Google Virtual Private Cloud Cheat Sheet

You can create and manage your own virtual topology network where you can launch your Google Cloud resources using Google Virtual Private Cloud (VPC).
Google VPC is the networking layer of Google Cloud resources.
A VPC spans all the zones in the region. After creating a VPC, you can add one or more subnets in each zone.

Key Concepts

A virtual private cloud (VPC) allows you to specify an IP address range for the VPC, add and expand subnets, and configure firewall rules.
You can expand CIDR ranges without downtime.
To protect Google Cloud resources, segment your networks by setting up firewall rules.
Projects can contain multiple VPC networks unless you create an organizational policy that does not allow it.
New projects start with a default network that has one subnetwork.

VPC networks including their firewall rules and associated routes are global resources.
Subnets are regional resources.
Resources inside the same VPC network can communicate with each other by using an internal IPv4 address but is still subject to applicable network firewall rules.
Instances with IPv4 addresses can communicate with Google APIs and services.
Network administration can be secured by using Identity and Access Management (IAM) roles.

Network and Subnets

Each VPC network consists of one or more useful IP range partitions called subnets.
Each subnet is associated with a region.
A network must have at least one subnet before you can use it.
Auto mode VPC networks create subnets in each region automatically. These automatically created subnets use a set of predefined IP ranges that fit within the 10.128.0.0/9 CIDR block.
Custom mode VPC networks start with no subnets giving you full control.
You can create more than one subnet per region.
You can switch a VPC network from auto mode to custom mode. This is a one-way conversion which means custom mode VPC networks cannot be changed to auto mode VPC networks.

Configuring IP Addresses

External IP Address
- You should assign an external IP address to instances if you need them to communicate with the Internet.
- Instances support static and ephemeral external IP addresses.
Internal IP Address
- You should assign a specific internal IP address when you create a VM instance.
- You can reserve a static internal IP address for your project and assign that address to your resources.
- Static external IP addresses can be either a regional or a global resource. A regional static IP address allows resources of that region or resources of zones within that region to use the IP address.

Firewall Rules

Firewall rules are defined at the network level.
They only apply to the network where they are created but the name defined for each of them must be unique to the project.
Firewall rule components
- The direction of connection:
  - Ingress rules apply to incoming connections from specified sources to Google Cloud targets
  - Egress rules apply to connections going to specified destinations from targets.
- A numerical priority, which determines whether the rule is applied.
  - Only the highest priority (lowest priority number) rule whose other components match traffic is applied;
  - Conflicting rules with lower priorities are ignored.
- An action upon match, either allow or deny, decides whether the rule permits or blocks connections.
- The enforcement status of the firewall rule.
- A target, which defines the instances to which the rules apply.
- A source for ingress rules or a destination for egress rules.
- The protocol (such as TCP, UDP, or ICMP) and destination port.

Routes

System-generated default route
- When you create a VPC network, it includes a system-generated default route which serves as a path out of the VPC network, including the path to the Internet, and provides the standard path for Private Google Access.
Subnet routes – define paths to resources like VMs and internal load balancers in a VPC network.
Static routes – are defined using static route parameters and support static route next hops.
Dynamic routes – are routes managed by Cloud Routers inside the VPC network. Their destinations are IP address ranges outside your VPC network, from a BGP peer. Dynamic routes are utilized by:
- Dedicated Interconnect
- Partner Interconnect
- HA VPN tunnels
- Classic VPN tunnels that use dynamic routing

Communications and access for App Engine

VPC firewall rules apply to resources running in the VPC network. For App Engine instances, firewall rules work as follows:
- App Engine standard environment
  - Only App Engine firewall rules apply to ingress traffic. App Engine standard environment instances do not run inside your VPC network which means VPC firewall rules do not apply to them.
- App Engine flexible environment
  - Both App Engine and VPC firewall rules apply to ingress traffic. Inbound traffic is only permitted if it is allowed by both types of firewall rules. For outbound traffic, VPC firewall rules shall apply.

Connecting VPC Networks

An organization can use a Shared VPC to keep a VPC network in a common host project. Authorized IAM members from other projects in the same organization can create resources that use the Shared VPC network’s subnet.
You can use VPC Network Peering to connect VPCs to other VPC networks located in different projects or organizations.
VPC networks can be securely connected in hybrid environments by utilizing Cloud VPN or Cloud Interconnect.

Pricing

No charge for egress through network IP addresses. There are charges though for egress traffic through external IP addresses, even if traffic is in the same zone.
You are also charged for active and unused static and ephemeral IP addresses inside your VPC.

Validate Your Knowledge

Question 1

Your company wants to set up a new Virtual Private Cloud (VPC) behind a firewall to secure the data egress. You have to filter the traffic flowing out of the VPC. You need to configure the VPC to have the least possible number of open egress ports.

What should you do?

Create a firewall rule that blocks all egress traffic and allows specific ports with the same priority number.
Create a firewall rule that blocks all egress traffic with a low-priority number of 65534. Create another firewall rule that allows egress traffic for specific ports needed with a high-priority number set to 200.
Create a firewall rule that blocks all egress traffic with a high-priority number of 200. Create another firewall rule that allows egress traffic for specific ports needed with a high-priority number of 65534.
Create a firewall rule that allows inbound traffic to specific ports needed and set its priority to 1000. Remove both the implied allow egress rule and implied allow egress rule.

