Where this fits
The Google Cloud Architecture Framework organizes Google’s guidance into pillars — System Design (part 1), Operational Excellence (part 2), Security/Privacy/Compliance, Reliability, Cost Optimization, and Performance Optimization — and Operational Excellence is the pillar that turns a designed system into one you can run, observe, change, and recover every day. Google frames it around five principles — ensure operational readiness and performance using CloudOps; manage incidents and problems; manage and optimize cloud resources; automate and manage change; continuously improve and innovate — built on a deliberate “embrace automation, orchestration, and data-driven insights” stance. This article walks the six engineering sub-components that operationalize those principles: operational readiness, observability, incident and problem management, release engineering and safe deployments, automation and toil reduction, and capacity and quota planning. It sits before Reliability in the series on purpose — you cannot promise an SLO you cannot see, deploy, or roll back.
Operational readiness — the CloudOps foundation
What it is. Operational readiness is the discipline of proving a workload can actually be operated in production before it carries real traffic, and of keeping that proof true as the system evolves. Google’s first principle — ensure operational readiness and performance using CloudOps — bundles four practices that gate go-live: defining SLOs, comprehensive monitoring, performance testing, and capacity planning. The framework’s mental model is the four readiness dimensions: people (who is on call, are they trained), processes (runbooks, escalation, change control), tooling (observability, deploy, automation), and governance (SLOs agreed, ownership recorded). Readiness is not a one-time checklist; it is a recurring gate at every significant launch and architecture change.
Why it matters. The most expensive incidents are the ones a team cannot diagnose because the service shipped without the operational scaffolding — no SLO to tell whether behavior is even wrong, no dashboard that maps to user journeys, no runbook, no named owner, no load test to reveal the cliff. Readiness front-loads that work into the cheap part of the lifecycle. It is also the connective tissue of the whole pillar: the SLOs you define here become the alerting basis for incident management, the deploy gates for release engineering, and the demand signal for capacity planning. Skip readiness and every later sub-component inherits the gap.
How to do it well. Run launches through a Production Readiness Review (PRR) — Google’s SRE practice — as a structured gate, not a rubber stamp. The PRR interrogates the service against a fixed rubric and produces a signed-off artifact. A pragmatic GCP-flavored rubric:
| Readiness dimension | The question the PRR asks | GCP artifact / evidence |
|---|---|---|
| Ownership | Who owns this service and its on-call? | Entry in service catalog; PagerDuty/Opsgenie schedule; Cloud Asset Inventory labels (owner, team, cost-center) |
| SLOs | What are the user-facing SLIs and their SLO targets? | Cloud Monitoring services & SLOs objects; error-budget policy doc |
| Monitoring | Can we see the critical user journeys? | Dashboards in Cloud Monitoring; alerting policies on SLO burn rate |
| Logging | Are logs structured, retained, and queryable? | Cloud Logging buckets + retention; log-based metrics |
| Runbooks | Is there a documented response for the top failure modes? | Linked runbooks; alert annotations pointing to them |
| Capacity | Have we load-tested to the cliff and reserved headroom? | Load-test report; quota review; autoscaler config |
| Rollback | Can we revert a bad change in minutes? | Cloud Deploy rollback target; documented procedure |
| DR | What is the RTO/RPO and has failover been tested? | Backup config; tested failover record |
Artifacts & GCP tooling. The readiness sub-component produces a PRR document, a service catalog entry, an SLO definition (in code or as a Monitoring object), a load-test report, and an on-call schedule. The signed PRR is the gate the platform team checks before granting production deploy permissions. Codify the rubric as a checklist in your repo so it travels with the service, and re-run it at every architecture change of consequence (new region, new dependency, 10× traffic).
Observability — Cloud Logging, Cloud Monitoring, Cloud Trace, and Error Reporting
What it is. Observability is the property that lets you ask arbitrary questions about your system’s behavior from its external outputs — without shipping new code to answer each one. It rests on three telemetry signals — metrics, logs, and traces — plus aggregated errors as a fourth, derived view. On Google Cloud these map directly to the Cloud Operations suite (formerly Stackdriver):
| Signal | What it answers | GCP service | The unit |
|---|---|---|---|
| Metrics | “Is something wrong, and how wrong?” (rates, latencies, saturation) | Cloud Monitoring | Time series (e.g. run.googleapis.com/request_count) |
| Logs | “What exactly happened on this request?” | Cloud Logging | Structured LogEntry (JSON payload + resource + severity) |
| Traces | “Where did the latency go across services?” | Cloud Trace | Spans stitched into a distributed trace |
| Errors | “What’s the new/most-frequent crash?” | Error Reporting | Deduplicated error group + count + first/last seen |
| CPU/heap hotspots | “Why is this slow/expensive in code?” | Cloud Profiler | Statistical flame graph |
Why it matters. The pillar’s bias toward data-driven insights is hollow without telemetry that maps to the user’s experience rather than to server internals. A pod at 100% CPU is not an incident if requests still succeed within latency targets; conversely every dependency can report “healthy” while users get 503s. Observability done well lets you build SLIs on the success ratio and latency of user journeys, diagnose a novel failure in minutes by pivoting from a metric spike to the exact logs to the slow span, and do all of this without re-deploying. Done badly — unstructured printf logs, dashboards full of CPU graphs, no trace propagation — it produces the worst failure mode in operations: a war room where nobody can answer “what is actually broken?”
How to do it well — metrics and dashboards (Cloud Monitoring). Instrument the four golden signals — latency, traffic, errors, saturation — for every service, because they generalize across architectures and feed SLOs directly. Adopt OpenTelemetry as the vendor-neutral instrumentation layer and export to Managed Service for Prometheus (Google’s drop-in for Prometheus that ingests PromQL and scales to billions of active series without you running the storage). Build dashboards per critical user journey, not per machine, and keep one “service overview” dashboard that any responder can open cold. Define alerting policies on symptoms (SLO burn rate, elevated error ratio) rather than causes (high CPU), so you page on user pain and not on noise. Use multi-window, multi-burn-rate alerts (e.g. a fast 1-hour window at 14.4× burn for “page now,” a slow 6-hour window at 6× for “ticket”) to catch both sudden and slow budget exhaustion while controlling false pages.
How to do it well — logs (Cloud Logging). Emit structured JSON logs so every field is queryable in the Logs Explorer with the Logging query language (LQL); on GKE, Cloud Run, and App Engine, severity and trace context are auto-extracted. Route logs with the Log Router through sinks into the right destination: keep hot operational logs in log buckets (with Log Analytics enabled so you can query them as a BigQuery dataset via SQL), tier audit and security logs to BigQuery for long-horizon analysis and to Cloud Storage or Pub/Sub for archive and streaming. Turn recurring signals into log-based metrics so a log pattern becomes a graphable, alertable time series. Crucially, correlate logs to traces: when a log entry carries trace/spanId fields, Cloud Logging and Cloud Trace cross-link, so one click takes a responder from an error log to the full distributed trace of that exact request.
How to do it well — traces and errors. Propagate W3C Trace Context (or the legacy X-Cloud-Trace-Context) end-to-end so Cloud Trace can reconstruct the request waterfall across Cloud Run, GKE, and managed back ends; Trace’s latency analysis finds the slow hop and surfaces latency distributions per endpoint. Let Error Reporting do the de-duplication it is built for — it groups stack traces into error groups, tracks first/last-seen and occurrence counts, and notifies on new error types, which is exactly the “what regressed in this release?” signal you want piped into a deploy gate or chat channel. Reach for Cloud Profiler when a service is correctly behaved but expensive or slow, to see CPU and heap attribution down to the function with negligible overhead.
Artifacts & GCP tooling. The observability sub-component produces a telemetry standard (golden signals + structured-log schema + trace-context propagation as a platform contract), dashboards as code (Monitoring dashboards exported to JSON/Terraform), alerting policies as code, a log-retention and routing design (sinks, buckets, BigQuery datasets), and SLO objects in Cloud Monitoring. The platform team should ship a golden instrumentation library / OpenTelemetry baseline so every team inherits correct telemetry by default rather than reinventing it.
Incident and problem management — response, retrospectives, and prevention
What it is. Google’s second principle — manage incidents and problems — separates two related-but-distinct loops. Incident management is the reactive loop: detect, respond, mitigate, and restore service fast when something breaks. Problem management is the proactive loop: find and remove the underlying cause so the incident class never recurs. The pillar names the ingredients explicitly: comprehensive observability (the detection feedstock), clear incident response procedures, thorough retrospectives, and preventive measures.
Why it matters. Mean time to detect and mean time to restore are the metrics your users actually feel; unmanaged incidents stretch both, and chaotic response (no clear commander, no comms, ad-hoc debugging) makes a 5-minute glitch into a 2-hour outage and a trust loss. Equally, an organization that only fights fires — that never closes the problem-management loop — will fight the same fire indefinitely, burning its error budget and its people. The pair is what converts raw observability into durable reliability.
How to do it well — incident response. Adopt a structured Incident Command System (ICS), the model Google’s SRE program uses, with clearly separated roles so cognitive load is distributed:
| ICS role | Responsibility | Anti-pattern it prevents |
|---|---|---|
| Incident Commander (IC) | Owns the incident, makes decisions, delegates; does not debug | One hero doing everything |
| Operations / Ops Lead | The only person changing the system; executes mitigations | Multiple people making conflicting changes |
| Communications Lead | Updates stakeholders and status page on a cadence | Engineers interrupted for status |
| Planning / Scribe | Records the timeline, actions, and decisions | An unreconstructable retrospective |
Drive severity levels (SEV1–SEV4) that map to response expectations and escalation. Detection should be symptom-based alerts on SLO burn rate flowing into an on-call tool (PagerDuty, Opsgenie) with schedules and escalation policies. Maintain runbooks linked directly from alert annotations so the responder lands on “what to check, what to do” without hunting. Declare incidents early and cheaply — a low bar to declare beats a high bar to suffer. Practice with DiRT-style disaster drills and game days so the muscle exists before it is needed.
How to do it well — problem management & retrospectives. Every significant incident gets a blameless postmortem — Google’s signature practice — that focuses on what in the system and process allowed this, never who erred. The artifact has a fixed shape: summary, impact (with SLO/error-budget cost), timeline, root cause (push past the first cause with the “5 Whys”), what went well / what went wrong / where we got lucky, and a list of action items with owners and due dates tracked to completion. The blameless framing is not soft; it is what makes engineers tell the truth about contributing factors, which is the only way to fix them. Feed recurring root causes into problem records and an error-budget policy: when the budget is exhausted, the policy freezes risky change and redirects effort to reliability work — turning the dev-vs-SRE tension into a rule rather than a fight.
Artifacts & GCP tooling. The artifacts are an incident-response plan, severity matrix, on-call schedule, runbook library, postmortem template + archive, action-item tracker, and an error-budget policy. On GCP, alerting policies and SLO burn-rate in Cloud Monitoring are the detection source; Personalized Service Health surfaces Google-side incidents affecting your specific projects (so you do not postmortem an outage that was Google’s, and you do get a verified signal when it was); Cloud Logging’s timeline and Trace reconstruct the technical narrative for the postmortem; and the postmortem archive itself often lives in a doc/wiki linked from the service catalog.
Release engineering and safe deployments — Cloud Build, Cloud Deploy, and progressive rollout
What it is. Release engineering is the discipline of getting a code change from a developer’s commit into production safely, repeatably, and reversibly. It spans the build (compile, test, produce an immutable artifact), the supply-chain controls (provenance, signing, admission), and the deployment strategy that limits blast radius. Google’s fourth principle — automate and manage change — is explicit that CI/CD pipelines and IaC are the mechanism, and that change must be managed, not just automated.
Why it matters. A large share of production incidents are self-inflicted by deployments — a bad config, a regressed binary, a schema change without a backout. The cost of a deploy-induced outage is a direct function of two design choices: how big a population the bad version reaches before you notice (blast radius) and how fast you can revert (recovery time). Progressive delivery plus one-click rollback collapses both. Equally, an unverified supply chain is an open door: if you cannot prove what you deployed and that nothing tampered with it, you cannot trust production.
How to do it well — the GCP toolchain. Google provides a coherent, managed path from commit to production:
| Stage | GCP service | What it does |
|---|---|---|
| Source / trigger | Cloud Build triggers (or Cloud Build connected to GitHub/GitLab) | Fires the pipeline on push/PR/tag |
| Build & test | Cloud Build | Runs declarative steps in containers; unit/integration/e2e tests |
| Artifact store | Artifact Registry | Immutable, versioned container images and language packages |
| Provenance | SLSA / Cloud Build attestations + Software Delivery Shield | Generates build provenance (who/what/how built) |
| Admission control | Binary Authorization | Blocks any image lacking required attestations from running on GKE/Cloud Run |
| Vulnerability scan | Artifact Analysis | Scans images for CVEs continuously |
| Progressive delivery | Cloud Deploy | Managed delivery pipeline: dev→staging→prod with approvals, canary, and rollback |
| Fleet config | Config Sync / Policy Controller | GitOps for GKE fleet state and admission policy |
How to do it well — deployment strategies. Pick the rollout pattern by risk and stateful-ness:
| Strategy | Mechanism | Blast radius | Best for |
|---|---|---|---|
| Canary | Route a small % (e.g. 5%) to the new version, watch SLIs, then ramp | A fraction of traffic | Default for stateless services; native in Cloud Deploy and Cloud Run revision traffic splitting |
| Blue-green | Stand up a full new environment, cut over, keep old warm | All-or-nothing but instant rollback | Releases that cannot run two versions side by side |
| Rolling | Replace instances incrementally | Grows with the rollout | GKE Deployments / MIG rolling updates |
| Feature flags | Decouple deploy from release; toggle features at runtime | Per-user/segment | Decoupling shipping code from exposing it |
The decisive practice is automated rollback on SLO regression: wire Cloud Deploy canary phases to Cloud Monitoring verification so a burn-rate breach during the canary automatically aborts and reverts. Treat infrastructure as code as part of releases — Infrastructure Manager (Google’s managed Terraform) or Terraform in the pipeline — so environment changes get the same review, plan, and rollback discipline as application code. Keep artifacts immutable and promote the same artifact through environments (never rebuild per stage), so what you tested is byte-for-byte what you ship.
Artifacts & GCP tooling. This sub-component produces a CI/CD pipeline definition (cloudbuild.yaml), a Cloud Deploy delivery pipeline with named targets and promotion sequence, Binary Authorization policy, deployment-strategy standards per workload tier, a rollback runbook, and IaC modules under version control. The platform team typically ships a golden pipeline template so product teams get canary + verification + rollback by default.
Automation and toil reduction — eliminating manual, repetitive operational work
What it is. Toil is Google’s precise term for operational work that is manual, repetitive, automatable, tactical, devoid of enduring value, and scales linearly with service growth. The fourth principle’s intent — “alleviate the burden of manual labor” — is to drive toil down so engineers spend their time on engineering, not on hand-cranking the same fix. SRE’s well-known guidance caps toil at roughly 50% of an SRE’s time; above that, reliability and morale both decay.
Why it matters. Toil that scales linearly with the fleet is an existential limit on growth: if every new service adds a fixed slice of manual work, headcount must grow with the estate and humans become the bottleneck and the error source. Manual, repetitive operations are also where outages are born — a fat-fingered console change, a forgotten step, an inconsistent environment. Automation removes the human from the repetitive loop, which simultaneously increases reliability, throughput, and the team’s capacity to do work that compounds.
How to do it well. First measure toil (survey on-call load, count manual interventions) so you can target the worst offenders and prove the win. Then attack it in layers:
| Toil source | Automation on GCP |
|---|---|
| Provisioning & environments | Infrastructure Manager / Terraform; project factory; Config Controller |
| Config drift across a fleet | Config Sync (GitOps) so cluster/fleet state self-heals to Git |
| Scaling under load | Cluster Autoscaler, HPA/VPA, MIG autoscaling, Cloud Run concurrency — capacity as a feedback loop, not a ticket |
| Patching & images | VM Manager (OS patch management); rebuild golden images in Cloud Build |
| Scheduled/event ops | Cloud Scheduler + Cloud Run jobs / Cloud Functions; Workflows and Eventarc to orchestrate |
| Remediation | Event-driven auto-remediation: log/finding → Pub/Sub → Cloud Function that fixes the resource |
| Recommendations | Active Assist / Recommender to surface (and optionally auto-apply) rightsizing, idle-resource, and security fixes |
The cultural complement is “automate yourself out of a job” as a virtue, and the error-budget incentive: when reliability work (including toil reduction) competes with features, the budget policy gives it teeth. Treat automation code as production code — it gets review, testing, and observability — because a buggy auto-remediation can do damage faster than any human.
Artifacts & GCP tooling. The sub-component produces a toil inventory and budget, an automation backlog prioritized by toil-hours saved, runbooks converted into runnable automation (the goal is to demote a runbook from “human follows steps” to “a job runs the steps”), IaC modules, and auto-remediation functions. A useful KPI is the share of incidents auto-detected and auto-mitigated versus those needing a human.
Capacity and quota planning — staying ahead of demand without overpaying
What it is. Capacity planning ensures resources are available to meet demand at the required performance and reliability — before the demand arrives — while not paying for idle headroom. On Google Cloud it has a distinctive second half: quota management. Google enforces per-project, per-region quotas (API rates, CPUs, IP addresses, GPUs, etc.) that act as guardrails; a quota ceiling you did not plan for will throttle a launch or a failover even when the underlying capacity exists. Capacity planning on GCP therefore means modeling demand and ensuring quota (and, for guaranteed capacity, reservations) are in place to serve it.
Why it matters. The failure modes are symmetric and both costly. Under-provisioning (or hitting a quota wall) causes throttling, latency, and outages — and quota limits are an especially nasty surprise because they bite during exactly the surge or regional failover you provisioned hardware for. Over-provisioning quietly burns budget on idle capacity, which the Cost Optimization pillar will charge you for. The pillar’s manage and optimize cloud resources principle (right-sizing, autoscaling, monitoring) is the steady-state half; deliberate capacity planning is the forward-looking half that keeps launches and peak events from falling off a cliff.
How to do it well. Treat capacity as a forecast-and-reserve loop:
| Practice | What to do | GCP mechanism |
|---|---|---|
| Forecast demand | Model organic growth + known events (sales, launches) from historical metrics | Cloud Monitoring history; BigQuery analysis |
| Load-test to the cliff | Find the saturation point and per-instance capacity empirically | Load testing in a prod-like env; document the cliff |
| Right-size | Match machine types/requests to real usage | Active Assist / Recommender rightsizing recommendations |
| Autoscale for variability | Absorb normal variation automatically | HPA/VPA, Cluster Autoscaler, MIG autoscaling, Cloud Run |
| Raise quotas ahead of need | Request increases before the surge or DR test, with lead time | Cloud Quotas API / IAM-managed quota requests; quota alerts at e.g. 80% |
| Guarantee scarce capacity | Reserve when you must not be denied (GPUs, big peaks, DR region) | Compute reservations; CUDs for committed discounts |
| Plan for failover capacity | Ensure the failover region has both quota and headroom for shifted load | Per-region quota review; reservations in the DR region |
The most-missed step is failover capacity and quota: a DR plan that assumes “we’ll just scale up in region B” fails if region B’s project quota was never raised to hold region A’s traffic. Bake quota checks into the readiness PRR and into game days. Use Cloud Quotas to monitor consumption with alerts (e.g. page at 80% of a critical quota) so you raise limits with lead time rather than during an incident.
Artifacts & GCP tooling. This sub-component produces a demand forecast, a capacity model (per-instance capacity × headroom factor), a quota register (which quotas matter, current limit, alert thresholds, DR-region values), a reservation/CUD plan, and autoscaler configurations. The forward review cadence (e.g. quarterly, plus before every major event) is itself an artifact of the operating model.
Real-world enterprise scenario
Company. Saffron Pay — a fictional pan-India digital-payments platform processing UPI and card transactions for 40 million consumers and 2 million merchants. Their workload runs on GKE (transaction services), Cloud Run (merchant APIs and webhooks), Cloud Spanner (ledger), and Pub/Sub + Dataflow (settlement and reconciliation). Regulatory pressure is high, traffic is spiky (festival sales, salary-day peaks), and a payments outage is front-page news. After a 38-minute partial outage during a festival sale — caused by a bad config deploy that nobody could roll back quickly and a CPU dashboard that told them nothing about why payments were failing — leadership chartered an Operational Excellence program against the Architecture Framework.
Operational readiness. Saffron Pay stood up a Production Readiness Review gate owned by a new SRE platform team. No service reaches the production GKE fleet without a signed PRR covering ownership, SLOs, dashboards, runbooks, load-test evidence, and a tested rollback. They populated Cloud Asset Inventory labels (owner, team, tier, pii) across every project, so the catalog and on-call mapping are queryable. The PRR caught that the webhook service had no runbook and the reconciliation Dataflow job had no owner — both fixed before the next launch.
Observability. They standardized on OpenTelemetry + Managed Service for Prometheus and mandated structured JSON logging with trace context across all services. Per critical user journey — “merchant collects a payment,” “consumer pays via UPI,” “settlement file generated” — they built a Cloud Monitoring dashboard on the four golden signals and a request-based SLO of 99.95% success and p99 < 800 ms for the consumer-pay journey. Logs route via Log Router: hot logs in a log bucket with Log Analytics, audit/security logs tiered to BigQuery (400-day retention) and archived to Cloud Storage. Error Reporting posts every new error group into a Chat space; Cloud Trace is used to find the slow hop — which, in one investigation, was a Spanner hotspot that Cloud Profiler then tied to an inefficient query.
