GCP Networking Flashcards

1
Q

How can I monitor the traffic on the VPC network to see where packets are coming from?

A

Enabling flow logs.

2
Q

What is the largest network space you can have in a GC VPC?

A

/8

3
Q

Will the CloudFirewall block traffic between instances in the same network?

A

Yes, as the FW rules are applied at the instance level and at the virtual network level.

4
Q

Will the CloudFirewall block traffic coming into the network?

A

Yes as the firewall rules are applied at the virtual network and instance level.

5
Q

When you create a GCP network (VPC), will this network (VPC) span more than a single region?

A

Yes, when you create a network (VPC), it spans every region.

6
Q

Is a GCP network (VPC) able to span projects?

A

No

7
Q

What is an external IP?

A

It is an IP address reachable externally and is assigned to the instance's network interface.

8
Q

By default the external IP address is ephemeral; what does this mean?

A

It means the external IP address is a public IP taken from the GCP global IP pool, and this IP is put back in the pool once the instance is rebooted.

9
Q

I have an external IP that is ephemeral. When I stop and start my instance, is the external IP returned to the GCP global pool, and do I get a new one on restart?

A

Yes, the address is returned to the pool and you get a new one once the VM is restarted.

10
Q

What are the two different types of static IP you can reserve?

A

In Google Cloud Platform (GCP), there are two types of static IP addresses you can reserve:

  1. External Static IP
    Used for public-facing resources like VM instances, load balancers, or VPN gateways.
    Assigned from Google’s public IP pool.
    Can be either:
    Regional: Used for VM instances with external access.
    Global: Used for global resources like global load balancers.
  2. Internal Static IP
    Used for private communication within a VPC network.
    Assigned from a private IP range in a VPC subnet.
    Always regional and used for resources like:
    Internal load balancers.
    Private Google Kubernetes Engine (GKE) clusters.
    Private service access (e.g., Cloud SQL, Filestore).
11
Q

When I create a firewall rule, can I apply the rule to the entire VPC (global network)?

A

Yes, the rule will span the entire global VPC network.

12
Q

When I create a firewall rule, can I apply the rule to a group of instances?

A

Yes, you can match the rule based on tags.

13
Q

Is network load balancing regional or global?

A

The network load balancer is regional or multi-region.

14
Q

What are the two types of IP addresses in GCP?

A

Static and ephemeral

15
Q

Can an instance only use a static IP that has been reserved in the same region?

A

Yes, in Google Cloud Platform (GCP), an instance can only use a static external IP address that has been reserved within the same project and region as the instance. This rule ensures that IP addressing conforms to regional boundaries and resource management practices within GCP. Here’s a closer look at how static IP addresses work and why they are region-specific:

Static IP Addresses in GCP
Regional Resource:

Static IP addresses in GCP are regional resources. This means that each static IP must be created and used within the same region where it was reserved. For example, if you reserve a static IP in the us-central1 region, it can only be assigned to resources (like VM instances, load balancers, etc.) that are also in the us-central1 region.

Project Scope:

In addition to being regional, static IPs are scoped to the project. Only resources within the same project can use a reserved static IP. You cannot directly assign a static IP reserved in one project to a resource in another project without transferring the IP address, which involves releasing it in one project and re-reserving it in another, subject to IP availability.

Assigning a Static IP to an Instance
To assign a static external IP address to a Compute Engine instance, you can follow these steps:

Reserve a Static IP:

Go to the Google Cloud Console.

Navigate to “VPC network” > “External IP addresses”.

Reserve a new static IP in the region where your instance is or will be located.

Assign the Static IP to an Instance:

You can assign the static IP during the creation of a new instance or edit an existing instance to attach the static IP.

During the instance creation or editing process, choose the reserved static IP as the external IP for the network interface.

16
Q

What is cloud interconnect?

A

It refers to the 3 options to connect your on-prem network to GC.

17
Q

What options do you have to connect from on-prem to GCP?

A

Cloud VPN
Peering
Dedicated interconnect

18
Q

What is Dedicated interconnect?

A

You connect with Google's network at a colocation. This is an expensive option but supports up to 80 GB per sec; a single link is 10GB at a cost of 1700 per month.

