Saturday, 26 March 2022

Google Virtual Private Cloud

 

  • Google Virtual Private Cloud (VPC) lets you create and manage your own virtual network topology, in which you launch your Google Cloud resources.
  • Google VPC is the networking layer of Google Cloud resources.
  • A VPC network is a global resource: it is not tied to any region or zone. After creating a VPC network, you add one or more subnets; each subnet belongs to a single region and can be used from every zone in that region.

Key Concepts

  • A virtual private cloud (VPC) allows you to specify an IP address range for the VPC, add and expand subnets, and configure firewall rules.
  • You can expand a subnet's primary IP range without downtime, as long as the new range contains the existing one and does not overlap any other subnet in the network.
  • To protect Google Cloud resources, segment your networks by setting up firewall rules.
  • Projects can contain multiple VPC networks unless you create an organizational policy that does not allow it.
  • New projects start with a default network: an auto mode network with one subnet in each region and a set of permissive default firewall rules (default-allow-internal, default-allow-ssh, default-allow-rdp and default-allow-icmp, the last three open to 0.0.0.0/0). Production projects normally delete this network or tighten those rules.
  • VPC networks including their firewall rules and associated routes are global resources.
  • Subnets are regional resources.
  • Resources inside the same VPC network can communicate with each other using internal IPv4 addresses, but that traffic is still subject to the applicable firewall rules.
  • Instances that have only internal IP addresses can still reach Google APIs and services if Private Google Access is enabled on their subnet.
  • Network administration can be secured by using Identity and Access Management (IAM) roles.

Network and Subnets

  • Each VPC network consists of one or more useful IP range partitions called subnets.
  • Each subnet is associated with a region.
  • A network must have at least one subnet before you can use it.
  • Auto mode VPC networks create one subnet in each region automatically, and add a subnet whenever a new region becomes available. These automatically created subnets use a set of predefined /20 ranges that fit within the 10.128.0.0/9 CIDR block. Because every auto mode network uses the same ranges, two auto mode networks can never be peered or otherwise connected without overlap.
  • Custom mode VPC networks start with no subnets giving you full control.
  • You can create more than one subnet per region.
  • You can switch a VPC network from auto mode to custom mode. This is a one-way conversion which means custom mode VPC networks cannot be changed to auto mode VPC networks.
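The range checks behind the two points above (expanding a subnet without downtime, and the auto mode block that every auto mode network shares), as an added example that is not part of the original post and not Google's own code. The subnet names and custom ranges are constructed; the only real constant is the 10.128.0.0/9 auto mode block.

```python
"""Subnet-range checks a practitioner runs before creating or expanding a subnet.

Added example, not Google's code. SAMPLE_SUBNETS is a constructed custom mode
network; AUTO_MODE_BLOCK is the real block auto mode networks draw from."""
import ipaddress

AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")

# Constructed custom mode network: several subnets may share a region, and a
# subnet never spans more than one region. Values are (region, primary range).
SAMPLE_SUBNETS = {
    "us-central1-app": ("us-central1", "10.10.0.0/24"),
    "us-central1-db": ("us-central1", "10.10.1.0/24"),
    "europe-west1-app": ("europe-west1", "10.20.0.0/24"),
}


def overlapping_pairs(subnets):
    """Return pairs of subnet names whose primary ranges overlap.

    Overlap is rejected anywhere in a VPC network, regardless of region."""
    nets = {name: ipaddress.ip_network(cidr) for name, (_, cidr) in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def can_expand(subnets, name, new_cidr):
    """Check an in-place expansion of one subnet's primary range.

    The new range must contain the current range (VMs keep their addresses,
    which is why there is no downtime) and must not overlap any other subnet
    in the network. Returns (ok, reason)."""
    new = ipaddress.ip_network(new_cidr)
    old = ipaddress.ip_network(subnets[name][1])
    if not old.subnet_of(new):
        return False, "new range must contain the current range"
    for other, (_, cidr) in subnets.items():
        if other != name and new.overlaps(ipaddress.ip_network(cidr)):
            return False, f"new range overlaps {other}"
    return True, "ok"


def in_auto_mode_block(cidr):
    """True if a range falls inside 10.128.0.0/9.

    Custom ranges placed here will collide with the predefined subnets of any
    auto mode network you later try to peer with."""
    return ipaddress.ip_network(cidr).subnet_of(AUTO_MODE_BLOCK)


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(SAMPLE_SUBNETS))
    print("grow app /24 -> /23:", can_expand(SAMPLE_SUBNETS, "us-central1-app", "10.10.0.0/23"))
    print("grow eu /24 -> /16:", can_expand(SAMPLE_SUBNETS, "europe-west1-app", "10.20.0.0/16"))
    print("10.10.0.0/24 in auto block:", in_auto_mode_block("10.10.0.0/24"))
```

The first expansion in the usage block fails because growing us-central1-app to a /23 would swallow us-central1-db's /24; the second succeeds because nothing else lives under 10.20.0.0/16. Keeping custom ranges out of 10.128.0.0/9 is what preserves the option of peering with an auto mode network later.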

Configuring IP Addresses

  • External IP Address
    • Assign an external IP address to an instance only if it must accept connections from the Internet. Instances without an external address can still initiate outbound connections to the Internet through Cloud NAT, which keeps them off the public attack surface.
    • Instances support static and ephemeral external IP addresses.
    • Static external IP addresses can be either a regional or a global resource. A regional static IP address can be used by resources in that region or in zones within that region; global static IP addresses are used only with global load balancers.
  • Internal IP Address
    • You can assign a specific internal IP address when you create a VM instance; otherwise one is allocated automatically from the subnet's range.
    • You can reserve a static internal IP address for your project and assign that address to your resources.

Firewall Rules

  • Firewall rules are defined at the network level.
  • They only apply to the network where they are created but the name defined for each of them must be unique to the project.
  • Firewall rule components
    • The direction of connection:
      • Ingress rules apply to incoming connections from specified sources to Google Cloud targets
      • Egress rules apply to connections going to specified destinations from targets.
    • A numerical priority from 0 to 65535, which determines the order in which rules are considered:
      • Only the highest priority (lowest priority number) rule whose other components match the traffic is applied;
      • Conflicting rules with lower priorities (higher numbers) are ignored. If a deny rule and an allow rule share the same priority, the deny rule wins.
    • An action upon match, either allow or deny, decides whether the rule permits or blocks connections.
    • The enforcement status of the firewall rule.
    • A target, which defines the instances to which the rules apply.
    • A source for ingress rules or a destination for egress rules.
    • The protocol (such as TCP, UDP, or ICMP) and, for TCP and UDP, the destination ports.
  • Every VPC network also has two implied rules at the lowest priority (65535): deny all ingress and allow all egress. They cannot be deleted, but any rule you create overrides them, so a network with no explicit ingress rules accepts nothing and a network with no explicit egress rules lets everything out.
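The evaluation described in the components list above, as an added example that is not part of the original post and not Google's own code: a small simulator that orders rules by priority, honours direction, target tags, address ranges, protocol/ports and enforcement status, and falls through to the implied rules. The rule names, tags and addresses are constructed; the default-allow-ssh rule mirrors the one the default network ships with, and 203.0.113.0/24 is a documentation range standing in for "anywhere on the Internet".

```python
"""Simulation of Google VPC firewall rule evaluation for one VM.

Added example, not Google's code. Models the rule components from the list
above plus the two implied rules every VPC network carries."""
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Rule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    priority: int             # 0..65535; the lowest number is considered first
    action: str               # "allow" or "deny"
    ranges: tuple             # source ranges (ingress) or destination ranges (egress)
    protocols: dict           # e.g. {"tcp": {22, 80}}; a None port set means every port
    target_tags: frozenset = field(default_factory=frozenset)  # empty = all instances
    disabled: bool = False    # enforcement status: a disabled rule is never applied


# The implied rules present in every VPC network, at the lowest priority.
IMPLIED = (
    Rule("implied-deny-ingress", "INGRESS", 65535, "deny", ("0.0.0.0/0",), {"all": None}),
    Rule("implied-allow-egress", "EGRESS", 65535, "allow", ("0.0.0.0/0",), {"all": None}),
)

# Constructed sample: the default network's permissive SSH rule, a higher-priority
# deny that shadows it, and narrower allows for instances tagged "web".
SAMPLE_RULES = (
    Rule("default-allow-ssh", "INGRESS", 65534, "allow", ("0.0.0.0/0",), {"tcp": {22}}),
    Rule("deny-ssh-from-internet", "INGRESS", 1000, "deny", ("0.0.0.0/0",), {"tcp": {22}}),
    Rule("allow-ssh-from-bastion", "INGRESS", 900, "allow", ("10.128.0.5/32",),
         {"tcp": {22}}, frozenset({"web"})),
    Rule("allow-http", "INGRESS", 1000, "allow", ("0.0.0.0/0",), {"tcp": {80, 443}},
         frozenset({"web"})),
)


def matches(rule, direction, peer_ip, proto, port, vm_tags):
    """True when direction, target tags, address range and protocol/port all match."""
    if rule.disabled or rule.direction != direction:
        return False
    if rule.target_tags and not rule.target_tags & vm_tags:
        return False
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(r) for r in rule.ranges):
        return False
    if "all" in rule.protocols:
        return True
    if proto not in rule.protocols:
        return False
    ports = rule.protocols[proto]
    return ports is None or port in ports


def evaluate(rules, direction, peer_ip, proto, port, vm_tags=frozenset()):
    """Return (action, rule_name) for the highest-priority matching rule.

    Lower priority numbers win; on a tie a deny rule beats an allow rule; the
    implied rules guarantee that some rule always matches."""
    ordered = sorted(tuple(rules) + IMPLIED,
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if matches(rule, direction, peer_ip, proto, port, frozenset(vm_tags)):
            return rule.action, rule.name
    raise RuntimeError("unreachable: the implied rules match every connection")


def disable(rules, name):
    """Copy of the rule set with one rule's enforcement switched off."""
    return tuple(replace(r, disabled=True) if r.name == name else r for r in rules)


def internet_exposed_ports(rules, vm_tags, ports=(22, 80, 443, 3389), probe_ip="203.0.113.9"):
    """Effective-policy check: which of these TCP ports does a VM with the given
    tags accept from an arbitrary Internet address?"""
    return {p for p in ports
            if evaluate(rules, "INGRESS", probe_ip, "tcp", p, vm_tags)[0] == "allow"}


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "INGRESS", "203.0.113.9", "tcp", 22, {"web"}))
    print(internet_exposed_ports(SAMPLE_RULES, {"web"}))
    print(internet_exposed_ports(disable(SAMPLE_RULES, "deny-ssh-from-internet"), {"web"}))
```

The third line of the usage block is the check worth keeping in an audit: the default network's default-allow-ssh rule is still present and still enabled, so the moment someone disables the priority-1000 deny (or gives it a larger number), port 22 becomes reachable from the Internet again. Evaluating the effective policy per VM, rather than reading rules one at a time, is what catches that.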

Routes

  • System-generated default route
    • When you create a VPC network, it includes a system-generated default route which serves as a path out of the VPC network, including the path to the Internet, and provides the standard path for Private Google Access.
  • Subnet routes – define paths to resources like VMs and internal load balancers in a VPC network.
  • Static routes – are created manually with a destination range and a next hop, such as a VM instance, an internal load balancer, a VPN tunnel, or the default internet gateway.
  • Dynamic routes – are routes managed by Cloud Routers inside the VPC network. Their destinations are IP address ranges outside your VPC network, learned from a BGP peer. Dynamic routes are used by:
    • Dedicated Interconnect
    • Partner Interconnect
    • HA VPN tunnels
    • Classic VPN tunnels that use dynamic routing

Communications and access for App Engine

  • VPC firewall rules apply to resources running in the VPC network. For App Engine instances, firewall rules work as follows:
    • App Engine standard environment
      • Only App Engine firewall rules apply to ingress traffic. App Engine standard environment instances do not run inside your VPC network which means VPC firewall rules do not apply to them.
    • App Engine flexible environment
      • Both App Engine and VPC firewall rules apply to ingress traffic. Inbound traffic is only permitted if it is allowed by both types of firewall rules. For outbound traffic, only VPC firewall rules apply.

Connecting VPC Networks

  • An organization can use a Shared VPC to keep a VPC network in a common host project. Authorized IAM members from other projects in the same organization can create resources that use the Shared VPC network’s subnet.
  • You can use VPC Network Peering to connect VPCs to other VPC networks located in different projects or organizations. Peered networks must have non-overlapping subnet ranges, peering is not transitive, and each network's own firewall rules still govern the traffic that crosses the peering.
  • VPC networks can be securely connected in hybrid environments by utilizing Cloud VPN or Cloud Interconnect.

Pricing

  • No charge for egress between internal IP addresses in the same zone. There are charges for egress traffic through external IP addresses, even if the traffic stays in the same zone.
  • You are also charged for static external IP addresses, whether in use or reserved but unused, and for ephemeral external IP addresses attached to running instances.
