Google is global, so as a customer of Google Cloud Platform (GCP) one can easily leverage the benefits of GCP and establish a global presence with ease.
With the reliable, secure and highly available cloud platform that Google offers, users can build robust service offerings on top of the GCP stack. This not only gives them a strong and reliable infrastructure but also an opportunity to easily integrate the latest solutions and services with their own product offerings.
Networking is the most important component of any software stack, and this holds for cloud computing as well. It's the networking that connects all your resources and services to one another.
GCP uses a software-defined network built on top of Google's global fibre infrastructure. In this write-up we plan to share some of the most widely used networking components of GCP. The following items are covered as part of this write-up:
Virtual Private Cloud (often referred as VPC)
Load Balancers in Google Cloud
Cloud Identity and Access Management
Hybrid Connectivity
Let's start with the most important part of any cloud architecture, i.e. setting up the network foundations.
Virtual Private Cloud (VPC)
GCP consists of regions, zones and points of presence (also referred to as PoPs). GCP can bring its traffic closer to its peers because of its extensive, widely spread global network. This not only reduces costs but also gives users a better experience and lower latency.
A VPC is just a virtual version of your physical network, implemented inside Google's production network. A VPC provides users a level of isolation; these isolated environments in the cloud are referred to as virtual private clouds, where the resources provisioned in the cloud infrastructure are not shared with any other users.
Building resources in a VPC gives users an opportunity to build a secure environment.
In Google Cloud Platform, you can create your GCP resources, connect them with each other and isolate them from one another inside a virtual private cloud.
The following are the VPC objects that you will often come across while creating a new VPC.
1. Projects - hold all the objects and resources that you are going to provision, like buckets, Compute Engine instances etc. They help you organise GCP resources. A project usually contains an entire network.
2. Networks - there are 3 types of network offered in GCP. Each has its own reasons to be chosen while designing for a use case. These 3 types are described below:
2.1. Default : Unless disabled, each new project starts with a default network. The default network is an auto mode VPC network with pre-populated IPv4 firewall rules.
2.2. Auto mode : auto mode VPC networks are easy to set up and use. They are well suited for general use cases where you need subnets created automatically in each region.
Auto mode networks are useful for early exploration. However, custom networks are the recommended and preferred option for production environments.
2.3. Custom : the most flexible and the preferred method for production. It provides complete control over the subnets created in your VPC network, including their regions and IP address ranges.
3. Subnetworks - are regional resources, and each subnet defines a range of IP addresses. This allows you to divide/segregate your environment based on IP ranges.
4. Regions/Zones - represent the Google data centres where the resources will be provisioned; they provide security, reliability and high availability.
5. IP addresses (Internal/External) - In GCP, each VM can have two IP addresses assigned to it: an internal IP and an external IP.
- The internal IP is assigned by DHCP.
- The external IP is optional and is mostly required when the application is internet facing.
As a matter of fact, the external IP address is unknown to the OS of the VM. The external IP address is mapped to the VM's internal address transparently by the VPC.
Sometimes there is a requirement to disable internet access while you still need to reach the Google APIs to perform various tasks. In such scenarios you can enable private access to Google APIs in your VPC.
6. Resources in GCP refer to the different objects in Google Cloud like projects, folders, service accounts, Compute Engine instances etc.
7. Routes : By default, every network has routes that let instances in a network send traffic directly to each other. Having the routes alone does not ensure that packets are transferred; you must also have the corresponding firewall rules in place.
The default routes can be disabled by setting up the appropriate organisation policy.
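To make the route behaviour concrete, here is an added example (not code from the original post) that models a VPC-style route table: every subnet gets its own route, the 0.0.0.0/0 route to the internet gateway is optional (it can be absent, as when an organisation policy removes it), and selection follows the longest-prefix-wins rule with the lowest priority number breaking ties. Subnet names, CIDRs, tunnel names and the priority 0 given to subnet routes are constructed assumptions for this model; firewall evaluation is a separate step and is not modelled here.

```python
"""Route selection in a VPC-style route table.

Added example, not code from the original post. It models two facts stated in
the text: every subnet gets its own route, and the default route to the internet
is optional (it can be removed by an organisation policy). Selection follows the
rule GCP documents: the most specific destination (longest prefix) wins, and
among routes with the same prefix length the lowest priority number wins.
Subnet names, CIDRs and next hops below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    name: str
    dest: ipaddress.IPv4Network
    next_hop: str
    priority: int  # lower number = higher priority


def build_routes(subnets: dict, default_internet_route: bool = True) -> list:
    """Return the system routes for a network: one route per subnet, plus the
    optional 0.0.0.0/0 route to the internet gateway. Subnet routes are given
    priority 0 in this model so they always rank first at equal prefix length."""
    routes = [
        Route(f"subnet-route-{name}", ipaddress.ip_network(cidr), f"subnet:{name}", 0)
        for name, cidr in subnets.items()
    ]
    if default_internet_route:
        routes.append(Route("default-route", ipaddress.ip_network("0.0.0.0/0"),
                            "default-internet-gateway", 1000))
    return routes


def select_route(routes: list, dst_ip: str) -> Optional[Route]:
    """Pick the route that would carry a packet to dst_ip, or None if no route
    matches (the packet is dropped before any firewall rule is consulted)."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in r.dest]
    if not candidates:
        return None
    # Longest prefix first; ties broken by the lowest priority number.
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.priority))


# Constructed sample network: two subnets plus two static routes for an
# on-premises range, the second one a lower-priority backup tunnel.
SUBNETS = {"web": "10.10.0.0/24", "db": "10.20.0.0/24"}
SAMPLE_ROUTES = build_routes(SUBNETS) + [
    Route("to-onprem", ipaddress.ip_network("192.168.0.0/16"), "vpn-tunnel:onprem-1", 1000),
    Route("to-onprem-backup", ipaddress.ip_network("192.168.0.0/16"), "vpn-tunnel:onprem-2", 2000),
]


def next_hop_for(dst_ip: str, routes: list = SAMPLE_ROUTES) -> Optional[str]:
    """Convenience wrapper: the next hop name for dst_ip, or None if unroutable."""
    route = select_route(routes, dst_ip)
    return route.next_hop if route else None


if __name__ == "__main__":
    for ip in ("10.10.0.5", "192.168.5.1", "8.8.8.8"):
        print(ip, "->", next_hop_for(ip))
    # With the default route removed, internet destinations have no route at all.
    print("8.8.8.8 (no default route) ->", next_hop_for("8.8.8.8", build_routes(SUBNETS, False)))
```

Running the block shows the subnet route winning for 10.10.0.5 over the catch-all, the primary tunnel winning over the backup for the on-premises range because of its lower priority number, and an internet address becoming unroutable once the default route is gone.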
8. Firewall rules protect your instances from unapproved connections, both inbound and outbound. Firewall rules are defined for the network as a whole, but connections are allowed or denied at the instance level. Firewall rules are stateful, i.e. if a connection is allowed then all subsequent traffic in the same connection is also allowed.
The following are some of the key parameters to keep in mind while configuring firewall rules:
- Direction : ingress/egress
- Source or Destination : IP addresses, tags or service accounts
- Protocols and ports
- Action
- Priority
- Rule assignment
Hierarchical firewall policies : an allow rule in a hierarchical firewall policy overrides any deny rule that has a lower priority or that sits at a lower level in the hierarchy.
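The following added example (not code from the original post) models how the parameters above and the hierarchy interact: organisation and folder policies are evaluated before the VPC network's own rules, at each level the matching rule with the lowest priority number wins, an allow found higher up overrides a deny further down, a policy rule can defer to the next level, and when nothing matches the implied rules apply (ingress denied, egress allowed). The rule names, tags, the 203.0.113.0/24 "corporate" range and the simplified matching logic (tags rather than service accounts, no stateful tracking) are constructed assumptions.

```python
"""Firewall rule evaluation with hierarchical policies.

Added example, not code from the original post. It models the evaluation
order described in the text: hierarchical firewall policies (organisation,
then folder) are evaluated before the VPC network's own rules; at each level
the matching rule with the lowest priority number wins; an allow found at a
higher level overrides a deny further down; a policy rule can also defer to
the next level ("goto_next"). If no rule anywhere matches, GCP's implied
rules apply: ingress is denied and egress is allowed. Rule names, tags and
address ranges are constructed sample data; 203.0.113.0/24 stands in for a
corporate VPN range.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow", "deny" or "goto_next"
    priority: int                   # lower number is evaluated first
    protocol: str = "all"           # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()  # empty = any port
    remote_ranges: tuple = ("0.0.0.0/0",)   # source for ingress, destination for egress
    target_tags: frozenset = frozenset()    # empty = applies to all instances


@dataclass(frozen=True)
class Packet:
    direction: str
    remote_ip: str                  # peer address: source for ingress, destination for egress
    protocol: str
    port: int
    instance_tags: frozenset = frozenset()


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    if rule.target_tags and not (rule.target_tags & pkt.instance_tags):
        return False
    remote = ipaddress.ip_address(pkt.remote_ip)
    return any(remote in ipaddress.ip_network(r) for r in rule.remote_ranges)


def first_match(rules, pkt: Packet):
    # Lowest priority number first; at equal priority a deny is checked before an allow.
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if matches(rule, pkt):
            return rule
    return None


def evaluate(levels, pkt: Packet):
    """levels: ordered (name, rules) pairs from the top of the hierarchy down.
    Returns the final action and a trace of the decision at each level."""
    trace = []
    for level_name, rules in levels:
        rule = first_match(rules, pkt)
        if rule is None:
            trace.append(f"{level_name}: no match")
            continue
        trace.append(f"{level_name}: {rule.name} -> {rule.action}")
        if rule.action in ("allow", "deny"):
            return rule.action, trace
        # goto_next: this level declines to decide, fall through to the next one
    implied = "deny" if pkt.direction == "INGRESS" else "allow"
    trace.append(f"implied rule -> {implied}")
    return implied, trace


# Constructed sample hierarchy.
ORG_POLICY = [
    Rule("allow-corp-ssh", "INGRESS", "allow", 50, "tcp", frozenset({22}), ("203.0.113.0/24",)),
    Rule("deny-internet-ssh", "INGRESS", "deny", 100, "tcp", frozenset({22})),
]
FOLDER_POLICY = [
    Rule("defer-web", "INGRESS", "goto_next", 200, "tcp", frozenset({443})),
]
VPC_RULES = [
    Rule("allow-web-443", "INGRESS", "allow", 1000, "tcp", frozenset({443}), target_tags=frozenset({"web"})),
    # A permissive project-level rule that the organisation policy above overrides.
    Rule("allow-any-ssh", "INGRESS", "allow", 1000, "tcp", frozenset({22}), target_tags=frozenset({"ssh"})),
]
LEVELS = [("org", ORG_POLICY), ("folder", FOLDER_POLICY), ("vpc", VPC_RULES)]


def decide(pkt: Packet) -> str:
    """Final allow/deny for a packet against the sample hierarchy."""
    return evaluate(LEVELS, pkt)[0]


if __name__ == "__main__":
    print(evaluate(LEVELS, Packet("INGRESS", "198.51.100.7", "tcp", 22, frozenset({"ssh"}))))
    print(evaluate(LEVELS, Packet("INGRESS", "198.51.100.7", "tcp", 443, frozenset({"web"}))))
```

The trace is the useful part when debugging: it shows that the project's own allow-any-ssh rule never gets a say for SSH from the internet because the organisation policy already denied it, while port 443 passes through the folder's goto_next and is decided by the VPC rule.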
9. Multiple network interfaces : You can attach additional network interfaces (NICs) to your VMs. Multiple network interfaces enable a configuration in which an instance connects directly to several VPC networks. Each of these instances must also have an internal IP address.
Multiple NICs help address situations where communication between different networks is required.
We will now cover the next important item in our list, i.e. the load balancers in Google Cloud.
Load Balancers in Google Cloud
Load balancers sit in front of your servers and route client requests across the configured servers that are capable of fulfilling those requests.
They efficiently distribute incoming traffic across multiple servers.
Cloud Load Balancing allows you to put your resources behind a single IP address that is either externally accessible or internal to the virtual private cloud (VPC) network.
Global load balancers : backends for global load balancers can span different regions. The following types of global load balancer are available:
- HTTP(S) LB
- SSL Proxy
- TCP Proxy
Regional load balancers : backends span a single region but can be in different zones. The following types of regional load balancer are available in GCP:
- Network LB
- Internal L4 LB
- Internal HTTP(S) LB
Cloud Identity and Access Management (Cloud IAM)
It is a way of defining who can perform what actions on which cloud resources.
This section focuses on controlling access to VPC networks.
Identity and Access Management is a way of identifying the users/accounts performing actions on GCP resources. With Cloud IAM we can set policies at different levels, where a policy contains a set of roles and members.
One more term you should be familiar with is the "principle of least privilege", which is often referred to as the best practice in any cloud environment.
Members: There are 5 different types of member, which define the "who" part:
(i) Google Accounts : represent a developer, administrator or any other individual who interacts with GCP.
(ii) Service Accounts : represent an account that belongs to your application instead of to an individual user. Usually different service accounts are created for different logical components of an application to ensure better separation of access and logic.
(iii) Google groups : a named collection of Google accounts and service accounts, with a unique address for each group.
(iv) G Suite domains : represent a virtual group of all the Google accounts created in an organisation's G Suite account.
(v) Cloud Identity domains : like a G Suite domain, represent a virtual group of all the Google accounts in an organisation.
Roles:
In this section we discuss the "which" part of Cloud IAM. In Cloud IAM there are 3 types of roles:
1. Basic roles : roles that provide broad access to different resources. There are 4 basic roles : Viewer, Editor, Owner and Billing Administrator
2. Predefined roles : these provide granular access to a specific service and are managed by Google Cloud.
3. Custom roles : these are user-defined roles that let you bundle one or more supported permissions to meet your specific needs.
Actions:
The actions that can be performed on cloud resources are an interesting and wide topic. To keep it simple, I have tried to summarise them under some commonly used words that denote an "action".
Action covers the "what" part, and this "what" part comprises verbs like creating resources, deleting resources, editing resources and viewing resources.
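Putting the members, roles and actions together, here is an added example (not code from the original post) that computes who can do what on which resource across a resource hierarchy, and runs a small least-privilege audit for basic roles. Policies set on a folder or organisation are inherited by everything beneath them, so effective access is the union of the bindings on a resource and on all its ancestors. The role-to-permission table, the member names, the folder and project names and the organisation id are constructed assumptions (real roles carry far more permissions than listed here).

```python
"""Effective IAM access across the resource hierarchy.

Added example, not code from the original post. It models the three parts the
text describes: members (who), roles that bundle permissions (what), and
policies attached at different levels of the resource hierarchy (which). A
policy set on a folder or organisation is inherited by everything beneath it,
so effective access is the union of the bindings on a resource and on all of
its ancestors. The role-to-permission table is a small constructed subset,
not the full GCP role definitions, and the members, projects and folders are
constructed sample values.
"""
from typing import Dict, Iterator, List, Optional, Set, Tuple

Binding = Tuple[str, str]  # (role, member)

# Constructed subset of the permissions carried by a few roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {"compute.instances.get", "compute.instances.list", "compute.networks.get"},
    "roles/editor": {"compute.instances.get", "compute.instances.list", "compute.instances.create",
                     "compute.instances.delete", "compute.networks.get", "compute.firewalls.create"},
    "roles/owner": {"compute.instances.get", "compute.instances.list", "compute.instances.create",
                    "compute.instances.delete", "compute.networks.get", "compute.firewalls.create",
                    "resourcemanager.projects.setIamPolicy"},
    "roles/compute.networkViewer": {"compute.networks.get", "compute.subnetworks.get"},
    "roles/compute.securityAdmin": {"compute.firewalls.create", "compute.firewalls.update",
                                    "compute.firewalls.delete"},
}
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}

# Constructed hierarchy: resource -> parent (None at the organisation root).
PARENT: Dict[str, Optional[str]] = {
    "organizations/123456": None,
    "folders/prod": "organizations/123456",
    "projects/prod-web": "folders/prod",
    "projects/prod-db": "folders/prod",
    "projects/sandbox": "organizations/123456",
}

# Constructed policies: resource -> bindings attached directly to it.
POLICIES: Dict[str, List[Binding]] = {
    "organizations/123456": [("roles/compute.networkViewer", "group:netops@example.com")],
    "folders/prod": [("roles/compute.securityAdmin", "group:seceng@example.com")],
    "projects/prod-web": [("roles/editor", "user:alice@example.com")],
    "projects/sandbox": [("roles/editor", "serviceAccount:ci@sandbox.iam.gserviceaccount.com")],
}


def ancestors(resource: str, parent: Dict[str, Optional[str]] = PARENT) -> Iterator[str]:
    """Yield the resource itself, then each ancestor up to the organisation."""
    node: Optional[str] = resource
    while node is not None:
        yield node
        node = parent[node]


def effective_roles(resource: str, member: str, policies=POLICIES, parent=PARENT) -> Set[str]:
    """Roles the member holds on the resource, including inherited ones."""
    return {role for node in ancestors(resource, parent)
            for role, m in policies.get(node, []) if m == member}


def has_permission(resource: str, member: str, permission: str,
                   policies=POLICIES, parent=PARENT) -> bool:
    """True if any effective role of the member grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(resource, member, policies, parent))


def basic_role_grants(root: str, policies=POLICIES, parent=PARENT) -> List[Tuple[str, str, str]]:
    """Least-privilege audit: every (resource, role, member) beneath root where a
    broad basic role is bound instead of a predefined or custom role."""
    findings = []
    for resource, bindings in sorted(policies.items()):
        if root not in ancestors(resource, parent):
            continue
        findings.extend((resource, role, member) for role, member in bindings if role in BASIC_ROLES)
    return findings


if __name__ == "__main__":
    print(has_permission("projects/prod-db", "group:seceng@example.com", "compute.firewalls.create"))
    for finding in basic_role_grants("organizations/123456"):
        print("basic role bound:", finding)
```

The audit function is the practical takeaway: it walks every policy beneath a root and reports bindings of Viewer, Editor or Owner, which is exactly the list you would review first when applying the principle of least privilege mentioned above.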
Hybrid Connectivity
Google supports multiple ways to connect your infrastructure with GCP.
The following approaches are covered below:
1. Cloud VPN
2. Dedicated Interconnect
3. Partner Interconnect
4. Direct Peering
5. Carrier Peering
Dedicated connection : a direct connection between the customer's on-premises network and Google's network, established through options like direct peering or dedicated interconnect.
Shared connection : an indirect connection that reaches Google's network through a partner, such as carrier peering or partner interconnect.
Cloud VPN : is Google's own virtual private network offering. It uses the public internet, but all traffic that passes through the tunnel is encrypted. This is a useful addition to carrier peering/direct peering.
One can also use Cloud VPN as the main connection between your own premises and the GCP VPC network.
Cloud VPN is an offering from GCP that lets your on-premises network establish connectivity with the GCP VPC network through a VPN tunnel. Traffic is encrypted at one end and decrypted at the other, ensuring that the data stays encrypted while travelling over the public internet.
There are two options to choose from :
1. Classic VPN gateways
2. HA VPN gateways