19
Q

I need 50GB bandwidth to Google; what is my best option?

A

Dedicated interconnect; this is where you connect to a colocation, and the colocation has a CP peering edge.

20
Q

With Dedicated interconnect, do you pay egress fees?

A

Yes, but at a discount, up to 50%.

21
Q

With Dedicated interconnect, can I have it connect to my VPC or to Google overall, for say G Suite?

A

Direct interconnect only supports connecting to a VPC.

22
Q

What is Peering?

A

Peering connects you with Google's network so you can call the Google APIs and services.

23
Q

Will peering connect to the internet?

A

No

24
Q

What is the peering speed?

A

10GB

25
Q

What speed is supported by cloud VPN?

A

1.5GB

26
Q

When using CloudVPN, what options do I have to make it faster?

A

Use a second VPN.

27
Q

For CloudVPN what is the protocol?

A

IPsec

28
Q

For CloudVPN what key exchange is supported?

A

IKEv1 and IKEv2

29
Q

With CloudVPN, is client to site supported?

A

No
In Google Cloud Platform (GCP), Cloud VPN primarily supports site-to-site IPsec VPN connectivity. This means it is designed to connect entire networks together, allowing resources in one location to communicate securely with resources in another location over the public internet. Typically, this involves connecting a network in your on-premises data center to your virtual network within GCP (VPC).

Client-to-Site VPN
Client-to-site VPN, also known as remote access VPN, allows individual client devices to establish a secure connection to a network over the internet. As of my last update, Google Cloud VPN does not natively support client-to-site VPN setups directly. It’s meant for connecting entire networks (site-to-site), not individual devices.

Alternatives for Client-to-Site VPN in GCP
If you need to set up a client-to-site VPN connection for accessing resources in GCP, you would typically look into one of the following alternatives:

Third-Party VPN Solutions:

You can deploy VPN software that supports client-to-site configurations on Compute Engine instances in your GCP network. Common solutions include OpenVPN, WireGuard, and others. These solutions can be configured to allow individual clients to connect securely to the VPC.

The advantage of this approach is that it provides the flexibility to use a VPN solution that fits your specific needs and can handle both site-to-site and client-to-site configurations.

Identity-Aware Proxy (IAP) for TCP Forwarding:

For securely accessing VM instances without public IP addresses, Google offers Identity-Aware Proxy (IAP), which can control access to TCP services in your VPC from remote clients. IAP works by verifying user identity and the context of the request to determine if a user should be allowed access.

IAP can be an alternative to traditional VPNs for certain types of client-to-VM or client-to-application access, particularly when you’re dealing with administrative access to VMs.

Cloud Interconnect and Peered Connections:

For more extensive corporate needs, where many users need access to cloud resources, setting up Dedicated Interconnect or Partner Interconnect can be a solution. While these are more about extending your corporate network into the cloud (similar to a site-to-site VPN), they provide reliable and secure access to cloud resources.

30
Q

With CloudVPN are dynamic routes supported?

A

Yes, use Cloud Router.

31
Q

For CloudVPN what is the SLA?

A

99.9%

32
Q

Is a VPC a global or regional resource?

A

Global

33
Q

Is a subnet a regional or global resource?

34
Q

Is a subnet a zone-bound resource?

A

No, it spans zones within a region.

35
Q

Is it possible to share a VPC between projects?

36
Q

Is there an instance limit on a VPC?

A

Yes, 7000 instances; you can use a second VPC.

37
Q

In a VPC can I use unicast or broadcast traffic?

A

No.
In Google Cloud Platform’s Virtual Private Cloud (VPC), traffic management and the types of network communication supported are specifically tailored for cloud environments, which differ in some respects from traditional on-premises networking setups.

Unicast Traffic in GCP VPC
Unicast traffic, where communication occurs directly between a single sender and a single receiver, is fully supported in Google Cloud VPC. This is the standard mode of communication between instances within the same VPC network, across different VPC networks via VPC Peering, or between GCP and external networks using Cloud VPN or Cloud Interconnect. Unicast is used for most communications in cloud environments, including HTTP requests, database queries, and internal service calls.

