Virtual Private Clouds (VPC) Flashcards
What is a Virtual Private Cloud?
A software version of a physical network that links resources in a project
What are some key points of a VPC? (7)
- automatically created when a project is created.
- global - spans the globe without relying on the public internet
- secure - traffic can be securely routed through Google's global network
- backend services can access other Google services without creating a public IP
- can be linked to on-premise VPNs using IPSec
- can use firewalls
- can use separate projects and billing accounts
- can contain subnets - subnets are regional and have a range of private internal IPs
What are some key points about subnets in a VPC? (7)
- can specify region
- can specify IP range
- can turn off Private Google Access, allowing VMs on the subnet to access Google services without assigning an external IP to the VM
- can turn off logging of network traffic
- can set up firewall rules
- dynamic routing option - global or regional
- can set up a DNS server policy so that DNS name resolution is handled by GCP, or can be customized
How do you create a VPC via shell?
gcloud compute networks create [VPC NAME] --subnet-mode=[auto|custom]
How do you create custom subnets for a VPC via shell?
gcloud compute networks subnets create [SUBNET NAME] --network=[VPC NAME] --region=[REGION] --range=[RANGE] --enable-private-ip-google-access --enable-flow-logs
How do you create a shared VPC and assign projects via shell?
- need to make sure you have the Shared VPC Admin role (compute.xpnAdmin)
- gcloud compute shared-vpc enable [HOST PROJECT ID]
- gcloud compute shared-vpc associated-projects add [SERVICE PROJECT ID] --host-project [HOST PROJECT ID]
At what levels can a shared VPC exist?
Folder or organization.
What is VPC peering?
allows inter-project traffic when an organization does not exist
How do you set up VPC peering via shell?
gcloud compute networks peerings create [PEER NAME] --network [VPC 1 NAME] --peer-project [PROJECT 2 NAME] --peer-network [VPC 2 NAME] --auto-create-routes
then run the same command from the other side, swapping project 1/VPC 1 with project 2/VPC 2
At what level are firewalls for VPC defined?
They are defined at the network level and are used to control the flow of traffic to VMs. They allow or deny traffic on a port and are applied in one direction (incoming or outgoing).
What are the components for VPC firewall rules (7)?
- direction - incoming or outgoing
- priority - the highest-priority matching rule is applied; lower-priority rules that also match are not applied. Range is 0 to 65535, where 0 is the highest priority
- action - allow or deny
- target - an instance to which the rules apply (all in a network, instances with particular network tag or instances using a specific service account)
- source/destination - source can be IP ranges, network tags, service accounts, or a combination; destination only uses IP ranges
- Protocol and port (TCP, UDP, ICMP etc…)
- enforcement status - enabled or disabled
What 2 implied rules do all VPCs start with?
- allows egress to all destinations
- denies all traffic from any source
both rules have priority 65535 so they can be overridden
Automatically created VPCs have what 4 network rules created?
- allows incoming traffic from any VM on same network
- allows incoming TCP on port 22 (for SSH)
- allows incoming TCP on port 3389 (allowing RDP)
- allow incoming ICMP from any source (Internet Control Message Protocol)
all these have priority 65535
How do you create a VPC firewall via shell?
gcloud compute firewall-rules create [RULE NAME] --network=[VPC NAME] --direction=[INGRESS|EGRESS] --action=[ALLOW|DENY] --rules=[PROTOCOL:PORT] --priority=[0-65535]
many other options (e.g. --target-tags, --source-ranges) cover the remaining rule components
How do you increase the number of addresses available on a VPC subnet?
gcloud compute networks subnets expand-ip-range [SUBNET NAME] --prefix-length [NEW PREFIX LENGTH]
You can only increase the number of addresses. The only way to decrease is to recreate the subnet.