Google Cloud Network Concepts – GCP Network Engineer Track Part 1
Team Lead Google Cloud in Content
Google Cloud Platform is one of the fastest-growing cloud service platforms offered today that lets you run your applications and data workflows at "Google-sized" scale. With "Google-sized" scale comes the responsibility of managing a "Google-sized" network.
The Google Cloud Certified Professional Network Engineer certification will test your ability to implement and manage network architectures in Google Cloud Platform.
This course is the first of a four-course track to prepare you for the role of a GCP Network Engineer. The Network Concepts course covers the fundamentals of networking on GCP, which will act as a foundation for more advanced teachings as we move along this track.
So let's get started!
Welcome to our Google Cloud Network Concepts course. This will be your first step in the journey to become a Google Cloud Certified Professional Network Engineer. Below are links to supplementary courses for learning networking fundamentals, as mentioned in the lesson:
Network Routing Fundamentals
Subnetting Fundamentals
Using the Interactive Diagram
In this lesson, we cover the interactive diagram we will be using throughout this series of courses, which you will also have access to as an additional study tool.
Role of the Google Cloud Network Engineer
Before we jump into the course, let's get a big-picture view of what exactly the roles and responsibilities are of a Google Cloud Network Engineer.
GCP Networking Fundamentals
Google Cloud Networking Infrastructure
We are going to start this course with the fundamentals of how Google Cloud's networking infrastructure is organized. The topics in this section will be the foundation for everything else we discuss in this course.
What is a Virtual Private Cloud (VPC)?
Now that we have looked at how Google's global networking resources are organized, we will take a closer look at the core unit of all GCP networking, the virtual private cloud (VPC), which is Google's implementation of a private network that is global in scope.
Let's take a closer look at how subnets work on a Google Cloud VPC.
Using the GCP Sandbox Environment
In this lesson, we cover how to create your own GCP sandbox project to follow along with for hands-on lessons.
Hands On - VPCs and Subnets
In this lesson, we put the concepts covered in previous lessons into practice by creating and manipulating VPCs and subnets on Google Cloud. Below are the commands we use for creating a custom VPC and its subnets:
gcloud compute networks create my-custom-network --subnet-mode=custom
gcloud compute networks subnets create subnet-a --network=my-custom-network --region=us-central1 --range=10.1.2.0/24
gcloud compute networks subnets create subnet-b --network=my-custom-network --range=10.128.1.0/24 --region=us-east1
In this lesson, we discuss IP addresses on Google Cloud — both internal and external — and attaching them to multiple VPCs.
Hands On - IP Addresses
This hands-on demo focuses on working with both internal and external IP addresses. For reference, the gcloud commands to create both external IP addresses and our double-VPC setup are below:
Create two custom mode VPCs, each with a subnet in the
gcloud compute networks create custom-network-1 --subnet-mode=custom
gcloud compute networks subnets create subnet-a --network=custom-network-1 --region=us-central1 --range=10.1.2.0/24
gcloud compute networks subnets create subnet-b --network=custom-network-1 --range=10.128.1.0/24 --region=us-east1
gcloud compute networks create custom-network-2 --subnet-mode=custom
gcloud compute networks subnets create subnet-c --network=custom-network-2 --region=us-central1 --range=10.2.2.0/24
gcloud compute networks subnets create subnet-d --network=custom-network-2 --range=10.128.2.0/24 --region=us-east1
Reserve two static external IP addresses in the
gcloud compute addresses create east-address-1 --region=us-east1
gcloud compute addresses create east-address-2 --region=us-east1
In this lesson, we take a look at the concepts of how firewall rules work on GCP, followed by a hands-on demonstration.
Hands On - Firewalls
This lesson takes us through a hands-on demonstration of creating both ingress and egress firewall rules. As mentioned in the lesson, below are the commands for creating your VPC/subnet/instance environment to match that shown in the lesson. Copy and paste the following commands in a Cloud Shell window to get up and running. Note that they assume a custom-mode VPC named custom-network already exists in the project (created the same way as in the earlier VPC lesson); the network itself is not created by these commands.
gcloud compute networks subnets create subnet-a --network=custom-network --region=us-east1 --range=10.2.1.0/24
gcloud compute networks subnets create subnet-b --network=custom-network --region=us-east1 --range=10.2.2.0/24
gcloud compute instances create instance-1a --zone=us-east1-b --machine-type=f1-micro --subnet=subnet-a
gcloud compute instances create instance-1b --zone=us-east1-b --machine-type=f1-micro --subnet=subnet-a
gcloud compute instances create instance-1c --zone=us-east1-b --machine-type=f1-micro --subnet=subnet-a
gcloud compute instances create instance-2 --zone=us-east1-b --machine-type=f1-micro --subnet=subnet-b
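As an added example (not part of the course), a Python check that audits firewall-rule output of the kind gcloud compute firewall-rules list --format=json produces, flagging enabled ingress allow rules that open SSH/RDP, or every port, to 0.0.0.0/0; the rule JSON below is constructed to resemble the lesson's network and is not captured from a real project.

```python
import json
from ipaddress import ip_network

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# output for the lesson's custom-network; not captured from a real project.
SAMPLE_RULES_JSON = """[
  {"name": "custom-network-allow-ssh", "network": "custom-network", "direction": "INGRESS",
   "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "custom-network-allow-internal", "network": "custom-network", "direction": "INGRESS",
   "priority": 1000, "sourceRanges": ["10.2.1.0/24", "10.2.2.0/24"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "custom-network-deny-all", "network": "custom-network", "direction": "INGRESS",
   "priority": 65534, "sourceRanges": ["0.0.0.0/0"], "disabled": true,
   "denied": [{"IPProtocol": "all"}]}
]"""

ADMIN_PORTS = {22, 3389}  # SSH and RDP

def covers_port(spec, port):
    """True if a gcloud port spec ("22" or "20-25") includes the given port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def is_internet_source(rule):
    """An ingress rule is internet-reachable if any source range is a /0, or if it
    names no source at all (gcloud then defaults the source to 0.0.0.0/0)."""
    ranges = rule.get("sourceRanges", [])
    if not ranges and not rule.get("sourceTags") and not rule.get("sourceServiceAccounts"):
        return True
    return any(ip_network(r).prefixlen == 0 for r in ranges)

def find_exposed_admin_rules(rules_json, admin_ports=ADMIN_PORTS):
    """Return (name, protocol, ports) for enabled ingress ALLOW rules that open an
    admin port, or every port, to the whole internet."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if "allowed" not in rule or not is_internet_source(rule):
            continue
        for entry in rule["allowed"]:
            proto, ports = entry["IPProtocol"], entry.get("ports")
            wide_open = proto == "all" or (proto in ("tcp", "udp") and ports is None)
            hits_admin = bool(ports) and any(covers_port(p, a) for p in ports for a in admin_ports)
            if wide_open or hits_admin:
                findings.append((rule["name"], proto, ports))
    return findings
```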
In this lesson, we go over the concepts of network routing on Google Cloud, followed by a hands-on demonstration.
Hands On - Routing
This lesson combines all the topics we've discussed in this section so far, as well as creating custom routes to support a custom NAT gateway. All commands referenced in this lesson are listed below. See Google Cloud's documentation for setting up a single NAT gateway, which is similar to the following:
Delete the default VPC (its default firewall rules have to be deleted before the network can be):
gcloud compute firewall-rules delete default-allow-icmp default-allow-internal default-allow-rdp default-allow-ssh
gcloud compute networks delete default
Create a VPC network to host your virtual machine instances for this scenario:
gcloud compute networks create my-network --subnet-mode custom
Create subnet for the
gcloud compute networks subnets create subnet-us-central1 --network my-network --region us-central1 --range 192.168.1.0/24
Create subnet for the
gcloud compute networks subnets create subnet-us-east1 --network my-network --region us-east1 --range 192.168.2.0/24
Create firewall rules to allow SSH connections in the new network you just created (the SSH rule below accepts port 22 from any source; outside a sandbox, narrow --source-ranges to the addresses you administer from):
gcloud compute firewall-rules create my-network-allow-ssh --direction=INGRESS --priority=1000 --network=my-network --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0
gcloud compute firewall-rules create my-network-allow-internal --direction=INGRESS --priority=1000 --network=my-network --action=ALLOW --rules=all --source-ranges=192.168.1.0/24,192.168.2.0/24
Create a virtual machine to act as a NAT gateway on
gcloud compute instances create nat-gateway --network my-network --subnet subnet-us-central1 --can-ip-forward --zone us-central1-a
Create a new virtual machine without an external IP address:
gcloud compute instances create private-instance --network my-network --subnet subnet-us-central1 --no-address --zone us-central1-a --tags no-ip
Create a route to send traffic destined to the internet through your gateway instance (because of --tags no-ip, the route applies only to instances carrying that tag, so the gateway itself keeps using the default route):
gcloud compute routes create nat-route --network my-network --destination-range 0.0.0.0/0 --next-hop-instance nat-gateway --next-hop-instance-zone us-central1-a --tags no-ip --priority 800
Optional: Log in to your NAT gateway via SSH to configure iptables to NAT traffic to the internet. Note: These examples assume the interface is called eth0. Different Linux distributions use different names for interfaces. Modify the name of the interface in commands to match your distribution. On your NAT gateway instance, configure iptables:
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The first sudo command tells the kernel you want to allow IP forwarding. The second sudo command masquerades packets received from internal instances as if they were sent from the NAT gateway instance. To inspect your iptables NAT rules, use the list option:
sudo iptables -v -L -t nat
Optional: If you want these settings to persist across future reboots (the file under /etc/sysctl.d has to be written as root, so the value is piped through sudo tee; a plain shell redirection after sudo echo would run as your unprivileged user and fail):
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/20-natgw.conf
sudo apt-get install iptables-persistent
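An added example, not from the course or from Google's documentation: a Python model of how GCP chooses among the routes above for a given instance, showing why private-instance (tagged no-ip) egresses through nat-route while the untagged nat-gateway keeps the default route. The route table is constructed; the priority value given to the two subnet routes is an assumption (they win on prefix length regardless).

```python
from ipaddress import ip_address, ip_network

# Constructed route table mirroring the lesson's my-network VPC. The two subnet routes
# stand in for the ones GCP generates automatically for each subnet (their priority
# value here is an assumption; they win on prefix length anyway). default-route is the
# auto-created default internet route; nat-route is the lesson's custom route.
ROUTES = [
    {"name": "subnet-route-us-central1", "dest": "192.168.1.0/24", "next_hop": "subnet", "priority": 0, "tags": []},
    {"name": "subnet-route-us-east1", "dest": "192.168.2.0/24", "next_hop": "subnet", "priority": 0, "tags": []},
    {"name": "default-route", "dest": "0.0.0.0/0", "next_hop": "default-internet-gateway", "priority": 1000, "tags": []},
    {"name": "nat-route", "dest": "0.0.0.0/0", "next_hop": "instance:nat-gateway", "priority": 800, "tags": ["no-ip"]},
]


def select_route(routes, dst, instance_tags):
    """Pick the route an instance with the given network tags uses for a destination:
    only routes whose destination range contains dst and whose tag list is empty or
    intersects the instance's tags are candidates; the longest prefix wins, and among
    equal prefix lengths the lowest priority value wins."""
    dst_ip = ip_address(dst)
    tags = set(instance_tags)
    candidates = [
        r for r in routes
        if dst_ip in ip_network(r["dest"]) and (not r["tags"] or tags & set(r["tags"]))
    ]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-ip_network(r["dest"]).prefixlen, r["priority"]))
    return candidates[0]


def gateway_routes_to_itself(routes, gateway_name, gateway_tags):
    """True if the NAT gateway's own internet-bound traffic would be sent back to
    the gateway instance, which happens if the gateway carries the route's tag."""
    chosen = select_route(routes, "8.8.8.8", gateway_tags)
    return chosen is not None and chosen["next_hop"] == f"instance:{gateway_name}"


if __name__ == "__main__":
    for who, tags in (("private-instance", ["no-ip"]), ("nat-gateway", [])):
        for dst in ("8.8.8.8", "192.168.2.10"):
            r = select_route(ROUTES, dst, tags)
            print(f"{who:16} -> {dst:13} via {r['name']} ({r['next_hop']})")
    print("gateway loops to itself:", gateway_routes_to_itself(ROUTES, "nat-gateway", []))
```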
Securing Your VPC Networks
Security for GCP network resources requires a multi-layered approach. In this lesson, we briefly cover the basics of Cloud Identity and Access Management (IAM), as well as aspects of IAM that are most relevant for a Google Cloud Network Engineer.
Hands On - Cloud IAM
This lesson offers a hands-on demonstration of the IAM concepts from the previous lesson. We will add a role to a new member, explore how permissions are bundled with roles, create a custom role, and edit IAM policies using the command line. The commands used in this lesson are listed below for your reference.
Multiple updates — edit entire policy. Getting/downloading the current policy is optional — you can always set a fresh policy without downloading the old policy first. Get (download) a copy of the policy:
gcloud projects get-iam-policy [PROJECT_ID] --format [FORMAT] > [FILE-PATH]
After editing the downloaded policy file, set the new policy by applying the edited one (set-iam-policy replaces the project's entire policy, so any binding missing from the file you apply is removed):
gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]
Directly add/remove a single IAM role with a single gcloud command (this does not affect other assigned roles in the project):
gcloud projects add-iam-policy-binding [PROJECT-ID] --member user:[EMAIL] --role [ROLE_ID]
gcloud projects remove-iam-policy-binding [PROJECT-ID] --member user:[EMAIL] --role [ROLE_ID]
Note: For organization-level changes, swap out
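An added example (not course material): a Python diff of two IAM policy documents in the shape get-iam-policy returns, used to review what set-iam-policy would actually change before applying an edited file. Both policies, their members and the etag are constructed placeholders, not values from a real project.

```python
import json

# Constructed policies shaped like `gcloud projects get-iam-policy --format=json`
# output; the members and etag are placeholders, not from a real project.
POLICY_BEFORE = """{
  "version": 1, "etag": "ETAG-PLACEHOLDER",
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/compute.networkAdmin",
     "members": ["user:neteng@example.com", "group:netops@example.com"]},
    {"role": "roles/compute.securityAdmin", "members": ["user:neteng@example.com"]}
  ]}"""

# The edited file an operator intends to apply with set-iam-policy: they meant only to
# drop neteng from networkAdmin and add a viewer, but worked from a stale download.
POLICY_AFTER = """{
  "version": 1, "etag": "ETAG-PLACEHOLDER",
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/compute.networkAdmin", "members": ["group:netops@example.com"]},
    {"role": "roles/compute.networkViewer", "members": ["user:newhire@example.com"]}
  ]}"""


def bindings_as_pairs(policy_json):
    """Flatten a policy into (role, member, condition_title) triples. Conditional
    bindings keep their condition title so they never merge with unconditional ones."""
    triples = set()
    for b in json.loads(policy_json).get("bindings", []):
        cond = (b.get("condition") or {}).get("title", "")
        for m in b.get("members", []):
            triples.add((b["role"], m, cond))
    return triples


def diff_policies(before_json, after_json):
    """Show exactly which grants a set-iam-policy call would add and remove, since the
    call replaces the whole policy rather than merging with what is currently set."""
    before, after = bindings_as_pairs(before_json), bindings_as_pairs(after_json)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    delta = diff_policies(POLICY_BEFORE, POLICY_AFTER)
    for kind in ("added", "removed"):
        for role, member, cond in delta[kind]:
            print(f"{kind:8} {member:28} {role}" + (f" [if {cond}]" if cond else ""))
```

On the two constructed policies the diff shows that, besides the intended networkAdmin change, neteng also silently loses roles/compute.securityAdmin; the add-iam-policy-binding and remove-iam-policy-binding forms avoid this because they touch one binding at a time.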
Connecting to Compute Engine Instances
This lesson covers methods for securely connecting to instances on GCP, especially Linux instances. It focuses on proper IAM roles for working with Google-managed SSH keys, setting instance and project metadata, and what is necessary if you choose to manage your own SSH keys.
This lesson is a bit of an advanced preview of the Cloud Armor service, which defends your load-balanced backends from malicious traffic, such as DDoS attacks.
Course Conclusion and Next Steps
The next course in this four-course series is our Google Cloud Network Management course.