Broadcast Traffic in GCP VPC
Broadcast traffic, on the other hand, involves sending a packet from one sender to all nodes in a network segment. Broadcast is not supported in GCP VPCs. This is typical for cloud providers because broadcast traffic does not scale well with the large, distributed nature of cloud environments and can lead to excessive network congestion (broadcast storms).

38
Q

Can I convert static (manual) IP addressing to ephemeral (automatic)?

A

Convert Static IP to Ephemeral IP for Compute Engine Instances
If you initially set up a Compute Engine instance or another resource with a static IP address and now want to switch to an ephemeral IP address, you can do so by following these steps:

Go to the Google Cloud Console:

Open the Google Cloud Console.

Navigate to the “Compute Engine” > “VM instances” section.

Stop the Instance:

You must stop the instance before you can change its IP address from static to ephemeral. Select the instance, click on the “STOP” button, and wait for the instance to shut down completely.

Edit the Instance:

Once the instance is stopped, click on the instance name to open the instance details page.

Click on the “EDIT” button at the top of the page to modify the instance settings.

Change the IP Address:

Scroll down to the “Network interfaces” section.

Here, you will see the network interface and the currently assigned static IP address.

Click on the “External IP” drop-down menu, where you will see options for “Ephemeral” or selecting another static IP. Choose “Ephemeral” to switch to an automatic IP address.

Save and Start the Instance:

Click the “Save” button to apply the changes.

Start the instance again by clicking on the “START” button.

Considerations
Downtime: Changing the IP type requires stopping the instance, which means there will be downtime for any services running on that instance.

Connectivity: Switching from a static IP to an ephemeral IP means that the IP address can change each time the instance is stopped and started. This might affect services that depend on a fixed IP address for connectivity or configuration.

DNS and External Dependencies: If you have DNS entries or external dependencies tied to the static IP address, you will need to update these to handle the new, potentially changing, ephemeral IP addresses.

Automating the Process
If you anticipate needing to switch between static and ephemeral IPs frequently, consider automating this process using the gcloud command-line tool or GCP APIs. Here’s a basic example using gcloud:

# Stop the instance
gcloud compute instances stop [INSTANCE_NAME] --zone=[ZONE]

# Remove the existing access config that holds the static IP
# (add-access-config fails if nic0 already has an access config)
gcloud compute instances delete-access-config [INSTANCE_NAME] \
    --zone=[ZONE] \
    --access-config-name="External NAT" \
    --network-interface=nic0

# Add a new access config without --address, so an ephemeral IP is assigned
gcloud compute instances add-access-config [INSTANCE_NAME] \
    --zone=[ZONE] \
    --access-config-name="External NAT" \
    --network-interface=nic0

# Start the instance
gcloud compute instances start [INSTANCE_NAME] --zone=[ZONE]

This script stops the instance, replaces the access config so the external IP changes from static to ephemeral, and starts the instance again.

By following these steps and considerations, you can successfully switch from manual (static) IP addressing to automatic (ephemeral) IP addressing for your GCP resources, adapting to changing needs and configurations in your cloud environment.

39
Q

Is IPv6 supported?

A

Yes/No
Yes, Google Cloud Platform (GCP) supports IPv6, but the extent and availability of IPv6 support vary across different services within the platform. As of the latest information available, here’s a summary of IPv6 support in key GCP services:

External IPv6 Support
Global and Regional External HTTP(S) Load Balancers: These load balancers support IPv6 clients connecting from the internet. This means you can configure your load balancer to accept connections from IPv6 addresses and forward them to your backend services, which typically operate over IPv4 within the VPC.

SSL Proxy and TCP Proxy Load Balancers: Similar to HTTP(S) Load Balancers, these services support IPv6 addresses for client connections, enabling services hosted on GCP to be accessible via IPv6 from the internet.

Internal IPv6 Support
Internal Infrastructure: Within GCP’s Virtual Private Cloud (VPC), networking is predominantly based on IPv4. There is no native IPv6 support for internal networking between VM instances in a VPC. This means that communication between instances or other resources like databases, storage, etc., within the same VPC currently relies on IPv4.

