Monday, April 13, 2020

GCP VPC Network

Before jumping into Google VPC Networks (Virtual Private Cloud), we need to understand the basic networking terms that are used across all cloud environments. I have tried to cover all aspects of Google VPC Networks, which will help you understand the Google VPC Network fundamentals.
Below are the basic networking concepts; these are essential to understand GCP VPC Networks.

A) Networking Basic
A.1) IPV4 Address
An IPv4 address is the logical address of your server; using this address, one server can talk to another server. The IP address has two parts, i.e. the Network ID and the Host ID.

IP Address = Network ID + Host ID
An IPv4 address is 32 bits long and has four octets. Every octet has a value between 0 and 255, and the octets are separated with a “.” (dot).
e.g.  192.168.39.40
IP address ranges have been classified into multiple classes (A, B, C, D, E, F). Each class has a different IP range and is reserved for a different purpose.
Some specific ranges are reserved for private networks (“private Cloud/private IP”), public IP, and other purposes.

A.2) Classless Inter Domain Routing (CIDR)
CIDR is a way to define a contiguous range of IP addresses.
Representation: A.B.C.D/N
N is the number of bits reserved for the network (the prefix length). The CIDR above represents 2^(32-N) IP addresses.
e.g.   10.10.10.0/31
Number of IPs = 2^(32-31) = 2
This CIDR contains 2 IPs, i.e. 10.10.10.0 and 10.10.10.1

A.3) Public IP vs Private IP
A.3.1) A public IP address is an IP address that can be reached over the Internet. A public IP address is globally unique and is assigned to a computing device.
A.3.2) A private IP address is an IP address that can be reached within the private network only.

A.4) IPv4 vs IPv6 IP Address
IPv4 and IPv6 addresses are both binary numbers. IPv4 is a 32-bit binary number, while IPv6 is a 128-bit binary number. IPv4 addresses are separated by “.” (dots), while IPv6 addresses are separated by “:” (colons).

A.5) Subnet and Subnetting
Dividing a big network IP range into smaller networks is called subnetting. These smaller network ranges are called subnets.

A.6) NIC {Network Interface Card}
As the IP address is the logical address of your server, one server can talk to other servers using this address. The IP address is assigned to a specific device in the server called the NIC. A server can have multiple NICs.

A.7) Unicast Vs Broadcast Vs Multicast
We can transfer data between devices using three methods, i.e. Unicast, Broadcast and Multicast.
A.7.1) Unicast
Communication happens from one source to one destination only. There is a one-to-one mapping between source and destination.
A.7.2) Broadcast
If you want to send a message to all available devices in your network, then Broadcast is the way to communicate.
A.7.3) Multicast
If you want to send a message to more than one device in your network, but not all of them, then Multicast is the way to communicate.
Sometimes we get confused between Broadcast and Multicast. Let’s assume you have 100 devices in your network; if you send a message from one device to all the other devices, it is called Broadcast.
If you send a message to a couple of devices (not all), this is called Multicast.

A.8) Routing
It is the process of finding the path for network traffic within a network or across networks.
There are two types of routing.
A.8.1) Static Routing
The network admin defines the route from source to destination manually.
A.8.2) Dynamic Routing
When a network grows, it is very difficult to update the routes manually, so we need a mechanism that updates routes automatically and exchanges routing information. Border Gateway Protocol (BGP) is used as the dynamic routing protocol.


B) GCP VPC Network
B.1) A VPC Network is the virtual network of a virtual data center in GCP. Each VPC is logically isolated from other VPCs in GCP.

B.2) In GCP, a VPC is referred to as a VPC Network.

B.3) You can manage this VPC using the console, API, or CLI, depending on your needs.

B.4) In GCP, all resources come under a project; the VPC also comes under the project hierarchy.

B.5) A GCP VPC is a global resource; it is not bound to a specific zone or region. When we create a GCP VPC, we don’t specify a region/zone, and we don’t specify a CIDR range either.

B.6) VPC networks do not support broadcast and multicast.

B.7) VPC networks support IPv4 unicast traffic.

B.8) VPC networks also do not support IPv6 traffic within the VPC Network.

B.9) Dynamic Routing Mode
When we create a VPC network, we need to specify the dynamic routing mode. There are two modes.
B.9.1) Regional
In this mode, Cloud Router learns routes only in its own region.
B.9.2) Global
In this mode, Cloud Router learns routes from all regions.


B.10) GCP Subnet
B.10.1) You can create multiple subnets under a VPC network. Subnets are region-specific in GCP. You need to specify the CIDR block and region to create a subnet under the VPC.
B.10.2) You can create multiple subnets in one region.
B.10.3) Subnets belonging to the same VPC can communicate with each other using their private IPv4 addresses.
B.10.4) You can expand the IP range of an existing subnet.
B.10.5) You cannot shrink the IP range of an existing subnet.
B.10.6) Subnet Flow Logs
If you want to capture the IN and OUT traffic of the network interfaces in a subnet, then the subnet’s “flow logs” feature is your answer. Turning on the flow logs property of a GCP subnet does not affect performance.
B.10.7) Subnet IP Range (CIDR Block)
B.10.7.1) We need to provide an IPv4 address range, in CIDR form, to create the subnet. As per the RFC 1918 standard, there are specific ranges reserved for private networks. Below are the ranges which can be used as the VPC’s CIDR.

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
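The CIDR arithmetic from A.1/A.2 (Network ID + Host ID, 2^(32-N) addresses) and the RFC 1918 check from B.10.7.1, worked through in Python as an added example; this is not code from the original post, and the helper names are my own:

```python
# Added example, not from the original post: minimal CIDR helper covering
# Network ID / Host ID, the 2^(32-N) block size, and the RFC 1918 check.

# RFC 1918 private ranges from the post, as (network address, prefix length).
RFC1918_RANGES = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]


def ip_to_int(ip):
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def parse_cidr(cidr):
    """Describe an A.B.C.D/N block: network ID, host ID, size, first and last IP."""
    ip, prefix = cidr.split("/")
    n = int(prefix)
    if not 0 <= n <= 32:
        raise ValueError(f"prefix length must be 0-32: {cidr}")
    addr = ip_to_int(ip)
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF  # N leading 1-bits = network part
    network = addr & mask
    size = 2 ** (32 - n)  # number of IPs in the block
    return {
        "network_id": int_to_ip(network),
        "host_id": addr & (~mask & 0xFFFFFFFF),
        "prefix": n,
        "size": size,
        "first": int_to_ip(network),
        "last": int_to_ip(network + size - 1),
    }

def is_rfc1918(cidr):
    """True if the whole block lies inside one RFC 1918 private range."""
    block = parse_cidr(cidr)
    net = ip_to_int(block["network_id"])
    for base, n in RFC1918_RANGES:
        mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
        # Contained when the block is at least as specific as the private
        # range and its network bits equal the private range's network bits.
        if block["prefix"] >= n and (net & mask) == ip_to_int(base):
            return True
    return False
```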

B.10.7.2) There are two types of IP ranges in a GCP subnet, i.e. Primary and Secondary.
a) Primary IP range
a.1) This IP range is required to create any subnet, and you can create at most one primary IP range in a subnet.
a.2) You can use any RFC 1918 CIDR block to create the primary IP range.
a.3) Below are the use cases of the primary IP range.
a.3.1) VM primary internal IP address
a.3.2) Use in an internal LB (load balancer)
a.3.3) As an alias IP of a virtual server (when multiple services are running on your virtual server and you want to expose each service with a different IP, alias IPs come into the picture)
b) Secondary IP Range
b.1) This is an optional IP range while creating the subnet.
b.2) You can create multiple secondary IP ranges in a subnet.
b.3) You can create a maximum of 30 secondary IP ranges in a subnet.
b.4) You can use any RFC 1918 CIDR block to create a secondary IP range.
b.5) Secondary IP ranges are used for alias IPs.
B.10.8) An alias IP can come from the primary IP range or a secondary IP range.
B.10.9) You can create a maximum of 300 IP ranges in a subnet, including primary and secondary IP ranges.
B.10.10) Private Google Access
If you want to access Google APIs/services without assigning a public IP to the VM, then the “Private Google Access” property is your answer. You should enable this property on the subnet. By default, it is disabled.

B.11) GCP provides three types of VPC mode.

User Created - Automatic Mode, User Created - Custom Mode, and GCP Created (Default Mode)
B.11.1) User Created - Automatic Mode
B.11.1.1) When we create a VPC Network in automatic mode, one subnet is created in each region automatically. These subnets use predefined IP ranges. The ranges come from the CIDR block 10.128.0.0/9, and the unused portion of 10.128.0.0/9 is reserved for GCP use.
B.11.1.2) The default size of each subnet is /20; you can expand it up to /16.
B.11.1.3) You can add more subnets to this VPC network manually, but they should not fall within the range 10.128.0.0/9.
B.11.1.4) When a new region is introduced in GCP, GCP creates a subnet in that region automatically.
B.11.1.5) You can convert an automatic mode VPC to a custom mode VPC. We will discuss custom mode VPC later in this blog.
B.11.1.6) By default, all egress (outbound) traffic is allowed in the subnet.
B.11.1.7) By default, all ingress (inbound) traffic is denied in the subnet.
B.11.1.8) Default firewall rules and routes are created automatically. Firewall rules help us manage inbound and outbound traffic in the subnet. Routes help us define the path to send traffic from source to destination. We will discuss firewall rules and routes later in this blog.
B.11.1.9) Internet access is allowed by default.
B.11.2) User Created - Custom Mode
B.11.2.1) When we create a VPC Network in custom mode, no subnet is created automatically.
B.11.2.2) You can create subnets as per RFC 1918 CIDR.
B.11.2.3) You cannot change a custom mode VPC network to automatic mode.
B.11.2.4) No route is created except the Internet access route.
B.11.3) GCP Created (Default Mode)
B.11.3.1) By default, when we create a project, an auto-mode VPC network is created automatically. GCP calls this the default network.
B.11.3.2) If you want to stop the creation of this VPC network when a project is created, then you must apply a policy at the organization level. This policy should contain the constraint “compute.skipDefaultNetworkCreation”.

B.12) Internal IP
B.12.1) A private address is an IPv4 address that can be accessed within the private network only.
B.12.2) It is allocated to the virtual server from the subnet range via DHCP.
B.12.3) The DHCP lease gets renewed every 24 hours.


B.13) External IP
B.13.1) This is a public IP address.
B.13.2) An external IP is not attached to the virtual server itself. It is mapped to the internal IP which is assigned to the virtual server.
B.13.3) There are two types of external IP, i.e. Ephemeral and Static.
B.13.3.1) Ephemeral
As the name implies, it is temporary. It is attached to the virtual server and released when the VM is stopped.
B.13.3.2) Static
It is assigned to the device for a specific period.

B.14) Routes
B.14.1) Routes help us define the path to send traffic from source to destination. The destination can be inside the GCP network or outside the GCP network.
B.14.2) Each VPC comes with system-generated routes. Below are the default routes.
B.14.2.1) A route to allow communication between subnets in the same VPC network.
B.14.2.2) A route to allow access to the Internet via the Internet gateway.
B.14.3) With the help of routes, GCP forwards traffic along the most specific matching route, using the route priority to decide between routes of equal specificity.
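Route selection as described above (most specific prefix wins, priority breaks ties), as an added Python example that is not from the original post; the routing table is constructed and the route names and next hops are assumptions:

```python
# Added example, not from the original post: route selection where the most
# specific (longest prefix) matching route wins and the priority (lower number
# first, as in GCP) only decides between routes of equal specificity.
import ipaddress


def select_route(routes, dst_ip):
    """Return the winning route dict for dst_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["dest"])]
    if not matches:
        return None
    # Longest prefix first; among equal prefixes the lowest priority number.
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r["dest"]).prefixlen, r["priority"]))


# Constructed routing table modelled on the system-generated routes in B.14.2
# plus two custom routes to an on-prem range. The subnet route is more
# specific than the default Internet route, so it wins for in-VPC destinations
# even though its priority number is not what decides the match.
ROUTES = [
    {"name": "default-internet", "dest": "0.0.0.0/0", "priority": 1000,
     "next_hop": "default-internet-gateway"},
    {"name": "subnet-route-example", "dest": "10.10.0.0/20", "priority": 0,
     "next_hop": "vpc-network"},
    {"name": "to-onprem-primary", "dest": "192.168.0.0/16", "priority": 1000,
     "next_hop": "vpn-tunnel-1"},
    {"name": "to-onprem-backup", "dest": "192.168.0.0/16", "priority": 2000,
     "next_hop": "vpn-tunnel-2"},
]
```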

B.15) Firewall Rule
B.15.1) With the help of firewall rules, you can allow or deny traffic within a subnet or VPC Network.
B.15.2) Every VPC network has default firewall rules; below are the details.
B.15.2.1) Allow outgoing (egress) traffic
B.15.2.2) Deny inbound (ingress) traffic
B.15.2.3) Firewall rules are stateful, meaning the return traffic of an allowed inbound (ingress) connection is allowed by default.
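A miniature model of the behaviour described in B.15 (default allow egress, default deny ingress, priority ordering, stateful return traffic), as an added Python example that is not from the original post and not GCP's own implementation; the Rule fields and rule names are assumptions:

```python
# Added example, not from the original post: a miniature model of GCP firewall
# evaluation showing the implied rules (allow all egress, deny all ingress) at
# the lowest priority 65535, lower-number-wins ordering, and stateful replies.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:  # field names are assumptions for illustration
    name: str
    direction: str             # "INGRESS" or "EGRESS"
    action: str                # "allow" or "deny"
    priority: int              # 0-65535; the lowest number is evaluated first
    ranges: str = "0.0.0.0/0"  # source CIDR (ingress) or destination CIDR (egress)
    ports: set = field(default_factory=set)  # empty set means any port

# Implied rules every VPC network starts with (see B.15.2 above).
IMPLIED_RULES = [
    Rule("implied-allow-egress", "EGRESS", "allow", 65535),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535),
]

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules + IMPLIED_RULES, key=lambda r: r.priority)
        self.flows = set()  # (remote_ip, local_port) of admitted inbound flows

    def _first_match(self, direction, ip, port):
        for r in self.rules:
            if r.direction != direction or (r.ports and port not in r.ports):
                continue
            if ipaddress.ip_address(ip) in ipaddress.ip_network(r.ranges):
                return r  # first match in priority order decides
        return None

    def ingress(self, src_ip, dst_port):
        """Packet arriving at the VM; remembers allowed flows for their replies."""
        rule = self._first_match("INGRESS", src_ip, dst_port)
        allowed = rule is not None and rule.action == "allow"
        if allowed:
            self.flows.add((src_ip, dst_port))
        return allowed

    def egress(self, dst_ip, src_port, dst_port):
        """Packet leaving the VM; replies to admitted flows skip the egress rules."""
        if (dst_ip, src_port) in self.flows:
            return True  # stateful: return traffic of an allowed ingress
        rule = self._first_match("EGRESS", dst_ip, dst_port)
        return rule is not None and rule.action == "allow"
```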

B.16) Shared VPC
B.16.1) As we discussed, a VPC is created under a project, but if we want to create the VPC network in one project and share its subnets with other projects so they can create resources there too, then the “Shared VPC” feature is our answer.
B.16.2) In this, we create the VPC Network in one project and share this VPC Network’s subnets with other projects.
B.16.3) The project where the VPC is created is called the Shared VPC host project, and the projects where this VPC is shared are called service projects.
B.16.4) The host project and the service projects should belong to the same organization.
B.16.5) To enable the Shared VPC feature, the user must have Shared VPC Admin access (roles/compute.xpnAdmin).
B.16.6) You can specify which subnets in the Shared VPC can be accessed by a service project.




B.17) VPC Peering
B.17.1) VPC peering is a networking connection between two VPCs to route traffic between them using private IP addresses.
B.17.2) You can create VPC peering between VPCs in the same organization and with VPCs in another organization.
B.17.3) VPC peering is a GCP-managed service. There is no single point of failure in the communication and no bandwidth bottleneck.
B.17.4) Below are some limitations.
B.17.4.1) You cannot create VPC peering between VPCs which have overlapping IP ranges.
B.17.4.2) A VPC network can have up to 25 directly peered VPC networks.
B.17.4.3) VPC peering does not support transitive peering relationships.

VPC Peering 

VPC-1 and VPC-3 have a peering connection, so VPC-1 and VPC-3 can connect to each other. VPC-2 and VPC-3 have a peering connection, so VPC-2 and VPC-3 can connect to each other. But VPC-1 and VPC-2 cannot connect to each other.
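The three peering limitations above and the VPC-1/VPC-2/VPC-3 reachability case, modelled in Python as an added example; this is not code from the original post, and the class name, VPC names and subnet ranges are constructed for illustration:

```python
# Added example, not from the original post: a small model of the VPC peering
# limits in B.17.4. It rejects peerings whose subnet ranges overlap, caps a
# network at 25 direct peers, and answers reachability without transitivity.
import ipaddress

MAX_DIRECT_PEERS = 25  # limit from B.17.4.2


class PeeringGraph:
    def __init__(self):
        self.subnets = {}  # vpc name -> list of ip_network objects
        self.peers = {}    # vpc name -> set of directly peered vpc names

    def add_vpc(self, name, cidrs):
        self.subnets[name] = [ipaddress.ip_network(c) for c in cidrs]
        self.peers[name] = set()

    def overlapping_ranges(self, a, b):
        """Pairs of subnet ranges that overlap between two VPCs (B.17.4.1)."""
        return [(str(x), str(y)) for x in self.subnets[a]
                for y in self.subnets[b] if x.overlaps(y)]

    def peer(self, a, b):
        """Create a peering a<->b, enforcing the overlap and peer-count limits."""
        if self.overlapping_ranges(a, b):
            raise ValueError(f"{a} and {b} have overlapping IP ranges")
        if max(len(self.peers[a]), len(self.peers[b])) >= MAX_DIRECT_PEERS:
            raise ValueError("a VPC network can have at most 25 direct peerings")
        self.peers[a].add(b)
        self.peers[b].add(a)

    def can_reach(self, src_vpc, dst_ip):
        """True only if dst_ip is in src_vpc or in a DIRECT peer (no transitivity)."""
        ip = ipaddress.ip_address(dst_ip)
        for vpc in {src_vpc, *self.peers[src_vpc]}:
            if any(ip in net for net in self.subnets[vpc]):
                return True
        return False
```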

B.18) Cloud Router
B.18.1) Cloud Router dynamically discovers and advertises routes between the subnets (new and existing) in your VPC network and your on-prem network.
B.18.2) It uses the BGP (Border Gateway Protocol) protocol. BGP is a dynamic routing protocol.
B.18.3) You can create one router per region in a VPC Network.


B.19) NAT Gateway
B.19.1) You must assign a public IP to a virtual server to access the Internet. If you want to access the Internet without assigning a public IP to the virtual server, then a NAT gateway is your answer.
B.19.2) A Cloud Router is required to create the NAT gateway.


B.20) Cloud VPN
B.20.1) With the help of Cloud VPN, you can securely connect your on-prem network to your GCP VPC Network through an IPsec VPN connection.
B.20.2) Networks which are connected via Cloud VPN have a gateway. This is called the VPN gateway.
B.20.3) Traffic travelling between the two networks is encrypted by one VPN gateway and decrypted by the other VPN gateway.
B.20.4) GCP offers two types of VPN.
B.20.4.1) HA VPN
1) It provides a 99.99% SLA.
2) It supports dynamic routing.
B.20.4.2) Classic VPN
1) It provides a 99.9% SLA.
2) It supports static and dynamic routing.

B.21) Cloud Interconnect
B.21.1) Cloud Interconnect provides a low-latency, highly available connection between on-prem and the GCP VPC network. It is a costly solution compared to a Virtual Private Gateway.
B.21.2) It allows communication over private IPs.
B.21.3) It works at Layer 2.
B.21.4) GCP provides two types of Cloud Interconnect offering.
B.21.4.1) Dedicated Cloud Interconnect
1) It provides a direct physical connection between the on-prem network and the GCP VPC Network. Dedicated Cloud Interconnect does not use the public Internet for traffic flow between on-prem and the GCP VPC network.
2) It provides capacity between 50 Mbps and 50 Gbps.
3) GCP provides an SLA for the Dedicated Interconnect service.
B.21.4.2) Partner Cloud Interconnect
1) It provides a connection between the on-prem network and the GCP VPC Network via a GCP-supported service provider.
2) It uses the service provider’s network to carry the traffic between the networks, so the data is secure and does not use the public Internet.
3) The Partner Interconnect SLA also depends on the service provider’s SLA.
4) It provides capacity between 50 Mbps and 10 Gbps.

B.22) Peering
B.22.1) Sometimes we confuse this with VPC peering, but it is totally different from VPC peering. It is also known as Interconnect peering.
B.22.2) If you are consuming a lot of Google services from on-prem, then GCP charges you a high amount for egress traffic. If you want to reduce this amount, then Interconnect peering is your answer.
B.22.3) Peering works at Layer 3.
B.22.4) GCP provides two types of offerings.
B.22.4.1) Direct
1) In this, GCP provides direct peering between the on-prem and Google networks.
2) It gives you direct access to G Suite and other Google services.
3) It reduces the egress fee by approx. 67%.
B.22.4.2) Carrier
1) In this, GCP provides peering between the on-prem and Google networks via a service provider.


2 comments:

  1. This comment has been removed by a blog administrator.

  2. Great post. The network part is covered very well here.
    Hope we see more from you.
