Virtual Networks Module 1.2 Flashcards

1
Q

What is the key organiser of infrastructure resources in Google Cloud?

A

Projects.
They associate objects and services with billing. Projects can contain entire networks. The default quota for each project is 15 networks, but it can be increased. Networks can be shared between projects.

2
Q

Are cloud networks limited to regions?

A

Google Cloud networks are global resources, spanning all available regions across the world.
Subnets are regional resources.

3
Q

What are subnets for?

A

Inside a network you can segregate your resources with regional subnets.

4
Q

What is the default network?

A

Every project is provided with a default network with preset subnets (a subnet is allocated for each region, with non-overlapping CIDR blocks),
routes between subnets and a default route to the internet,
and firewall rules that allow ingress traffic for ICMP, RDP and SSH from anywhere, as well as ingress traffic from within the default network for all protocols and ports.

5
Q

What is an auto mode network?

A

One subnet from each region is automatically created within it (they use a set of predefined IP ranges with a /20 mask that can be expanded to /16). All of those subnets fit within the 10.128.0.0/9 CIDR block. (The default network is actually an auto mode network.)

6
Q

What are VPC networks?

A

VPC networks are by default isolated private networking domains. Therefore, no internal IP address communication is allowed between networks, unless you set up mechanisms such as VPC peering or VPN.

A VPC network does the following:

  • Provides connectivity for your Compute Engine virtual machine (VM) instances.
  • Offers native internal passthrough Network Load Balancers and proxy systems for internal Application Load Balancers.
  • Connects to on-premises networks by using Cloud VPN tunnels and VLAN attachments for Cloud Interconnect.
  • Distributes traffic from Google Cloud external load balancers to backends.

VPC networks have an internal DNS service that allows you to address instances by their DNS names instead of their internal IP addresses.

7
Q

How do we control traffic to VM instances?

A

Traffic to and from instances can be controlled with network firewall rules. Rules are implemented on the VMs themselves, so traffic can only be controlled and logged as it leaves or arrives at a VM.

8
Q

What is the difference between default and auto mode networks?

A

The default network is an auto mode VPC network with pre-populated IPv4 firewall rules. The default network does not have pre-populated IPv6 firewall rules.

9
Q

Custom mode networks

A

Custom mode VPC networks are more flexible and are better suited to production. They don't automatically create subnets.
You decide which subnets to create, in the regions you choose, using the IP ranges you specify.
These IP ranges cannot overlap between subnets of the same network. IP allocation is regional.
Expandable to the IP ranges you specify.

10
Q

Switching between network modes

A

You can convert an auto mode network to a custom mode network, but this conversion is one way.

11
Q

Can virtual machines communicate over internal IP addresses when they are in different regions?

A

Yes. If they are in the same network, they can communicate over Google's global fiber network.
Virtual machines which belong to different networks must communicate over external IP addresses, even if they are in the same region. VM instances within the same VPC network can communicate privately on a global scale.

12
Q

Is traffic between VMs over external IPs touching the internet?

A

No, but the traffic goes through Google's edge routers, which has different billing and security implications.

13
Q

How can we securely connect an on-premises network to a Google Cloud network?

A

A VPN can securely connect your on-premises network to your Google Cloud network. This reduces cost and network complexity. The two networks communicate through a VPN gateway.

14
Q

How can you segregate devices within a network?

A

Inside a network, you can segregate your resources with regional subnetworks. Subnetworks work on a regional scale.
Because a region contains several zones, subnetworks can cross zones.
The subnet is simply an IP address range.

15
Q

Which IP addresses are reserved within a subnet?

A

The first and second addresses in the range, .0 and .1, are reserved for the network and the subnet's gateway, respectively.
The second-to-last address in the range and the last address are also reserved; the last address is the "broadcast" address.

16
Q

Can we apply a single firewall rule to multiple VMs in different regions?

A

A single firewall rule can be applied to multiple VMs, even if they are in different zones, as long as they are in the same network and the same subnet. You specify a VPC network when you define a firewall rule.

17
Q

Can subnets cross zones?

A

Subnetworks work on a regional scale.
Because a region contains several zones, subnetworks can cross zones within the same region.

18
Q

Can we increase the IP range of a subnet without a workload shutdown?

A

Google Cloud VPCs let you increase the IP address space of any subnet without any workload shutdown or downtime. The lower the subnet mask, the larger the address space. The new subnet must not overlap with other subnets in the same VPC network in any region.
The new network range must be larger than the original, which means the prefix length value must be a smaller number.
In other words, you cannot undo an expansion.

19
Q

What are the rules for defining subnets?

A

Each IP range for all subnets in a VPC network must be a unique valid CIDR block.
Also, the new subnet IP address ranges are regional internal IP addresses and have to fall within valid IP ranges. A subnet must not overlap with other subnets in the same VPC network in any region.
Subnet ranges cannot match, be narrower than, or be broader than a restricted range. Subnet ranges cannot span a valid RFC range and a privately used public IP address range. Subnet ranges cannot span multiple RFC ranges.

20
Q

What is the default IP range for an auto mode subnet, and to which value can it be expanded?

A

Auto mode subnets start with a /20 IP range. They can be expanded to a /16 IP range, but no larger.

21
Q

How can we expand a subnet range beyond the /16 maximum?

A

You can convert the auto mode subnetwork to a custom mode subnetwork to increase the IP range further.

22
Q

What is recommended when creating subnets?

A

Avoid creating large subnets.
Overly large subnets are more likely to cause CIDR range collisions when using multiple network interfaces
and VPC Network Peering, or when configuring a VPN or other connections to an on-premises network.

23
Q

The 4 ingress firewall rules for the default network:

A

default-allow-icmp
default-allow-rdp
default-allow-ssh
default-allow-internal
These firewall rules allow ICMP, RDP, and SSH ingress traffic from anywhere (0.0.0.0/0),
and all TCP, UDP, and ICMP traffic within the network.

24
Q

What is Cloud NAT?

A

Cloud NAT is Google’s managed network address translation service.
It lets you provision (supply) your application instances without public IP addresses, while also allowing them to access the internet in a controlled and efficient manner. This means your private instances can access the internet for updates, patching, configuration management, and more.

25
Q

What is the difference between Cloud NAT and a load balancer?

A

Elastic Load Balancers distribute incoming (inbound) traffic across multiple targets (like EC2 instances), while NAT Gateways allow EC2 instances to connect to services outside your VPC, so they handle outbound traffic. Load balancers can also return the responses to incoming traffic back out to the internet.

26
Q

What is the difference between a VPN gateway and a load balancer?

A

While VPN gateways operate primarily on the network layer (OSI layer 3), load balancers operate on the transport layer (OSI layer 4), using the IP address to route traffic.