GCP Cloud Network
- Has no IP address range
- Is global and spans all available regions
- Contains subnetworks
- Is available as
default
,auto
orcustom
(custom mode networks cannot be converted back to auto) - Networks isolate systems (VM instances that are in different regions but the same network can communicate via internal IP, but instances which are in the same region but in different networks need to communicate via external IP)
Subnet is a range of IP addresses that can be used. Except four addresses which are reserved.
- You cannot undo an expansion of IP ranges.
Normally, each resource requires an external IP address to be able to interact with other resources (such as a VM to a bucket), but under the subnet, Private Google Access can be enabled to do this.
A VM does not know its external IP, only its internal. The VPC maps the internal address to the external one outside of the VM.
A VM can be given aliases which are additional IP addresses which can be configured for internal apps and containers running in the VM.
Cloud NAT
The Cloud NAT gateway implements outbound NAT, but not inbound NAT. In other words, hosts outside of your VPC network can only respond to connections initiated by your instances; they cannot initiate their own, new connections to your instances via NAT.
Shared VPC vs VPC Peering
Consideration | Shared VPC | VPC Network Peering |
---|---|---|
Across Organizations | No | Yes |
Within Project | No | Yes |
Network Admin | Centralized | Decentralized |
Firewall
Creating firewall rules by tag rather than by address.
When a VM is created the ephemeral external IP address is assigned from a pool. There is no way to predict which address will be assigned, so there is no way to write a rule that will match that VM’s IP address before it is assigned. Tags allow a symbolic assignment that does not depend on order in the IP addresses. It makes for simpler, more general, and easier to maintain, firewall rules.
Basic commands
To list available VPC networks.:
gcloud compute networks list
To list all available VPC subnets (sorted by VPC network):
gcloud compute networks subnets list --sort-by=NETWORK
Advanced commands
Network
Creating Network and Subnets using the command line:
gcloud compute networks create managementnet --project=qwiklabs-gcp-03-4bbb109f4c40 --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional
gcloud compute networks subnets create managementsubnet-us --project=qwiklabs-gcp-03-4bbb109f4c40 --range=10.240.0.0/20 --stack-type=IPV4_ONLY --network=managementnet --region=us-west4
To create another network with two separate subnets:
gcloud compute networks create privatenet --subnet-mode=custom
gcloud compute networks subnets create privatesubnet-us --network=privatenet --region=us-west4 --range=172.16.0.0/24
gcloud compute networks subnets create privatesubnet-eu --network=privatenet --region=europe-west1 --range=172.20.0.0/20
Firewall
Create a firewall rule using the cloud shell:
gcloud compute firewall-rules create privatenet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=privatenet --action=ALLOW --rules=icmp,tcp:22,tcp:3389 --source-ranges=0.0.0.0/0
© Filip Niklas 2024. All poetry rights reserved. Permission is hereby granted to freely copy and use notes about programming and any code.