Last updated on July 4, 2023
Google Virtual Private Cloud Cheat Sheet
- Google Virtual Private Cloud (VPC) lets you create and manage your own virtual network topology, in which you launch your Google Cloud resources.
- Google VPC is the networking layer of Google Cloud resources.
- A VPC spans all the zones in the region. After creating a VPC, you can add one or more subnets in each zone.
Key Concepts
- A virtual private cloud (VPC) allows you to specify an IP address range for the VPC, add and expand subnets, and configure firewall rules.
- You can expand CIDR ranges without downtime.
- To protect Google Cloud resources, segment your networks by setting up firewall rules.
- Projects can contain multiple VPC networks unless you create an organizational policy that does not allow it.
- New projects start with a default network that has one subnetwork.
- VPC networks, including their firewall rules and associated routes, are global resources.
- Subnets are regional resources.
- Resources inside the same VPC network can communicate with each other using internal IPv4 addresses, but that traffic is still subject to the applicable network firewall rules.
- Instances with IPv4 addresses can communicate with Google APIs and services.
- Network administration can be secured by using Identity and Access Management (IAM) roles.
Network and Subnets
- Each VPC network consists of one or more useful IP range partitions called subnets.
- Each subnet is associated with a region.
- A network must have at least one subnet before you can use it.
- Auto mode VPC networks create subnets in each region automatically. These automatically created subnets use a set of predefined IP ranges that fit within the 10.128.0.0/9 CIDR block.
- Custom mode VPC networks start with no subnets, giving you full control over subnet creation.
- You can create more than one subnet per region.
- You can switch a VPC network from auto mode to custom mode. This is a one-way conversion, which means custom mode VPC networks cannot be changed back to auto mode VPC networks.
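As an added example (not from the cheat sheet and not Google's own tooling), the Python below applies the subnet rules above with the standard ipaddress module: a new primary range must not overlap any subnet already in the VPC network, an expansion must keep the original range (the new prefix is a supernet of the old one), and a custom range inside 10.128.0.0/9 is flagged because it would collide with the predefined auto mode subnets of any auto mode network it is later peered with. The subnet names and CIDRs are constructed for illustration.

```python
from ipaddress import ip_network

# Range that auto mode networks carve their predefined regional subnets out of.
AUTO_MODE_RANGE = ip_network("10.128.0.0/9")


def check_new_subnet(existing, candidate):
    """Return a list of problems with adding `candidate` (CIDR string) to a
    custom mode VPC whose current subnets are `existing` ({name: cidr}).
    An empty list means the range can be added.
    ip_network() is strict, so a CIDR with host bits set raises ValueError."""
    cand = ip_network(candidate)
    problems = []
    # Primary ranges inside one VPC network must not overlap each other.
    for name, cidr in existing.items():
        if cand.overlaps(ip_network(cidr)):
            problems.append(f"overlaps subnet {name} ({cidr})")
    # Planning check: a custom range in 10.128.0.0/9 collides with auto mode
    # subnets if this network is ever peered with an auto mode network.
    if cand.overlaps(AUTO_MODE_RANGE):
        problems.append("falls inside the auto mode range 10.128.0.0/9")
    return problems


def check_expansion(current, proposed):
    """Expanding a subnet keeps its original range: the proposed prefix must be
    shorter than the current one and contain it. Shrinking or moving a range
    is not an expansion."""
    cur, new = ip_network(current), ip_network(proposed)
    return new.prefixlen < cur.prefixlen and cur.subnet_of(new)


# Constructed custom mode VPC with one subnet per region.
SUBNETS = {
    "us-central1-app": "10.10.0.0/20",
    "us-west3-app": "10.20.0.0/20",
}
```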
Configuring IP Addresses
- External IP Address
  - You should assign an external IP address to instances if you need them to communicate with the Internet.
  - Instances support static and ephemeral external IP addresses.
- Internal IP Address
  - You should assign a specific internal IP address when you create a VM instance.
  - You can reserve a static internal IP address for your project and assign that address to your resources.
- Static external IP addresses can be either a regional or a global resource. A regional static IP address allows resources of that region, or resources in zones within that region, to use the IP address.
Firewall Rules
- Firewall rules are defined at the network level.
- They only apply to the network where they are created, but the name defined for each of them must be unique within the project.
- Firewall rule components:
  - The direction of connection:
    - Ingress rules apply to incoming connections from specified sources to Google Cloud targets.
    - Egress rules apply to connections going to specified destinations from targets.
  - A numerical priority, which determines whether the rule is applied:
    - Only the highest priority (lowest priority number) rule whose other components match the traffic is applied.
    - Conflicting rules with lower priorities are ignored.
  - An action on match, either allow or deny, which decides whether the rule permits or blocks connections.
  - The enforcement status of the firewall rule.
  - A target, which defines the instances to which the rule applies.
  - A source for ingress rules or a destination for egress rules.
  - The protocol (such as TCP, UDP, or ICMP) and destination port.
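As an added example (not from the cheat sheet and not Google's implementation), the Python model below evaluates one flow against a rule set the way the components above describe: every rule whose direction, target, range, protocol and port match is collected, the lowest priority number wins, and the two implied rules sit at 65535. The deny-wins tie-break for equal priorities follows Google's documented behaviour and is not stated on this page; the rule set at the bottom is constructed and shows the pattern of blocking all egress at a low priority and allowing only the needed port at a higher one.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    priority: int             # 0 = highest, 65535 = lowest
    action: str               # "allow" or "deny"
    ranges: list              # source ranges (ingress) or destination ranges (egress)
    protocols: dict           # {"tcp": {443}}; empty port set = all ports; {} = all traffic
    target_tags: set = field(default_factory=set)  # empty = every instance in the network
    disabled: bool = False    # enforcement status


# Every VPC network carries these two implied rules at the lowest priority.
IMPLIED_RULES = [
    Rule("implied-allow-egress", "EGRESS", 65535, "allow", ["0.0.0.0/0"], {}),
    Rule("implied-deny-ingress", "INGRESS", 65535, "deny", ["0.0.0.0/0"], {}),
]


def matches(rule, direction, peer_ip, proto, port, tags):
    """True if every component of the rule matches this flow."""
    if rule.disabled or rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & tags):
        return False
    if not any(ip_address(peer_ip) in ip_network(r) for r in rule.ranges):
        return False
    if rule.protocols:                     # {} means any protocol, any port
        ports = rule.protocols.get(proto)
        if ports is None or (ports and port not in ports):
            return False
    return True


def evaluate(rules, direction, peer_ip, proto, port, tags=frozenset()):
    """Return (action, rule_name): the lowest priority number wins; on an
    equal-priority conflict deny wins (Google's documented tie-break)."""
    hits = [r for r in list(rules) + IMPLIED_RULES
            if matches(r, direction, peer_ip, proto, port, tags)]
    best = min(hits, key=lambda r: (r.priority, r.action != "deny"))
    return best.action, best.name


# Constructed rule set: deny all egress at 65534, allow only TCP 443 at 200.
EGRESS_LOCKDOWN = [
    Rule("allow-egress-https", "EGRESS", 200, "allow", ["0.0.0.0/0"], {"tcp": {443}}),
    Rule("deny-all-egress", "EGRESS", 65534, "deny", ["0.0.0.0/0"], {}),
]
```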
Routes
- System-generated default route: when you create a VPC network, it includes a system-generated default route that serves as the path out of the VPC network, including the path to the Internet, and provides the standard path for Private Google Access.
- Subnet routes – define paths to resources like VMs and internal load balancers in a VPC network.
- Static routes – are defined using static route parameters and support static route next hops.
- Dynamic routes – are routes managed by Cloud Routers inside the VPC network. Their destinations are IP address ranges outside your VPC network, learned from a BGP peer. Dynamic routes are used by:
  - Dedicated Interconnect
  - Partner Interconnect
  - HA VPN tunnels
  - Classic VPN tunnels that use dynamic routing
Communications and access for App Engine
- VPC firewall rules apply to resources running in the VPC network. For App Engine instances, firewall rules work as follows:
  - App Engine standard environment: only App Engine firewall rules apply to ingress traffic. App Engine standard environment instances do not run inside your VPC network, which means VPC firewall rules do not apply to them.
  - App Engine flexible environment: both App Engine and VPC firewall rules apply to ingress traffic. Inbound traffic is only permitted if it is allowed by both types of firewall rules. For outbound traffic, VPC firewall rules apply.
Connecting VPC Networks
- An organization can use a Shared VPC to keep a VPC network in a common host project. Authorized IAM members from other projects in the same organization can create resources that use the Shared VPC network’s subnet.
- You can use VPC Network Peering to connect VPCs to other VPC networks located in different projects or organizations.
- VPC networks can be securely connected in hybrid environments by utilizing Cloud VPN or Cloud Interconnect.
Pricing
- There is no charge for egress through internal IP addresses. There are charges, though, for egress traffic through external IP addresses, even if the traffic stays in the same zone.
- You are also charged for active and unused static and ephemeral IP addresses inside your VPC.
Validate Your Knowledge
Question 1
Your company wants to set up a new Virtual Private Cloud (VPC) behind a firewall to secure the data egress. You have to filter the traffic flowing out of the VPC. You need to configure the VPC to have the least possible number of open egress ports.
What should you do?
- Create a firewall rule that blocks all egress traffic and allows specific ports with the same priority number.
- Create a firewall rule that blocks all egress traffic with a low-priority number of 65534. Create another firewall rule that allows egress traffic for specific ports needed with a high-priority number set to 200.
- Create a firewall rule that blocks all egress traffic with a high-priority number of 200. Create another firewall rule that allows egress traffic for specific ports needed with a high-priority number of 65534.
- Create a firewall rule that allows inbound traffic to specific ports needed and set its priority to 1000. Remove both the implied allow egress rule and implied allow egress rule.
Question 2
You have a project that has a single non-default VPC with a subnetwork configured in the us-central1 region. A Compute Engine instance was deployed in this subnetwork that serves web traffic. Another instance needs to be deployed in the us-west3 region in the same project. You need to ensure that this newly created instance can connect to the other instance in the us-central1 region.
You want to follow Google-recommended practices. What should you do?
- a. Configure a subnetwork in the same VPC, located in us-west3.
  b. Build the new instance into the new subnetwork.
  c. Use the IP address of the instance in us-central1 as the endpoint.
- a. Configure a VPC with a subnetwork in us-west3.
  b. Expose the instance using an internal load balancer.
  c. Provision a new instance in the new subnetwork.
  d. Use the load balancer's IP address as the endpoint.
- a. Using the same VPC, create a subnetwork in us-west3.
  b. Utilize Cloud VPN to establish a connection between the two subnetworks.
  c. Provision a new instance in the new subnetwork.
  d. Use the first instance's private IP address as the endpoint.
- a. Configure a VPC with a subnetwork in the us-west3 region.
  b. Use VPC Peering to allow connectivity between the two VPCs.
  c. Provision a new instance in the new subnetwork.
  d. Use the first instance's private IP address as the endpoint.
For more Google Cloud practice exam questions with detailed explanations, check out the Tutorials Dojo Portal.