Chief Characteristics
- Networks are organised under a Virtual Private Cloud (VPC) object
- A GCP VPC Network:
  - Is global in scope
  - Is not an IP subnet in the traditional sense but a more general term, as in “the core network” or “the data center network”
  - Consists of one or more regional sub-networks
  - Operates in one of 3 modes:
    - default: 1 non-overlapping subnet per region and default firewall rules allowing SSH, ICMP and RDP ingress and no egress restrictions
    - auto:
      - 1 non-overlapping /20 subnet per region from the 10.128.0.0/9 network => up to 2048 * /20 regional subnets
      - subnets can be expanded to /16 => up to 128 * /16 regional subnets
      - As new regions come online, a subnet is automatically added to the network from this range
    - custom:
      - No automatic subnets
      - Number and range of each subnet decided by the administrator and allocated from RFC 1918 address space
      - subnets must not overlap
  - auto-mode networks can be converted to custom-mode but not vice versa
- By default a project can have up to 5 networks but this quota can be increased
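The subnet arithmetic above, worked through in code. This is an added example, not part of the original notes: it models the auto-mode carve-up of 10.128.0.0/9 into /20 (or /16) blocks and validates a custom-mode plan against the two constraints the notes state (RFC 1918 space, no overlaps). Which block a given region actually receives in auto mode is an assumption of the model, not something the notes state; the plan values are constructed.

```python
# Added example (not from the original notes): a model of the auto-mode
# subnet carve-up and a validator for a custom-mode subnet plan, using the
# figures the notes give (10.128.0.0/9 split into /20s, expandable to /16;
# custom subnets from RFC 1918 space, non-overlapping).
import ipaddress

AUTO_MODE_RANGE = ipaddress.ip_network("10.128.0.0/9")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def auto_mode_capacity(prefix: int) -> int:
    """How many regional subnets of length /prefix fit in the auto-mode range."""
    if prefix < AUTO_MODE_RANGE.prefixlen:
        raise ValueError("prefix must be at least /9")
    return 2 ** (prefix - AUTO_MODE_RANGE.prefixlen)


def auto_mode_subnet(index: int, prefix: int = 20) -> ipaddress.IPv4Network:
    """The index-th /prefix block of the auto-mode range.  This is a model of
    the carve-up; which block a given region actually receives is an
    assumption, not something the notes state."""
    if not 0 <= index < auto_mode_capacity(prefix):
        raise ValueError(f"index {index} out of range for /{prefix}")
    base = int(AUTO_MODE_RANGE.network_address)
    return ipaddress.ip_network((base + index * 2 ** (32 - prefix), prefix))


def validate_custom_subnets(plan: dict) -> list:
    """Check a custom-mode plan {subnet_name: cidr}.  Returns a list of
    problems; an empty list means the plan satisfies the two constraints
    from the notes (RFC 1918 space, no overlaps)."""
    problems = []
    nets = {}
    for name, cidr in plan.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)   # reject host bits set
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{name}: {net} is not RFC 1918 address space")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    print(auto_mode_capacity(20), auto_mode_capacity(16))   # 2048 128
    print(auto_mode_subnet(0), auto_mode_subnet(2047))
    # Constructed plan: the last two subnets overlap.
    plan = {"eu-west1": "10.10.0.0/24", "us-east1": "10.20.0.0/24",
            "us-east1-b": "10.20.0.128/25"}
    for p in validate_custom_subnets(plan):
        print("problem:", p)
```

The validator runs every pair of subnets through `overlaps()` rather than only adjacent ones, so a plan that mixes prefix lengths (a /24 inside an earlier /16, for example) is still caught.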
Traffic Flow
- Workloads connected to subnets within the same VPC-Network can communicate over their Internal IPs, regardless of region
- Workloads connected to subnets in different VPC-Networks communicate over their external IPs via the public-facing Google Edge Routers (although traffic does not actually flow through the Internet)
- Customer sites can therefore connect to an entire VPC through a single VPN because once it’s connected, traffic inside the VPC is routed over the GCP private network only
- Because subnets are regional they can cross zones i.e. workloads on a given subnet can be placed in any zone in that region
IP Addressing
- Up to 2 IPs per VM: Internal and External
- Internal IPs
  - Assigned by DHCP
  - Automatically added to network-scoped DNS
- External IPs
  - Optional
  - Not known to the VM, i.e. an Instance only sees its Internal IP Address
  - Can be assigned from a Pool (Ephemeral) or Static
  - Unused External IPs, i.e. those not assigned to a VM or FW rule, are charged at a higher rate
  - Accessible from the Internet
  - DNS records can be published to an external public nameserver or an instance of Cloud DNS
- IP Alias Ranges
  - Assign an Internal IP range to the primary VM IP Address
  - Alias range can be defined from a subnet's Primary or Secondary CIDR range
  - Containers running on a VM may use the alias range, for example
  - VPC routes towards the alias range are automatically configured by GCP

DNS Resolution
- VM Hostname = Instance Name (name of the VM)
- A metadata server allocated to each Instance acts as the internal DNS resolver and forwards all other queries to Google's public DNS servers
- Mapping of Internal to External IPs is maintained by the VPC-Network
- Internal FQDN:
  - Resolves to the Internal IP: because this address is assigned by DHCP, the internal IP of an instance can change if it is deleted & re-created
  - Internal FQDN format: <hostname>.<zone>.c.<project-id>.internal
  - FQDN does not change if the instance is re-created
- External IPs can have public DNS records assigned (not done automatically)
  - Zones can be hosted on an existing public DNS server or the GCP service: Cloud DNS
- Cloud DNS is a managed DNS service hosted on GCP
  - Runs on Google's global network and provides a 100% uptime SLA
  - Scales to millions of DNS records updated from a UI, CLI or API
Routing
- All networks have routes that permit traffic between subnets
- A default route is used to direct traffic outside of the network
- The default network has pre-configured firewall rules that permit any-any traffic within the network, as shown below

- Whenever a network or subnet is added, a route is automatically created in the VM Routing Table towards that new IP network – you can think of it as a set of connected interfaces on a router
- Manually configured rules must be accompanied by a suitable Firewall rule
- A manually configured route applies to all instances (VMs) in a network where a network-tag is not specified
- If a tag is specified in the route, it is applied only to VMs matching that tag
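A route-selection model for the behaviour described in this section. This is an added example, not part of the original notes: it builds one route per subnet (as GCP does when a subnet is added), adds a default route for traffic leaving the network, and shows how a manually added route is applied to every instance unless it carries a network tag, in which case only instances with that tag see it. Route names, next hops and addresses are constructed.

```python
# Added example (not from the original notes): a route-selection model for
# the behaviour the notes describe: one route per subnet, a default route
# for traffic leaving the network, and manually added routes that apply to
# every instance unless they carry a network tag.  Names and values are
# constructed for the illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                        # destination CIDR
    next_hop: str                    # e.g. "subnet", "default-internet-gateway", an instance
    priority: int = 1000             # among equal prefix lengths, lower number wins
    tags: frozenset = frozenset()    # empty = applies to every instance in the network


def subnet_routes(subnets: dict) -> list:
    """One route per subnet, mirroring the route GCP adds whenever a subnet is created."""
    return [Route(f"subnet-{name}", cidr, "subnet") for name, cidr in subnets.items()]


def applicable_routes(routes, instance_tags=frozenset()) -> list:
    """The routes an instance sees: untagged routes plus those whose tag it carries."""
    return [r for r in routes if not r.tags or r.tags & instance_tags]


def select_route(routes, dst_ip: str, instance_tags=frozenset()):
    """Longest-prefix match over the instance's applicable routes; priority breaks ties.
    Returns None when no route covers the destination."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in applicable_routes(routes, instance_tags)
                  if ip in ipaddress.ip_network(r.dest)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


if __name__ == "__main__":
    table = subnet_routes({"eu": "10.128.0.0/20", "us": "10.132.0.0/20"}) + [
        Route("default-route", "0.0.0.0/0", "default-internet-gateway"),
        # manual route with a tag: only instances tagged "no-public-ip" use it
        Route("via-nat", "0.0.0.0/0", "nat-instance", priority=800,
              tags=frozenset({"no-public-ip"})),
    ]
    for dst, tags in (("10.132.0.7", frozenset()), ("8.8.8.8", frozenset()),
                      ("8.8.8.8", frozenset({"no-public-ip"}))):
        r = select_route(table, dst, tags)
        print(dst, sorted(tags), "->", r.name, "via", r.next_hop)
```

The tagged `via-nat` route only wins for instances that carry the tag; every other instance keeps using the default route. Note that the model covers route selection only; as the notes say, a manually configured route still needs a matching firewall rule before the traffic is actually permitted.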
Firewall
- A stateful distributed firewall is applied across all instances in a VPC network
- Implicit rules:
  - deny-all ingress
  - permit-all egress
RULE STRUCTURE
PARAMETER | DESCRIPTION |
---|---|
Name | 63 characters max, starting with a lowercase letter; can include numbers and hyphens but must not end with a hyphen |
Logs | On/Off; be aware that large volumes of logs increase Stackdriver costs |
Network | VPC Network to which this rule applies |
Priority | Default = 1000; rules with a lower number have higher priority |
Direction | Ingress/Egress |
Action on match | Allow/Deny |
Targets | All instances in network, specified target tags, or specified service account |
Source filter | IP ranges, source tags, or service account |
Destination filter | IP ranges only |
Protocols and Ports | Allow all, specific TCP and UDP ports, or other protocols e.g. icmp |
Enforcement | Disable or Enable rule |
Firewall rule structure
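The rule structure in the table, turned into an evaluator. This is an added example, not part of the original notes: each `Rule` carries the parameters from the table (priority, direction, action, targets by tag, source filter by IP range or source tag, protocols and ports, enforcement), and `evaluate()` applies the precedence the notes describe: lower priority number wins, and the implicit deny-all-ingress / permit-all-egress rules apply when nothing matches. The tie-break (a deny rule wins over an allow rule of the same priority) is GCP behaviour not stated in the notes. The rule set, tags and addresses are constructed, in the spirit of the default network's SSH/ICMP/RDP/internal rules described earlier.

```python
# Added example (not from the original notes): a model of the rule structure
# in the table above, evaluated with GCP's precedence: lower priority number
# wins, deny wins a tie, and the implicit rules (deny all ingress, allow all
# egress) apply when nothing matches.  All rules, tags and addresses below
# are constructed for the illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                        # "INGRESS" or "EGRESS"
    action: str                           # "ALLOW" or "DENY"
    priority: int = 1000                  # default 1000; lower number = higher priority
    ranges: tuple = ()                    # source ranges (ingress) / destination ranges (egress)
    source_tags: frozenset = frozenset()  # ingress only; no ranges and no tags = any source
    target_tags: frozenset = frozenset()  # empty = all instances in the network
    protocols: dict = field(default_factory=dict)  # {"tcp": {22}, "icmp": None}; {} = all
    enabled: bool = True                  # the Enforcement parameter


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str                         # "tcp", "udp", "icmp", ...
    port: Optional[int]                   # None for port-less protocols such as icmp
    remote_ip: str                        # source for ingress, destination for egress
    remote_tags: frozenset = frozenset()  # tags of the peer VM when it is in this VPC
    instance_tags: frozenset = frozenset()  # tags of the instance the rule is checked on


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if not rule.enabled or rule.direction != flow.direction:
        return False
    if rule.target_tags and not rule.target_tags & flow.instance_tags:
        return False
    ip = ipaddress.ip_address(flow.remote_ip)
    in_range = any(ip in ipaddress.ip_network(r) for r in rule.ranges)
    by_tag = flow.direction == "INGRESS" and bool(rule.source_tags & flow.remote_tags)
    if (rule.ranges or rule.source_tags) and not (in_range or by_tag):
        return False
    if rule.protocols:
        if flow.protocol not in rule.protocols:
            return False
        ports = rule.protocols[flow.protocol]
        if ports is not None and flow.port not in ports:
            return False
    return True


def evaluate(rules, flow: Flow) -> tuple:
    """Return (action, rule_name) for the first matching rule in precedence order."""
    # Lower number first; on equal priority a DENY rule is ordered before an ALLOW rule.
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "DENY")):
        if rule_matches(rule, flow):
            return rule.action, rule.name
    if flow.direction == "INGRESS":
        return "DENY", "implicit-deny-ingress"
    return "ALLOW", "implicit-allow-egress"


# Constructed rule set in the spirit of the default network's rules
# (SSH, ICMP, RDP and internal traffic allowed) plus two custom rules.
RULES = [
    Rule("allow-ssh", "INGRESS", "ALLOW", 65534, ("0.0.0.0/0",), protocols={"tcp": {22}}),
    Rule("allow-rdp", "INGRESS", "ALLOW", 65534, ("0.0.0.0/0",), protocols={"tcp": {3389}}),
    Rule("allow-icmp", "INGRESS", "ALLOW", 65534, ("0.0.0.0/0",), protocols={"icmp": None}),
    Rule("allow-internal", "INGRESS", "ALLOW", 65534, ("10.128.0.0/9",)),
    # custom: block SSH from one partner range, overriding allow-ssh by priority
    Rule("deny-ssh-partner", "INGRESS", "DENY", 900, ("198.51.100.0/24",),
         protocols={"tcp": {22}}),
    # custom: only instances tagged "db" accept 5432, and only from "app" VMs
    Rule("allow-app-to-db", "INGRESS", "ALLOW", 1000, source_tags=frozenset({"app"}),
         target_tags=frozenset({"db"}), protocols={"tcp": {5432}}),
]

if __name__ == "__main__":
    for f in (Flow("INGRESS", "tcp", 22, "203.0.113.5"),
              Flow("INGRESS", "tcp", 22, "198.51.100.7"),
              Flow("INGRESS", "tcp", 8080, "203.0.113.5"),
              Flow("EGRESS", "tcp", 443, "203.0.113.5")):
        print(f.direction, f.protocol, f.port, f.remote_ip, "->", evaluate(RULES, f))
```

Two things worth noticing when running it: the `deny-ssh-partner` rule at priority 900 beats the broader `allow-ssh` at 65534 purely on the priority number, and an ingress flow that matches nothing (tcp/8080 from an Internet address) falls through to the implicit deny, while the same flow in the egress direction falls through to the implicit allow.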

Pricing
- Ingress traffic is not charged unless processed by a chargeable GCP resource, e.g. a Load Balancer
- Responses to requests are seen as Egress traffic and therefore charged
- Egress traffic within a zone over Internal IPs is not charged i.e. traffic between VMs in the same zone over internal IPs
- Egress traffic towards GCP services such as Drive, Maps, YouTube etc. is not charged
- Egress traffic between zones over External IPs is chargeable
- External IPs are charged
  - Unused Static IPs charged at a higher rate than others
  - Static IPs charged higher than ephemeral
  - Lower charge for ephemeral IPs attached to preemptible VMs
- Up to date pricing information: https://cloud.google.com/vpc/network-pricing
- See also, pricing calculator to estimate costs: https://cloud.google.com/products/calculator/