GCP Crash Course: Network

Basic Concepts

VPC — Virtual Private Cloud is the network space of your activity or company. It is like your actual Data Center, but just in Cloud. Integrated with your IT resources on-premises (local).
Before diving into the technical definitions, we’ll get the intuition comparing a Network to a big Sporting Village.

The Village will have:

• spots open to the public (bar and restaurant) [public subnet]
• The entrance only for members [gateways and firewalls]
• The internal streets open to pedestrians, bikes or cars [routes]
• Different zone for kids, tennis, swimming pools, basketaball ecc [private subnets]
• Internal Common Services [NAT Gateway, VPN ecc..]
• Internal Names and Addresses [Private IP and DNS]

Moreover, the village may be connected with other Villages around the World….

Now let’s dive a little more into the basic concepts :

Subnets: “boxes” in which resources with IP are placed. Located in different places (Europe USA ecc).
Private IP Addresses: all the resources of the network have and use a private IP
Routes and IP forwarding: the paths in which the traffic may flow
CIDR: groups of IP addresses with this notation 10.10.10.0/24. The last number indicates the initial bits fixed (10.10.10 → 24 bits), that is → prefix ranges. See CIDR (explanations and computing)
Firewall rules: security rules for allowing/blocking traffic in relation to protocol, generic labels and specific addresses.
DNS: a network resource may be referred with a number (IP) or a corresponding name.
Region and Zones : in Cloud you may choose to distribute resources in different data Centers (zones) in the same or different big Regions (US-west, US-east, Europe-west). More distance → more latecncy
NAT: systems that translate internal and external addresses automatically
Load Balancers and Availability Groups: behind the IP Address of your website may sit a fleet of Servers. In this case the IP Address point to a Load Balancer that sends traffic to the fleet (Availability Group).

Ask yourself

Think at the IT Infrastructure of your Company or University or Government Institution.

• How may it fit in this picture?
• How could it be transferred into the Cloud?
• What could be private? What public? How?

Cheatsheet

A quick roadmap to all the most important topics. Refer to the doc Building Blocks (links and definitions) for any doubts.
If you like Videos: Next VCP Dive & Best

A VPC is a private network (global) created in auto or custom mode with:

• Subnets (Regional) 1+ IP range partitions — primary & secondary CIDR range
• Routes manage traffic from VMs to a destination (inside or outside VPC)
  Default route → Private Google Access
  subnet route
  static or dynamic route
• Forwarding rules manage traffic to VMs inside VPC (private IPs) from outside:
  Virtual Hosting
  Load Balancing
• Firewall Routes allow or deny traffic to VMs with priority → stateful
• Private Google Access
• NAT Gateway → private IP ← → public IP advanced: multiple
• Internet Gateway created automatically in the routing table
• TAGs label used to group resources
• Private Google/Services Access Access to Google Service only from inside without public IP and any public exposure
• VPC Flow Logs → IP traffic going to and from network interfaces

An Addressable Resource has a Private IP Address or an Alias IP Range and may be a:

• VM may have a tag
• Network Interface → may be 2+ in 1 VM
• Load Balancer distribute workload to 2+ VMs

Connection with Internet (public):

• valid default Internet gateway route
• Firewall rules allow egress traffic
• external IP address OR NAT Gateway
• CDN Content Delivery Network — caching content near users at the edges of Google’s network

VPCs may be connected :

• Shared VPC — attach subnets to other project → VPCs → host and service
• VCP Peering connectivity directly with IP ranges (CIDR — rfc1918) across VPCs different projects/organizations

Connection with on-premise Data Centers may be made with:

• Classical and economical VPN with IPsec — also redundant → Cloud Router
  Border Gateway Protocol (BGP) Enable dynamic routing, that is, automatic update of routing configuration when there are changes
• Cloud Interconnect — Dedicated — fast & expensive
• Cloud Interconnect — Partner — cheaper that dedicated ( How to choose Cloud Interconnect)

Step by Step Guides

• Create VPC
• Manage firewalls
• use network tags
• using flow logs
• IP: private public alias ip ranges

Demos

• Getting Started: Google Cloud VPC
• Create an HTTP Load Balancer
• Create Managed Instance Group
• Creating Managed Instance Group Templates
• Running a container with Managed Instance Groups
• Command Line Creation of Managed Instance Groups
• Autohealing Instance Groups
• Setting Up Cloud CDN

Labs — Qwiklabs

• VPC Networking Fundamentals
• Multiple VPC Networks
• Creating Cross-region Load Balancing
• Using VPC Network Peering
• Dynamic VPN Gateways — Cloud Routers (advanced)
• Building a High-throughput VPN