GCP Google Cloud Platform - VPC Virtual Private Cloud
October 20, 2018
A short clarification: Basic Concepts gives only the intuition behind the topic, while the Cheatsheet provides a general overview as organized lists of links, each with a minimal definition.
These links, taken from the official documentation, are meant for study while keeping the big picture in focus.
Basic Concepts TL;DR
VPC - Virtual Private Cloud is the private network space of your company or project in the cloud. It is the equivalent of your own data center network, just hosted in the cloud, and it can be connected to your IT resources on-premises (local).
Before diving into the technical definitions, let's build the intuition by comparing a network to a big sporting village.
The village has:
- spots open to the public (bar and restaurant) [public subnet]
- an entrance for members only [gateways and firewalls]
- internal streets open to pedestrians, bikes or cars [routes]
- different areas for kids, tennis, swimming pools, basketball, etc. [private subnets]
- internal common services [NAT gateway, VPN, etc.]
- internal names and addresses [private IPs and DNS]
Moreover, the village may be connected with other villages around the world.
Now let's dive a little deeper into the basic concepts:
Subnets: the "boxes" (IP ranges) in which resources with an IP address are placed. In GCP a VPC network is global and each subnet belongs to one region (Europe, USA, etc.).
Private IP addresses: every resource in the network has and uses an internal (private) IP; an external (public) IP is optional and only needed when the resource must be reached directly from the Internet.
Routes and IP forwarding: the paths along which traffic may flow. IP forwarding has to be enabled on a VM that must forward packets not addressed to itself (for example a NAT or VPN instance).
CIDR: groups of IP addresses written as 10.10.10.0/24. The number after the slash is the prefix length, that is, how many leading bits are fixed (/24 fixes 10.10.10 and leaves 256 addresses, four of which GCP reserves in every subnet). See CIDR (explanations and computing).
Firewall rules: allow/deny rules that control traffic by direction (ingress or egress), protocol and port, source or destination IP ranges, and the network tags or service accounts of the instances. The matching rule with the lowest priority number wins; when nothing matches, the implied rules apply: all ingress is denied and all egress is allowed.
DNS: a network resource may be referred to by its number (IP) or by a corresponding name.
Regions and zones: in the cloud you may distribute resources across different data centers (zones) within the same or different large regions (us-west, us-east, europe-west). More distance → more latency.
NAT: a system that translates internal addresses to an external one, so that instances without a public IP can open outbound connections (updates, APIs) without being reachable from the Internet.
Load balancers and instance groups: behind the IP address of your website may sit a fleet of servers. In that case the IP address points to a load balancer that sends traffic to the fleet (an instance group in GCP terms; this post calls it an Availability Group).
Important concept: you have to decide how to organize your data center into subgroups according to which instances may communicate with each other and how.
For example: the finance private subnet may talk only with the accounting private subnet. The public resources may be accessed from the Internet only over HTTPS and may ask for data from the DB in the private DB subnet.
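The segmentation policy in the example above can be checked before anything is deployed. The following Python model is an added example, not code from the original post or from Google: it plans the four subnets (checking that their CIDRs do not overlap, which both a VPC and VPC peering require) and evaluates candidate flows against firewall rules with GCP's semantics (lowest priority number wins, a deny beats an allow at equal priority, implied deny-all-ingress and allow-all-egress when nothing matches). Subnet names, CIDRs, tags and rule names are invented for the illustration; egress rules and service-account targets are left out of the model.

```python
"""Model of a VPC segmentation policy: subnet planning plus firewall evaluation.

Added example, not the post's or Google's code. Subnet names, CIDRs, tags and
rule names below are invented to mirror the finance / accounting / DB example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass
class Subnet:
    name: str
    cidr: str


@dataclass
class Rule:
    name: str
    direction: str                 # "INGRESS" or "EGRESS"
    action: str                    # "allow" or "deny"
    ranges: List[str]              # source ranges for INGRESS, destination ranges for EGRESS
    protocols: List[str]           # e.g. "tcp:443", "tcp:1000-2000", "tcp", "all"
    target_tags: Set[str] = field(default_factory=set)  # empty = every instance in the VPC
    priority: int = 1000           # 0..65535, lower number wins (GCP semantics)


def overlapping_subnets(subnets: List[Subnet]) -> List[Tuple[str, str]]:
    """Pairs of subnets whose CIDRs overlap. A VPC rejects such subnets and
    VPC peering requires disjoint ranges, so this should come back empty."""
    nets = [(s.name, ip_network(s.cidr, strict=True)) for s in subnets]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def _proto_match(spec: str, proto: str, port: int) -> bool:
    if spec == "all":
        return True
    name, _, ports = spec.partition(":")
    if name != proto:
        return False
    if not ports:                  # "tcp" with no port list means every port
        return True
    for chunk in ports.split(","):
        lo, _, hi = chunk.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _rule_matches(rule: Rule, remote_ip, proto: str, port: int, tags: Set[str]) -> bool:
    if rule.target_tags and not (rule.target_tags & tags):
        return False
    if not any(remote_ip in ip_network(r) for r in rule.ranges):
        return False
    return any(_proto_match(spec, proto, port) for spec in rule.protocols)


def evaluate(rules: List[Rule], direction: str, remote_ip: str, proto: str,
             port: int, instance_tags) -> Tuple[str, str]:
    """Decide a new flow for an instance: returns (action, winning rule name).
    Lowest priority number wins; on a tie deny beats allow; with no match the
    implied rules apply (deny all ingress, allow all egress)."""
    ip, tags = ip_address(remote_ip), set(instance_tags)
    hits = [r for r in rules
            if r.direction == direction and _rule_matches(r, ip, proto, port, tags)]
    if not hits:
        return ("deny" if direction == "INGRESS" else "allow", "implied-default")
    best = min(hits, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return (best.action, best.name)


# Constructed layout for the example in the text (hypothetical ranges).
SUBNETS = [Subnet("public", "10.10.0.0/24"), Subnet("finance", "10.10.1.0/24"),
           Subnet("accounting", "10.10.2.0/24"), Subnet("db", "10.10.3.0/24")]

RULES = [
    Rule("allow-https-from-internet", "INGRESS", "allow", ["0.0.0.0/0"], ["tcp:443"], {"web"}),
    Rule("allow-web-to-db", "INGRESS", "allow", ["10.10.0.0/24"], ["tcp:5432"], {"db"}),
    Rule("allow-finance-to-accounting", "INGRESS", "allow", ["10.10.1.0/24"], ["all"], {"accounting"}),
    Rule("allow-accounting-to-finance", "INGRESS", "allow", ["10.10.2.0/24"], ["all"], {"finance"}),
    # Same priority (1000) as the allow above: for SSH the deny wins the tie.
    Rule("deny-ssh-to-accounting", "INGRESS", "deny", ["10.10.0.0/16"], ["tcp:22"], {"accounting"}),
]

if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(SUBNETS))
    for args in [("203.0.113.9", "tcp", 443, ["web"]), ("203.0.113.9", "tcp", 22, ["web"]),
                 ("10.10.0.5", "tcp", 5432, ["db"]), ("10.10.1.5", "tcp", 5432, ["db"]),
                 ("10.10.1.5", "tcp", 22, ["accounting"])]:
        print(args, "->", evaluate(RULES, "INGRESS", *args))
```

The deny rule at the end is there to show the tie-break: finance may talk to accounting on every port, except SSH, which the deny at the same priority blocks. Everything the policy does not explicitly allow (finance to the DB, SSH from the Internet) falls to the implied deny, so no catch-all deny rule is needed for ingress.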
Ask yourself
Think of the IT infrastructure of your company, university or government institution.
How may it fit in this picture?
How could it be transferred into the Cloud?
What could be private? What public? How?
Cheatsheet
A quick roadmap to all the most important topics. Refer to the doc Building Blocks (links and definitions) for any doubts.
- Routes:
  - default route (0.0.0.0/0 to the default Internet gateway; Private Google Access relies on it)
  - subnet route
  - static route
  - dynamic route
- Virtual Hosting
- Load Balancing
- Tags: labels used to group resources; a VM may carry one or more network tags, which firewall rules use as targets
- Private Google/Services Access: access to Google services from inside the VPC, without a public IP and without any public exposure
- VPC Flow Logs: records of the IP traffic going to and from VM network interfaces (sampled), used for monitoring, detection and forensics
- Network Interface: a VM may have 2+ interfaces, each attached to a different VPC network
- Load Balancer: distributes workload to 2+ VMs
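VPC Flow Logs are the evidence to turn to when checking whether the segmentation of the previous section actually holds. As an added example (not from the original post or from Google), the Python below runs three simple detections over flow-log entries: database-port access from a subnet other than the public one, Internet egress from a private subnet, and a large transfer to a non-RFC 1918 address. The entries are constructed for the example in the shape of Cloud Logging records for the `compute.googleapis.com/vpc_flows` log (fields `connection`, `reporter`, `bytes_sent`); the project id, the subnet layout and the thresholds are assumptions.

```python
"""Detections over VPC Flow Log entries.

Added example, not code from the original post. The records are constructed to
look like Cloud Logging entries for the vpc_flows log; the project id, subnet
layout and thresholds are assumptions for the illustration.
"""
import json
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout, matching the finance / accounting / DB example in the text.
SUBNETS = {
    "public": ip_network("10.10.0.0/24"),
    "finance": ip_network("10.10.1.0/24"),
    "accounting": ip_network("10.10.2.0/24"),
    "db": ip_network("10.10.3.0/24"),
}
DB_PORTS = {3306, 5432}            # assumption: the only database listeners in the db subnet
LARGE_TRANSFER_BYTES = 50_000_000  # assumption: tune to the workload's normal egress

# "demo-proj" is an invented project id; the log name format is the real one.
VPC_FLOWS_LOG = "projects/demo-proj/logs/compute.googleapis.com%2Fvpc_flows"


def _entry(src, sport, dst, dport, reporter, bytes_sent):
    """One constructed vpc_flows record (protocol 6 = TCP, as in the flow log schema)."""
    return json.dumps({
        "logName": VPC_FLOWS_LOG,
        "jsonPayload": {
            "reporter": reporter,              # "SRC" or "DEST": which side's VM reported the flow
            "bytes_sent": bytes_sent,
            "packets_sent": max(1, bytes_sent // 1400),
            "connection": {"src_ip": src, "src_port": sport,
                           "dest_ip": dst, "dest_port": dport, "protocol": 6},
            "start_time": "2018-10-20T10:00:00.000000000Z",
            "end_time": "2018-10-20T10:00:05.000000000Z",
        },
    })


# Constructed sample: two expected flows and two that violate the policy.
SAMPLE_LINES = [
    _entry("10.10.0.7", 51234, "10.10.3.4", 5432, "DEST", 4096),          # web tier -> DB: expected
    _entry("10.10.1.8", 40022, "10.10.3.4", 5432, "DEST", 2048),          # finance -> DB: not allowed
    _entry("10.10.1.8", 40100, "203.0.113.44", 443, "SRC", 120_000_000),  # finance -> Internet, 120 MB out
    _entry("203.0.113.9", 55000, "10.10.0.7", 443, "DEST", 900),          # Internet -> web over HTTPS: expected
]


def subnet_of(ip_str):
    """Name of the assumed subnet containing the address, or None if outside the VPC."""
    ip = ip_address(ip_str)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def is_rfc1918(ip_str):
    ip = ip_address(ip_str)
    return any(ip in net for net in RFC1918)


def analyze(lines):
    """Return (finding, source, destination) tuples for the suspicious flows."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        if entry.get("logName") != VPC_FLOWS_LOG:
            continue                       # other log types can share the same sink
        payload = entry["jsonPayload"]
        conn = payload["connection"]
        src, dst = conn["src_ip"], conn["dest_ip"]
        src_sub, dst_sub = subnet_of(src), subnet_of(dst)
        dest = f"{dst}:{conn['dest_port']}"
        # 1. Only the public subnet may open connections to the database ports.
        if dst_sub == "db" and conn["dest_port"] in DB_PORTS and src_sub != "public":
            findings.append(("db-access-not-from-public-subnet", src, dest))
        # 2. Private subnets should not reach the Internet directly.
        if src_sub not in (None, "public") and not is_rfc1918(dst):
            findings.append(("private-subnet-egress-to-internet", src, dest))
        # 3. Volume heuristic for exfiltration: many bytes leaving to a public address.
        if payload.get("bytes_sent", 0) >= LARGE_TRANSFER_BYTES and not is_rfc1918(dst):
            findings.append(("large-transfer-to-internet", src, dest))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(*finding)
```

Two caveats before relying on this in production: flow logs are sampled and aggregated over intervals, so the absence of a flow is not proof that none happened, and traffic to Google APIs through Private Google Access appears with public Google destination addresses, so the egress detection needs an allowlist of those ranges to avoid noise.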
Connection with the Internet (public) requires:
- a valid default Internet gateway route (0.0.0.0/0)
- firewall rules that allow the traffic (egress is allowed by default, ingress is denied by default)
- an external IP address on the instance, or a NAT for outbound-only access
- CDN (Content Delivery Network): caching content near users at the edges of Google's network
VPCs may be connected by:
- Shared VPC: subnets of a host project are shared with service projects (host and service projects)
- VPC Peering: direct connectivity over internal IP ranges (RFC 1918 CIDRs, which must not overlap) across VPCs in different projects or organizations; peering is not transitive
Connection with on-premises data centers may be made with:
- Cloud VPN (IPsec tunnels over the Internet)
- Cloud Router with Border Gateway Protocol (BGP): enables dynamic routing, that is, automatic updating of the routing configuration when the topology changes
- Cloud Interconnect - Dedicated: fast and expensive
- Cloud Interconnect - Partner: cheaper
Step by Step Guides:
Demos
Labs - Qwiklabs
VPC Networking Fundamentals
Multiple VPC Networks
Creating Cross-region Load Balancing
Using VPC Network Peering
Dynamic VPN Gateways - Cloud Routers (advanced)
Building a High-throughput VPN
Practice Tests