Networking Flashcards
What is a VPC Network?
- Virtual Private Cloud (VPC) network
- Manage networking for your GCP Compute resources
- All Compute Engine VMs, Kubernetes Engine containers and App Engine Flex apps exist within a VPC network.
- A default mode network is created automatically; it can be updated or replaced with a custom mode network to meet your needs (custom IP addresses and subnets)
- Securely connect to your VPC network via IPsec for VPN access.
- Support for firewall restriction and routing between networks and instances - Works across regions, highly scalable
- Shared VPC allows sharing a network across projects to operate services with their own quota and billing
What do VPC firewall rules allow you to do, how do they work?
- Firewall rules protect your VM instances from unapproved connections, both inbound and outbound.
- You can create firewall rules to allow or deny connections based on a combination of IP addresses, ports and protocols.
- Functions between other networks AND between instances on the same network (distributed firewall)
What is a route, how or why would I need one?
- A route is a mapping of an IP range to a destination
- Routes tell the VPC network where to send packets destined for a particular IP address
- Routes are created automatically when the network is created: a default route for Internet traffic, and a route for each subnet when the subnet is created.
- Routes still need Firewall rules to allow packets
- Routes may apply to instances by using a matching Tag attribute
How do you route packets to the Internet?
- Must be sent by an instance that has an external IP address
What is VPC Network Peering?
- Allows private connectivity across two VPC networks, in different projects or organizations.
What is CIDR notation?
- CIDR = Classless Inter-Domain Routing, using 1-bit increments
- CIDR notation is a compact representation of an IP Address and its associated routing prefix (subnet mask splits into host part and network part)
- A Class C address 192.168.1.100/24 gives access to 256 IP addresses:
- 254 hosts IPs in the range 192.168.1.1 to 192.168.1.254
- 1 Network address 192.168.1.0 (reserved)
- 1 Broadcast address 192.168.1.255 (reserved)
- the /24 represents the subnet mask 255.255.255.0
What are the different ‘Classes’ of networks?
Why is using Classful address scheme considered wasteful?
- Class A: 1.0.0.0 - 126.0.0.0 = /8
- Class B: 128.0.0.0 - 191.255.0.0 = /16
- Class C: 192.0.0.0 - 223.255.255.0 = /24
- Giving a Class C to an org that needs 5 hosts is wasteful
- Use CIDR instead, which uses 1-bit increments instead of 8-bit for classful.
How do firewall rules work with regards to subnets?
- An auto mode VPC creates inter-subnet firewall rules to allow instances on the same subnet to communicate
- To allow communication between different subnets, you must define a custom firewall rule to allow that access
What is Google Cloud VPN?
- Securely connects your on-premises network to your GCP VPC network/gateway through an IPsec VPN connection (VPN tunnel)
- Requires an IPsec VPN gateway on the client side
- Supports static and dynamic routes (via Cloud Router), for managing traffic between GCP VPC and existing infrastructure
What is required to use a VPN?
- The client side must have a peer VPN gateway
- The peer VPN gateway must have a static external IP address
- The CIDR range of the VPC network must not conflict with the CIDR ranges of the peer VPN gateway
- You must supply a shared secret for the VPN
- Setup firewall rules and any custom routing needed
What is Cloud Router? When should it be used?
- A fully distributed, managed cloud service that scales with your network traffic
- Use Cloud Router to dynamically exchange routes between GCP networks and your on-premises network.
- Cloud Router peers with your on-premises VPN gateway or router
- Dynamic routing: uses Border Gateway Protocol (BGP) to exchange network topology information, so no static routes are required
- Static routing: suitable for small networks and stable topologies; gives you control over the routing table
- Use Cloud Router to enable dynamic routing from your VPN tunnel
- Pricing: FREE OF CHARGE!
VPC - What are Forwarding Rules?
- routes govern traffic LEAVING an instance
- forwarding rules can direct traffic that ARRIVES from OUTSIDE the network AS WELL as traffic that arrives from INSIDE the network
- rules based on IP, protocol or port
What are some use cases for VPC ‘forwarding rules’?
- Virtual hosting: multiple rules to point to a single instance, allowing multiple external IPs with just one VM; especially useful for SSL hosting
- Forwarding rules over a VPN
- Load balancing: forward traffic to a load-balancer
What is needed to create and use a VPC ‘forwarding rule’?
- Creation of a ‘target instance’ resource for the VM, BEFORE the forwarding rule
* gcloud compute target-instances create
- Creation of the forwarding rule
* gcloud compute forwarding-rules create
What is Cloud Load Balancing?
When and why would we want to use it?
- Distribute traffic to load-balanced compute resources in single or multiple regions
- Close to users with high-availability
- Scale resources up or down with intelligent Autoscaling
- Integrated with Cloud CDN for optimal app and content delivery
- Scales as your user and traffic grows
- Supports internal load-balancing (via Andromeda)