unless needed.
• Keep logging at reasonable verbosity; avoid infinite loops in startup scripts.
• Use budgets and alerts:
• Budgets & alerts: https://cloud.google.com/billing/docs/how-to/budgets

Example low-cost starter estimate (qualitative)

A minimal lab deployment might include: – 1 small VM – 1 small boot disk – 1 VPC + subnet + firewall rule

Costs depend on region, machine type, disk type, and whether the VM runs continuously. Use the calculator for accurate numbers: – https://cloud.google.com/products/calculator

Example production cost considerations

In production, costs are dominated by what you deploy: – HA designs (multiple instances, multi-zone) – Load balancing – Managed databases – Observability ingestion – Egress (CDN vs direct egress)

Cloud Deployment Manager affects cost indirectly: it can standardize deployments to avoid expensive mistakes, but it can also scale mistakes quickly if templates are wrong. Use Preview, code review, and budgets.

---

10. Step-by-Step Hands-On Tutorial

Objective

Deploy a small, low-cost Google Cloud environment using Cloud Deployment Manager: – A custom VPC network – A regional subnet – A firewall rule allowing SSH to tagged instances – A small Compute Engine VM instance

Then you will: – Validate that resources were created – Update the deployment (change VM metadata) – Clean up by deleting the deployment

Lab Overview

• Time: 30–60 minutes
• Cost: Low for short runs (VM and disk costs apply)
• Tools: Cloud Shell + gcloud
• APIs: Deployment Manager API, Compute Engine API

Tip: Use a dedicated sandbox project to avoid impacting production resources.

---

Step 1: Select a project and set environment variables

In Cloud Shell, set your project ID:

gcloud config set project YOUR_PROJECT_ID

Pick a region and zone that support your account/project:

export REGION="us-central1"
export ZONE="us-central1-a"

Set a deployment name (must be unique within the project):

export DEPLOYMENT_NAME="dm-lab-1"

Expected outcome: gcloud config get-value project shows your project, and variables are set.

---

Step 2: Enable required APIs

Enable Deployment Manager and Compute Engine APIs:

gcloud services enable deploymentmanager.googleapis.com compute.googleapis.com

Expected outcome: Command completes with no errors. In the Console, APIs appear enabled.

Verification:

gcloud services list --enabled --filter="name:deploymentmanager.googleapis.com OR name:compute.googleapis.com"

---

Step 3: Create a Cloud Deployment Manager configuration

Create a working directory:

mkdir -p dm-lab && cd dm-lab

Create a file named config.yaml:

cat > config.yaml <<'EOF'
resources:
  - name: dm-lab-network
    type: compute.v1.network
    properties:
      autoCreateSubnetworks: false
      routingConfig:
        routingMode: REGIONAL

  - name: dm-lab-subnet
    type: compute.v1.subnetwork
    properties:
      region: us-central1
      network: $(ref.dm-lab-network.selfLink)
      ipCidrRange: 10.10.0.0/24
      privateIpGoogleAccess: true

  - name: dm-lab-allow-ssh
    type: compute.v1.firewall
    properties:
      network: $(ref.dm-lab-network.selfLink)
      direction: INGRESS
      priority: 1000
      sourceRanges:
        - 0.0.0.0/0
      targetTags:
        - dm-lab-ssh
      allowed:
        - IPProtocol: tcp
          ports:
            - "22"

  - name: dm-lab-vm
    type: compute.v1.instance
    properties:
      zone: us-central1-a
      machineType: zones/us-central1-a/machineTypes/e2-micro
      tags:
        items:
          - dm-lab-ssh
      networkInterfaces:
        - subnetwork: $(ref.dm-lab-subnet.selfLink)
          accessConfigs:
            - name: External NAT
              type: ONE_TO_ONE_NAT
      disks:
        - boot: true
          autoDelete: true
          initializeParams:
            # Debian image family reference. Verify current image families in Compute Engine docs if needed.
            sourceImage: projects/debian-cloud/global/images/family/debian-12
      metadata:
        items:
          - key: purpose
            value: "cloud-deployment-manager-lab"

outputs:
  - name: vmSelfLink
    value: $(ref.dm-lab-vm.selfLink)
  - name: vmExternalIp
    value: $(ref.dm-lab-vm.networkInterfaces[0].accessConfigs[0].natIP)
EOF

Notes: – This example hardcodes us-central1 and us-central1-a. If you changed REGION/ZONE, update the YAML accordingly. – e2-micro is used to keep cost low. Availability and free-tier eligibility vary—verify in official docs.

