Google Cloud Hybrid Connectivity Cheat Sheet

• There are several ways to extend your on-premises environment to the Google Cloud Platform.
• You can connect your infrastructure to Google Cloud Platform (GCP) on your terms, from anywhere based on your requirements.

Cloud Interconnect

• Provides low latency, highly available connections that enable you to reliably transfer data between your on-premises and Google Cloud VPCs.
• Cloud Interconnect connections provide internal IP address communication, which means internal IP addresses are directly accessible from both networks.
• Cloud Interconnect offers two options to extend your on-premises network to the Google Cloud Platform:
  • Dedicated Interconnect
    • Direct physical Connection to Google’s network.
  • Partner Interconnect
    • Provides connectivity through a supported service provider.
  • You can use Cloud Interconnect in combination with Private Google Access for on-premises resources so that your on-premises resources can use internal IP addresses rather than external IP addresses to reach Google APIs and services.

Direct Peering

• Direct Peering connects your on-premises network to Google services, including Google Cloud products that can be exposed via one or more public IP addresses.
• Traffic from Google’s network to your on-premises network also takes that same connection, including traffic from VPC networks in your projects.
• Direct Peering exists outside of Google Cloud Platform. So, unless you need to access Google Workspace applications, the recommended methods of access to Google Cloud Platform are via Dedicated Interconnect or Partner Interconnect.

Carrier Peering

• Carrier Peering enables you to access Google applications, such as Google Workspace, by using a service provider to obtain enterprise-grade network services that connect your infrastructure to Google.
• When connecting to Google through a service provider, you can get connections with higher availability and lower latency, using one or more links.

Cloud VPN

• Cloud VPN securely extends your peer network to Google’s network through an IPsec VPN tunnel.
• Ipsec VPN tunnels encrypt data by using industry-standard Ipsec protocols as traffic traverses the public Internet.
• It only requires a VPN device in your on-premises network, unlike Cloud Interconnect that comes with overhead and costs to set up a direct private connection.
• Cloud VPN pricing is based on the location of the Cloud VPN gateway and the number of tunnels per hour.

Validate Your Knowledge

Question 1

1. Create a VPC on Google Cloud and configure it as a host for a Shared VPC.
2. Build a custom-mode VPC. Set up VPC Network Peering between your on-premises network and your newly created VPC to establish a connection through a private IP range.
3. Provision virtual machines on your on-premises and Google Cloud VPC networks that will serve as bastion hosts. Configure the VMs as proxy servers using public IP addresses.
4. Set up Cloud VPN between your on-premises network to a VPC network through an IPsec VPN connection.

Show me the answer!

Correct Answer: 4

On-premises hosts can reach Google APIs and services by using Cloud VPN or Cloud Interconnect from your on-premises network to Google Cloud. On-premises hosts can send traffic from the following types of source IP addresses:

– a private IP address, such as an RFC 1918 address

– a privately used public IP address, except for a Google-owned public IP address. (Private Google Access for on-premises hosts does not support re-using Google public IP addresses as sources in your on-premises network.)

In the following example, the on-premises network is connected to a VPC network through a Cloud VPN tunnel. Traffic from on-premises hosts to Google APIs travels through the tunnel to the VPC network. After traffic reaches the VPC network, it is sent through a route that uses the default Internet gateway as its next hop. This next hop allows traffic to leave the VPC network and be delivered to restricted.googleapis.com (199.36.153.4/30).

Hence, the correct answer is: Set up Cloud VPN between your on-premises network to a VPC network through an IPsec VPN connection.

The option that says: Create a VPC on Google Cloud and configure it as a host for a Shared VPC is incorrect because this will only allow resources on multiple GCP projects to communicate with each other by defining a host project. This does not allow you to connect your on-premises data center to Google Cloud.

The option that says: Build a custom-mode VPC. Set up VPC Network Peering between your on-premises network and your newly created VPC to establish a connection through a private IP range is incorrect because VPC peering only connects Google VPC networks, regardless of whether they belong to the same project or organization. It will not help you establish a connection between your on-premises and GCP resources.

The option that says: Provision virtual machines on your on-premises and Google Cloud VPC networks that will serve as bastion hosts. Configure the VMs as proxy servers using public IP addresses is incorrect because bastion hosts are specifically designed for end-users to access private instances. Since we need to connect resources and not just users, using bastion hosts will not satisfy the requirement. 

References:
https://cloud.google.com/vpc/docs/private-access-options
https://cloud.google.com/vpc/docs/private-google-access-hybrid#private-vips

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.

For more Google Cloud practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:

Google Cloud Hybrid Connectivity Cheat Sheet References:

https://cloud.google.com/hybrid-connectivity
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview
https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview
https://cloud.google.com/network-connectivity/docs/direct-peering