Google Professional Cloud Network Engineer – Implementing a GCP Virtual Private Cloud (VPC)
- 2.1 Configuring VPCs
Implementing a GCP VPC. Let’s go ahead and get into GCP VPC. We will just reiterate some of the concepts which we already saw in an earlier section. We are going to focus on VPC configuration, subnetworks, firewalls and routes in this particular lecture. So the overall objectives here for implementing a VPC are: configure a VPC and its components, VPC sharing, VPC peering, etc. All in demo. Configuring routes, again in demo. Kubernetes networking, again in demo. Maintaining firewall rules, again in demo. So all of this is a kind of demo here. Let’s go ahead and get into it.
- VPC Configure
Let’s go ahead and configure a VPC here as part of this demo. If you look at the syllabus, what we need to cover is: the first one is configure GCP VPC resources, CIDR range, subnets, firewall rules, etc. Okay, let’s go ahead and get into it. So we’ll start with VPC resources: we’ll configure a VPC, we’ll add subnets, firewalls, all of that, so let’s go ahead and get started. So I want to log into the console. To do that, let me switch my account. I can go here into the section Network and I can go to VPC networks, and you can find I have created one custom VPC out of one of the demos. But let me just go ahead and delete those networks; I have the default network already there. So let me go ahead and create the network. This time, however, I’m going to create two different networks. One is the auto network and the second one is the custom network.
So I would want to name it as Auto Network. So if you look at this one, you will have the subnetworks created for all your zones, which you can use, and the firewall rules already created by default. It says it’s a regional network. So for the routing mode I can actually get into global routing; routing mode, DNS policy, no policy, I’ll just go ahead and create one. So this is Auto Network. Let me go ahead and create the custom VPC network. This time I want to create a USA West subnet, so I want to select US West. Here you need to give the IP ranges, so let me give 10.1; it says invalid IP range, so 10.10. Private Google access off, let me switch it on; flow logs, and this is one of the points: how you can enable the logs, flow logs, for the network. Here you can go and enable the flow logs, and it says turning on VPC flow logs doesn’t affect performance, but the system generates large logs, and this is for each and every request: throughout its travel you will get the logs for it.
So I can just say add another one, and I can say subnet USA East, and I just want to select the US East region; Private Google access on, flow logs on. If you want to have secondary IP ranges you can create that. I’m not going to do it. What is the problem? Okay, subnet range: so the only one that I have is 100. I’ll just go ahead and copy this and put it here, just the eleven. Done. So two subnetworks inside my custom VPC, and I’m enabling global routing. So Auto Network is created. If you look at Auto Network, all the subnets are created by default for each and every zone that you have, each and every region that you have. But when you create a custom VPC, it will create only the subnetworks which you have created or which you have asked for.
Okay, so that is the difference between auto and custom subnetworks.
If you go to firewall rules, you can find all these firewall rules already there, and they are attached to the networks. Okay, click on it and you can find, for the firewall rules of the auto mode network, there are no firewall rules which are attached. I’m just going to add it. Just want you to attach existing firewall rules. Add firewall rule: I want to give, say, firewall-http. Do you want to enable the firewall logs? On; I can switch it on here. Network: which network you want to create the firewall rule for, auto network. You can define priority, and this priority defines which firewall rule is to be applied and in which order if there are multiple firewall rules applicable at the same time. It says traffic egress or ingress; I’m saying ingress. Allow: this firewall rule is allow. The target is specified target tags, specified service account, or all instances in the network. I’m just going to go with all instances in the network. IP ranges: if you want to give specific IP ranges or apply to a specific subnetwork, you can do that; I’m just not going to filter it now. Second source filter, if at all you want to apply it. Protocol that you want to open: specify protocol, TCP 80, 8080, enable. So if it says allow all, then it will allow just all the traffic to this particular network, which is a bad idea to do. But for auto network I’m just going to say allow all and create. Source IP is: I want to allow it from the globe to all my network.
So this is going to create, or allow, all my internal virtual machines to take any traffic from the outside world, and it is all protocols. If I go to Custom, I can create different firewall rules here: add firewall rule, I can say custom-http, and what I want to do here is for all egress traffic; I want to just enable egress traffic, which is going out of the network, and that is because these VMs are accessing specific http links. Destination IP: to all. And I want to enable http web incoming, all instances but in a specific subnetwork; the subnetwork which I want to do is, assuming my web servers are in the west zone. Okay? I don’t have any other tag. I can actually tag it to a service account. Or you can create a tag, network tags, which you can apply. You can put forward the port. Create.
So if you look at the routes, routes are already created: default to the Internet gateway so that all the VMs can access the Internet. And the routes are created for each and every subnetwork that is created out of VPC creation. VPC peering: there is no VPC peering currently. There is no private service connection. There are no internal static addresses. That’s all guys, we have covered VPC creation, subnetworks and firewall rules. We will get into more details about VPC peering in the next lecture. Thanks.
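As an added example that is not part of the lecture's console demo, here is the same custom-mode VPC expressed in Terraform with the Google provider: two subnets with Private Google Access and flow logs, global routing, and an HTTP ingress rule with firewall logging that targets only tagged instances instead of the allow-all rule shown on the auto network. The network and subnet names, the CIDR ranges (10.10.0.0/24, 10.11.0.0/24) and the `web` tag are assumed values.

```hcl
# Added example: custom-mode VPC with two subnets, flow logs and a scoped
# ingress rule. Network names, CIDRs and the "web" tag are assumed values.
resource "google_compute_network" "custom" {
  name                    = "custom-network"
  auto_create_subnetworks = false    # custom mode: only the subnets we define
  routing_mode            = "GLOBAL" # the lecture enables global routing
}

locals {
  # Constructed ranges; the auto-mode network uses 10.128.0.0/9, so these
  # must not overlap with it if the two networks are peered later.
  subnets = {
    "subnet-usa-west" = { region = "us-west1", cidr = "10.10.0.0/24" }
    "subnet-usa-east" = { region = "us-east1", cidr = "10.11.0.0/24" }
  }
}

resource "google_compute_subnetwork" "custom" {
  for_each                 = local.subnets
  name                     = each.key
  region                   = each.value.region
  ip_cidr_range            = each.value.cidr
  network                  = google_compute_network.custom.id
  private_ip_google_access = true # reach Google APIs without external IPs
  # VPC Flow Logs: sampled per-connection records for audit and detection
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Ingress HTTP only to instances tagged "web" instead of every instance in
# the network; firewall rules logging is enabled as in the demo.
resource "google_compute_firewall" "web_ingress" {
  name          = "custom-http"
  network       = google_compute_network.custom.name
  direction     = "INGRESS"
  priority      = 1000          # lower number wins when rules overlap
  source_ranges = ["0.0.0.0/0"] # public web tier; narrow where possible
  target_tags   = ["web"]
  allow {
    protocol = "tcp"
    ports    = ["80", "8080"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```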
- VPC Peering
Let’s go ahead and configure the VPC peering between the projects. So I have two networks, Auto Network and Custom Network. Let me go ahead and do a peering. So I want to do network peering with Auto and the Custom: add peering, so within project. So auto network, peer VPC within this particular project. Yes. I have another one which is the custom VPC. I can go ahead and create that. So this peering is getting created. I can go ahead and add another connection within the project, too.
So from Custom now, this time the other way around, to Auto Network, and create. So this is waiting for the peer network to connect, and once the peering is established, you will see peering is enabled. I’ll pause the video. Now it is created. I think it took around two minutes to get it connected. So the peering is established now. Now the VMs from this particular Custom VPC can talk to Auto Network, provided that your firewall rules are opened to do the peering. So this is how you can actually do the peering. If you have any questions on VPC peering, let me know. Otherwise you can move to the next lecture. Thanks.
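The two-sided peering from this lecture as an added Terraform example (not the lecture's own demo steps): the peering only becomes ACTIVE once both halves exist, and because peering exchanges routes but not firewall rules, the custom network still needs an ingress rule that admits the auto network's address space. Network names and the allowed ports are assumed; 10.128.0.0/9 is the documented aggregate range of auto-mode subnets.

```hcl
# Added example: bidirectional peering between an auto-mode and a
# custom-mode network, plus the firewall rule peering does not provide.
resource "google_compute_network" "auto" {
  name                    = "auto-network"
  auto_create_subnetworks = true # one subnet per region out of 10.128.0.0/9
}

resource "google_compute_network" "custom" {
  name                    = "custom-network"
  auto_create_subnetworks = false
}

resource "google_compute_network_peering" "auto_to_custom" {
  name         = "auto-to-custom"
  network      = google_compute_network.auto.self_link
  peer_network = google_compute_network.custom.self_link
}

resource "google_compute_network_peering" "custom_to_auto" {
  name         = "custom-to-auto"
  network      = google_compute_network.custom.self_link
  peer_network = google_compute_network.auto.self_link
  # Peering operations on one network must not run concurrently, so the
  # second half waits for the first; the state stays INACTIVE until both exist.
  depends_on = [google_compute_network_peering.auto_to_custom]
}

# Peering exchanges subnet routes only. Admit the peer's ranges explicitly
# rather than opening the custom network to 0.0.0.0/0.
resource "google_compute_firewall" "from_auto_peer" {
  name          = "custom-allow-from-auto-peer"
  network       = google_compute_network.custom.name
  direction     = "INGRESS"
  source_ranges = ["10.128.0.0/9"] # auto-mode aggregate range (constructed scope)
  allow {
    protocol = "tcp"
    ports    = ["22", "80"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```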
- Configuring VPC – Shared VPC
Let’s go ahead and set up Shared VPC. In this section we are going to go ahead and set up this shared VPC. But to have this enabled, you will need to do some pre-tasks. And the pre-tasks are: first thing first, you will need to have a G Suite domain. To have this particular G Suite you will have a 14-day trial which you can subscribe to, the way you can. So you just can; I’m just logged in now. But you can actually go for the trial: G Suite Google, and then you will get to the link and you can subscribe for it. Once you log in and create the G Suite, you will have an organization created. So this is your admin page. You can create, you can manage devices, billing, company profile and all that. But let me go here and show you what it is that I have. I just have the company name Systec Inc; info at gcptrain is my domain, gcptrain page. This is the free domain which I got from Google itself.
While registering, you’ll get to know how to get the free domain. But this is what I have, and everything is, as you can think of, at the default. I have not done anything beyond what I have here. Next thing is you need to log in, or get into the console, with the same user ID and password. If you look at the user ID and password, info at GCP train page, and then you can actually go ahead and create multiple projects there. But you should go here into organization, so that’s how you’ll be able to see the organization. This will take some time. So whenever you are creating G Suite, you will need to wait for at least 1 hour. I think I was waiting for 1 hour. I did not actually try in between. But you can even get it faster.
So yeah, you need to wait for some moment or some time to get this reflected. What you need to do is you will need to delegate the permissions to some user. Okay, so that’s what I have done. I have this particular user which I’m using for my trainings. So I have given Shared VPC. The way you can do it is you can just add, and as an example you can go ahead and give Shared VPC, Shared VPC Admin, but at the same time you will need to give the Network Admin as well. That’s what I did. Okay, but we’ll talk about that. So here you need to give Shared VPC Admin. Okay, so I have given it for this particular user, and Folder Admin as well for this user.
Then I logged in with that user and I can see the host project. Okay, I can go here and now I can set up Shared VPC. So I’m just enabling Shared VPC. Now it is asking me whether you want to share all the subnets or individual subnets. So what I can actually go ahead and do is, because I’m in US West, I can just select US West and US Central, only these two VPCs, with the service projects. So you have that understanding, right? There is a host project which hosts the shared VPC, and there are service projects which can access or utilize that particular network. So I’m sharing this particular default: US Central and US West.
And I can just continue. I have already created the placeholders, like service project and service project two. I am just giving these two projects that network access and what they can actually do: compute instance admin, network admin, owners and editors, all of that. Those permissions I’m giving. If at all Kubernetes access is required, I can just go ahead and enable Kubernetes, and I can say save. So it says for Kubernetes Engine enabled, the host project should have Kubernetes access. Let me go ahead and disable it for now; I’ll show that in the network exam, because in that case I need to go to IAM and I need to add here another role, and I should say Kubernetes Engine Admin; then only I will be able to do that side. But anyway, I’m not doing it right now.
So now Shared VPC is there. Okay, which other project can go ahead and use it? Let me go here and I can go to the service project, and in Network, VPC. So it is taking some time to get it ready. I’ll pause the video. Project host resource was not found. Resource was not found. Okay, let me just go ahead and share it with only one project and see if it can do. I think I have some problem with project two, but I will check that. In the service project, you have already attached that and you are already available. So I can go here in my service project, and in my account, and go to VPC network shared to my project. So this is where you can actually see it. So the project ID who has shared is 234-413-4413, and you can see the shared network here. Okay, I can go ahead and manage that. I can say detach and I can attach, and while attaching, I can say now individual subnets, and I can select these two and save. So only those two subnets should be available in the shared.
So let’s go ahead and create some virtual machines there: Compute Engine, create, and I should be able to select the shared network. So I can either say in this project, or I can say network shared with me from the host project. Now, if you go here, the default network was shared and there are multiple options here. So if I go back and say 10.142.0.0/20, and this is for US East 1 in zone 1. And so I was able to select the subnetwork which is from the other location, and I was able to create it. So in a nutshell, what we have done is we have created a G Suite account. Then we have given the permissions to this particular user, this user, to create shared VPC and manage shared VPC; you can think of this particular user as now the network administrator for your shared VPC. And then we shared the VPC with other projects. I tried to share it with two projects, but I think it was giving us some errors on project two. I think project two has got some problems in it. But yes, we were able to share that particular network with the other service projects.
So if I look at, if I go back, we have created the instance, and that instance is created in the service project using the shared VPC. That’s all guys on shared VPC. If you have any questions on shared VPC, let me know. I’m going to put forward a list of items which you need to do, like getting the admin console, providing the permissions, or giving the permissions for the user to create the shared VPC, and then managing the shared VPC in the UI itself. If you have any questions on this one, let me know. Otherwise you can move to the next lecture. Thank you.
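The Shared VPC setup from this lecture, written up as an added Terraform example rather than the console clicks shown: the organization-level Shared VPC Admin grant from the pre-tasks, enabling the host project, attaching one service project, and sharing only the us-west1 and us-central1 subnets of `default` by granting `roles/compute.networkUser` per subnetwork. The organization ID, project IDs, project number and the admin user are placeholders, not values from the lecture.

```hcl
# Added example: Shared VPC host/service wiring with subnet-level sharing.
# All IDs below are placeholders to be replaced with real values.
variable "org_id"                 { default = "ORG_ID_PLACEHOLDER" }
variable "host_project_id"        { default = "host-project-placeholder" }
variable "service_project_id"     { default = "service-project-placeholder" }
variable "service_project_number" { default = "000000000000" }

# Pre-task from the lecture: the delegated user needs Shared VPC Admin
# (roles/compute.xpnAdmin) at the organization node. Network Admin on the
# host project is granted separately and is not shown here.
resource "google_organization_iam_member" "xpn_admin" {
  org_id = var.org_id
  role   = "roles/compute.xpnAdmin"
  member = "user:shared-vpc-admin@example.com" # placeholder principal
}

resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project_id
}

resource "google_compute_shared_vpc_service_project" "svc" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project_id
}

# Share individual subnets, not the whole network: networkUser is granted
# per subnetwork to the service project's Google APIs service account,
# which creates VM network interfaces on the project's behalf.
resource "google_compute_subnetwork_iam_member" "svc_network_user" {
  for_each   = toset(["us-west1", "us-central1"])
  project    = var.host_project_id
  region     = each.key
  subnetwork = "default"
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:${var.service_project_number}@cloudservices.gserviceaccount.com"
}
```

Users or service accounts that create VMs in the service project also need `roles/compute.networkUser` on the same subnets; subnets not granted this way stay invisible to the service project, which is the effect the lecture gets by choosing individual subnets.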