Expected outcome: config.yaml exists and contains 4 resources and 2 outputs.

---

Step 4: Preview the deployment (recommended)

Run a preview to see planned changes:

gcloud deployment-manager deployments create "$DEPLOYMENT_NAME" \
  --config=config.yaml \
  --preview

Expected outcome: A deployment is created in preview state, and output indicates what would be created.

Verification:

gcloud deployment-manager deployments describe "$DEPLOYMENT_NAME"

Look for preview-related fields and resource list.

If the preview looks correct, update the deployment to apply the changes:

gcloud deployment-manager deployments update "$DEPLOYMENT_NAME"

Expected outcome: Deployment is executed and resources begin creating.

---

Step 5: Check deployment status and created resources

List deployments:

gcloud deployment-manager deployments list

Describe the deployment:

gcloud deployment-manager deployments describe "$DEPLOYMENT_NAME"

List resources tracked by the deployment:

gcloud deployment-manager resources list --deployment "$DEPLOYMENT_NAME"

Expected outcome: You should see: – dm-lab-network – dm-lab-subnet – dm-lab-allow-ssh – dm-lab-vm

Now confirm the VM exists in Compute Engine:

gcloud compute instances list --filter="name=dm-lab-vm"

Retrieve the external IP from outputs:

gcloud deployment-manager deployments describe "$DEPLOYMENT_NAME" \
  --format="value(outputs.vmExternalIp)"

Expected outcome: An external IP address is printed.

---

Step 6: SSH into the VM (optional verification)

If your environment supports it, SSH:

gcloud compute ssh dm-lab-vm --zone "$ZONE"

Expected outcome: You get a shell on the VM.

Exit:

exit

---

Step 7: Update the deployment (safe change)

Let’s update metadata to demonstrate a non-destructive update.

Edit config.yaml and add another metadata item under the VM:

grep -n "metadata" -n config.yaml

Use a simple edit approach (Cloud Shell editor is fine) and add:

          - key: owner
            value: "your-name"

So the VM metadata becomes:

      metadata:
        items:
          - key: purpose
            value: "cloud-deployment-manager-lab"
          - key: owner
            value: "your-name"

Apply the update:

gcloud deployment-manager deployments update "$DEPLOYMENT_NAME" --config=config.yaml

Expected outcome: Deployment update completes. Some changes may be applied in-place; if a property forces recreation, DM may attempt to replace the VM. Review update output carefully.

Verify VM metadata:

gcloud compute instances describe dm-lab-vm --zone "$ZONE" \
  --format="yaml(metadata.items)"

---

Validation

Use this checklist:

1. Deployment exists and is not in error state: bash gcloud deployment-manager deployments describe "$DEPLOYMENT_NAME" \ --format="value(name,operation.status)"

2. Network and subnet exist: bash gcloud compute networks describe dm-lab-network gcloud compute networks subnets describe dm-lab-subnet --region "$REGION"

3. Firewall rule exists: bash gcloud compute firewall-rules describe dm-lab-allow-ssh

4. VM exists and has an external IP: bash gcloud compute instances describe dm-lab-vm --zone "$ZONE" \ --format="value(networkInterfaces[0].accessConfigs[0].natIP)"

---

Troubleshooting

Common issues and fixes:

1) API not enabled

Symptom: Errors like “API has not been used in project … before or it is disabled.” – Fix: bash gcloud services enable deploymentmanager.googleapis.com compute.googleapis.com

2) Permission denied (IAM)

Symptom: PERMISSION_DENIED creating networks/firewalls/instances. – Fix: Ensure the deploying identity has required roles for both Deployment Manager and underlying services (Compute Engine). In production, use least privilege; in labs, Project Owner in a sandbox is simplest.

