Deal yourself a cloud scenario. Flip three cards — platform, difficulty, domain —
and the table draws you a lab to match. Hold the cards you like, re-deal the rest.
Deal13 published labs - generated at buildready
02 - Lab deal
◆ LAB · ROULETTE ◆
Platform
?
Difficulty
?
Domain
?
pull the lever to deal a lab
The lab you're dealt lands here. Hold a reel to lock a facet, then pull again.
Stand up a warm standby in a second region for the read-heavy profile API so DNS fails over automatically when the primary's health check goes red, without paying for a full duplicate stack while the standby is idle.
Put a budget with tiered alerts on the resource group so the team hears at 50/80/100 percent of spend — long before the invoice — and route those alerts somewhere a human actually looks.
Put a sane failure path around an SQS-to-Lambda pipeline: retries, a dead-letter queue, alarms, and least-privilege permissions so bad messages get captured instead of silently draining morale.
Lock the shared cluster down with Pod Security Admission so namespaces reject privileged, host-mounting, and root-running pods by default — and add a network policy so a compromised pod can't freely talk to its neighbors.
Run the status page in both AWS and GCP and put a health-checked DNS layer in front so traffic serves from the healthy provider and fails over to the other within minutes when one goes dark — no human paging required.
Re-platform the app onto a private AKS cluster reachable only through an internal Application Gateway, so nothing — not the API server, not the workloads — answers on a public IP, while the team still deploys via Helm.
Re-cut the ETL pipeline so each stage runs as its own service account with only the permissions that stage needs — read this bucket, write that dataset, nothing more — and prove a stolen key from one stage can't touch the rest.
Add AWS WAF protections to a CloudFront distribution, log every decision, and prove common junk traffic gets blocked without turning the site into a false-positive bonfire.
Deploy a Cloud Run service that reads secrets from Secret Manager, uses a dedicated service account, and sends outbound traffic through a controlled VPC path with explicit egress settings.
Move the static site to an S3 bucket fronted by CloudFront with HTTPS, so it costs cents a month, survives a front-page hug of death, and never exposes the bucket directly to the internet.
Create a project-level log sink that exports admin activity and data access logs into BigQuery, then query for IAM changes and prove the dataset is locked down to the security team.
Add namespace-level quotas, default resource limits, and a deny-by-default posture so each team gets a fair slice of the cluster instead of a buffet with root access.