VPC Flashcards
How many networks can a project contain by default?
5
What are the 3 types of VPC networks?
Default, Auto, Custom
A network in Google Cloud has these features
Global and spans all available regions
Has no IP address range
Contains subnetworks
Default network type
Every project gets this VPC with preset subnets and firewall rules.
A subnet for each region with non-overlapping CIDR blocks.
Firewall rules allow ICMP, RDP and SSH traffic from anywhere. Within the network, any ingress traffic is allowed.
Also an auto mode network.
Auto mode network type
Default network
Regional IP allocation
Fixed /20 subnetwork per region, expandable up to /16
As new regions become available, subnets are added automatically
Can be converted to custom mode to stop the automatic additions (one-way conversion)
All subnets fit in 10.128.0.0/9 CIDR block
Custom mode network type
Full control
Subnets cannot overlap IP ranges
Describe how resources in different regions and/or networks communicate
Resources in same network can communicate across regions with internal IP
Resources in different networks cannot communicate with internal IP
Describe how a basic VPN would connect to a VPC with multiple regions
Single VPN Gateway can leverage global VPC
A subnet reserves what IP addresses
4 total reserved addresses
.0 and .1 for network and subnet’s gateway
Second-to-last and last address for broadcast
What is relationship between subnets and regions/zones, and how does it affect firewall rules
Subnets are regional, and a region has multiple zones, so a subnet can span the zones of its region
VMs in the same subnet share one IP range, so a single firewall rule on that range covers all of them
Subnet expansion features
Can increase the IP address space of any subnet without workload shutdown or downtime
Note: the expanded range still can't overlap other subnets and must be a valid CIDR block
Cannot undo
How many IP addresses can a machine have?
One internal, one (optional) external. Although… see Alias IP Ranges
External IP address types
Ephemeral or static
Static IP address cost more when…
they are not used/assigned
External IP addresses are mapped to…
the internal IP address
Cloud DNS Features and Availability
Host DNS zones. 100% availability
Alias IP Ranges
Assign range of internal IP addresses as an alias to a VM’s network interface. Useful if multiple services or containers running on VM
Define a Route. Every network has what kind of routes?
Mapping of an IP range to a destination. Routes that let instances in a network send traffic directly to each other. A default route that directs packets to destinations that are outside the network.
Manually created networks and firewalls
Manually created networks have no default firewall rules
Routes are created automatically when
A network is created. A subnetwork is created.
VPC and Firewall Relationship (mention ingress/egress rules, how firewall connections work)
VPC network functions as a distributed firewall
Firewall rules are applied to the network as a whole
Connections are allowed or denied at the instance level
Firewall rules are stateful (if connection established, allow bidirectional comms)
Implied deny all ingress and allow all egress
Firewall rule is composed of
direction, source or destination, protocol and port, action, priority, and rule assignment
Example Network Pricing for Compute Engine
Ingress - No Charge (except for services such as a load balancer)
Egress to same zone (internal IP address) - No Charge
Egress to Google Products - No Charge
Egress to a different GCP service in same region - No Charge (for most)
Egress between zones in same region - .01
Egress to the same zone (external IP address) - .01
Egress between regions within US and Canada - .01
Egress between regions, not including US regions - varies by region
How to estimate costs
Google Cloud Pricing Calculator
Structure of a Network with Increased Availability
Use multiple zones in the same subnetwork (single firewall rule on the CIDR block), i.e. VMs in multiple zones.
Structure of a Network with Globalization
Use multiple regions. Load balancer can route to region that is closest to user.
Cloud NAT
Provides internet access to private instances (internal IP addresses only) for tasks such as updates and patching. Outbound-initiated connections only.
Private Google Access definition and scope
Provides access to Google APIs and services for VM instances with only internal IP addresses. Subnet-by-subnet basis. Does not impact VMs with public IP addresses.
Firewall rules added via
Tags