Networking Flashcards
What is a VPC Network?
- Virtual Private Cloud (VPC) network
- Manage networking for your GCP Compute resources
- All Compute Engine, Kubernetes Engine containers and AppEngine Flex apps, exist within a VPC Network.
- A Default mode network is created, can be updated or replaced with custom mode to meet your needs (custom IP Addresses and sub-nets)
- Securely connect your VPC network of IPsec for VPN access.
- Support for firewall restriction and routing between networks and instances - Works across regions, highly scalable
- Shared VPC allows sharing a network across projects to operate services with their own quota and billing
What do VPC firewall rules allow you to do, how do they work?
- Firewall rules protect your VM instances from unapproved connections, both inbound and outbound.
- You can create firewall rules to allow or deny connections based on a combination of IP addresses, ports and protocols.
- Functions between other networks AND between instances on the same network (distributed firewall)
What is a route, how or why would I need one?
- A route is a mapping of an IP range to a destination
- Routes tell the VPC network where to send packets destined for a particular IP address
- Routes are created automatically when the network is created: a default route for Internet traffic, and a route for each subnet when the subnet is created.
- Routes still need Firewall rules to allow packets
- Routes may apply to instances by using a matching Tag attribute
How do your route packets to the Internet?
Cloud Router - Must be sent by an instance that has an external IP address
NAT Gateway - A Cloud NAT gateway can provide NAT services for packets sent from a Compute Engine VM’s network interface as long as that network interface doesn’t have an external IP address assigned to it. For GKE clusters, Cloud NAT can provide service even if the cluster nodes have external IP addresses in certain circumstances. For details, see GKE interaction.
The Cloud NAT gateway can be configured to provide NAT for the VM network interface’s primary internal IP address, alias IP ranges, or both. You make this configuration by choosing the subnet IP address ranges to which the gateway should apply.
What is VPC Network Peering?
- Allows private connectivity across two VPC networks, in different projects or organizations.
What is CIDR notation?
- CIDR = Classless Inter Domain Routing, using 1-bit increments
- CIDR notation is a compact representation of an IP Address and its associated routing prefix (subnet mask splits into host part and network part)
- A Class C address 192.168.1.100/24 gives access to 256 IP addresses:
- 254 hosts IPs in the range 192.168.1.1 to 192.168.1.254
- 1 Network address 192.168.1.0 (reserved)
- 1 Broadcast address 192.168.1.255 (reserved)
- the /24 represents subnet 255.255.255.0
What are the different ‘Classes’ of networks?
Why is using Classful address scheme considered wasteful?
- Class A: 1.0.0.0 - 126.0.0.0 = /8
- Class B: 128.0.0.0 - 191.255.0.0 = /16
- Class C: 192.0.0.0 - 223.255.255.0 = /24
- Giving Class C to an org that need 5 hosts is wasteful
- Use CIDR instead, which uses 1-bit increments instead of 8-bit for classful.
How do firewall rules work with regards to subnets?
- Aautomode VPC creates inter-subnet firewall rules to allow instances on the same subnet to communicate
- To allow communication between different subnets, you must define a custom firewall rule to allow that access
What is Google Cloud VPN?
- Securely connects your on-premise network to your GCP VPC network/gateway through an IPSec VPN connection (VPN Tunnel)
- Requires an IPsec VPN gateway on the client side
- Supports static and dynamic routes (via Cloud Router), for managing traffic between GCP VPC and existing infrastructure
What is required to use a VPN?
- Must have a peer gateway by the client
- The peer VPN gateway must have a static external IP address
- The CIDR range of the VPC network must not conflict with the CIDR ranges of the peer VPN gateway
- You must supply a shared secret for the VPN
- Setup firewall rules and any custom routing needed
What is Cloud Router? When should it be used?
Google Cloud Router
On Google Cloud, dynamic routing can be established using Cloud Router. It exchanges network topology information through Border Gateway Protocol (BGP). Cloud Router advertises subnets from its VPC network to another router or gateway via BGP. This is great for setting up VPN between the cloud and on-prem, as topology changes automatically propagate with no manual intervention and higher redundancy for your systems.