3) Quota exceeded

Symptom: Compute quota errors (CPU, IP addresses). – Fix: Use a smaller region/zone, delete unused resources, or request quota increases: – https://cloud.google.com/compute/quotas

4) Resource already exists

Symptom: Deployment fails because dm-lab-network or VM name already exists. – Fix: Change resource names in the config or delete the existing resources/deployment first.

5) Invalid type or property schema

Symptom: Errors about unknown fields or invalid resource type. – Fix: Confirm the type (for example compute.v1.instance) and properties align with current API schema. Prefer referencing official API docs for the resource.

---

Cleanup

Delete the deployment (this should delete managed resources):

gcloud deployment-manager deployments delete "$DEPLOYMENT_NAME"

Expected outcome: Deployment is removed and resources are deleted.

Verify resources are gone:

gcloud compute instances list --filter="name=dm-lab-vm"
gcloud compute firewall-rules list --filter="name=dm-lab-allow-ssh"
gcloud compute networks list --filter="name=dm-lab-network"

If any resources remain (rare but possible in partial failure scenarios), delete them manually and review delete policies and error logs.

---

11. Best Practices

Architecture best practices

• Use small, composable templates: avoid monolithic “everything” templates that are hard to test.
• Separate foundational from application stacks:
• Foundation: VPC, subnets, shared firewall baselines
• App: VMs, instance groups, app-specific rules
• Design for multiple environments: parameterize environment name, region, and CIDR ranges.

IAM/security best practices

• Least privilege: grant only necessary roles to the identity running deployments.
• Separate duties:
• Template authors can be reviewed/approved via Git PRs.
• Deployers can be a CI service account with limited permissions.
• Use service accounts intentionally: when attaching a service account to a VM, avoid broad scopes/permissions.

Cost best practices

• Delete non-prod deployments quickly.
• Avoid public IPs by default; prefer IAP or bastion designs if appropriate.
• Standardize machine types and disk sizes via templates to prevent accidental oversizing.
• Add labels (labels where supported) for cost allocation and chargeback.

Performance best practices

• Deployment Manager is not the performance bottleneck; underlying service choices are.
• Avoid unnecessary churn: frequent updates that recreate resources can cause downtime and delays.

Reliability best practices

• Use Preview before updates.
• Avoid destructive updates for critical resources unless you have a migration plan.
• Plan rollbacks:
• Keep previous configs in Git.
• Understand which property changes force replacement.

Operations best practices

• Use consistent naming: include env/team/app in resource names.
• Standardize logging and monitoring in the resources you create (VM Ops Agent, etc., where appropriate).
• Document ownership in labels/metadata and in Git repo README.

Governance/tagging/naming best practices

• Apply:
• labels for cost center, env, app, owner (where supported)
• metadata for VM-specific annotations
• Align with organizational naming standards.
• Consider Organization Policy constraints early to avoid repeated deployment failures.

---

12. Security Considerations

Identity and access model

• Access to Cloud Deployment Manager is controlled by IAM.
• Underlying resource creation is still controlled by service IAM (Compute Engine, etc.).
• Prefer:
• A dedicated CI service account to run deployments
• Workload Identity Federation instead of long-lived keys (verify your CI platform integration)

Encryption

• Most Google Cloud services encrypt data at rest by default.
• For Compute Engine disks, consider Customer-Managed Encryption Keys (CMEK) if required (ensure compatibility with your IaC approach and verify in official docs).

Network exposure

• Biggest risk in many deployments is unintended public exposure:
• External IPs on VMs
• Broad firewall source ranges like 0.0.0.0/0
• Prefer:
• Restrict SSH sources to known IP ranges
• Use IAP TCP forwarding for SSH where appropriate (requires additional setup; verify)

Secrets handling

• Do not embed secrets in YAML, templates, or startup scripts in repositories.
• Prefer Secret Manager and runtime access patterns.
• If templates need sensitive values, use secure CI variable injection and avoid logging sensitive values.

Audit/logging

• Use Cloud Audit Logs to trace changes:
• Who created/updated/deleted a deployment
• Who/what created underlying resources
• Centralize logs in a dedicated logging project if required by policy (verify best practice for your org).

