Networking Flashcards

Question

How are default networks laid out?

Answer 1

If you have a concept in your mind that all this traffic is flowing through some single firewall chokepoint device somewhere, you’re mistaken. GCP is a full SDN, with firewall policies applied at the instance-level, no matter where it resides. These checks are performed immediately without having to funnel traffic through dedicated security appliances.

Answer 2

Each VPC network has its own distributed [_firewall_](https://cloud.google.com/compute/docs/vpc/firewalls), which allows or denies traffic into and out of the network, and between VM instances. The firewall has an explicit-deny policy, meaning that any traffic that needs to be permitted must have a rule created. You cannot create “deny” rules, only “allow” rules.

Answer 3

VPC stands for Virtual Private Cloud. A Virtual Private Cloud (VPC) network is a cloud version of a physical network, enforced within Google's network Incoming and Outgoing Traffic from instances can be controlled using firewall rules that can be configured while creating VPC Network. Resources in a VPC network can communicate with each other using internal i.e. Private IPv4 addresses, but firewall rules should be set accordingly. Instances with internal IP addresses and no external IP address can communicate with external Google APIs and services using the Private Google Access option. VPC networks can be connected easily to another VPC network in different projects or organizations by using VPC Network Peering.

Answer 4

Generally, each network is divided into multiple useful IP range partitions called subnets (to avoid overhead and maintenance and to provide more security for different departments). VPC networks do not have IP addresses associated with them. IP address ranges are associated with the subnets only. When you spin up any resource in the Google Cloud, you always choose a network and subnet. You have to choose a zone or a region also depending on the resource. By selecting a zone, it automatically picks up its parent region. Subnets are also regional resources and by selecting a region for your resources (like VMs), it will automatically pick what subnet it can use.

Answer 5

**tatic IP** * **Regional** **Global** * Two types: * Regional Static IP * GCE Instances * Network Load Balancers * Global Static IP (Anycast IP) * Global Load Balancers * HTTP(S) * SSL Proxy * TCP Proxy *Note:* * Pay for IPs that are not in use

Answer 6

A static IP address is a fixed IP address. The address maintains an association with a project unless the administrator releases it. An organization uses a static address to apply consistency for services such as a web application or website. Many virtual machines utilize a different type of address where as long as the resource uses the IP address and remains active, there is no change. This IP address type is known as an ephemeral IP address. A virtual machine running an application often maintains the same IP address until the instance is stopped or deleted.

Answer 7

There are times when you may want to reserve an external IP address. A reservation can be made using Cloud Console or the command line. To reserve a static IP address using Cloud Console, go to the Networking option in the navigation area and then select External IP Address under Virtual Private Cloud (VPC).

Answer 8

subnets, a type of regional resource associated with an IP address range. The IP addresses associated with subnets are private so that resources, including APIs and third-party services, can communicate with one another. VPCs do not have to be standalone; they are sharable inside an organization utilizing a project. Assuming users across an organization have the appropriate permissions, it is possible to create resources in a shared environment.

Answer 9

Shared VPC, also known as XPN in the API and command-line interface, enables an engineer to export subnets from an existing VPC network to a host project or other service project inside the same organization. Instances inside a service project may have network connections to shared subnets within a host project.

Answer 10

If you prefer to configure a load balancer using gcloud, use a command with the following structure: Beyond the HTTPS load balancer mentioned in the previous section, there are many other alternatives to create a network load balancer. Key commands that should be applied in creating a load balancer command line are presented in Table 8-5. Mimicking the creation of the HTTP load balancer created in the Cloud Console, the following command lines are used. To create a health check: To create a backend service: To add an instance group as the backend to the backend services:

Answer 11

GCP Cloud DNS supports three different zone types—managed, public, and private. Most often, cloud engineers work with managed zones because they are associated with a project. A managed zone holds all of the DNS records for DNS name suffixes (www.dynalearning.com). A project may have several managed zones, and each zone must have a unique name. With Cloud DNS, a managed zone is the resource type that supports an entire DNS zone. That means all records on the same Google Server will map to the same nameservers. A nameserver responds to a DNS query against a managed zone based on your zone configuration. A project can support many managed zones, but you are charged daily for each managed zone that exists.

Answer 12

A CIDR address is made up of two values: a network address to establish the subnet, and the host identifier. To understand what CIDR notation means, take the IP address 192.168. 0.15 and the /24 CIDR, for example. 192.168. 0.15 defines the address prefix, and /24 defines **the number of bits reserved for the netmask**. This means that the first 24 bits of the IP address are reserved for network routing. With CIDR notation, a slash added at the end of the address expresses how many bits of an IP address are allocated to a network mask. Note that you can create a larger IP allocation with a smaller number such as /10, which offers 4,194,304 available addresses, versus /14, which offers 262,144 available addresses.

Answer 13

A class C network would have a subnet mask of 255.255. 255.0 which means that 24 bits are used for the network. In CIDR notation this is designated by a **/24** following the IP address.May 12, 2022

Answer 14

A class C network would have a subnet mask of 255.255. 255.0 which means that 24 bits are used for the network. In CIDR notation this is designated by a **/24** following the IP address.May 12, 2022

Answer 15

An easy way to understand CIDR is to **think of the notation on the end as the amount of bits that will be allocated to the network**. In this example “/24” would mean that the first 24 bits are allocated to the network (10101110.00010000. 00000000) and the remaining 8 bits would be allocated to the host (. 00000000). **“/16” leaves the remaining 16 bits (or last two numbers) free to use for specific addresses and a “/8” the remaining 24 bits to use**. For better clarification, here are all the possible addresses for each: 10.0.0.0/24: Includes ranges 10.0.0.1–10.0.0.254 (can assign the last number)

Answer 16

* Shared VPC allows an organization to connect resources from multiple projects to a common VPC network to communicate with each other securely and efficiently using internal IPs from that network. * requires designating a project as a **host project** and attach one or more other **service projects** to it. * allows organization administrators to delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls. * allows you to * implement a security best practice of least privilege for network administration, auditing, and access control. * apply and enforce consistent access control policies at the network level for multiple service projects in the organization while delegating administrative responsibilities * use service projects to separate budgeting or internal cost centers.

Answer 17

hared VPC connects projects within the same organization. Participating host and service projects cannot belong to different organizations

Answer 18

Firewall rules consist of several components: * Direction (ingress versus egress) * Priority * Action (allow or deny) * Target

Answer 19

By default, two firewall rules are automatically created, an ingress rule and an egress rule, directing allowable or deniable traffic to IP address 0.0.0.0/0. The priority is 65535.

Answer 20

When alias IP addresses are configured, anti-spoofing checks are performed against traffic, ensuring that traffic exiting VMs uses VM IP addresses and pod IP addresses as source addresses. The anti-spoofing checks verify that VMs do not send traffic with arbitrary source IP addresses. Use of static routes for container networking would be a less secure approach compared to IP aliasing because it would require anti-spoofing checks to be disabled on container host VMs (anti-spoofing checks are disabled when IP forwarding is enabled).

Answer 21

Cloud Armor security policy overview Use Google Cloud Armor security policies to help protect your load-balanced applications from distributed denial of service (DDoS) and other web-based attacks. Managed protection Managed protection is an application protection service that helps protect your web applications and services from DDoS attacks and other threats from the internet Bot management Provides effective management of automated clients' requests towards your back ends through native integration with reCAPTCHA Enterprise. Rate limiting Rate-based rules help you protect your applications from a large volume of requests that flood your instances and block access for legitimate users. Configuring Google Cloud Armor security policies Use these instructions to filter incoming traffic to HTTP(S) load balancing by creating Google Cloud Armor security policies.

Answer 22

* *Dedicated Interconnect* provides a direct physical connection between your on-premises network and Google's network. * *Partner Interconnect* provides connectivity between your on-premises and VPC networks through a supported service provider.

Answer 23

* Traffic between your on-premises network and your VPC network doesn't traverse the public internet. Traffic traverses a dedicated connection or goes through a service provider with a dedicated connection. By bypassing the public internet, your traffic takes fewer hops, so there are fewer points of failure where your traffic might get dropped or disrupted. * Your VPC network's internal IP addresses are directly accessible from your on-premises network. You don't need to use a NAT device or VPN tunnel to reach internal IP addresses. For details, see [_IP addressing and dynamic routes_](https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview#ip-addressing-dynamic-routes). * You can scale your connection capacity to meet your particular requirements. For Dedicated Interconnect, connection capacity is delivered over one or more 10-Gbps or 100-Gbps Ethernet connections, with the following maximum capacities supported per Interconnect connection: * 8 x 10-Gbps connections (80 Gbps total) * 2 x 100-Gbps connections (200 Gbps total)

Answer 24

**Use Cloud VPN instead** If you don't require the low latency and high availability of Cloud Interconnect, consider using [_Cloud VPN_](https://cloud.google.com/network-connectivity/docs/vpn) to set up IPsec VPN tunnels between your networks. IPsec VPN tunnels encrypt data by using industry-standard IPsec protocols as traffic traverses the public internet. A Cloud VPN tunnel doesn't require the overhead or costs associated with a direct, private connection. Cloud VPN only requires a VPN device in your on-premises network.

