7.2 Deploying GKE Clusters: Autopilot, Regional, Private & GKE Enterprise
Key Takeaways
- GKE Autopilot bills per-Pod resource requests and removes node management; GKE Standard bills per-VM node plus an optional $0.10/hour cluster fee and requires managing node pools
- Regional clusters replicate the control plane across 3 zones for high availability; zonal clusters have a single control-plane replica
- Private clusters (--enable-private-nodes, optionally --enable-private-endpoint) need Cloud NAT for private nodes to reach the public internet
- GKE Enterprise (formerly Anthos, rebranded November 2023) provides fleet-based multi-cluster/multi-cloud policy management via Config Sync and Policy Controller, now bundled into standard GKE
- Production scenarios usually require combining axes (e.g., regional + private + Autopilot), not choosing a single setting
Why Cluster Configuration Choices Dominate This Objective
The official exam guide bullet reads: "Deploying a Google Kubernetes Engine cluster with different configurations (e.g., Autopilot, regional clusters, private clusters, GKE Enterprise)." This is a decision-making objective, not a memorization one — expect scenario questions that describe a business requirement (cost control, high availability, security posture, multi-team governance) and ask which cluster configuration satisfies it. Getting this right means knowing the trade-offs of each axis, because most real clusters combine more than one of these choices at once (e.g., a regional, private, Autopilot cluster).
Axis 1: Standard vs. Autopilot
| GKE Standard | GKE Autopilot | |
|---|---|---|
| Node management | You choose machine types, create node pools, and manage upgrades | Google fully manages nodes; no node pools to configure |
| Billing unit | Per-VM (node) compute cost, plus a $0.10/hour cluster management fee (one zonal cluster/billing account is fee-waived) | Per-Pod resource requests (CPU, memory, ephemeral storage), billed in 1-second increments; no separate cluster fee |
| Customization | Full control: custom machine types, GPUs/TPUs, taints, node-level daemons | Restricted to a curated, hardened configuration; some privileged workloads are blocked by default |
| Ops overhead | You size and scale node pools yourself (or configure autoscaling) | "Hands-off" — Google scales nodes to match Pod demand automatically |
| Best fit | Workloads needing fine-grained node control, GPUs/specialized hardware, legacy DaemonSets | Most new production workloads; teams that want to stop managing nodes entirely |
Creation commands:
# Standard mode
gcloud container clusters create my-cluster --zone us-central1-a
# Autopilot mode
gcloud container clusters create-auto my-cluster --region us-central1
Note that Autopilot clusters are regional by default — Google does not offer a zonal Autopilot cluster.
Axis 2: Zonal vs. Regional
- A zonal cluster runs a single control plane replica in one zone. If that zone has an outage, the control plane (and therefore
kubectlaccess, scaling decisions, and scheduling) becomes unavailable until the zone recovers — though already-running Pods keep serving traffic. - A regional cluster replicates the control plane across three zones in the chosen region, and can also spread worker nodes across those zones. This is the recommended choice for production because it survives a single-zone failure with no control-plane downtime.
gcloud container clusters create my-cluster --region us-central1 # regional
gcloud container clusters create my-cluster --zone us-central1-a # zonal
Zonal clusters are cheaper and faster to provision, which makes them common for dev/test environments in exam scenarios — regional is the answer whenever the scenario says "production" or "high availability."
Axis 3: Public vs. Private Clusters
A private cluster removes public IP addresses from the worker nodes (and optionally the control plane), shrinking the attack surface:
gcloud container clusters create my-cluster \
--region us-central1 \
--enable-private-nodes \
--enable-private-endpoint \
--master-ipv4-cidr-block 172.16.0.16/28
| Flag | Effect |
|---|---|
--enable-private-nodes | Worker nodes get only internal IPs — no direct inbound/outbound internet access |
--enable-private-endpoint | The control plane's endpoint is reachable only from inside the VPC (no public IP for the API server) |
--master-ipv4-cidr-block | Assigns the required /28 CIDR range for the control plane's internal network |
--enable-master-authorized-networks | Restricts which external CIDR ranges may reach the control plane endpoint at all |
Trap to know cold: because private nodes have no public IP, they cannot reach the internet to pull public container images or apply OS patches unless you configure Cloud NAT (or rely on Private Google Access for Google Cloud APIs specifically). If an exam scenario describes a private-nodes cluster where Pods fail to start because images can't be pulled from a public registry, the missing piece is almost always Cloud NAT, not a firewall rule.
Axis 4: GKE Enterprise
GKE Enterprise (rebranded from Anthos in November 2023) adds fleet-based management: a fleet is a logical grouping of one or more GKE clusters — including clusters in other clouds — that lets a platform team apply consistent policy, configuration, and observability across all of them from one control point. Two of its signature capabilities are:
- Config Sync — keeps cluster configuration in sync with a Git repository (GitOps).
- Policy Controller — enforces guardrail policies (e.g., "no Pods with
privileged: true") consistently across every cluster in the fleet.
As of late 2025, Google folded most of these fleet-management capabilities (fleets, Config Sync, Policy Controller) into standard GKE at no additional cost — GKE is now presented as a single offering rather than separate paid editions/tiers. A handful of advanced capabilities (Cloud Service Mesh, multi-cloud Attached Clusters for AWS/Azure, Backup for GKE, Extended Support, Multi-cluster Gateway) remain separately billed add-ons. For the exam, the concept to remember is: choose "GKE Enterprise" / fleet management whenever a scenario describes centralized policy or configuration across many clusters or clouds, not for a single, single-team cluster.
Putting the Axes Together
Exam scenario: "A retail company runs a customer-facing checkout service on GKE. The security team requires that worker nodes have no public IP addresses and that the workload survive the loss of any single zone. The platform team also wants Google to manage node provisioning entirely." → The answer combines all three: a regional, private-nodes, Autopilot cluster.
Exam scenario 2: "An enterprise runs GKE clusters across three different business units and two cloud providers, and needs one team to enforce a single network-policy standard everywhere." → This describes GKE Enterprise fleet management with Policy Controller, not a single cluster configuration change.
Key Takeaways
- Autopilot bills per-Pod resource request and removes node management entirely; Standard bills per-VM plus an optional $0.10/hour cluster management fee and requires you to manage node pools.
- Regional clusters replicate the control plane across 3 zones for high availability; zonal clusters have a single control-plane replica and are common for dev/test.
- Private clusters (
--enable-private-nodes, optionally--enable-private-endpoint) need Cloud NAT for private nodes to reach the public internet. - GKE Enterprise (formerly Anthos) provides fleet-based multi-cluster/multi-cloud policy and configuration management (Config Sync, Policy Controller); its core features are now bundled into standard GKE.
- Real production clusters usually combine multiple axes at once — expect exam questions to require picking the combination, not a single setting.
Which GKE billing model charges based on the CPU, memory, and ephemeral storage requested by running Pods rather than the size of provisioned VM nodes?
A private GKE cluster's Pods are stuck failing to pull a public container image because the worker nodes have no public IP addresses. What should be configured to resolve this?
A platform team needs to enforce one consistent set of admission-control policies across GKE clusters spread across three cloud providers. Which capability addresses this?