Google Cloud Networking
- The Google Cloud network consists of hundreds of miles of fibre optic cables.
- It spans the globe with redundant links.
- There are different networking services you can take advantage of, such as HTTP, TCP, and UDP load balancing, Cloud CDN, and DNS.
- Custom Virtual Private Cloud (VPC) networks are created in a private namespace with Google Cloud Virtual Networking.
- On-premises networks can also be connected to the cloud (a Hybrid Cloud solution) using services like Cloud VPN, Cloud Router and Cloud Interconnect.
- You can also connect to Google services like YouTube, Gmail, Maps, and Android development using VPN and Cloud Router, or through Cloud Interconnect or Direct Peering.
Before going further into Google Cloud Networking, you first need to understand Shared VPC.
Shared VPC Functionality
- Shared VPC is implemented in the management control plane.
- In this control plane, the project that is managed centrally is known as the Host Project (it contains one or more shared virtual networks), and the necessary Cloud IAM permissions are set on it.
- A project which participates in Shared VPC can be either a host project or a service project.
- A host project contains one or more Shared VPC networks. The Shared VPC Admin role enables the project as a host project, and thereafter the admin can attach one or more service projects.
- A Service Project is a project attached by a Shared VPC Admin, which allows that project to participate in the Shared VPC.
- The advantage of using shared virtual networks is that you control access to critical resources such as firewalls with less overhead.
A Shared VPC network is a VPC network defined in a host project and made available as a centrally shared network for eligible resources in service projects.
The following explains the IAM roles and permissions assigned to the projects in a Shared VPC.
- The network administrator of a shared host project has the XPN Administrator role.
- This allows a single group to manage new service projects attached to the host project.
- The administrator also has the InstanceAdmin role on the service project.
- When a service project is allowed to connect to a shared network, it is better to grant the service project administrators the compute.subnetworks.use permission on specific subnetworks, so that a subnetwork is used by a single service project.
- When you configure subnetwork IP ranges, allow subnetworks sufficient IP space, in the same or different regions.
- It is recommended to place both the host and service projects in the same folder.
- You can set up an organization policy that disables external IP access for VMs, to restrict them from reaching the public internet.
- Using Shared VPC, you can create firewalls, subnet IP ranges, routes, VPN connections, and keep your own billing, quotas, IAM permissions, and so on.
After Shared VPC, the next thing to know is VPC Peering.
Communication between two virtual private networks, whether they are in the same project or in different projects, is known as “VPC Peering”.
- Google VPC Network Peering is useful when you want to peer two VPC networks so that they connect over RFC 1918 address space, irrespective of whether the networks belong to the same project or organization.
- VPC Network Peering is useful when you want to make services available privately across different VPC networks, within the same or different organizations.
- Organizations with several network administrative domains can peer with each other.
- Reduced network latency, reduced network cost, and improved network security are the advantages of Network Peering.
- App Engine Flexible, Compute Engine, and GKE work with VPC Network Peering.
- VPNs, firewalls, and routes are administered and managed separately in each VPC network.
- Peering becomes active only when the configurations on both sides match.
- VPC peers always exchange their subnet routes. They can also exchange custom routes, depending on the peering configuration.
- Subnet and static routes are global, whereas dynamic routes are regional or global.
- A VPC network can peer with multiple VPC networks, up to a limit.
- The Project Owner, Project Editor, and Network Admin roles include the IAM permissions for creating and deleting VPC networks.
- Peering traffic and its billing policy are the same as for traffic within a single private network.
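As an added example (not from the page or from Google), the Shared VPC and VPC Peering steps above written as Terraform for the google provider: it grants the XPN Administrator role at folder level, enables the host project, attaches a service project, binds compute.networkUser (which carries compute.subnetworks.use) on a single subnet, denies external IPs on the service project's VMs by organization policy, and declares the peering on both sides with matching custom-route flags. Project IDs, the folder id, group names, the subnet and the network names are assumed values.

```hcl
locals {
  host_project    = "host-prj-example" # assumed project ids and network names
  service_project = "svc-prj-example"
  host_network    = "projects/host-prj-example/global/networks/shared-vpc"
  partner_network = "projects/partner-prj-example/global/networks/partner-vpc"
}
# Shared VPC Admin (XPN Administrator) on the folder holding both projects (assumed folder id, group)
resource "google_folder_iam_member" "xpn_admin" {
  folder = "folders/123456789012"
  role   = "roles/compute.xpnAdmin"
  member = "group:net-admins@example.com"
}
resource "google_compute_shared_vpc_host_project" "host" {
  project = local.host_project
}
resource "google_compute_shared_vpc_service_project" "svc" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = local.service_project
}
# roles/compute.networkUser carries compute.subnetworks.use; bound on ONE subnet only
resource "google_compute_subnetwork_iam_member" "svc_subnet_user" {
  project    = local.host_project
  region     = "europe-west1"
  subnetwork = "shared-subnet-a" # assumed existing subnet in the host VPC
  role       = "roles/compute.networkUser"
  member     = "group:svc-admins@example.com"
  depends_on = [google_compute_shared_vpc_service_project.svc]
}
# Org policy on the service project: its VMs may not be given external IPs
resource "google_project_organization_policy" "no_external_ip" {
  project    = local.service_project
  constraint = "compute.vmExternalIpAccess"
  list_policy { deny { all = true } }
}
# Peering is declared on BOTH networks and becomes ACTIVE only when the sides match;
# custom-route exchange is off by default and the export/import flags must agree
resource "google_compute_network_peering" "host_to_partner" {
  name                 = "host-to-partner"
  network              = local.host_network
  peer_network         = local.partner_network
  export_custom_routes = true
  import_custom_routes = true
}
resource "google_compute_network_peering" "partner_to_host" {
  name                 = "partner-to-host"
  network              = local.partner_network
  peer_network         = local.host_network
  export_custom_routes = true
  import_custom_routes = true
}
```

The credentials used for terraform apply must have access to both the host and the partner project, since each peering resource is created in its own network's project.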