GCP Networking Flashcards
How can I monitor the traffic on the VPC network to see where packets are coming from?
By enabling flow logs.
What is the largest network space you can have in a GC VPC?
/8
Will the CloudFirewall block traffic between instances in the same network?
Yes, as the firewall rules are applied at the instance level and at the virtual network level.
Will the CloudFirewall block traffic coming into the network?
Yes, as the firewall rules are applied at the virtual network and instance level.
When you create a GCP network (VPC), will this network (VPC) span more than a single region?
Yes, when you create a network (VPC), it spans every region.
Is a GCP network (VPC) able to span projects?
No
What is an external IP?
It is an IP address available externally and is assigned to the instance's network interface.
By default the external IP address is ephemeral, what does this mean?
It means the external IP address is given a public IP from the GCP global IP pool and this IP is put back in the pool once the instance is rebooted.
I have an external IP that is ephemeral; when I stop and start my instance, is the external IP returned to the GCP global pool and do I get a new one on restart?
Yes, the address is returned to the pool and you get a new one once the VM is restarted.
What are the two different types of static IP you can reserve?
Regional, for assigning to an instance, and global, which can be assigned to a load balancer.
When I create a firewall rule, can I apply the rule to the entire VPC (global network)?
Yes, the rule will span the entire global VPC network.
When I create a firewall rule, can I apply the rule to a group of instances?
Yes, you can match the rule based on tags.
Is network load balancing regional or global?
The network load balancer is regional or multi-region.
What are the two types of IP addresses in GCP?
Static and ephemeral
An instance can only use a static IP that has been reserved in the same?
Region
What is cloud interconnect?
It refers to the three options for connecting your on-prem network to GCP.
What options do you have to connect from on-prem to GCP?
- Cloud VPN
- Peering
- Dedicated interconnect
What is Dedicated interconnect?
You connect with Google's network at a colocation facility. This is an expensive option but supports up to 80 GB per sec; a single link is 10 GB at a cost of 1700 per month.
I need 50 GB bandwidth to Google, what is my best option?
Dedicated interconnect; this is where you connect at a colocation facility that has a GCP peering edge.
With Dedicated interconnect, do you pay egress fees?
Yes, but at a discount of up to 50%.
With Dedicated interconnect, can I have it connect to my VPC or to Google overall, for say G Suite?
Dedicated interconnect only supports connecting to a VPC.
What is Peering?
Peering connects you with Google's network so you can call the Google APIs and services.
Will peering connect to the internet?
No
What is the peering speed?
10 GB
What speed is supported by cloud VPN?
1.5 GB
When using CloudVPN, what options do I have to make it faster?
Use a second VPN.
For CloudVPN what is the protocol?
IPsec
For CloudVPN what key exchange is supported?
IKEv1 and IKEv2
With CloudVPN, is client to site supported?
No
With CloudVPN, are dynamic routes supported?
Yes, use CloudRouter.
For CloudVPN what is the SLA?
99.9%
Is a VPC a global or regional resource?
Global
Is a subnet a regional or global resource?
Regional
Is a subnet a zone-bound resource?
No, it spans zones within a region.
Is it possible to share a VPC between projects?
Yes
Is there an instance limit on a VPC?
Yes, 7000 instances; you can use a second VPC.
In a VPC can I use unicast or broadcast traffic?
No.
Can I convert manual addressing to automatic?
No, you can only go from auto to manual.
Is IPv6 supported?
No, but IPv6 can be used to reach the LB for resources in the network; this also includes the LB for App Engine.
What are network tags?
The primary method of segmenting traffic for instances.
Is the firewall regional or attached to the global VPC?
Attached to the global VPC; this means when you set up a firewall rule you attach it to a VPC and it is global.
Do you define firewall rules at the subnet or instance level?
Both instance and subnet level
Is all ingress traffic denied by default?
Yes
Is all egress traffic denied by default?