Compliance considerations

• Ensure resource locations meet residency requirements.
• Use Organization Policies to enforce:
• restricted external IP usage,
• allowed regions,
• required labels (where possible; label enforcement may require additional tooling).

Common security mistakes

• Opening SSH to the world (0.0.0.0/0) for convenience and forgetting to remove it.
• Giving deployment identities overly broad roles permanently.
• Storing secrets directly in templates.
• Not reviewing Preview output and unintentionally replacing critical resources.

Secure deployment recommendations

• Adopt a “secure by default” template baseline:
• No external IPs unless required
• Minimal firewall rules
• Strong IAM separation
• Require PR review and Preview output review for production changes.
• Use budgets/alerts to detect unusual activity early.

---

13. Limitations and Gotchas

This section highlights common real-world issues. Always verify current behavior and limits in official docs.

1) Coverage gaps for newer services/features

Cloud Deployment Manager may not support every new Google Cloud service or every new feature/version promptly. This can block adoption for modern architectures.

2) Update behavior can be surprising

Some property changes force resource replacement (for example, certain VM properties). Without careful planning, updates can cause downtime.

3) Drift detection is limited compared to Terraform workflows

If a resource is changed manually outside Deployment Manager, your deployment’s understanding of “what’s deployed” may not match reality. Plan governance accordingly.

4) Partial failures can leave orphaned resources

If a deployment fails mid-creation, you may need to clean up leftover resources manually.

5) Name collisions

Resource names are often global/unique within a project/service scope. Re-running deployments with fixed names can collide.

6) Quotas apply (and errors can be indirect)

Deployment errors may come from underlying quota limits (CPU, IPs, firewall rules), not from Deployment Manager itself.

7) Organization Policy constraints

Policies can block resources (for example, disallowing external IPs). Your template must comply, or deployments will fail.

8) Template complexity

Jinja2/Python templates are powerful but can become difficult to maintain without strong standards and tests.

9) Long-term strategy risk (legacy tooling)

If Google’s strategic direction continues to favor Terraform-based tooling, new IaC investments in Deployment Manager may have migration costs later. Verify current recommendations in official docs.

10) Deletion order/dependencies

Deleting a deployment may fail if resources have external dependencies or were modified manually. Understand dependencies (for example, subnets in use).

---

14. Comparison with Alternatives

Cloud Deployment Manager is one option among several IaC approaches.

Key alternatives

• Terraform (Google provider): Most common cross-cloud IaC standard; broad ecosystem.
• Google Cloud Infrastructure Manager (managed Terraform; verify current product scope and naming in official docs): managed execution/state around Terraform.
• Config Connector / Kubernetes-based management (often used with Anthos or GKE): manage GCP resources via Kubernetes CRDs.
• Pulumi: IaC using general-purpose languages.
• CI scripts with gcloud: imperative, simple, but less safe for drift and lifecycle.
• AWS CloudFormation / Azure ARM/Bicep: not for Google Cloud resources, but relevant for multi-cloud comparison.

Comparison table

Option	Best For	Strengths	Weaknesses	When to Choose
Cloud Deployment Manager	Google-native YAML IaC for supported resources	Simple deployment lifecycle; Preview; integrates with Google APIs	Legacy perception; coverage gaps; drift handling limitations	Maintaining existing DM stacks; simple Google Cloud setups
Terraform (self-managed)	Standard IaC across teams/clouds	Broad provider support; strong ecosystem; plan/apply workflow; modules	Requires state management; toolchain complexity	New standardization, multi-cloud, large-scale IaC
Google Cloud Infrastructure Manager (managed Terraform)	Managed Terraform execution on Google Cloud	Reduced ops overhead for Terraform runners/state (verify exact features)	Product capabilities vary; still Terraform learning curve	You want Terraform but prefer managed operations
Config Connector (Kubernetes)	Platform teams using Kubernetes as control plane	GitOps-friendly; K8s-native workflow	Requires Kubernetes/Config Connector expertise; not ideal for all teams	You already run a strong Kubernetes platform and want GitOps for infra
Pulumi	Dev-centric IaC in real languages	Strong language support; reuse code/testing	Tooling and state management still required; learning curve	Developer teams prefer TypeScript/Python/Go for IaC
Imperative gcloud scripts	Quick automation for small tasks	Simple; no templates required	Harder drift control; less safe updates; poor lifecycle tracking	Small one-off automation or bootstrap tasks

