GCP Crash Course: Network
Basic Concepts
VPC — Virtual Private Cloud: the network space of your activity or company. It is like your actual data center, just in the cloud, integrated with your on-premises (local) IT resources.
Before diving into the technical definitions, we’ll build the intuition by comparing a network to a big sporting village.
The Village will have:
- spots open to the public (bar and restaurant) [public subnet]
- the entrance, only for members [gateways and firewalls]
- the internal streets, open to pedestrians, bikes or cars [routes]
- different zones for kids, tennis, swimming pools, basketball, etc. [private subnets]
- internal common services [NAT Gateway, VPN, etc.]
- internal names and addresses [private IP and DNS]
Moreover, the village may be connected with other villages around the world…
Now let’s dive a little deeper into the basic concepts:
Subnets: “boxes” in which resources with IPs are placed, located in different places (Europe, USA, etc.).
Private IP addresses: all the resources of the network have and use a private IP.
Routes and IP forwarding: the paths along which the traffic may flow.
CIDR: groups of IP addresses written with the notation 10.10.10.0/24. The last number indicates how many initial bits are fixed (10.10.10 → 24 bits), that is, the prefix range. See CIDR (explanations and computing).
Firewall rules: security rules for allowing/blocking traffic according to protocol, generic labels (tags) and specific addresses.
DNS: a network resource may be referred to by a number (IP) or by a corresponding name.
Regions and zones: in the cloud you may choose to distribute resources across different data centers (zones) in the same or in different large regions (US-west, US-east, Europe-west). More distance → more latency.
NAT: systems that translate internal and external addresses automatically.
Load balancers and availability groups: behind the IP address of your website may sit a fleet of servers. In this case the IP address points to a load balancer that sends traffic to the fleet (availability group).
Ask yourself
Think of the IT infrastructure of your company, university or government institution.
- How may it fit in this picture?
- How could it be transferred into the Cloud?
- What could be private? What public? How?
Cheatsheet
A quick roadmap to all the most important topics. Refer to the doc Building Blocks (links and definitions) for any doubts.
If you like videos: Next VPC Dive & Best
A VPC is a private network (global) created in auto or custom mode with:
- Subnets (Regional) 1+ IP range partitions — primary & secondary CIDR range
- Routes manage traffic from VMs to a destination (inside or outside the VPC):
  - default route → Private Google Access
  - subnet route
  - static or dynamic route
- Forwarding rules manage traffic to VMs inside the VPC (private IPs) from outside:
  - virtual hosting
  - load balancing
- Firewall rules allow or deny traffic to VMs, evaluated by priority → stateful
- Private Google Access
- NAT Gateway → private IP ↔ public IP (advanced: multiple)
- Internet Gateway — created automatically in the routing table
- Tags — labels used to group resources
- Private Google/Services Access — access to Google services only from inside the VPC, without a public IP or any public exposure
- VPC Flow Logs → IP traffic going to and from network interfaces
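To make the CIDR notation and the priority-ordered, first-match firewall evaluation from the cheatsheet concrete, here is an added example (not from the original page or from Google's tooling) that expands a CIDR block with Python's ipaddress module and evaluates ingress packets against a constructed rule set; the rule names, ranges, ports and tags are assumptions, and GCP's implied ingress deny and deny-wins-a-tie behaviour are modelled.

```python
# Added example, not from the original page. Expands a CIDR block and evaluates
# ingress traffic against GCP-style VPC firewall rules (priority 0-65535, lowest
# number wins; deny beats allow on a tie; implied deny when nothing matches).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Tuple


def cidr_info(cidr: str) -> dict:
    """How many leading bits are fixed and which addresses the block covers."""
    net = ip_network(cidr, strict=False)
    return {
        "prefix_bits": net.prefixlen,
        "netmask": str(net.netmask),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "addresses": net.num_addresses,
    }


@dataclass(frozen=True)
class FirewallRule:
    name: str
    priority: int                 # 0-65535, lower value is evaluated first
    action: str                   # "allow" or "deny"
    source_range: str             # CIDR, e.g. "10.10.10.0/24"
    ports: FrozenSet[int] = frozenset()   # empty set = every port
    target_tag: Optional[str] = None      # None = applies to every VM


def evaluate_ingress(rules: Iterable[FirewallRule], src_ip: str, dst_port: int,
                     vm_tags: Iterable[str]) -> Tuple[str, str]:
    """Return (action, rule name) for one ingress packet to a VM carrying vm_tags."""
    src, tags = ip_address(src_ip), set(vm_tags)
    # Lowest priority number first; on equal priority a deny rule beats an allow.
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if rule.target_tag is not None and rule.target_tag not in tags:
            continue
        if src not in ip_network(rule.source_range, strict=False):
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        return rule.action, rule.name          # first match wins
    return "deny", "implied-deny-ingress"      # GCP default for ingress

# Constructed sample rules (assumed values): internal traffic is allowed, but a
# tighter (lower number) deny blocks the database port on VMs tagged "db".
SAMPLE_RULES = [
    FirewallRule("allow-internal", 65534, "allow", "10.128.0.0/9"),
    FirewallRule("deny-db-port", 900, "deny", "10.128.0.0/9", frozenset({3306}), "db"),
    FirewallRule("allow-ssh-office", 1000, "allow", "203.0.113.0/24", frozenset({22}), "ssh"),
]
```

Call `evaluate_ingress(SAMPLE_RULES, "10.128.0.5", 3306, ["db"])` to see the lower-numbered deny win over the broad internal allow.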
An Addressable Resource has a Private IP Address or an Alias IP Range and may be a:
- VM → may have a tag
- Network Interface → may be 2+ in 1 VM
- Load Balancer → distributes workload to 2+ VMs
Connection with Internet (public):
- valid default Internet gateway route
- Firewall rules allow egress traffic
- external IP address OR NAT Gateway
- CDN Content Delivery Network — caching content near users at the edges of Google’s network
VPCs may be connected:
- Shared VPC — attach subnets to other projects’ VPCs → host and service projects
- VPC Peering — direct connectivity between IP ranges (CIDR, RFC 1918) across VPCs in different projects/organizations
Connection with on-premise Data Centers may be made with:
- Classical and economical VPN with IPsec — also redundant → Cloud Router
  - Border Gateway Protocol (BGP) enables dynamic routing, that is, automatic update of the routing configuration when there are changes
- Cloud Interconnect — Dedicated — fast & expensive
- Cloud Interconnect — Partner — cheaper than Dedicated (How to choose Cloud Interconnect)
Step by Step Guides
Demos
- Getting Started: Google Cloud VPC
- Create an HTTP Load Balancer
- Create Managed Instance Group
- Creating Managed Instance Group Templates
- Running a container with Managed Instance Groups
- Command Line Creation of Managed Instance Groups
- Autohealing Instance Groups
- Setting Up Cloud CDN
Labs — Qwiklabs
- VPC Networking Fundamentals
- Multiple VPC Networks
- Creating Cross-region Load Balancing
- Using VPC Network Peering
- Dynamic VPN Gateways — Cloud Routers (advanced)
- Building a High-throughput VPN