Answer 25

Cloud Load Balancing 1. Intro 1. Provides scaling, high availability, and traffic management for Internet facing, and private applications. 2. Cloud load balancing is fully integrated with cloud CDN 3. Used in the background for many services 4. Compute Engine vs Kubernetes Load Balancing 1. Compute Engine needs Network Load Balancing 2. Kubernetes does load balancing out of the box. 1. You can do two types: 1. Nodes (VMs) 2. Pods 2. cluster autoscaler 1. optimize the size of your cluster, either increasing or reducing the number of instance

Answer 26

10. 0.0.0/8: 10.0.0.0 to 10.255.255.255 172. 16.0.0/12: 172.16.0.0 to 172.31.255.255 192. 168.0.0/16: 192.168.0.0 to 192.168.255.255

Answer 27

*Firewall rules* control network traffic by blocking or allowing traffic into (ingress) or out of (egress) a network, subnet, or device. Two implied firewall rules are defined with VPCs: one blocks all incoming traffic, and the other allows all outgoing traffic. You can change this behavior by defining firewall rules with higher priority. Firewall rules have a priority specified by an integer from 0 to 65535, with 0 being the highest priority and 65535 being the lowest. The two implied firewall rules have an implied priority of 65535, so you can override those by specifying a rule with a lower number that has a higher priority. In addition to the two implied rules, which cannot be deleted, there are four default rules assigned to the default network in a VPC. These rules are as follows: * default-allow-internal allows ingress connections for all protocols and ports among instances in the network. * default-allow-ssh allows ingress connections on TCP port 22 from any source to any instance in the network. This allows users to ssh into Linux servers. * default-allow-rdp allows ingress connections on TCP port 3389 from any source to any instance in the network. This lets users use Remote Desktop Protocol (RDP) developed by Microsoft to access Windows servers. * default-allow-icmp allows ingress ICMP traffic from any source to any instance in the network.

Answer 28

Shared VPC Sometimes, it is necessary for resources in different projects to communicate. For example, a data warehouse project may need to access a transactional database in an e-commerce project to load e-commerce data into the data warehouse. For organizational reasons, it may be preferable to keep the e-commerce and data warehouse systems in separate projects. In general, Google recommends using a single VPC network when it meets your needs because a single VPC network is easier to manage than the alternatives. However, if you have multiple teams that have their own projects, then creating a single Shared VPC host project with a single Shared VPC network can be used to meet network access requirements without a lot of additional management overhead. With this configuration, resources in those projects can communicate across project boundaries using private IP addresses.

Answer 29

PC network peering enables different VPC networks to communicate using private IP address space, as defined in RFC 1918. VPC network peering is used as an alternative to using external IP addresses or using VPNs to link networks. It is important to note that VPC peering can connect VPCs between organizations; VPC sharing does not operate between organizations. VPC network peering is typically used in software-as-a-service (SaaS) platforms when the SaaS provider wants to make its services available to customers, which use different organizations within GCP. Also, organizations that have multiple network administrative domains can use VPC network peering to access resources across those domains using private IP addressing. The following are three primary advantages of VPC network peering: There is lower latency because the traffic stays on the Google network and is not subject to conditions on the public internet. Services in the VPC are inaccessible from the public internet, reducing the attack surface of the organization. There are no egress charges associated with traffic when using VPC network peering.

Answer 30

Cloud VPN is a GCP service that provides virtual private networks between GCP and on-premises networks. Cloud VPN is implemented using IPSec VPNs and is available in two types, HA VPN and Classic VPN. Some Classic VPN functionality is scheduled to be deprecated on March 31, 2022. HA VPN provides an IPSec VPN connection with 99.99 percent availability. HA VPN uses two connections to provide high availability. Each connection has its own external IP address. HA VPN gateways support multiple tunnels. It is possible to configure an HA VPN with just one active gateway, but that does not meet requirements for the 99.99 percent availability SLA.