---

15. Real-World Example

Enterprise example (regulated industry)

• Problem: A regulated enterprise needs repeatable, auditable network baselines for multiple app teams, with strict controls on external IP usage.
• Proposed architecture:
• Separate projects per environment (dev/test/prod)
• A Deployment Manager “foundation deployment” per project:
  • VPC, subnets, routes
  • baseline firewall rules
  • IAM service accounts (where supported)
• Organization Policies to restrict external IPs and allowed regions
• CI pipeline runs Preview and requires approval before applying updates
• Why Cloud Deployment Manager was chosen:
• Existing investment in DM templates and a smaller scope of supported resources
• Need for a straightforward Google-native workflow without introducing Terraform immediately
• Expected outcomes:
• Standardized networks across environments
• Reduced audit findings due to consistent baseline deployment
• Faster provisioning with fewer manual steps

Startup/small-team example

• Problem: A startup wants a simple way to spin up and tear down demo environments safely to control costs.
• Proposed architecture:
• One deployment per demo environment
• Resources: VPC + subnet + firewall + single VM (or small set)
• Clear cleanup process: delete deployment after demo
• Why Cloud Deployment Manager was chosen:
• Low operational overhead; no separate state tooling to manage
• Easy gcloud-based workflow in Cloud Shell
• Expected outcomes:
• Predictable, repeatable demos
• Reduced cloud spend by deleting environments immediately after use
• Fewer mistakes than manual console setup

---

16. FAQ

1) Is Cloud Deployment Manager still supported?

Cloud Deployment Manager remains present in Google Cloud documentation, but it is often treated as a legacy IaC option compared to Terraform-based approaches. Verify current support status and roadmap in official docs before adopting it for new large-scale production systems.

2) Do I pay for Cloud Deployment Manager itself?

Typically, there is no separate charge for Deployment Manager; you pay for the resources it creates (VMs, disks, networking, etc.). Verify current billing details in official Google Cloud documentation.

3) What file formats does Cloud Deployment Manager use?

Commonly: – YAML for configurations – Jinja2 or Python for templates

4) Can I manage any Google Cloud resource with Deployment Manager?

Not necessarily. Deployment Manager supports many resources via types, but coverage may not match Terraform’s breadth. Validate the types you need before committing.

5) What is a “deployment”?

A deployment is a named collection of resources managed together by Cloud Deployment Manager in a Google Cloud project.

6) What is the difference between configuration and templates?

• Configuration (YAML): declares resources and properties.
• Templates (Jinja2/Python): generate configuration content for reuse and parameterization.

7) Does Cloud Deployment Manager do drift detection?

It can show what it believes is deployed, but robust drift detection/remediation is typically more associated with Terraform workflows. If drift management is critical, evaluate alternatives.

8) Can I use Cloud Deployment Manager with CI/CD?

Yes. A common pattern is to run gcloud deployment-manager commands in a pipeline, with Preview for change review and then apply/update on approval.

9) How do I do “plan” like Terraform?

Use Preview to see proposed changes, then update the deployment to apply.

10) How do I roll back a bad change?

A typical rollback approach is to: – revert the config/template in version control, – run deployments update to apply the previous configuration, – and be aware that some changes may have already replaced resources.

11) Can Deployment Manager create resources in multiple projects?

Deployments are project-scoped. Cross-project operations may be possible via underlying IAM and API behavior, but are not the common model. Prefer one deployment per project and automate across projects with CI.

12) Can I use it for GKE clusters?

Historically, some teams used it, but support and best practice can change. For Kubernetes-related provisioning, Terraform is commonly preferred. Verify current recommended approach in Google Cloud docs.

13) How do I keep configurations reusable across environments?

Use templates and parameters (for example, environment name, region, CIDR). Keep environment-specific values in small config overlays or separate config files.

14) What’s the safest way to test changes?

