This chapter covers Anthos, Google Cloud's hybrid and multi-cloud application platform. Anthos enables you to run applications consistently across on-premises data centers, Google Cloud, and other public clouds like AWS and Azure. For the GCDL exam, understanding Anthos's architecture, key components, and use cases is critical because approximately 10-15% of questions touch on hybrid/multi-cloud topics, and Anthos is the primary Google solution in this space. You will be tested on what Anthos is, its main components (GKE on-prem, Anthos Service Mesh, Config Management, Marketplace), and how it enables workload portability and unified management.
Imagine a multinational company with factories in three countries: each factory uses different machinery, different electrical standards, and different inventory systems. The CEO wants to deploy a new assembly line that runs identically across all factories. Instead of standardizing all factories (impossible), they hire a team of 'universal technicians' who bring a standardized container of tools and parts to each factory. At each site, they plug into a universal adapter that converts local power and data formats into a common interface. The technicians don't care whether the factory uses 220V or 110V, or whether the inventory system is SAP or Oracle; they just run their containerized process. The adapter handles logging, monitoring, and security for that container, and reports back to a central dashboard. Anthos works the same way: it provides a consistent Kubernetes-based platform that runs on Google Cloud, AWS, Azure, or on-premises. The 'universal adapter' is Anthos Service Mesh together with Config Management, which abstract the underlying infrastructure differences. The central dashboard is the Anthos Console, giving unified visibility. Just as the technicians can move between factories without retraining, applications can move between clouds without code changes.
What is Anthos and Why Does It Exist?
Anthos is a hybrid and multi-cloud application platform that extends Google Cloud services—specifically Google Kubernetes Engine (GKE), Cloud Run, and Istio—to run on your own hardware or in other public clouds. It was announced in April 2019 and has since become Google's flagship solution for enterprises that need consistency across environments. The core problem Anthos solves is that Kubernetes clusters on different clouds are not identical: each cloud provider has its own networking, storage, security, and monitoring integrations. Without Anthos, you would need to manually configure and manage each cluster separately, leading to configuration drift, security gaps, and operational overhead. Anthos provides a unified control plane that enforces consistent policies, service mesh, and configuration across all clusters.
How Anthos Works Internally
Anthos consists of several layers:
1. Anthos Clusters (formerly GKE on-prem and GKE on AWS/Azure): These are Kubernetes clusters that run on your infrastructure (bare metal or VMware) or on other clouds. They are managed by Google Cloud's control plane via a secure, outbound connection from the cluster. The clusters use the same GKE software stack, including the same version of Kubernetes, container runtime (containerd), and a Google-maintained CNI (Calico on older releases, Cilium via GKE Dataplane V2 on newer ones).
2. Anthos Config Management (ACM): This is a GitOps-style configuration tool that uses a Git repository as the single source of truth for cluster configuration. ACM runs a controller called config-management-operator that syncs policies, roles, namespaces, and other resources from a Git repo to all registered clusters. It supports hierarchical namespace management and Policy Controller (based on Open Policy Agent) for enforcing constraints.
3. Anthos Service Mesh (ASM): This is a managed Istio distribution that provides traffic management, observability, and security for microservices. ASM runs a sidecar proxy (Envoy) alongside each pod, intercepting all inbound and outbound traffic. It supports mTLS, fine-grained routing, and telemetry (using Google Cloud's Operations Suite).
4. Anthos Identity Service (AIS): This provides a unified authentication layer, allowing users to log in to multiple clusters using their existing identity provider (LDAP, Active Directory, OIDC).
5. Migrate for Anthos (later renamed Migrate to Containers): This tool automates the migration of virtual machines (VMs) from on-premises or other clouds into containers running on Anthos. It analyzes VM disk images, extracts application stacks, and generates Dockerfiles and Kubernetes manifests.
6. Anthos Deployments (formerly Cloud Marketplace for Anthos): A curated catalog of pre-built, validated application containers that can be deployed across Anthos clusters.
Key Components, Values, and Defaults
Anthos Clusters (GKE on-prem) version: Typically follows GKE release versions. As of 2024, the latest stable version is 1.28.x. Google supports n-2 versions.
Config Management sync interval: Default is 15 seconds. You can configure it via the spec.git.syncWait field in the ConfigManagement custom resource (or spec.git.period on a RootSync/RepoSync object when multi-repo mode is enabled).
Policy Controller constraints: Uses OPA Rego language. Google provides a library of built-in constraints (e.g., "require all pods to have resource limits").
Service Mesh mTLS: By default, ASM enables permissive mTLS (accepts both plaintext and TLS). You can set it to strict mTLS for production.
Anthos Identity Service: Supports OIDC providers like Okta, Azure AD, and Google Workspace.
Configuration and Verification Commands
To register a cluster with Anthos (the fleet), you use the gcloud command-line tool. The `gcloud container hub` command group is the older name for `gcloud container fleet`; both spellings work in current SDKs. The `--gke-cluster` value is `LOCATION/CLUSTER_NAME`:

```shell
gcloud container hub memberships register CLUSTER_NAME \
  --gke-cluster=LOCATION/CLUSTER_NAME \
  --enable-workload-identity
```

To verify registration:

```shell
gcloud container hub memberships list
```

To install Anthos Config Management (the `alpha` prefix dates from before the command went GA; newer SDKs also accept `gcloud container fleet config-management apply`):

```shell
gcloud alpha container hub config-management apply \
  --membership=MEMBERSHIP_NAME \
  --config=apply-spec.yaml
```

To check ACM status:

```shell
gcloud alpha container hub config-management status \
  --membership=MEMBERSHIP_NAME
```

How Anthos Interacts with Related Technologies
Anthos integrates deeply with Google Cloud's operations suite (Cloud Monitoring, Logging, and Trace). Metrics from all clusters are sent to Cloud Monitoring, allowing you to create dashboards and alerts across environments. Anthos also integrates with Cloud Build for CI/CD, and with Cloud Armor for web application firewall policies. For networking, Anthos uses Cloud Interconnect or VPN to connect on-premises clusters to Google Cloud. In multi-cloud setups, Anthos relies on public internet or dedicated interconnects between clouds.
Exam-Relevant Details
Anthos is not a single product; it is a platform comprising multiple components.
Anthos supports bare metal servers (Anthos clusters on bare metal), VMware vSphere (Anthos clusters on VMware), and other clouds (Anthos clusters on AWS, Azure).
Anthos Config Management uses GitOps—the desired state is in a Git repository, and ACM syncs it.
Anthos Service Mesh is based on Istio but is a managed service (Google handles the control plane).
Migrate for Anthos can migrate VMs from any source (on-prem, AWS, Azure) to containers on Anthos.
Anthos is billed per vCPU of the nodes in registered clusters, metered hourly and quoted at roughly $10 per vCPU per month for clusters on Google Cloud; a higher per-vCPU rate applies to clusters on other clouds and on-premises. There is no separate flat per-cluster fee, and the underlying compute, storage, and networking are billed separately. Always confirm current rates on the official pricing page.
Common Misconfigurations
Not enabling Workload Identity: This breaks integration with Google Cloud services from on-prem clusters.
Using incompatible Kubernetes versions: Anthos requires specific GKE versions.
Not configuring network connectivity properly: On-prem clusters need stable, low-latency connectivity to Google Cloud for the control plane.
Ignoring the 15-second sync delay: ACM is not instantaneous; changes in Git take up to 15 seconds to propagate.
Conclusion
Anthos is Google Cloud's strategic platform for hybrid and multi-cloud. It abstracts infrastructure differences and provides a consistent Kubernetes experience. For the GCDL exam, focus on understanding the components and their roles, not on deep configuration details. Know that Anthos enables workload portability and unified management across environments.
Register an existing GKE cluster
First, you must register your Kubernetes cluster with the Anthos fleet. This is done using the `gcloud container hub memberships register` command. The command creates a membership resource in the Anthos fleet, linking the cluster to a Google Cloud project. Registration deploys the Connect agent into the cluster, which opens an outbound, authenticated connection to Google Cloud's control plane; the `--enable-workload-identity` flag additionally lets the cluster's Kubernetes service accounts authenticate to Google Cloud APIs through fleet Workload Identity. The cluster must have the required API enabled (`gkehub.googleapis.com`). After registration, the cluster appears in the Anthos Console under 'Clusters'. This step is mandatory for all Anthos features.
Install Anthos Config Management
After registration, you install ACM on the cluster. This is done by applying a `ConfigManagement` custom resource to the cluster. The resource specifies the Git repository URL, the branch, the directory to sync, and the sync interval (`spec.git.syncWait`, default 15 seconds). ACM then deploys its controllers: the `config-management-operator`, Config Sync's reconcilers, and, when enabled, Policy Controller (Gatekeeper) and Hierarchy Controller. These controllers continuously reconcile the cluster toward the state declared in the Git repository. If a resource is deleted from Git, ACM will delete it from the cluster. This ensures the cluster is always in the desired state.
Deploy a sample application
Once ACM is syncing, you can deploy applications by adding Kubernetes manifests to the Git repository. For example, you can add a Deployment and Service YAML files. ACM will automatically apply these to the cluster. The application will run in the cluster, and its traffic can be managed by Anthos Service Mesh if installed. This step demonstrates the GitOps workflow: changes are made in Git, not on the cluster directly. The cluster will reflect the repository state within the sync interval.
Enable Anthos Service Mesh
To gain advanced traffic management and security, you enable ASM. This is done with the `asmcli` installer or, for the Google-managed control plane, by enabling the fleet Mesh feature (`gcloud container fleet mesh enable`, then `gcloud container fleet mesh update --management automatic --memberships=MEMBERSHIP_NAME`). ASM installs or connects the cluster to Istio's control plane (istiod) and injects Envoy sidecar proxies into pods in namespaces labeled for injection. You can then define VirtualServices and DestinationRules to control traffic routing, implement canary deployments, and enforce mTLS with a PeerAuthentication resource. ASM also sends telemetry to Cloud Monitoring automatically.
Monitor and enforce policies
Finally, you use Policy Controller (part of ACM) to enforce policies across all clusters. For example, you can create a constraint that requires all pods to have resource limits. If someone tries to create a pod without limits, the Gatekeeper admission webhook rejects the request, and a periodic audit reports any pre-existing violations in the constraint's status. Policies are defined in the Git repository as ConstraintTemplates (which carry the Rego logic) and Constraints (which select what the template applies to). This centralizes governance across hybrid and multi-cloud environments.
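The five steps above, written out as the manifests a practitioner would actually commit. This is an added example, not configuration from the page or from Google's documentation; the repository URL, cluster name, directory layout and namespace names are assumptions. The first document is the apply-spec.yaml handed to gcloud; the remaining documents live in the Git repository and reach the cluster through Config Sync. The same block illustrates the defaults listed under Key Components, Values, and Defaults (syncWait and the mTLS mode). It goes slightly beyond the text by writing the resource-limits check as a hand-written ConstraintTemplate in Rego rather than reusing the library's K8sContainerLimits, so that the Rego the page mentions is visible:

```yaml
# apply-spec.yaml: passed to `gcloud ... config-management apply`.
# Repo URL, branch, cluster name and policyDir are placeholders (assumptions).
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  clusterName: store-cluster-01
  sourceFormat: unstructured
  git:
    syncRepo: https://github.com/example-org/acm-config.git
    syncBranch: main
    policyDir: clusters/store-cluster-01
    secretType: none        # public repo for the example; use ssh or token for a real one
    syncWait: 15            # seconds between syncs; 15 is the default the text cites
  policyController:
    enabled: true
---
# Everything below is committed under policyDir and lands on the cluster
# through Config Sync; nothing is applied by hand with kubectl.
#
# Mesh-wide STRICT mTLS: a PeerAuthentication named "default" in the mesh root
# namespace (istio-system) replaces the permissive default, so plaintext
# connections to sidecar-injected pods are rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Policy Controller template: Rego that flags any container missing a CPU or
# memory limit. Hand-written for this example; Google's constraint library
# ships K8sContainerLimits for the same purpose.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlimits
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLimits
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlimits

        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          not c.resources.limits.cpu
          msg := sprintf("container %v has no cpu limit", [c.name])
        }

        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          not c.resources.limits.memory
          msg := sprintf("container %v has no memory limit", [c.name])
        }
---
# The constraint that activates the template. Start in dryrun so existing
# workloads only show up in the audit results; switch to deny once the
# violation list is empty, otherwise a rollout can break running stores.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLimits
metadata:
  name: pods-must-set-limits
spec:
  enforcementAction: dryrun   # change to deny to reject non-compliant pods at admission
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      - kube-system
      - config-management-system
      - istio-system
```

After the first sync, `gcloud alpha container hub config-management status --membership=MEMBERSHIP_NAME` should report the cluster as SYNCED, and `kubectl get k8srequiredlimits pods-must-set-limits -o jsonpath='{.status.totalViolations}'` shows how many existing pods the audit would reject; only when that is zero is it safe to flip enforcementAction to deny. Excluding the system namespaces matters: the ACM and mesh control-plane pods are not yours to edit, and rejecting them would take down the very machinery that enforces the policy.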
Enterprise Scenario 1: Retail Chain with On-Prem and Cloud
A large retailer has 200 stores, each with on-premises servers running inventory management applications. They want to migrate to a cloud-native architecture but cannot afford downtime. They use Anthos clusters on bare metal at each store, managed from a central Google Cloud project. Anthos Config Management ensures all stores run identical configurations. Anthos Service Mesh provides mTLS between store applications and cloud-based analytics. The retailer uses Migrate for Anthos to containerize legacy .NET applications. In production, each cluster has 10-20 nodes. The main challenge is network connectivity: each store has a VPN to Google Cloud, and latency must be under 50ms for the control plane. Misconfiguration of VPN routing caused intermittent disconnections, leading to clusters going 'unhealthy' in the Anthos console. The fix was to use Cloud Interconnect for critical stores and implement redundant VPN tunnels.
Enterprise Scenario 2: Financial Services Multi-Cloud Strategy
A bank runs workloads on AWS and Azure due to acquisition history. They want a unified platform without migrating everything to one cloud. They deploy Anthos clusters on AWS and on Azure; these are GKE-managed clusters that Anthos provisions on EC2 and Azure VM infrastructure (existing EKS and AKS clusters could instead be attached to the fleet, with a smaller feature set). Anthos Config Management syncs policies from a single Git repo, ensuring compliance with PCI-DSS across clouds. Anthos Service Mesh provides mutual TLS and traffic splitting for canary releases. The bank uses Anthos Identity Service with Azure AD for single sign-on. They have 50 clusters across both clouds, each with 30-100 nodes. The biggest issue was cost: Anthos licensing per vCPU adds up quickly. They optimized by using spot instances for non-production clusters. Another challenge was network latency between AWS and Azure; they used a dedicated interconnect between the two clouds to reduce latency to under 10ms.
Enterprise Scenario 3: Healthcare Provider Migrating VMs
A hospital chain has 500 VMs running patient records systems. They want to containerize these to reduce costs and improve scalability. They use Migrate for Anthos to analyze VM images, extract the application, and generate container images. The migration tool handles Windows and Linux VMs. They then deploy the containers on Anthos clusters on-premises (VMware) and in Google Cloud for disaster recovery. The migration process takes 2-3 hours per VM. In production, they run 20 clusters with 50 nodes each. The main issue was that some legacy VMs had hardcoded IP addresses or dependencies on specific hardware. Migrate for Anthos can handle most cases, but some applications required manual refactoring. Also, the hospital had to ensure HIPAA compliance by enabling encryption at rest and in transit (mTLS).
What GCDL Tests on Anthos
The GCDL exam objectives under 'Apps' domain include objective 4.3: "Describe the benefits of Anthos for hybrid and multi-cloud applications." Specifically, you should be able to:
Identify the components of Anthos (GKE on-prem, ASM, ACM, Migrate for Anthos).
Explain how Anthos enables workload portability across environments.
Understand the use cases for Anthos (hybrid cloud, multi-cloud, VM migration).
Recognize that Anthos provides a consistent Kubernetes experience.
Common Wrong Answers and Why Candidates Choose Them
"Anthos is only for on-premises." Candidates see 'on-prem' in the name GKE on-prem and think it's only for on-prem. Reality: Anthos also supports AWS, Azure, and bare metal.
"Anthos replaces Kubernetes." Candidates confuse Anthos with a different orchestrator. Reality: Anthos is built on Kubernetes; it extends it.
"Anthos is free." Candidates assume Google provides it for free. Reality: Anthos has a per-vCPU licensing cost.
"Anthos only works with Google Cloud." Candidates think it's a Google-only tool. Reality: Anthos works with other clouds.
"Anthos Config Management is optional." Candidates think you can skip it. Reality: ACM can be installed independently of the other components, but it is the component that gives a fleet consistent, Git-driven configuration and policy; for exam purposes treat it as the core multi-cluster management piece.
Specific Numbers and Terms
Anthos was announced in April 2019.
Config Management sync interval default: 15 seconds.
Anthos Service Mesh is based on Istio.
Migrate for Anthos supports both Windows and Linux VMs.
Anthos is billed per vCPU per month (approximately $10 per vCPU for clusters on Google Cloud; a higher rate for other environments), plus the cost of the underlying infrastructure.
Edge Cases and Exceptions
Anthos clusters on bare metal do not require a hypervisor.
Anthos clusters on AWS provisions its own GKE-managed control plane and node pools on EC2; it does not run on top of EKS. Existing EKS clusters can be attached to the fleet instead.
Anthos clusters on Azure likewise provisions on Azure VMs rather than on AKS; existing AKS clusters can be attached.
If you use Anthos with other clouds, you still need a Google Cloud project for management.
ACM can sync from multiple Git repositories, but not by creating multiple ConfigManagement objects (there is one per cluster): you enable multi-repo mode and add RootSync and RepoSync objects, each pointing at its own repository.
How to Eliminate Wrong Answers
If an answer says Anthos is only for on-prem, look for words like 'multi-cloud' or 'AWS' in other options.
If an answer says Anthos is a separate orchestrator, eliminate it because Anthos is Kubernetes-based.
If an answer says Anthos is free, eliminate it because all Google Cloud premium services have costs.
If an answer says Anthos only works with GKE, eliminate it because Anthos supports other Kubernetes distributions via the 'attach cluster' feature.
Exam Tips
Remember that Anthos provides a consistent experience, not necessarily identical performance.
Understand that ACM uses GitOps—this is a key differentiator.
Know that ASM provides traffic management, security, and observability.
Be aware that Migrate for Anthos is for VM to container migration.
Anthos is a hybrid/multi-cloud platform that provides consistent Kubernetes across environments.
Key components: Anthos Clusters, Config Management, Service Mesh, Identity Service, Migrate for Anthos.
Anthos Config Management uses GitOps with a default sync interval of 15 seconds.
Anthos Service Mesh is based on Istio and provides mTLS, traffic routing, and observability.
Migrate for Anthos converts VMs to containers running on Kubernetes.
Anthos is billed per vCPU per month, plus the cost of the underlying infrastructure.
Anthos supports on-premises (bare metal, VMware), AWS, Azure, and Google Cloud.
For the GCDL exam, focus on use cases and components, not deep configuration.
These come up on the exam all the time. Here's how to tell them apart.
Anthos
Provides a unified control plane across multiple clusters and clouds.
Includes built-in GitOps configuration management via Anthos Config Management.
Offers managed Istio service mesh with automatic sidecar injection.
Supports VM migration to containers via Migrate for Anthos.
Has a per-vCPU licensing cost.
Vanilla Kubernetes
Each cluster is managed independently; no built-in multi-cluster management.
No built-in GitOps; you must install ArgoCD or Flux separately.
No built-in service mesh; you must install Istio manually.
No VM migration tool; you containerize VMs manually or with third-party tooling.
Free and open-source; no licensing cost.
Mistake
Anthos requires you to use Google Cloud as the underlying infrastructure.
Correct
Anthos can run on your own hardware (on-premises), on AWS, on Azure, or on Google Cloud. It is a platform that abstracts the underlying infrastructure.
Mistake
Anthos is a single product you install.
Correct
Anthos is a suite of products: Anthos Clusters, Anthos Config Management, Anthos Service Mesh, Anthos Identity Service, and Migrate for Anthos. You install components based on your needs.
Mistake
Anthos Config Management automatically fixes configuration drift without any user action.
Correct
ACM syncs the cluster state to the desired state defined in Git. If someone manually changes a resource, ACM will revert it within the sync interval (default 15 seconds). However, ACM does not fix drift outside of Kubernetes resources (e.g., node-level changes).
Mistake
Anthos Service Mesh only works with Google Cloud's operations suite.
Correct
ASM can export telemetry to any Prometheus-compatible system, but it integrates natively with Cloud Monitoring, Logging, and Trace.
Mistake
Migrate for Anthos can migrate any VM without modification.
Correct
Migrate for Anthos works best for stateless applications. Stateful applications with specific hardware dependencies or legacy networking may require manual refactoring.
GKE is Google Cloud's managed Kubernetes service, running only on Google Cloud infrastructure. Anthos extends GKE to run on your own hardware, AWS, Azure, or other environments. Anthos includes additional components like Config Management and Service Mesh that are not part of standard GKE. In short, GKE is a Kubernetes engine; Anthos is a platform that includes GKE and more.
Yes, for management purposes. The Anthos clusters need to connect to Google Cloud's control plane for registration, policy sync, and monitoring. However, the clusters can run workloads even if the connection is temporarily lost; they will continue to operate but will not receive updates. For on-premises clusters, a stable VPN or Cloud Interconnect is recommended.
No. Anthos is fundamentally built on Kubernetes. All workloads run as containers orchestrated by Kubernetes. If you are not using Kubernetes, Anthos is not the right solution. Consider Google Cloud's other offerings like Compute Engine or Cloud Run.
Anthos does not provide its own networking between clouds. You must set up connectivity (VPN, dedicated interconnects) between the clouds. Anthos Service Mesh can manage east-west traffic within a cluster, but north-south traffic between clusters in different clouds requires external networking solutions.
For Anthos clusters on Google Cloud, a single-node cluster is enough for testing. For on-premises clusters, plan for three control-plane nodes if you want a highly available control plane. Licensing is charged per vCPU of registered clusters; there is no per-project minimum cluster count.
Yes, through the 'attach cluster' feature. You can attach any Kubernetes cluster that meets the version requirements (e.g., Amazon EKS, Azure AKS, or self-managed clusters) to the Anthos fleet. However, you will not get the full Anthos experience (e.g., GKE upgrades) but you can still use ACM and ASM.
Anthos has one licensing cost: a platform fee per vCPU per month (approximately $10 per vCPU for clusters on Google Cloud, with a higher rate for clusters on other clouds or on-premises). There is no separate per-cluster fee. On top of that you pay for the underlying infrastructure (compute, networking, storage) and for optional components like Cloud Interconnect. Pricing is subject to change; always check the official Google Cloud pricing page.