Google Cloud Network Concepts

Course

Matthew Ulasien

Team Lead Google Cloud in Content

Length

04:07:41

Difficulty

Advanced

Videos

19

Hands-on Labs

2

Course Details

Google Cloud Platform is one of the fastest-growing cloud service platforms offered today that lets you run your applications and data workflows at "Google-sized" scale. With "Google-sized" scale comes the responsibility of managing a "Google-sized" network.

The Google Cloud Certified Professional Network Engineer certification will test your ability to implement and manage network architectures in Google Cloud Platform.

This course is the first of a four-course track to prepare you for the role of a GCP Network Engineer. The Network Concepts course covers the fundamentals of networking on GCP, which will act as a foundation for more advanced teachings as we move along this track.

So let's get started!

Syllabus

Introduction

Getting Started

Course Introduction

00:02:46

Lesson Description:

Welcome to our Google Cloud Network Concepts course. This will be your first step in the journey to become a Google Cloud Certified Professional Network Engineer. Below are links to supplementary courses for learning networking fundamentals, as mentioned in the lesson:

Network Routing Fundamentals

Subnetting Fundamentals

Using the Interactive Diagram

00:01:42

Lesson Description:

In this lesson, we cover the interactive diagram we will be using throughout this series of courses, which you will also have access to as an additional study tool.

Role of the Google Cloud Network Engineer

00:04:00

Lesson Description:

Before we jump into the course, let's get a big-picture view of what exactly the roles and responsibilities are of a Google Cloud Network Engineer.

Core Concepts

GCP Networking Fundamentals

Google Cloud Networking Infrastructure

00:07:42

Lesson Description:

We are going to start this course with the fundamentals of how Google Cloud's networking infrastructure is organized. The topics in this section will be the foundation for everything else we discuss in this course.

What is a Virtual Private Cloud (VPC)?

00:08:41

Lesson Description:

Now that we have looked at how Google's global networking resources are organized, we will take a closer look at the core unit of all GCP networking in the virtual private cloud (VPC), which is Google's implementation of a private network that is global in scope.

Subnets

00:11:40

Lesson Description:

Let's take a closer look at how subnets work on a Google Cloud VPC.

Using the GCP Sandbox Environment

00:02:57

Lesson Description:

In this lesson, we cover how to create your own GCP sandbox project to follow along with for hands-on lessons.

Hands On - VPCs and Subnets

00:17:05

Lesson Description:

In this lesson, we put the concepts covered in previous lessons into practice by creating and manipulating VPCs and subnets on Google Cloud. Below are the commands we use for creating a custom VPC and its subnets:

gcloud compute networks create my-custom-network \
    --subnet-mode=custom

gcloud compute networks subnets create subnet-a \
    --network=my-custom-network \
    --region=us-central1 \
    --range=10.1.2.0/24

gcloud compute networks subnets create subnet-b \
    --network=my-custom-network \
    --range=10.128.1.0/24 \
    --region=us-east1

IP Addresses

00:10:19

Lesson Description:

In this lesson, we discuss IP addresses on Google Cloud — both internal and external — and attaching them to multiple VPCs.

Hands On - IP Addresses

00:16:30

Lesson Description:

This hands-on demo focuses on working with both internal and external IP addresses. For reference, the gcloud commands to create both external IP addresses and our double-VPC setup are below.

Create two custom mode VPCs, each with a subnet in the us-east1 and us-central1 regions:

gcloud compute networks create custom-network-1 \
    --subnet-mode=custom

gcloud compute networks subnets create subnet-a \
    --network=custom-network-1 \
    --region=us-central1 \
    --range=10.1.2.0/24

gcloud compute networks subnets create subnet-b \
    --network=custom-network-1 \
    --range=10.128.1.0/24 \
    --region=us-east1

gcloud compute networks create custom-network-2 \
    --subnet-mode=custom

gcloud compute networks subnets create subnet-c \
    --network=custom-network-2 \
    --region=us-central1 \
    --range=10.2.2.0/24

gcloud compute networks subnets create subnet-d \
    --network=custom-network-2 \
    --range=10.128.2.0/24 \
    --region=us-east1

Reserve two static external IP addresses in the us-east1 region:

gcloud compute addresses create east-address-1 --region=us-east1

gcloud compute addresses create east-address-2 --region=us-east1

Firewalls

00:11:12

Lesson Description:

In this lesson, we take a look at the concepts of how firewall rules work on GCP, followed by a hands-on demonstration.

Hands On - Firewalls

00:17:14

Lesson Description:

This lesson takes us through a hands-on demonstration of creating both ingress and egress firewall rules. As mentioned in the lesson, below are the commands for creating your VPC/subnet/instance environment to match that shown in the lesson. Copy and paste the following commands in a Cloud Shell window to get up and running.

gcloud compute networks subnets create subnet-a --network=custom-network --region=us-east1 --range=10.2.1.0/24

gcloud compute networks subnets create subnet-b --network=custom-network --region=us-east1 --range=10.2.2.0/24

gcloud compute instances create instance-1a --zone=us-east1-b --machine-type=f1-micro --subnet=subnet-a

gcloud compute instances create instance-1b --zone=us-east1-b --machine-type=f1-micro --subnet=subnet-a

gcloud compute instances create instance-1c --zone=us-east1-b --machine-type=f1-micro --subnet=subnet-a

gcloud compute instances create instance-2 --zone=us-east1-b --machine-type=f1-micro --subnet=subnet-b
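The hands-on firewall lesson creates ingress and egress rules, and the routing lesson later in this course opens SSH from 0.0.0.0/0. The POSIX sh script below is an added example, not course material, that reviews a list of ingress rules and flags every one that reaches tcp/22 from the whole internet, including rules that do so indirectly through "all", a bare "tcp" protocol entry, or a port range. The input format (name, space-separated source ranges, space-separated allowed entries, "|"-separated) and the gcloud projection shown in the comment for producing it from a live project are assumptions; the sample rules are constructed and only borrow the rule names used in this course.

```shell
#!/bin/sh
# Added example (not course material): flag ingress firewall rules that admit
# SSH from anywhere. Input is one rule per line, fields separated by "|":
#   name|sourceRanges (space separated)|allowed (space separated, e.g. tcp:22 udp:53)
# Such lines could be produced from a live project with a gcloud projection
# like the following (assumed, not taken from the course; see `gcloud topic formats`):
#   gcloud compute firewall-rules list --filter="direction=INGRESS" \
#     --format='csv[no-heading,separator="|"](name,sourceRanges.list(separator=" "),allowed[].map().firewall_rule().list(separator=" "))'

# Prints the name of every rule on stdin that reaches tcp/22 from 0.0.0.0/0.
flag_open_ssh() {
  while IFS='|' read -r name ranges allowed; do
    [ -n "$name" ] || continue
    # Only rules whose source list contains the whole-internet range matter.
    case " $ranges " in
      *" 0.0.0.0/0 "*) ;;
      *) continue ;;
    esac
    for rule in $allowed; do
      case "$rule" in
        # "all" or bare "tcp" (no ports) covers port 22; so does tcp:22 itself.
        all|tcp|tcp:22) echo "$name"; break ;;
        # A tcp port range such as tcp:20-25 covers 22 when lo <= 22 <= hi.
        tcp:*-*)
          lo=${rule#tcp:}; hi=${lo#*-}; lo=${lo%-*}
          if [ "$lo" -le 22 ] && [ "$hi" -ge 22 ]; then
            echo "$name"; break
          fi ;;
      esac
    done
  done
}

# Constructed sample rules, modelled on the rule names used in this course.
SAMPLE_RULES='my-network-allow-ssh|0.0.0.0/0|tcp:22
my-network-allow-internal|192.168.1.0/24 192.168.2.0/24|all
bastion-only|203.0.113.0/24|tcp:22
wide-open|0.0.0.0/0|tcp:20-25 udp:53
web|0.0.0.0/0|tcp:80 tcp:443'

# Runs the audit over the sample; returns the flagged names, one per line.
audit_sample() {
  printf '%s\n' "$SAMPLE_RULES" | flag_open_ssh
}

audit_sample
```

Run against the sample, the script reports my-network-allow-ssh and wide-open; bastion-only is not flagged because its source range is a single /24, and web is not flagged because none of its allowed entries covers port 22. Egress rules are deliberately excluded by the gcloud filter, since the check is about inbound exposure.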

Routing

00:09:57

Lesson Description:

In this lesson, we go over the concepts of network routing on Google Cloud, followed by a hands-on demonstration.

Hands On - Routing

00:17:56

Lesson Description:

This lesson combines all the topics we've discussed in this section so far, as well as creating custom routes to support a custom NAT gateway. All commands referenced in this lesson are listed below. See Google Cloud's documentation for setting up a single NAT gateway, which is similar to the following.

Delete the default VPC (its firewall rules have to be removed before the network itself can be deleted):

gcloud compute firewall-rules delete default-allow-icmp default-allow-internal default-allow-rdp default-allow-ssh

gcloud compute networks delete default

Create a VPC network to host your virtual machine instances for this scenario:

gcloud compute networks create my-network \
    --subnet-mode custom

Create a subnet for the us-central1 region (the name must match the --subnet used by the instance commands further down):

gcloud compute networks subnets create subnet-us-central1 \
    --network my-network \
    --region us-central1 \
    --range 192.168.1.0/24

Create a subnet for the us-east1 region:

gcloud compute networks subnets create subnet-us-east1 \
    --network my-network \
    --region us-east1 \
    --range 192.168.2.0/24

Create firewall rules to allow SSH connections in the new network you just created. The first rule admits SSH from any source (0.0.0.0/0), which is acceptable for a short-lived lab; for anything longer-lived, narrow --source-ranges to the addresses you will actually connect from:

gcloud compute firewall-rules create my-network-allow-ssh \
    --direction=INGRESS \
    --priority=1000 \
    --network=my-network \
    --action=ALLOW \
    --rules=tcp:22 \
    --source-ranges=0.0.0.0/0

gcloud compute firewall-rules create my-network-allow-internal \
    --direction=INGRESS \
    --priority=1000 \
    --network=my-network \
    --action=ALLOW \
    --rules=all \
    --source-ranges=192.168.1.0/24,192.168.2.0/24

Create a virtual machine to act as a NAT gateway on my-network (IP forwarding must be enabled on the instance, or packets not addressed to it are dropped):

gcloud compute instances create nat-gateway \
    --network my-network \
    --subnet subnet-us-central1 \
    --can-ip-forward \
    --zone us-central1-a

Create a new virtual machine without an external IP address:

gcloud compute instances create private-instance \
    --network my-network \
    --subnet subnet-us-central1 \
    --no-address \
    --zone us-central1-a \
    --tags no-ip

Create a route to send traffic destined to the internet through your gateway instance (the route only applies to instances carrying the no-ip tag, and its priority of 800 beats the default internet route):

gcloud compute routes create nat-route \
    --network my-network \
    --destination-range 0.0.0.0/0 \
    --next-hop-instance nat-gateway \
    --next-hop-instance-zone us-central1-a \
    --tags no-ip \
    --priority 800

Optional: Log in to your NAT gateway via SSH to configure iptables to NAT traffic to the internet.

Note: These examples assume the interface is called eth0. Different Linux distributions use different names for interfaces. Modify the name of the interface in the commands to match your distribution.

On your NAT gateway instance, configure iptables:

sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The first sudo command tells the kernel you want to allow IP forwarding. The second sudo command masquerades packets received from internal instances as if they were sent from the NAT gateway instance. To inspect your iptables NAT rules, use the list option:

sudo iptables -v -L -t nat

Optional: If you want these settings to persist across future reboots, write the sysctl setting to a file under /etc/sysctl.d and install iptables-persistent. The file is written through sudo tee because a shell redirection (> file) runs with your own privileges rather than root's; the iptables-persistent package offers to save the current rules when it is installed, and sudo netfilter-persistent save stores them again after later changes:

echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/20-natgw.conf
sudo apt-get install iptables-persistent
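Two details of the NAT gateway procedure above deserve a check before the commands are run: the interface name (the note says eth0 is only an assumption) and the scope of the MASQUERADE rule, which as written rewrites every packet leaving the interface rather than only traffic from the two internal subnets. The POSIX sh script below is an added example, not part of the course, that reads the egress interface from the default route and generates one MASQUERADE rule per internal source range. The route text it parses is constructed to stand in for `ip -4 route show default`; the subnet ranges are the ones this lesson creates. It prints the commands for review instead of executing them.

```shell
#!/bin/sh
# Added example (not course material): build the NAT-gateway commands from
# this lesson without hard-coding the interface name, and masquerade only the
# subnet ranges the lesson created rather than everything that leaves the box.

# Extracts the interface named on the default route. $1 is the text printed by
# `ip -4 route show default` (a full `ip -4 route` listing also works).
default_iface_from_route() {
  printf '%s\n' "$1" |
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Prints the commands to run on the gateway: enable forwarding, then one
# MASQUERADE rule per internal source range on the egress interface.
# $1 is the interface; the remaining arguments are source CIDRs.
nat_setup_commands() {
  iface=$1; shift
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  for cidr in "$@"; do
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$cidr" "$iface"
  done
}

# Stand-alone run: constructed route text stands in for the live routing table
# (use "$(ip -4 route show default)" on the gateway itself) and the ranges are
# the two subnets this lesson creates. Commands are printed, not executed, so
# they can be reviewed and then run with sudo.
SAMPLE_ROUTE='default via 10.128.0.1 dev ens4 proto dhcp src 10.128.0.2 metric 100'
main() {
  iface=$(default_iface_from_route "$SAMPLE_ROUTE")
  [ -n "$iface" ] || { echo "no default route found" >&2; return 1; }
  nat_setup_commands "$iface" 192.168.1.0/24 192.168.2.0/24
}
main
```

Restricting the rule with -s means a packet arriving from any other source (for example a spoofed address from a mis-attached instance) is forwarded unmodified and rejected upstream rather than being silently rewritten with the gateway's address, which keeps the NAT box from laundering traffic it was never meant to carry.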

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.

00:30:00

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.

00:30:00

Securing Your VPC Networks

Cloud IAM

00:13:39

Lesson Description:

Security for GCP network resources requires a multi-layered approach. In this lesson, we briefly cover the basics of Cloud Identity and Access Management (IAM), as well as aspects of IAM that are most relevant for a Google Cloud Network Engineer.

Hands On - Cloud IAM

00:14:39

Lesson Description:

This lesson offers a hands-on demonstration of the IAM concepts from the previous lesson. We will add a role to a new member, explore how permissions are bundled with roles, create a custom role, and edit IAM policies using the command line. The commands used in this lesson are listed below for your reference.

Multiple updates — edit the entire policy. Getting/downloading the current policy is optional — you can always set a fresh policy without downloading the old policy first.

Get (download) a copy of the policy:

gcloud projects get-iam-policy [PROJECT_ID] --format [FORMAT] > [FILE-PATH]

After editing the downloaded policy file, set the new policy by applying the edited one (this replaces the whole policy, so any bindings missing from the file are removed):

gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]

Directly add/remove a single IAM role with a single gcloud command (this does not affect other assigned roles in the project):

gcloud projects add-iam-policy-binding [PROJECT-ID] --member user:[EMAIL] --role [ROLE_ID]

gcloud projects remove-iam-policy-binding [PROJECT-ID] --member user:[EMAIL] --role [ROLE_ID]

Note: For organization-level changes, replace gcloud projects with gcloud organizations and use the organization ID in place of the project ID.

Connecting to Compute Engine Instances

00:09:11

Lesson Description:

This lesson covers methods for securely connecting to instances on GCP, especially Linux instances. It focuses on proper IAM roles for working with Google-managed SSH keys, setting instance and project metadata, and what is necessary if you choose to manage your own SSH keys.

Cloud Armor

00:09:36

Lesson Description:

This lesson is a bit of an advanced preview of the Cloud Armor service, which defends your load-balanced backends from malicious traffic, such as DDoS attacks.

Next Steps

Course Conclusion and Next Steps

00:00:46

Lesson Description:

The next course in this four-course series is our Google Cloud Network Management course.