• Use a sandbox project.
• Run Preview.
• Apply changes during a maintenance window for production if changes could be disruptive.

15) What happens if I delete a deployment?

Deployment Manager attempts to delete resources it created, but dependencies and manual modifications can affect deletion. Always validate cleanup and check for leftovers.

16) How do I troubleshoot failed deployments?

• Check the deployment operation output in CLI/Console.
• Look at underlying API errors in Cloud Logging/Audit Logs.
• Verify IAM permissions, API enablement, quotas, and Organization Policy constraints.

---

17. Top Online Resources to Learn Cloud Deployment Manager

Resource Type	Name	Why It Is Useful
Official documentation	https://cloud.google.com/deployment-manager/docs	Primary source for concepts, configuration structure, and supported workflows
Official quickstarts/tutorials	https://cloud.google.com/deployment-manager/docs/quickstarts	Guided setup steps and examples (verify availability on the page)
Google Cloud CLI docs	https://cloud.google.com/sdk/gcloud/reference/deployment-manager	Command reference for create/update/delete/describe/list
API reference	https://cloud.google.com/deployment-manager/docs/reference/latest/	REST API reference for programmatic interactions
Google Cloud pricing overview	https://cloud.google.com/pricing	Understand that costs come from provisioned resources
Pricing calculator	https://cloud.google.com/products/calculator	Estimate costs for resources your deployment creates
Compute Engine docs	https://cloud.google.com/compute/docs	Needed to understand instance/network/firewall properties used in templates
IAM docs	https://cloud.google.com/iam/docs	Learn roles, service accounts, and least privilege
Cloud Audit Logs docs	https://cloud.google.com/logging/docs/audit	Investigate who changed what during deployments
Samples (search)	https://github.com/GoogleCloudPlatform	Google Cloud Platform GitHub org—search for Deployment Manager examples (verify repo freshness and applicability)
Community learning	https://stackoverflow.com/questions/tagged/google-cloud-deployment-manager	Practical troubleshooting patterns; validate answers against official docs

---

18. Training and Certification Providers

Institute	Suitable Audience	Likely Learning Focus	Mode	Website URL
DevOpsSchool.com	DevOps engineers, SREs, platform teams, beginners	IaC fundamentals, Google Cloud DevOps practices, automation	Check website	https://www.devopsschool.com/
ScmGalaxy.com	Students, early-career engineers	SCM + DevOps foundations, process and tooling	Check website	https://www.scmgalaxy.com/
CLoudOpsNow.in	Cloud operations teams	Cloud ops practices, automation, operational readiness	Check website	https://cloudopsnow.in/
SreSchool.com	SREs, operations engineers	Reliability engineering, monitoring, incident response	Check website	https://sreschool.com/
AiOpsSchool.com	Ops teams exploring AIOps	AIOps concepts, operations analytics, automation	Check website	https://aiopsschool.com/

---

19. Top Trainers

Platform/Site	Likely Specialization	Suitable Audience	Website URL
RajeshKumar.xyz	DevOps/cloud training content (verify specific offerings)	Beginners to intermediate practitioners	https://rajeshkumar.xyz/
devopstrainer.in	DevOps tools and practices training (verify course list)	DevOps engineers, students	https://devopstrainer.in/
devopsfreelancer.com	Freelance DevOps services/training (verify scope)	Teams needing hands-on guidance	https://www.devopsfreelancer.com/
devopssupport.in	DevOps support and enablement (verify services)	Ops/DevOps teams	https://www.devopssupport.in/

---

20. Top Consulting Companies

Company Name	Likely Service Area	Where They May Help	Consulting Use Case Examples	Website URL
cotocus.com	Cloud/DevOps consulting (verify current portfolio)	IaC adoption, CI/CD enablement, operations	Standardizing Google Cloud provisioning; building deployment pipelines; governance patterns	https://cotocus.com/
DevOpsSchool.com	DevOps consulting and training	Upskilling + implementation support	IaC templates, CI/CD rollout, operational best practices	https://www.devopsschool.com/
DEVOPSCONSULTING.IN	DevOps consulting services (verify offerings)	DevOps process/tooling implementation	IaC strategy workshops; automation and release engineering	https://devopsconsulting.in/

