Google Cloud Router

Last updated on April 11, 2023

Google Cloud Router Cheat Sheet

  • Cloud Router is a fully distributed and managed Google Cloud service that helps you define custom dynamic routes and scales with your network traffic.

Features

  • It works with both legacy networks and Virtual Private Cloud (VPC) networks.
  • Cloud Router utilizes Border Gateway Protocol (BGP) to exchange routes between your Virtual Private Cloud (VPC) network and your on-premises network.
  • Using Cloud Router is required or recommended in the following cases:
    • Required for Cloud NAT
    • Required for Cloud Interconnect and HA VPN
    • A recommended configuration option for Classic VPN
  • When you extend your on-premises network to Google Cloud, use Cloud Router to dynamically exchange routes between your Google Cloud networks and your on-premises network.
  • Cloud Router peers with your on-premises VPN gateway or router. The routers exchange topology information through BGP.

Route Advertisements

  • Through BGP, Cloud Router advertises the IP addresses of Google resources that clients in your on-premises network can reach. Your on-premises network then sends packets whose destination IP address matches an advertised range to your VPC network. After the packets reach Google Cloud, your VPC network’s firewall rules and routes determine how Google Cloud routes them.
  • Default Route Advertisement – Cloud Router advertises subnets in its region for regional dynamic routing or all subnets in a VPC network for global dynamic routing.
  • Custom Route Advertisement – You explicitly specify the routes that a Cloud Router advertises to your on-premises network.

Validate Your Knowledge

Question 1

You are hosting a web application in your on-premises data center that needs to fetch files from a Cloud Storage bucket. However, your company strictly implements security policies that prohibit your bare-metal servers from having a public IP address or having any access to the Internet. You want to follow Google-recommended practices to provide your web application the necessary access to Cloud Storage.

What should you do?

  1. a. Issue the nslookup command on your command line to get the IP address for storage.googleapis.com.
    b. Discuss with the security team why you need to have a public IP address for the servers.
    c. Explicitly allow egress traffic from your servers to the IP address of storage.googleapis.com.

  2. a. Create a VPN tunnel connecting to a custom-mode VPC in the Google Cloud Platform using Cloud VPN.
    b. Create a Compute Engine instance and install the Squid Proxy Server. Use the custom-mode VPC as the location.
    c. Configure your on-premises servers to use the new instance as a proxy to access the Cloud Storage bucket.

  3. a. Migrate your on-premises server using Migrate for Compute Engine (formerly known as Velostrata).
    b. Provision an internal load balancer (ILB) that uses storage.googleapis.com as a backend.
    c. Set up the new instances to use the ILB as a proxy to connect to the Cloud Storage.

  4. a. Create a VPN tunnel to GCP using Cloud VPN or Cloud Interconnect.
    b. Use Cloud Router to create a custom route advertisement for 199.36.153.4/30. Announce that network to your on-premises network via VPN tunnel.
    c. Configure the DNS server in your on-premises network to resolve *.googleapis.com as a CNAME to restricted.googleapis.com.

Correct Answer: 4

Private Google Access for on-premises hosts requires that you direct services to one of the following special domains. The special domain you choose determines which services you can access:

private.googleapis.com (199.36.153.8/30) provides access to most Google APIs and services, including Cloud and Developer APIs that support VPC Service Controls and those that do not support VPC Service Controls. VPC Service Controls are enforced when you configure a service perimeter.

restricted.googleapis.com (199.36.153.4/30) only provides access to Cloud and Developer APIs that support VPC Service Controls. VPC Service Controls are enforced for these services if you’ve configured a service perimeter. Access to any Google API or service that does not support VPC Service Controls is prohibited.

For on-premises hosts to reach restricted Google API services, requests to Google APIs must be sent through a VPC network, either through a Cloud VPN tunnel or Cloud Interconnect connection.

In both cases, all requests to Google APIs and services must be sent to a virtual IP address (VIP) range 199.36.153.4/30 (restricted.googleapis.com). The IP address range is not announced to the Internet. Traffic sent to the VIP stays within Google’s network only.

Routes in your on-premises network must be configured to direct traffic for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains to the next hop Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) that connect to your VPC network.

You can use Cloud Router Custom Route Advertisements to announce routes for the following destinations:

199.36.153.8/30 – if you chose private.googleapis.com

199.36.153.4/30 – if you chose restricted.googleapis.com

Your on-premises network must have DNS zones and records configured so that Google domain names resolve to the set of IP addresses for either private.googleapis.com or restricted.googleapis.com. You can create Cloud DNS-managed private zones and use a Cloud DNS inbound server policy, or you can configure on-premises name servers. For example, you can use BIND or Microsoft Active Directory DNS.

Hence, the correct answer is: 

1. Create a VPN tunnel to GCP using Cloud VPN or Cloud Interconnect.

2. Use Cloud Router to create a custom route advertisement for 199.36.153.4/30. Announce that network to your on-premises network via VPN tunnel.

3. Configure a CNAME record on your on-premises DNS server to resolve all *.googleapis.com traffic to restricted.googleapis.com.
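The three steps above leave two things that can silently go wrong on the on-premises side: the Cloud Router may advertise the wrong VIP range for the domain you chose, and the on-premises resolver may still hand out public addresses for *.googleapis.com names, so API traffic would leave the private path. The following check is an added example written for this page, not code from Tutorials Dojo or Google; it takes the list of custom-advertised prefixes and a snapshot of resolver answers (both constructed here) and reports either misconfiguration, using only the VIP ranges and domain names stated in the explanation above.

```python
"""Audit on-premises readiness for Private Google Access (added example).

Given the prefixes the Cloud Router custom-advertises over BGP and the
addresses the on-premises resolver returns for *.googleapis.com names,
report anything that would send API traffic to a public address instead
of the private VIP range. All sample inputs below are constructed.
"""
import ipaddress

# VIP ranges for the two special domains, as stated in the explanation above.
VIP_RANGES = {
    "private.googleapis.com": ipaddress.ip_network("199.36.153.8/30"),
    "restricted.googleapis.com": ipaddress.ip_network("199.36.153.4/30"),
}


def advertised_covers_vip(advertised_prefixes, domain):
    """True if some custom-advertised prefix contains the chosen domain's VIP range."""
    vip = VIP_RANGES[domain]
    return any(vip.subnet_of(ipaddress.ip_network(p)) for p in advertised_prefixes)


def check_resolution(dns_answers, domain):
    """Return the *.googleapis.com names whose answers fall outside the VIP range.

    dns_answers maps hostname -> list of resolved IP strings. Any name listed
    means a client would send requests to a public address, which is exactly
    what the on-premises security policy forbids.
    """
    vip = VIP_RANGES[domain]
    leaking = []
    for name, addrs in dns_answers.items():
        if not name.endswith(".googleapis.com"):
            continue  # unrelated name; not part of the override
        if any(ipaddress.ip_address(a) not in vip for a in addrs):
            leaking.append(name)
    return sorted(leaking)


def audit(advertised_prefixes, dns_answers, domain="restricted.googleapis.com"):
    """Combine both checks into a list of human-readable findings (empty = OK)."""
    vip = VIP_RANGES[domain]
    findings = []
    if not advertised_covers_vip(advertised_prefixes, domain):
        findings.append(f"Cloud Router does not advertise {vip} for {domain}")
    for name in check_resolution(dns_answers, domain):
        findings.append(f"{name} resolves outside {vip}; traffic would leave the private path")
    return findings


# Constructed samples: the correct configuration from the answer, and two faults.
GOOD_ADVERTISED = ["199.36.153.4/30"]   # step 2: custom advertisement for restricted VIP
BAD_ADVERTISED = ["199.36.153.8/30"]    # private.googleapis.com range, wrong for restricted mode
GOOD_DNS = {
    # step 3: *.googleapis.com is a CNAME to restricted.googleapis.com
    "storage.googleapis.com": ["199.36.153.4"],
    "restricted.googleapis.com": ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"],
}
LEAKY_DNS = {
    # resolver override missing: a public (RFC 5737 documentation) address comes back
    "storage.googleapis.com": ["203.0.113.10"],
}

if __name__ == "__main__":
    for label, adv, dns in [("good", GOOD_ADVERTISED, GOOD_DNS), ("faulty", BAD_ADVERTISED, LEAKY_DNS)]:
        print(label, audit(adv, dns) or ["OK"])
```

Run the module directly to see the good configuration pass and the faulty one produce two findings; feed `audit()` the output of your own BGP session and resolver queries to use it against a real deployment.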

The following option is incorrect because your company does not allow you to provision a public IP address for your on-premises data center. Moreover, you still have to establish a VPN tunnel to connect your on-premises network to the Google Cloud privately, which is not mentioned in this option:

1. Issue the nslookup command on your command line to get the IP address for storage.googleapis.com.

2. Discuss with the security team why you need to have a public IP address for the servers.

3. Explicitly allow egress traffic from your servers to the IP address of storage.googleapis.com.

The following option is incorrect because using a Squid Proxy server exposes your network to the public through the Compute Engine instance. You need to connect to Cloud Storage privately, so this option does not satisfy the requirement:

1. Create a VPN tunnel connecting to a custom-mode VPC in the Google Cloud Platform using Cloud VPN.

2. Create a Compute Engine instance and install the Squid Proxy Server. Use the custom-mode VPC as the location.

3. Configure your on-premises servers to use the new instance as a proxy to access the Cloud Storage bucket.

The following option is incorrect because you don’t need to migrate your existing on-premises server to Google Cloud. The scenario states that your on-premises application must connect to Cloud Storage privately, so using Migrate for Compute Engine is inappropriate here:

1. Migrate your on-premises server using Migrate for Compute Engine

2. Provision an internal load balancer (ILB) that uses storage.googleapis.com as a backend.

3. Set up the new instances to use the ILB as a proxy to connect to the Cloud Storage.

References:
https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid
https://cloud.google.com/vpc-service-controls/docs/private-connectivity
https://cloud.google.com/network-connectivity/docs/router/how-to/advertising-custom-ip

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.

Google Cloud Router Cheat Sheet Reference:

https://cloud.google.com/network-connectivity/docs/router/concepts/overview

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
