# GCP Professional Network Engineer

# RFC1918 IP Address Allocation for Private Internets

- determine the number of servers and IP addresses you need
  - determine the number of private hosts first
- the three RFC1918 blocks
  - 10.0.0.0/8 (24-bit block; one Class A)
  - 172.16.0.0/12 (20-bit block; 16 contiguous Class Bs)
  - 192.168.0.0/16 (16-bit block; 256 contiguous Class Cs)
- use route summarization for better routing performance and management
  - 192.168.0.0/24 and 192.168.1.0/24 can be advertised as the single prefix 192.168.0.0/23, which spans both (one host bit is borrowed back into the network part)

# CIDR Notation

Addresses per prefix (before any reserved addresses are subtracted):

- `/29` 8 (2^3)
- `/28` 16 (2^4)
- `/27` 32 (2^5)
- `/26` 64 (2^6)
- `/25` 128 (2^7)
- `/24` 256 (2^8)
- `/23` 512 (2^9)
- `/22` 1,024 (2^10)
- `/21` 2,048 (2^11)
- `/20` 4,096 (2^12)
- `/19` 8,192 (2^13)
- `/18` 16,384 (2^14)
- `/17` 32,768 (2^15)
- `/16` 65,536 (2^16)
- `/15` 131,072 (2^17)
- `/14` 262,144 (2^18)
- `/13` 524,288 (2^19)
- `/12` 1,048,576 (2^20)
- `/11` 2,097,152 (2^21)
- `/10` 4,194,304 (2^22)
- `/9` 8,388,608 (2^23)
- `/8` 16,777,216 (2^24)

# Identity and Access Management (IAM)

## Identity Access Management (IAM)

- Authentication (AuthN) and Authorization (AuthZ)
- **who** can do **what** on **which** resource
- identity types
  - Google Account
  - Service Account
  - Google Groups
  - GSuite (Workspace) Domain
  - Cloud Identity Domain
- roles
  - Primitive (now called "basic": Owner, Editor, Viewer; far too broad for production)
  - Predefined (more granular)
  - Custom (most granular)
- IAM policy
  - bindings consist of **members** and **roles**
  - identity (who)
  - role (can do what)
  - resource (on which resource)
- hierarchy
  - Organization
  - Folder
  - Project
  - Resources
- policies are inherited from the top down: the effective policy on a resource is the union of its own policy and every ancestor's. A role granted at the organization or folder level applies to every project below it and cannot be removed by the project's own allow policy, so grant high in the hierarchy only what really must apply everywhere
- key people
  - OrgAdmin
  - NetworkAdmin (networking, usually at org level)
  - SecurityAdmin (security policies, usually at org level)
  - ComputeInstanceAdmin
- **KNOW PERMISSIONS AND WHAT EACH ALLOWS YOU TO DO**

## Network IAM Roles

Defining IAM Policies
- selecting the default policies that enforce organization standards across all resources

Determining the Resource Hierarchy
- create the structure of how roles will be assigned to resources

Delegating Responsibility
- select the team members that will be assigned the IAM roles to implement the configuration of Network and Security

Key roles:
- `roles/compute.networkAdmin` (Compute Network Admin)
  - over 200 permissions for Compute network resources
  - does not create firewall rules, assign IAM roles, or manage SSL certificates
- `roles/compute.securityAdmin` (Compute Security Admin)
  - over 50 permissions for Compute security resources
  - firewall rules, SSL certificates
- `roles/compute.xpnAdmin` (Compute Shared VPC Admin)
  - 14+ permissions
  - administer Shared VPC host projects and attach service projects
- `roles/compute.networkViewer` (Compute Network Viewer)
  - 14+ permissions
  - read-only access to Compute Engine networking
  - the typical grant for service accounts that only need to read network configuration

Can view roles and assignees in the Console or the gcloud SDK:
- `gcloud iam roles` (copy, create, delete, describe, list, undelete, update)
- `gcloud iam roles list --filter="network"`
- `gcloud iam roles describe roles/compute.networkAdmin` (lists the permissions included in a role)
- `gcloud iam list-grantable-roles <RESOURCE_URI>` (list the IAM roles grantable on a resource)
- `gcloud iam list-testable-permissions <RESOURCE_URI>` (list the IAM permissions testable on a resource)

Creating Custom Roles
- to grant a role you need the resource's `getIamPolicy` and `setIamPolicy` permissions (e.g. `resourcemanager.projects.setIamPolicy` for a project-level binding)

## Service Accounts

- created at the project level
- if you attach a service account to a Compute Engine instance, the instance's permissions are governed by the IAM roles granted to that service account; access scopes (the legacy OAuth scopes) only further limit which APIs the instance's token can call
- granting `roles/iam.serviceAccountUser` on a service account lets a principal act as it (the `iam.serviceAccounts.actAs` permission, e.g. attaching it to a VM they create), which is effectively `sudo` to that account's privileges; minting tokens to impersonate it directly is `roles/iam.serviceAccountTokenCreator`. Treat both grants as equivalent to holding the service account's own roles
- **need to understand how to audit service accounts** (who holds `serviceAccountUser` / `serviceAccountTokenCreator` on which account, which user-managed keys exist, and which roles each service account holds)

Commands in the gcloud SDK:
- `gcloud iam service-accounts list` (add `--filter` to narrow the output)
- `gcloud iam service-accounts disable <SA_EMAIL>`

# Designing, Planning and Implementing a VPC Network

## GCP Global Network

GCP computing architectures meet you where you are. All regions are connected by a private global network.
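Before the VPC material, an added example (not from the original notes) of the IAM model described above: the effective policy is the union of the bindings on a resource and on every ancestor, and group bindings count for each member. The role-to-permission sets are a hand-picked subset of the real roles, and the org/folder/project tree, principals and groups are all constructed for illustration.

```python
# Added example, not from the original notes: how Google Cloud's union-of-ancestors IAM model
# decides whether a principal holds a permission on a resource.
# Assumptions (constructed, not copied from the real role definitions): ROLE_PERMISSIONS holds
# only a hand-picked subset of each role's permissions; the hierarchy and bindings are invented.
from dataclasses import dataclass, field
from typing import Optional

ROLE_PERMISSIONS = {
    "roles/compute.networkAdmin": {
        "compute.networks.create", "compute.subnetworks.create", "compute.routes.create",
        "compute.firewalls.get", "compute.sslCertificates.get",
    },
    "roles/compute.securityAdmin": {
        "compute.firewalls.create", "compute.firewalls.delete", "compute.sslCertificates.create",
    },
    "roles/compute.networkViewer": {
        "compute.networks.get", "compute.subnetworks.get", "compute.firewalls.get",
    },
    "roles/compute.networkUser": {"compute.subnetworks.use", "compute.subnetworks.useExternalIp"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}


@dataclass
class Resource:
    """A node in the org > folder > project hierarchy carrying its own allow policy."""
    name: str
    parent: Optional["Resource"] = None
    bindings: dict = field(default_factory=dict)  # role -> set of members (user:, group:, serviceAccount:)

    def ancestry(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


def effective_roles(principal, resource, groups=None):
    """Roles a principal holds on `resource`: the union of every binding on the resource and on
    each ancestor. Group membership is expanded so bindings on a group count for its members."""
    groups = groups or {}
    identities = {principal} | {g for g, members in groups.items() if principal in members}
    roles = set()
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            if identities & members:
                roles.add(role)
    return roles


def has_permission(principal, resource, permission, groups=None):
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in effective_roles(principal, resource, groups))


def who_can(resource, permission, groups=None):
    """Audit helper: every principal (groups expanded) able to exercise `permission` on `resource`."""
    groups = groups or {}
    members = set()
    for node in resource.ancestry():
        for role, bound in node.bindings.items():
            if permission in ROLE_PERMISSIONS.get(role, ()):
                for m in bound:
                    members |= groups.get(m, {m})
    return members


# Constructed hierarchy: org -> folders "prod" and "dev" -> one project each.
ORG = Resource("organizations/123", bindings={"roles/compute.networkAdmin": {"group:net-admins@example.com"}})
PROD = Resource("folders/prod", ORG, {"roles/compute.securityAdmin": {"user:bob@example.com"}})
DEV = Resource("folders/dev", ORG)
PROD_NET = Resource("projects/prod-net", PROD, {"roles/compute.networkUser": {"group:app-devs@example.com"}})
DEV_NET = Resource("projects/dev-net", DEV)
GROUPS = {
    "group:net-admins@example.com": {"user:alice@example.com"},
    "group:app-devs@example.com": {"user:carol@example.com"},
}
```

The point to notice is the one the notes flag: alice's network-admin grant at the organization reaches every project, including `dev-net`, which has no bindings of its own and cannot opt out; bob's security-admin grant on the `prod` folder stops at that folder. `who_can` is the shape of the audit the notes ask for: walk the ancestry and expand groups, because a project-level view alone misses inherited grants.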
- Global
  - Region
    - Zones
      - Infrastructure
        - Resources

![Screen Shot 2022-10-21 at 6 10 26 AM](https://user-images.githubusercontent.com/5553105/197193350-d5c7b1ab-3550-421f-8d62-e0ab7659f0c9.png)

Ingress to GCP
- Premium Tier: traffic from your users enters Google's network at the edge location nearest to them.
- Standard Tier: traffic from your users enters Google's network through peering, ISP or transit networks in the region where your GCP resources are deployed.

Egress from GCP
- Premium Tier: egress traffic is carried over Google's backbone and leaves at the global edge POP closest to your users.
- Standard Tier: egress traffic is handed to the internet via a peering or transit network local to the GCP region it originates from.

![Screen Shot 2022-10-21 at 6 11 40 AM](https://user-images.githubusercontent.com/5553105/197193295-82b04bfc-feca-4ddc-872c-f7b3c85b12c8.png)

## Making a VPC

- REF: https://cloud.google.com/vpc/docs/vpc

Components
- Mode (automatic or custom)
- Subnet
  - Name
  - Region
  - IP Range
    - Primary (every subnet has exactly one primary range)
    - Secondary (a subnet may have multiple secondary ranges, up to 20 per the notes; used to separate infrastructure (VM) addresses from container or per-service addresses running on the same VM)
  - Alias IP (more than one IP address on a network interface)
    - lets one node serve several purposes, each on its own address
    - alias addresses can come from the primary or from a secondary range

Default, Auto, Custom VPCs
- Default (named "default", auto mode; created with every new project together with permissive `default-allow-*` firewall rules for internal traffic, SSH, RDP and ICMP, so delete it or lock it down in production)
- Auto (one predefined subnet in every region)
  - each subnet starts as a `/20` and can be expanded up to a `/16` (65,536 addresses, 65,532 usable after GCP's four reserved addresses)
  - can be converted to custom mode, but only one way
- Custom (recommended in production; you control every subnet)
  - minimizes collision risk when connecting networks (hybrid, peering, Shared VPC)
  - cannot be changed back to auto mode
  - there is no per-network starting range: each subnet's primary range is whatever you choose (minimum `/29`), and a primary range can later be expanded but never shrunk

Reserved IPs
- the first two and the last two addresses of every subnet primary range are reserved by GCP
  - Network (xxx.xxx.xxx.0)
  - Gateway (xxx.xxx.xxx.1); does not respond to ping
  - Second-to-last (xxx.xxx.xxx.254); reserved for potential future use
  - Broadcast (xxx.xxx.xxx.255)
- the `.0/.1/.254/.255` pattern is for a `/24`; in general it is the first, second, second-to-last and last address of the range

DHCP, DNS, Metadata
- Internal IPs
  - allocated to VMs by DHCP from the regional subnet
  - the DHCP lease renews every 24 hours
  - hostname and IP address are registered in internal DNS
- Alias IP
  - additional IPs assigned to a VM alongside its primary internal IP
- External IPs
  - assigned from a pool of ephemeral addresses managed by GCP (or a reserved static address)
  - the guest OS never sees the external IP: the VPC performs 1:1 NAT to the internal IP, and the external address is exposed to the guest only through the metadata server
  - allows communication from outside the project
- Metadata (internal DNS)

![Screen Shot 2022-10-21 at 6 38 02 AM](https://user-images.githubusercontent.com/5553105/197201138-7353a2ba-7100-44a7-b551-84a52ddc256a.png)

## VPC Routes

In GCP a **route** consists of a **single destination CIDR** and a **single next hop**. A route is the path taken from a starting point to a destination.

System-generated routes
- Subnet routes
  - created by GCP whenever a primary or secondary subnet range is added to a VPC
- Default route
  - created together with the VPC network itself (destination 0.0.0.0/0, next hop the default internet gateway), not per resource
  - defines the path out of the network (i.e. to the Internet)
  - provides the standard path for Private Google Access
  - can be deleted and replaced with a custom route (e.g. a NAT instance or an on-prem next hop) when you do not want a direct path to the Internet

![Screen Shot 2022-10-21 at 6 51 53 AM](https://user-images.githubusercontent.com/5553105/197200202-8cc6de59-c2a6-42e6-8b09-f0f47aaaabb4.png)

Custom routes
- Static
- Dynamic (learned through Cloud Router / BGP)

![Screen Shot 2022-10-21 at 6 53 33 AM](https://user-images.githubusercontent.com/5553105/197200546-8c0cb155-4670-4f63-949d-dbffabe52334.png)
![Screen Shot 2022-10-21 at 6 54 40 AM](https://user-images.githubusercontent.com/5553105/197201397-4c3cbb47-681f-40ec-96b0-94d081b07792.png)

Comparison

![Screen Shot 2022-10-21 at 6 54 52 AM](https://user-images.githubusercontent.com/5553105/197200774-99f8baee-edb3-4649-98c0-92f26539e6b9.png)

Routing Priority
- the most specific (longest) matching destination prefix wins first; subnet routes therefore always win for their own ranges
- among routes with the same destination, the lowest priority number wins (custom static routes carry a configurable priority, default 1000)
- the default route (0.0.0.0/0) is the least specific, so it is only used when nothing else matches
- if no route matches, the packet is dropped

![Screen Shot 2022-10-21 at 6 52 52 AM](https://user-images.githubusercontent.com/5553105/197200953-09aaf9b6-09e3-4fa3-808c-3c197b4ff68e.png)
![Screen Shot 2022-10-21 at 6 53 08 AM](https://user-images.githubusercontent.com/5553105/197200985-1b1becb9-d955-4f7b-9f86-19fde47d746e.png)

## VPC Firewall Rules

Distributed virtual firewall controlling ingress and egress traffic **for a single VPC**.
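An added example (not from the original notes) of the evaluation order this section describes: the enabled rules for a direction plus the two implied rules are walked from the lowest priority number upward, a rule applies only to its targets, ingress source ranges and source tags are alternatives, and the first match ends evaluation. The rule set, tags and client addresses are constructed for illustration; the IAP TCP-forwarding range (35.235.240.0/20) and the health-check ranges (130.211.0.0/22, 35.191.0.0/16) are Google's documented values.

```python
# Added example, not from the original notes: a model of VPC firewall rule evaluation.
# Constructed rule set; only the Google source ranges named above are real.
import ipaddress
from dataclasses import dataclass

IMPLIED_PRIORITY = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow" or "deny"
    priority: int             # 0 is highest; lower number wins
    protocols: tuple          # (("tcp", (22, 22)), ("icmp", None), ("all", None), ...)
    ranges: tuple             # source ranges (ingress) / destination ranges (egress)
    target_tags: frozenset = frozenset()   # empty = every instance in the network
    source_tags: frozenset = frozenset()   # secondary ingress filter, OR-ed with ranges
    disabled: bool = False


IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY, (("all", None),), ("0.0.0.0/0",)),
    Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY, (("all", None),), ("0.0.0.0/0",)),
)


def _protocol_matches(rule, proto, port):
    for name, port_range in rule.protocols:
        if name == "all":
            return True
        if name != proto:
            continue
        if port_range is None:            # protocol without ports (icmp, or "tcp" meaning any port)
            return True
        low, high = port_range
        if port is not None and low <= port <= high:
            return True
    return False


def _peer_matches(rule, peer_ip, peer_tags):
    ip = ipaddress.ip_address(peer_ip)
    in_range = any(ip in ipaddress.ip_network(r) for r in rule.ranges)
    # For ingress, source ranges and source tags are alternatives: either one matching is enough.
    return in_range or bool(rule.source_tags & peer_tags)


def evaluate(rules, direction, instance_tags, peer_ip, proto, port=None, peer_tags=frozenset()):
    """Return (action, rule_name) for one packet. Candidates are the enabled rules in this
    direction plus the implied rules, lowest priority number first; on a tie deny beats allow;
    the first match ends evaluation."""
    candidates = [r for r in rules if not r.disabled and r.direction == direction]
    candidates += [r for r in IMPLIED_RULES if r.direction == direction]
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    instance_tags = frozenset(instance_tags)
    peer_tags = frozenset(peer_tags)
    for r in candidates:
        if r.target_tags and not (r.target_tags & instance_tags):
            continue
        if not _peer_matches(r, peer_ip, peer_tags):
            continue
        if not _protocol_matches(r, proto, port):
            continue
        return r.action, r.name
    return "deny", "unreachable"   # the implied rules always match, so this is never reached


# Constructed rule set: SSH only through IAP, web open to the internet, quarantined instances cut
# off, the database reachable only from the web tier, egress limited to 10/8.
RULES = [
    Rule("allow-ssh-from-iap", "INGRESS", "allow", 1000, (("tcp", (22, 22)),), ("35.235.240.0/20",), frozenset({"ssh"})),
    Rule("allow-web", "INGRESS", "allow", 1000, (("tcp", (80, 80)), ("tcp", (443, 443))), ("0.0.0.0/0",), frozenset({"web"})),
    Rule("allow-health-checks", "INGRESS", "allow", 1000, (("tcp", (80, 80)),), ("130.211.0.0/22", "35.191.0.0/16"), frozenset({"web"})),
    Rule("deny-quarantine", "INGRESS", "deny", 900, (("all", None),), ("0.0.0.0/0",), frozenset({"quarantine"})),
    Rule("allow-db-from-web", "INGRESS", "allow", 1000, (("tcp", (5432, 5432)),), (), frozenset({"db"}), frozenset({"web"})),
    Rule("allow-egress-internal", "EGRESS", "allow", 1000, (("all", None),), ("10.0.0.0/8",)),
    Rule("deny-egress-all", "EGRESS", "deny", 65000, (("all", None),), ("0.0.0.0/0",)),
    Rule("allow-rdp-old", "INGRESS", "allow", 500, (("tcp", (3389, 3389)),), ("0.0.0.0/0",), disabled=True),
]

# Constructed pair showing the tie-break: same priority, conflicting actions, deny wins.
TIE_RULES = [
    Rule("allow-all-1000", "INGRESS", "allow", 1000, (("all", None),), ("0.0.0.0/0",)),
    Rule("deny-icmp-1000", "INGRESS", "deny", 1000, (("icmp", None),), ("0.0.0.0/0",)),
]
```

Two things this makes concrete: a quarantine tag works only because its deny sits at a *lower* number than every allow (900 beats 1000), and a disabled rule is skipped entirely rather than evaluated as a deny. The `allow-db-from-web` rule has no source ranges at all; its only source filter is the tag, which is exactly how you keep an internal port from being reachable by address.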
Implied rules
- ingress: deny all (not logged, so to see denied ingress traffic create an explicit deny rule at a higher priority with logging enabled)
- egress: allow all (not logged)
- both sit at priority 65535 behind every user-defined rule, are not shown in the rule list and cannot be removed; they can only be overridden by explicit rules

Components
- Priority (0 - 65535; 0 is the highest priority; evaluation stops at the first match, and if an allow and a deny share the same priority the deny wins)
- Action on match (allow or deny; one or the other)
- Direction (ingress or egress)
- Protocols and ports (TCP, UDP, ICMP, IPIP, or any other IP protocol number)
- Source / Destination (source IP ranges for ingress, destination IP ranges for egress)
- Targets: what the rule applies to (all instances in the network, instances with a target tag, instances running as a service account)
- Secondary source filter (ingress only): source tags or source service accounts, matched as an alternative to the source ranges
- Enforcement status (enabled or disabled)
- Logging (off by default; enable it on the rules you expect unwanted traffic to hit, otherwise denies are invisible)
- **enforced at the instance level** (there is no choke point; a rule change takes effect on every matching VM)

Summary
- a VPC is a global object and can span any datacenter
- to place resources in a region, we create a subnet in that region
- subnet routes are created when you create the subnet
- in each region there are zones
- resources consume IP addresses from the subnet
- firewall rules are enforced at the instance level

![Screen Shot 2022-10-21 at 7 49 39 AM](https://user-images.githubusercontent.com/5553105/197212747-c9f86d31-c4ff-4414-8940-9afed071f953.png)

## VPC Peering

- Peering (dictionary sense): to make or become equal, or of the same standing.
- Lets us build SaaS ecosystems in GCP, making services available privately across VPC networks within or across organizations.

Overview
- private communication between VPC networks using internal IPs only; no external IP required
- the connection must be configured on both sides before it becomes active
- subnet ranges cannot overlap

Routing
- no granular routing; use firewall rules to control what crosses the peering
- firewall rules are created separately on each side, and you must rely on them: there is no way to exclude specific VMs or subnets from the peered network at the routing level
- custom routes are not exchanged automatically; one side must export them and the other import them
- no transitive routing (A - B - C gives no A -> C)

Traditional connectivity

![Screen Shot 2022-10-21 at 7 56 43 AM](https://user-images.githubusercontent.com/5553105/197214414-00a9c64e-b907-4cd1-94a6-ff2855e3ec09.png)

Peered connectivity (reduced latency, increased security, decreased egress costs)

![Screen Shot 2022-10-21 at 7 56 51 AM](https://user-images.githubusercontent.com/5553105/197214625-00475e3c-9cef-4b64-aeac-242a97d5e0ff.png)
![Screen Shot 2022-10-21 at 7 58 03 AM](https://user-images.githubusercontent.com/5553105/197214666-48d8b91f-858a-49a5-88c7-12470e59c4db.png)
![Screen Shot 2022-10-21 at 8 00 50 AM](https://user-images.githubusercontent.com/5553105/197214726-c0483ca9-6d42-4d73-a416-4137b493e656.png)
![Screen Shot 2022-10-21 at 8 01 04 AM](https://user-images.githubusercontent.com/5553105/197214759-5149a909-3321-411e-9da0-a498ec9d129f.png)

## Shared VPC

A way to centrally manage network resources in a **host project** and share them with any number of **service projects**.
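Peering and Shared VPC both come down to address planning: ranges must not overlap, every GCP subnet loses four addresses, and summarization keeps route tables small. An added example (not from the original notes) that puts the RFC1918, CIDR, reserved-address and peering rules from the sections above into a small planning toolkit. All ranges and host counts below are constructed.

```python
# Added example, not from the original notes: subnet planning arithmetic for the rules in the
# CIDR, reserved-address and peering sections. All CIDRs below are constructed for illustration.
import ipaddress

GCP_RESERVED_PER_SUBNET = 4   # network, gateway, second-to-last, broadcast
GCP_MIN_PREFIX = 29           # smallest primary range GCP accepts
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_vm_addresses(cidr):
    """Addresses a VM can actually take in a GCP subnet of this size."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen > GCP_MIN_PREFIX:
        raise ValueError(f"{cidr}: GCP subnets must be /{GCP_MIN_PREFIX} or larger")
    return net.num_addresses - GCP_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts):
    """Longest prefix (smallest subnet) whose usable count still fits `hosts` VMs."""
    for prefix in range(GCP_MIN_PREFIX, 7, -1):
        if (1 << (32 - prefix)) - GCP_RESERVED_PER_SUBNET >= hosts:
            return prefix
    raise ValueError("more hosts than a /8 can hold")


def is_rfc1918(cidr):
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def summarize(cidrs):
    """Collapse adjacent or contained prefixes: 192.168.0.0/24 + 192.168.1.0/24 -> 192.168.0.0/23."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)]


def overlaps(left, right):
    """Pairs of prefixes that overlap between two networks; any hit blocks VPC peering."""
    return [(a, b) for a in left for b in right
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


def carve(parent, prefixes):
    """Allocate subnets of the requested prefix lengths out of `parent`, largest first so every
    block is naturally aligned; returns CIDR strings in allocation order."""
    parent_net = ipaddress.ip_network(parent)
    cursor = int(parent_net.network_address)
    end = int(parent_net.broadcast_address) + 1
    out = []
    for prefix in sorted(prefixes):
        size = 1 << (32 - prefix)
        cursor = (cursor + size - 1) // size * size      # align up to the block size
        if cursor + size > end:
            raise ValueError(f"{parent} cannot fit a /{prefix} after {out}")
        out.append(str(ipaddress.ip_network((cursor, prefix))))
        cursor += size
    return out


def fits(parent, prefixes):
    """True when `carve` can place every requested subnet inside `parent`."""
    try:
        carve(parent, prefixes)
        return True
    except ValueError:
        return False
```

Run `overlaps` against the other side's subnet list (and against on-prem ranges) before requesting a peering; it is the same check GCP performs when it rejects the connection, only earlier. `carve` allocates largest-first on purpose: allocating a `/24` before a `/22` from the same parent leaves an unaligned hole that the `/22` cannot use.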
Benefits
- centralizes network administration by sharing one VPC across projects
- relies on IAM roles to share network resources

Key IAM roles that make VPC sharing possible:
- Organization Admin
- Shared VPC Admin (`roles/compute.xpnAdmin`)
- Network Admin (network resources, routes, subnets)
- Security Admin (firewall rules and SSL certs)
- Service Project Admin (grants the Network User role so the service project can use the shared subnets)
- Network User (`roles/compute.networkUser`; granted to service project principals on the host project or on individual shared subnets so they can consume them)
- Required roles to create a Shared VPC network:
  - `roles/compute.xpnAdmin`
  - `roles/resourcemanager.projectIamAdmin`

Concepts
- service project resources are not required to use Shared VPC resources; they can still use a local VPC in the service project (unless an Org policy restricts this)
- an instance on a service project's own local VPC and an instance on the Shared VPC are on different networks, so they can only reach each other over external IPs (or through peering/VPN) even though they sit in the same service project
- hybrid connectivity (VPN, Interconnect) is best terminated in the host project and shared with the service projects
- load balancing is managed in the service projects
- GKE: the secondary (alias IP) ranges must be created in the host project BEFORE a service project requests a GKE cluster

Summary
- a host project can have more than one VPC; all of them become Shared VPC networks
- host and service projects are attached at the project level
- a project cannot be a host and a service project at the same time
- a service project can be attached to only one host project at a time
- resources in service projects obtain their IP addresses from the shared VPC network

Illustrations

![Screen Shot 2022-10-21 at 8 09 15 AM](https://user-images.githubusercontent.com/5553105/197220090-dd9a0176-bda4-4838-a1a9-b35ef361d2b8.png)
![Screen Shot 2022-10-21 at 8 09 51 AM](https://user-images.githubusercontent.com/5553105/197219931-9d192015-894b-4ae2-98f1-a5f688d3b19f.png)
![Screen Shot 2022-10-21 at 8 10 44 AM](https://user-images.githubusercontent.com/5553105/197219981-04c7d00c-0f4c-41d6-9ba9-812f0c182df7.png)
![Screen Shot 2022-10-21 at 8 11 19 AM](https://user-images.githubusercontent.com/5553105/197220025-92c4cab4-ef68-4c0f-9de1-88f30159b9c1.png)
![Screen Shot 2022-10-21 at 8 12 11 AM](https://user-images.githubusercontent.com/5553105/197220277-7ef3c027-13fe-4b47-8da1-b2ef141c6fca.png)
![Screen Shot 2022-10-21 at 8 14 08 AM](https://user-images.githubusercontent.com/5553105/197220370-be3ba171-5332-40c2-9209-5ddf84417b79.png)

## Cloud NAT

Lets VM instances and GKE pods without external addresses reach the internet through a shared, regional set of public IPs.

Benefits
- Security: create instances without public IP addresses
- High Availability: managed service, no user intervention
- Scalability: scales seamlessly with the number of instances and the volume of traffic

![Screen Shot 2022-10-21 at 8 40 39 AM](https://user-images.githubusercontent.com/5553105/197222697-3bedfa07-6d57-4f7e-9379-5e9eea7ab53d.png)

Overview
- specific to one region: only instances in that region can use the Cloud NAT gateway
- if you have resources in multiple regions, create a Cloud NAT gateway per region (attached to that region's Cloud Router)

![Screen Shot 2022-10-21 at 8 34 11 AM](https://user-images.githubusercontent.com/5553105/197221350-08eb532a-8300-481c-802c-ea55afa6787e.png)

- choose which ranges are translated
  - primary & secondary
  - primary only
  - selected subnets
- outbound NAT only: replies to connections initiated from inside come back, but no unsolicited inbound connections are accepted

![Screen Shot 2022-10-21 at 8 35 23 AM](https://user-images.githubusercontent.com/5553105/197221887-44fd9056-7a30-4014-bb75-b663224bdcc2.png)

- a VM with an external IP does NOT route through NAT; it uses its own address

![Screen Shot 2022-10-21 at 8 35 55 AM](https://user-images.githubusercontent.com/5553105/197222003-55a8001a-6cfc-4583-86bd-5d07add8fa30.png)

NAT translation example

![Screen Shot 2022-10-21 at 8 38 18 AM](https://user-images.githubusercontent.com/5553105/197222159-7b746efd-15cf-4d0d-91e0-5be8e1665f3b.png)

Configuration
- minimum ports per VM (a single NAT IP has 64,512 usable ports, 1024 - 65535; a VM can be allocated up to 64K ports)
  - default 64 ports per VM, which supports roughly 1,000 VMs per NAT IP (64,512 / 64 = 1,008)
  - a VM's allocation is a contiguous block, e.g. 32000 - 33023 is a 1,024-port block
  - container workloads typically need 1,024 ports per node, which drops to about 63 VMs per NAT IP (keep this in mind when sizing NAT IPs for a GKE cluster's node count)

## Private Google Access

Provides a way for VMs to reach the public IP addresses of Google APIs and services through the VPC network's default internet gateway, without traversing the public internet and without an external IP. Instances with an external IP do not use PGA (they reach Google APIs directly).

![Screen Shot 2022-10-21 at 8 43 07 AM](https://user-images.githubusercontent.com/5553105/197224434-b56ce733-e474-4d66-8bc7-6d7364d3bfa4.png)

Overview
- only instances with internal-only IPs use it
- enabled On/Off on a per-subnet basis
- the implied allow-egress rule already permits the traffic; if you have an egress deny rule, add a higher-priority allow-egress rule for the Google API ranges (or 0.0.0.0/0)
- optionally use network tags to limit which VMs that egress rule applies to
- add DNS entries so `*.googleapis.com` resolves to one of the PGA virtual IP ranges:
  - `private.googleapis.com` (199.36.153.8/30): all Google APIs and services
  - `restricted.googleapis.com` (199.36.153.4/30): only the APIs that support VPC Service Controls, for perimeters that must block data exfiltration to unsupported services
  - if you deleted the default route, add a route for those ranges via the default internet gateway

![Screen Shot 2022-10-21 at 8 46 20 AM](https://user-images.githubusercontent.com/5553105/197224521-d304de24-456a-4ff7-9eb4-97d5c6701d69.png)

Summary

![Screen Shot 2022-10-21 at 8 48 23 AM](https://user-images.githubusercontent.com/5553105/197224550-10a4d749-182b-492e-9851-59b4a449abbc.png)

# Kubernetes, Clusters & VPC Interactions

## Kubernetes Cluster Networking

### Cluster Components

Control Plane (a.k.a. Master)
- runs on Google-managed resources
- etcd (distributed persistent state store)
- kube-apiserver
- kube-scheduler
- kube-controller-manager
- cloud-controller-manager

Workers
- Node Pool (groups of nodes)
- Node: a VM compute instance
  - kubelet
  - kube-proxy

Container Networking
- nodes: VM instances running the Kubernetes agents (node subnet default `/20`, min `/29`, max `/8`)
  - best practice: don't exceed 500 nodes
- pods: the unit of deployment, one or more containers plus storage (pod range default `/14`, min `/19`, max `/9`)
  - **rolling updates start a new pod before removing the old one, so plan for at least double the maximum pod count**
  - best practice: don't exceed 500,000 pods
  - the pod IP range is a single range assigned at cluster creation and cannot be changed
- services: the endpoint for application access (service range default `/20`, min `/27`, max `/16`)
  - serves as a stable IP for pods in the cluster, which come and go
  - the service IP range is a secondary range, not the VPC's primary
  - allows pods to scale

![Screen Shot 2022-10-22 at 12 26 36 PM](https://user-images.githubusercontent.com/5553105/197356959-626e0bb5-f6af-4057-879f-5615e8ca85a3.png)

## GKE Cluster IP Allocation

Zonal vs Regional Cluster
- Zonal: by default a single control plane instance
  - the control plane can be unavailable during maintenance/upgrades
  - nodes share a single regional subnet
- Regional: nodes spread across multiple zones in the region
  - the control plane has at least 3 instances across zones, so higher availability
  - nodes share a single regional subnet

Routes-based Cluster
- legacy: moves traffic through the cluster using VPC routes
- one IP range is used for BOTH pods and services, and the last `/20` of that range is used for services
  - with the default `/14` the range holds 262,144 addresses
  - the last `/20` is 4,096 addresses for Services
  - so pods have 258,048 addresses available (`/14` minus `/20`)
- IPs are assigned to pods by carving per-node blocks out of the pod range
- the pod range is a single range assigned at cluster creation
- the default max of 110 pods/node allocates 256 IPs per node (a `/24` per node)

VPC-native Cluster (Alias IP)
- pods and services take addresses from secondary ranges of the regional VPC subnet
- max pods/node is customizable, which changes how many nodes the pod range can support
- NEGs can be used as load balancer backends
- the only option for clusters on a Shared VPC

![Screen Shot 2022-10-22 at 12 42 46 PM](https://user-images.githubusercontent.com/5553105/197357530-b7661cb8-f45f-44c5-b6ae-ff08effb9b9f.png)

## GKE Private Clusters

Default
- control plane and nodes have external IP addresses
- Master Authorized Networks can be enabled for BOTH private and public clusters
- for a private control plane you must provide a control plane IP range so GKE can set up the peering for RFC1918 communication between control plane and nodes

Public Master / Public Nodes
- default configuration; everything has an external IP

Public Master / Private Nodes
- nodes do not have external IP addresses
- the control plane is still reachable on its external IP
- Cloud NAT is needed for pods to reach the internet
- best to enable Master Authorized Networks to protect the control plane (an IP allow list)

Private Master / Private Nodes
- needs a new internal `/28` range for the control plane (e.g. 172.16.0.0/28)
- must configure Master Authorized Network(s) so a bastion, etc. can reach the control plane endpoint
- Cloud NAT is needed for pods to reach the internet
- a `peering-route-...` entry is added to the route table for the managed control plane with that range

![Screen Shot 2022-10-22 at 12 50 15 PM](https://user-images.githubusercontent.com/5553105/197357797-0f8ce3c1-2dc2-4014-b023-8bf420f4b78c.png)

## Shared VPC Clusters

- create the secondary IP ranges in the Host Project PRIOR to cluster creation
- only supported by VPC-native clusters (Alias IP)
- grant the service project's GKE service agent (`service-<SERVICE_PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com`) the Host Service Agent User role (`roles/container.hostServiceAgentUser`) **on the host project**
- the user creating the cluster MUST have the Network User role (`roles/compute.networkUser`) on the shared subnet (or on the host project)

## Network Policy

Pod and Service network security: isolating Pods and Services. By default pods are not isolated, so every pod can reach every other pod.
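An added example (not from the original notes) that evaluates the Kubernetes NetworkPolicy ingress semantics this section relies on: a pod is isolated only once some policy selects it, and from then on a connection is allowed only if one of the selecting policies has an ingress rule admitting the source. The two manifests given in this section are encoded below as Python dicts with the same fields; the third policy, the pods, namespaces and labels are constructed for illustration, and `ipBlock` peers are left out.

```python
# Added example, not from the original notes: NetworkPolicy ingress evaluation for the two
# manifests in this section plus namespaceSelector and ports. Pods and labels are constructed.
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict
    ns_labels: dict = field(default_factory=dict)   # labels on the pod's Namespace object


def _selects(selector, labels):
    """matchLabels semantics: every key/value must match; an empty selector ({}) matches all."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _peer_matches(peer, policy_namespace, src):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                          # ipBlock-only peers are out of scope here
    if ns_sel is not None:
        if not _selects(ns_sel, src.ns_labels):
            return False
    elif src.namespace != policy_namespace:   # a bare podSelector only matches the policy's own namespace
        return False
    return pod_sel is None or _selects(pod_sel, src.labels)


def _port_matches(ports, port, protocol):
    if not ports:                             # no ports listed = every port
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """True if `src` may open `port` on `dst` under `policies`."""
    selecting = [
        p for p in policies
        if p["metadata"].get("namespace", "default") == dst.namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and _selects(p["spec"].get("podSelector"), dst.labels)
    ]
    if not selecting:
        return True                           # nothing selects dst: it is not isolated
    for p in selecting:
        ns = p["metadata"].get("namespace", "default")
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])
            if (not peers or any(_peer_matches(peer, ns, src) for peer in peers)) \
                    and _port_matches(rule.get("ports"), port, protocol):
                return True
    return False


# The two manifests from this section, as dicts.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
DATABASE_ALLOW_FROM_WEB = {
    "metadata": {"name": "database-allow-from-web", "namespace": "default"},
    "spec": {
        "policyTypes": ["Ingress"],
        "podSelector": {"matchLabels": {"app": "database"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}],
    },
}
# Constructed extra policy: monitoring in the "ops" namespace may scrape web pods on 9090 only.
WEB_ALLOW_METRICS = {
    "metadata": {"name": "web-allow-metrics", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "ops"}}}],
                     "ports": [{"port": 9090, "protocol": "TCP"}]}],
    },
}
```

The case people trip over is the third assertion group below: `default-deny-ingress` has an empty `podSelector`, so it isolates the web tier as well, and nothing reaches the web pods (not even a Service or ingress controller) until an allow policy selects them. A pod labelled `app: web` in another namespace does not satisfy `database-allow-from-web`, because a peer with only a `podSelector` is scoped to the policy's own namespace.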
- enable at cluster creation time, or after creation
- nodes need at least `n1-standard-1` to accommodate the extra resources
- GKE recreates all cluster nodes (NOTE: if a maintenance window is set, this will not run until the next scheduled maintenance)
- when enabled, all pods can still communicate until you define policy rules (YAML); a pod only becomes isolated once some policy selects it
- example deny all ingress (selects every pod in the namespace; once applied, nothing can reach any pod until an allow policy selects it)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
```

- example web to database (allow policies are additive: this adds an exception to the deny above for pods labelled `app: web` reaching pods labelled `app: database`)

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-allow-from-web
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      app: database
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
```

![Screen Shot 2022-10-22 at 1 00 33 PM](https://user-images.githubusercontent.com/5553105/197358087-8965e0b4-7398-4d67-a570-ba575e4d5128.png)

Summary

![Screen Shot 2022-10-22 at 1 05 35 PM](https://user-images.githubusercontent.com/5553105/197358230-3a51d3a2-1647-40b1-b2dc-555570bad563.png)

# Load Balancing

## Load Balance Overview

Acts as a traffic director in front of multiple backends so the service can scale.
- HTTP(S) load balancer
  - layer 7, for HTTP and HTTPS applications
  - ports `80`, `8080` and `443`
- TCP load balancer
  - layer 4 load balancing or proxying for applications that rely on TCP/SSL
- UDP load balancing
  - layer 4 load balancing for applications that rely on UDP

To know
- the key property of proxy load balancers: they terminate the incoming connection and open a new one to the backend (so the backend sees the proxy's address unless that is handled explicitly)

Components
- Forwarding Rule (external IP; the VIP is an anycast IP)
  - one forwarding rule for IPv4 and another for IPv6
- Target Proxy (terminates the request): HTTP or HTTPS
- URL map (L7 routing by host/path to backend services or a storage bucket)
- Backend service (instance groups plus serving-capacity metadata; specifies which health checks are performed)
  - instances
  - storage buckets
- MUST HAVE a firewall rule allowing the health-check probers (`130.211.0.0/22` and `35.191.0.0/16`) to reach the backends, otherwise every backend is marked unhealthy

Balancing Mode
- tells the LB when a backend is at capacity
- when full, new requests are automatically routed to another backend

Architecture

![Screen Shot 2022-10-22 at 8 48 50 PM](https://user-images.githubusercontent.com/5553105/197370866-33bd68a6-b16d-4277-bbdc-01916dae5b6e.png)

## Global Load Balancer - HTTP(S) and Use Cases

![Screen Shot 2022-10-22 at 9 01 29 PM](https://user-images.githubusercontent.com/5553105/197371226-bc6c4be0-41db-4704-95e8-67db64fe2245.png)

- Premium Tier
  - global external IP address (IPv4 or IPv6), an "anycast IP"
  - traffic is routed to the location nearest the user
- Standard Tier
  - regional external IP address (IPv4)
  - only distributes traffic to VMs in a single region
  - traffic is routed to the location where the backend instances are

![Screen Shot 2022-10-22 at 8 58 36 PM](https://user-images.githubusercontent.com/5553105/197371219-cc205752-afa5-44c7-9960-cccac41dbddc.png)

## TCP & SSL Global Load Balancers

![Screen Shot 2022-10-22 at 9 02 46 PM](https://user-images.githubusercontent.com/5553105/197371336-f74d7735-ec82-477e-99e7-24c17422519f.png)

- only specific ports are supported (not port 80): 25, 43, 110, 143, 195, 443, 465, 587, 700, 995, 1883, 5222
- Proxy load balancers (TCP / SSL)
  - global services, not tied to a single region
  - for ports outside the supported list, use a Network load balancer
  - the original source IP/port is not preserved by default
  - the target proxy terminates the client connection and opens another to the backend, which is why the original IP information is lost
  - the PROXY protocol header can be enabled on the target proxy to hand the client's source IP/port to the backend
  - session affinity (route subsequent requests to the same backend instance)
  - backend services manage health checks and detect whether a backend is available to receive traffic

Components

![Screen Shot 2022-10-22 at 9 11 57 PM](https://user-images.githubusercontent.com/5553105/197371525-e9f703fa-7cf9-4c4c-b9b9-f3c5e284c164.png)

Firewall rules (allow health checks)

![Screen Shot 2022-10-22 at 9 13 09 PM](https://user-images.githubusercontent.com/5553105/197371563-f31f77b7-a66f-478d-adad-4823678b65c6.png)

Summary

![Screen Shot 2022-10-22 at 9 14 13 PM](https://user-images.githubusercontent.com/5553105/197371582-d3059436-a45a-4085-ad2a-d6131281d19d.png)

## Network Load Balancer

![Screen Shot 2022-10-22 at 9 15 34 PM](https://user-images.githubusercontent.com/5553105/197371612-800d6e75-9f3e-4ff4-8e67-40c2be1724ff.png)

**Regional, non-proxied (pass-through)** load balancer: it does not terminate client connections but passes them through to the GCP backends.
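The Network load balancer above hands the backend the real client address; the TCP/SSL proxy load balancers in the previous section do not, unless the PROXY protocol header is enabled on the target proxy, in which case the backend must parse it. An added example (not from the original notes, and not Google's code) of a parser for the PROXY protocol version 1 text header, together with the check that makes honouring it safe: the header is trusted only when the TCP peer is the load balancer. The trusted ranges are Google's documented proxy source ranges (130.211.0.0/22 and 35.191.0.0/16); every packet below is constructed.

```python
# Added example, not from the original notes: parse the PROXY protocol v1 header a TCP/SSL
# proxy load balancer prepends when its proxy header is set to PROXY_V1, and only trust it
# from the load balancer's own source ranges. All input bytes below are constructed.
import ipaddress
import re

MAX_V1_HEADER = 107          # spec: the v1 line, CRLF included, is at most 107 bytes
_V1_LINE = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n$")
TRUSTED_PROXIES = ("130.211.0.0/22", "35.191.0.0/16")


class ProxyProtocolError(ValueError):
    pass


def parse_proxy_v1(data):
    """Return (header_dict, remaining_bytes). Malformed input raises instead of being guessed."""
    if not data.startswith(b"PROXY "):
        raise ProxyProtocolError("no PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyProtocolError("header not CRLF-terminated within 107 bytes")
    line, rest = data[:end + 2], data[end + 2:]
    m = _V1_LINE.match(line)
    if not m:
        raise ProxyProtocolError("malformed PROXY v1 line")
    family = m.group(1).decode()
    if family == "UNKNOWN":               # the proxy could not determine the client; no addresses
        return {"family": family}, rest
    if m.group(2) is None:
        raise ProxyProtocolError("TCP4/TCP6 header without addresses")
    try:
        src = ipaddress.ip_address(m.group(2).decode())
        dst = ipaddress.ip_address(m.group(3).decode())
    except ValueError as exc:
        raise ProxyProtocolError(f"bad address: {exc}") from None
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyProtocolError("address family does not match the declared protocol")
    sport, dport = int(m.group(4)), int(m.group(5))
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyProtocolError("port out of range")
    return {"family": family, "src": str(src), "dst": str(dst), "sport": sport, "dport": dport}, rest


def is_valid_v1(data):
    try:
        parse_proxy_v1(data)
        return True
    except ProxyProtocolError:
        return False


def client_address(data, peer_ip, trusted=TRUSTED_PROXIES):
    """The address to log, rate-limit and authorise on. The header is honoured only when the TCP
    peer is the load balancer; from anyone else it is attacker-controlled text and stays in the
    stream untouched."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted):
        return peer_ip, data
    header, rest = parse_proxy_v1(data)
    if header["family"] == "UNKNOWN":
        return peer_ip, rest
    return header["src"], rest
```

`client_address` is the part worth copying: a backend that is also reachable directly (for instance over VPC peering, or because its firewall rule admits more than the proxy ranges) will happily read a forged `PROXY TCP4 ...` line from any client that sends one, and every IP-based control downstream then runs against an address the attacker chose.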
- within a **single region**, the load balancer serves all zones
- does not modify the source IP or port
- new flows are spread across instances; packets of an existing flow keep going to the same instance because selection hashes the source IP/port and destination IP/port
- no cookie-style session affinity, but the target pool's session-affinity setting (client IP, or client IP and protocol) can pin a client to one backend
- does not load balance traffic that stays inside the GCP network
- responses go directly back to the client, not through the load balancer; the industry term is **direct server return**
- legacy HTTP health checks require a basic web server on each instance answering on port 80

Key difference
- because the client's real source IP reaches the backend, the firewall rule on the backends must admit the real client ranges (the notes' recommendation for a public service: allow `0.0.0.0/0` on the served port) as well as the health-check ranges

Components

![Screen Shot 2022-10-22 at 9 18 47 PM](https://user-images.githubusercontent.com/5553105/197371704-4146f1dd-29bc-4366-8670-9273f6768d76.png)

Summary

![Screen Shot 2022-10-22 at 9 23 13 PM](https://user-images.githubusercontent.com/5553105/197371848-bade907d-d271-4869-a65f-97acd6daadf1.png)

## Internal Load Balancing

![Screen Shot 2022-10-22 at 9 28 06 PM](https://user-images.githubusercontent.com/5553105/197371994-d198644f-d7b3-4ad2-93b8-1b67df1b64ef.png)

- allows higher availability and flexibility for rolling updates and maintenance
- only RFC1918 clients in the same region (no traffic from the public internet)
- the internal forwarding rule's IP is drawn from a subnet in the same region and VPC as the backend service
- each uses one regional backend service (must have at least one instance group and a health check)
- no UDP health checks, so a UDP service must also run a TCP listener to answer the health check
- failover backends can be configured for when a configurable share of the primary backends stops responding
- configure firewall rules for the internal client source ranges (plus the health-check ranges)

## Managed Instances

![Screen Shot 2022-10-22 at 9 30 04 PM](https://user-images.githubusercontent.com/5553105/197372104-a4bef033-30a9-4043-a596-c99cb1b41719.png)

- instance template
- zonal or regional (recommended: at least 3 instances)
- managed instance groups
  - autoscaling policy (default 60-second cool-down period; configurable)
- unmanaged instance groups
  - no autoscaling policy

To know:
- rolling updates and canary deployments (how to)
- autoscaling target utilization methods
  - average CPU utilization
  - Cloud Monitoring metrics
  - HTTP load balancing serving capacity (utilization or requests/sec)

Summary

![Screen Shot 2022-10-22 at 9 31 25 PM](https://user-images.githubusercontent.com/5553105/197372092-9ddb9ca0-7087-4e87-8190-a92a570b10f2.png)

## Network Endpoint Groups

![Screen Shot 2022-10-22 at 9 35 33 PM](https://user-images.githubusercontent.com/5553105/197372230-f05a7111-760a-4488-bf4b-8fe3cb2b42ea.png)

Logical groupings of IP:port pairs representing software services instead of entire VMs
- VPC
- subnet
- region/zone
- default port
- (Add Network Endpoint): VM, container or app, by adding the IP/port the application listens on

Highlights
- every IP address must be in the same subnet
- the VM instance must be in the same zone as the NEG
- the network interface must be in the same subnet of the VPC network
- if a NEG is used as a backend, all other backends of that backend service MUST also be NEGs
- the IP must be the VM's primary address or one of its alias IPs
- the same NEG can be added to more than one backend service
- the same IP/port can be added to multiple NEGs

To know
- you cannot use the UTILIZATION balancing mode for backend services that use a zonal NEG; only RATE or CONNECTION
- Console: Compute > Network Endpoint Groups

## Cloud Armor Policies - Whitelisting and Blacklisting IPs

![Screen Shot 2022-10-22 at 9 59 06 PM](https://user-images.githubusercontent.com/5553105/197373048-66a6d424-18d3-4f49-8a46-3de9471ceb7f.png)

Security policies are sets of rules you define to enforce application-layer firewall rules protecting externally-facing applications or services. Each rule is evaluated against incoming traffic.
- "service firewall rules"
- operates at the GCP edge, closest to the source, so unwanted traffic never consumes backend resources
- not supported for internal traffic
- check which LBs it supports (originally only the external HTTP(S) load balancer)
- "deny lists" or "allow lists"
- 5 IPs or ranges per rule

IAM roles
- Compute Security Admin (create and modify policies)
- Compute Network Admin (attach policies to a backend service)

DDoS scenario

![Screen Shot 2022-10-22 at 9 57 58 PM](https://user-images.githubusercontent.com/5553105/197373005-5a09c3c2-3853-4cbc-a73d-de3479354c6e.png)

Preview mode
- rules log the action they would take without enforcing it, so you can see the effect on real traffic before turning them on

# DNS and CDN Network Services

## Cloud DNS

![Screen Shot 2022-10-23 at 9 42 08 PM](https://user-images.githubusercontent.com/5553105/197444473-2f123f13-d49e-4902-8d1b-34996e9a80d1.png)

Three kinds of zones with Cloud DNS
- Internal DNS
  - cannot be turned off; automatically created by Google Cloud
  - `[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal`
- Private Zone
  - DNS records only visible inside your GCP network(s)
  - supports **DNS Forwarding** and **DNS Peering**
- Public Zone
  - visible to the internet; the domain is usually purchased through a **Registrar**

## Managed DNS Zones - Private and Public Zones

Creating a Private DNS zone
- Zone type: Public or **Private**
- Zone name (e.g. `research-acme-com`)
- DNS name (e.g. `research.acme.com`)
- Description (optional)
- Options
  - Default (private)
  - Forward queries to another server
  - DNS Peering
  - Managed reverse lookup zone
- Networks (multi-select)
- then create record sets (A, CNAME, etc.)
Creating a Public DNS zone
- Zone name (e.g. `dev-acme-com`)
- DNS name (e.g. `dev.acme.com`)
- DNSSEC (default Off)
  - On
  - Off
  - Transfer
- Description (optional)
- then add NS records at the registrar pointing to GCP's name servers

Migrating existing public zones
- create the public zone
- export the records from the existing on-premises name server (BIND or YAML format)
- import the DNS records from on-premises
  - WARNING: if the export contains SOA (start of authority) records, use the `--delete-all-existing` flag so the zone's existing SOA/NS records are replaced consistently
- update the name servers at the registrar to the Cloud DNS name servers

![Screen Shot 2022-10-23 at 9 56 39 PM](https://user-images.githubusercontent.com/5553105/197445874-4dfcba31-a09b-42be-aa09-2c03d4ead57a.png)

DNS resolution order on GCP
- when we create a public zone, it is the LAST PLACE a VM's resolver looks to resolve a name (internal DNS, private zones, forwarding and peering all come first)

![Screen Shot 2022-10-23 at 9 57 07 PM](https://user-images.githubusercontent.com/5553105/197445945-ada75d2b-e9b8-4dfd-89eb-e1def16179bd.png)

Summary

![Screen Shot 2022-10-23 at 9 58 05 PM](https://user-images.githubusercontent.com/5553105/197445981-6ddbe0d3-246e-4d04-a89a-2cc6036b2760.png)

## DNS Forwarding and DNS Peering

- Forwarding
  - inbound and outbound resolution between on-prem and Cloud DNS (hybrid DNS)
  - CANNOT BE USED TO FORWARD BETWEEN TWO GCP ENVIRONMENTS, REGARDLESS OF DIRECTION (use peering for that)
- Peering
  - extend DNS zones between VPC networks

DNS resolution order on GCP

![Screen Shot 2022-10-23 at 10 02 09 PM](https://user-images.githubusercontent.com/5553105/197446380-229cb751-32a0-403c-a8a8-21f1cd81a00b.png)

DNS policy (forwarding rules), an alternative to forwarding zones

![Screen Shot 2022-10-23 at 10 03 05 PM](https://user-images.githubusercontent.com/5553105/197446454-f6557fae-1770-4932-8ff6-fc7cf5199acc.png)

DNS Peering

![Screen Shot 2022-10-23 at 10 03 46 PM](https://user-images.githubusercontent.com/5553105/197446496-016c7107-2414-4903-82a6-9a8621824d38.png)

Summary (Top 5)
- Private Zone: Cloud DNS private zones provide DNS for a GCP project; VPCs in the same project can use the same name servers.
- DNS Forwarding for Private Zones: overrides normal DNS resolution for the specified zones; queries for those zones are forwarded to the listed forwarding targets.
- DNS Peering for Private Zones: lets you send requests for records in one zone's namespace to another VPC network.
- DNS Policy, Outbound: when enabled in Cloud DNS, forwards all DNS requests from a VPC network to the alternative name server targets. **Disables internal DNS for the selected networks**, so Compute Engine internal names stop resolving unless those servers forward them back.
- DNS Policy, Inbound: an inbound DNS policy lets on-premises systems query that VPC network's name resolution order.

## DNS Security

Protects a public zone from spoofing or impersonation by a third-party DNS server.

Cloud DNSSEC for Public Zones
- the DNS zone for your domain must serve the DNSSEC records for public keys (DNSKEY) and signatures (RRSIG) that let resolvers authenticate your zone's contents; the chain of trust is completed by publishing a DS record at the registrar
- enabling: click "Registrar setup", copy the DS line and paste it at the registrar

![Screen Shot 2022-10-23 at 10 10 54 PM](https://user-images.githubusercontent.com/5553105/197447135-6b0619bc-e413-457f-a5c6-522e6430f1c9.png)

- disabling: remove the DS record at the registrar first, before turning DNSSEC off (otherwise validating resolvers treat the now-unsigned zone as bogus and the domain goes dark)

![Screen Shot 2022-10-23 at 10 11 05 PM](https://user-images.githubusercontent.com/5553105/197447129-2d4c4002-c5b4-45f0-9428-354a8080ab9a.png)

- transfer

Migrating Public Zones to GCP

![Screen Shot 2022-10-23 at 10 16 56 PM](https://user-images.githubusercontent.com/5553105/197447639-6aec626a-53b1-4299-b8d2-e00cd85ebd71.png)

- create the public zone
- export the on-prem records
- import the records
- update the registrar

Migrating DNSSEC-signed zones to GCP

![Screen Shot 2022-10-23 at 10 15 55 PM](https://user-images.githubusercontent.com/5553105/197447577-eb809dd4-9ea0-46e7-8478-63015d0b06cf.png)

- create the public zone
- select DNSSEC "Transfer"
- export the DNS records (including the original key)
- import the records
- update the registrar
- FINAL STEP: set DNSSEC to "On"

Summary

![Screen Shot 2022-10-23 at 10 17 51 PM](https://user-images.githubusercontent.com/5553105/197447705-e4b2b5e6-1193-410c-a468-fe1c7a19b112.png)

## Content Delivery Network (CDN)

Shortens the physical distance data has to travel to reach users, improving site rendering speed and performance. Stores a cached version of content in multiple geographical locations.

Requirements
- Premium Tier network (global network)
- Global HTTP(S) Load Balancer (fetches content from the backends)
- edge location cache servers

Types of content
- Images
- Video
- Audio
- Other
- up to 5 TB per object

![Screen Shot 2022-10-23 at 10 21 04 PM](https://user-images.githubusercontent.com/5553105/197447996-6fb44a27-5a3a-439e-89a3-985ccac6c87d.png)

Global user experience

![Screen Shot 2022-10-23 at 10 22 05 PM](https://user-images.githubusercontent.com/5553105/197448069-28e6782e-1757-45dc-8d8f-1270a9224449.png)

Terminology
- Hit: the user's request is served from the edge POP's cache
- Miss: the request arrives and the CDN does not have the object
- Fill: Cloud CDN requests the object from the origin to fill the cache
  - no fill happens until the request enters GCP's network at that POP

Summary

![Screen Shot 2022-10-23 at 10 24 33 PM](https://user-images.githubusercontent.com/5553105/197448256-7492a7c3-b7f6-48e7-bfb2-a51576f7596c.png)

## Cloud CDN Cache Control

![Screen Shot 2022-10-23 at 10 29 49 PM](https://user-images.githubusercontent.com/5553105/197448797-2c45737b-4cb2-4c23-9ec0-f37551d97a1a.png)

- apply correct expiration settings for time-sensitive content
- create custom cache keys (e.g. drop the hostname from the key to increase the cache hit ratio)
- use cache invalidation when content must change before it expires (invalidate by path prefix rather than individual files; invalidations are rate-limited, about one per minute)
- caches only refetch what changed (objects whose entries were invalidated or expired)
- settings, in order of precedence
  - `s-maxage` (highest priority)
  - `max-age`
  - `Expires`

## Signed URLs

![Screen Shot 2022-10-23 at 10 32 58 PM](https://user-images.githubusercontent.com/5553105/197449054-95f57e9d-d9d2-4ccb-a2e8-2093b904cd23.png)

Give the public temporary access to cached content without signing in.

![Screen Shot 2022-10-23 at 10 30 44 PM](https://user-images.githubusercontent.com/5553105/197448846-23074282-5889-4685-91a0-361481b21513.png)

- a 128-bit key (base64url-encoded) is used to sign the URL
  - name
  - creation method (automatic)
  - cache-entry max age
- the signature is an HMAC over the URL, its `Expires` timestamp and the `KeyName`; anyone holding the key can mint URLs, so keep it as secret as a credential and rotate by adding a new key before deleting the old one

Needed IAM role

![Screen Shot 2022-10-23 at 10 33 14 PM](https://user-images.githubusercontent.com/5553105/197449081-4bba8f71-3045-4bb6-9db4-56960290dc90.png)

Summary

![Screen Shot 2022-10-23 at 10 33 39 PM](https://user-images.githubusercontent.com/5553105/197449191-abc3d1a9-19a2-4ca8-a5cc-23e025170c21.png)
![Screen Shot 2022-10-23 at 10 34 35 PM](https://user-images.githubusercontent.com/5553105/197449203-6fb1aae8-4232-4236-9302-5057e90a98bf.png)

# Monitoring Network Operations

Observability is a measure of how well the internal states of a system can be inferred from knowledge of its external outputs.
## Managing Network Operations

Log entry standard fields
- actor
- logType
- logName
- severity
- timestamp

Architecture

![Screen Shot 2022-10-24 at 9 45 30 AM](https://user-images.githubusercontent.com/5553105/197573066-a3ba0580-b556-47c3-8bb4-6c8f5b663933.png)

Components
- Logs
- Cloud Logging API
- Cloud Logs Router
  - exclusion filter
  - inclusion filter
- Log sinks
  - Cloud Storage
  - BigQuery
  - Pub/Sub (3rd-party exports too)
- Log buckets
  - `_Default` (30 day default retention)
  - `_Required` (400 day retention, not configurable)

IAM roles

![Screen Shot 2022-10-24 at 9 46 47 AM](https://user-images.githubusercontent.com/5553105/197573460-40c1c3a2-78e5-4ac8-bb25-694dfe70d7f4.png)

- Logging Admin - full control over all logging services
- Logs Configuration Writer - inclusion/exclusion filter configurability
- Logs Viewer - view non-private log data and configs
- Logs Writer - service accounts must have this role to write logs
- Private Logs Viewer - access to data access and transparency logs

Cloud Logging Agent
- for 3rd-party solutions/apps
- its service account needs the Logs Writer IAM role
- if on-prem or in another cloud, needs a service account with a private key

Summary

![Screen Shot 2022-10-24 at 9 50 11 AM](https://user-images.githubusercontent.com/5553105/197574051-2a54b705-766d-4629-bfba-da4f0aeee7df.png)

## VPC Flow Logs

![Screen Shot 2022-10-24 at 9 59 56 AM](https://user-images.githubusercontent.com/5553105/197574809-c0f9bf59-cc00-42a4-87ca-ffe651c9d476.png)

- VPC network monitoring
- Forensics
- Security analysis
- Cost control / forecasting

Provide a packet-level view into how our VPC network is functioning.
Example connection

![Screen Shot 2022-10-24 at 9 54 34 AM](https://user-images.githubusercontent.com/5553105/197574868-531d5249-c788-44f6-84d3-1863f44fc2e9.png)

ipConnection info

![Screen Shot 2022-10-24 at 9 53 13 AM](https://user-images.githubusercontent.com/5553105/197575139-4d115e3d-f4f3-4805-b51f-e86ee7bf04ad.png)

- 5-tuple (`dest_ip`, `dest_port`, `protocol`, `src_ip`, `src_port`)

Good to know:

![Screen Shot 2022-10-24 at 9 59 26 AM](https://user-images.githubusercontent.com/5553105/197575200-5e5068b6-e2c0-4e19-be54-1e83ba875131.png)

both `SRC` and `DEST` info is logged for every VM instance (even if the traffic stays within the GCP network)

Cost control (aggregation, sampling)

![Screen Shot 2022-10-24 at 9 58 31 AM](https://user-images.githubusercontent.com/5553105/197575443-dfb04fb0-7634-4c80-8ae5-c72de39a9011.png)

- sampling controls how much is stored (default 50%; to find an issue quickly, set it to 100% while troubleshooting)
- can be turned on/off as needed
- stored in `_Default` for 30 days; if you need longer, set up a log sink export

## Firewall Rule Logs

Allows us to verify and analyze the effects of firewall rules on our network traffic.
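An added example (not code from the notes) that works over constructed flow-log and firewall rule log entries: it collapses the SRC/DEST double reporting described above into one record per 5-tuple, sums bytes per destination, counts DENIED hits per rule for the log-volume cost this section warns about, and lists the flows firewall logs cannot show because they cover only TCP/UDP. The record field names are an assumption of the example.

```python
"""Triage constructed VPC Flow Log and firewall rule log entries (added example,
not code from the notes). The dicts are a simplified, constructed form of the
jsonPayload Cloud Logging writes (field names are an assumption): each carries
the 5-tuple under "connection"; flow-log entries add "reporter" (SRC/DEST) and
"bytes_sent"; firewall entries add "disposition" and "rule_details"."""
from collections import defaultdict
TCP, UDP, ICMP = 6, 17, 1  # IANA protocol numbers, as logged in "protocol"

def conn(src_ip, src_port, dest_ip, dest_port, protocol):
    return {"src_ip": src_ip, "src_port": src_port, "dest_ip": dest_ip,
            "dest_port": dest_port, "protocol": protocol}

# Constructed sample. The first two records are the SAME flow, reported once by
# the source VM (SRC) and once by the destination VM (DEST) because both sit in
# a logged subnet; the SSH flows leave GCP, so only SRC reports them.
FLOW_LOGS = [
    {"reporter": "SRC", "bytes_sent": 1200, "connection": conn("10.0.1.5", 44321, "10.0.2.9", 443, TCP)},
    {"reporter": "DEST", "bytes_sent": 1200, "connection": conn("10.0.1.5", 44321, "10.0.2.9", 443, TCP)},
    {"reporter": "SRC", "bytes_sent": 5000, "connection": conn("10.0.1.5", 50001, "203.0.113.7", 22, TCP)},
    {"reporter": "SRC", "bytes_sent": 300, "connection": conn("10.0.1.5", 50002, "203.0.113.7", 22, TCP)},
    {"reporter": "SRC", "bytes_sent": 84, "connection": conn("10.0.1.5", 0, "10.0.2.9", 0, ICMP)},
]

# Constructed firewall rule log entries (rule names are placeholders).
FIREWALL_LOGS = [
    {"disposition": "DENIED", "rule_details": {"reference": "firewall:deny-ssh-from-internet", "priority": 1000},
     "connection": conn("198.51.100.23", 41000, "10.0.1.5", 22, TCP)},
    {"disposition": "DENIED", "rule_details": {"reference": "firewall:deny-ssh-from-internet", "priority": 1000},
     "connection": conn("198.51.100.23", 41001, "10.0.1.5", 22, TCP)},
    {"disposition": "ALLOWED", "rule_details": {"reference": "firewall:allow-https-internal", "priority": 900},
     "connection": conn("10.0.1.5", 44321, "10.0.2.9", 443, TCP)},
]

def five_tuple(entry):
    c = entry["connection"]
    return (c["src_ip"], c["src_port"], c["dest_ip"], c["dest_port"], c["protocol"])

def dedupe_flows(entries):
    """One record per 5-tuple, preferring the SRC view when both VMs logged the flow."""
    chosen = {}
    for e in entries:
        key = five_tuple(e)
        if key not in chosen or (e["reporter"] == "SRC" and chosen[key]["reporter"] != "SRC"):
            chosen[key] = e
    return list(chosen.values())

def bytes_by_destination(entries):
    """Bytes per (dest_ip, dest_port, protocol) after de-duplication."""
    totals = defaultdict(int)
    for e in dedupe_flows(entries):
        _, _, dest_ip, dest_port, proto = five_tuple(e)
        totals[(dest_ip, dest_port, proto)] += e["bytes_sent"]
    return dict(totals)

def denied_by_rule(entries):
    """DENIED hits per rule: a chatty deny rule is the log-volume cost the notes warn about."""
    counts = defaultdict(int)
    for e in entries:
        if e["disposition"] == "DENIED":
            counts[e["rule_details"]["reference"]] += 1
    return dict(counts)

def flows_not_in_firewall_logs(entries):
    """Flows firewall rule logs cannot show (they cover only TCP/UDP); flow logs are the only record."""
    return [e for e in dedupe_flows(entries) if five_tuple(e)[4] not in (TCP, UDP)]
```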
- not sampled; every connection is logged

![Screen Shot 2022-10-24 at 10 21 47 AM](https://user-images.githubusercontent.com/5553105/197576113-09298f5c-83e5-454d-9b57-3ab66542cd1e.png)

IAM roles to enable firewall rule logging
- Compute Admin
- Compute Security Admin
- Owner or Editor

IAM roles for viewing firewall rule logs
- Logging Viewer
- Owner, Editor, or Viewer (primitive roles)

Default rules
- ingress - deny all - priority 65535 (not logged and not editable)
- egress - allow all - priority 65535 (not logged and not editable)
- to log:
  - create a similar rule with a higher priority (any priority number lower than the defaults') and turn logging on for it

Example ALLOW and DENY logs

![Screen Shot 2022-10-24 at 10 25 03 AM](https://user-images.githubusercontent.com/5553105/197576782-504db0f4-d74a-41c5-827b-91151792673e.png)

WARNING / Troubleshooting
- logging on a deny-all rule (like the default) will generate a lot of log entries (cost)
- only works for TCP/UDP and no other protocols (e.g. ICMP)

![Screen Shot 2022-10-24 at 10 28 14 AM](https://user-images.githubusercontent.com/5553105/197577397-e0e18490-bcb9-4589-bca0-08f89f9de8b0.png)

Summary

![Screen Shot 2022-10-24 at 10 28 46 AM](https://user-images.githubusercontent.com/5553105/197577456-8009603d-5ef2-4ac7-aba4-cd9becdd97e9.png)

## Cloud Monitoring

We create pictures of what is going on; proactive and predictive operations. By collecting measurements over time, we can predict the pattern of events or take automated action based on the state of the environment.
Components
- Dashboards
- Uptime Checks
- Alerting Policies
- Notification Channels
- Groups

Metrics components

![Screen Shot 2022-10-24 at 10 31 00 AM](https://user-images.githubusercontent.com/5553105/197577842-c8dc8346-005f-4715-b6de-c64a4860cd80.png)

- Monitored resource (can be CPU, disk IDs)
- Metric types (e.g., "gauge")
- Time series (points: a collection of metric values over time)

Workspace
- single project for IAM permissions, agents, users
- takes the name of the project where it was created
- can monitor up to 100 GCP projects
- best practices
  - create a separate project for the Workspace
  - install the monitoring agent on all GCP resources

IAM role for the VM service account
- Monitoring Metric Writer role
- if 3rd-party, a Service Account private key

![Screen Shot 2022-10-24 at 10 42 35 AM](https://user-images.githubusercontent.com/5553105/197580134-c3a8235f-df05-4a2b-b4ad-686c693c0296.png)

Summary

![Screen Shot 2022-10-24 at 10 43 16 AM](https://user-images.githubusercontent.com/5553105/197580234-bf7d8363-2f7a-4025-bc29-a32864c83977.png)

## Managing Network Operations - Need to Know

![Screen Shot 2022-10-24 at 10 45 27 AM](https://user-images.githubusercontent.com/5553105/197580579-a1c03416-14c4-4cf5-80d7-55a550a260d8.png)

# Hybrid Networks

Establishing private connections between our VPC network and existing on-premises or multi-cloud network infrastructure.
![Screen Shot 2022-10-24 at 8 25 20 PM](https://user-images.githubusercontent.com/5553105/197667416-047c8b64-283a-48d0-bf07-153731dffec6.png)

## Hybrid Connections

![Screen Shot 2022-10-24 at 9 25 46 PM](https://user-images.githubusercontent.com/5553105/197675335-ccf8b222-60a6-4863-8ee0-4108a1d9c6ad.png)

- VPN
  - lets you securely connect GCP resources to your own private network
  - uses IKEv1 or IKEv2 to establish IPsec connectivity
- Interconnect
  - lets you establish high-bandwidth, low-latency connections between your GCP networks and on-premises infrastructure
- Cloud Routers
  - enable dynamic route updates between your VPN and the non-Google network
  - Regional
  - Global

Colocation Facility

![Screen Shot 2022-10-24 at 8 23 15 PM](https://user-images.githubusercontent.com/5553105/197667204-babd5465-bff3-4d4b-ad2d-6fb4ea29dc62.png)

- On-premises
- Colocation Facility (Edge POP)
- Google Cloud Platform
- colocation facility providers establish a circuit between the colo and GCP, providing layer 2 connectivity
- each "metro" is a metropolitan area
  - select the colocation facility and metro where the Interconnect will live
  - select a location close to the on-premises location to reduce latency
  - each metro supports a subset of regions
    - more cost effective to avoid inter-region egress costs
  - each colocation facility supports specific regions

LOA-CFA
- Letter of Authorization and Connecting Facility Assignment (LOA-CFA)
- Google sends an email to the facility provider to provision a cross connect between Google and the provider

Edge Availability Domain
- each colocation facility has at least 2
- prevents outages, as only 1 is down at any one time for maintenance

Network Service Provider
- colocation facility vendor
- enables establishing shared connectivity between the provider and GCP

Dedicated Interconnect
- the colo provider provisions a circuit between our provider and Google's Edge POP

Partner Interconnect
- useful if our datacenter is in a physical location that cannot reach a Google partner colocation facility
- or if bandwidth needs

VPN IPSec
- 3GB per tunnel, up to 8 tunnels

Direct Peering
- exchange routes; the next hop is Google's global network; default IGW or VPN tunnel
- discounted egress rates (no charge for peering)

Carrier Peering
- works the same as direct peering
- uses a shared network from a GCP provider

## Dedicated Interconnect

![Screen Shot 2022-10-24 at 8 30 36 PM](https://user-images.githubusercontent.com/5553105/197668182-5ee115b4-e7ea-4db1-a78a-dc4c4b783d5c.png)

- connect your on-premises network to Google Cloud's network by connecting new fiber to your equipment
- the LOA-CFA specifies the bandwidth needs for the business
- establish a BGP session between the on-premises router and the GCP Cloud Router

Order
- name
- location
  - **suggest a 2nd one for SLA / redundancy**
- redundancy
- company name
- technical contact

VLAN Attachment (can add to an existing one)
- **allocates a VLAN on an Interconnect connection and associates that VLAN with a specific Cloud Router**
- name
- Cloud Router
- VLAN ID
- allocate BGP IP address
- bandwidth (max 50Gbs)

## Partner Interconnect

![Screen Shot 2022-10-24 at 8 34 41 PM](https://user-images.githubusercontent.com/5553105/197668834-29b26b6b-8f87-42ed-89ec-c5166f903faa.png)

Provides connectivity between GCP and our network through a 3rd-party provider
- should still use 2 zones and 2 connections for high availability

Setup
- select a colocation facility
- connect the on-premises network to the facility (closest to our network and to the GCP region)
- some offer layer 2 and layer 3
  - layer 3 TCP/IP connectivity is the common case

Order

![Screen Shot 2022-10-24 at 8 36 11 PM](https://user-images.githubusercontent.com/5553105/197669024-964364f4-c16b-4855-96b2-f51cf0448ff7.png)

- check connection
  - have provider
  - find a service provider
- check VPC network
  - region
  - VLAN attachment name
  - Cloud Router
  - advertise all subnets OR
  - custom routes (can also advertise all, plus additional)
- when adding the VLAN attachment, Google generates a pairing key (one time) for the service provider to set up
- provide the pairing key to the partner
- no need for LOA-CFA, since the partner already has an existing connection with Google
- layer 2 needs a `/24` range and an ASN

## Cloud VPN

- need Cloud VPN and Cloud Router
- IPSec = Internet Protocol Security
  - traffic goes over the public internet, but is authenticated and encrypted on both sides

HA VPN

![Screen Shot 2022-10-24 at 8 41 41 PM](https://user-images.githubusercontent.com/5553105/197669670-0191c6ea-9ab6-49ad-98e5-0e9ac93500c0.png)

- 99.99% SLA
- VPN Gateway (interfaces)
- Tunnels
  - IP of the remote gateway
  - IKEv1 or IKEv2
  - pre-shared key (generate and copy)
- Routing
  - dynamic ONLY FOR HA
  - route-based
  - static routes
- BGP session (the peer device must support BGP)
  - peer ASN
  - Cloud Router BGP IP / BGP peer IP
  - route advertisement options

![Screen Shot 2022-10-24 at 8 45 21 PM](https://user-images.githubusercontent.com/5553105/197670141-35b46eda-874b-4fcf-8c9f-9c63b24e7511.png)

HA VPN active/passive (recommended)

![Screen Shot 2022-10-24 at 8 46 52 PM](https://user-images.githubusercontent.com/5553105/197670361-c20b858a-0e92-4a68-ad44-1fa98b0c1255.png)

- in the event of a failure we have enough capacity

Need to know:
- difference between 99.9% and 99.99% availability
- ASN = autonomous system number
- MTU 1460 default (can adjust to reduce latency)
- weigh cost implications
- it is against the terms of service to connect two on-premises networks to each other through Cloud VPN

Summary

![Screen Shot 2022-10-24 at 8 47 49 PM](https://user-images.githubusercontent.com/5553105/197670441-e000bba5-707d-4b76-999c-00a9bf98079d.png)

## VLAN attachments

![Screen Shot 2022-10-24 at 8 50 46 PM](https://user-images.githubusercontent.com/5553105/197670925-fcc8145e-a948-4622-953d-9b5362a5b86d.png)
![Screen Shot 2022-10-24 at 8 53 48 PM](https://user-images.githubusercontent.com/5553105/197671219-0085490f-deb4-44e0-9b2e-842eaafe1403.png)

Used with both Dedicated and Partner Interconnect
- need a physical connection between our network and the GCP colocation facility
- after the connection is set up, use the Cloud Console to set up the VLAN attachment
- binds our Cloud Router to our VPC and enables the ability to send routes
- a single attachment is not redundant
  - need a separate Cloud Router in a different region
- for Partner Interconnect, creates a VLAN attachment pairing key (waiting for the service provider)
  - layer 3
  - for layer 2, need a dedicated connection and an ASN

Setup
- configure interconnect
- add VLAN attachment
  - select project
  - name
  - router
  - VLAN ID
  - capacity (1Gb/s)

Overview

![Screen Shot 2022-10-24 at 8 51 00 PM](https://user-images.githubusercontent.com/5553105/197670958-00ee9011-c00a-41ff-b93e-7dbee0002064.png)
![Screen Shot 2022-10-24 at 8 54 31 PM](https://user-images.githubusercontent.com/5553105/197671313-2ec0ceb4-5040-4fce-8348-767d289304e2.png)

To know about HA
- zone name (zone 1) in each region; need multiple in each region for redundancy, as zone 1 may be under maintenance in both regions

Multiple VLAN attachments

![Screen Shot 2022-10-24 at 8 55 38 PM](https://user-images.githubusercontent.com/5553105/197671422-52bf9954-1b6b-4ab1-9302-bcd69633adc1.png)

- advertise MED values
- sets up equal-cost multipath routing (ECMP)

## Cloud Router

![Screen Shot 2022-10-24 at 8 57 46 PM](https://user-images.githubusercontent.com/5553105/197671680-643e9136-3f94-4716-acd9-a054c9da98b6.png)

- Not a physical device; software defined.
- Establishes the connection between the on-premises network and the GCP network.
- uses the BGP routing protocol
- if using internal load balancing, regional routing mode is recommended (vs. global) to reduce the risk of lost connectivity

Private ASN

![Screen Shot 2022-10-24 at 8 59 34 PM](https://user-images.githubusercontent.com/5553105/197672005-f814f62c-662b-438d-b926-186750b0512a.png)

- 64512 - 65534 and 42000000 - ...
Redundancy

![Screen Shot 2022-10-24 at 9 01 36 PM](https://user-images.githubusercontent.com/5553105/197672215-0f8daa24-8543-4964-802a-0d9b759bccc7.png)

Use cases and components

![Screen Shot 2022-10-24 at 9 01 15 PM](https://user-images.githubusercontent.com/5553105/197672260-54372f8d-2e4c-4255-97d5-a048d2b1c590.png)

Mode
- Regional (default) - only shares the subnets available in the region
- Global - shares all VPC networks where subnets are provisioned

## Peered Connections

![Screen Shot 2022-10-24 at 9 07 04 PM](https://user-images.githubusercontent.com/5553105/197672933-ff9b84fc-9ba8-436b-aacf-7ee94a3b4ec0.png)

Direct connection between Google's network and another network to support the exchange of traffic.

Overview

![Screen Shot 2022-10-24 at 9 08 46 PM](https://user-images.githubusercontent.com/5553105/197673140-65a5e0bc-3988-43e7-874f-ae20f9b08bf0.png)

- no direct connection
- global routing only, no BGP routing
- should use a VPN tunnel to add encryption across the peering
- no setup or maintenance
- discounted egress rates

Direct Peering Connections

![Screen Shot 2022-10-24 at 9 09 27 PM](https://user-images.githubusercontent.com/5553105/197673229-d79e3a88-3b94-4370-b794-1c305f304378.png)

- need a 24/7 NOC
- minimum traffic requirements (10gbs)

Carrier Peering Connections
- the 1/3 discount on egress costs may justify the extra provider costs

Summary

![Screen Shot 2022-10-24 at 9 11 43 PM](https://user-images.githubusercontent.com/5553105/197673526-2d8ccb3c-0f9f-483f-8f32-b8ba7bd7d4d8.png)

## Highly Available Connections

Availability
- if a customer cannot access a service at any time, it's "unavailable"
  - call it "downtime"

![Screen Shot 2022-10-24 at 9 13 11 PM](https://user-images.githubusercontent.com/5553105/197673756-8b14da36-979f-445e-89d8-f439448826d2.png)

Deciding
- based on availability, make sure business needs are met

Architectures
- 99.9%

![Screen Shot 2022-10-24 at 9 14 16 PM](https://user-images.githubusercontent.com/5553105/197673875-03f7953b-6fff-4559-bdd8-1549c0a6b2fe.png)

- 99.99%

![Screen Shot 2022-10-24 at 9 14 54 PM](https://user-images.githubusercontent.com/5553105/197673989-6c9c4169-e29c-47b6-a74d-7b29619077f5.png)
![Screen Shot 2022-10-24 at 9 24 56 PM](https://user-images.githubusercontent.com/5553105/197675208-3633a92c-538f-487b-aa75-02640c8d1d48.png)

Autonomous System Numbers (ASN)

![Screen Shot 2022-10-24 at 9 18 51 PM](https://user-images.githubusercontent.com/5553105/197674435-50502125-7111-4b1a-97c2-a5f6c10a6b67.png)

- a group of routers that share network information to make connectivity possible
- routing on BGP supports only a destination-based forwarding paradigm
  - forwards packets based on the destination path
  - routes based on the destination IP address
- the routing table describes the path to reach networks
  - in case of a route path failure, uses alternative routes

NextHop

![Screen Shot 2022-10-24 at 9 19 45 PM](https://user-images.githubusercontent.com/5553105/197674553-2117900d-54fc-4d17-a77e-e5985e61691d.png)

Multi-exit discriminator (MED)

![Screen Shot 2022-10-24 at 9 20 12 PM](https://user-images.githubusercontent.com/5553105/197674709-9320a149-6d73-445b-b055-55df5f7e182b.png)

- like a "tie breaker" to help the router decide the route (lower value wins)

Equal-cost multi-path (ECMP)

![Screen Shot 2022-10-24 at 9 22 43 PM](https://user-images.githubusercontent.com/5553105/197674986-2f4b4cae-daf0-4711-b58b-266529b8022b.png)
![Screen Shot 2022-10-24 at 9 22 58 PM](https://user-images.githubusercontent.com/5553105/197675006-29ebdae9-9fed-4d11-8aa1-2ab90d75d054.png)

Maximum Transmission Unit (MTU)
- remember that the outer packet adds encryption overhead, so the MTU needs to be 75 lower than the 1460 max so the data can be routed

Partner Interconnect NEEDS A PUBLIC ASN
- all others use private ASNs
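The MED and ECMP behaviour described above, and the redundancy point from the VLAN attachment and HA VPN sections, worked through as an added example (not code from the notes and not Cloud Router's implementation): routes learned from several attachments are reduced to the lowest-MED set, ties share traffic per flow, and withdrawing a path shows what takes over. The prefixes, peer IPs and ASN are constructed.

```python
"""Choose next hops for a BGP-learned prefix the way the notes describe: the
lowest MED wins, and routes that tie on the lowest MED share traffic via
equal-cost multi-path (ECMP). Added example, not code from the notes and not
Cloud Router's implementation; the routes and peer IPs are constructed."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class LearnedRoute:
    prefix: str     # on-premises destination advertised by the peer
    next_hop: str   # BGP peer IP of the VLAN attachment or VPN tunnel
    med: int        # lower wins
    peer_asn: int


# Constructed: 10.50.0.0/16 is advertised over two VLAN attachments with the same
# MED (so they load-share) and over a backup HA VPN tunnel with a worse MED;
# 10.60.0.0/16 is reachable only through the first attachment.
ROUTES = [
    LearnedRoute("10.50.0.0/16", "169.254.10.1", 100, 65001),
    LearnedRoute("10.50.0.0/16", "169.254.10.5", 100, 65001),
    LearnedRoute("10.50.0.0/16", "169.254.20.1", 200, 65001),
    LearnedRoute("10.60.0.0/16", "169.254.10.1", 100, 65001),
]


def best_next_hops(routes, prefix):
    """All next hops tied on the lowest MED for the prefix (sorted). More than
    one result means ECMP; one means a single path; none means unreachable."""
    candidates = [r for r in routes if r.prefix == prefix]
    if not candidates:
        return []
    lowest = min(r.med for r in candidates)
    return sorted(r.next_hop for r in candidates if r.med == lowest)


def ecmp_choice(next_hops, five_tuple):
    """Spread flows over ECMP next hops by hashing the 5-tuple, so one flow
    always takes the same path. The hash here is a toy stand-in (assumption),
    not the forwarding plane's real hashing."""
    if not next_hops:
        raise ValueError("no route for this flow")
    digest = hashlib.sha256(repr(five_tuple).encode()).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


def withdraw(routes, next_hop):
    """Simulate a failed attachment or tunnel: its routes are withdrawn and the
    remaining paths take over (the worse-MED VPN only once both attachments
    are gone, which is the redundancy argument in the notes)."""
    return [r for r in routes if r.next_hop != next_hop]
```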