---

21. Career and Learning Roadmap

What to learn before Cloud Deployment Manager

• Google Cloud fundamentals:
• Projects, billing, IAM, service accounts
• Core infrastructure concepts:
• VPC networks, subnets, firewall rules, routes
• Compute Engine instances and disks
• Basic CLI skills:
• gcloud usage, authentication, setting project/region
• Version control:
• Git basics, branching, PR reviews

What to learn after Cloud Deployment Manager

• Terraform on Google Cloud (widely used in industry)
• Policy-as-code / governance:
• Organization Policy, least privilege IAM patterns
• CI/CD for infrastructure:
• Cloud Build or other CI systems, approvals, artifact management
• Observability:
• Logging, monitoring, alerting, incident response
• Secure access patterns:
• IAP for SSH/RDP, private networking, shared VPC design

Job roles that use it

• Cloud engineer
• DevOps engineer
• Site Reliability Engineer (SRE)
• Platform engineer
• Cloud security engineer (for baseline templating and governance)
• Solutions architect (for designing standard landing zones)

Certification path (Google Cloud)

Cloud Deployment Manager is not usually a dedicated exam topic, but IaC and automation concepts appear across Google Cloud certifications. Consider: – Associate Cloud Engineer – Professional Cloud Architect – Professional Cloud DevOps Engineer
Verify current exam guides on Google Cloud’s certification pages: – https://cloud.google.com/learn/certification

Project ideas for practice

1. Build a “network baseline” deployment (VPC, subnets, firewall).
2. Create parameterized templates for dev/test/prod naming and CIDR ranges.
3. Add an instance template + managed instance group (verify type support and update behavior).
4. Build a CI pipeline that runs Preview on PRs and applies on merge.
5. Implement guardrails: – restrict external IPs (Org Policy), – enforce labels via process checks.

---

22. Glossary

• Infrastructure as code (IaC): Managing infrastructure using machine-readable definition files rather than manual configuration.
• Deployment (Deployment Manager): A project-scoped object representing a set of resources managed together.
• Configuration: YAML file describing resources, their types, and properties.
• Template: Jinja2 or Python file used to generate configuration dynamically.
• Resource type: Identifier mapping to a Google Cloud API endpoint/version (for example, compute.v1.instance).
• Preview: A pre-apply view of changes that would occur if you update/apply the deployment.
• Drift: When real infrastructure differs from what your IaC definitions expect, often due to manual changes.
• IAM (Identity and Access Management): Google Cloud system for permissions and roles.
• Service account: A non-human identity used by applications or automation to access Google Cloud APIs.
• Organization Policy: Governance controls applied at organization/folder/project level to restrict allowed configurations.
• VPC (Virtual Private Cloud): Google Cloud’s virtual network in which resources can communicate.
• Subnet: Regional IP range within a VPC.
• Firewall rule: Rule controlling allowed/denied traffic to/from instances.
• External IP: Public IPv4 address associated with a resource; can introduce exposure and cost.

---

23. Summary

Cloud Deployment Manager is Google Cloud’s native Infrastructure as code service for deploying and managing Google Cloud resources using declarative YAML and optional Jinja2/Python templates. It helps teams standardize infrastructure, reduce manual errors, and manage environment lifecycle with preview/create/update/delete workflows.

Its best fit is straightforward Google Cloud deployments where required resource types are supported and where a Google-native YAML approach is preferred—often for labs, consistent baselines, or maintaining existing Deployment Manager estates. Costs generally come from the resources you deploy (VMs, disks, egress, logging), not from Deployment Manager itself, so cost control depends on template design, safe defaults, and disciplined cleanup.

For security, focus on least-privilege IAM, avoid accidental public exposure (external IPs and broad firewall rules), and use audit logs and organization policies as guardrails. If you are choosing an IaC standard for the long term, verify Google Cloud’s current guidance and consider Terraform-based alternatives for broader ecosystem support and future alignment.

Next step: practice by extending the lab into a reusable template (parameterized region/zone, labels, hardened firewall rules), then evaluate how your organization wants to standardize IaC across projects and teams.