Virtual Networks Module 1.2 Flashcards
What is the key organiser of infrastructure resources in Google Cloud?
Projects,
they associate objects and services with billing. Projects can contain entire networks. Default quota for each project is 15 networks, but it can be increased. Networks can be shared between projects.
Are cloud networks limited to regions?
Google Cloud networks are global resources, spanning all available regions across the world
Subnets are regional resources.
What are subnets for?
Inside a network you can segregate your resources with regional subnets.
What is the default network?
Every project is provided with a default network with preset subnets (a subnet is allocated for each region, with non-overlapping CIDR blocks),
And routes between subnets and default to the internet
And firewall rules that allow ingress traffic for ICMP, RDP and SSH to anywhere as well as ingress traffic from within the default network for all protocols and ports.
What is an auto mode network?
One subnet from each region is automatically created within it (they use a set of predefined IP ranges with a /20 mask that can be expanded to /16). All of those subnets fit within the 10.128.0.0/9 CIDR block. (The default network is actually an auto mode network.)
What are VPC networks?
VPC networks are by default isolated private networking domains. Therefore, no internal IP address communication is allowed between networks, unless you set up mechanisms such as VPC peering or VPN.
A VPC network does the following:
- Provides connectivity for your Compute Engine virtual machine (VM) instances.
- Offers native internal passthrough Network Load Balancers and proxy systems for internal Application Load Balancers.
- Connects to on-premises networks by using Cloud VPN tunnels and VLAN attachments for Cloud Interconnect.
- Distributes traffic from Google Cloud external load balancers to backends.
VPC networks have an internal DNS service that allows you to address instances by their DNS names instead of their internal IP addresses.
How do we control traffic to VM instances?
Traffic to and from instances can be controlled with network firewall rules. Rules are implemented on the VMs themselves, so traffic can only be controlled and logged as it leaves or arrives at a VM.
What is the difference between default and auto mode networks?
The default network is an auto mode VPC network with pre-populated IPv4 firewall rules. The default network does not have pre-populated IPv6 firewall rules.
Custom mode networks
Custom mode VPC networks are more flexible and are better suited to production. They don’t automatically create subnets.
You decide which subnets to create, in regions you choose, and using IP ranges you specify.
These IP ranges cannot overlap between subnets of the same network. IP allocation is regional.
Subnets are expandable to IP ranges you specify.
Switching between network modes
You can convert an auto mode network to a custom mode network, but this conversion is one way.
Can virtual machines communicate over internal IP addresses when they are in different regions?
Yes, if they are in the same network they can communicate over Google's global fiber network.
Virtual machines which belong to different networks must communicate over external IP addresses, even if they are in the same region. VM instances within the same VPC network can communicate privately on a global scale.
Is traffic between VMs over external IPs touching the internet?
No, but the traffic goes through Google's edge routers, which has different billing and security implications.
How can we securely connect an on-premises network to a Google Cloud network?
VPN can securely connect your on-premises network to your Google Cloud network. This reduces cost and network complexity. They communicate through a VPN gateway.
How can you segregate devices within a network?
Inside a network, you can segregate your resources with regional subnetworks. Subnetworks work on a regional scale.
Because a region contains several zones, subnetworks can cross zones.
The subnet is simply an IP address range.
Which are the reserved IP addresses within a subnet?
The first and second addresses in the range, .0 and .1, are reserved for the network and the subnet’s gateway, respectively.
Also reserved are the second-to-last address in the range and the last address, which is the "broadcast" address.
Can we apply a single firewall rule to multiple VMs in different regions?
A single firewall rule can be applied to multiple VMs, even though they are in different zones, if they are in the same network and in the same subnet. You specify a VPC network when you define a firewall rule.
Can subnets cross zones?
Subnetworks work on a regional scale.
Because a region contains several zones, subnetworks can cross zones within the same region.
Can we increase the IP range of a subnet without workload shutdown?
Google Cloud VPCs let you increase the IP address space of any subnet without any workload shutdown or downtime. The smaller the subnet mask (prefix length), the larger the address space. The new subnet range must not overlap with other subnets in the same VPC network in any region.
The new network range must be larger than the original, which means the prefix length value must be a smaller number.
In other words, you cannot undo an expansion.
What are the rules for defining subnets?
Each IP range for all subnets in a VPC network must be a unique valid CIDR block.
Also, the new subnet IP address ranges are regional internal IP addresses and have to fall within valid IP ranges. Subnet must not overlap with other subnets in the same VPC network in any region.
Subnet ranges cannot match, be narrower, or be broader than a restricted range. Subnet ranges cannot span a valid RFC range and a privately used public IP address range. Subnet ranges cannot span multiple RFC ranges.
What is the default IP range for an auto mode subnet, and to what value can it be expanded?
Auto mode subnets start with a /20 IP range. They can be expanded to a /16 IP range, but no larger.
How can we expand a subnet range beyond the /16 maximum?
You can convert the auto mode subnetwork to a custom mode subnetwork to increase the IP range further.
What is recommended when creating subnets?
Avoid creating large subnets.
Overly large subnets are more likely to cause CIDR range collisions when using multiple network interfaces and VPC Network Peering, or when configuring a VPN or other connections to an on-premises network.
The 4 ingress firewall rules for the default network:
- default-allow-icmp
- default-allow-rdp
- default-allow-ssh
- default-allow-internal
These firewall rules allow ICMP, RDP, and SSH ingress traffic from anywhere (0.0.0.0/0), and all TCP, UDP, and ICMP traffic within the network.
What is Cloud NAT?
Cloud NAT is Google’s managed network address translation service.
It lets you provision (supply) your application instances without public IP addresses, while also allowing them to access the internet in a controlled and efficient manner. This means your private instances can access the internet for updates, patching, configuration management, and more.
What is the difference between Cloud NAT and a Load Balancer?
Elastic Load Balancers distribute incoming traffic (inbound) across multiple targets (like EC2s), while NAT Gateways allow EC2 instances to connect to services outside your VPC, so we are talking about outbound traffic. Load Balancers can also handle the return of incoming traffic back out to the internet.
What is the difference between a VPN gateway and a load balancer?
While VPN gateways operate primarily on the network layer (OSI layer 3), load balancers operate on the transport layer (OSI layer 4) by using the IP address to route traffic.