5. Networking Services (II) Flashcards

1
Q

VPC Peering

A

For two separate VPCs to communicate, traffic would otherwise have to leave Google's network and cross the public internet. To connect them privately, use the VPC Network Peering service.

  • reduces latency (traffic stays on Google's backbone)
  • improves network security (no external IPs or internet exposure needed for VPC-to-VPC traffic)
  • reduces network cost compared with routing between external IPs
2
Q

VPC Peering: independence

A

Each VPC keeps its own firewall rules, routes and administration; peering does not merge them.

Peering must be configured from both sides: each VPC creates its own peering to the other, and the connection only becomes active once both halves exist.

3
Q

VPC Peering: Rules

A
  • CIDR ranges cannot overlap: no subnet IP range in one network may overlap a subnet range in the other, otherwise the peering is refused
  • Transitive peering is not supported: if A is peered with B and C is peered with B, A cannot communicate with C unless A and C set up a direct peering between themselves
  • Internal DNS is not shared across a peering either: Compute Engine internal DNS names of one VPC do not resolve from the peered VPC (so not from A to B, and certainly not from A to C)
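The three rules above are exactly what a pre-flight check before creating a peering has to cover. The following Python is an added example written for this card (it is not Google's code and does not call any Google API): the VPC names, subnet ranges and peering configurations are a constructed inventory, and "active" is modelled the way the previous card describes it, as a peering that both sides have configured.

```python
import ipaddress
from itertools import product

# Constructed inventory of three VPCs and their subnet ranges (hypothetical names, not real projects).
VPCS = {
    "vpc-a": ["10.0.0.0/20", "10.0.16.0/20"],
    "vpc-b": ["10.1.0.0/20"],
    "vpc-c": ["10.0.8.0/22"],   # overlaps vpc-a's 10.0.0.0/20 on purpose
}

# Each VPC creates its own side of a peering; the set holds those one-sided configs as (from, to).
PEERING_CONFIGS = {
    ("vpc-a", "vpc-b"), ("vpc-b", "vpc-a"),   # a <-> b configured on both sides
    ("vpc-b", "vpc-c"), ("vpc-c", "vpc-b"),   # b <-> c configured on both sides
}


def overlapping_ranges(vpc1, vpc2, vpcs=VPCS):
    """Return every (range in vpc1, range in vpc2) pair that overlaps.
    A non-empty result means the peering would be refused."""
    nets1 = [ipaddress.ip_network(r) for r in vpcs[vpc1]]
    nets2 = [ipaddress.ip_network(r) for r in vpcs[vpc2]]
    return [(str(n1), str(n2)) for n1, n2 in product(nets1, nets2) if n1.overlaps(n2)]


def active_peerings(configs=PEERING_CONFIGS):
    """A peering is active only when both VPCs created their half; returns unordered pairs."""
    return {tuple(sorted(p)) for p in configs if (p[1], p[0]) in configs}


def can_reach(src, dst, configs=PEERING_CONFIGS):
    """Peering is not transitive: src reaches dst only over a direct active peering."""
    return tuple(sorted((src, dst))) in active_peerings(configs)


def transitive_only(src, dst, configs=PEERING_CONFIGS):
    """True when src and dst are joined only through a third VPC, the case that gives
    no connectivity (and no internal DNS) between them."""
    if can_reach(src, dst, configs):
        return False
    active = active_peerings(configs)

    def neighbours(v):
        return {b if a == v else a for a, b in active if v in (a, b)}

    return bool(neighbours(src) & neighbours(dst))


if __name__ == "__main__":
    print("a<->b active:", can_reach("vpc-a", "vpc-b"))          # True
    print("a<->c reachable:", can_reach("vpc-a", "vpc-c"))       # False: only via b
    print("a<->c transitive only:", transitive_only("vpc-a", "vpc-c"))
    print("a/c overlap:", overlapping_ranges("vpc-a", "vpc-c"))  # would be refused anyway
```

Run the overlap check against every existing peer of both networks, not just the two being joined, because a new subnet range added later to either side has to stay disjoint from all of them.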
4
Q

VPC Peering: Setup demo

A

Same as the earlier large demo, but with two separate projects and only one subnet per project.

  1. Once the networks are created, go to VPC network –> VPC network peering
  2. Create a new connection there, giving the project ID of the 2nd VPC and its VPC network name; repeat the same from the 2nd project pointing back at the 1st, since the peering only becomes active when both sides exist
5
Q

Shared VPC: concepts

A

A Shared VPC network lives in a Host Project; several other projects in the organisation are attached to it and use its subnets.

Each Host Project can have several Service Projects, but each Service Project can be attached to only one Host Project.

Projects that are neither host nor service projects are called standalone projects.

A shared network is created so that the attached projects share one set of network resources (subnets, routes, firewall rules) that is administered centrally in the host project.

Note: external IP addresses within a host project are only available for use to the projects attached to this Host Project.
Note: Service Projects communicate with one another over internal IP addresses in the shared subnets, without leaving the VPC.

6
Q

Permissions within a Shared VPC

A

Shared VPC Admin – like an owner of the shared network: enables the host project, attaches service projects and grants the service project admins their network permissions

Service Project Admin (granted the Compute Network User role):
- Project-level permissions – allowed to use all the subnets of the host project's shared networks
- Subnet-level permissions – only allowed to use specific subnets (a subnet is regional) of a network; the least-privilege option

7
Q

VPC Flow Logs (definition)

A

Records a sample of the network flows sent from and received by VM instances in a VPC (VM to VM, VM to internet and back). Enabled per subnet.

8
Q

VPC Flow Logs: exporting

A

Logs are written to Cloud Logging, where the default retention is 30 days.

If they need to be stored for longer, export them with a log sink to a Cloud Storage bucket (BigQuery and Pub/Sub are the other sink destinations).

9
Q

VPC Flow Logs: number of packets

A

Roughly 1 of every 10 packets is sampled by Google; this primary sampling rate cannot be modified. A secondary sampling rate (0.0 to 1.0, set when flow logs are enabled on the subnet) then decides what fraction of the sampled flows is actually written to Cloud Logging.

To compensate for the packets that were not sampled, the byte and packet counts in the logs are interpolated from the captured packets.

10
Q

VPC Flow Logs: use cases

A
  1. Network monitoring
  2. Analysing network usage: traffic per country/region, cost attribution
  3. Network forensics: reconstructing which hosts talked to which when an incident occurs
  4. Real-time security analysis: stream the logs through Pub/Sub and integrate with a SIEM (Splunk, Rapid7, LogRhythm)
11
Q

VPC Flow Logs: record format (the way in which the logs are saved)

A
  • Core fields: Base (connection, start/end time, bytes sent, packets sent, reporter…) + IP details inside the connection (src IP, src port, dest IP, dest port, protocol)
  • Additional fields: Metadata (src instance, src VPC, dest instance…) + instance details, geo details, GKE details, etc.
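The forensics and SIEM use cases from the previous card come down to reading these fields. The following Python is an added example written for these two cards, not code from Google or from the course: the log lines are constructed in the jsonPayload layout described above (connection 5-tuple, bytes, reporter, instance metadata), using RFC 5737 documentation addresses rather than real traffic. It runs two detections a practitioner would actually write: an external source touching many ports on one VM, and per-VM egress to the internet.

```python
import json
import ipaddress
from collections import defaultdict

# RFC 1918 ranges count as "inside the VPC" here; anything else is treated as the internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def _record(src_ip, src_port, dest_ip, dest_port, bytes_sent, reporter, src_vm=None, dest_vm=None):
    """Build one jsonPayload in the VPC Flow Logs record layout (core fields + instance metadata)."""
    rec = {
        "connection": {"src_ip": src_ip, "src_port": src_port,
                       "dest_ip": dest_ip, "dest_port": dest_port, "protocol": 6},
        "start_time": "2024-01-01T10:00:00.000Z", "end_time": "2024-01-01T10:00:05.000Z",
        "bytes_sent": bytes_sent, "packets_sent": max(1, bytes_sent // 1400),
        "reporter": reporter,                      # "SRC" or "DEST": which side's VM reported the flow
    }
    if src_vm:
        rec["src_instance"] = {"vm_name": src_vm, "zone": "europe-west1-b"}
    if dest_vm:
        rec["dest_instance"] = {"vm_name": dest_vm, "zone": "europe-west1-b"}
    return json.dumps(rec)


# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG_LINES = (
    # one external host probing six different ports on web-1
    [_record("203.0.113.7", 40000 + i, "10.0.0.5", port, 60, "DEST", dest_vm="web-1")
     for i, port in enumerate((22, 23, 80, 443, 3389, 8080))]
    + [
        _record("198.51.100.9", 52000, "10.0.0.5", 443, 48_000, "DEST", dest_vm="web-1"),  # normal client
        _record("10.0.0.5", 443, "198.51.100.9", 52000, 1_200, "SRC", src_vm="web-1"),      # its reply
        _record("10.0.0.6", 55123, "203.0.113.50", 443, 5_000_000, "SRC", src_vm="db-1"),  # big egress from a DB host
        _record("10.0.0.6", 55124, "10.0.0.5", 5432, 800, "SRC", src_vm="db-1", dest_vm="web-1"),  # internal only
    ]
)


def parse_flow_logs(lines):
    return [json.loads(line) for line in lines]


def detect_port_sweeps(records, min_ports=5):
    """Flag external sources that touched at least min_ports distinct ports on one internal host.
    Returns {(src_ip, dest_ip): sorted ports}."""
    ports = defaultdict(set)
    for r in records:
        c = r["connection"]
        if not is_internal(c["src_ip"]) and is_internal(c["dest_ip"]):
            ports[(c["src_ip"], c["dest_ip"])].add(c["dest_port"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def external_egress_bytes(records):
    """Bytes each VM sent to non-internal addresses. Only reporter == SRC flows are counted,
    so a flow seen by both endpoints is not double-counted."""
    totals = defaultdict(int)
    for r in records:
        c = r["connection"]
        if r["reporter"] == "SRC" and is_internal(c["src_ip"]) and not is_internal(c["dest_ip"]):
            totals[r["src_instance"]["vm_name"]] += r["bytes_sent"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG_LINES)
    print("port sweeps:", detect_port_sweeps(recs))
    print("egress bytes per VM:", external_egress_bytes(recs))
```

Remember the sampling caveat from the earlier card when reading the numbers: byte counts are interpolated, and a short probe of a single port can be missed entirely, so thresholds on distinct ports are more robust than thresholds on packet counts.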
12
Q

VPC Flow Logs: exporting (costs)

A

Filtering on Core/Additional fields (e.g. on a specific Metadata value) and choosing which metadata to include lets you write only the records you need, which reduces log volume and therefore cost.

13
Q

DNS Fundamentals: info storage

A

To store how a human-readable name is translated into an IP, a zone file is created and used. The file is hosted by the nameserver that is authoritative for that zone.

14
Q

DNS Record Types

A

Name Server records (NS): which nameservers are authoritative for the zone, i.e. hold its current records

A and AAAA records: address records mapping a name to an IPv4 address (A) or an IPv6 address (AAAA); the record is keyed by the domain name (e.g. google.com) and the answer is the IP

CNAME records: aliases, e.g. shop.bowtie.co and ftp.bowtie.co both point to bowtie.co, whose A/AAAA records are then looked up

TXT records: arbitrary text attached to a name; commonly used for SPF/DKIM/DMARC mail policy and domain-ownership verification

MX records: which mail server receives mail for the domain (each with a priority value)

PTR records: pointer records for reverse lookups; the query starts from an IP address (in the in-addr.arpa / ip6.arpa tree) and returns the domain name, for when we search by IP rather than by name

SOA records: start of authority; stores info about the zone (primary nameserver, admin contact, serial, refresh/retry/expire timers); a zone cannot work without it
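To see how these record types fit together in the zone file described two cards earlier, here is an added example written for this page (not code from the course or from any DNS server): a small parser for a constructed BIND-style zone for the bowtie.co demo domain, plus a resolver that follows CNAME chains and a reverse (PTR) lookup. The addresses are documentation ranges and the reverse zone, hostnames and SOA values are all invented; the deliberate CNAME loop shows why a resolver must cap the number of hops.

```python
import ipaddress

# Constructed zone data: forward zone for bowtie.co and the matching in-addr.arpa reverse zone.
ZONE_TEXT = """
$ORIGIN bowtie.co.
$TTL 3600
@      IN SOA   ns1.bowtie.co. hostmaster.bowtie.co. ( 2024010101 7200 900 1209600 300 )
@      IN NS    ns1.bowtie.co.
@      IN NS    ns2.bowtie.co.
@      IN A     192.0.2.10
@      IN AAAA  2001:db8::10
ns1    IN A     192.0.2.1
ns2    IN A     192.0.2.2
shop   IN CNAME @
ftp    IN CNAME bowtie.co.
@      IN MX    10 mail.bowtie.co.
mail   IN A     192.0.2.25
@      IN TXT   "v=spf1 mx -all"
loop1  IN CNAME loop2          ; deliberately broken: CNAME loop
loop2  IN CNAME loop1
$ORIGIN 2.0.192.in-addr.arpa.
10     IN PTR   bowtie.co.
25     IN PTR   mail.bowtie.co.
"""

NAME_TYPES = {"CNAME", "NS", "PTR"}   # rdata is a domain name and must be qualified


def _fqdn(name, origin):
    """Turn an owner or rdata name into a fully qualified lowercase name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _qualify(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text):
    """Parse a zone file into a list of {name, ttl, type, rdata} records.
    Handles $ORIGIN, $TTL, optional TTL/class fields and ';' comments (naively)."""
    origin, ttl, last_owner, records = ".", 3600, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            ttl = int(tokens[1])
            continue
        owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
        last_owner = owner
        rec_ttl = int(tokens.pop(0)) if tokens[0].isdigit() else ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(t for t in tokens if t not in ("(", ")"))
        if rtype in NAME_TYPES:
            rdata = _fqdn(rdata, origin)
        elif rtype == "TXT":
            rdata = rdata.strip('"')
        records.append({"name": owner, "ttl": rec_ttl, "type": rtype, "rdata": rdata})
    return records


def lookup(records, name, rtype):
    """Exact-match lookup of one type, no CNAME following (what the zone literally stores)."""
    name = _qualify(name)
    return [r["rdata"] for r in records if r["name"] == name and r["type"] == rtype.upper()]


def resolve(records, name, rtype, max_cnames=8):
    """Follow CNAMEs (shop.bowtie.co -> bowtie.co) until the requested type is found.
    Returns (canonical name, answers); gives up after max_cnames hops so a loop cannot spin forever."""
    name = _qualify(name)
    for _ in range(max_cnames + 1):
        answers = lookup(records, name, rtype)
        if answers or rtype.upper() == "CNAME":
            return name, answers
        cname = lookup(records, name, "CNAME")
        if not cname:
            return name, []
        name = cname[0]
    return name, []


def reverse_lookup(records, ip):
    """PTR lookup: derive the in-addr.arpa / ip6.arpa name from the IP and query it."""
    return lookup(records, ipaddress.ip_address(ip).reverse_pointer + ".", "PTR")


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(resolve(zone, "shop.bowtie.co", "A"))      # ('bowtie.co.', ['192.0.2.10'])
    print(reverse_lookup(zone, "192.0.2.25"))        # ['mail.bowtie.co.']
    print(resolve(zone, "loop1.bowtie.co", "A"))     # loop detected, no answer
```

A PTR answer is only as trustworthy as whoever controls the reverse zone for that address block, so treat reverse-lookup names as labels, not as authentication.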

15
Q

Network Address Translation (NAT)

A

Translates private IP addresses to public IPs (and back again) at the edge of the network.

Static NAT: maps 1 private IP to 1 public IP, permanently
Dynamic NAT: maps private IPs to a pool of public IP addresses, assigned on demand
Port Address Translation (PAT): maps multiple private IPs to 1 public IP, telling connections apart by port

16
Q

Network Address Translation (NAT): Static NAT

A

Lets a private host connect to a public one.

They cannot do it directly, because private (RFC 1918) addresses are not routable on the internet, so a reply could never find its way back to the internal IP.

So the router keeps a NAT table that translates the internal/private IP to its public counterpart on the way out and back again on the way in.

In static NAT each device is allocated a permanent public IP.

17
Q

Network Address Translation (NAT): Dynamic NAT

A

Private IPs mapped to a pool of many public IPs.

The mapping from private to public is handed out roughly first come, first served, so the translated public IP does not stay with the private device forever; once the pool is exhausted, further hosts cannot get out until an address is released.

This works in the cases where several devices share the same public IP pool.

18
Q

Network Address Translation (NAT): Port Address Translation - PAT

A

Many private IPs to 1 public IP.

The router rewrites the source port as well as the source IP and keeps a table of (private IP, private port) to (public IP, public port). Inbound packets are matched against that table; with no entry there is nowhere to deliver them, so they are dropped, which is why hosts behind PAT are not reachable unsolicited from the internet.
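The three NAT modes of cards 15 to 18 differ only in how the translation table is filled. The following Python is an added example written for these cards, modelling that table in the abstract; it is not any vendor's or Google's NAT implementation. The public addresses are RFC 5737 documentation ranges, the port range PAT allocates from is an arbitrary choice, and a None result stands for "no translation, packet dropped".

```python
import ipaddress
import itertools


class NatTable:
    """Minimal model of a router's NAT table in static, dynamic or PAT mode (constructed example)."""

    def __init__(self, mode, public_ips):
        if mode not in ("static", "dynamic", "pat"):
            raise ValueError("mode must be static, dynamic or pat")
        if mode == "pat" and len(public_ips) != 1:
            raise ValueError("PAT maps many private addresses onto exactly one public address")
        self.mode = mode
        self.free_pool = list(public_ips)                 # unused public addresses (dynamic NAT)
        self.pat_ip = public_ips[0] if mode == "pat" else None
        # static/dynamic: private_ip -> public_ip ; pat: (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.outbound = {}
        # the reverse of outbound, consulted for packets arriving from the internet
        self.inbound = {}
        self._ports = itertools.count(20000)              # PAT source ports, arbitrary start

    def add_static(self, private_ip, public_ip):
        """Static NAT: an administrator pins one private address to one public address."""
        self.outbound[private_ip] = public_ip
        self.inbound[public_ip] = private_ip

    def translate_outbound(self, private_ip, private_port):
        """Return (public_ip, public_port) for an outbound packet, or None if it cannot be translated."""
        if not ipaddress.ip_address(private_ip).is_private:
            raise ValueError(f"{private_ip} is not a private address")
        if self.mode == "static":
            pub = self.outbound.get(private_ip)
            return (pub, private_port) if pub else None
        if self.mode == "dynamic":
            pub = self.outbound.get(private_ip)
            if pub is None:
                if not self.free_pool:
                    return None                           # pool exhausted: host cannot reach the internet
                pub = self.free_pool.pop(0)               # first come, first served
                self.outbound[private_ip] = pub
                self.inbound[pub] = private_ip
            return (pub, private_port)
        key = (private_ip, private_port)                  # PAT: one entry per private socket
        if key not in self.outbound:
            mapping = (self.pat_ip, next(self._ports))
            self.outbound[key] = mapping
            self.inbound[mapping] = key
        return self.outbound[key]

    def translate_inbound(self, public_ip, public_port):
        """Reverse-translate an inbound packet; None means no table entry, i.e. drop it."""
        if self.mode == "pat":
            return self.inbound.get((public_ip, public_port))
        priv = self.inbound.get(public_ip)
        return (priv, public_port) if priv else None

    def release(self, private_ip):
        """Dynamic NAT only: hand the public address back to the pool when the host is done."""
        if self.mode != "dynamic":
            return
        pub = self.outbound.pop(private_ip, None)
        if pub is not None:
            self.inbound.pop(pub, None)
            self.free_pool.append(pub)


if __name__ == "__main__":
    pat = NatTable("pat", ["198.51.100.9"])
    print(pat.translate_outbound("10.0.0.5", 5000))       # ('198.51.100.9', 20000)
    print(pat.translate_outbound("10.0.0.6", 5000))       # ('198.51.100.9', 20001)
    print(pat.translate_inbound("198.51.100.9", 443))     # None: unsolicited inbound is dropped
```

The static table answers inbound packets for any port, which is why a statically NATed host is as exposed as one with a public address and still needs its own firewall; the PAT table only answers for ports it handed out itself.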

19
Q

Cloud DNS

A

Manages the authoritative DNS servers for your zones.

  • global service: you cannot choose a Google region/location for it
  • the domain name itself must be registered/purchased separately

Can manage:
- public zones: visible to the public internet
- private zones: DNS data is not exposed to the public and is visible only from within your VPC network(s)

20
Q

DNS peering

A

VPC Network Peering is not required for a Cloud DNS peering zone to operate: DNS peering forwards queries for a namespace to the Cloud DNS configuration of another VPC network, independently of network connectivity.

21
Q

DNS - managed private zone - DEMO

A

Network Services –> Cloud DNS –> Create zone (zone type: private, attached to a VPC network)

Once the zone is created, two record sets exist automatically:
1. Name Server records (NS records)
2. Start of Authority record (SOA record)