Domain Name Services
Cloud DNS: Google’s Cloud DNS supports managing both IPv4 (A records) and IPv6 (AAAA records) addresses. This allows you to define DNS records that resolve to IPv6 addresses, facilitating the use of IPv6 for services that are exposed to the internet.

Deployment Considerations
Dual-stack Configuration: For services like load balancers that support IPv6, GCP generally uses a dual-stack approach where both IPv4 and IPv6 addresses are used. This configuration allows you to serve all users, regardless of whether their internet service provider supports IPv6 or IPv4.

Enabling IPv6 on HTTP(S) Load Balancer
To enable IPv6 on an HTTP(S) Load Balancer in GCP, you typically need to:

Set Up the Load Balancer: Create an HTTP(S) load balancer with backend configurations as usual.

IPv6 Configuration: During the frontend configuration, assign an IPv6 address to your load balancer.

DNS Configuration: Use Cloud DNS or another DNS service to set up an AAAA record pointing to the IPv6 address of the load balancer, allowing IPv6 clients to resolve and connect.

Considerations and Limitations
Billing and Quotas: Keep in mind any additional costs and quotas associated with using IPv6 addresses in GCP, similar to IPv4 addresses.

Partial Support: Since internal GCP networking does not support IPv6, any internal communication or services that require direct VM-to-VM connectivity over IPv6 are not feasible. This limitation can impact the design of applications that require IPv6 all the way through.

While GCP’s support for IPv6 is robust for internet-facing services, particularly through load balancers, the lack of IPv6 support for internal VPC networking requires careful planning and potentially maintaining dual networking stacks (IPv4 internally and IPv6 externally) for applications deployed on Google Cloud.

40
Q

What are network tags?

A

In Google Cloud Platform (GCP), network tags are used to apply certain networking policies to specific instances or groups of instances within your Virtual Private Cloud (VPC). Network tags are simple, customizable labels that you attach to VM instances, which can then be referenced by a variety of network settings, most commonly firewall rules and network routes.

Key Features and Uses of Network Tags
Firewall Rules:

Application: Network tags are widely used to define the scope of firewall rules. By attaching a specific tag to one or more VM instances, you can specify that only those tagged instances are subject to the corresponding firewall rule. For example, if you have a firewall rule that allows TCP traffic on port 80, and you tag some VMs with the tag http-server, only these VMs will allow traffic on that port.

Flexibility: This approach allows for highly flexible and dynamic firewall configurations. Instead of relying on static IP addresses, which can change and are hard to manage at scale, tags provide a way to implement security policies that automatically apply to all instances with a given tag.

Network Routes:

Routing Decisions: Network tags can also influence routing decisions within a GCP network. You can create routes that direct traffic from or to instances based on the tags those instances have. This is useful for directing specific types of traffic to specialized resources, such as dedicated network appliances or proxies.

How to Use Network Tags
Assigning Tags to Instances:

When creating a new VM instance in the Google Cloud Console, you can specify network tags under the “Management, security, disks, networking, sole tenancy” settings.

For existing instances, you can edit the instance’s settings to add or remove network tags.

Referencing Tags in Firewall Rules:

When you create or edit a firewall rule in GCP, you can specify the network tags in the “Targets” section. This defines which instances the rule applies to based on their tags.

Similarly, you can define the source of traffic as instances with a specific tag under the "Source filter" section by selecting "Source tags".

41
Q

Is the firewall regional or attached to the global VPC?

A

Attached to the global VPC; this means that when you set up a firewall rule you attach it to a VPC and it is global.

42
Q

Where do you define firewall rules?

A

In Google Cloud Platform (GCP), firewall rules are not defined directly at the subnet or instance level. Instead, firewall rules are applied at the network level within a Virtual Private Cloud (VPC) and can target specific instances using mechanisms like network tags, IP ranges, or service accounts.

43
Q

Is all ingress traffic denied by default?

44
Q

Is all egress traffic denied by default?

45
Q

Are firewall rules prioritized?

A

Yes, rules are evaluated lowest number first.

46
Q

When you create a VPC what default firewall rules do you get when the VPC is using automatic subnet mode creation?

A
  • allow-icmp 65534
  • allow-internal 65534
  • allow-rdp 65534
  • allow-ssh 65534
  • deny-all-ingress 65535
  • allow-all-egress 65535
47
Q

Are all default rules assigned a low or high priority number?