No
Are firewall rules prioritized?
Yes, rules are evaluated lowest number first.
When you create a VPC what default firewall rules do you get when the VPC is using automatic subnet mode creation?
- allow-icmp 65534
- allow-internal 65534
- allow-rdp 65534
- allow-ssh 65534
- deny-all-ingress 65535
- allow-all-egress 65535
Are all default rules assigned a low or high priority number?
Almost all rules get 65K at the top end; http and https get 1K at the low end.
When you create a VPC with two subnets, can VM 1 in subnet 1 ping VM 2 in subnet 2?
Yes, by default you get a default firewall rule to enable traffic that is local between subnets.
What is a router?
It defines where a packet is sent once it leaves the VM.
How would I take two VMs and route all their traffic to a proxy?
Define a route with a tag and assign the tag to the VMs.
For routes, what are my next hop options?
- default internet gateway
- VPN tunnel
- IP
- Instance
Are routes global?
Yes, they are attached to a VPC (global)
What is a host project?
It refers to a project that hosts a VPC for other projects.
What is a service project?
It refers to a project that is using a host project VPC.
What is a standalone project?
It is a project that is not using a shared VPC.
Can I share a host project outside the organization?
No
Can I link a service project with many host projects?
No, only one host project.
Can a project be both a service and host project?
No
When I create a VPC subnet, is the subnet tied to a zone?
No, it is independent of the zone. When you deploy an instance, it is at this time that you define in what zone the instance and disk will live.
I created a VPC with auto subnet mode; I have two subnets with an instance in each. Will I be able to ping without adding a firewall rule?
Yes, the following rules are created:
- allow-icmp 65534
- allow-internal 65534
- allow-rdp 65534
- allow-ssh 65534
- deny-all-ingress 65535
- allow-all-egress 65535
I created a VPC with custom subnet mode; I have two subnets with an instance in each. Will I be able to ping without adding a firewall rule?
No, no firewall rules are created.
What is a custom subnet?
Where you create the subnet and manually enter the required firewall rules.
When you create a VPC what default routes do you get?
- Default gateway
- A rule to any subnets you create as part of the VPC
What are the filters you can use on a firewall rule?
- Source port
- Dest port
- Source address
- Dest address
- Protocol
How can you group instances so the firewall rule is applied; is it a label?
No, it is a tag, tags are used for networking.
I have two VPCs and I want to connect both, what options do I have?
- CloudVPN
- VPC Peering
I have GKE and I want to connect its network to another VPC, what is my best option?
VPC peering can be used for this.
I have App Engine flexible and I want to connect its network to another VPC, what is my best option?
VPC peering can be used for this.
For VPC peering, can I have overlapping subnet ranges?
No
I have a number of firewall rules and I want to see how they affect traffic, how can I do this?
Use firewall logging.
I have firewall logging turned on, where can I send the logs?
- Stackdriver
- Pub/Sub
- BigQuery
I have an external IP that is ephemeral; when I reboot my instance, is the external IP returned to the GCP global pool and do I get a new one on restart?
The IP is not given back to the pool.
I have a network load balancer and instances are not receiving traffic, what would I need to do?
Open the firewall for the health check from the specific ports found in the network LB documentation.
What protocols are supported by the network load balancer?
SSL proxy and TCP
Does the network load balancer have a session affinity feature?
Yes, off by default.
What is the network load balancer?
It is an L4 LB supporting SSL proxy and TCP; it is single or multi-region.
What is the Google load balancer?
It is an L7 LB, supports only multi-region, and supports HTTP and HTTP(S).
Is the network load balancer, internal or external facing?
Both, internal between instances and external to receive traffic from the internet.
Is the GCP load balancer global?
Global. Unlike AWS, the load balancer is a global load balancer receiving traffic and distributing it to one or more regions globally.
Can you use the GCP load balancer for internal VMs?
No, it is an internet-only facing LB.