In this blog, we will discuss the backbone of any cloud vendor: networking. We will also review hybrid networking and connectivity. Whether you are migrating to the cloud or deploying your applications on Google Cloud for the very first time, you need to design and implement scalable networks. Let's explore what this network looks like in Google Cloud.
What is a VPC?
A VPC, or Virtual Private Cloud, is a software-defined, private and isolated virtual network. Think of it as the home for every resource you create in Google Cloud. The major advantage of Google's VPC over other cloud vendors' is that you are not bound to a specific geographical region: a VPC in Google Cloud is global by design.
But what's the benefit of VPC being global?
If VPCs were regional by design, resources would be created in a specific VPC assigned to a particular region. To enable cross-regional communication between those resources, you would have had to use services such as VPN, adding deployment cost and overhead. A VPC is made up of several components:
- Firewall rules
Do all the services need a VPC?
The answer is no. Only Compute Engine virtual machine (VM) instances, and the Google Cloud products built on them, such as Google Kubernetes Engine (GKE) clusters and App Engine flexible environment instances, require a VPC.
What are subnets?
The entire network is segmented into multiple smaller networks, or IP ranges, for easier implementation and management of resources. Subnets are regional resources and have IP address ranges associated with them. A network must have at least one subnet before you can use it.
There are two types of VPC:
- Auto-mode VPC: Auto-mode VPC networks create subnets in each region automatically.
- Custom-mode VPC: Custom-mode VPC networks start with no subnets, giving you full control over subnet creation. You can create more than one subnet per region.
As soon as you create an account in Google Cloud, a VPC named default is created (it is an auto-mode VPC). If you forget to select a network, the default VPC is picked automatically.
Types of IP Stacks
- Single Stack: Supports only IPv4 addresses. It is supported on both auto-mode and custom-mode VPCs.
- Dual Stack: Supports both IPv4 and IPv6 addresses. It is supported only on custom-mode VPCs.
Things to keep in mind while designing a subnet:
What are Firewall Rules?
They are similar to the firewall rules on physical machines. Firewall rules allow or deny connections to or from your virtual machine (VM) instances based on a configuration that you specify.
Types of Traffic
Whether traffic is ingress or egress is relative: the same flow is egress for the sender and ingress for the receiver. In Google Cloud, traffic is classified from the perspective of the VPC.
- Ingress: It is the incoming traffic, i.e., requests coming inside the VPC.
- Egress: It is the outgoing traffic, i.e., requests going outside the VPC.
Components of Firewall Rules
- Direction: Google Cloud offers Ingress and Egress as the direction.
- Priority: Priority is the precedence given to a particular firewall rule. It ranges from 0 to 65535, where 0 is the highest priority and 65535 the lowest. For instance, suppose one firewall rule blocks TCP traffic with priority 1000 and another allows all TCP traffic with priority 1. In this scenario all TCP traffic is allowed, because the second rule has the higher priority.
- Actions on matches: When traffic matches your parameters, you can either allow or deny that traffic.
- Network: You need to define the network to which you are applying the firewall rules.
- Targets: These are the end targets to which this firewall rule will be applied. Google Cloud offers three types of target options:
  - All instances in the network: This option applies the firewall rule to all the instances in the network.
  - Specified target tags: The firewall rule applies only to instances in the VPC network with a matching network tag.
  - Specified service accounts: The firewall rule applies only to instances in the VPC network that use a specific service account.
- Source or Destination: The direction of the firewall rule determines the possible values for the source and destination parameters.
- Ports and Protocols: The firewall rule will be applied only for these protocols and ports. For instance, if you want to allow only ssh traffic, then enter the protocol as ssh and port as 22.
- Logs: Every hit on the firewall rule is logged. It is preferable to turn logging off, as enabling it produces a large number of logs, which ultimately increases Cloud Logging cost.
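The priority semantics described above, worked through as a small evaluator (an added example, not code from the original post or from Google Cloud): it orders rules by priority, includes the implied allow-egress and deny-ingress rules every VPC network has at priority 65535, and shows the text's deny-at-1000 versus allow-at-1 case next to a tighter rule set. The rule field names, the corporate range 203.0.113.0/24 and the network tag bastion are assumptions.

```python
from ipaddress import ip_address, ip_network

def rule(name, direction, priority, action, protocol, ports=None,
         sources=("0.0.0.0/0",), target_tags=None):
    """One firewall rule; field names are this example's own, not the Compute Engine API."""
    return {"name": name, "direction": direction, "priority": priority, "action": action,
            "protocol": protocol, "ports": ports, "target_tags": target_tags,
            "peers": [ip_network(s) for s in sources]}

# Implied rules present in every VPC network: allow all egress and deny all ingress,
# both at the lowest priority 65535, so any rule you define overrides them.
IMPLIED = [rule("implied-allow-egress", "EGRESS", 65535, "allow", "all"),
           rule("implied-deny-ingress", "INGRESS", 65535, "deny", "all")]

# Constructed rule set reproducing the text's example: deny TCP at 1000, allow TCP at 1.
PAGE_RULES = [rule("deny-all-tcp", "INGRESS", 1000, "deny", "tcp"),
              rule("allow-all-tcp", "INGRESS", 1, "allow", "tcp")]

# Constructed hardened set: keep the broad TCP deny, allow SSH only from an assumed
# corporate range (203.0.113.0/24) to instances carrying the network tag "bastion".
HARDENED_RULES = [rule("deny-all-tcp", "INGRESS", 1000, "deny", "tcp"),
                  rule("allow-ssh-bastion", "INGRESS", 900, "allow", "tcp", ports={22},
                       sources=("203.0.113.0/24",), target_tags={"bastion"})]

def matches(r, direction, peer, protocol, port, instance_tags):
    """peer is the source address for INGRESS and the destination for EGRESS."""
    if r["direction"] != direction or r["protocol"] not in ("all", protocol):
        return False
    if r["ports"] is not None and port not in r["ports"]:
        return False
    if r["target_tags"] is not None and not (r["target_tags"] & instance_tags):
        return False
    return any(ip_address(peer) in net for net in r["peers"])

def evaluate(rules, direction, peer, protocol, port, instance_tags=frozenset()):
    """Return (action, rule name) of the first matching rule in priority order:
    lower number wins, and at equal priority a deny takes precedence over an allow."""
    ordered = sorted(rules + IMPLIED, key=lambda r: (r["priority"], r["action"] != "deny"))
    for r in ordered:
        if matches(r, direction, peer, protocol, port, set(instance_tags)):
            return r["action"], r["name"]
    raise RuntimeError("unreachable: the implied rules match every packet")

if __name__ == "__main__":
    print(evaluate(PAGE_RULES, "INGRESS", "198.51.100.7", "tcp", 443))
    print(evaluate(HARDENED_RULES, "INGRESS", "203.0.113.5", "tcp", 22, {"bastion"}))
    print(evaluate(HARDENED_RULES, "INGRESS", "203.0.113.5", "tcp", 22, {"web"}))
    print(evaluate(HARDENED_RULES, "INGRESS", "198.51.100.7", "udp", 53))
    print(evaluate(HARDENED_RULES, "EGRESS", "8.8.8.8", "tcp", 443))
```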
For the best practices for defining firewall rules, you can follow the Google Cloud Documentation.
As soon as you create an account in Google Cloud, four firewall rules are created by default, namely:
What are Routes?
Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside your Google Cloud Virtual Private Cloud (VPC) network or outside it. In a VPC network, a route consists of a single destination prefix in CIDR format and a single next hop. When an instance in a VPC network sends a packet, Google Cloud delivers the packet to the route's next hop if the packet's destination address is within the route's destination range.
By default, Google Cloud creates routes automatically for the default VPC network.
What is RFC 1918?
As IPv4 addresses were running out, a long time ago three CIDR blocks were set aside for internal use only, i.e., organizations were authorized to use these ranges within their isolated networks. In Google Cloud, only three services support RFC 1918, namely Direct Interconnect, Partner Interconnect, and VPN (Classic and HA). The three reserved CIDR blocks are:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
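To apply the RFC 1918 ranges above together with the subnet design points from earlier (regional ranges that must be valid prefixes and must not overlap each other, peered networks, or on-premises ranges reachable over VPN or Interconnect), here is an added Python checker; it is not from the original post or from Google Cloud, and the subnet names and the on-premises range 10.20.0.0/16 are constructed.

```python
from ipaddress import ip_network

# The three RFC 1918 blocks listed in the text, as CIDR prefixes.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def is_rfc1918(cidr):
    """True if the whole IPv4 range lies inside one of the RFC 1918 blocks."""
    net = ip_network(cidr, strict=True)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)

def check_subnet_plan(subnets, reserved=()):
    """Validate a subnet plan and return a list of (subnet name, problem).
    subnets: {name: cidr}. reserved: ranges already in use elsewhere, such as
    on-premises prefixes reachable over VPN/Interconnect or peered VPC subnets,
    which the new subnets must not overlap."""
    findings, nets = [], {}
    for name, cidr in subnets.items():
        try:
            nets[name] = ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            findings.append((name, f"invalid range: {exc}"))
            continue
        if not is_rfc1918(cidr):
            findings.append((name, "not in an RFC 1918 block"))
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append((a, f"overlaps subnet {b}"))
    for name, net in nets.items():
        for r in reserved:
            if net.overlaps(ip_network(r)):
                findings.append((name, f"overlaps reserved range {r}"))
    return findings

if __name__ == "__main__":
    # Constructed plan: two overlapping subnets, one non-RFC 1918 range, and a
    # subnet colliding with an assumed on-premises range 10.20.0.0/16.
    plan = {"us-east1-app": "10.10.0.0/20", "us-east1-db": "10.10.8.0/22",
            "europe-west1-app": "10.20.0.0/20", "legacy": "100.64.0.0/24"}
    for finding in check_subnet_plan(plan, reserved=["10.20.0.0/16"]):
        print(finding)
```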
What is a Cloud Router?
Cloud Routers are not like physical routers. Google Cloud Router enables dynamic route updates between your Compute Engine VPN and your non-Google network. Cloud Router eliminates the need to configure static routes and automatically discovers network topology changes.
To create a Cloud Router, you need to define a Network, a Region, and an ASN or Autonomous System Number.
What is Cloud NAT?
Cloud NAT (Network Address Translation) is the service that lets multiple virtual machines that keep only private IPs reach the public internet through a single public IP address. The advantage of Cloud NAT is that it reduces the attack surface of your VMs, preventing direct malicious attempts against your systems. Another advantage is that it is software-defined, so scaling and availability are not an issue.
What is a Shared VPC?
Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more service projects to it.
The only condition for shared VPC is that the projects must be in the same organization.
What is VPC Network Peering?
As your presence on Google Cloud grows, the complexity of your architecture grows with it. To maintain simplicity and reduce network overhead, VPC Network Peering was created. Google Cloud VPC Network Peering allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks, regardless of whether they belong to the same project or the same organization. VPC Network Peering lets you connect VPC networks so that workloads in different VPC networks can communicate internally. Traffic stays within Google's network and does not traverse the public internet. Each side of a peering association is set up independently, and peering becomes active only when the configuration on both sides matches.
What is Private Service Connect?
It is a fully managed service used to set up private connectivity to third-party or Google services across different networks, projects, or organizations. You just need to create a Private Service Connect endpoint and a service attachment. The advantage of using it is that it reduces network management by removing the need for proxies, and it keeps traffic internal to Google's network, which makes it secure.
What is a Cloud VPN?
It is one of the most common services for implementing hybrid connectivity in Google Cloud. Cloud VPN, or Virtual Private Network, works much like the VPNs we use day to day: it carries traffic over the public internet but encrypts it. Traffic traveling between the two networks is encrypted by one VPN gateway and decrypted by the other. As of now, Google Cloud offers two types of VPN, namely:
- Classic VPN: Classic VPN gateways have a single interface, a single external IP address, and support tunnels that use static routing (policy-based or route-based). You can also configure dynamic routing (BGP) for Classic VPN, with an SLA of 99.9% service availability.
- HA VPN: HA VPN is a high-availability (HA) Cloud VPN solution that lets you securely connect your on-premises network to your VPC network through an IPsec VPN connection in a single region. HA VPN provides an SLA of 99.99% service availability.
To learn more about the differences between HA VPN and Classic VPN, refer to the table below.
What is Cloud Interconnect?
It is the option explored by organizations that are certain about shifting to Google Cloud and want to work very closely with Google Cloud services at very low latency. Cloud Interconnect provides low-latency, highly available connections that let you reliably transfer data between your on-premises and Google Cloud Virtual Private Cloud (VPC) networks. Its major advantages are reduced egress cost, traffic that traverses privately, less network overhead, and very high throughput. As of now, Google Cloud supports two types of Interconnect, namely:
- Dedicated Interconnect: It provides a direct physical connection between your on-premises network and Google's network.
- Partner Interconnect: It provides connectivity between your on-premises and VPC networks through a supported service provider.
What is Peering?
Peering is the last option in the hybrid networking toolbox. It is often used when latency is not a major concern, you are not ready to invest in Interconnect, and deploying Cloud VPN is not feasible. The typical use case for peering is connecting to Google Workspace. Google Cloud offers peering in two modes, namely:
- Direct Peering: Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects.
- Carrier Peering: Carrier Peering enables you to access Google applications, such as Google Workspace, by using a service provider to obtain enterprise-grade network services that connect your infrastructure to Google.
Cloud networking is a broad topic, and nearly every service has a 1:1 relationship with networking. Apart from the services above, below are some frequently used services in the networking domain.
Cloud Armor has an equal footprint in security and networking. It helps you protect your Google Cloud deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks such as cross-site scripting (XSS) and SQL injection (SQLi). Google Cloud Armor offers some automatic protections and some that you need to configure manually. You can deny specific suspicious IP addresses and create multiple policies as you see fit. To learn more about the Cloud Armor service, head over to the Google Cloud Documentation.
Cloud DNS or Domain Name System is a high-performance, resilient, global DNS service that publishes your domain names to the global DNS in a cost-effective way. DNS is a hierarchical distributed database that lets you store IP addresses and other data and look them up by name. To learn more about the Cloud DNS service, head over to the Google Cloud Documentation.
Cloud CDN (Content Delivery Network) uses Google's global edge network to serve content closer to users, which accelerates your websites and applications. It is best used together with the HTTP(S) Load Balancer. To learn more about the Cloud CDN service, head over to the Google Cloud Documentation.