Google Virtual Private Cloud (VPC) Network
A Google VPC network is a global resource that provides network logical isolation. Their associated routes/firewall rules, are also global resources.
A Google VPC includes granular IP address range selection, routes, firewall, Virtual Private Network (VPN) and Google Cloud Router.
Each GCP project contains one or more VPC networks.
It has not IP ranges. IP ranges are assigned to subnets.
A network must have at least one subnet (virtual subnetworks).
Subnets are regional resources, located in a specific region (in one or more zones) and connected by a global wide area network.
Each subnet defines a range of IP addresses. Since they are regional, 2 instances in 2 subnets in 2 different regions can have the same IP addresses.
Resources and instances
The VPC connects the resources to each other and to the Internet.
When you create an instance or resource (Compute Engine VM instances, GKE clusters, and App Engine Flex instances) you select a zone, a network, and a subnet. GCP assigns the instance an IP address from the range of available addresses in the subnet.
Traffic to and from instances can be controlled with network firewall rules.
- Single VPC across all regions
- No cross region VPNs required
- No peering of regional VPCs required
- Single shared VCP
- Firewalls, Routes, VPN configured once
- Private IP space managed centrally
- Private access to Google APIs
- No need for public IPs to access Google services
- Encryption of data in transit
- Cloud Armor – secure the VPC perimeter
- Distributed firewalls
- Distributed network
- No choke points: weaked points that can be attacked
- High bandwidth and availability
- Andromeda control plane
- Support for Kubernetes via GKE
GCP offers two types of VPC networks – auto mode and custom mode.
On creating VPC network, you specify how Google Cloud Route will perform Dynamic Routing:
- Global: Google Cloud Route will learn routes from all regions
- Regional: Google Cloud Route will learn routes from its region.
You can also set a DNS server policy.
VPC network in auto mode
Each project starts with a default auto mode network. Default network contains also default firewall rules.
You can have up to 5 VPCs per project.
When an auto mode network is created, one subnet from each region is automatically created within it’s predefined IP ranges and new subnets are added when new regions become available.
Every subnet has a predefined /20 IP range, wich can be expanded up to /16 IP range. The predefined IP ranges of the subnets do not overlap with IP ranges you would use for different purposes (except for manually added ones).
I has an internet gateway and opened firewalls between subnets so that all resources can communicate.
VPC network in custom mode
When a custom mode network is created, no subnets are automatically created. This type of network provides you with complete control over its subnets and IP ranges.
You decide which subnets to create, in regions you choose, and using IP ranges you specify.
In custom VPC netowrks, one primary CIDR range is mandatory. You can optionally create secondary CIDR ranges.
When you create a subnet, you must define a primary IP address range and optionally up to five secondary IP address ranges:
- Primary IP address range: IP addresses used for either VM primary internal IP addresses, VM alias IP addresses, or the IP addresses of internal load balancers.
- Secondary IP address ranges: IP address ranges used only for alias IP addresses.
Reserved Ips: Every subnet has four reserved IP addresses in its primary IP range (no reserved IP addresses in the secondary IP ranges) e.g. 10.1.2.0/24
- Network: First address in the CIDR range 10.1.2.0
- Default Gateway: Second address in the CIDR range 10.1.2.1
- Second-to-last Reservation: Second-to-last CIDR range 10.1.2.254
- Broadcast: Last address in the primary CIDR range 10.1.2.255
Quotas and limits
- VPC do not support IPv6 within the network.
- VPC only support IPv4 unicast (multicast are not supported).
- VPC can have maximum 15000 VM machine instances (no limit per subnet).
VPC Flow Logs
VPC Flow Logs record a sample of network flows sent from and received by VM instances.
They can be used for network monitoring, forensics, real-time security analysis and expense optimization.
Flow logs are collected for each VM connection every certain time. Data is annotated and sent to Google Cloud Logging (formerly Stackdriver Logging) with the data and appropriate format.
Flow logs are stored in Google Cloud Logging for 30 days. However, you can export them to any supported destination.
On creating a VPC network, you can enable VPC Flow Logs for all or several subnets. You can specify aggregation interval, the sample rate and set whether you want additional metadata or not.
Network Service Tiers
- Premium tier: traffic in Google's premium backbone
- Highest performance.
- For services that need global availability.
- Default tier.
- Standard tier: regular ISP networks.
- Cost optimized: it routes the traffic from/to other zones over internet.
- For services hosted entirely within a region.
- Similar performance to other cloud providers.
It depends on networking tier.
- Billed for traffic egress:
- To the internet.
- To another VPC.
- From one region to another (in the same network).
- Between zones within region.
- Free traffic ingress.
- Free VM to VM traffic in single zone.
- Free traffic to GCP service (limit may apply).
Bastion Host is used to as proxy to connect to VMs that are not accessible from outside (they do not have external IP address).
Use Case: creation of a bastion host to access an internal application/database server for maintenance purposes.
Bastion host VM instance sits on the same subnet as the target VM instances.
NAT Gateway Host Isolation
A NAT Gateway is a VM instance that is setup with IP forwarding to another VM instance that has not external IP address.