Show me the answer!

Correct Answer: 2

The firewall rule priority is an integer from 0 to 65535, inclusive. Lower integers indicate higher priorities. If you do not specify a priority when creating a rule, it is assigned a priority of 1000.

The highest priority rule applicable to a target for a given type of traffic takes precedence. Target specificity does not matter. For example, a higher priority ingress rule for certain destination ports and protocols intended for all targets overrides a similarly defined rule with lower priority for the same destination ports and protocols intended for specific targets.

A rule with a deny action overrides another with an allow action only if the two rules have the same priority.

As per scenario requirements, you should only allow egress traffic for some ports. This means that you need to set a higher priority number for rules that allow egress traffic on some ports, and a lower priority number to block all egress port traffic. This will ensure that traffic going out from specific ports will be allowed.

Hence, the correct answer is: Create a firewall rule that blocks all egress traffic with a low-priority number of 65534. Create another firewall rule that allows egress traffic for specific ports needed with a high-priority number set to 200.

The option that says: Create a firewall rule that blocks all egress traffic and allows specific ports with the same priority number is incorrect because when an allow or deny traffic has the same priority number, the deny rule overrides the allow rule which means all egress traffic will be blocked.

The option that says: Create a firewall rule that blocks all egress traffic with a high-priority number of 200. Create another firewall rule that allows egress traffic for specific ports needed with a high-priority number of 65534 is incorrect because setting the block rule to a higher priority than the allow rule will block all egress traffic. You have to also allow some ports to be opened and not block the egress traffic entirely.

The option that says: Create a firewall rule that allows inbound traffic to specific ports needed and set its priority to 1000. Remove both the implied allow egress rule and implied allow egress rule is incorrect because you should create a rule that allows outbound (egress) traffic instead of inbound (ingress) traffic. In addition, you can’t remove the implied firewall rules in your VPC. You can override these implied firewall rules as long as your custom rules have higher priorities.

References:
https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules
https://cloud.google.com/vpc/docs/overview

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.

Question 2

You have a project that has a single non-default VPC with a subnetwork configured in the us-central1 region. A Compute Engine instance was deployed in this subnetwork that serves web traffic.

Another instance needs to be deployed in the us-west3 in the same project. You need to ensure that this newly created instance can connect to the other instance in the us-central1 region.

You want to follow Google-recommended practices. What should you do?

a. Configure a subnetwork in the same VPC, located in us-west3.
b. Build the new instance into the new subnetwork.
c. Use the IP address of the instance in us-central1 as the endpoint.
a. Configure a VPC with a subnetwork in us-west3.
b. Expose the instance using an internal load balancer.
c. Provision a new instance in the new subnetwork.
d. Use the load balancer’s IP address as the endpoint.
a. Using the same VPC, create a subnetwork in us-west3.
b. Utilize Cloud VPN to establish a connection between the two subnetworks.
c. Provision a new instance in the new subnetwork.
d. Use the first instance’s private IP address as the endpoint.
a. Configure a VPC with a subnetwork in the us-west3 region.
b. Use VPC Peering to allow connectivity between the two VPCs.
c. Provision a new instance in the new subnetwork.
d. Use the first instance’s private IP address as the endpoint.

Show me the answer!

Correct Answer: 1

For many simple use cases, a single VPC network provides the features that you need, while being easier to create, maintain, and understand than the more complex alternatives. By grouping resources with common requirements and characteristics into a single VPC network, you begin to establish the VPC network border as the perimeter for potential issues.

A single VPC can span multiple regions without communicating across the public internet. For on-premises, you can share a connection between VPC and on-premises resources with all regions in a single VPC.

Hence, the correct answer is:

1. Configure a subnetwork in the same VPC, located in us-west3.

2. Build the new instance into the new subnetwork.

3. Use the IP address of the instance in us-central1 as the endpoint.

The following option is incorrect because load balancers only help you create an endpoint for your application. This will not be enough to connect the instances deployed in us-central1 and us-west1 regions.

1. Configure a VPC with a subnetwork in us-west3.

2. Expose the instance using an internal load balancer.

3. Provision a new instance in the new subnetwork.

4. Use the load balancer’s IP address as the endpoint.

The following option is incorrect because Cloud VPN is only used for hybrid networking solutions. Cloud VPN is mainly used for creating a connection between your on-premises infrastructure and GCP resources.

1. Using the same VPC, create a subnetwork in us-west3.

2. Utilize Cloud VPN to establish a connection between the two subnetworks.

3. Provision a new instance in the new subnetwork.

4. Use the first instance’s private IP address as the endpoint.

The following option is incorrect because creating a new VPC and setting up VPC peering is unnecessary since two regions in the same VPC can communicate with each other without extra steps as long as the subnetwork CIDR ranges do not overlap.

1. Configure a VPC with a subnetwork in the us-west3 region.

2. Use VPC Peering to allow connectivity between the two VPCs.

3. Provision a new instance in the new subnetwork.

4. Use the first instance’s private IP address as the endpoint.

References:
https://cloud.google.com/vpc/docs/vpc-peering
https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.

For more Google Cloud practice exam questions with detailed explanations, check out the Tutorials Dojo Portal: