
You're reading from Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781835468869
Edition: 1st Edition
Authors (2):

Ankush Chowdhary

With an unwavering focus on technology spanning over two decades, Ankush remains genuinely dedicated to the ever-evolving realm of cybersecurity. Throughout his career, he has consistently upheld a deep commitment to assisting businesses on their journey towards modernization and embracing the digital age. His guidance has empowered numerous enterprises to prioritize and implement essential cybersecurity measures. He has had the privilege of being invited as a speaker at various global cybersecurity events, where he had the opportunity to share his insights and exert influence on key decision-makers concerning cloud security and policy matters. Driven by an authentic passion for education and mentorship, he derives immense satisfaction from guiding, teaching, and mentoring others within the intricate domain of cybersecurity. The intent behind writing this book has been a modest endeavor to achieve the same purpose.

Prashant Kulkarni

In his career, Prashant has worked directly with customers, helping them overcome different security challenges in various product areas. These experiences have made him passionate about continuous learning, especially in the fast-changing security landscape. Joining Google 4 years back, he expanded his knowledge of Cloud Security. He is thankful for the support of customers, the infosec community, and his peers that have sharpened his technical skills and improved his ability to explain complex security concepts in a user-friendly way. This book aims to share his experiences and insights, empowering readers to navigate the ever-evolving security landscape with confidence. In his free time, Prashant indulges in his passion for astronomy, marveling at the vastness and beauty of the universe.


7

Virtual Private Cloud

In this chapter, we will look at Google Cloud Virtual Private Cloud (VPC). The chapter will focus on the network security concepts within Google Cloud, although we will also cover some foundational networking concepts that are essential. We will begin by looking at how Google Cloud’s global footprint is structured with regard to different regions and zones. Then, we will cover the key concepts of VPC, such as global versus regional VPC, how to create custom IP address subnets, micro-segmentation, custom routing, and the different types of firewall rules and their usage. We will look at some design patterns for VPC, focusing on Shared VPC in particular and its importance from a security perspective, and we’ll get an overview of the different connectivity options available to connect Google Cloud to your on-premises network or a third-party cloud provider. Finally, we will look at DNSSEC and some load balancer options...

Overview of VPC

Google Cloud VPC is a virtual network built on Google’s internal production network and is based on Andromeda, which is Google’s implementation of its software-defined network. Andromeda is out of scope for the exam, but those who want to understand more about the underlying network and how it is built can read more about it by using the link in the Further reading section.

You can think of Google Cloud VPC as a virtual network, which is very similar to a physical environment but more powerful due to its software-defined nature. At a high level, VPC is responsible for providing underlying connectivity to your Google Cloud services, such as Compute Engine (virtual machines), Google Kubernetes Engine (GKE), Google App Engine (GAE), and any other Google Cloud services that are built on top of these services. VPC also natively provides load balancing and proxy services, helps distribute traffic to backend services, and provides the capability to connect...

Google Cloud regions and zones

This topic is not part of the exam blueprint. However, because it relates to the design and architecture of Google Cloud and how services are organized, it is important to understand some of the foundational concepts of how Google organizes its regions and zones. We will also look at what global, regional, and zonal resources are.

Regions refer to geographic locations where Google Cloud has data centers that offer cloud services. For example, in the United States, Google has regions in Iowa (us-central), Virginia (us-east), and Los Angeles (us-west); across the globe, Google Cloud has regions in Australia, Singapore, India, the UK, Germany, and more. A full list of Google Cloud regions can be found here: https://packt.link/b9TVP.

Figure 7.2 – Google Cloud region locations


At the time of writing, Google has a presence in more than 200 countries, with 29 regions, 88 zones, and 146 PoP or edge locations. As part of...

VPC deployment models

VPC can be deployed in different models based on your network architecture requirements. In this section, we will look at the different models that are available and how you can create them. We will look at the two VPC modes that can be used to create a VPC network: auto mode and custom mode. After that, we will look at Shared VPC networks, what they are, and how to create one. In the next section, we will go over VPC peering, a technique for connecting two VPCs that are located in different organizations but can be considered peers.

Figure 7.3 – Google network components


We will use the illustration shown in Figure 7.3 to understand a few concepts before we jump into the deployment models. A VPC as a resource is created inside the project and is global in nature. Once you create the VPC network, you have the option to either create a global VPC with all regions in scope or customize things based on which region(s) you want to...

Micro-segmentation

In this section, we will look at some micro-segmentation techniques. We will cover topics such as how to create subnets, define custom routing, and use firewall rules that can help in creating segmentation in your network.

Subnets

Creating subnets for different types of workloads is a key micro-segmentation strategy. In this section, we will look at what types of subnets you can create and how to apply those subnets to your network design. Irrespective of what type of subnet you create, whether using auto mode or custom mode, on Google Cloud there are two types of Classless Inter-Domain Routing (CIDR) ranges: primary and secondary. Let us look at Figure 7.16 to better understand the difference between the two and when to use one over the other.

Figure 7.16 – Subnet CIDR ranges


The primary CIDR range is mandatory in a subnet; the secondary range is optional. The VMs, load balancers, and so on get IP addresses from the primary...
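Before creating subnets in a custom-mode VPC, it pays to check the whole plan (primary and secondary ranges, plus any on-premises or peered ranges that will later be reachable through routing) for overlaps, since an overlap found after the fact forces re-addressing. The following added example, which is not code from the book or from Google Cloud, models a subnet plan as plain dictionaries and reports every pair of overlapping ranges; the subnet names, regions and CIDRs are constructed sample values.

```python
# Added example (not from the book): validate a custom-mode VPC subnet plan
# for overlapping primary/secondary CIDR ranges before any subnet is created.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample plan: one VPC with three subnets across two regions.
# Each subnet has a mandatory primary range and optional secondary ranges
# (for example GKE Pod and Service ranges). All values are made up.
SUBNET_PLAN = [
    {"name": "web-us-central1", "region": "us-central1",
     "primary": "10.10.0.0/24", "secondary": {"pods": "10.100.0.0/20"}},
    {"name": "app-us-central1", "region": "us-central1",
     "primary": "10.10.1.0/24",
     "secondary": {"pods": "10.100.16.0/20", "svc": "10.200.0.0/24"}},
    {"name": "db-europe-west1", "region": "europe-west1",
     "primary": "10.10.2.0/24", "secondary": {}},
]

# Constructed ranges that live outside this VPC (an on-premises data centre
# reachable over Cloud VPN/Interconnect, or a peered VPC). Once routes are
# exchanged, an overlap with these would make parts of the network unreachable.
EXTERNAL_RANGES = {"onprem-dc1": "192.168.0.0/16"}


def expand_ranges(plan: List[dict]) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Return (label, network) for every primary and secondary range in the plan.

    Raises ValueError if a subnet has no primary range (it is mandatory) or a
    CIDR has host bits set (strict=True rejects e.g. 10.10.0.1/24).
    """
    out = []
    for s in plan:
        if not s.get("primary"):
            raise ValueError(f"{s['name']}: primary range is mandatory")
        out.append((f"{s['name']}/primary",
                    ipaddress.ip_network(s["primary"], strict=True)))
        for key, cidr in s.get("secondary", {}).items():
            out.append((f"{s['name']}/secondary:{key}",
                        ipaddress.ip_network(cidr, strict=True)))
    return out


def find_overlaps(plan: List[dict],
                  external: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Return every pair of labels whose ranges overlap; empty means the plan is clean."""
    ranges = expand_ranges(plan)
    for label, cidr in (external or {}).items():
        ranges.append((f"external:{label}", ipaddress.ip_network(cidr, strict=True)))
    conflicts = []
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (label_a, net_a), (label_b, net_b) = ranges[i], ranges[j]
            if net_a.overlaps(net_b):
                conflicts.append((label_a, label_b))
    return conflicts


if __name__ == "__main__":
    clean = find_overlaps(SUBNET_PLAN, EXTERNAL_RANGES)
    print("plan vs on-prem:", clean or "no overlaps")
    # A proposed subnet whose primary range collides with an existing secondary.
    proposed = SUBNET_PLAN + [{"name": "new-us-east1", "region": "us-east1",
                               "primary": "10.100.0.0/22", "secondary": {}}]
    for a, b in find_overlaps(proposed, EXTERNAL_RANGES):
        print(f"OVERLAP: {a} <-> {b}")
```

The check is deliberately pairwise across primaries, secondaries and external ranges alike, because Google Cloud treats a secondary range as just another routed prefix: a new subnet's primary range colliding with an existing GKE Pod range is as fatal as two primaries colliding.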

Cloud DNS

In this section, we will look at Cloud DNS and how to configure it with some basics. For the exam, you only need basic knowledge of the Cloud DNS topics. We will look at an overview of Cloud DNS and some key components that you need to understand.

Cloud DNS is a highly scalable, fully managed service offered by Google Cloud. You can create both public and private zones using Cloud DNS. Cloud DNS uses an internal metadata server that acts as the DNS resolver for both internal and external resolution, such as resolving hostnames on the public internet. Every VM instance has a metadata server used for querying instance information – for example, name, ID, startup/shutdown scripts, custom metadata, service account, and so on – and the DNS resolver is set on VMs as part of the default DHCP (Dynamic Host Configuration Protocol) lease. Overriding the DHCP lease is possible by customizing the DHCP configuration; however, it is not a common pattern.

Cloud DNS also supports...

Load balancers

In this section, we will look at load balancing. There are many different load balancers available on Google Cloud. We will look at each of the different types of load balancers, what they are, and when to use which type based on the traffic type. We will go over a decision tree that helps you decide what type of load balancer would meet your requirements, along with their limitations.

The other aspects that we will cover include the difference between external and internal load balancers and when to use which and why; regional versus global load balancers; and some considerations from a network tier perspective, as some load balancers are only supported by Premium Tier while others are also supported by Standard Tier. This can be an important thing to be aware of both from a cost and security perspective.

Let us start by looking at the different types of load balancers:

  • Global external HTTP(S) load balancer: This load balancer...

Hybrid connectivity options

Throughout this chapter, we have made references to hybrid connectivity. The term hybrid connectivity means that you can join your Google Cloud network to your on-premises network or to a third-party cloud provider using multiple connectivity options. We will look at two options: Cloud VPN (IPSec) and Cloud Interconnect.

Before we look at the different connectivity options, it’s important to understand what Cloud Router is, as it is a key component when creating a Google Cloud-based VPN. Cloud Router is a managed service and a regional resource. It is responsible for exchanging routes between your VPC and your on-premises network via BGP. The VPC network’s dynamic routing mode can be either regional or global. With regional routing, Cloud Router shares routes only for subnets in the region where Cloud Router is provisioned. With global routing, it shares routes for all subnets in the VPC network.
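The regional versus global distinction decides which subnet prefixes an on-premises peer ever learns, which in turn decides what is reachable over the VPN or Interconnect. The following added example, written for this section and not taken from the book or from Google Cloud, models that behaviour: a Cloud Router in one region, subnets in several, and a function that returns the prefixes the router would advertise under each dynamic routing mode, plus the subnets that stay unreachable from on-premises in regional mode. Subnet names, regions and CIDRs are constructed sample values.

```python
# Added example (not from the book): which subnet routes a Cloud Router
# advertises to a BGP peer under the VPC's dynamic routing mode.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Subnet:
    name: str
    region: str
    ranges: List[str]          # primary range plus any secondary ranges


@dataclass
class CloudRouter:
    name: str
    region: str                # Cloud Router is a regional resource


@dataclass
class Vpc:
    name: str
    routing_mode: str          # "REGIONAL" or "GLOBAL" dynamic routing
    subnets: List[Subnet] = field(default_factory=list)


def advertised_routes(vpc: Vpc, router: CloudRouter,
                      custom: Optional[List[str]] = None) -> List[str]:
    """Prefixes the router advertises over BGP.

    REGIONAL: only subnets in the router's own region.
    GLOBAL:   every subnet in the VPC, regardless of region.
    `custom` models extra custom advertised prefixes and is always included.
    """
    if vpc.routing_mode not in ("REGIONAL", "GLOBAL"):
        raise ValueError(f"unknown routing mode {vpc.routing_mode!r}")
    prefixes = set(custom or [])
    for subnet in vpc.subnets:
        if vpc.routing_mode == "GLOBAL" or subnet.region == router.region:
            prefixes.update(subnet.ranges)
    # Sort numerically so the output is stable and easy to diff.
    return sorted(prefixes, key=lambda p: ipaddress.ip_network(p, strict=False))


def unreachable_from_onprem(vpc: Vpc, router: CloudRouter) -> List[str]:
    """Subnets whose ranges the peer never learns (non-empty only in REGIONAL mode)."""
    advertised = set(advertised_routes(vpc, router))
    return [s.name for s in vpc.subnets if not set(s.ranges) <= advertised]


# Constructed sample topology.
SAMPLE_VPC = Vpc("prod-vpc", "REGIONAL", [
    Subnet("web-us-central1", "us-central1", ["10.10.0.0/24", "10.100.0.0/20"]),
    Subnet("db-europe-west1", "europe-west1", ["10.10.2.0/24"]),
])
SAMPLE_ROUTER = CloudRouter("cr-us-central1", "us-central1")

if __name__ == "__main__":
    for mode in ("REGIONAL", "GLOBAL"):
        SAMPLE_VPC.routing_mode = mode
        print(mode, "advertises:", advertised_routes(SAMPLE_VPC, SAMPLE_ROUTER))
        print(mode, "unreachable from on-prem:",
              unreachable_from_onprem(SAMPLE_VPC, SAMPLE_ROUTER))
```

On a real VPC the mode is a property of the network rather than of the router (the `--bgp-routing-mode` flag of `gcloud compute networks create` / `update`), so switching it changes what every Cloud Router in that network advertises at once; the model above therefore keeps `routing_mode` on the `Vpc`, not on the `CloudRouter`.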

Figure 7.29 – Cloud Router


Figure...

Best practices and design considerations

In this section, we will look at some VPC best practices and design considerations that you need to factor in when designing and building your secure network on Google Cloud. From an exam perspective, it is important to understand these as you will find questions about best practices.

VPC best practices

For VPC, some of the best practices include the following:

  • Prevent overlapping IPs and control subnet creation by creating VPC networks using custom subnet creation mode.
  • Reduce management and topology complexity by making use of Shared VPC where possible.
  • Group similar applications into fewer, more manageable, and larger subnets.
  • Apply organization policies to do the following:
    • Skip the creation of default networks for new projects.
    • Restrict shared VPC host projects and subnets.
    • Restrict VPC peering usage.
  • Ensure the design scales to your needs by considering the limitations of each network component.
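The three organization-policy items in the list above map to concrete constraints that can be audited, which is how you prove in practice that the best practice is actually enforced rather than just documented. The following added example, which is not from the book or from Google Cloud, checks a set of policy documents against the recommended constraints and reports what is enforced, missing or only partially restrictive. The constraint names are the real Google Cloud constraints; the policy documents are constructed samples shaped like the JSON that `gcloud resource-manager org-policies describe --effective` returns (an assumption about the exact field layout, so adjust if your output differs).

```python
# Added example (not from the book): audit organization policies against the
# chapter's VPC best-practice list.
from typing import Dict, List

# Real constraint names. "boolean" constraints are enforced on/off; "list"
# constraints restrict which values (host projects, subnets, peer networks)
# are allowed or denied.
RECOMMENDED = {
    "constraints/compute.skipDefaultNetworkCreation": "boolean",   # no default network
    "constraints/compute.restrictSharedVpcHostProjects": "list",   # who may be a host project
    "constraints/compute.restrictSharedVpcSubnetworks": "list",    # which subnets may be used
    "constraints/compute.restrictVpcPeering": "list",              # which VPCs may be peered
}

# Constructed sample: the effective policies read from an organization.
# Note that restrictSharedVpcSubnetworks is absent entirely.
SAMPLE_POLICIES = [
    {"constraint": "constraints/compute.skipDefaultNetworkCreation",
     "booleanPolicy": {"enforced": True}},
    {"constraint": "constraints/compute.restrictVpcPeering",
     "listPolicy": {"allValues": "DENY"}},
    {"constraint": "constraints/compute.restrictSharedVpcHostProjects",
     "listPolicy": {"allowedValues": ["under:folders/000000000000"]}},  # placeholder folder id
]


def classify(policy: dict, kind: str) -> str:
    """Grade one policy document as OK, PARTIAL or NOT RESTRICTIVE."""
    if kind == "boolean":
        return "OK" if policy.get("booleanPolicy", {}).get("enforced") else "NOT RESTRICTIVE"
    lp = policy.get("listPolicy", {})
    if lp.get("allValues") == "DENY" or lp.get("allowedValues"):
        return "OK"            # deny-all, or an explicit allowlist
    if lp.get("deniedValues"):
        return "PARTIAL"       # denylist only: anything not listed is still allowed
    return "NOT RESTRICTIVE"   # allValues ALLOW, or an empty policy


def audit(policies: List[dict]) -> Dict[str, str]:
    """Map each recommended constraint to its finding."""
    by_constraint = {p["constraint"]: p for p in policies}
    findings = {}
    for constraint, kind in RECOMMENDED.items():
        policy = by_constraint.get(constraint)
        findings[constraint] = "NOT SET" if policy is None else classify(policy, kind)
    return findings


def failing(policies: List[dict]) -> List[str]:
    """Constraints that need attention (anything other than OK)."""
    return [c for c, verdict in audit(policies).items() if verdict != "OK"]


if __name__ == "__main__":
    for constraint, verdict in audit(SAMPLE_POLICIES).items():
        print(f"{verdict:16} {constraint}")
```

Treating a denylist as only PARTIAL is deliberate: for peering and Shared VPC, the safe posture is an allowlist (or deny-all with exceptions granted lower in the hierarchy), because a denylist silently permits every project or network created after the list was written.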

Key decisions...

Summary

In this chapter, we covered what VPC is and the concepts of regions and zones and how they are designed. We looked at VPC models such as Shared VPC and VPC peering. We covered micro-segmentation strategies such as custom routing, firewall rules, and subnets. We then looked at how to configure Cloud DNS and enable DNSSEC. We covered topics related to different options that are available for Google Cloud load balancing and hybrid connectivity, and finally, we looked at some VPC best practices and design considerations.

In the next chapter, we will cover Context-Aware Access and some more network security aspects, such as Identity-Aware Proxy, web application firewalls, distributed denial of service protection, and Google Private Access.

Further reading

For more information on Google Cloud VPC, refer to the following links:
