SHART.CLOUD | DESKTOP | LABROULETTE.WIN
01 - Labroulette - 13 labs
| shart.cloud / labroulette / deal |

Labroulette

Deal yourself a cloud scenario. Flip three cards — platform, difficulty, domain — and the table draws you a lab to match. Hold the cards you like, re-deal the rest.

Deal 13 published labs - generated at build ready
02 - Lab deal
Platform
Difficulty
Domain
pull the lever to deal a lab

The lab you're dealt lands here. Hold a reel to lock a facet, then pull again.

Table pool: 13 labs
03 - Catalog
LR_001 AWS **O

Active-Passive Multi-Region Failover for a Read-Heavy API

Stand up a warm standby in a second region for the read-heavy profile API so DNS fails over automatically when the primary's health check goes red, without paying for a full duplicate stack while the standby is idle.

#networking#resilience#data#dns
~90 min $4-9 Open ->
LR_003 AWS *OO

Catch a Failing Lambda Pipeline Before It Eats the Queue

Put a sane failure path around an SQS-to-Lambda pipeline: retries, a dead-letter queue, alarms, and least-privilege permissions so bad messages get captured instead of silently draining morale.

#serverless#observability#iam
~55 min $0-2 Open ->
LR_004 MULTI **O

Enforce a Pod Security Baseline with Admission Labels

Lock the shared cluster down with Pod Security Admission so namespaces reject privileged, host-mounting, and root-running pods by default — and add a network policy so a compromised pod can't freely talk to its neighbors.

#security#containers
~80 min $0-3 Open ->
LR_005 MULTI ***

Health-Checked DNS Failover Across AWS and GCP

Run the status page in both AWS and GCP and put a health-checked DNS layer in front so traffic serves from the healthy provider and fails over to the other within minutes when one goes dark — no human paging required.

#dns#resilience#networking
~130 min $6-14 Open ->
LR_006 AZURE **O

Hide an AKS Cluster Behind a Private Ingress

Re-platform the app onto a private AKS cluster reachable only through an internal Application Gateway, so nothing — not the API server, not the workloads — answers on a public IP, while the team still deploys via Helm.

#containers#networking#security
~110 min $5-12 Open ->
LR_007 GCP ***

Least-Privilege Service Accounts for a BigQuery Pipeline

Re-cut the ETL pipeline so each stage runs as its own service account with only the permissions that stage needs — read this bucket, write that dataset, nothing more — and prove a stolen key from one stage can't touch the rest.

#iam#data#security
~120 min $1-5 Open ->
LR_009 GCP **O

Run Cloud Run with Secrets and No Surprise Egress

Deploy a Cloud Run service that reads secrets from Secret Manager, uses a dedicated service account, and sends outbound traffic through a controlled VPC path with explicit egress settings.

#serverless#security#networking
~80 min $1-4 Open ->
LR_011 AWS *OO

Ship a Static Site on S3 + CloudFront for Pennies

Move the static site to an S3 bucket fronted by CloudFront with HTTPS, so it costs cents a month, survives a front-page hug of death, and never exposes the bucket directly to the internet.

#networking#cost#dns
~45 min $0-2 Open ->
LR_012 GCP *OO

Ship Audit Logs to BigQuery Before the Incident

Create a project-level log sink that exports admin activity and data access logs into BigQuery, then query for IAM changes and prove the dataset is locked down to the security team.

#observability#data#iam
~60 min $0-3 Open ->
LR_013 MULTI *OO

Stop One Namespace from Eating the Whole Cluster

Add namespace-level quotas, default resource limits, and a deny-by-default posture so each team gets a fair slice of the cluster instead of a buffet with root access.

#containers#cost#reliability
~50 min $0-2 Open ->
Catalog 13 of 13 visible