Google Cloud Network Design and Monitoring
Team Lead Google Cloud in Content
This course is the fourth of a multi-course track to prepare you for the role of a GCP Network Engineer. The Network Design and Monitoring course builds on the fundamentals covered in the previous three courses and expands on them by covering network design best practices, Cloud Deployment Manager, balancing network performance and cost with Network Service Tiers, configuring VPC Flow Logs and firewall logs, and best practices for optimizing and diagnosing Cloud Storage transfer performance.
Let's get started!
Welcome to our course. Let's learn what this course is about to help you prepare for the Google Cloud Network Engineer exam.
Designing Your Network
Best Practices for Network Design
Let's review some of the concepts we've discussed so far from a design perspective by going over best practices for properly planning your VPC structure. The link to Google's (very long) VPC design best-practices document is below: https://cloud.google.com/solutions/best-practices-vpc-design
Cloud Deployment Manager
Cloud Deployment Manager
Let's take a look at the Cloud Deployment Manager service, which is Google's first-party infrastructure-as-code product.
Cloud Deployment Manager Hands On
This hands-on demonstration will cover a variety of configuration types, starting with simple instances and moving up to more complex multi-network configurations, including templates. If you want to view the configuration and template files used in this lesson, you can access them via the following web link or copy them from the Cloud Storage location below for your own reference: Web link: https://console.cloud.google.com/storage/browser/la-gcloud-course-resources/network-engineer/deployment-manager?project=la-gcpcourse-resources&folder=true&organizationId=true Bucket location: gs://la-gcloud-course-resources/network-engineer/deployment-manager/
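The lesson's own configuration and template files live in the bucket above. As an added illustration that is not one of those files, the following Deployment Manager Python template (Deployment Manager imports the module and calls its GenerateConfig(context) entry point) builds a custom-mode VPC, a subnet with VPC Flow Logs turned on, and two firewall rules with Firewall Rules Logging turned on. The deployment-name prefix, region, CIDR range, tag and rule names are assumptions chosen for the example, and _Context is a stand-in for the object Deployment Manager passes in, used only to run the template locally.

```python
"""Deployment Manager Python template (added example, not a course file).

Deployment Manager imports this module and calls GenerateConfig(context); the
dict it returns has the same shape as a YAML config's `resources:` list, and
each `properties` block maps onto the Compute Engine v1 API insert body.
"""


class _Context:
    """Stand-in for the context object Deployment Manager supplies.

    Only used to run the template locally. The real object exposes
    context.env (deployment metadata such as the deployment name) and
    context.properties (values from the config's `properties:` block).
    """

    def __init__(self, deployment, properties):
        self.env = {"deployment": deployment}
        self.properties = properties


def GenerateConfig(context):
    """Return one VPC, one logged subnet and two logged firewall rules."""
    props = context.properties
    prefix = context.env["deployment"]  # assumption: resources named after the deployment
    network = prefix + "-network"
    network_ref = "$(ref.%s.selfLink)" % network  # reference = implicit dependency on the VPC

    resources = [
        {
            "name": network,
            "type": "compute.v1.network",
            # Custom mode: no auto-created subnets, only the ranges declared here exist.
            "properties": {"autoCreateSubnetworks": False},
        },
        {
            "name": prefix + "-subnet-a",
            "type": "compute.v1.subnetwork",
            "properties": {
                "network": network_ref,
                "region": props["region"],
                "ipCidrRange": props["cidr"],
                # VPC Flow Logs are a per-subnet setting and are off by default.
                "logConfig": {
                    "enable": True,
                    "aggregationInterval": "INTERVAL_5_SEC",
                    "flowSampling": props.get("flowSampling", 0.5),
                    "metadata": "INCLUDE_ALL_METADATA",
                },
            },
        },
        {
            "name": prefix + "-allow-http",
            "type": "compute.v1.firewall",
            "properties": {
                "network": network_ref,
                "direction": "INGRESS",
                "priority": 1000,
                "sourceRanges": props.get("httpSources", ["0.0.0.0/0"]),
                "targetTags": ["http-server"],
                "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
                # Firewall Rules Logging is a per-rule setting and is off by default.
                "logConfig": {"enable": True, "metadata": "INCLUDE_ALL_METADATA"},
            },
        },
        {
            # Explicit, logged deny: the implied deny-ingress rule cannot log, so
            # without a rule like this, blocked SSH attempts leave no record.
            "name": prefix + "-deny-ssh-internet",
            "type": "compute.v1.firewall",
            "properties": {
                "network": network_ref,
                "direction": "INGRESS",
                "priority": 1000,
                "sourceRanges": ["0.0.0.0/0"],
                "denied": [{"IPProtocol": "tcp", "ports": ["22"]}],
                "logConfig": {"enable": True, "metadata": "INCLUDE_ALL_METADATA"},
            },
        },
    ]
    return {"resources": resources}


def resource_index(config):
    """Map resource name -> resource dict, for local checks of the generated config."""
    return {r["name"]: r for r in config["resources"]}


if __name__ == "__main__":
    # Local dry run with assumed property values; real values come from the YAML config.
    ctx = _Context("netlab", {"region": "us-central1", "cidr": "10.0.1.0/24"})
    for name, res in resource_index(GenerateConfig(ctx)).items():
        print(name, res["type"])
```

To deploy it, the YAML config lists the file under imports: and declares a resource of type network.py whose properties: block supplies region and cidr (and optionally flowSampling and httpSources); the deployment name then becomes the prefix of every resource.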
Network Service Tiers
Let's talk about Network Service Tiers, which let you balance network performance against cost: Premium Tier (the default) carries traffic over Google's global backbone and is required for global load balancing, while Standard Tier hands traffic off to the public internet close to its source and costs less.
Monitoring and Logging
VPC Flow Logs
Let's take a look at VPC Flow Logs, which record a sample of the network flows (5-tuples of source and destination address, ports and protocol) sent to and from VM instances, giving you insight into who your VPC instances are talking to.
VPC Flow Logs Hands On
This lesson will go through a hands-on demonstration of enabling, generating, and viewing VPC Flow Logs. Flow logs are enabled per subnet (they are off by default), and the query below reads them from a BigQuery dataset fed by a log sink, so both must be in place before it returns rows. The commands used in this lesson are listed below.
Create web server GCE instance and firewall rule to allow HTTP access:
gcloud compute instances create web-server \
  --zone=us-central1-a --machine-type=f1-micro --subnet=subnet-a \
  --tags=http-server \
  --metadata=startup-script='sudo apt-get update
sudo apt-get install apache2 -y
echo "<!doctype html><html><body><h1>Hello Linux Academy!</h1></body></html>" | sudo tee /var/www/html/index.html'
gcloud compute firewall-rules create custom-network-allow-http \
  --direction=INGRESS --priority=1000 --network=custom-network \
  --action=ALLOW --rules=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=http-server
Send 500 curl requests to the website (substitute the instance's external IP address):
for ((i=1;i<=500;i++)); do curl -s http://(website-ip-address)/ > /dev/null; done
BigQuery query to view the count of access attempts per source; substitute your own table in the FROM clause, as its name will differ. Because flow logs are sampled, total_requests counts sampled flow records and is a lower bound on the real number of requests:
#standardSQL
SELECT
  jsonPayload.connection.src_ip,
  COUNT(jsonPayload.connection.src_ip) AS total_requests,
  SUM(CAST(jsonPayload.bytes_sent AS INT64)) AS bytes,
  jsonPayload.dest_instance.vm_name,
  jsonPayload.connection.dest_port,
  jsonPayload.connection.protocol,
  jsonPayload.src_location.country,
  jsonPayload.src_location.city
FROM `flowlogs.(your-table-name)`
WHERE jsonPayload.reporter = 'DEST'
GROUP BY
  jsonPayload.connection.src_ip,
  jsonPayload.dest_instance.vm_name,
  jsonPayload.connection.dest_ip,
  jsonPayload.connection.dest_port,
  jsonPayload.connection.protocol,
  jsonPayload.src_location.country,
  jsonPayload.src_location.city
ORDER BY total_requests DESC
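The query above counts flow records per source. Here is the same aggregation done in Python over a handful of constructed VPC Flow Logs entries, as an added example that is not part of the lesson, with one addition the query lacks: it keeps only sources outside the VPC's own ranges, since the lesson is after access attempts from external resources. The sample entries are made up, VPC_RANGES assumes the lesson's subnet-a (10.0.1.0/24), and the function names are the example's own.

```python
import ipaddress
import json
from collections import defaultdict

# Subnet ranges of the VPC; anything outside them counts as "external".
# Assumption matching the lesson's subnet-a.
VPC_RANGES = [ipaddress.ip_network("10.0.1.0/24")]


def _flow(reporter, src_ip, src_port, dest_ip, dest_port, bytes_sent, country=None, city=None):
    """Build one constructed flow-log line (sample data only, not a real export)."""
    payload = {
        "reporter": reporter,            # which end wrote the record: "SRC" or "DEST"
        "bytes_sent": str(bytes_sent),   # exported as a string, hence the CAST in the query
        "connection": {"src_ip": src_ip, "src_port": src_port, "dest_ip": dest_ip,
                       "dest_port": dest_port, "protocol": 6},  # 6 = TCP (IANA number)
        "dest_instance": {"vm_name": "web-server"},
    }
    if country:
        payload["src_location"] = {"country": country, "city": city}
    return json.dumps({"jsonPayload": payload})


# Constructed sample: three HTTP flows and one SSH probe from outside, one
# internal peer, and the VM's own reply flow reported from the SRC side.
SAMPLE_FLOW_LOGS = [
    _flow("DEST", "203.0.113.10", 43211, "10.0.1.2", 80, 420, "usa", "Mountain View"),
    _flow("DEST", "203.0.113.10", 43212, "10.0.1.2", 80, 380, "usa", "Mountain View"),
    _flow("DEST", "203.0.113.10", 43213, "10.0.1.2", 80, 400, "usa", "Mountain View"),
    _flow("DEST", "198.51.100.7", 51000, "10.0.1.2", 22, 60, "deu", "Berlin"),
    _flow("DEST", "10.0.1.3", 33000, "10.0.1.2", 80, 500),        # internal peer: excluded
    _flow("SRC", "10.0.1.2", 80, "203.0.113.10", 43211, 5000),    # reply, reporter SRC: excluded
]


def is_external(ip):
    """True when ip lies outside every VPC subnet range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in VPC_RANGES)


def top_external_sources(log_lines, reporter="DEST"):
    """Aggregate like the BigQuery query: one row per (src_ip, vm_name, dest_ip,
    dest_port, protocol, country, city) with a record count and summed bytes,
    restricted to records written by the destination VM and to sources outside
    the VPC. Rows come back sorted by total_requests, descending."""
    groups = defaultdict(lambda: {"total_requests": 0, "bytes": 0})
    for line in log_lines:
        payload = json.loads(line)["jsonPayload"]
        # A flow between two logged VMs is reported by both ends; keeping one
        # reporter avoids counting it twice.
        if payload.get("reporter") != reporter:
            continue
        conn = payload["connection"]
        if not is_external(conn["src_ip"]):
            continue
        loc = payload.get("src_location", {})
        key = (conn["src_ip"], payload["dest_instance"]["vm_name"], conn["dest_ip"],
               conn["dest_port"], conn["protocol"], loc.get("country"), loc.get("city"))
        groups[key]["total_requests"] += 1
        groups[key]["bytes"] += int(payload.get("bytes_sent", 0))

    rows = []
    for (src_ip, vm, dest_ip, port, proto, country, city), agg in groups.items():
        rows.append({"src_ip": src_ip, "vm_name": vm, "dest_ip": dest_ip, "dest_port": port,
                     "protocol": proto, "country": country, "city": city, **agg})
    return sorted(rows, key=lambda r: r["total_requests"], reverse=True)


if __name__ == "__main__":
    for row in top_external_sources(SAMPLE_FLOW_LOGS):
        print(row["src_ip"], row["dest_port"], row["total_requests"], row["bytes"])
```

Filtering on reporter before grouping matters for the same reason the query does it: once flow logs are on for every subnet, an east-west flow produces a SRC record and a DEST record, and counting both doubles the totals.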
This lesson will cover what you need to know about firewall rules and Firewall Rules Logging in a VPC, followed by a hands-on demonstration.
Firewall Logs Hands On
This lesson will go through a hands-on demonstration of working with firewall logs. Firewall Rules Logging is configured per rule and is off by default: pass --enable-logging when creating a rule, or turn it on later with gcloud compute firewall-rules update RULE --enable-logging. The implied deny-ingress rule cannot log, so denied attempts only appear if an explicit deny rule with logging enabled covers them. The commands used in this lesson are listed below.
Create custom VPC, subnet, web server GCE instance and firewall rule to allow HTTP access:
gcloud compute networks create custom-network --subnet-mode=custom
gcloud compute networks subnets create subnet-a --network=custom-network --region=us-central1 --range=10.0.1.0/24
gcloud compute instances create web-server \
  --zone=us-central1-a --machine-type=f1-micro --subnet=subnet-a \
  --tags=http-server \
  --metadata=startup-script='sudo apt-get update
sudo apt-get install apache2 -y
echo "<!doctype html><html><body><h1>Hello Linux Academy!</h1></body></html>" | sudo tee /var/www/html/index.html'
gcloud compute firewall-rules create custom-network-allow-http \
  --direction=INGRESS --priority=1000 --network=custom-network \
  --action=ALLOW --rules=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=http-server
BigQuery query to view the IP address of each connection attempt, the port attempted, and the remote location where available; substitute your own table in the FROM clause:
#standardSQL
SELECT
  jsonPayload.connection.src_ip,
  jsonPayload.connection.dest_port,
  jsonPayload.remote_location.continent,
  jsonPayload.remote_location.country,
  jsonPayload.remote_location.region,
  jsonPayload.rule_details.action
FROM `denied_logs.(your-table-name-here)`
ORDER BY jsonPayload.connection.dest_port
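The query above lists connection attempts by port. The following Python does the same over constructed Firewall Rules Logging entries and adds a check the query does not make: it flags any source denied on many distinct destination ports, the usual footprint of a port scan. This is an added example, not lesson material; the sample entries, the rule names in them, the threshold and the function names are assumptions.

```python
import json
from collections import defaultdict


def _entry(src_ip, dest_port, disposition, continent, country, region, rule):
    """Build one constructed firewall-log line (sample data only, not a real export),
    reduced to the jsonPayload fields the query uses plus `disposition`."""
    action = "DENY" if disposition == "DENIED" else "ALLOW"
    return json.dumps({"jsonPayload": {
        "disposition": disposition,
        "connection": {"src_ip": src_ip, "src_port": 51000, "dest_ip": "10.0.1.2",
                       "dest_port": dest_port, "protocol": 6},        # 6 = TCP
        "rule_details": {"reference": "network:custom-network/firewall:" + rule,
                         "priority": 1000, "action": action, "direction": "INGRESS"},
        "instance": {"vm_name": "web-server"},
        "remote_location": {"continent": continent, "country": country, "region": region},
    }})


# Constructed sample: one allowed HTTP hit and one denied SSH attempt from a
# single address, plus one address probing six different ports, all denied.
SAMPLE_FIREWALL_LOGS = [
    _entry("203.0.113.10", 80, "ALLOWED", "america", "usa", "California", "custom-network-allow-http"),
    _entry("203.0.113.10", 22, "DENIED", "america", "usa", "California", "deny-ssh-internet"),
] + [
    _entry("198.51.100.7", port, "DENIED", "europe", "deu", "Berlin", "deny-all-logged")
    for port in (22, 23, 21, 445, 3389, 8080)
]


def denied_connections(log_lines):
    """Rows equivalent to the query, for denied records only: source, port,
    remote location and the action of the matching rule, sorted by dest_port."""
    rows = []
    for line in log_lines:
        payload = json.loads(line)["jsonPayload"]
        if payload.get("disposition") != "DENIED":
            continue
        conn = payload["connection"]
        loc = payload.get("remote_location", {})
        rows.append({
            "src_ip": conn["src_ip"],
            "dest_port": conn["dest_port"],
            "continent": loc.get("continent"),
            "country": loc.get("country"),
            "region": loc.get("region"),
            "action": payload["rule_details"]["action"],
            "rule": payload["rule_details"]["reference"],
        })
    return sorted(rows, key=lambda r: r["dest_port"])


def flag_port_scanners(log_lines, min_ports=5):
    """Sources denied on at least min_ports distinct destination ports,
    mapped to the sorted list of ports they touched."""
    ports_by_src = defaultdict(set)
    for row in denied_connections(log_lines):
        ports_by_src[row["src_ip"]].add(row["dest_port"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for row in denied_connections(SAMPLE_FIREWALL_LOGS):
        print(row["src_ip"], row["dest_port"], row["country"], row["action"], row["rule"])
    print("possible scanners:", flag_port_scanners(SAMPLE_FIREWALL_LOGS))
```

The disposition filter is what the lesson's denied_logs table implies was done in the sink filter; if your sink exports every firewall log entry, add WHERE jsonPayload.disposition = 'DENIED' to the query to get the same rows.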
Optimize Cloud Storage Performance
This lesson will cover best practices for optimizing the performance of file transfers to Cloud Storage (for example, parallel composite uploads for large files and gsutil -m for many small ones), and how to diagnose and measure performance with the gsutil perfdiag utility. The link to the perfdiag documentation is below for further reference: https://cloud.google.com/storage/docs/gsutil/commands/perfdiag
Course Conclusion and Next Steps
If you are working through the GCP Network Engineer preparation track, the link to the exam preparation course is below: https://linuxacademy.com/cp/modules/view/id/469