What is Google Cloud Platform (GCP)?
- Google Cloud Platform (GCP) has one of the largest and fastest networks in the world.
- GCP resources are treated as services instead of hardware. For example, Persistent Disk is not a physical device, but is a service used over a network.
Projects, Networks, and Subnetworks
All infrastructure resources in GCP are organized under projects. Project is defined as a key organizer for all the resources:
- Projects consist of Objects and Services which are billed. Projects contain networks, and the maximum number of networks that can be created per project is five.
- The networks in GCP do not contain IP ranges, but are a combination of IP addresses and Services in a network.
- By default, GCP networks are Global, and are available in regions all over the world.
- A network can be split into smaller networks which are called Subnetworks.
- Subnetting is often learned in networking+ basic 101 level.
- There are three types of networks in GCP:
Learning: GCP – no IP ranges; GCP has 3 types networks – Default, Auto and Custom
Types of Networks
- If a network type is not specified, by default GCP considers the Default
- An auto mode network can be converted to custom mode, however, the vice-versa cannot be done. A Custom mode network will always be a custom network.
Consider a project containing five networks, with each network having its own virtual machine.
- In this example, virtual machines A and B are on the same network, and can interact with each other through Internal IP addresses.
- Virtual machines C and D, which are in the same region, communicate through External IP addresses as they are in different networks.
- The traffic that passes through virtual machines C and D go through the Cloud Router, which has separate billing and security conditions.
Consider a region which has two zones A and B.
- The subnetwork in a region can spread across multiple zones in that region.
- In this example, there are two virtual machines present in different zones, that can communicate with each other using the same subnet IP address.
- The same firewall rule can be applied to both the virtual machines, even though they are in different zones.
Reviewing IP addresses and Interfaces, Internal DNS, Routes, and Rules:
In GCP, virtual machines (VM) can have two IP addresses:
- Internal IP address
- External IP address.
- Internal IP addresses are assigned to a VM DHCP internally.
- Every machine and service that is dependent on a VM, has an Internal IP address. Examples are Google App Engine and Kubernetes Engine.
- When a VM is created in GCP, a symbolic name is registered with an Internal address.
- An External IP address is assigned when a VM externally faces the internet.
- When an External IP address is assigned from a pool, it is called Ephemeral.
- A Reserved External IP address is called Static.
- Even if Reserved IP addresses are not attached to a VM, they are billed.
- A VM will not know External IP address that is used, and the external address is mapped to the internal IP address of the VM transparently by Google Cloud VPC.
DNS resolution for Internal IP Addresses
When you create a VM with some name, this symbolic name is registered with the Internal DNS service which translates the name to the Internal IP Address.
- DNS is scoped to the network, so it can translate web URLs and VM names of hosts in the same network but it cannot translate the hostnames of VM’s in a different network.
- There is a Fully Qualified Domain Name (FQDN) for each instance. The format is hostname.c.project-id.internal.
- When an instance is deleted, and a new one is created, a new Internal IP address is generated, which may interrupt the connection from the Google Compute Engine.
- A DNS always points to a hostname, whatever the Internal IP address might be.
- Every instance will have a metadata server that acts as a DNS resolver.
- A metadata server handles all metadata queries for local network resources, and routes all other queries to a public DNS for public name resolution.
DNS resolution for External IP Addresses
- If an instance cannot find an External IP address, a Look-up table is stored in the network.
- The Look-up table matches the External IP address with an Internal IP address of the specific instance.
- Instances that have External IP addresses will allow connections with outside hosts.
- Public DNS records of an instance can only be published through Admins by using DNS Servers.
- Domain names in GCP are hosted through a managed service known as Cloud DNS.
Alias IP Ranges
- An exciting feature of Networking is Alias IP ranges.
- Alias IP ranges enable to assign a range of IP addresses as aliases to a VM Primary Network Interface.
- If there are multiple services on a VM, and if you require each service to have different IP addresses, Alias is the best option. For example, you can represent Containers or Applications on a VM by configuring them through multiple IP addresses, instead of having a separate network interface.
- Alias IP ranges are drawn from either Local subnets primary or Secondary CIDR ranges.
Multiple Network Interface
- Every instance in a VPC network will have a default interface. You can also create multiple interfaces attached to a VM.
- A Multiple Network Interface enables to configure instances which can connect to multiple VPC networks.
- Every interface will have an Internal IP address, and can also have an External IP address.
- An instance can have up to 8 interfaces.
- Multiple Interface network is useful when you would like to configure an instance as a network appliance. This helps in Load balancing, Web Application Firewall (WAF), WAN optimization, Intrusion Detection, and Prevention techniques.
- Other use-cases include applications that require traffic separation in an instance, Network and Security Functions, Bandwidth isolation across separate interfaces, and so on.
- By default, every network has a default route. Therefore, all instances in the network exchange traffic directly with each other, across the subnet.
- Every network (default) will have a route that directs its packets to the destination which is outside the network.
- You can also create custom routes that override default routes.
- Firewall rules allow the packets to reach a destination. A default route has pre-configured firewall rules.
- Routes match packets based on the Destination address. A route is created when a Network or Subnetwork is created. Therefore, traffic is enabled from anywhere.
The functionality of Firewall rules is to Allow or Deny the traffic to and from your VM’s
- Unapproved connections, both inbound and outbound which means Ingress (Inbound) and Egress (Outbound) respectively.
- Firewall rules apply to the whole network, and connections are allowed or denied at the instance level.
- Even if all firewall rules are deleted accidentally, the Deny ingress rule, and allow egress rule for the network still remain.
- A firewall rule consists of parameters like:
- Direction of rule which means, Inbound connections match with Ingress rules, and Outbound connections match with Egress rules.
- Source of connection or Destination of connection for egress packets.
- Specific protocols or a specific combination of ports and protocols.
- Allows or Denies packets to match direction protocol port or/and source or destination of the rule.
- Priority of the rule, which means applying firewall rules based on the preference.
Egress and Ingress Use-cases:
- Egress firewall rules handle all outgoing connections in a GCP network.
- The Egress allow rule allows only Open Connections that match specific addresses, ports, and protocols.
- The Egress deny rule prevents instances from making connections that match non-permitted protocol, port, and IP address ranges.
- In Egress rules, the destination to which a rule is applied is decided through IP CIDR ranges.
- Destination ranges can be used to protect a VM from unwanted connections.
- Ingress firewall rules allow only specified ports, protocols, or IP addresses to connect.
- The Ingress allow rule allows only specified ports, protocols or IP addresses to connect.
- Source CIDR Ranges is used to protect undesired connections to an instance.