Special compute configurations

Introduction to Preemptible VMs and Spot VMs

This section introduces preemptible VMs and spot VMs, which are cost-effective options for running instances on Google Cloud.

Preemptible VMs

  • Preemptible VMs offer a significant cost reduction compared to normal instances.
  • These VMs can be preempted at any time, but there is no charge if it happens within the first minute.
  • Preemptible VMs have a maximum lifespan of 24 hours and provide a 30-second notification before being preempted.
  • There are no live migrations or automatic restarts for preemptible VMs, but you can create monitoring and load balancers to start new instances in case of failure.

Use Cases for Preemptible VMs

  • Running batch processing jobs: If some instances terminate during processing, the job slows down but doesn't stop completely. This allows completing batch processing tasks without additional workload or full price for normal instances.

Spot VMs

  • Spot VMs are the latest version of preemptible VMs with additional features.
  • They use the spot provisioning model and have the same pricing model as preemptible VMs.
  • Unlike preemptible VMs, which have a maximum runtime of 24 hours, Spot VMs have no maximum runtime limit.
  • [t=118 s] Compute Engine might preempt Spot VMs based on system events, but the probability is generally low and varies depending on conditions.
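Both preemptible and Spot VMs are stopped shortly after the preemption notice and are not restarted automatically, so the batch-processing use case above depends on the worker noticing the preemption and checkpointing its progress. The following is an added example, not code from the video: a batch loop that polls the Compute Engine metadata server's documented `instance/preempted` flag between work items and checkpoints when the flag turns to `TRUE`; the `process` and `checkpoint` callbacks are hypothetical placeholders for the job's own logic.

```python
"""Graceful handling of the preemption notice on a preemptible or Spot VM."""
import time
import urllib.request

# Documented metadata-server path for the preemption flag ("TRUE" or "FALSE").
PREEMPTED_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                 "instance/preempted")


def fetch_preempted_flag(url: str = PREEMPTED_URL, timeout: float = 2.0) -> str:
    """Read the flag from the metadata server; the Metadata-Flavor header is required."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode().strip()


def run_batch(items, process, checkpoint, poll=fetch_preempted_flag, poll_every=1.0):
    """Process items in order, stopping at the first preemption notice.

    Returns (done_count, preempted). `process(item)` does the work for one item
    (hypothetical job logic); `checkpoint(done_count)` persists progress so a
    replacement instance can resume from that point. `poll()` returns the
    metadata flag and is injectable so the loop can be tested offline.
    """
    done = 0
    last_poll = 0.0
    for item in items:
        now = time.monotonic()
        if now - last_poll >= poll_every:
            last_poll = now
            try:
                if poll() == "TRUE":
                    # Notice received: save progress within the 30-second window
                    # instead of starting work that will be lost.
                    checkpoint(done)
                    return done, True
            except OSError:
                pass  # metadata server unreachable; keep working, retry next poll
        process(item)
        done += 1
    checkpoint(done)
    return done, False
```

A shutdown script installed on the instance can cover the case where the loop is between polls when the notice arrives; the checkpoint written here is what the replacement instance resumes from.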

[t=134 s] Sole-Tenant Nodes for Physical Isolation

This section discusses sole-tenant nodes, which provide physical isolation for workloads with compliance requirements.

Sole-Tenant Nodes

  • Sole-tenant nodes are dedicated physical Compute Engine servers for hosting VM instances of a specific project.
  • They can be used to keep instances physically separated from other projects or group them together on the same host hardware.
  • Spot VMs cannot live-migrate to become standard VMs while running, and they do not automatically restart after maintenance events.

[t=223 s] Shielded VMs for Enhanced Security

This section introduces shielded VMs, which offer verifiable integrity and enhanced security features.

Shielded VMs

  • Shielded VMs provide verifiable integrity to ensure instances haven't been compromised by boot or kernel-level malware.
  • They are part of the Shielded Cloud Initiative, which aims to provide a more secure foundation for Google Cloud.
  • Features like vTPM-based shielding or sealing of secrets help prevent data exfiltration.

Conclusion

In this video, we learned about preemptible VMs and spot VMs as cost-effective options on Google Cloud. Preemptible VMs offer significant cost savings but have limitations in terms of lifespan and automatic restart. Spot VMs, the latest version of preemptible VMs, provide additional features and do not have a maximum runtime limit. Sole-tenant nodes offer physical isolation for workloads with compliance requirements, while shielded VMs enhance security through verifiable integrity.

Confidential VMs

Confidential VMs are a breakthrough technology that allows you to encrypt data in use while it is being processed. Google Cloud's approach to encrypting data in use is simple: deployment is easy, requires no code changes to applications, and does not compromise performance. Collaboration can take place while preserving the confidentiality of the data.

Confidential VMs

  • Confidential VMs are a type of N2D Compute Engine VM instance running on hosts based on the second generation of AMD EPYC processors, code-named "Rome".
  • They utilize AMD Secure Encrypted Virtualization (SEV) and provide built-in optimization for both performance and security for enterprise-class high memory workloads.
  • Inline memory encryption is used, which does not introduce significant performance penalties on those workloads.

AMD Rome Processor Family

  • The AMD Rome processor family is specifically optimized for compute-heavy workloads with high memory capacity, high throughput, and support for parallel workloads.
  • AMD SEV provides support for Confidential Computing.

Confidential Execution Environments

  • With the confidential execution environments provided by Confidential VM and AMD SEV, Google Cloud keeps customers' sensitive code and other data encrypted in memory during processing.
  • Google does not have access to the encryption keys.