Answer 31

Network peering is a network configuration that allows for routing between networks. Direct peering is a form of peering that allows customers to connect their networks to a Google network point of access. This kind of connection is not a GCP service—it is a lower-level network connection that is outside of GCP. It works by exchanging Border Gateway Protocol (BGP) routes, which define paths for transmitting data between networks. It does not make use of any GCP resources, like VPC firewall rules or GCP access controls. Direct peering should be used when you need access to Google Workspace services in addition to Google Cloud services. In other cases, Google recommends using Dedicated Interconnect or Partner Interconnect.

Answer 32

The Private Service Connect for Google APIs allows users to connect to Google APIs and services through an endpoint within their VPC network without the need for an external IP address. The endpoint will forward traffic to the appropriate API or service. Clients can be GCP resources and on-premises systems. GCP resources may or may not have an external IP address. Private Service Connect endpoints are configured to access one of two bundles of APIs. The All APIs endpoint (all-apis) provides access to the same APIs as private.googleapis.com. VPC-SC (vpc-sc) provides access to the same APIs as restricted.googleapis.com.

Answer 33

Serverless VPC Access is used to connect from a serverless environment in GCP to resources in a VPC using an internal address. This option supports Cloud Run, App Engine Standard, and Cloud Functions.

Answer 34

Private Service Access is used to connect from a serverless environment on GCP to resources within a VPC using IP addresses. This is implemented using a VPC Network Peering connection. The GCP VM instances connecting to services may have an external IP address, but they do not need one.

Answer 35

*Load balancing* is the practice of distributing work across a set of resources. GCP provides five different load balancers for different use cases. * Is the workload distributed to servers within a region or across multiple regions? * Does the load balancer receive traffic from internal GCP resources only or from external sources as well? * What protocols does the load balancer need to support? The answers to these questions will help you determine when to use each of the five types: * Network TCP/UDP * Internal TCP/UDP * HTTP(S) * SSL Proxy * TCP Proxy

Answer 36

The Internal TCP/UDP load balancer is the only internal load balancer. It is used to distribute traffic from GCP resources, and it allows for load balancing using private IP addresses. It is a regional load balancer. Instances of the Internal TCP/UDP load balancer support routing either TCP or UDP packets but not both. Traffic passes through the Internal TCP/UDP load balancer and is not proxied. The Internal TCP/UDP load balancer is a good choice when distributing workload across a set of backend services that run on a Compute Engine instance group in which all the backend instances are assigned private IP addresses. The internal TCP/UDP load balancers route traffic within a VPC. The network TCP/UDP load balancers operate outside of VPCs. They handle traffic that can originate from anywhere on the internet, on VMs in VPCs with eternal addresses, or on VMs in VPCs through NAT. When traffic needs to be distributed across multiple regions, then one of the global load balancers should be used.

Answer 37

The Network TCP/UDP load balancer distributes workload based on IP protocol, address, and port. This load balancer uses forwarding rules to determine how to distribute traffic. Forwarding rules use the IP address, protocol, and ports to determine which servers, known as a target pool, should receive the traffic. The Network TCP/UDP is a nonproxied load balancer, which means that it passes data through the load balancer without modification. This load balancer only distributes traffic to servers within the region where the load balancer is configured. All traffic from the same connection is routed to the same instance. This can lead to imbalance if long-lived connections tend to be assigned to the same instance. This is an external-facing resource based in a specific region.

Answer 38

*TCP Proxy Load Balancing* lets you use a single IP address for all users regardless of where they are on the globe, and it will route traffic to the closest instance. TCP Proxy Load Balancing load balancers should be used for non-HTTPS and non-SSL traffic. GCP provides load balancers tailored for regional and global needs as well as specialized to protocols. When choosing a load balancer, consider the geographic distribution of backend instances, the protocol used, and whether the traffic is from internal GCP resources or potentially from external devices.

Answer 39

Cloud CDN Cloud CDN is a content delivery network managed by Google Cloud. As with any content delivery network, Cloud CDN provides the means to distribute content across the globe in ways to minimize latency when accessing that data. Cloud CDN works with external HTTP(S) Load Balancing. The load balancer provides a public IP address while the CDN backend is responsible for providing content. Cloud CDN content can come from several sources, including Compute Engine instance groups, zonal network endpoint groups, App Engine, Cloud Run, Cloud Functions, and Cloud Storage.