-Subnet level support
VPC - What are Forwarding Rules?
- routes govern traffic LEAVING an instance
- forwarding rules can direct traffic that ARRIVEWS from OUTSIDE the network AS WELL as traffic (that ARRIVES) from INSIDE the network
- rules based on IP, protocol or port
What are some use cases for VPC ‘forwarding rules’?
- Virtual hosting: multiple rules to point to a single instance, allowing multiple external IPs with just one VM; especially useful for SSL hosting
- Forwarding rules over a VPN
- Load balancing: forward traffic to a load-balancer
What is needed to create and use a VPC ‘forwarding rule’?
- Creation of a ‘targeted instance’ resource on the VM - BEFORE the fowarding rule
* gcloud compute target-instances create - Creation of the forwarding rule
* gcloud compute forwarding-rules create
What is Cloud Load Balancing?
When and why would we want to use it?
- Distribute traffic to load-balanced compute resources in single or multiple regions
- Close to users with high-availability
- Scale resources up or down with intelligent Autoscaling
- Integrated with Cloud CDN for optimal app and content delivery
- Scales as your user and traffic grows
- Supports internal load-balancing (via Andromeda)
What are the types of load-balancing?
- Global external load balancing
- HTTP(S) load balancing
- SSL Proxy load balancing - non-https(s) traffic
- TCP Proxy load balancing - non-htttp(s) traffic
- Regional external load balancing
- Network load balancing- distributes traffic among a pool of instances within a region
- Regional internal load balancing
- Internal load balancing- distributes traffic from GCP VM instances to a group of instances in the same region
What is and how do you setup Internal Load Balancing?
- Internal Load Balancing enables you to run and scale your services behind a private load balancing IP address which is accessible only to instances internal to your Virtual Private Cloud (VPC).
- Think external LB service to Web tier, which has internal configuration to LB to App tier (like AJP), but instead using Google ‘Internal’ Load Balancer solution
What is Cloud CDN and what is it good for, why/when should I use it?
- Cloud CDN works with the HTTP(S) Load Balancing service
- Content may come from VM instance groups or Cloud Storage buckets
*
Switch takes traffic from Subnets to different devices, Internet GW and VPN GW.
Subnets isolate traffic in different zones.
Subnets can spand zones.
Subnets can isolate to a zone.
How does traffic get from one region to another in the same VPC?
In the same VPC, traffic is able to span all region using internal IP addresses. The traffic can move across all subnets.
What are the two different ways you can manage traffic in a region for two different apps?
Put traffic in different subnets but have one VPC
Put traffic in different VPCs for better isolation.
What do internal and external IP addresses provide?
Internal - communicate within a VPC traffic Globally.
External - communicate with external networks and to other VPCs.
What networks have routes?
All networks have routes.
The default network has a default route to the internet and individual routes to each subnet.
What are route tables
Tables are used to tell which routes and rules apply to each VM instance.
Routes could apply to multiple instances or single instances depending on the tags used in the route statement.
If an instance tag is used, the route applies to that instance, and if an instance tag is not used, then the route applies to all instances in that network.
Individual read-only route tables are created for each VM instance based off of the parent route table.
How are default networks laid out?
How are firewall rules applied?
If you have a concept in your mind that all this traffic is flowing through some single firewall chokepoint device somewhere, you’re mistaken.
GCP is a full SDN, with firewall policies applied at the instance-level, no matter where it resides.
These checks are performed immediately without having to funnel traffic through dedicated security appliances.
How is traffic controlled with firewall rules and what are the only type of rules you are allowed to create?
Each VPC network has its own distributed firewall, which allows or denies traffic into and out of the network, and between VM instances.
The firewall has an explicit-deny policy, meaning that any traffic that needs to be permitted must have a rule created. You cannot create “deny” rules, only “allow” rules.
What are some factoids about a VPC network?
VPC stands for Virtual Private Cloud.
A Virtual Private Cloud (VPC) network is a cloud version of a physical network, enforced within Google’s network
Incoming and Outgoing Traffic from instances can be controlled using firewall rules that can be configured while creating VPC Network.
