Module 31: Production Deployment Strategies
Theory
Choosing Your Deployment Platform
Deploying an agent to production involves more than just running a command; it requires choosing the right platform based on your specific needs for speed, cost, security, and control. The ADK is designed to be flexible, supporting several deployment targets.
The Decision Framework
Here's a quick framework to help you choose the best platform for your situation:
-
🚀 Quick MVP / Moving Fast? → Use Cloud Run.
- Why: Fastest time-to-market (5-minute deployment), secure by default (HTTPS, DDoS, IAM), and cost-effective pay-per-use model. Ideal for startups, MVPs, and most standard production applications.
-
🛡️ Need Compliance (FedRAMP, HIPAA)? → Use Agent Engine.
- Why: This is the only platform with built-in FedRAMP compliance, making it the best choice for enterprise, government, and highly regulated industries. It provides a fully managed, secure, and auditable environment with zero configuration.
-
⚙️ Have Kubernetes / Need Full Control? → Use GKE.
- Why: If your organization already uses Kubernetes, or if you need fine-grained control over networking, hardware (like GPUs), and security policies, GKE is the right choice. It offers maximum flexibility but requires more operational overhead.
-
🔑 Need Custom Authentication (LDAP, etc.)? → Use a Custom FastAPI Server on Cloud Run.
- Why: If you have specific authentication requirements not natively supported by the cloud platforms, you'll need to build a custom server. Deploying this custom server on Cloud Run gives you the best of both worlds: platform security and application-level flexibility. This is an advanced and less common scenario.
Security is Platform-First
A key design philosophy of the ADK is to leverage the security features of the underlying deployment platform. The ADK's built-in server is intentionally minimal because platforms like Cloud Run and Agent Engine provide production-ready security "out of the box."
| Security Feature | Cloud Run | Agent Engine | GKE |
|---|---|---|---|
| HTTPS/TLS | ✅ Auto | ✅ Auto | ⚙️ Manual |
| DDoS Protection | ✅ Auto | ✅ Auto | ❌ Manual |
| Authentication | ✅ Auto (IAM) | ✅ Auto (OAuth) | ⚙️ Manual |
| Encryption at Rest | ✅ Auto | ✅ Auto | ✅ Manual |
| Audit Logging | ✅ Auto | ✅ Auto | ✅ Manual |
| Compliance | HIPAA, PCI | FedRAMP | All |
Bottom Line: For most use cases, deploying with adk deploy cloud_run or adk deploy agent_engine provides a secure, production-ready agent with zero custom security code required.
Key Takeaways
- Choosing the right deployment platform depends on your project's specific needs for speed, cost, compliance, and control.
- Cloud Run is ideal for rapid development and cost-effective, serverless deployments.
- Agent Engine is the best choice for enterprise and government use cases requiring high compliance standards like FedRAMP.
- GKE offers maximum control and flexibility for complex systems already integrated with Kubernetes.
- The ADK follows a "platform-first" security model, leveraging the built-in security features of the deployment environment.
- Impact of Compliance Requirements: A new compliance requirement like PCI would heavily influence the deployment choice. While platforms like GKE and Cloud Run can be made PCI compliant, the burden of implementing and maintaining all necessary controls falls on the development team. A managed platform like Agent Engine, if certified for the specific compliance standard, would be the simplest choice as the compliance is built-in. In the absence of a certified managed platform, the decision would depend on whether the agent itself handles sensitive data, with a common pattern being to delegate that responsibility to a separate, compliant service.
- Benefits of Platform-First Security: A "platform-first" security model is superior because it reduces operational overhead by offloading complex tasks like TLS certificate rotation, DDoS protection, and IAM authentication to the platform. This leverages the robust, battle-tested, and certified security features of the cloud provider, ensuring a consistent and auditable security posture across all services while minimizing the risk of human error in application-level code.
- Cloud Run Limitations & Migration: While ideal for MVPs, Cloud Run's potential downsides include cold start latency and limited network control. A migration to GKE should be considered when the system evolves into a complex microservices architecture requiring private networking, critical performance that cannot tolerate cold starts, or specialized hardware like GPUs.