Networking Flashcards
Lowest priority for firewall rule
65,535
VPC implied rules (2)
Block all incoming traffic
Allow all outgoing traffic
Default rules for VPC default network (4)
default-allow-internal
default-allow-ssh (TCP port 22)
default-allow-rdp (TCP on port 3389)
default-allow-icmp (ping)
Cloud Router
Software-defined dynamic routing that GCP uses to advertise IP address ranges to destinations OUTSIDE the VPC network
Cloud Router provides routing services for…(4)
Dedicated Interconnect
Partner Interconnect
HA VPN
Classic VPN tunnels that use dynamic routing
Auto mode VPC subnets fit within CIDR block
10.128.0.0/9
VPC network peering works with which IaaS (3)
Compute Engine
App Engine Flexible
GKE
Hybrid network implementation options (3)
Cloud VPN
Cloud Interconnect
Direct Peering
Cloud VPN gateways (2)
HA VPN
Classic VPN
Cloud VPN - max network bandwidth per tunnel
3 Gbps
Dedicated Interconnect - bandwidth options
10 Gbps (up to 8 x 10 Gbps for 80 Gbps)
100 Gbps (up to 2 x 100 Gbps for 200 Gbps)
Partner Interconnect - VLAN attachment size options
50 Mbps - 50 Gbps
Cloud Router used for … (3)
HA VPN
Cloud Interconnect
Router Appliance
Direct Peering
Used to access Workspace services from on-prem
Private Service Connect for Google APIs
- Clients
- Connection
- Supported services
- Usage
GCP resources without external IP and on-premises systems
Connect to a Private Service Connect endpoint in VPC network which forwards request to Google APIs and services
Supports most Google APIs and services
Allows private consumption of services across VPC networks that belong to different groups, teams, projects, orgs
Private Service Connect for Google APIs with Consumer HTTPS service controls
- Clients
- Connection
- Supported Services
- Usage
GCP resources without external IP and on-prem systems
Connect to internal HTTP load balancer in VPC network which forwards request to Google APIs and services
Supports selected regional Google APIs and services
Connect to regional Google APIs and services using HTTP(S) Internal Load Balancer
Option to use URL mapping to limit access to specific APIs
Private Google Access
- Clients
- Connection
- Supported services
- Usage
GCP resources without external IPs
Connect to standard external IP or Private Google Access domains and VIPs for Google APIs and services via network’s default internet gateway
Supports most GCP APIs and services
Access to external IP addresses used by App Engine and third party App Engine based services
Private Google Access for On-Prem Hosts
- Clients
- Connection
- Supported services
- Usage
On-prem hosts with or without external IP
Connect to Google APIs and services through Cloud VPN tunnel or Cloud Interconnect via one of the Private Google Access-specific domains and VIPs
Access Private Google Access domains specified
Connect from on-prem to Google APIs and services through VPC
Private Service Access
- Clients
- Connection
- Supported services
- Usage
GCP VM instances with or without external IP
Connect to GCP or third party managed VPC network through a VPC Network Peering connection
Some GCP and third party services
Connects instances in your VPC network to service producer’s VPC network via VPC Network Peering connection.
(use IPv4 range allocated for service producers)
Serverless VPC Access
Allows serverless environment (Cloud Run, App Engine, Cloud Functions) to connect to your VPC network
Serverless environment sends requests to VPC network using internal DNS and internal IP address
Advanced traffic management capabilities
Traffic steering
- route based on HTTP parameters (host, path, headers)
Traffic actions
- request based and response based actions (redirects and header transformations)
Traffic policies
- fine tune behavior (advanced load balancing algorithm)
Backend Service (5 features)
Configuration determines load balancing behavior
- Direct traffic to correct backend
- Distribute traffic according to balancing mode
- Determine which health check is monitoring backend
- Specify session affinity
- Determine if services are enabled (Cloud CDN, Cloud Armor, Identity-Aware Proxy)
Load balancer for Cloud CDN
External HTTP load balancer
External TCP/UDP Network Load Balancer
- Regional or global
- How traffic is distributed
- Use Cases
Regional
Pass through
Distributes external traffic among VM instances
Packets pass through from client to backend (no backend service)
Use Cases:
- Forward packets from internet unproxied - need client source IP preserved
- Migrate existing pass through load balancer
Internal TCP/UDP Load Balancer
- Regional or global
- How traffic is distributed
- Use Cases
Regional backends and frontends (global access supported)
Pass through
Frontend forwarding rule to backend service (instance groups or NEGs)
3-tier web app - between frontend and middleware
Next hop from server to gateway
Internal HTTP(S) Load Balancer
- Regional or global
- How traffic is distributed
- Use Cases
Regional only
Forwarding rule specifies internal IP, port, regional target HTTP proxy
Frontend - internal IP, proxy-only subnet
URL map to determine routing
Private Service Connect for Google APIs and consumer HTTP service
Modernizing monolith legacy app (place in front of monolith to distribute subset of traffic to new microservices)
Regional External HTTPS Load Balancer
- How traffic is distributed
- Use Cases
External forwarding rule to Envoy proxies in same region as load balancer, then to regional backend service
Use advanced networking features for external HTTP traffic while using standard tier network
SSL Proxy Load Balancer
- Regional or global
- How traffic is distributed
- Use cases
Regional (Standard Tier) or global (Premium Tier)
Premium:
- Advertise load balancer global anycast IP
- GFE directs request to healthy backend instance groups or NEG in region closest to user
Standard:
- Advertise load balancer’s external IP from POP in same region as forwarding rule
Offload SSL processing, control SSL features with SSL policies, terminate TLS in globally distributed locations to minimize latency
Global External HTTP Load Balancer
- How traffic is distributed
Requests routed to GFE closest to client (or in same region as load balancer if regional)
External forwarding rule specifies external IP, port, and target HTTP Proxy
Target HTTP proxy authenticates clients using SSL certs
Backend service distributes to healthy backend
Load balancer for Private Service Connect for Google APIs and Consumer HTTP Service
Internal HTTP
Standard API operations (5)
List, Get, Create, Update, Delete
IPs in each subnet reserved for Google (4)
First address - Network
Second address - Gateway
Second to last - Potential future use by Google
Last - Broadcast
K8s Networking Modes (2)
VPC native cluster
- Uses alias IPs to route traffic between pods
Routes-Based cluster
- Uses Google Cloud routes to route traffic between pods
Packet Mirroring
Clones traffic to and from VM instances and forwards for inspection
Network Intelligence Center modules (4)
Network topology map
Connectivity tests
Performance dashboard
Firewall insights
Traffic Director
Fully managed, HA control plane for service mesh