Resources in a VPC network can communicate with each other using internal i.e. Private IPv4 addresses, but firewall rules should be set accordingly.
Instances with internal IP addresses and no external IP address can communicate with external Google APIs and services using the Private Google Access option.
VPC networks can be connected easily to another VPC network in different projects or organizations by using VPC Network Peering.
What are some factoids related to subnets?
Generally, each network is divided into multiple useful IP range partitions called subnets (to avoid overhead and maintenance and to provide more security for different departments). VPC networks do not have IP addresses associated with them. IP address ranges are associated with the subnets only.
When you spin up any resource in the Google Cloud, you always choose a network and subnet. You have to choose a zone or a region also depending on the resource. By selecting a zone, it automatically picks up its parent region. Subnets are also regional resources and by selecting a region for your resources (like VMs), it will automatically pick what subnet it can use.
What are the two types of Static IPs?
tatic IP
- Regional Global
- Two types:
- Regional Static IP
- GCE Instances
- Network Load Balancers
- Global Static IP (Anycast IP)
- Global Load Balancers
- HTTP(S)
- SSL Proxy
- TCP Proxy Note:
- Global Load Balancers
- Regional Static IP
- Pay for IPs that are not in use
Static and Ephemeral IP Addresses
A static IP address is a fixed IP address. The address maintains an association with a project unless the administrator releases it. An organization uses a static address to apply consistency for services such as a web application or website.
Many virtual machines utilize a different type of address where as long as the resource uses the IP address and remains active, there is no change. This IP address type is known as an ephemeral IP address. A virtual machine running an application often maintains the same IP address until the instance is stopped or deleted.
Reserving an IP Address
There are times when you may want to reserve an external IP address. A reservation can be made using Cloud Console or the command line.
To reserve a static IP address using Cloud Console, go to the Networking option in the navigation area and then select External IP Address under Virtual Private Cloud (VPC).
VPCs consist of
subnets, a type of regional resource associated with an IP address range. The IP addresses associated with subnets are private so that resources, including APIs and third-party services, can communicate with one another.
VPCs do not have to be standalone; they are sharable inside an organization utilizing a project. Assuming users across an organization have the appropriate permissions, it is possible to create resources in a shared environment.
Creating a Shared Virtual Private Cloud
Shared VPC, also known as XPN in the API and command-line interface, enables an engineer to export subnets from an existing VPC network to a host project or other service project inside the same organization. Instances inside a service project may have network connections to shared subnets within a host project.
Load Balancer Types
Configuring a Load Balancer Using gcloud
If you prefer to configure a load balancer using gcloud, use a command with the following structure:
Beyond the HTTPS load balancer mentioned in the previous section, there are many other alternatives to create a network load balancer. Key commands that should be applied in creating a load balancer command line are presented in Table 8-5.
Mimicking the creation of the HTTP load balancer created in the Cloud Console, the following command lines are used.
To create a health check:
To create a backend service:
To add an instance group as the backend to the backend services:
Understanding Zone Types DNS
GCP Cloud DNS supports three different zone types—managed, public, and private. Most often, cloud engineers work with managed zones because they are associated with a project. A managed zone holds all of the DNS records for DNS name suffixes (www.dynalearning.com). A project may have several managed zones, and each zone must have a unique name. With Cloud DNS, a managed zone is the resource type that supports an entire DNS zone. That means all records on the same Google Server will map to the same nameservers. A nameserver responds to a DNS query against a managed zone based on your zone configuration. A project can support many managed zones, but you are charged daily for each managed zone that exists.
How would you build a shared VPC for a test and prod environment? It has 3 different networks that need to connect.
What are the differences between Shared VPC and VPC peering?
What are the 3 different build out modes for VPC Subnets?
What IPs do you need to communicate across regions with different subnets, but all part of the same VPC?
Do firewall rules apply to all vms in subnets are just one at a time.
Can you expand or shrink subnets are both?
What is the difference between external and internal IP
What are the different types of load balancers?
What is some general information about a VPC you should know?
What are IP addressing rules for the VPC subnets:
What are the 4 different IP addresses in a subnet?
What is Dynamic Routing Mode?
What are shared VPC?
Where do you get the IP address from for the various IP addresses.
How do we manage Alias IP Addresses
What is a DNS Peering zone?
DNS Peering
- DNS peering allows sending requests for records that come from one zone’s namespace to another VPC network for e.g., a SaaS provider can give a SaaS customer access to DNS records it manages.
- To provide DNS peering,
- Cloud DNS peering zone must be created and configured to perform DNS lookups in a VPC network where the records for that zone’s namespace are available.
- The VPC network where the DNS peering zone performs lookups is called the DNS producer network.
- To use DNS peering,
- A network must be authorized to use a peering zone.
- The VPC network authorized to use the peering zone is called the DNS consumer network.
- DNS peering and VPC Network Peering are different services. DNS peering can be used with VPC Network Peering, but VPC Network Peering is NOT required for DNS peering. VPC peering does not enable DNS peering and must be setup explicitly.
We are discussing common facts about all Layer 7 Load Balancers(LBs) and Layer 4 Load Balancers(LBs).
We are discussing common facts about all Layer 7 Load Balancers(LBs) and Layer 4 Load Balancers(LBs). In the demo, we will create a simple HTTP Load Balancer. You can create HTTPS Load Balancer in case you own a domain, we have attached a document on how to do that as well.
Layer 4-LBs act almost as transport layer-aware routers that do no packet manipulation and are faster than Layer 7-LBs that perform a number of manipulation to packets and also have session affinity feature ensuring connections that result from the same source are always served from the same backend. Layer 7-LBs are more common and are often always software whereas Layer 4 - Load Balancers are less common, and tend to be implemented in dedicated hardware.
One important note about Layer 7-LBs is their ability to terminate the SSL traffic. This is a limitation for most Layer 4-LBs as they cannot determine if incoming packets are wrapped in SSL and therefore fail to terminate SSL traffic. L7 Load Balancers can have CA certificates installed within them that can verify the authenticity of the service instead of storing and handling backends. The processing strain from having to encrypt and decrypt such requests is pushed onto Layer 7 - Load Balancers to decrypt such data and re-encrypt the packet for transmission to the backend server. This often results in high latency and can be problematic at times.
Within Layer 7 - Load Balancers, the packet is inspected, although this can be a costly process in terms of latency, it has additional features like balancing traffic based on content. For example, your company has a pool of backends that have been fitted with some high-end instances optimized for video processing. Another pool may contain low-power CPUs that are optimized for static websites. Layer 7 - Load Balancers can use the URL path e.g. whizlabs.com/courses to serve the most appropriate backend to send incoming traffic to the ones with high-end instances, whereas requests to a different URL such as whizlabs.com/blogs can be transferred to the low-power instances, all thanks to the Layer 7 - Load Balancers ability to intelligently split traffic.
What is Cloud Router?
Cloud Router can’t be used by itself but it is required for Cloud NAT or Interconnect or VPN.
From Fig1: Let’s understand the concept with the help of the below architecture. Consider you have a VPC Network on Google Cloud and an On-premise office network that was connected using VPN Gateway. After a few days, a new network is added to the on-premise network with a name server network. Now you have to add static routes to the routing table in Google Cloud manually and also you need to re-configure your VPN. This is still fine but considers a case when a new network is added quite frequently or the network is destroyed. Same you have to do manually.
From Fig2: Now, Cloud Router helps you overcome the above problem by automatically adding dynamic routes. Cloud Router peers with on-premise VPN Gateway or Router. The routers exchange topology information through BGP(Border Gateway Protocol). The Cloud Router advertises subnets from its VPC Network to the on-premise gateway via BGP. By doing this, any topology changes will be propagated automatically between your VPC and on-premise network. The Cloud Router learns on-premise routes through BGP.
From Fig3: Users don’t sense disruptions, as you see if a link fails to VM1, Cloud Router can automatically re-route traffic if a path is available.
