Google Professional Cloud Network Engineer – Designing, Planning, and Prototyping a GCP Network
- 1.2 Designing a Virtual Private Cloud (VPC) – Subnetworks
Subnetworks and VPC. A subnetwork (subnet, for short) is an isolated network within your virtual private cloud, and it is specific to a region. So a VPC is global in nature, whereas subnetworks are regional. In this particular case you have two different networks: one is the production network and the second is the dev/stage network, and both are global in nature, with presence in region one and region two. In region one you have a subnetwork spanning multiple zones, zone one and zone two. In region two the subnetwork is only in zone two of that region; that is the subnetwork created as a backup network. Resources in zone two of this subnet can talk to the resources inside the subnet in region two using internal communication, provided you have the firewall opened and routes defined, so that they know this particular instance exists and how to reach it. You can also have a resource from one network talking to another network via its external IP address. Again, the firewall plays a major role here: unless the firewall is open and routes are defined, those instances cannot be reached.
Reserved addresses. Within any subnet range there are reserved addresses: the network address, which is the first address in the CIDR range; the default gateway address, the second address in the CIDR range; a reserved address, the second-to-last in the CIDR range; and the broadcast address, the last address in the CIDR range. So what are reserved addresses? Out of whatever range you define for a particular subnet, the first two addresses are reserved: the network address, which identifies your subnetwork, and the default gateway for that subnetwork. The last two are also reserved: the second-to-last address and the broadcast address in the CIDR range. These four addresses are not usable at all.
If your subnetwork has 256 addresses, four of them are not usable because they are reserved, and you will only be able to use 252 addresses. So what is a subnet? A VPC contains subnetworks. Subnets are region-specific; a subnetwork lives in a single zone or in multiple zones within the region. Using a subnetwork we can apply a single firewall rule to all of its VMs, even if they are in different zones. You can create multiple subnets within a single region and zone to isolate resources for different business needs. Each subnet has a contiguous RFC 1918 IP range. Virtual machine instances within a VPC network can communicate with instances in all other subnetworks within the same VPC, regardless of their region, using RFC 1918 private IPs. And this is very important.
Coming back to the IP ranges: if you create an instance under us-central1 using this particular address range, the instance can talk to any other instance within that network using its internal IP address. We don't have to use the external IP address, and that is very important. Within the VPC you can isolate a portion of your network, even an entire subnet, using firewall rules, and those are very important. You can create firewall rules to block or open connections between networks and between subnetworks. We saw that there are default, auto mode and custom mode networks, right? In an auto mode network the subnetworks are created for you in each region, with firewall rules open between the subnetworks, so all the resources can communicate with each other. You can see that the default VPC is auto mode in nature; a network shows as either auto or custom. You can convert the default network into custom mode, but once you convert a network into custom mode you cannot take it back into auto mode, and that is a very important consideration. You can always convert your auto network or default network into a custom network and modify the subnetworks, firewall rules or routes. In a custom network you create each subnetwork yourself within a specific zone or region. No firewall rules are open for communication; you have to open them explicitly, and this is very important.
If you look at the overall picture, you have the region, you have zones, and you have subnetworks within the zone or within the region, and your load balancer communicates with your backend services, that is, the instances behind those services. If you have a website, the traffic first comes to DNS, whether it is Cloud DNS or any other DNS, which routes it to Cloud Load Balancing, and from there it is forwarded to the backend instances; this is very important. So you can have instances inside the VPC networks, and you can even have these resources spanning multiple regions, because Google Cloud load balancers are global in nature, especially the HTTP and HTTPS load balancers.
Now look at this typical example. You have a default network inside Google Cloud Platform, and in it different subnetworks have been created: two subnetworks for region two and one subnetwork in region one. Region one and region two could be anywhere, because your VPC is global in nature, and your resources will sit inside those subnetworks, whether in one particular zone or in multiple zones. Subnetwork one has a /24 address range, 10.240.0.0/24. The second network also has a /24 range, in the 192.168 space, and it is specific to zone A. The third network has a /16 address range, which is a much bigger range, and it spans multiple zones, zone A as well as zone B. So this is the typical use case. You can mix and match the way you want, but you cannot go beyond a region for one particular subnetwork: a subnetwork lives within a region, possibly spanning multiple zones.
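To make the reserved-address rule and the sample ranges above concrete, here is an added example (constructed for this page, not Google's code): for any proposed subnet range it lists the four addresses GCP reserves, the usable count, and whether the range is RFC 1918 space, and it checks a set of ranges for one VPC against the lecture's RFC 1918 rule and GCP's no-overlap constraint.

```python
"""Reserved addresses in a subnet range, as an added example (constructed, not
Google's code): for any proposed range it lists the four addresses GCP reserves,
the usable count, and whether the range is RFC 1918 private space."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reserved_addresses(cidr):
    """The four reserved addresses of an IPv4 subnet range."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    return {
        "network": str(net.network_address),               # first address
        "gateway": str(net.network_address + 1),           # second address
        "second_to_last": str(net.broadcast_address - 1),  # reserved by Google
        "broadcast": str(net.broadcast_address),           # last address
    }

def usable_count(cidr):
    """Total addresses minus the four reserved ones."""
    return ipaddress.ip_network(cidr).num_addresses - 4

def usable_hosts(cidr):
    """Every address a VM in the subnet could actually be given."""
    net = ipaddress.ip_network(cidr)
    reserved = set(reserved_addresses(cidr).values())
    return [str(a) for a in net if str(a) not in reserved]

def is_rfc1918(cidr):
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)

def plan_subnets(cidrs):
    """Validate proposed subnet ranges for one VPC: each must be RFC 1918 (the
    lecture's rule) and no two may overlap (a GCP constraint). Returns problems."""
    problems = []
    nets = [ipaddress.ip_network(c) for c in cidrs]
    for net in nets:
        if not is_rfc1918(str(net)):
            problems.append(f"{net} is not RFC 1918 private space")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems
```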
- 1.2 Designing a Virtual Private Cloud (VPC) – Firewall & Routes
Routes and firewall rules. What are routes? Routes are the way you tell a particular VM how to reach a particular instance or resource, using the routing mechanism. Firewall rules, on the other hand, are where you put traffic control rules: restrictions on egress or ingress traffic for your VMs or cloud resources. Let's get into the details. So what is a route? A route tells a VM instance and the VPC network how to send traffic from an instance to a destination, either inside the network or outside the GCP network. That is what is defined in the routes. Each VPC comes with some system-generated routes that route traffic among its subnetworks and send traffic from eligible instances to the Internet. Here are some examples; I can go back into our VPC network. Here is a route. The route says that for the destination range 10.128.0.0/20, that is, all the IP addresses inside it, traffic goes to the listed next hop.
Each route has a priority, and there is also a default route to the internet, which is created by default. We have seen that for custom as well as auto mode VPCs these routes have been created. If you look at the network and routes for the default network, you will find a route for each and every address range we have. For the custom network, because we have only one subnet, there is one subnet route created, and the second one is the default route to the internet gateway. You can just go ahead and delete that default route if you don't want any instance going out to the internet, because you may decide it is an internal service and the instances should not go out to the Internet, right? That is how you manage the routes and control what your instances can and can't do. Some points around routes. All networks have automatically created routes to the Internet and to the IP ranges in the network. The subnet routes let instances send traffic to any other instance or resource within the same VPC network. The default route lets instances send traffic outside the VPC network, to the Internet gateway. Route names are generated automatically. Routes apply to traffic egressing a VM, and traffic is forwarded to the most specific matching route. Traffic is delivered only if it also matches a firewall rule.
So you need to make sure a firewall rule is open for the traffic on that route; then and only then will it go out. Otherwise it will be blocked outside the VM instance. Subnet routes are created when the subnet is created, apply to tagged VMs as well, and enable VMs on the same subnet to communicate. These are the properties of routes. Essentially, routes are created for subnetworks by default, so you don't need to create them again; if you want to delete one, you can just go ahead and delete it. For a route to work you need firewall rules opened for those destination IP addresses. As an example, the routes we saw were the /20 subnet routes, such as 10.146.0.0/20, and the default route to the internet.
Here is another route example. Firewall rules, as we said, let you control the traffic from or to the cloud resources. For example, for a virtual machine you can define which traffic may go out to the internet or come in to that particular virtual machine. If I go back to the console, these firewall rules are created for you directly. When you create a VM instance (Compute Engine, VM instances), you attach or detach firewall rules here through network tags; if you go and edit the instance, you can't edit the firewall rules themselves, you do it through the network tags. So firewall rules are applied to instances via network tags. Let me open another console tab so we can switch back and forth to the network. You see these rules, right? In the firewall rules, this is the targets field.
What does it mean? If you want to enforce a rule, you can use the default allow ICMP rule or the default allow SSH rule. Here it says "apply to all"; I can edit it to a specific tag, say default ICMP traffic, and save. Now I can go back to this particular instance, add the tag default ICMP, and that is how ICMP will be allowed. So you control the traffic to and from the instances using firewall rules. The actions: you can allow traffic or deny traffic. The conditions: the destination CIDR range, that is, when you are going outside this network, the destination range for egress traffic; or, if someone is coming in to your virtual machine, the source IP ranges for ingress. You can define the protocol and the ports for it. And we saw that, right?
Here you can define protocol and port: if I look at protocols and ports, it says TCP 80 and TCP 443. So you can define port and protocol. Each VPC network implements a distributed virtual firewall. The concept of a VPC is a private network, and everything is blocked by default, right? The firewall allows you to control which packets can travel to which destinations. Each VPC network has two implied firewall rules: one blocks all incoming connections and one allows all outgoing connections from the network's resources. That is where we saw the 0.0.0.0/0 range, right? Each network has its own firewall controlling access to and from the instances; you can have allow rules as well as deny rules. The default network has automatically created firewall rules. A manually created network has no automatically created firewall rules beyond the implied defaults: allow all outgoing traffic and deny all incoming traffic.
You can have network tags and attach those tags to VM instances. You attach the rules to the tags, and then attach those tags to the VM instances. We saw the HTTP traffic, right? The HTTP and HTTPS tags are user-defined strings, and tags are applied to VMs, not to IP addresses. So if you go back, we saw that there are tags you can create, and we saw the ICMP tag. Routes and firewall rules are network resources and cannot be shared between projects or networks. A rule is specific to a network; it is maintained in a network table and applied to the traffic. This is SDN routing; that is what it is used for.
The subset of routes and rules for one VM is derived from that table and applied to traffic as it exits the VM or as it enters the VM. SDN routing is applied as traffic goes out from the VM. Note that these firewall rules and routes are not inside the VM, and this is very important: you will not find these routes and firewall rules configured as a part of the operating system.
They are outside your VM instances. Traffic that does not match both a route and an allow rule is dropped. Allowed traffic with a matching route is delivered to the target VM, service or internal endpoint. Firewall rules are not routing or switching; typically they are connection control. For default and custom networks alike the defaults are: deny all ingress, allow all egress. For ingress firewall rules you start from deny-everything; the source filter lets you allow by source range and by tag, for simpler rules inside the firewall. Egress rules match on destination IP CIDR.
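The behaviour described in this section, as an added toy model (constructed for this page, not Google's code): a packet leaving or entering a VM is matched against the most specific route, then against firewall rules in priority order, with the two implied rules (deny all ingress, allow all egress) as the fallback. The subnet route 10.128.0.0/20 and the default internet route are the ones shown above; the rules, the "web" network tag and the 192.0.2.0/24 source range are constructed sample data.

```python
"""Toy model of VPC forwarding (constructed example, not Google's code): pick the
most specific route (longest prefix match), then walk the firewall rules in
priority order, falling back to the implied rules (deny ingress, allow egress)."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    dest: str              # destination CIDR
    next_hop: str          # e.g. "subnet" or "default-internet-gateway"
    priority: int = 1000   # lower value wins when prefix lengths tie

@dataclass
class FirewallRule:
    direction: str         # "INGRESS" or "EGRESS"
    action: str            # "allow" or "deny"
    cidr: str              # source range (ingress) or destination range (egress)
    protocol: str = "all"
    ports: frozenset = frozenset()        # empty = any port
    target_tags: frozenset = frozenset()  # empty = every VM in the network
    priority: int = 1000

# Implied rules sit at the lowest possible priority (65535), so any explicit rule wins.
IMPLIED_RULES = [FirewallRule("INGRESS", "deny", "0.0.0.0/0", priority=65535),
                 FirewallRule("EGRESS", "allow", "0.0.0.0/0", priority=65535)]

# Constructed sample: the default us-central1 subnet route, the default internet
# route, and three explicit ingress rules.
ROUTES = [Route("10.128.0.0/20", "subnet"), Route("0.0.0.0/0", "default-internet-gateway")]
RULES = [
    # a deny at priority 900 beats the allow at 1000 for this source range
    FirewallRule("INGRESS", "deny", "192.0.2.0/24", target_tags=frozenset({"web"}), priority=900),
    # HTTP/HTTPS from anywhere, but only to VMs carrying the "web" network tag
    FirewallRule("INGRESS", "allow", "0.0.0.0/0", "tcp", frozenset({80, 443}), frozenset({"web"})),
    FirewallRule("INGRESS", "allow", "10.128.0.0/20"),  # anything between VMs in the subnet
]

def select_route(routes, dst_ip):
    """Most specific matching route; lower priority value breaks ties."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.dest)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.priority))

def firewall_decision(rules, direction, peer_ip, protocol, port, vm_tags):
    """First matching rule in priority order decides; an implied rule always matches last."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules + IMPLIED_RULES, key=lambda r: r.priority):
        if rule.direction != direction or (rule.target_tags and not rule.target_tags & vm_tags):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol not in ("all", protocol) or (rule.ports and port not in rule.ports):
            continue
        return rule.action

def forward(routes, rules, direction, peer_ip, protocol, port, vm_tags):
    """A packet is delivered only if a route to the peer exists AND the firewall allows it."""
    if select_route(routes, peer_ip) is None:
        return "dropped: no route"
    if firewall_decision(rules, direction, peer_ip, protocol, port, frozenset(vm_tags)) != "allow":
        return "dropped: firewall"
    return "delivered"
```

Deleting the default route (passing only the subnet route) reproduces the "internal-only service" case from the lecture: egress to the internet is dropped even though the implied egress rule would allow it.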
- 1.2 Designing a Virtual Private Cloud (VPC) – IP Addresses
IP addresses. On Google Cloud Platform there are two different types of addresses: the internal IP address and the external IP address. Before we get into the whole conversation about IP addresses, let me launch one instance and we'll look at the IP addresses there. I create the instance, keeping everything default. The instance is being created, and this is where you see the internal IP address as well as the external IP address. This particular internal IP address is within your subnetwork. If I take this particular zone, us-east1-b, I can map it to the 10.142 address range there.
If you look at us-east1, it has 10.142.0.0/20. This is the region's address range, right? So whenever you create an instance in this region, it will get one of these particular internal IP addresses. If I go back again to the Compute service, you have the internal IP address, a 10.x address, and the external IP address. You can connect to the external IP address from outside, but you cannot connect to the internal IP from outside. The internal IP is for communication within your network, within your VPC. If you want to talk to a network outside your VPC, or to another VPC, then you should use the external IP address. External IP addresses have multiple aspects: you can have an ephemeral or a static IP address. If I go back, let me see if I can change the network here: for the internal IP and the external IP, it can be either ephemeral or static.
I can go ahead and create a static IP address. If that static IP address is not attached to a particular instance, Google is going to charge you for holding the IP address; if it is attached to an instance, there is no charge. There are different network tiers available, and this is a new concept, still in beta right now; I will have another lecture created to explain what the network tiers are. You can create IP addresses here: if I select this one, I can reserve it, and once you reserve it you get the IP address and you can attach it to the instance. Going back to the theory: an internal IP address is allocated from the subnet range to the VM by DHCP, and the DHCP lease is renewed every 24 hours. The VM name plus its IP is registered in network-scoped DNS. A static IP stays with the VM until the VM is removed, and an ephemeral IP, attached to a VM or forwarding rule, only stays until the VM is stopped.
So if you have a static internal IP address, it stays with that VM until you completely remove the VM. An ephemeral IP, however, is dynamic in nature: if you stop the VM instance the IP goes away, and if you start the instance again a new IP is assigned to that virtual machine. In the static case, as we saw, it does not go away. External IP addresses. An ephemeral external IP is assigned from a pool; if you turn the machine off and on, you get a new IP address, and that is the ephemeral behaviour. For external IP addresses you can also have a reserved, or static, IP address: you reserve it, and you will be billed for it if it is not attached to a running VM. While it is attached to a VM there is no charge; it is only when it is not attached to a VM that they charge for it, right? The VM does not know its external IP address; it is mapped to the internal IP.
So typically, inside the VM, you will not see the external IP address. If I go back and SSH in, then run ifconfig, it shows this internal address and the localhost, right? You do not see the external address inside your VM; I do not see that particular IP anywhere in the address list. Going back to the presentation: an internal IP address must belong to the IP range of the subnet. That is everything about internal IP addresses: in an auto mode VPC the IP comes from the region's subnet, and in a custom mode VPC you must specify which subnet the IP should come from.
In a legacy network the IP address is assigned from the network's global IP range. Let's look at the custom subnet. If I say create instance and choose a different network, my custom network instead of default, then I should be able to say where that IP should come from. For the internal IP I can say ephemeral, custom or automatic; I would say automatic, then there is the IP forwarding setting, and I say done. If I have multiple subnetworks in this particular region, it will show those subnetworks and you have to choose one manually; that is what it is saying. What we have is a subnetwork in us-west1, so if I create the instance in us-west1, in any zone, I should be able to choose the network; I can choose the default VPC or the custom one.
If I have multiple subnetworks, I need to choose which subnetwork the IP address should come from. I click done and create. The IP address will come from the subnet I selected, that is, from the custom VPC and my subnet in the us-west1 region. Going back to theory: each instance has a hostname that can be resolved to an internal IP address. The hostname is the same as the instance name, and the FQDN is hostname.c.[project-id].internal. If I run sudo hostname here, that is the instance name. So the hostname is the instance name, followed by .c.[project-id].internal. Going back again.
Name resolution is handled by the internal DNS resolver provided as part of Compute Engine and configured for use by the instance via DHCP. You don't have to configure anything here; it provides answers for internal and external addresses, and you can use an alternative DNS resolver if you want. External IP addresses. An instance with an external IP address can accept connections from hosts outside the project and network. This is very important: if you have multiple networks within the project, even they have to talk via external IP addresses. Users connect directly using the external IP address. An admin can also publish a public DNS record pointing to an instance. Public DNS records are not published automatically, so you have to publish them.
A DNS record for the external IP address can be published using an external DNS server if you want, or you can use your internal DNS. The DNS zone can be hosted using Cloud DNS as a GCP service, and we are going to see that in detail in this section, in another lecture: you can create a zone and configure your domain's DNS to use it, or create, update and remove records manually via the API; those are the features of Cloud DNS. That's it for external and internal IP addresses, guys. If you have any questions on external or internal IP addresses, let me know. Otherwise, move on to the next lecture, that is, Routes and firewall rules for VPC.