A

Almost all rules get 65K at the top end; http and https get 1K at the low end.

48
Q

When you create a VPC with two subnets, can VM 1 in subnet 1 ping VM 2 in subnet 2?

A

Yes, by default you get a default firewall rule to enable traffic that is local between subnets.

49
Q

What is a router?

A

It defines where a packet is sent once it leaves the VM.

50
Q

How would I take two VMs and route all their traffic to a proxy?

A

Define a route with a tag and assign the tag to the VMs.

51
Q

For routes, what are my next hop options?

A
  • default internet gateway
  • VPN tunnel
  • IP
  • Instance
52
Q

Are routes global?

A

Yes, they are attached to a VPC (global).

53
Q

What is a host project?

A

It refers to a project that will host a VPC for other projects.

54
Q

What is a service project?

A

It refers to a project that is using a host project's VPC.

55
Q

What is a standalone project?

A

It is a project that is not using a shared VPC.

56
Q

Can I share a host project outside the organization?

57
Q

Can I link a service project with many host projects?

A

No, only one host project.

58
Q

Can a project be both a service and a host project?

59
Q

When I create a VPC subnet, is the subnet tied to a zone?

A

No, it is independent of the zone; when you deploy an instance, it is at that time that you define in what zone the instance and disk will live.

60
Q

I created a VPC with auto subnet mode, I have two subnets with an instance in each, will I be able to ping without adding a firewall rule?

A

Yes, the following rules are created:

  • allow-icmp 65534
  • allow-internal 65534
  • allow-rdp 65534
  • allow-ssh 65534
  • deny-all-ingress 65535
  • allow-all-egress 65535
61
Q

I created a VPC with custom subnet mode, I have two subnets with an instance in each, will I be able to ping without adding a firewall rule?

A

No, no firewall rules are created.

62
Q

What is a custom subnet?

A

Where you create the subnet and manually enter the required firewall rules.

63
Q

When you create a VPC what default routes do you get?

A
  • Default gateway
  • A route to any subnets you create as part of the VPC

64
Q

What are the filters you can use on a firewall rule?

A
  • Source port
  • Dest port
  • Source address
  • Dest address
  • Protocol
65
Q

How can you group instances so the firewall rule is applied? Is it a label?

A

No, it is a tag, tags are used for networking.

66
Q

I have two VPCs and I want to connect both; what options do I have?

A
  • CloudVPN
  • VPC Peering

67
Q

I have GKE and I want to connect its network to another VPC; what is my best option?

A

VPC peering can be used for this.

68
Q

I have App Engine flexible and I want to connect its network to another VPC; what is my best option?

A

VPC peering can be used for this.

69
Q

For VPC peering, can I have overlapping subnet ranges?

70
Q

I have a number of firewall rules and I want to see how they affect traffic; how can I do this?

A

Use firewall logging.

71
Q

I have firewall logging turned on; where can I send the logs?

A

Stackdriver
pub/sub
BigQuery

72
Q

I have an external IP that is ephemeral. When I reboot my instance, is the external IP returned to the GCP global pool, and do I get a new one on restart?

A

The IP is not given back to the pool.

73
Q

I have a network load balancer and instances are not receiving traffic; what would I need to do?

A

Open the firewall for the health check from the specific ports found in the network LB documentation.

74
Q

What protocols are supported by the network load balancer?

A

SSL proxy and TCP

75
Q

Does the network load balancer have a session affinity feature?

A

Yes, off by default.

76
Q

What is the network load balancer?

A

It is an L4 LB supporting SSL proxy and TCP; it is single- or multi-region.

77
Q

What is the Google load balancer?

A

It is an L7 LB and supports only multi-region and HTTP and HTTP(S).

78
Q

Is the network load balancer internal or external facing?

A

Both, internal between instances and external to receive traffic from the internet.

79
Q

Is the GCP load balancer global?

A

Global; unlike AWS, the load balancer is a global load balancer receiving traffic and distributing it to one or more regions globally.

80
Q

Can you use the GCP load balancer for internal VMs?

A

No, it is an internet-facing-only LB.