Connectivity Test with Network Intelligence Center in Google Cloud

Sumit K
Google Cloud - Community
Aug 16, 2023

What is GCP Network Intelligence Center?

GCP Network Intelligence Center (NIC) is a suite of tools that provides visibility, monitoring, and troubleshooting capabilities for Google Cloud Platform (GCP) networks. NIC helps you to:

  • Diagnose connectivity issues and prevent outages. NIC provides unmatched visibility into your network in the cloud along with proactive network verification. This helps you to quickly identify and resolve network connectivity issues before they cause outages.
  • Improve network security and compliance. NIC helps you to verify network security and compliance through a series of connectivity checks. This helps you tighten your security boundaries and ensure that your network complies with industry regulations.
  • Save time with intelligent monitoring. NIC monitors real-time performance metrics and easily visualizes network health. T

In this article, we will cover only the connectivity diagnosis feature, Connectivity Tests. NIC offers a lot of other modules as well, such as Network Topology analysis, Performance Dashboard (intra- and inter-zone traffic), Firewall Insights, and Network Analyzer.

What is a connectivity test?

A connectivity test is a diagnostic tool that can be used to verify the connectivity between two or more network endpoints. NIC provides a connectivity test tool that can be used to test the connectivity between:

  • Virtual machines (VMs) in the same VPC network
  • VMs in different VPC networks
  • VMs in the GCP network and on-premises networks
  • VMs in the GCP network and the internet

The connectivity test tool in NIC uses a variety of methods to test connectivity, including ICMP ping, TCP port probes, and UDP packet sends.

The Connectivity Tests feature can be used to troubleshoot a variety of network connectivity issues, including:

  • Unresolved DNS names
  • Firewall rules that are blocking traffic
  • Incorrect routing tables
  • Faulty network interfaces

The connectivity test tool in NIC provides a variety of reports that can be used to troubleshoot connectivity issues. These reports are:

  • Traceroute: This report shows the path that network traffic takes from the source to the destination.
  • Packet loss: This report shows the percentage of packets that were lost during the test.
  • Latency: This report shows the average latency between the source and the destination.

Connectivity Tests in Network Intelligence Center (NIC) work by simulating the network path that a test packet will take from the source endpoint to the destination endpoint. This is done by analyzing the Google Cloud resources in your testing path against an ideal configuration model.

Let’s do some hands-on demos to understand how connectivity tests work within Network Intelligence Center and how you can troubleshoot networking issues in no time and without much effort.

Demo 1: Test the connectivity between VMs in the same VPC.

Step 1. Create a custom VPC with two subnets in different regions. I already created a VPC with two subnets: subnet1-mumbai and subnet2-delhi.

Custom VPC/Subnets

Step 2. Create a test VM in each subnet. I already created web1 and web2.

Two VMs

Step 3. Test the connectivity on port 80 by sending a request from web1 to web2. Here is the trick: you don’t need to SSH to your VM to do it. This task can be accomplished by Network Intelligence Center.

Navigate to Network Intelligence → Connectivity Tests → Create Connectivity Test. Give it a name and select Protocol TCP. In the Source, select the current project and the VM name (web1). In the Destination, also select the current project, the destination VM (web2), and port 80. Before you click Create, here is what your screen looks like if you are following along.

Network Intelligence — Create a Connectivity Test

Step 4. After your connectivity test is created, it’s time to view the test results. You will immediately notice that the connection is dropped because no ingress rule is in place, as shown in the snippet. This gives you clear visibility into where and why packets are dropped, which could take a lot of time and effort to work out the traditional way, right? So NIC saves us a lot of valuable time ⌛️

The connectivity Test failed due to missing ingress firewall rule

Please note that, by default, all ingress traffic is blocked/denied with a priority of 65535 when you create a VPC. So you need to explicitly open it to allow the traffic on port 80 towards subnet2-delhi.

Step 5. Let’s create a firewall rule to allow traffic on port 80. Here is the gcloud command for your reference.

gcloud compute --project=mindful-marking-388908 firewall-rules create allow-http-80 \
    --description="allow traffic on port 80 from a specific CIDR range which is defined range of subnet1-mumbai" \
    --direction=INGRESS --priority=1000 --network=my-vpc --action=ALLOW --rules=tcp:80 \
    --source-ranges=10.255.188.0/24 --destination-ranges=10.255.196.0/24

This is what it looks like after the creation is completed:

Create an ingress firewall rule to allow traffic to web2

Step 6. Re-run the connectivity test; this time the packets are delivered. You can clearly see our ingress firewall rule allowing the incoming traffic to web2. This is how you can inspect complex network connectivity with minimal effort.

Connectivity test passed
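To see why the test flips from dropped to delivered, here is a small model of ingress rule evaluation, added as an illustration and not taken from the original article or from Google's implementation. It assumes only priority, protocol/port and CIDR matching (no tags, service accounts or firewall policies); the VM addresses are constructed values inside the two subnets, and 203.0.113.10 stands in for an internet client.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                      # lower number is evaluated first
    action: str                        # "ALLOW" or "DENY"
    protocol: str                      # "tcp", "udp", ... or "all"
    ports: frozenset                   # empty set means any port
    source_ranges: tuple
    destination_ranges: tuple = ("0.0.0.0/0",)

# Implied rule that exists in every VPC network (priority 65535).
IMPLIED_DENY_INGRESS = Rule("implied-deny-ingress", 65535, "DENY", "all",
                            frozenset(), ("0.0.0.0/0",))

# The rule created in Step 5, with the same values as the gcloud command.
ALLOW_HTTP_80 = Rule("allow-http-80", 1000, "ALLOW", "tcp", frozenset({80}),
                     ("10.255.188.0/24",), ("10.255.196.0/24",))

def in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def matches(rule, src, dst, protocol, port):
    proto_ok = rule.protocol == "all" or (
        rule.protocol == protocol and (not rule.ports or port in rule.ports))
    return (proto_ok and in_any(src, rule.source_ranges)
            and in_any(dst, rule.destination_ranges))

def evaluate_ingress(rules, src, dst, protocol, port):
    """Return (action, rule_name) of the rule that decides the packet."""
    candidates = [r for r in list(rules) + [IMPLIED_DENY_INGRESS]
                  if matches(r, src, dst, protocol, port)]
    # Lowest priority number wins; at equal priority DENY beats ALLOW.
    winner = min(candidates, key=lambda r: (r.priority, r.action != "DENY"))
    return winner.action, winner.name

if __name__ == "__main__":
    web1, web2 = "10.255.188.2", "10.255.196.2"   # constructed addresses
    print(evaluate_ingress([], web1, web2, "tcp", 80))               # Step 4
    print(evaluate_ingress([ALLOW_HTTP_80], web1, web2, "tcp", 80))  # Step 6
    print(evaluate_ingress([ALLOW_HTTP_80], "203.0.113.10", web2, "tcp", 80))
```

The last call shows that scoping the rule to subnet1-mumbai's range leaves web2 closed to sources outside it: the packet still falls through to the implied deny.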

Demo 2: Test the connectivity from the internet to the VM on external IP

Step 1. To do this test, I will use my existing machine web1, where an Apache web server is installed and running. This VM is public facing and has an external IP attached.

This is my old VM running the Apache2 web server

Step 2. If you try to access the public IP, the page cannot be reached. Let’s troubleshoot this with Network Intelligence Center. Create another connectivity test and follow the same procedure, but this time the source is the public internet.

Create a Connectivity test in Network Intelligence

Step 3. View the test result. Again, notice that your packets are dropped by the default ingress firewall rule; remember that all ingress is denied by default in any VPC. Now that you know the details of your traffic, you can easily fix this issue by creating a new rule, just like we did in the previous demo.

Network Intelligence connectivity test failed

Step 4. To fix this issue, create a new ingress firewall rule that allows port 80 from the internet. Since I already created it, let’s repeat the connectivity test; this time it went through. Congratulations! Your web server is publicly accessible over the internet.

Network Intelligence connectivity test passed

Let’s access it in the browser :)

Demo 3: Test connectivity from Private Subnet (VM with Internal IP) to the Internet via Cloud NAT.

Step 1. Remove the public IP from the VM web1.

Step 2. Create a Cloud NAT. I have already created it. Click here to know how to create Cloud NAT and attach it to the VPC.

Step 3. Create and run a connectivity test in Network Intelligence. Notice that this time the traffic goes through Cloud NAT. Network Intelligence breaks the path down into each component the traffic crosses and helps you diagnose where the traffic is passed or denied.

Connectivity passed

Step 4. What if I remove the Cloud NAT and then test again? You will notice that Network Intelligence flags the exact point and the reason why the traffic is not going through to the internet. Since we removed Cloud NAT, it says that Cloud NAT is not enabled for this subnet and thus your packets are dropped.

The connectivity test failed after removing the Cloud NAT

Congratulations on completing all three demos; that concludes our article. You can also try a demo that tests connectivity from your cloud VM to on-prem, but you must first have network connectivity established with either a VPN or an interconnect.

Conclusion: A connectivity test is a diagnostic tool that can be used to verify the connectivity between two or more network endpoints. By using the Connectivity Tests feature in NIC, you can quickly and easily identify the root cause of a network connectivity issue so that you can take corrective action.
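The same results can be checked in bulk instead of by eye. The following added example (not from the original article) compares saved test results against the reachability you expect and pulls out the step that dropped the packet. It assumes results exported with `gcloud network-management connectivity-tests describe NAME --format=json`; the sample data, test names, project ID and expected-result policy are constructed.

```python
import json

# Constructed sample shaped like the describe output, trimmed to the fields
# read below; step descriptions are illustrative.
SAMPLE_RESULTS = json.loads("""
[
 {"name": "projects/example-project/locations/global/connectivityTests/web1-to-web2-80",
  "reachabilityDetails": {"result": "UNREACHABLE", "traces": [{"steps": [
    {"state": "START_FROM_INSTANCE", "description": "Packet starts at instance web1."},
    {"state": "APPLY_INGRESS_FIREWALL_RULE", "causesDrop": true,
     "description": "Implied deny ingress rule (priority 65535) matched."},
    {"state": "DROP", "drop": {"cause": "FIREWALL_RULE"}}]}]}},
 {"name": "projects/example-project/locations/global/connectivityTests/internet-to-web2-80",
  "reachabilityDetails": {"result": "REACHABLE", "traces": [{"steps": [
    {"state": "START_FROM_INTERNET", "description": "Packet starts from the internet."},
    {"state": "DELIVER", "description": "Packet delivered to instance web2."}]}]}}
]
""")

# Hypothetical policy: web1 must reach web2; the internet must not.
EXPECTED = {"web1-to-web2-80": "REACHABLE", "internet-to-web2-80": "UNREACHABLE"}

def drop_reasons(test):
    """Return (state, detail) for every trace step that dropped the packet."""
    reasons = []
    for trace in test.get("reachabilityDetails", {}).get("traces", []):
        for step in trace.get("steps", []):
            if step.get("causesDrop") or "drop" in step:
                cause = step.get("drop", {}).get("cause")
                reasons.append((step.get("state"), cause or step.get("description", "")))
    return reasons

def audit(tests, expected):
    """Return one finding per test whose result differs from the expectation."""
    findings = []
    for test in tests:
        name = test["name"].rsplit("/", 1)[-1]
        want = expected.get(name)
        got = test.get("reachabilityDetails", {}).get("result", "UNDETERMINED")
        if want is not None and got != want:
            findings.append({"test": name, "expected": want, "actual": got,
                             "reasons": drop_reasons(test)})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESULTS, EXPECTED):
        print(finding)
```

A path that is expected to be UNREACHABLE but comes back REACHABLE is reported the same way as a broken path, so an unintended exposure shows up as a finding.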