Incident & problem management. They adopted ICS with named IC / Ops / Comms / Scribe roles, a SEV1–SEV4 matrix, and PagerDuty schedules fed by multi-burn-rate SLO alerts (page at 14.4× over 1h; ticket at 6× over 6h). Every SEV1/SEV2 gets a blameless postmortem in a fixed template with owned, due-dated action items tracked to closure. They enabled Personalized Service Health so they distinguish “Saffron Pay broke it” from “Google broke it.” Within two quarters, repeat-cause incidents dropped because problem records forced fixes (e.g. the Spanner hotspot became a schema change, not a recurring page).
Release engineering. The festival-sale root cause — an irreversible bad config — drove the biggest change. They moved to Cloud Build → Artifact Registry (immutable images, scanned by Artifact Analysis) → Binary Authorization (only attested images run) → Cloud Deploy delivery pipelines (dev→staging→prod) with canary rollouts and automatic rollback on SLO regression wired to Cloud Monitoring. Infrastructure changes go through Infrastructure Manager. Feature flags now decouple deploy from release for risky changes. Result: a bad canary aborts at 5% traffic in under two minutes instead of reaching 100%.
Automation & toil reduction. A toil survey showed on-call spent ~40% of time on manual scaling tickets, drift fixes, and patching. They moved fleet config to Config Sync (GitOps self-heal), patching to VM Manager, and built auto-remediation Cloud Functions (e.g. a Pub/Sub-triggered function that re-enables a misconfigured firewall rule from a Security finding). Scheduled reconciliation moved to Cloud Run jobs + Cloud Scheduler. Active Assist rightsizing recommendations are reviewed monthly.
Capacity & quota planning. They built a demand forecast for festival and salary-day peaks, load-tested each journey to its cliff, and created a quota register with Cloud Quotas alerts at 80% per critical quota and per region. Crucially, they raised failover-region quotas and placed Compute reservations + CUDs so a regional failover or a 6× festival surge has both quota and warm headroom — the exact gap that caused the original outage.
Measurable outcome (12 months).
| Metric | Before | After |
|---|---|---|
| MTTR (SEV1) | ~95 min | ~18 min |
| Deploy-induced incidents / quarter | 7 | 1 |
| Change failure rate | ~22% | ~6% |
| Time to roll back a bad release | ~25 min (manual) | < 2 min (auto, at 5% canary) |
| On-call toil (% of time) | ~40% | ~14% |
| Quota/capacity-related throttling events | 4 (incl. the festival outage) | 0 |
| Consumer-pay SLO attainment | not measured | 99.96% (target 99.95%) |
Deliverables & checklist
Common pitfalls
-
Monitoring servers instead of journeys. Dashboards full of CPU/memory and alerts on host metrics page the team for non-incidents and miss real user pain. Avoid it: build SLIs and alerts on the success ratio and latency of critical user journeys, alert on SLO burn rate, and reserve resource metrics for diagnosis, not paging.
-
Deploying without a fast, tested rollback. The classic self-inflicted outage: a bad change reaches 100% of traffic and recovery takes 25 minutes of manual scramble. Avoid it: mandate immutable artifacts, canary with Cloud Monitoring verification, and automatic rollback on SLO regression via Cloud Deploy; keep config changes reversible too.
-
Forgetting quota — especially in the failover region. Hardware exists but the per-project, per-region quota throttles a launch or a DR failover. Avoid it: maintain a quota register, set Cloud Quotas alerts at 80%, raise limits with lead time, and verify failover-region quota and reservations in game days.
-
Postmortems that hunt for a culprit. Blameful retrospectives teach engineers to hide contributing factors, so the same incident recurs. Avoid it: run blameless postmortems focused on systemic and process causes, with action items owned and tracked — and feed recurring causes into problem records.
-
Treating toil as “just the job.” Manual scaling tickets, drift fixes, and patching scale linearly with the fleet and become the bottleneck and the error source. Avoid it: measure toil, cap it (~50%), and convert runbooks into runnable automation — Config Sync, VM Manager, Cloud Run jobs, auto-remediation — with toil-hours-saved as the prioritization metric.
-
Unstructured logs and broken trace context.
printflogs and missingtrace/spanIdfields mean a war room cannot pivot from a metric spike to the offending request. Avoid it: enforce structured JSON logging and end-to-end trace propagation as a platform contract so Cloud Logging ↔ Cloud Trace cross-linking works on every request.
What’s next
Part 3 of the Google Cloud Architecture Framework series covers Security, Privacy & Compliance — applying defense-in-depth, identity-first access, data protection, and compliance controls across your Google Cloud estate.