Google Professional Cloud Network Engineer – Designing, Planning, and Prototyping a GCP Network Part 2
- 1.2 Designing a Virtual Private Cloud (VPC)-Other Concepts
VPC, other concepts: Shared VPC. You may need to put different departments, applications or business units into different projects for budgeting, access permissions or whatever the need may be, and that is where you use Shared VPC. The concept of Shared VPC is that you have a host project which hosts your VPC, which is the network, and that network is shared across multiple projects; those projects are called service projects. So everything is controlled by the Shared VPC in terms of networking. This particular VPC has a security admin and a network admin, which you can think of as organization-wide, and you don't need a separate security admin or network admin for the individual projects.
And this is where the Shared VPC concept comes into play. Individual project teams do not have their own network, or they may have their own network if they are managing some internal setup there, but they can use the Shared VPC network for their VM instances or other resources on the cloud. Some of the terminology for Shared VPC: the Shared VPC host project is the project that actually hosts the Shared VPC and has the network and security administrators; the Shared VPC service projects are the projects that use the networks from the Shared VPC. Typically, if you look at this particular architecture, all the resources inside a service project are billed to the service project and not to the host project. So billing still happens to the service project, even though they are using the network backbone from the Shared VPC network.
These projects are standalone projects; they could be under one organization or multiple. So the Shared VPC network is typically the backbone network for all the service projects, with IAM roles and policies. And this is where it typically differs, right? We said you can have one particular network administrator or security administrator spanning multiple projects, and that is where one administrator can manage and control the network for all the service projects. You have an organization, and in the organization you have multiple projects; that is the concept of the organization, nothing new here. You can have an organization admin controlling the access permissions of the network admins for the Shared VPC, and you can have a Shared VPC admin acting as the network admin.
The service project can also have an administrator, but ultimately the network is controlled by the Shared VPC admin and not by the service project admin. You can still go ahead and attach network permissions to the service project administrator, but they can only view the network and not modify it. So you have network admin privileges, like Compute Network Admin, and security privileges, like Compute Security Admin, and that's it as a concept for Shared VPC. If you go to the console, you can create a Shared VPC, and it says Shared VPC is only available to projects within an organization. My project is not under an organization. If I click on this particular project and open the details, you see there is no organization. If I had an organization here, which is defined from G Suite, only then could I create a Shared VPC to share the VPC between projects. VPC Peering. VPC peering is another concept, where you can have multiple VPCs connected to each other. It may be required for different networks individually managed by different projects or within the same project.
You want to connect them to each other so that the resources can talk to each other, and that is where you use VPC peering. It can be used to connect one VPC to many VPCs, subject to a quota based on the total number of VMs in the peered VPCs. This is very important, because it goes back to the quota of what you can do within one particular VPC. If you are peering two different VPCs together, it is non-transitive in nature, which means if A is peered with B and B is peered with C, you cannot expect the resources from A to be able to talk to C directly. So it is non-transitive. Security policies remain independent and can limit the communication between two VPCs. These security policies are independent, right? And this is not the same as Shared VPC. In VPC peering you have different administrators, network administrators or security administrators, independent of each other: one VPC is managed by one group of people and another VPC is managed by another group of people.
The quota limit: as we said, there is a VPC quota, like 15,500 as the total number of VMs you can create inside a VPC. Shared VPC or peered VPCs go with the same quota, which means if you are peering three different VPCs together, the total number of virtual machines inside those three VPCs together should not exceed 15,500. A network can have up to 50, sorry, 25 directly peered networks in total, so you can peer up to 25 networks together. If I go back to the console, you can go to VPC Network Peering and create one. I have this particular project, and I'm keeping the same project; I'm just creating a peering for this GCP project. This is going to take a while, so I'm just going to pause it.
So it is enabled now; VPC network peering is enabled. I'm going to go ahead and create it and continue. For VPC peering you pick your network. I don't have too many networks here; I should have two different networks, custom and default. VPC peering I can enable for one network in this project, or if I have a network in another project and I have access to it, I can choose the other project, but here it is inside the same project. The network name is custom VPC, and default is selected, so I want to connect from default to custom VPC. I'm going to create it; the connection is being created and is waiting for the peer network.
So this is a one-way creation, right? I need to go ahead and create another connection from custom VPC to the default VPC, and now the peering is going to join. This is controlled by each and every VPC, right? Because I have both networks within the same project, I don't have to log in and log out or have different permissions, but if one network is managed by one project team and another network is managed by another project team, either of them individually can go ahead and disconnect that particular network. So VPC peering is established now; the resources from the default network can talk to resources in custom VPC, provided the firewall rules are opened. That's VPC peering in a nutshell. So what is the difference between VPC peering and Shared VPC, and when do you want to use each? Use cases: if your networks are within one project, then Shared VPC is not possible, but you can do VPC peering, as we just saw. If you have multiple organizations, Shared VPC is not possible, but you can do VPC peering across multiple organizations. Then there is network management, and this is a very important aspect from the network and security standpoint. For Shared VPC you have one particular network administrator in the host project, and they manage the complete backbone of the Shared VPC. But in the case of VPC peering, the individual project teams manage and control their own VPCs.
As an example, going back: if I just delete this peering from the default network, the peering vanishes, and even though custom VPC still has its peering enabled, it will be waiting and will not be able to connect to the default network from then on. So these are individually managed connections. VPC quotas and limits we'll see in the next chapter. VPC Quotas and Limits. VPC does not support IPv6 within the network; inside the VPC it does not support IPv6, only IPv4. Unicast only; multicast is not supported within the VPC. VPC networks can have 15,500 virtual machine instances, and you cannot extend this number. There is no per-subnet limit; the limit is only at the VPC level.
So you can have one particular subnet holding all 15,500 virtual machines, or you can have multiple subnets with different numbers of virtual machines, but the total number of virtual machines should not exceed 15,000. For Shared VPC you can also look at the limitations: the number of service projects that can attach to a host project is up to 100, the number of Shared VPC host projects you can have is 100, and the number of host projects to which a service project can attach is one. Okay, and this is very important for peering: you need to look at the peering limits per instance, number of instances, et cetera, like per network, secondary IP ranges, maximum tags.
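To make the peering behaviour described above concrete, here is an added example (not course material and not Google's code) that models three of the lecture's points in plain Python: each side creates its own half of a peering and it is only active once both halves exist; peering is non-transitive; and the VM quota applies across a network and its directly peered networks. The limits used (15,500 VMs, 25 direct peers) are the figures quoted in the lecture, and the network names and VM counts are constructed; check the current quota documentation before relying on the numbers.

```python
"""Model of how VPC Network Peering behaves, following the lecture's description.

Added example, not course material and not Google's code. Limits are the
lecture's figures; the network names and VM counts below are constructed.
"""

MAX_VMS_PER_VPC = 15_500   # lecture figure: instances per VPC and per peered group
MAX_DIRECT_PEERS = 25      # lecture figure: directly peered networks per network


class PeeringModel:
    """Networks, their VM counts, and one-directional peering requests."""

    def __init__(self):
        self.vm_count = {}       # network name -> number of VM instances
        self.requests = set()    # (src, dst): src's admin created a peering towards dst

    def add_network(self, name, vm_count=0):
        if vm_count > MAX_VMS_PER_VPC:
            raise ValueError(f"{name}: {vm_count} VMs exceeds the per-VPC limit")
        self.vm_count[name] = vm_count

    def status(self, a, b):
        """ACTIVE when both halves exist, INACTIVE while waiting for the peer, else NONE."""
        if (a, b) in self.requests and (b, a) in self.requests:
            return "ACTIVE"
        if (a, b) in self.requests or (b, a) in self.requests:
            return "INACTIVE"
        return "NONE"

    def direct_peers(self, network):
        return {b for (a, b) in self.requests if a == network and self.status(a, b) == "ACTIVE"}

    def peering_group_vms(self, network, plus=()):
        """VMs in the network plus its direct peers (and any peer about to be added)."""
        group = {network} | self.direct_peers(network) | set(plus)
        return sum(self.vm_count[n] for n in group)

    def create_peering(self, src, dst):
        """Create src's half of the peering, enforcing the peer-count and VM quota."""
        if src not in self.vm_count or dst not in self.vm_count:
            raise KeyError("both networks must exist before peering them")
        if len(self.direct_peers(src)) >= MAX_DIRECT_PEERS:
            raise ValueError(f"{src} already has {MAX_DIRECT_PEERS} direct peers")
        for side, other in ((src, dst), (dst, src)):
            total = self.peering_group_vms(side, [other])
            if total > MAX_VMS_PER_VPC:
                raise ValueError(f"peering group of {side} would hold {total} VMs, above {MAX_VMS_PER_VPC}")
        self.requests.add((src, dst))
        return self.status(src, dst)

    def delete_peering(self, src, dst):
        """Either admin can remove their half; the other side drops back to INACTIVE."""
        self.requests.discard((src, dst))

    def can_reach(self, a, b):
        """Non-transitive: only networks with an ACTIVE peering between them can talk
        (still subject to each side's firewall rules, which are not modelled here)."""
        return self.status(a, b) == "ACTIVE"


def demo():
    """Walk through the lecture's console steps: default <-> custom-vpc, then a third network."""
    m = PeeringModel()
    m.add_network("default", 100)
    m.add_network("custom-vpc", 200)
    m.add_network("third", 300)
    result = {"after_first_half": m.create_peering("default", "custom-vpc")}
    result["after_second_half"] = m.create_peering("custom-vpc", "default")
    m.create_peering("custom-vpc", "third")
    m.create_peering("third", "custom-vpc")
    result["default_to_custom"] = m.can_reach("default", "custom-vpc")
    result["default_to_third"] = m.can_reach("default", "third")   # False: non-transitive
    m.delete_peering("default", "custom-vpc")                        # one admin disconnects
    result["after_one_side_deleted"] = m.status("custom-vpc", "default")
    return result


def quota_rejected():
    """Two networks whose combined VM count exceeds the lecture's 15,500 cannot be peered."""
    m = PeeringModel()
    m.add_network("a", 15_000)
    m.add_network("b", 1_000)
    try:
        m.create_peering("a", "b")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("quota rejected:", quota_rejected())
```

The `delete_peering` step reproduces what the lecture shows in the console: after the default network's admin removes their half, the custom VPC side is left waiting and traffic stops, because each VPC's administrators control their own side independently.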
All of these are additional limits which you need to make sure you understand: routers, firewall rules and forwarding rules, how many rules you can create, how many firewall rules you can create, how many routers you can create. All of that impacts your quotas and limits, and you probably want to have a look at it. Let's take a look at some of the security requirements that we have for VPC. The first one is the bastion host. Think of it this way: there are some instances which are internal to your VPC and should not be accessed from outside your VPC network.
Say you have a database or application server you want to isolate completely, or you have some back-end processing instances which are not exposed outside. What you can do is remove the external IP address from that particular VM instance, and your internal clients connect to those VM instances as and when required. You are good with that, but if you want to do maintenance, install some software, upgrade some software or troubleshoot certain things during a maintenance window, what you can do is create a bastion host.
This is another virtual machine within the network, and in that network you open the firewall to connect to that particular instance and do whatever activity you need to do. This instance has access from outside only for that particular maintenance window, and once the maintenance is done you can just delete that instance. This host is called a bastion host. It is used for a temporary purpose or a maintenance purpose, to connect to the internal virtual machines or instances at the time of maintenance. At all other times there is no access whatsoever from the outside network to these particular instances; that's how you isolate your internal servers from the outside world. The second aspect of security is when services, in fact instances, want to connect to your internal instances.
And this is from an external network. So you may have two different networks; maybe your data center or the network resources from another project want to connect to your internal instance. That's where you can use a NAT gateway. Typically, instance one does not have an external IP address, so it is not accessible from the outside world, and that is how we protect it. Instance two you configure as a NAT gateway, with IP forwarding enabled on instance two. What happens is that instance three can connect to instance two, and the traffic gets routed to instance one, and you can have firewall rules configured on instance two to only accept connections from the instances in the other network. You can think of this as the case where you want to isolate the instance but at the same time want to have system access, and then you firewall the connections to your other network.
This is how you can do a NAT gateway. We are going to see this in the demo, for the NAT gateway as well as the bastion host. We are going to get into a demo and see both in action. Guys, thank you. VPC Flow Logs. VPC Flow Logs record a sample of the network flows sent from and received by VM instances. You can think of it as the network log: whenever the network is accessed by external entities or by the system, everything is logged in VPC Flow Logs. By default it is not enabled while creating the subnet, but you can update the subnet to have flow logs created. This log is definitely large in volume, so while enabling it you need to make sure that wherever you are storing those flow logs you have a retention policy defined. These logs can be used for network monitoring, forensics, real-time security analysis and expense optimization.
Log collection: the flow logs are collected for each VM connection every 5 seconds. The data is annotated and sent to Stackdriver Logging in the data format described here. The logs are stored in Stackdriver Logging for 30 days; if you wish to keep the logs longer, you must export them to a destination, and we are going to see those flow logs shortly. Use cases: you can do network monitoring, understand network usage and optimize network traffic. And this is again very important: if your network traffic is continuously going to a region where the resources are not really near your customer, you can go ahead and increase the back-end instances in the region where there is a considerable amount of traffic. So you can have multiple use cases like that to understand or get into the details of the flow logs.
The way you enable flow logs is in the console. If I go to my network and click on edit, I should be able to see it; if I go and create a network, I can enable flow logs here. Okay, so it is part of the subnet. Let me go ahead and use an existing one. Flow logs are off; you can just go ahead and edit and switch on the flow logs. Now all the network access for the instances residing within this subnetwork will be captured in Stackdriver Logging. If I go to Stackdriver Logging, it took some time for the logs to come in. What you can do is either type subnetwork or just go to GCE subnetwork for this particular subnetwork, and you get the logs for that subnetwork. You only see this particular subnet because I just enabled it for one particular subnetwork; you can go ahead and enable it for all the other subnetworks, whichever you want. I can go to VPC network, the default network, click here, edit and enable flow logs for those subnetworks. That's how you get the flow logs. As an example, here I tried to connect from Windows NT, and you can see the details: Compute Engine, this is the timestamp, and this is the period. Likewise you can get the flow logs and do the analytics on them. If you have any questions on the flow logs, let me know; otherwise you can move to the next lecture.
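As an added example of the "forensics and real-time security analysis" use the lecture mentions (not course material and not Google's code), the script below parses flow log entries offline in the Stackdriver JSON layout (a `gce_subnetwork` resource with a `jsonPayload` holding `connection`, `reporter`, `bytes_sent` and the source/destination instance details) and does two things: it flags flows where a VM that should only be reachable through the bastion host received traffic from a non-RFC 1918 source, and it totals bytes sent to non-RFC 1918 destinations per VM, which is the billable egress class the pricing section talks about. The four log lines are constructed samples with only the fields used here filled in; the project name, VM names and addresses are assumptions.

```python
"""Offline triage of VPC Flow Logs entries exported from Stackdriver Logging.

Added example, not from the course or from Google. The sample log lines are
constructed; see the flow log record format documentation for the full schema.
"""
import ipaddress
import json
from collections import defaultdict


def _entry(subnet, reporter, src_ip, src_vm, dest_ip, dest_vm, dest_port, nbytes):
    """Build one constructed flow-log line in the Stackdriver JSON layout."""
    return json.dumps({
        "logName": "projects/example-project/logs/compute.googleapis.com%2Fvpc_flows",
        "resource": {"type": "gce_subnetwork",
                     "labels": {"subnetwork_name": subnet, "location": "us-central1",
                                "project_id": "example-project"}},
        "jsonPayload": {
            "connection": {"src_ip": src_ip, "src_port": 51000, "dest_ip": dest_ip,
                           "dest_port": dest_port, "protocol": 6},
            "reporter": reporter,
            "bytes_sent": str(nbytes), "packets_sent": "12",
            "src_instance": {"vm_name": src_vm} if src_vm else {},
            "dest_instance": {"vm_name": dest_vm} if dest_vm else {},
        },
    })


# Constructed sample set: db-1 is an internal-only server, bastion-1 is the bastion host.
SAMPLE_LOG_LINES = [
    _entry("default", "DEST", "203.0.113.7", None, "10.128.0.5", "db-1", 22, 1200),
    _entry("default", "DEST", "10.128.0.9", "bastion-1", "10.128.0.5", "db-1", 22, 3400),
    _entry("default", "SRC", "10.128.0.9", "bastion-1", "198.51.100.20", None, 443, 540000),
    _entry("default", "SRC", "10.128.0.5", "db-1", "10.128.0.9", "bastion-1", 5432, 8000),
]

_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def parse_flow(line):
    rec = json.loads(line)
    payload = rec["jsonPayload"]
    conn = payload["connection"]
    return {
        "subnet": rec["resource"]["labels"]["subnetwork_name"],
        "reporter": payload["reporter"],             # which side of the flow logged it
        "src_ip": conn["src_ip"], "dest_ip": conn["dest_ip"],
        "dest_port": int(conn["dest_port"]), "protocol": int(conn["protocol"]),
        "bytes": int(payload["bytes_sent"]),         # int64 fields arrive as strings
        "src_vm": payload.get("src_instance", {}).get("vm_name"),
        "dest_vm": payload.get("dest_instance", {}).get("vm_name"),
    }


def external_ingress(flows, internal_only_vms):
    """Flows logged by a destination VM that should only be reachable internally
    (bastion/NAT pattern) but whose source is a non-RFC 1918 address."""
    return [f for f in flows
            if f["reporter"] == "DEST" and f["dest_vm"] in internal_only_vms
            and not is_rfc1918(f["src_ip"])]


def internet_egress_bytes(flows):
    """Bytes each VM sent to non-RFC 1918 destinations, the egress class the
    pricing section says is billed."""
    totals = defaultdict(int)
    for f in flows:
        if f["reporter"] == "SRC" and not is_rfc1918(f["dest_ip"]):
            totals[f["src_vm"]] += f["bytes"]
    return dict(totals)


def analyze(lines=SAMPLE_LOG_LINES, internal_only_vms=("db-1",)):
    flows = [parse_flow(line) for line in lines]
    return {
        "flows": len(flows),
        "external_ingress": [(f["src_ip"], f["dest_vm"], f["dest_port"])
                             for f in external_ingress(flows, set(internal_only_vms))],
        "internet_egress_bytes": internet_egress_bytes(flows),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

Because flow logs are sampled, a clean result does not prove no external access happened; the check is meant to confirm that the bastion-only pattern holds in practice and to raise the cases where it does not. On exported logs, feed `analyze()` the lines of the export file instead of the constructed samples.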
Thanks. VPC Pricing. VPC is billed for egress traffic, that is, to the internet, varying from region to region, from one region to another region in the same network, or between zones within a region. So you need to make sure that you are designing the network properly. It is not billed for ingress traffic, for VM-to-VM traffic in a single zone, or for traffic to GCE services, and there may be limits applied. You should go ahead and check the pricing documentation, because this might have changed by the time you are watching this particular video.
Another thing to note is that they have come up with a Standard Tier and a Premium Tier, and very importantly you need to make sure you understand Standard Tier versus Premium Tier. Standard Tier is like the network offerings of any other public cloud, like AWS and Azure, which use the public internet most of the time to carry your traffic until it reaches your service, whereas in Google's context they have a fiber optic network and points of presence in many locations.
So they route the traffic via their own fiber optic network close to the customer, and that's the Premium Tier. When I was using it over the last two years it was all Premium Tier, as far as I can tell, but now they have created a Standard Tier as well to reduce the price incurred by the customer. That's it for VPC, guys, in a nutshell. We are going to get into the details in the demo, but if you have any questions on the theory, let me know; otherwise you can move to the next chapter. Thank you.
- 1.3 Designing a hybrid network
Cloud networking: hybrid connectivity. We are going to get into the details of the connection between your own premises and your VPC. We already saw with VPC how you can create private networking in a public cloud environment; now we are going to see how you can connect that private network with your own data center, if you have one, or your office. Hybrid connectivity, the connection from your own office to your cloud or private network, is part of the networking services, and networking services are one of the three core services available in a public cloud environment. We already saw VPC, your private networking in the cloud. Now we are going to connect the VPC with your own premises using VPN or interconnects, and we are going to get into the details of that right now.
To connect your own premises with GCP you have multiple options, and you use them based on the use case that you have. The first option, and this is just copied from the Google Cloud Platform documentation, is Google Cloud Interconnect. What is that? This is required when you want a considerable amount of data exchange between Google Cloud Platform and your own office, not your end customers but your own office or your own data center, and that's where you use Cloud Interconnect. We are going to get into the details of Interconnect shortly, but I wanted to give you a high-level overview.
The other option you have, if you do not want a dedicated connection, is Cloud VPN, and you can think of it like a traditional VPN or IPsec VPN which you use over the public internet. There is no physical connection when you use Cloud VPN; it just goes via the public internet. Why do you use it? You do not have the use case for Cloud Interconnect, a dedicated pipe from the GCP VPC to your own premises, and that's where you start with Cloud VPN. It is low cost compared to Interconnect, and it has its own benefits and disadvantages as well. That's the second service. The third one is peering.
This is not purely part of Google Cloud Platform, but you can think of peering as required when you want to connect to Google's platform, like G Suite applications; you want to access all the other Google services and take advantage of a reduced ingress fee, and that's where you use peering. You have multiple options there, Direct Peering and Carrier Peering, and we are going to see the differences between them shortly. So the first one is Cloud Interconnect. Cloud Interconnect lets you connect your own premises or data center with Google Cloud Platform. The additional advantage you get out of Cloud Interconnect is a dedicated connection to GCP directly, over which you can exchange data and also exchange network configuration: if you have a subnetwork kind of implementation in your own data center and your resources, virtual machines or physical servers, want to connect to GCP resources, or GCP wants to connect to your own servers.
That's where Cloud Interconnect will be able to help you have a dedicated connection, or interconnection, between your premises and Google Cloud Platform. High-level features: it's a low-latency, highly available service that you can use to connect your on-premises network to Google Cloud Platform. You have Dedicated and Partner connection options. You may have a location where you can connect to Google at a PoP location, but some companies do not have interconnections or a location near a Google PoP, and that's where you go with the Partner connection option. It supports RFC 1918.
What does this mean? It means you can have network exchange between your on-premises network and the cloud, and all of these resources can talk to each other. You can create IP space, IP ranges, the same way we have seen in VPC, and in the same way you can have the network connections between your on-premises network or office and your GCP VPC; it is a direct or private pipe, just like from your data center to Google Cloud premises. Another option we have is Direct or Partner Peering, and why do you use it? This is not a case where you want to exchange network routes between on-premises and Google Cloud Platform.
Everything is there in Google, and you just want to bring down your egress fees and have a high-speed connection; that's where you use Direct Peering. You are not exchanging any network information with Google Cloud Platform using the peering option. As for features, you can have a direct connection with Google, or with a partner wherever a direct connection is not available to you; you can have a VPN which you configure, or go directly over the public internet, and you want to reduce the cost of egress fees, and that's where you use Direct Peering. The third option we have is Cloud VPN, and this VPN you can think of as a traditional VPN. Why do you use it? It has an SLA of 99.9% service availability.
You can have site-to-site connections, and you can create multiple connections to the cloud or GCP environment from your own data centers or offices. It supports Cloud Router, and we are going to get into the details of what that is and what it means to us. As for Cloud Router: if you want to exchange network information from your own premises with GCP, because that's how GCP resources can discover your resources on premises, Cloud Router can be used. You can have encrypted, secure traffic using Cloud VPN, and that's where you use Cloud VPN. In total, what we are going to look at is Cloud Interconnect, Direct and Carrier Peering, Cloud VPN and Cloud Router. Cloud Router is just an additional service which you need to use to announce network changes, if there are any, and we are going to get into the details.
This is a high-level decision tree, and based on this decision tree you want to use one particular service or the other to connect your on-premises office or data center to Google Cloud Platform. At a very high level: do you need direct access to your private computing resources on GCP? If the answer is no, you go to the peering options. This is where you are just accessing Google Cloud from on premises, not your cloud resources accessing your on-premises data, and that is where it differs. Do you need to connect to your G Suite? Yes.
Can you meet the peering requirements? If you are present at Google's locations, you can do Direct Peering. If you are not there, there are partners out there who can get you connected to Google with their own connections, and that's where you use Carrier Peering. On the other side, where you want to exchange data between your on premises and Google Cloud Platform with interconnections or networking setup, that's where you take this route. Do you need to extend your data center to the cloud?
Yes, that's the requirement. Do you encrypt the sensitive information at the application level? If you encrypt the sensitive information at the application level, you can just go ahead with Interconnect, because Interconnect does not provide encryption for that particular pipe. If you need encryption because your application does not do it, you should go for Cloud VPN. Okay? So if your application is encrypting it, or you do not need any encryption for your data, you can take the Interconnect route. Can you meet Google at one of our PoP locations? If you are there in the PoP location, that's where you choose this route; otherwise you go ahead and talk to an Interconnect partner and get connected to Google.
Is your need 10 Gbps or more? That is where you have direct connections, because if it is less than 10 Gbps, Google recommends going with a partner because it's cheaper. Not going into too much detail here, but the high-level thought is: if you need an SLA, that's where you choose Dedicated Interconnect and VPN. If you are least bothered about an SLA, you choose Direct Peering or Carrier Peering. Also, more importantly, if you want to exchange network routes from your own data center with Google, or you want direct connectivity between your own data center and Google Cloud Platform, that's where you choose Dedicated Interconnect or Cloud VPN.
If you do not need your on-premises resources talking to Google Cloud Platform, that's where you choose Direct Peering and Carrier Peering. If you are just accessing G Suite applications or the collaboration platform and you want to reduce egress, you just go ahead and use Direct Peering or Carrier Peering based on where you are located. Okay, that's it in a nutshell. We are going to get into the details of Cloud VPN in the next lecture. Thank you. Where you can actually go and explore the hybrid connectivity options: go to the console, go inside Networking, and you have Hybrid Connectivity, where you see three options: VPN and Interconnect are the connection options, and Cloud Router is just exposing or announcing your network changes. If I go here, you will not be able to see the Peering option, because Peering is supported as part of the G Suite connection and not as part of the Google Cloud Platform connection. So you can go here and create a VPN connection.
If you want a VPN connection, you can go here; you can create Interconnect connections if you have a data center; and you can have a Cloud Router created out of this one, which we are going to see in the demo for VPN. I will not be able to show the demo for Interconnect because I do not have a data center to connect to, but I can show you the demo from one region to another region on Google Cloud Platform, and then we'll add Cloud Router as well to announce the network changes; we are going to see that in the demo. So this is all about hybrid connectivity, guys. If you have any questions, you can wait for the theory on the individual services or you can ask me in the Q&A. Thank you.
- 1.3 Designing a hybrid network-VPN
Cloud VPN. You can think of this as the VPN service we traditionally know, based on IPsec. Typically you want to connect your on-premises data center or your office with Google Cloud Platform, and this goes via the internet channel, the public internet; you connect to GCP using a VPN gateway, the Cloud VPN gateway, and we are going to see that shortly. It is used for your on-premises VPN to connect to the Google Cloud Platform VPN, and we are talking about this particular VPN; we are not talking about the on-premises VPN. You may have a hardware device or a software device on premises, but we are talking about Cloud VPN in the cloud for GCP. Some of the features of Cloud VPN: you can securely connect your on-premises network to your GCP VPC through an IPsec VPN; you get high throughput via the IPsec communication tunnels or channels, and if you need more throughput you can just add tunnels, and that's it.
It is scalable for your data. It supports both IKEv1 and IKEv2, and it can even run over Google Cloud Interconnect for encryption; we are going to see that shortly. ECMP over multiple VPN tunnels achieves greater overall throughput. Traffic is encrypted by the VPN by default. It supports static and dynamic routing via Cloud Router. It supports high throughput, is secure and reliable, and it is a managed service: you don't need to manage anything on the Google Cloud Platform side, it is managed by Google. The SLA is 99.9% monthly service availability.
You pay for individual tunnels, and if you add more and more tunnels you pay multiples of that. VPN utilizes edge locations across the globe, so your data gets routed to the nearest edge location you have. Cloud VPN uses ESP in tunnel mode with authentication, so Cloud VPN does not support AH or ESP in transport mode; this is just a note. So how does everything work? You have a VPN connection in your own data center or office, and you have different departments like marketing and legal, and you want to connect to Google Cloud Platform where your VPC is spread across two different regions.
VPC in a nutshell is global in nature, but you have subnetworks in region one as well as region two. You want to connect your data center VPN to the cloud, and that's where you have different VPN gateways per region, one per region. So if you are connecting to region one, you'll have one VPN connection, and if you want to support region two you may need another VPN connection. You will need public IP addresses on both sides of the connection. It can be either global or regional, it can support up to 3 Gbps of data per individual tunnel, and it scales horizontally with multiple tunnels. In the demo we are actually going to connect one region to the other with a VPN connection, because I do not have on-premises or data center resources that I can connect to these GCP services. Where I work, I cannot demonstrate data going from their data center, the company I work for, to Google Cloud Platform, as it is not allowed.
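The Cloud VPN properties listed above (IKEv1 or IKEv2, ESP in tunnel mode with authentication and no AH or transport mode, public IPs on both ends, one gateway per region, roughly 3 Gbps per tunnel scaled with ECMP across more tunnels) are the kind of thing you want to check a design against before you build it. As an added example (not course material and not Google's code), the script below encodes those lecture rules as a validator and runs a weak design and its corrected form through it. The design dictionary layout, the address check and both sample designs are my own assumptions.

```python
"""Checks a proposed Cloud VPN design against the properties the lecture lists.

Added example, not course material and not Google's code. The design layout,
address checks and sample designs are constructed assumptions.
"""
import ipaddress
import math

GBPS_PER_TUNNEL = 3.0                 # lecture figure per tunnel
SUPPORTED_IKE = {"IKEv1", "IKEv2"}
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_ip(ip):
    """Public for our purposes: a valid address outside RFC 1918, loopback and link-local.
    (Documentation ranges such as 203.0.113.0/24 pass, which is what the samples use.)"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_link_local or any(addr in n for n in _RFC1918))


def tunnels_needed(required_gbps):
    """Cloud VPN scales horizontally: ECMP across enough tunnels for the required throughput."""
    return max(1, math.ceil(required_gbps / GBPS_PER_TUNNEL))


def validate_design(design):
    """Return the list of problems found; an empty list means the design passes."""
    problems = []
    if design.get("ike_version") not in SUPPORTED_IKE:
        problems.append(f"IKE version {design.get('ike_version')!r} unsupported; use IKEv1 or IKEv2")
    if design.get("ipsec_protocol") != "ESP" or design.get("ipsec_mode") != "tunnel":
        problems.append("Cloud VPN supports only ESP in tunnel mode (no AH, no transport mode)")
    if not design.get("esp_authentication"):
        problems.append("ESP must be used with authentication")
    for key in ("cloud_gateway_ip", "onprem_gateway_ip"):
        if not is_public_ip(design.get(key, "")):
            problems.append(f"{key} must be a public IP address, got {design.get(key)!r}")
    needed = tunnels_needed(design.get("required_gbps", 0))
    if design.get("tunnels", 0) < needed:
        problems.append(f"{design.get('tunnels', 0)} tunnel(s) configured, {needed} needed for "
                        f"{design.get('required_gbps', 0)} Gbps at {GBPS_PER_TUNNEL} Gbps each")
    missing = set(design.get("regions_to_reach", [])) - set(design.get("gateway_regions", []))
    if missing:
        problems.append(f"no VPN gateway for region(s) {sorted(missing)}; one gateway per region")
    return problems


# Constructed designs: a weak one and its corrected form.
WEAK_DESIGN = {
    "ike_version": "IKEv2",
    "ipsec_protocol": "ESP", "ipsec_mode": "transport",   # transport mode is not supported
    "esp_authentication": False,
    "cloud_gateway_ip": "203.0.113.10",
    "onprem_gateway_ip": "192.168.1.1",                    # private address on the on-prem side
    "required_gbps": 5, "tunnels": 1,                      # one tunnel cannot carry 5 Gbps
    "regions_to_reach": ["us-central1", "europe-west1"],
    "gateway_regions": ["us-central1"],                    # no gateway for europe-west1
}

CORRECTED_DESIGN = {
    **WEAK_DESIGN,
    "ipsec_mode": "tunnel",
    "esp_authentication": True,
    "onprem_gateway_ip": "198.51.100.2",
    "tunnels": 2,
    "gateway_regions": ["us-central1", "europe-west1"],
}


if __name__ == "__main__":
    for name, design in (("weak", WEAK_DESIGN), ("corrected", CORRECTED_DESIGN)):
        print(name, validate_design(design) or "OK")
```

The validator reports every problem rather than stopping at the first, so a review of a design gets the whole list at once; the per-tunnel figure is a constant at the top so it can be updated if the documented throughput changes.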
So I need to showcase the demo where we connect region one to region two with VPN, and on top of it we'll add Cloud Router so that you see the exchange of network routes in both places. That's it for Cloud VPN. We are going to get into the demo in the next chapter, but let me just show you where you can go and see it. You go to Networking and then, not Network Services but Hybrid Connectivity, and that's where you see VPN, Cloud Interconnect and Cloud Routers.
If I go here, I can just create a VPN connection, and I can specify where I want to connect it: which network I want to connect, say custom VPC, and which region I want to connect to for that particular VPC, and you can create it. We are going to have a demo for this one, but this is where you go to create VPN connectivity. That's it for VPN. Guys, if you have any questions on the theory, let me know; otherwise you can move to the next lecture, which is the demo for VPN. Thanks.