Before you deploy an application in production on Google Cloud Platform, you should test the application and its associated infrastructure to see how it’ll perform under different conditions.

There are at least 3 types of tests you should run:

• Load tests (where you stress your application with a heavy load)

• Resilience tests (where you see what happens when various infrastructure components fail), and

• Vulnerability tests (where you see if your application can withstand hacker attacks)

Ideally, you should run load tests before you put your application into production. Your tests should be designed to simulate real-world traffic as closely as possible. You should test at the maximum load you expect to encounter, which can admittedly be difficult to predict for some applications, but hopefully, you’ll have a reasonably good idea of how much traffic you’re likely to get. You should also measure how your Google Cloud costs increase as the number of users increases.

If you’re expecting a wide variation in how much traffic you get, then you should also test how your application performs when traffic suddenly increases. Resilience testing is similar to disaster recovery testing because you’re testing what happens when infrastructure fails, but the difference is that in resilience testing, you’re expecting your application to keep running, with little or no downtime.

One common testing scenario is to terminate a random instance within an autoscaling instance group. Netflix created software called Chaos Monkey that automates this sort of testing. If your application in the autoscaling instance group is stateless, then it should be able to survive this sort of failure without any noticeable impact on users. Since cyber-attacks are extremely common these days, your organization should put processes in place to test the security of your applications. Here are a few important ones:

First, ideally, your software development team should have a peer review process with developers checking each other's code for security flaws. Second, you should integrate a static code analysis tool, such as the vulnerability scanning feature of Google's Container Analysis service, into your Continuous Integration / Continuous Deployment pipeline to automate security checking.

Third, at least once a year, you should run penetration tests on your applications and infrastructure to see if they are vulnerable. You can either do this yourself or contract a third party to do it. Other cloud providers typically require that you request permission before you perform penetration testing on your cloud infrastructure. Surprisingly, Google does not require that you contact them.

Google also provides a useful tool called the Web Security Scanner. This service connects to the base URL of your application and follows all of the links in it while scanning for vulnerabilities, such as cross-site scripting, mixed content, and outdated libraries. It can scan applications hosted in App Engine, Compute Engine, and Google Kubernetes Engine.

And that’s it for this lesson.