Answer 40

distribute the traffic load between a group of instances. It is done to ensure that system or servers don't get overwhelmed and all the requests are served easily and efficiently

Answer 41

Many high-traffic websites serve numerous concurrent requests(can be hundreds of thousands or millions) from users or clients and return the correct response including text, images, video, or application data, all in one in a fast and reliable manner. Sometimes you might have all experienced visiting your favorite website, and getting connection timeout errors, or images and videos buffering a lot of the time, this might be because the website backend is not able to effectively scale to meet these high volumes. The solution here is to add more backend servers to help serve the traffic and then distribute the traffic to those backend servers based on the capacity and health of servers. That's where load balancing comes into the picture.

Answer 42

To manage load at **Layer 4,** Google Cloud refers to this as **TCP/UDP** **Load Balancing.** You should always try to handle traffic at the lower layers of the network stack, it will provide the best performance. To manage load at **Layer 7,** it handles complex traffic side, such as **HTTP** and **HTTPS** requests. Google Cloud refers to this as **Google Cloud HTTP(S) Load Balancing**. Load balancing can be complex at the higher layers but it comes with more advanced options such as you can route traffic based on content.

Answer 43

The two zone types are public and private. A public zone is visible to anyone with an Internet connection. A private zone is available to only those who have access to the VPC network. When you’re creating a Cloud DNS entry, there is an assumption that you have already purchased a domain name from a domain registrar. If you have not already done so, you can buy a domain name from Google Domains at [https://domains.google/.](https://domains.google/.)

Answer 44

This page provides an overview of Cloud DNS features and capabilities. Cloud DNS is a high-performance, resilient, global Domain Name System (DNS) service that publishes your domain names to the global DNS in a [cost-effective](https://cloud.google.com/dns/pricing) way. DNS is a hierarchical distributed database that lets you store IP addresses and other data, and look them up by name. Cloud DNS lets you publish your zones and records in DNS without the burden of managing your own DNS servers and software. Cloud DNS offers both public zones and private managed DNS zones. A public zone is visible to the public internet, while a private zone is visible only from one or more Virtual Private Cloud (VPC) networks that you specify. For detailed information about zones, see [DNS zones overview](https://cloud.google.com/dns/docs/zones/zones-overview).

Answer 45

DNS Peering * DNS peering allows sending requests for records that come from one zone’s namespace to another VPC network *for e.g., a SaaS provider can give a SaaS customer access to DNS records it manages.* * To provide DNS peering, * Cloud DNS peering zone must be created and configured to perform DNS lookups in a VPC network where the records for that zone’s namespace are available. * The VPC network where the DNS peering zone performs lookups is called the DNS producer network. * To use DNS peering, * A network must be authorized to use a peering zone. * The VPC network authorized to use the peering zone is called the DNS consumer network. * DNS peering and VPC Network Peering are different services. DNS peering can be used with VPC Network Peering, but VPC Network Peering is **NOT** required for DNS peering. VPC peering does not enable DNS peering and must be setup explicitly.

Answer 46

VPC Name Resolution Order * Each VPC network provides DNS name resolution services to the VM instances that use it. * When VMs use their metadata server 169.254.169.254 as their name server, Google Cloud searches for DNS records in the following order: * If the VPC network has an outbound **server policy**, Google Cloud forwards all DNS queries to those alternative servers. The VPC name resolution order consists only of this step. * If the VPC network does not have an outbound server policy: * Google Cloud tries to find a **private** zone that matches as much of the requested record as possible (longest suffix matching). * Searching records that you created in private zones. * Querying the forwarding targets for forwarding zones. * Querying the name resolution order of another VPC network by using peering zones. * Searches the automatically created Compute Engine **internal** DNS records for the project. * Queries **publicly** available zones

Answer 47

Cloud DNS is a high-performance, resilient, global Domain Name System (DNS) service that publishes your domain names to the global DNS in a [cost-effective](https://cloud.google.com/dns/pricing) way. DNS is a hierarchical distributed database that lets you store IP addresses and other data, and look them up by name. Cloud DNS lets you publish your zones and records in DNS without the burden of managing your own DNS servers and software. Cloud DNS offers both public zones and private managed DNS zones. A public zone is visible to the public internet, while a private zone is visible only from one or more Virtual Private Cloud (VPC) networks that you specify. For detailed information about zones, see [DNS zones overview](https://cloud.google.com/dns/docs/zones/zones-overview).

