network-designs - Virtual Networks Module 1.2.6 Flashcards

1
Q

If your application needs increased availability, how should you design your network?

A

Place the virtual machines in multiple zones of the same region, but within the same subnet. Subnets in Google Cloud are regional, so VMs in different zones can share one subnet. Using a single subnet lets you write firewall rules against that subnet's range, so you get improved availability without additional security complexity.

Another solution is a regional managed instance group: it contains instances spread across multiple zones in the same region, which provides increased availability.

2
Q

How do you globalise your application?

A

Putting resources in different regions allows you to design robust systems with resources spread across different failure domains.
When you use a global load balancer such as the HTTP(S) load balancer, you can route traffic to the region closest to the user. This can result in better latency for users and lower network traffic costs for your project.
Cloud NAT lets private instances (those without external IP addresses) reach an update server on the Internet; this is outbound NAT.
Cloud NAT does not implement inbound NAT.

3
Q

Cloud NAT: more details

A

Hosts outside your VPC network cannot directly access any of the private instances behind the Cloud NAT gateway.

The Cloud NAT gateway enables instances without external IP addresses to reach the Internet for updates and patches.

4
Q

What is Cloud IAP?

A

IAP TCP forwarding (IAP tunnel)
Identity-Aware Proxy (IAP) is a Google Cloud Platform service that intercepts web requests sent to your application, authenticates the user making the request using the Google Identity Service, and only lets the requests through if they come from a user you authorize.
We can create a firewall rule that allows SSH through IAP and then SSH to a private instance from Cloud Shell. For IAP TCP forwarding, limit the rule's source range to 35.235.240.0/20 (the IAP proxy range), protocol tcp, port 22 for SSH.
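The security point of that firewall rule is the source range: an SSH rule open to 0.0.0.0/0 exposes port 22 to the whole Internet, while a rule restricted to 35.235.240.0/20 only admits connections relayed by IAP (which has already authenticated the user). The following script is an added example, not part of the flashcards or any Google tooling. It audits a list of firewall rules in the JSON shape returned by `gcloud compute firewall-rules list --format=json` and classifies every ingress rule that opens tcp:22 or tcp:3389. The rules themselves are constructed sample data; the rule names are hypothetical.

```python
"""Classify GCP firewall rules that expose SSH/RDP (added audit example).

Works on the JSON produced by `gcloud compute firewall-rules list
--format=json` (fields: direction, disabled, sourceRanges, allowed[]
with IPProtocol and ports). Only allow rules are inspected; a higher
priority deny rule could still block a rule flagged here.
"""
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # IAP TCP forwarding source range
ADMIN_PORTS = {22, 3389}                              # SSH and RDP


def _expand_ports(spec):
    """Expand gcloud port specs such as "22" or "3000-3010" into a set of ints."""
    ports = set()
    for p in spec.get("ports", []):
        if "-" in p:
            lo, hi = p.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(p))
    return ports


def opens_admin_port(rule):
    """True if any allowed entry reaches tcp/22 or tcp/3389."""
    for spec in rule.get("allowed", []):
        proto = spec.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue
        if "ports" not in spec:          # tcp without a port list means every tcp port
            return True
        if ADMIN_PORTS & _expand_ports(spec):
            return True
    return False


def classify_rule(rule):
    """Return one of: not-applicable, iap-only, open-to-internet, restricted."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return "not-applicable"
    if not opens_admin_port(rule):
        return "not-applicable"
    ranges = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
    if not ranges:
        return "not-applicable"          # sourced by tags/service accounts; out of scope
    if all(r.version == 4 and r.subnet_of(IAP_RANGE) for r in ranges):
        return "iap-only"
    if any(r.prefixlen == 0 for r in ranges):   # 0.0.0.0/0 or ::/0
        return "open-to-internet"
    return "restricted"


def audit(rules):
    """Map rule name -> classification for a list of firewall rule dicts."""
    return {rule["name"]: classify_rule(rule) for rule in rules}


# Constructed sample rules (hypothetical names), shaped like gcloud's JSON output.
SAMPLE_RULES = [
    {"name": "allow-ssh-from-iap", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-office", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-web", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-all-egress", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RULES).items():
        print(f"{name:22} {verdict}")
```

The rule the flashcard describes corresponds to `gcloud compute firewall-rules create allow-ssh-from-iap --direction=INGRESS --action=allow --rules=tcp:22 --source-ranges=35.235.240.0/20`, after which `gcloud compute ssh VM_NAME --tunnel-through-iap` reaches an instance with no external IP. The script classifies individual allow rules only; it does not compute the effective policy across priorities, so treat "open-to-internet" as a finding to verify, not a proof of exposure.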

5
Q

How can instances that don't have external IP addresses be reached by other instances on the network?

A

When instances don't have external IP addresses, they can only be reached from inside the network: by other instances in the VPC, through a managed VPN gateway, or through a Cloud IAP tunnel. Cloud IAP allows SSH and RDP access to such VMs without a bastion host.
A bastion host is the traditional alternative: the bastion itself has an external IP address (or is reached through IAP) and you hop from it to the private instances, which keep only internal addresses.

6
Q

Which roles and permissions does IAP use, and where do you grant them?

A

IAP uses your existing project IAM roles and permissions when you connect to VM instances; for TCP forwarding the user needs the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor) in addition to the normal Compute permissions.
In the console navigation menu, go to Security > Identity-Aware Proxy to grant these roles.

7
Q

Where is Private Google Access enabled?

A

It is enabled on a VPC network at the subnet level.

8
Q

What does Private Google Access enable?

A

A VM with only an internal IP address can reach the external IP addresses of certain Google APIs and services. It still cannot reach the rest of the Internet, so updates and patches from public servers need Cloud NAT instead.
Enable Private Google Access to allow VM instances that only have internal IP addresses to reach Google APIs and services.
You enable Private Google Access on a subnet-by-subnet basis.

9
Q

Where is Cloud NAT in the console?

A

Under Network Services in the navigation menu.

10
Q

Explain why a Cloud NAT gateway implements outbound NAT but not inbound NAT.

A

Hosts outside your VPC network can only respond to connections initiated by your instances.
They cannot initiate their own connections.
A NAT gateway keeps a translation entry only for connections that an instance opened; a reply matching such an entry is translated back to the instance, while any packet that does not match one (a new connection from the Internet) has no destination inside the VPC and is dropped.
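To make the "respond but not initiate" rule concrete, here is a toy stateful NAT written as an added example; it is not Cloud NAT's implementation and all addresses and ports are constructed. An outbound packet from an instance creates a translation entry keyed on the full connection (instance address and port plus remote address and port) and is rewritten to the gateway's external IP. An inbound packet is only translated back when it matches an existing entry and comes from the remote host the instance talked to; anything else is dropped.

```python
"""Outbound-only NAT model (added example, not Cloud NAT code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OutboundOnlyNat:
    """Translates instance-initiated connections; drops unsolicited inbound traffic."""

    def __init__(self, external_ip, first_port=1024):
        self.external_ip = external_ip
        self._next_port = first_port
        # (instance_ip, instance_port, remote_ip, remote_port) -> external port
        self._sessions = {}
        # external port -> the session key above
        self._reverse = {}

    def outbound(self, pkt):
        """Instance -> Internet: allocate (or reuse) a mapping and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._sessions:
            ext_port = self._next_port
            self._next_port += 1
            self._sessions[key] = ext_port
            self._reverse[ext_port] = key
        return Packet(self.external_ip, self._sessions[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> gateway: translate a reply, or return None (dropped)."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = self._reverse.get(pkt.dst_port)
        if key is None:
            return None                    # nobody inside opened this: unsolicited
        inst_ip, inst_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                    # right port, wrong peer: not a reply
        return Packet(pkt.src_ip, pkt.src_port, inst_ip, inst_port)


def demo():
    """Constructed scenario: a private VM fetches updates, then an outsider tries to connect."""
    nat = OutboundOnlyNat("203.0.113.10")            # constructed NAT external IP
    vm, update_server, attacker = "10.0.0.2", "198.51.100.20", "192.0.2.99"

    out = nat.outbound(Packet(vm, 40000, update_server, 443))      # VM opens HTTPS
    reply = nat.inbound(Packet(update_server, 443, out.src_ip, out.src_port))
    probe = nat.inbound(Packet(attacker, 55555, "203.0.113.10", 22))     # new inbound SSH
    spoof = nat.inbound(Packet(attacker, 443, "203.0.113.10", out.src_port))  # wrong peer
    return {"out": out, "reply": reply, "probe": probe, "spoof": spoof}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6} {pkt if pkt else 'dropped'}")
```

The model keys on the full connection and has no entry timeouts, which is enough to show the asymmetry: the update server's reply is delivered to 10.0.0.2:40000, while the attacker's connection attempt to port 22 and the attempt to reuse the mapped port from a different source are both dropped.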
