what’s ‘Networking’ in GCP

paras mamgain
Google Cloud - Community
9 min read · Oct 11, 2021

As we know, Google is global, so as a customer of Google Cloud Platform (GCP) one can easily leverage the benefits of GCP and establish a global presence with ease.
With the reliable, secure and highly available cloud platform that Google offers, users can build robust service offerings on top of the GCP stack. This not only gives them a strong and reliable infrastructure but also the opportunity to easily integrate the latest solutions and services with their product offerings.

Networking is the most important component of any software stack, and this holds for cloud computing as well. It is the networking that connects all your resources and services to one another.

GCP uses a software-defined network built on top of Google’s global fiber infrastructure. In this write-up we share some of the most widely used networking components of GCP. The following items are covered:

  1. Virtual Private Cloud (often referred as VPC)
  2. Load Balancers in Google Cloud
  3. Cloud Identity and Access Management
  4. Hybrid Connectivity

Let’s start with the most important part of any cloud architecture, i.e. setting up the network foundations.

Virtual Private Cloud (VPC)

GCP consists of regions, zones and points of presence (also referred to as POPs). Thanks to its extensive, widely spread global network, GCP can bring traffic closer to its peers. This not only reduces costs but also gives users a better experience and lower latency.

A VPC is a virtual version of your physical network, implemented inside Google’s production network. A VPC gives users a level of isolation: the resources provisioned inside it are not shared with any other users.
Building resources in a VPC gives users the opportunity to build a secure environment.

In Google Cloud Platform you can create your GCP resources, connect them with each other, and isolate them from one another within a virtual private cloud.
The following are the VPC objects that you will often come across while creating a new VPC.

1. Projects: hold all the objects and resources that you provision, such as buckets and Compute Engine instances. They help organise GCP resources. A project usually contains the entire network.

2. Networks: there are 3 types of network offered in GCP. Each has its own reasons to be chosen when designing for a use case. These 3 types are described below:
2.1. Default: unless disabled, each new project starts with a default network. The default network is an auto mode VPC network with pre-populated IPv4 firewall rules.
2.2. Auto mode: auto mode VPC networks are easy to set up and use. They are well suited for general use cases where subnets should be created automatically in each region.
Auto mode networks are useful for early exploration. However, custom networks are the recommended and preferred option for production environments.
2.3. Custom: the most flexible and preferred method for production. It provides complete control over the subnets created in your VPC network, including regions and IP address ranges.

3. Subnetworks: regional resources, where each subnet defines a range of IP addresses. This allows you to divide or segregate your environment based on IP ranges.

4. Regions/Zones: represent the Google data centres where the resources will be provisioned; they provide security, reliability and high availability.

5. IP addresses (internal/external): in GCP, each VM can have two IP addresses assigned to it: an internal IP and an external IP.
- The internal IP is assigned by DHCP.
- The external IP is optional and is required mostly when the application is internet facing.
As a matter of fact, the external IP address is unknown to the OS of the VM. The external IP address is mapped to the VM’s internal address transparently by the VPC.
Sometimes there is a requirement to disable internet access while you still need to reach the Google APIs to perform various tasks. In such scenarios you can enable private access to Google APIs in your VPC.

6. Resources: in GCP, resources refer to the different objects in Google Cloud, such as projects, folders, service accounts and Compute Engine instances.

7. Routes: by default, every network has routes that let instances in a network send traffic directly to each other. Having the routes alone does not ensure that packets are transferred; you must also have the corresponding firewall rules in place.
The default routes can be disabled by setting the appropriate organisation policy.

8. Firewall rules: protect your instances from unapproved connections, both inbound and outbound. Firewall rules are applied to the network as a whole, but connections are allowed or denied at the instance level. Firewall rules are stateful, i.e. if a connection is allowed, all subsequent traffic in the same connection is also allowed.

The following are some of the key parameters to keep in mind while configuring firewall rules:
- Direction: ingress/egress
- Source or destination: IP addresses, tags or service accounts
- Protocols and ports
- Action
- Priority
- Rule assignment

Hierarchical firewall policies: in a hierarchical firewall policy, an allow rule overrides any deny rule that has a lower priority or sits at a lower level in the hierarchy.

9. Multiple network interfaces: you can attach additional network interfaces to your VMs through network interface controllers, or NICs. Multiple network interfaces let you create a configuration in which an instance connects directly to several VPC networks. Each of these instances must also have an internal IP address.
Multiple NICs help address situations where communication between different networks is required.
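To make the firewall parameters above concrete, here is a small Python model of how a VPC firewall rule set is evaluated for a single packet. It is an added example, not GCP's implementation or code from this article: it models direction, source/destination ranges, protocol and ports, action, priority (lower number wins) and target tags, plus the stateful behaviour in which reply traffic of an allowed connection is accepted even when a rule in the opposite direction would deny it. Hierarchical firewall policies are not modelled. All rule names, tags and addresses are constructed for the example.

```python
"""Toy evaluator for VPC firewall rules (added illustration, not GCP's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                         # "INGRESS" or "EGRESS"
    action: str                            # "allow" or "deny"
    priority: int                          # 0-65535; lower number wins, as in GCP
    protocol: str = "all"                  # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()         # destination ports; empty = any port
    ranges: tuple = ("0.0.0.0/0",)         # source ranges (ingress) / destination ranges (egress)
    target_tags: frozenset = frozenset()   # empty = applies to every instance in the network


@dataclass(frozen=True)
class Packet:
    direction: str
    remote_ip: str        # peer address: source for ingress, destination for egress
    protocol: str
    remote_port: int      # peer's port (0 for protocols without ports)
    local_port: int       # port on the VM's side
    instance_tags: frozenset = frozenset()


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet (direction, target, protocol, port, range)?"""
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not rule.target_tags & pkt.instance_tags:
        return False
    if rule.protocol not in ("all", pkt.protocol):
        return False
    dst_port = pkt.local_port if pkt.direction == "INGRESS" else pkt.remote_port
    if rule.ports and dst_port not in rule.ports:
        return False
    return any(ip_address(pkt.remote_ip) in ip_network(r) for r in rule.ranges)


def evaluate(rules, pkt: Packet):
    """Stateless decision: (action, rule_name) of the first match in priority order.
    With no match the implied rules apply: allow all egress, deny all ingress."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    implied = "allow" if pkt.direction == "EGRESS" else "deny"
    return implied, "implied-" + implied


class StatefulFilter:
    """Stateful wrapper: once a connection is allowed, its return traffic is
    allowed too, regardless of the rules in the opposite direction."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()   # (remote_ip, protocol, remote_port, local_port)

    def check(self, pkt: Packet):
        key = (pkt.remote_ip, pkt.protocol, pkt.remote_port, pkt.local_port)
        if key in self.established:
            return "allow", "established-connection"
        action, name = evaluate(self.rules, pkt)
        if action == "allow":
            self.established.add(key)
        return action, name


# Constructed rule set: SSH only from a corporate range, web allowed by a
# higher-priority rule that overrides a broader deny, and all new egress denied.
RULES = [
    Rule("allow-ssh-from-corp", "INGRESS", "allow", 1000, "tcp", frozenset({22}),
         ("203.0.113.0/24",), frozenset({"bastion"})),
    Rule("allow-web", "INGRESS", "allow", 500, "tcp", frozenset({80, 443}),
         ("0.0.0.0/0",), frozenset({"web"})),
    Rule("deny-web-legacy", "INGRESS", "deny", 1000, "tcp", frozenset({80}),
         ("0.0.0.0/0",), frozenset({"web"})),
    Rule("deny-all-egress", "EGRESS", "deny", 65534),
]


def demo():
    """Run a few constructed packets through the stateful filter."""
    fw = StatefulFilter(RULES)
    bastion, web = frozenset({"bastion"}), frozenset({"web"})
    return {
        "ssh_from_corp": fw.check(Packet("INGRESS", "203.0.113.10", "tcp", 51000, 22, bastion)),
        "ssh_from_elsewhere": fw.check(Packet("INGRESS", "198.51.100.7", "tcp", 52000, 22, bastion)),
        "ssh_reply": fw.check(Packet("EGRESS", "203.0.113.10", "tcp", 51000, 22, bastion)),
        "http_to_web": fw.check(Packet("INGRESS", "198.51.100.7", "tcp", 53000, 80, web)),
        "new_egress": fw.check(Packet("EGRESS", "198.51.100.50", "tcp", 443, 40000, bastion)),
    }


if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case:20s} -> {action:5s} ({rule})")
```

The `ssh_reply` case is the one worth noticing: evaluated statelessly it would hit `deny-all-egress`, but because the inbound SSH connection was already allowed, the stateful filter lets the reply through. The `http_to_web` case shows priority ordering: the allow rule at priority 500 is consulted before the deny at 1000.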

We will now cover the next important item on our list, i.e. the load balancers in Google Cloud.

Load Balancers in Google Cloud

A load balancer sits in front of your servers and routes client requests across the configured servers that are capable of fulfilling those requests.

It efficiently distributes incoming traffic across multiple servers.
Cloud Load Balancing allows you to put your resources behind a single IP address that is either externally accessible or internal to the virtual private cloud (VPC) network.

  1. Global load balancers : backends for global load balancers can span different regions. The following types of global load balancers are available:
    - HTTP(s) LB
    - SSL Proxy
    - TCP Proxy
  2. Regional load balancers : backends span a single region but can be in different zones. The following types of regional load balancers are available in GCP:
    - Network LB
    - Internal L4 LB
    - Internal HTTP(S) LB

Cloud Identity and Access Management (Cloud IAM)

It is a way of defining who can perform which actions on which cloud resources.
This section focuses on controlling access to VPC networks.

Identity and Access Management identifies the users/accounts performing actions on GCP resources. With Cloud IAM we can set policies at different levels, where a policy contains a set of roles and members.
One more term you should be familiar with is the “principle of least privilege”, which is often referred to as a best practice in any cloud environment.

Members:
There are 5 different types of members, which define the “who” part:

(i) Google accounts : represent a developer, administrator or any other individual who interacts with GCP.
(ii) Service accounts : represent an account that belongs to your application instead of to an individual user. Usually different service accounts are created for the different logical components of an application, to ensure better separation of access and logic.
(iii) Google groups : a named collection of Google accounts and service accounts, with a unique address for each group.
(iv) G Suite domains : represent a virtual group of all the Google accounts created in an organisation’s G Suite account.
(v) Cloud Identity domains : like a G Suite domain, a Cloud Identity domain represents a virtual group of all the Google accounts in an organisation.

Roles:
In this section we discuss the “which” part of Cloud IAM. In Cloud IAM there are 3 types of roles:
1. Basic roles : roles that provide access to different resources. There are 4 basic roles: Viewer, Editor, Owner and Billing Administrator.
2. Predefined roles : provide granular access for a specific service and are managed by Google Cloud.
3. Custom roles : user-defined roles that let you bundle one or more supported permissions to meet your specific needs.

Actions:
The actions that can be performed on cloud resources are an interesting and wide topic, but to keep it simple I have grouped them under some commonly used words that denote an “action”.
An action covers the “what” part, and this “what” part consists of verbs like creating resources, deleting resources, editing resources and viewing resources.
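The who / which / what split above can be traced through a policy in code. The following Python script is an added example, not Google's implementation or code from this article: members (including a Google group, which expands to its member accounts) are bound to roles, roles expand to permissions, and a permission names an action on a resource type. It also includes two least-privilege checks a practitioner would want: the permissions a principal holds beyond what it needs, and the bindings that grant a basic role. Every binding, group, role definition and permission set below is constructed for the example; the permission strings follow GCP's service.resource.verb naming but are used here only as labels.

```python
"""Toy evaluator for a Cloud IAM policy (added illustration, not Google's code)."""

# Assumed, simplified role definitions: role -> permissions it grants.
ROLE_PERMISSIONS = {
    "roles/viewer": {
        "compute.instances.get", "compute.instances.list",
        "compute.networks.get", "compute.firewalls.get",
    },
    "roles/editor": {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.create", "compute.instances.delete",
        "compute.networks.get", "compute.firewalls.get",
        "compute.firewalls.create", "compute.firewalls.delete",
    },
    # Custom role limited to what a deployment pipeline actually needs.
    "projects/demo-project/roles/instanceDeployer": {
        "compute.instances.get", "compute.instances.create",
    },
}

# Basic roles grant broad access across services; flag them for review.
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}

# Constructed group membership; a group is itself a member type.
GROUP_MEMBERS = {
    "group:net-ops@example.com": {"user:alice@example.com", "user:bob@example.com"},
}

# Constructed policy: bindings of one role to a list of members.
POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["group:net-ops@example.com"]},
        {"role": "roles/editor",
         "members": ["user:bob@example.com"]},
        {"role": "projects/demo-project/roles/instanceDeployer",
         "members": ["serviceAccount:deployer@demo-project.iam.gserviceaccount.com"]},
    ]
}


def expand_member(member):
    """Identities a binding member resolves to; groups expand to their accounts."""
    if member.startswith("group:"):
        return set(GROUP_MEMBERS.get(member, ()))
    return {member}


def permissions_for(policy, principal):
    """Union of the permissions of every role bound (directly or via a group) to the principal."""
    perms = set()
    for binding in policy["bindings"]:
        if any(principal in expand_member(m) for m in binding["members"]):
            perms |= ROLE_PERMISSIONS[binding["role"]]
    return perms


def can(policy, principal, permission):
    """The 'who can do what' check: is this action permitted for this principal?"""
    return permission in permissions_for(policy, principal)


def excess_permissions(policy, principal, needed):
    """Least-privilege gap: permissions held beyond the ones actually needed."""
    return permissions_for(policy, principal) - set(needed)


def basic_role_bindings(policy):
    """Bindings that grant a basic role; these are broad and worth reviewing."""
    return [b for b in policy["bindings"] if b["role"] in BASIC_ROLES]


if __name__ == "__main__":
    sa = "serviceAccount:deployer@demo-project.iam.gserviceaccount.com"
    print("alice can delete instances:", can(POLICY, "user:alice@example.com", "compute.instances.delete"))
    print("bob's excess permissions:", sorted(excess_permissions(POLICY, "user:bob@example.com", ["compute.instances.get"])))
    print("deployer can delete instances:", can(POLICY, sa, "compute.instances.delete"))
    print("basic roles in use:", [b["role"] for b in basic_role_bindings(POLICY)])
```

Alice only reaches the Viewer role through the group, so she can read but not delete instances; Bob's direct Editor binding gives him far more than the one permission he needs, which is exactly the gap `excess_permissions` reports; and the service account's custom role lets it create instances but not delete them.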

Hybrid Connectivity

Google supports multiple ways to connect your infrastructure with GCP.
The following approaches are covered below:
1. Cloud VPN
2. Dedicated Interconnect
3. Partner Interconnect
4. Direct Peering
5. Carrier Peering

  • Dedicated connection : a direct connection is established between the customer’s on-premises network and Google’s network, e.g. Direct Peering and Dedicated Interconnect.
  • Shared connection : an indirect connection to Google’s network through a partner, e.g. Carrier Peering and Partner Interconnect.

Cloud VPN : Google’s own virtual private network offering, which uses the public internet, but all traffic that passes through it is encrypted. This is a useful addition to Carrier Peering/Direct Peering.
One can also use Cloud VPN as the main connection between your own premises and the GCP VPC network.

Cloud VPN is an offering from GCP that enables your on-premises network to connect to the GCP VPC network through a VPN tunnel. Traffic is encrypted at one end and decrypted at the other, ensuring that the data stays encrypted while travelling over the public internet.

There are two options to choose from:
1. Classic VPN gateways
2. HA VPN gateways
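Whether a packet from a VM goes into the VPN tunnel, to another subnet, or out through the internet gateway is decided by the VPC routes described earlier. The following Python script is an added example, not GCP's implementation or code from this article. It applies the selection order GCP documents for routes: the most specific destination prefix wins, and among equally specific routes the lowest priority number wins. It also shows two situations a network engineer will meet: a deleted default route (no internet path) and failover to a backup tunnel. The route names, ranges, next hops and priorities below are constructed.

```python
"""Toy VPC route selection (added illustration, not GCP's implementation)."""
from ipaddress import ip_address, ip_network

# Constructed route table for one VPC.
ROUTES = [
    # Subnet route: created with each subnet, reaches instances in the VPC directly.
    {"name": "subnet-route", "dest": "10.10.0.0/24",
     "next_hop": "local-subnet", "priority": 0},
    # Default route: created with the network; remove it and instances have
    # no path to the internet at all.
    {"name": "default-route", "dest": "0.0.0.0/0",
     "next_hop": "default-internet-gateway", "priority": 1000},
    # On-premises range reached through two Cloud VPN tunnels; the lower
    # priority number is preferred, the other route is the backup path.
    {"name": "to-onprem-primary", "dest": "192.168.0.0/16",
     "next_hop": "vpn-tunnel-1", "priority": 100},
    {"name": "to-onprem-backup", "dest": "192.168.0.0/16",
     "next_hop": "vpn-tunnel-2", "priority": 200},
]


def select_route(routes, dest_ip):
    """Return the route a packet to dest_ip takes, or None if nothing matches."""
    addr = ip_address(dest_ip)
    candidates = [r for r in routes if addr in ip_network(r["dest"])]
    if not candidates:
        return None
    # Longest prefix first; then the lowest priority number (negated for max()).
    return max(candidates,
               key=lambda r: (ip_network(r["dest"]).prefixlen, -r["priority"]))


def next_hop(routes, dest_ip):
    """Name of the next hop for dest_ip, or None when the packet would be dropped."""
    route = select_route(routes, dest_ip)
    return route["next_hop"] if route else None


def without(routes, name):
    """The route table with one route removed (deleted default route, failed tunnel)."""
    return [r for r in routes if r["name"] != name]


if __name__ == "__main__":
    for dest in ("10.10.0.5", "192.168.5.9", "198.51.100.1"):
        print(f"{dest:14s} -> {next_hop(ROUTES, dest)}")
    print("no default route, internet dest ->", next_hop(without(ROUTES, "default-route"), "198.51.100.1"))
    print("primary tunnel down, on-prem dest ->", next_hop(without(ROUTES, "to-onprem-primary"), "192.168.5.9"))
```

Note that a matching route only gets the packet out of the VM; as the Routes section says, the firewall rules for that direction must allow it as well.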

Cloud Interconnect

Cloud Interconnect provides direct access to RFC 1918 IP addresses in your VPC, with an SLA. Two Cloud Interconnect services are available:

1. Dedicated Interconnect : provides a direct physical connection between your on-premises network and Google’s network. This lets you transfer large amounts of data more efficiently.
A cross-connect is established between Google’s network and the on-premises network at a common colocation facility.

Dedicated Interconnect can be configured to provide a 99.9% or 99.99% SLA.

2. Partner Interconnect : provides connectivity through a supported service provider. This is useful when the physical data centre cannot connect via Dedicated Interconnect.

These supported service providers have existing physical connections to Google’s network that they make available for their customers. After the connection between the customer’s on-premises network and the service provider is established, one can request a Partner Interconnect connection from the service provider.

Cloud Peering

Cloud Peering provides access to Google’s public IPs only, without an SLA. Two Cloud Peering services are offered in GCP. These services are useful when access to Google and Google Cloud properties is required.

1. Direct Peering: provides a direct connection between your business network and Google’s network. Direct peering with Google is done by exchanging BGP routes between Google and the peering entity.

2. Carrier Peering: provides a connection through a supported partner. Once a connection is established you can reach all of Google’s suites and services.

Ideally each of these topics deserves an individual write-up to do it proper justice; however, the intention here is to provide a quick summary giving an overall idea of these components. We plan to cover these individual topics in more detail in another article where deep understanding will be.