Answer 48

Records A record is a mapping between a DNS resource and a domain name. Each individual DNS record has a type (name and number), an expiration time (time to live), and type-specific data. Some of the commonly used record types are: * **A:** Address record, which maps host names to their IPv4 address. * **AAAA:** IPv6 Address record, which maps host names to their IPv6 address. * **CNAME:** Canonical name record, which specifies alias names. * **MX:** Mail exchange record, which is used in routing requests to mail servers. * **NS:** Name server record, which delegates a DNS zone to an authoritative server. * **PTR:** Pointer record, which defines a name associated with an IP address. * **SOA:** Start of authority, used to designate the primary name server and administrator responsible for a zone. Each zone hosted on a DNS server must have an SOA (start of authority) record. You can modify the record as needed (for example, you can change the serial number to an arbitrary number to support date-based versioning).

Answer 49

We are discussing common facts about all Layer 7 Load Balancers(LBs) and Layer 4 Load Balancers(LBs). In the demo, we will create a simple HTTP Load Balancer. You can create HTTPS Load Balancer in case you own a domain, we have attached a document on how to do that as well. Layer 4-LBs act almost as transport layer-aware routers that do no packet manipulation and are faster than Layer 7-LBs that perform a number of manipulation to packets and also have session affinity feature ensuring connections that result from the same source are always served from the same backend. Layer 7-LBs are more common and are often always software whereas Layer 4 - Load Balancers are less common, and tend to be implemented in dedicated hardware. One important note about Layer 7-LBs is their ability to terminate the SSL traffic. This is a limitation for most Layer 4-LBs as they cannot determine if incoming packets are wrapped in SSL and therefore fail to terminate SSL traffic. L7 Load Balancers can have CA certificates installed within them that can verify the authenticity of the service instead of storing and handling backends. The processing strain from having to encrypt and decrypt such requests is pushed onto Layer 7 - Load Balancers to decrypt such data and re-encrypt the packet for transmission to the backend server. This often results in high latency and can be problematic at times. Within Layer 7 - Load Balancers, the packet is inspected, although this can be a costly process in terms of latency, it has additional features like balancing traffic based on content. For example, your company has a pool of backends that have been fitted with some high-end instances optimized for video processing. Another pool may contain low-power CPUs that are optimized for static websites. Layer 7 - Load Balancers can use the URL path e.g. whizlabs.com/courses to serve the most appropriate backend to send incoming traffic to the ones with high-end instances, whereas requests to a different URL such as whizlabs.com/blogs can be transferred to the low-power instances, all thanks to the Layer 7 - Load Balancers ability to intelligently split traffic.

Answer 50

Before understanding VPC Peering, you must possess knowledge of VPCs which is a virtual version of a physical network. It is a global resource. In the real world, there might be a chance when your company needs connectivity with several other VPCs, either on-cloud or on-premise, VPC Peering is the solution. It provides private connectivity among two VPCs regardless of the same project/organization or not. Private Connectivity means traffic stays within Google Network and not public. It is a secure solution as nothing is going public on the Internet. You are able to save egress costs as nothing is traveling outside. Both VPCs in the Peering connection remain administratively separate which means both are managed by their administrators. Configuration is done in each VPC separately. A VPC can peer with up to 25 VPCs but only direct peering is possible no transitive peering is possible which simply means if VPC A is connected with VPC B and VPC B is connected with VPC C that doesn't mean VPC A is connected with VPC C.

Answer 51

Cloud Router can't be used by itself but it is required for Cloud NAT or Interconnect or VPN. **_From Fig1:_** Let's understand the concept with the help of the below architecture. Consider you have a VPC Network on Google Cloud and an On-premise office network that was connected using VPN Gateway. After a few days, a new network is added to the on-premise network with a name server network. Now you have to add static routes to the routing table in Google Cloud manually and also you need to re-configure your VPN. This is still fine but considers a case when a new network is added quite frequently or the network is destroyed. Same you have to do manually. **_From Fig2:_** Now, Cloud Router helps you overcome the above problem by automatically adding dynamic routes. Cloud Router peers with on-premise VPN Gateway or Router. The routers exchange topology information through BGP(Border Gateway Protocol). The Cloud Router advertises subnets from its VPC Network to the on-premise gateway via BGP. By doing this, any topology changes will be propagated automatically between your VPC and on-premise network. The Cloud Router learns on-premise routes through BGP. **_From Fig3:_** Users don't sense disruptions, as you see if a link fails to VM1, Cloud Router can automatically re-route traffic if a path is available.

Answer 52

There are times when you may want to reserve an external IP address. A reservation can be made using Cloud Console or the command line. To reserve a static IP address using Cloud Console, go to the Networking option in the navigation area and then select External IP Address under Virtual Private Cloud (VPC).