Google Associate Cloud Engineer – Private Networks in Google Cloud – Cloud VPC
1. Step 01 – Understanding the Need for Google Cloud VPC – Virtual Private Cloud
Welcome back. In the earlier sections we talked about compute, storage and databases, and it’s time now for networking services. In this section, let’s focus on the different networking services which are present in Google Cloud. Let’s get started with VPC. What is the need for Google Cloud VPC? Think of a corporate network or an on-premises data center. Can anyone on the Internet see the data exchanged between an application and the database? You have an application which is talking to the database. Can anyone outside your corporate data center see the communication between the application and the database? The answer is no. Can anyone from the Internet directly connect to the database? Can somebody from outside directly connect to the database? Most probably the answer is no.
You need to first connect to your corporate network, and only then can you access your application or your database. So the corporate network provides a secure internal network, protecting your resources, data and communication from external users. How do you create your own private network in the cloud? You do that by creating a VPC, a virtual private cloud. A Google Cloud VPC is your own isolated network. In the GCP cloud network, traffic within a VPC is isolated: it is not visible to any other Google Cloud VPC. You can control all the traffic which is coming in and going out of a VPC. The best practice is to create all your GCP resources, whether compute resources, storage resources or databases, inside a VPC. Until now, we have been using a default VPC to create our resources. We will look at it a little later.
But the best practice is to always create GCP resources within a VPC. This helps you secure resources from unauthorized access, and it also enables secure communication between your cloud resources. One important thing to remember is that in Google Cloud, a VPC is a global resource. If you are familiar with AWS, there a VPC is associated with a specific region. However, in Google Cloud, a VPC is a global resource: it can contain resources from any region. Inside VPCs we also have subnets, and these subnets are associated with regions; inside a VPC you can have subnets in one or more regions. So a VPC is not tied to a region or a zone. VPC resources can be in any region or zone. In this step, we got a 10,000-foot overview of Google Cloud VPC. I’ll see you in the next step.
2. Step 02 – Understanding the Need for VPC Subnets
In the last step, we understood the need for a VPC. Now, why do we need subnets? Different types of resources are created on the cloud: databases, compute, load balancers. Each type of resource has its own access needs. For example, load balancers. Typically, if you are using a load balancer to expose a web application to the outside world, the load balancer has to be accessible from the Internet. So a load balancer is a public resource. Databases or VM instances should not be accessible from the Internet. External users should not be able to directly connect to the database, or directly connect to the Compute Engine instance.
They should always go through the right route: to the Cloud Load Balancer, the Cloud Load Balancer would talk to Compute Engine, and Compute Engine would talk to the database. Compute Engine and the database should not be accessible from the Internet; they should only be accessible to applications which are inside your network. So these are private resources. How do you separate private and public resources inside a VPC? The recommended option is to create separate subnets for private and public resources. In the subnet where public resources are present, you can allow connections from the Internet.
In the subnet where there are private resources, you only allow connections from the other subnets; you will not allow direct connections from the Internet. So a subnet helps you separate public resources from private resources. Another reason to create subnets is to distribute resources across multiple regions for high availability. Each subnet is associated with a specific region. If you want to create Compute Engine instances in multiple regions, for example, you can create multiple subnets and create instances in each of those subnets, thereby creating instances in different regions. So what we would do is create different subnets for private and public resources.
So within a VPC, you would have a public subnet and a private subnet. Resources in the public subnet can be accessed from the Internet. Resources in the private subnet cannot be accessed from the Internet, but resources in the public subnet can talk to resources in the private subnet. Each subnet is associated with a specific region. So if you create a VPC, say demo VPC, it is global. However, the specific subnets that you create inside it are associated with a specific region: us-central1, europe-west1, us-west1 or one of the other regions. In this step we got introduced to the concept of a subnet. We understood why we need subnets and we looked at a few examples. I’ll see you in the next step.
3. Step 03 – Creating VPCs and Subnets in Google Cloud Platform
Welcome back. In this step, let’s look at creating VPCs and subnets. By default, every project has a default VPC. You can create your own VPCs as well. When you create your own VPCs, you have two options. Option one is an auto mode VPC network. When you use an auto mode VPC network, along with the VPC, subnets are automatically created in each region. So in each Google Cloud region, there is a subnet created inside your VPC. The default VPC which is created automatically inside a new project uses auto mode. So you’d see that the default VPC contains a subnet in every region. Option two is a custom mode VPC network.
When you use a custom mode VPC network, no subnets are automatically created. You need to create all the subnets manually, and thereby you have complete control over the subnets, and you can also assign the right IP ranges to your subnets. The custom mode VPC network is typically recommended for production. When you create a subnet, you can also configure a few important options. Number one: enable Private Google Access. If you enable Private Google Access, then your VMs inside that subnet can talk to Google APIs using private IPs. Whenever you want to talk to any resource, it is better to use private IPs, because if you use private IPs, the communication happens within the network.
As soon as you go for public IPs, what happens? The communication goes over the Internet, and that’s not good. That’s the reason why it’s better to use private IPs for communication. The other option you have is to enable flow logs. If you want to see the traffic which is flowing in and out of the subnet, and if you want to troubleshoot any VPC-related network issues, I would recommend you enable flow logs. In this step, we looked at some of the important things that you need to remember when creating VPCs and subnets. I’ll see you in the next step.
4. Step 03a – Understanding CIDR Blocks
Welcome back. In this step we’ll talk about CIDR blocks: Classless Inter-Domain Routing blocks. Very complex name, right? What are they related to? Resources in a network use contiguous IP addresses to make routing easy. Resources in a specific network can use IP addresses from 69.28.0.0 to 69.28.0.15. So you can see that these resources have a contiguous range of IP addresses assigned. How do you express the range of addresses that the resources in a network can have? You don’t want to say the starting address is this and the ending address is that. Is there a simpler way? That’s CIDR blocks. A CIDR block consists of a starting IP address and a range. In 69.28.0.0/28, 69.28.0.0 is the starting IP address of the CIDR block and /28 is the range.
What does /28 mean here? /28 represents the fact that this CIDR block will have 16 addresses, and the 16 addresses range from 69.28.0.0 to 69.28.0.15. Now, you might be wondering what the relation is between /28 and 16 addresses. The thing is, in 69.28.0.0/28, what we mean is that the first 28 bits are fixed. IPv4 addresses have 32 bits. Out of the 32 bits, the first 28 bits are fixed based on this specific address, and the last four bits can vary. When four bits can change, you can create 2 to the power of 4, which is 16, addresses. That’s what we have here: the last four bits can change from 0 to 15, and that’s why this represents a range from 69.28.0.0 to 69.28.0.15. If you Google for cidr.xyz, you’d land on this page, cidr.xyz.
This is the best place to understand how CIDR blocks work. So if I type in /32, it represents just one address, because I’m saying all 32 bits are fixed, and this is the specific address I’m representing. If I say /31, you can see that all the colored bits are fixed, and the only bit which can vary is the last one. It can be 0 or 1. If I put /30 in here, you can see that these are fixed and the last two can vary, and therefore I have four combinations: 00, 01, 10, 11. And if I go for /29, the last three can vary: 000, 001, 010, 011, 100, 101, 110, 111. So those are all the options that would be present. What I would recommend you to do is to play around with this a little bit. Understanding this is very, very important whenever you are playing with VPCs or subnets.
So I’ll recommend you spend some time with this and then look at the exercises. How many addresses does /26 represent? /26 means the first 26 bits are fixed; 32 minus 26 is 6, so the last six bits can change, and 2 to the power of 6 is 64 addresses. So from .0 to .63. How many addresses does /30 represent? 2 to the power of 2, which is four addresses. What is the difference between 0.0.0.0/0 and 0.0.0.0/32? This is very important to remember. 0.0.0.0/32 represents one IP address, which is 0.0.0.0. However, 0.0.0.0/0 represents the entire range of IPv4 addresses: zero bits are fixed. In this step, we talked about CIDR addresses. I’ll see you in the next step.
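The fixed-bits versus varying-bits reasoning above, worked through in code. This is an added example written for this lesson, not part of the course or of any Google Cloud tool; it uses only Python’s standard ipaddress module and also adds the overlap check you need when adding a second subnet to a VPC.

```python
"""CIDR arithmetic as explained in the lecture (fixed bits vs. varying bits), plus the
overlap check that matters when adding subnets to a VPC. Written for this lesson; it
uses only Python's standard ipaddress module, not any Google Cloud API."""
import ipaddress
from typing import Dict, List, Tuple


def cidr_summary(cidr: str) -> Dict[str, object]:
    """Break a CIDR block into the numbers the lecture walks through: how many
    leading bits are fixed, how many trailing bits vary, and the resulting
    address count and first/last address."""
    # strict=False tolerates host bits set in the given address (e.g. 10.0.0.5/24)
    net = ipaddress.ip_network(cidr, strict=False)
    varying_bits = net.max_prefixlen - net.prefixlen  # 32 - prefix length for IPv4
    return {
        "network": str(net),
        "fixed_bits": net.prefixlen,
        "varying_bits": varying_bits,
        "num_addresses": 2 ** varying_bits,  # identical to net.num_addresses
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
    }


def varying_bit_patterns(cidr: str, max_bits: int = 8) -> List[str]:
    """Enumerate the values the varying bits can take, like the colored bits on
    cidr.xyz: /30 gives 00, 01, 10, 11. Capped so that /0 does not try to list
    2**32 patterns."""
    net = ipaddress.ip_network(cidr, strict=False)
    n = net.max_prefixlen - net.prefixlen
    if n == 0:
        return [""]  # /32: nothing varies, exactly one address
    if n > max_bits:
        raise ValueError(f"{cidr} has {n} varying bits; more than {max_bits} is not worth listing")
    return [format(i, "b").zfill(n) for i in range(2 ** n)]


def overlapping_pairs(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return every pair of ranges that overlap. Subnets inside one VPC must not
    overlap, which is why a second subnet next to 10.0.0.0/9 is placed at 10.128.0.0/9."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed sample blocks from the lecture's exercises.
    for block in ("69.28.0.0/28", "10.0.0.0/26", "0.0.0.0/32", "0.0.0.0/0"):
        print(cidr_summary(block))
    print(varying_bit_patterns("69.28.0.0/29"))
    print(overlapping_pairs(["10.0.0.0/9", "10.128.0.0/9"]))   # [] : safe to add both
    print(overlapping_pairs(["10.0.0.0/9", "10.64.0.0/10"]))   # overlap: second subnet rejected
```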
5. Step 03b – Demo – Creating VPCs and Subnets in GCP
Welcome back. In this step, let’s look at the VPC networks in the Google Cloud Console. If you just type in VPC networks, this is the page you’d go to: VPC networks. Once you are in here, you’d see that there is a default network that is created. I am inside the Myfirst project, and you can see that inside the Myfirst project there is a default network. Right now there are 24 regions, and there are 24 subnets created here, one in each of these 24 regions. You can scroll down and see the subnets which are created in each of the regions, and you can see that these subnets are assigned specific ranges of IP addresses. The mode in which the default network is created is auto mode, and that’s the reason why a subnet is created in every region.
What we can also do is create our own VPC network. So I can say Create VPC network, and I can call it my first VPC. Configuring the VPC is very, very easy. However, configuring the subnets is a little bit more complex. You can either go for custom or automatic mode. If you go for automatic mode, a subnet would be created in every region. What we’ll go with is the custom mode. So let’s customize the subnets that we want to create. Let’s go to custom, and let’s say I want to create a specific subnet in a specific region. I’ll choose asia-south1 as the region in which I want to create the subnet, and I’ll name the subnet asia-south1-subnet. You can also configure an IP address range in here, for example 10.0.0.0/9.
So this is the IP range that I’m configuring. You can also configure whether you want to enable Private Google Access or not: should VMs in this subnet be able to access Google services without external IP addresses? For now I’ll leave it off. You can also configure flow logs; you can set them on or off. Now I’ll click Done, choose the defaults for the rest of the options and say Create. This would create our first VPC. And now you’d see that there is a default VPC, and right beneath it there is my first VPC. The creation of my first VPC took a couple of minutes, at the end of which we have a VPC with one subnet, a custom subnet created in asia-south1, with the IP address range that is assigned to it.
How do you make use of this VPC? You can create resources inside this specific VPC. How do we do that? Let’s try and create a VM. I’ll type in VM and open up Add VM instance in a new tab. I’ll open Add VM instance three times, so I’m opening up three different Add VM instance screens. What I want to do is create a few instances. By default, whenever you create any resource, it is created in the default network. So if I go into the Google Cloud Platform console here, look at Management, Security, Networking and Sole Tenancy and go to Networking, by default the network which is used is the default network. So what I would do first is create an instance in the default network.
Let’s call this default instance one and say Create. So we are creating one VM in the default network. The next one I would also create in the default network, so I’ll not make any changes; I’ll just name it default instance two and create that. So we have now started the second one, default instance two. However, this one I would create in my custom network, so I’ll call it custom network one. This is the custom network instance. How do we assign a custom network to this? Let’s go in here and see the magic. Let’s go to Networking, and I can edit the network. I can click this and say I don’t want to use the default network; I want to use my first VPC. However, it says there are no subnetworks in this specific region.
Why? Let’s go above and look at the zone which is present in here. You can see that this instance is configured to run in this specific zone, us-central1-a. However, do we have a subnet in us-central1? We don’t. So if I’m creating an instance in my first VPC, I can only create it in the regions where subnets are present. In my first VPC I only have one subnet, so I can only create my instances in that specific region. If I wanted, I could add more subnets in other regions as well. For now, what we’ll do is choose this specific region to create our VM instance in. So we’ll create our instance in asia-south1. Let’s go in here and choose the region asia-south1 (Mumbai). Now, the zone does not really matter.
It can be any zone in that specific region. If I scroll down, right now by default this network is automatically chosen, and that’s cool. So what we are doing is creating a VM instance in a specific network. You can configure a custom network to be used to create any type of resource. Let’s go ahead and say Create. So we are now creating three different VM instances. Let’s go to the VM instances screen and refresh. I see a lot of instances present here; I will delete a couple of instances that we don’t really need to worry about right now. I’ll select these two and delete them. As you can see, I’m facing an error trying to create an instance in the asia-south1 region. It says the limit in the asia-south1 region for my account is zero.
So I cannot really create any instances in asia-south1. What I would do now is create a new subnet. I’ll open up the VPC, add a subnet and first choose the region. Let’s choose one of the US regions; hopefully we’ll not have a problem with that. So us-central1, and I’ll call this us-central1-subnet. Let’s take the defaults and enter the IP address range. I’ll enter 10.128.0.0/9 so there is no overlap with the first subnet. I’ll take the defaults for the rest of the options and say Add, and this would add another subnet. You can see that a us-central1-subnet is being created. The subnet is now ready, and I’ll go over to our VM instances and try to create a new VM instance quickly.
Over here let’s call this custom instance one, and I want to create it in which region? us-central1, right, because that’s where we have the subnet. So us-central1 (Iowa). That looks good. Let’s go ahead and choose the network. So let’s go in here and go over to Networking. Oops, actually we should choose the custom network, not the default. So instead of the default, what we want to do is use the custom network. Let’s go and say my first VPC, and I want to use the us-central1-subnet.
That looks cool. Let’s see if the creation of the instance will now be successful. I have started the creation of the instance. Yep, the instance creation is now getting triggered; let’s hope it will be successful. Now I’ll close all the other tabs that we have here, and I will SSH into default instance one. We created that instance in the default subnet, so I’ll be able to SSH into it. Let’s click SSH to open a pop-up; we’ll be able to SSH into that instance when I say Connect. Over here I can see that custom instance one is also ready. That’s cool. What we have set up until now is a couple of instances running in the default network and one instance in the custom network. What you would see is that instances in the default network are able to talk to each other.
However, the instance which we have created in the custom subnet, you will not be able to talk to from the default network, and that is what creating separate networks allows us to do: it allows us to separate resources into groups and allow communication between the right groups of resources. So let’s go over to default instance one, and I’ll say ping followed by the internal IP of default instance two. So this is the one I’ll pick up. You’ll be able to see that I’m able to ping it, so there’s no problem pinging the other instance in the same network. These two instances can talk to each other easily. However, let’s pick up the IP address of the custom instance and try to ping it.
What would happen? Will the ping work? No. As you can see, by creating a network and assigning resources to the network, you can control the communication between those resources. That’s one of the reasons why you have to create your resources in networks. Ideally, all the resources that we need to create should be created in a custom VPC. Thereby, you can control the communication between the different resources, and you can also control traffic in and out of that specific network. In VPCs, we also have an option where we can connect these two networks together; we can say the instances in the default network and the custom network can talk to each other.
That concept is called network peering, VPC network peering. You can configure peering between two networks. We’ll talk about network peering a little later in the course. For now, let’s go ahead and terminate these instances; let’s not have them running for a long time. So let’s say Delete and delete all the VM instances present here. In this step, we learned how to create a custom network and how to create instances in a custom network. We saw that instances in the custom network cannot talk to instances in the default network by default. I’m sure you’re having a wonderful time and I’ll.
6. Step 04 – Understanding Firewall Rules in Google Cloud Platform
Welcome back. In this step, let’s talk about firewall rules. What is the need for firewall rules? They let you control traffic going in and out of the network. Firewall rules are stateful. Basically, that means that if incoming traffic is allowed, then the outgoing traffic for that connection is automatically allowed: if a request is allowed, the response is automatically allowed. So it’s stateful. Each firewall rule has a priority assigned to it: a number between 0 and 65535 is attached to every firewall rule. 0 is the highest priority and 65535 the lowest priority. There is a default implied rule with the lowest priority. This is an implied rule, not a physical rule which is present. The default implied rule allows all egress from inside the network.
All outbound traffic is allowed; all egress is allowed. However, all ingress is denied: any incoming traffic into a network is automatically denied by the default implied rule, and these default rules cannot be deleted. However, if you want to deny some egress or allow some ingress, you can override the default rules. You can create new rules with a priority between 0 and 65534. The implied rules have priority 65535; as soon as you use any number less than that, your rule has higher priority and overrides the default rules. Whenever a default VPC is created, it has four additional rules with priority 65534, in addition to the default implied rules.
These additional rules have priority 65534. The first, default-allow-internal, allows incoming traffic from VM instances in the same network, so inside the same network VM instances can communicate with each other. The second, default-allow-ssh, allows incoming SSH traffic on port 22. Earlier, we were able to directly SSH into the VM instances; that is because of this rule. The third, default-allow-rdp, allows incoming traffic on port 3389. On Linux machines we would do an SSH; however, if you are using a Windows machine, you do an RDP, Remote Desktop Protocol, and RDP uses port 3389. So this rule allows incoming TCP traffic on port 3389. The last rule, default-allow-icmp, allows ICMP from any source on the network.
This would allow you to ping the IP address and check if the resource is up and running. Until now, we talked about the default firewall rules. You have a default implied rule which allows all egress and denies all ingress, and the default VPC has four additional rules: allow traffic between VM instances, allow incoming TCP traffic on the SSH port, allow incoming TCP traffic on the RDP port, and allow ICMP. Now, in addition to these rules, you can define your own rules. You can define ingress and egress rules. Ingress is traffic which is coming from outside to GCP targets. You can configure allow or deny rules to allow or deny ingress traffic. When you are defining an ingress rule, you should define the target. This is basically the destination.
You can say the target is all instances, or instances with a specific tag, or instances with a specific service account. You also specify the source, which defines where the traffic is coming from: you can define a range of IP addresses, and a range of IP addresses is called a CIDR block. You can also specify all instances or instances with a specific tag or service account as the source. So an ingress rule says: from which source (which external source, which range of IP addresses) to which targets (which instances, or which group of instances with specific tags or service accounts) do you want to allow or deny traffic? The egress rules, on the other hand, define rules for outgoing traffic. What outgoing traffic do you want to allow or deny? The target in here defines the source, where the traffic is originating from: all instances, or instances with a specific tag or a service account. The destination is typically a CIDR block.
I want to allow traffic to a specific range of IP addresses. Along with each ingress rule and each egress rule, you can also define the priority of the rule; we saw that priorities range from 0 to 65535, and the lower the number, the higher the priority. You can also configure an action: do you want to allow or deny traffic? You can configure a protocol: which protocol do you want to allow or deny? You can configure which port as well, and you can also configure an enforcement status: you can enable or disable the rule. So whenever you want to allow or deny traffic into the network in addition to the default rules, you can configure your own rules. These are called firewall rules, and this is how you define them. I’m sure you’re having an interesting time and I’ll see you in the next step.
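The priority and implied-rule behaviour described in this step, modelled as a small evaluator. This is an added example written for this lesson, not Google’s firewall implementation; the rule names and priorities are the ones the step lists, the 10.128.0.0/9 source range is the default network’s auto-mode range, and the client addresses in demo() are constructed.

```python
"""Toy evaluator for the VPC firewall semantics described in the lecture: priority 0 is
highest and 65535 lowest, every network has implied allow-all-egress and deny-all-ingress
rules at 65535, the default network adds four allow rules at 65534, and a rule with a
lower number overrides them. Written for this lesson, not Google's code."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

LOWEST_PRIORITY = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                               # "INGRESS" or "EGRESS"
    action: str                                  # "allow" or "deny"
    priority: int                                # 0 = highest, 65535 = lowest
    protocol: str = "all"                        # "tcp", "udp", "icmp" or "all"
    ports: Optional[FrozenSet[int]] = None       # None = any port (ICMP has no ports)
    ranges: Tuple[str, ...] = ("0.0.0.0/0",)     # source ranges (INGRESS) or destination ranges (EGRESS)
    target_tags: Optional[FrozenSet[str]] = None # None = all instances in the network
    enabled: bool = True                         # enforcement status

    def matches(self, direction: str, remote_ip: str, protocol: str,
                port: Optional[int], instance_tags: FrozenSet[str]) -> bool:
        if not self.enabled or self.direction != direction:
            return False
        if self.target_tags is not None and not (self.target_tags & instance_tags):
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        addr = ipaddress.ip_address(remote_ip)
        return any(addr in ipaddress.ip_network(r) for r in self.ranges)


# Implied rules present in every VPC network; they cannot be deleted, only overridden.
IMPLIED_RULES: List[Rule] = [
    Rule("implied-deny-ingress", "INGRESS", "deny", LOWEST_PRIORITY),
    Rule("implied-allow-egress", "EGRESS", "allow", LOWEST_PRIORITY),
]

# The four rules pre-populated in the default network (priority 65534). The internal
# rule's source range is the default network's own auto-mode range, 10.128.0.0/9.
DEFAULT_NETWORK_RULES: List[Rule] = [
    Rule("default-allow-internal", "INGRESS", "allow", 65534, "all", None, ("10.128.0.0/9",)),
    Rule("default-allow-ssh", "INGRESS", "allow", 65534, "tcp", frozenset({22})),
    Rule("default-allow-rdp", "INGRESS", "allow", 65534, "tcp", frozenset({3389})),
    Rule("default-allow-icmp", "INGRESS", "allow", 65534, "icmp"),
]


def evaluate(rules: Iterable[Rule], direction: str, remote_ip: str, protocol: str,
             port: Optional[int] = None, instance_tags: Iterable[str] = ()) -> Tuple[str, str]:
    """Decide one new connection attempt and return (action, rule name).
    The matching rule with the lowest priority number wins; if allow and deny rules tie
    on priority, deny takes precedence. Because rules are stateful, the reply to an
    allowed connection needs no rule of its own."""
    tags = frozenset(instance_tags)
    candidates = [r for r in list(rules) + IMPLIED_RULES
                  if r.matches(direction, remote_ip, protocol, port, tags)]
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = candidates[0]  # the implied rules guarantee at least one match
    return winner.action, winner.name


def demo() -> dict:
    """Constructed packets: 203.0.113.5 stands in for an Internet client and
    10.128.0.5 for a VM inside the default network."""
    custom = DEFAULT_NETWORK_RULES + [
        # A user rule with a lower number than 65534 overrides default-allow-ssh.
        Rule("deny-ssh-from-internet", "INGRESS", "deny", 1000, "tcp", frozenset({22})),
    ]
    return {
        "ssh_default": evaluate(DEFAULT_NETWORK_RULES, "INGRESS", "203.0.113.5", "tcp", 22),
        "mysql_default": evaluate(DEFAULT_NETWORK_RULES, "INGRESS", "203.0.113.5", "tcp", 3306),
        "mysql_internal": evaluate(DEFAULT_NETWORK_RULES, "INGRESS", "10.128.0.5", "tcp", 3306),
        "egress": evaluate(DEFAULT_NETWORK_RULES, "EGRESS", "203.0.113.5", "tcp", 443),
        "ssh_overridden": evaluate(custom, "INGRESS", "203.0.113.5", "tcp", 22),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```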
7. Step 05 – Getting Started with Shared VPC
Welcome back. In this step, let’s talk about Shared VPC. Your organization might have multiple projects, and you want resources in different projects to talk to each other. How do you allow resources in different projects to talk with internal IPs securely and efficiently? That’s where you can create a Shared VPC. A Shared VPC is created at the organization or a shared folder level. The access that you need to be able to create a Shared VPC is the Shared VPC Admin role. You need to have this role to create a Shared VPC.
Once you create a Shared VPC, it allows the Shared VPC network to be shared between projects in the same organization. A Shared VPC contains one host project and multiple service projects. The host project contains the Shared VPC network, and the service projects are attached to the host project. A Shared VPC allows you to achieve separation of concerns: the network administrators are responsible for the host project, and the resource users use the service projects. In this step, we talked about Shared VPC.
8. Step 06 – Getting Started with VPC Peering
Welcome back. In this step, let’s talk about VPC Peering. How do you connect VPC networks across different organizations? Enter VPC Peering. Networks in the same project, in different projects, or across projects in different organizations can be peered. All communication between peered resources happens using internal IP addresses. This is highly efficient, because all communication happens inside the Google network, and highly secure, because the communication is not accessible from the Internet, and there are no data transfer charges for data transfer between services, because all the communication is internal. One important thing to remember is that network administration does not change: an admin of one VPC does not automatically get the admin role in the peer network. In this step, we talked about VPC Peering and how you connect VPC networks across different organizations. I’ll see you in the next step.
9. Step 07 – Implementing Hybrid Cloud with Cloud VPN and Cloud Interconnect
Welcome back. In this step, let’s talk about the hybrid cloud options in Google Cloud. How do you connect an on-premises network to a cloud network? Let’s start with Cloud VPN. Cloud VPN is implemented using an IPsec VPN tunnel. The traffic goes through the Internet, so the traffic is public; however, the traffic is encrypted, with keys negotiated using the Internet Key Exchange (IKE) protocol. There are two types of Cloud VPN solutions supported. One is HA VPN (high availability VPN). This provides an SLA of 99.99% with two external IP addresses. However, HA VPN only supports dynamic routing; it does not support static routing. The other option is Classic VPN. This provides an SLA of 99.9%, gives you a single external IP address, and supports both static and dynamic routing.
So you go for Cloud VPN if you want to connect an on-premises network to the GCP network over the Internet using an IPsec VPN tunnel. What other options are present? The other option you have is Cloud Interconnect. This is a high-speed physical direct connection between on-premises and VPC networks. This provides you with high availability and high throughput. Two types of connections are possible. One is Dedicated Interconnect, available in 10 Gbps or 100 Gbps configurations. The other option is Partner Interconnect. This is a shared connection, available in 50 Mbps to 10 Gbps configurations. If you want a really high-speed physical connection, then you need to go for Dedicated Interconnect; otherwise, you can go for Partner Interconnect.
The data exchange in the case of Cloud Interconnect happens through a private network. In the case of Cloud VPN, it happens over a public network: it happens through the Internet. However, with Cloud Interconnect, the data exchange happens through a private network. If you want to communicate from the on-premises network to the resources present inside the VPC, you can use the VPC network’s internal IP addresses. This reduces the egress cost, because the traffic goes through a private network and the public Internet is not used. Cloud Interconnect also allows you to access supported Google APIs and services privately from on-premises applications. So if you want to talk privately to Google APIs and services from on-premises, you can go for Cloud Interconnect.
Cloud Interconnect is recommended for high bandwidth needs. If you have low bandwidth needs, then Cloud VPN is recommended. The third option with which you can establish a hybrid cloud is Direct Peering. This is used to connect a customer network to the Google network using network peering. This is a direct path from the on-premises network to Google services. Remember that Direct Peering is not a GCP service; it is a lower-level network connection outside of GCP, and therefore Direct Peering is typically not recommended. The recommended options typically are Cloud Interconnect and Cloud VPN. In this step, we looked at some of the ways you can establish a hybrid cloud.