A Virtual Private Cloud (VPC) is like a digital playground that you can set up in the cloud: your own software-defined network inside Google's infrastructure, where you create, store, and run your programs and data. It’s your own corner of the internet, away from the hustle and bustle of the public web, and what keeps it apart is not distance but the addressing, routing, and firewall rules that you control.
Purpose of VPC
Now, you might wonder why you’d want your own digital playground in the first place. Well, here’s the deal: VPCs are all about control, security, and organization.
- Control: With a VPC, you’re the boss. You decide who can come in and who can’t. It’s like having your own digital bouncer at the entrance.
- Security: Your VPC acts like a digital fortress. It keeps your stuff safe from prying eyes and cyber-snoops. It’s your very own online security guard.
- Organization: In your VPC, you can neatly arrange your digital toys. You can put your websites, databases, and other computer programs in separate rooms, so they don’t get all mixed up.
Benefits of using VPC in GCP
Okay, now that we know what a VPC is and why it’s important, let’s talk about why you’d want to use it in Google Cloud.
- Privacy: In a GCP VPC, a resource that has only an internal IP address cannot be reached from the public internet at all. Your data is like a diary in a locked room: nobody outside gets to it unless you deliberately open a door, for example by attaching an external IP, putting the resource behind a load balancer, or writing a firewall rule that admits outside traffic.
- Customization: Just like decorating your room, you can customize your VPC. You get to choose the address range, create different spaces (we call them subnets), and set up the rules for who’s allowed in.
- Connectivity: Even though your VPC is private, it’s not cut off from the world. You can connect it to the internet when you want to and keep it separate when you don’t. It’s like having a magical bridge that appears only when you need it.
- Organization: With VPCs, you can neatly organize your digital stuff. Put your web server in one corner, your database in another, and your secret project in yet another. It’s like having different shelves for your books, toys, and games.
VPC Components
Networks
1. Default Network
Default Network is created by GCP automatically when you set up a new project (unless your organization turns this off with the organization policy constraint compute.skipDefaultNetworkCreation). It is an auto mode network: it comes with one subnet in every region and with four pre-populated firewall rules named default-allow-internal, default-allow-ssh, default-allow-rdp, and default-allow-icmp. The last three accept traffic from any source (0.0.0.0/0), so a VM with an external IP on the default network is reachable over SSH and RDP from the whole internet the moment it boots. It provides a simple and convenient way to get started, nothing more.
Imagine the default network as the first room you step into when you enter your digital playground (VPC). It’s there to get you started, but its doors are unlocked by default. For anything beyond experiments, either delete the default network and build a custom one, or at least remove the default-allow-ssh and default-allow-rdp rules before you put anything with an external IP on it.
2. Custom Networks
Custom Networks (custom mode VPC networks) are user-defined networks that give you more control and flexibility over your VPC. With custom networks, you define your own IP address ranges, create subnets only in the regions you need, and configure firewall rules as per your requirements. Nothing is opened by default, which is what you want in production: better segmentation and organization of resources, and no surprise subnets or rules you did not ask for.
Custom networks are like designing your own rooms in your VPC. You get to decide how they look, what color the walls are, and what furniture goes inside. This way, you can create spaces that are perfect for your needs, like one for your website and another for your secret project.
3. Subnets
Subnets are subdivisions of a network that define smaller address spaces. Just like how neighborhoods are divided into blocks, a network is divided into subnets. In GCP the VPC network itself is global, and each subnet belongs to exactly one region (not to a zone, as in some other clouds); VMs in any zone of that region can use it. Each subnet has a primary IP address range and may have secondary ranges (GKE uses these for pods and services). Subnets help organize resources and control network traffic within a VPC, and several security settings are applied per subnet: flow logs, Private Google Access, and the source ranges you reference in firewall rules.
Subnets are like different areas within your rooms. You can have a bedroom, a kitchen, and a living room in your house, right? Similarly, you can have subnets for different things in your VPC. For example, you might have one subnet for your web server and another for your database. This keeps things neat and organized, and it gives your firewall rules something precise to point at (“only the web subnet may talk to the database port”).
IP Addresses
1. Internal IP Addresses
Internal IP addresses are used for communication between resources within a VPC. These addresses are reachable only from inside the VPC and from networks you have explicitly connected to it (peered VPCs, Cloud VPN, or Cloud Interconnect); they are never routable from the internet.
Internal IP addresses are like the addresses of your rooms in your digital playground. They help your digital stuff find its way around. For instance, if your web server wants to talk to your database, it uses these internal addresses to know where to go.
2. External IP Addresses
External IP addresses, also known as public IP addresses, are used for resources that must be reached directly from the internet. Giving a VM an external IP does not by itself expose it, because the implied deny-ingress firewall rule still blocks inbound traffic, but it does put the VM one permissive firewall rule away from the whole internet. A common hardening pattern is to give VMs internal addresses only, use Cloud NAT for their outbound access, and reach them over SSH through Identity-Aware Proxy TCP forwarding instead of a public address.
External IP addresses are like the signs outside your digital playground. They tell the internet where to find your stuff. For example, when someone wants to visit your website, they use an external IP address to connect, ideally the address of a load balancer in front of your servers rather than the servers themselves.
3. Reserved IP Addresses
Reserved IP addresses come in two flavours. First, GCP itself reserves four addresses in every subnet’s primary range (the network address, the default gateway at the second address, the second-to-last address, and the broadcast address); these cannot be assigned to resources. Second, you can reserve static internal or external addresses for your own resources (for example with gcloud compute addresses create) so that they survive VM recreation; an unreserved, ephemeral address can change when a resource is stopped and started.
Reserved static addresses are like saving a parking spot for a special guest: the address stays yours even while nothing is parked there. For instance, you might reserve the external address of your mail server so that your DNS records and your partners’ allow lists never point at a stale IP.
Routes
Routes determine how network traffic is directed within a VPC or between different networks. Think of routes as a GPS system that tells network packets where to go. GCP generates a subnet route for every subnet automatically, plus a default route (0.0.0.0/0) to the default internet gateway; on top of that you can add custom static routes (for example, sending 0.0.0.0/0 to a NAT or firewall appliance) or learn dynamic routes from Cloud Router over VPN or Interconnect. When several routes match a destination, the longest prefix wins, and among routes with the same prefix length the lower priority number wins. Deleting or overriding the default internet route is a simple, reliable way to guarantee that a network has no direct path to the internet.
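To make the selection order concrete, here is a small route-selection model, added here as an example and not code from the original article or from Google: a constructed routing table in the shape of GCP routes (subnet routes modelled with priority 0, the firewall appliance, VPN tunnel and priorities are assumptions), a selector that applies longest prefix then lowest priority number, and a check that tells you whether a public destination would still leave through the default internet gateway.

```python
import ipaddress

# Constructed routing table in the shape of GCP VPC routes (added example, not Google's
# API or any real project). Subnet routes are modelled with priority 0; the appliance,
# VPN tunnel and priorities are assumptions for this example.
ROUTES = [
    {"name": "subnet-web", "dest": "10.10.1.0/24", "priority": 0, "next_hop": "subnet"},
    {"name": "subnet-db", "dest": "10.10.2.0/24", "priority": 0, "next_hop": "subnet"},
    {"name": "default-route", "dest": "0.0.0.0/0", "priority": 1000,
     "next_hop": "default-internet-gateway"},
    {"name": "egress-via-inspection", "dest": "0.0.0.0/0", "priority": 900,
     "next_hop": "instance:fw-appliance-1"},
    {"name": "to-onprem", "dest": "192.168.0.0/16", "priority": 1000, "next_hop": "vpn-tunnel:hq"},
]


def select_route(dest_ip, routes=ROUTES):
    """GCP route selection: the most specific (longest prefix) route wins; among routes
    with the same prefix length, the lowest priority number wins. Returns the route dict
    or None when nothing matches."""
    addr = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if addr in ipaddress.ip_network(r["dest"])]
    if not matching:
        return None
    matching.sort(key=lambda r: (-ipaddress.ip_network(r["dest"]).prefixlen, r["priority"]))
    return matching[0]


def has_direct_internet_path(routes=ROUTES, probe_ip="203.0.113.1"):
    """True when a packet to a public address would leave through the default internet
    gateway, i.e. the network still has an uninspected path to the internet."""
    route = select_route(probe_ip, routes)
    return route is not None and route["next_hop"] == "default-internet-gateway"


if __name__ == "__main__":
    for ip in ("10.10.2.5", "192.168.4.4", "203.0.113.1"):
        print(ip, "->", select_route(ip)["name"])
    print("direct internet path:", has_direct_internet_path())
    without_appliance = [r for r in ROUTES if r["name"] != "egress-via-inspection"]
    print("direct internet path without appliance route:", has_direct_internet_path(without_appliance))
```

The second check is the one worth automating: with the priority-900 appliance route present, internet-bound traffic is forced through inspection; remove it (or add a lower-numbered route to the internet gateway) and the network silently regains a direct path.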
Firewall Rules
Firewall rules act as a security barrier for your VPC, controlling incoming and outgoing network traffic. They are like a security guard that checks each packet before allowing it in or out of the network. Three properties matter in practice. Rules are enforced at every VM’s network interface, not at a single perimeter, so they also govern traffic between VMs in the same subnet. Rules are stateful, so replies to an allowed connection are let through automatically. And every network has two implied rules at the lowest priority (65535): deny all ingress and allow all egress. Each rule has a priority from 0 to 65535 where a lower number wins; when two matching rules share a priority, deny beats allow.
1. Ingress Rules
Ingress rules control inbound traffic, allowing or denying access based on source IP ranges (or source tags and service accounts), protocol, and port, and they apply to target VMs selected by network tag or service account, or to all instances if no target is given.
Ingress rules are like security guards at the entrance of your rooms. They decide who’s allowed in and who’s not. The guard recognises addresses and badges, not people: for example, you can set up an ingress rule that admits SSH only from your corporate IP range or from IAP’s TCP forwarding range, and only to VMs tagged ssh.
2. Egress Rules
Egress rules control outbound traffic, specifying which destination ranges, protocols, and ports packets are allowed to leave for.
Egress rules are like security guards at the exit of your rooms. They decide who can leave and where they can go. Because the implied rule allows all egress, a database VM can reach any address on the internet unless you add a deny egress rule; a tighter design denies egress to 0.0.0.0/0 and allows only what the workload needs, such as Google APIs over Private Google Access. Remember that rules are stateful: an egress deny does not stop the replies to a connection that an ingress rule already allowed.
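The following model of GCP firewall semantics is an added example, not code from the original article or from Google. It encodes the precedence rules above (lower priority number wins, deny beats allow on a tie, implied deny-ingress and allow-egress at 65535, target tags), reproduces the four rules the default network ships with, and evaluates packets against them and against a hardened set. The 35.235.240.0/20 range is Google’s documented IAP TCP forwarding source range; the 10.10.1.0/24 web subnet, the ssh and db tags and the rule names in the hardened set are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example of GCP VPC firewall semantics (not Google's API): a rule has a direction,
# a priority (lower number wins; deny beats allow on a tie), source/destination ranges,
# a protocol->ports map and optional target tags. Every network also has two implied
# rules at priority 65535: deny all ingress and allow all egress.


@dataclass
class FirewallRule:
    name: str
    direction: str          # "INGRESS" or "EGRESS"
    action: str             # "allow" or "deny"
    priority: int           # 0-65535
    ranges: list            # source ranges (ingress) or destination ranges (egress)
    protocols: dict         # {"tcp": [22], "udp": None}; None = all ports; "all" = any protocol
    target_tags: list = field(default_factory=list)   # empty = applies to every VM


IMPLIED_RULES = [
    FirewallRule("implied-allow-egress", "EGRESS", "allow", 65535, ["0.0.0.0/0"], {"all": None}),
    FirewallRule("implied-deny-ingress", "INGRESS", "deny", 65535, ["0.0.0.0/0"], {"all": None}),
]

# The four rules GCP pre-populates on the default network (reconstructed for this example).
DEFAULT_NETWORK_RULES = [
    FirewallRule("default-allow-internal", "INGRESS", "allow", 65534, ["10.128.0.0/9"],
                 {"tcp": None, "udp": None, "icmp": None}),
    FirewallRule("default-allow-ssh", "INGRESS", "allow", 65534, ["0.0.0.0/0"], {"tcp": [22]}),
    FirewallRule("default-allow-rdp", "INGRESS", "allow", 65534, ["0.0.0.0/0"], {"tcp": [3389]}),
    FirewallRule("default-allow-icmp", "INGRESS", "allow", 65534, ["0.0.0.0/0"], {"icmp": None}),
]

# A hardened set. 35.235.240.0/20 is the IAP TCP forwarding range; the web subnet
# 10.10.1.0/24 and the "ssh"/"db" tags are assumptions for this example.
HARDENED_RULES = [
    FirewallRule("allow-ssh-from-iap", "INGRESS", "allow", 1000, ["35.235.240.0/20"], {"tcp": [22]}, ["ssh"]),
    FirewallRule("deny-ssh-from-anywhere", "INGRESS", "deny", 1100, ["0.0.0.0/0"], {"tcp": [22]}),
    FirewallRule("allow-web-to-db", "INGRESS", "allow", 1000, ["10.10.1.0/24"], {"tcp": [5432]}, ["db"]),
]


def _matches(rule, direction, peer_ip, proto, port, tags):
    """Does this rule apply to a packet with this direction, peer address, protocol/port and VM tags?"""
    if rule.direction != direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(tags):
        return False
    ip = ipaddress.ip_address(peer_ip)
    if not any(ip in ipaddress.ip_network(r) for r in rule.ranges):
        return False
    if "all" in rule.protocols:
        return True
    if proto not in rule.protocols:
        return False
    ports = rule.protocols[proto]
    return ports is None or port in ports


def evaluate(rules, direction, peer_ip, proto, port=None, tags=()):
    """Return (action, rule_name) for one packet: lowest priority number wins,
    and on a tie deny takes precedence over allow."""
    candidates = [r for r in list(rules) + IMPLIED_RULES
                  if _matches(r, direction, peer_ip, proto, port, tags)]
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = candidates[0]          # the implied rules guarantee at least one match
    return winner.action, winner.name


def internet_exposed_admin_ports(rules, admin_ports=(22, 3389)):
    """Audit helper: names of ingress allow rules that open SSH/RDP (or everything) to 0.0.0.0/0."""
    findings = []
    for r in rules:
        if r.direction != "INGRESS" or r.action != "allow":
            continue
        if not any(ipaddress.ip_network(x).prefixlen == 0 for x in r.ranges):
            continue
        if "all" in r.protocols:
            findings.append(r.name)
        elif "tcp" in r.protocols:
            ports = r.protocols["tcp"]
            if ports is None or set(ports) & set(admin_ports):
                findings.append(r.name)
    return findings


if __name__ == "__main__":
    print(evaluate(DEFAULT_NETWORK_RULES, "INGRESS", "203.0.113.7", "tcp", 22, ["web"]))
    print(evaluate(HARDENED_RULES, "INGRESS", "203.0.113.7", "tcp", 22, ["ssh"]))
    print(evaluate(HARDENED_RULES, "INGRESS", "35.235.240.5", "tcp", 22, ["ssh"]))
    print(internet_exposed_admin_ports(DEFAULT_NETWORK_RULES))
```

Two things the output makes visible: on the default network an SSH packet from an arbitrary internet host is allowed by default-allow-ssh, while on the hardened set the same packet is denied at priority 1100, and a VM without the ssh tag is denied even from the IAP range because the allow rule is scoped to a target tag and the deny rule is not.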
Advanced VPC Topics
Now that we have a good grasp of what a VPC is and what its essential components are, let’s dive into some advanced topics.
VPC Peering
VPC Peering allows direct and secure connections between VPC networks in GCP. It enables resources within different VPCs to communicate with each other as if they were part of the same network. VPC peering establishes a private network connection between two VPC networks, allowing resources within those networks to communicate directly. This connection is created over Google’s internal network infrastructure, ensuring secure and low-latency communication.
To set up VPC peering, an administrator of each network creates a peering configuration that names the other network. There is no separate accept step: the peering becomes ACTIVE as soon as both sides exist and their subnet ranges do not overlap. Once established, instances in the peered VPCs reach each other on internal IP addresses without traversing the public internet. Peering exchanges routes, not firewall rules: each network keeps enforcing its own rules, so you must explicitly allow ingress from the peer’s ranges on your side before anything flows.
The same mechanism works in two situations.
- Peering within a Project: In GCP, you can create VPC peering connections within the same project. This means that if you have multiple VPCs within a project, you can establish private connectivity between them. Peering within a project is like creating a shortcut path between different parts of a neighborhood, making it easier for resources in different VPCs to interact.
- Peering across Projects: VPC peering also allows you to establish connections between VPC networks in different projects. This means that if you have separate projects within GCP, you can connect their VPCs together. By establishing peering connections, these networks can securely exchange data, creating a cohesive network environment. Peering across projects is like connecting neighborhoods in different cities, enabling resources in different projects to communicate seamlessly.
Limitations and Considerations:
- VPC Peering is not transitive, meaning that if Network A is peered with Network B and Network B is peered with Network C, Network A and Network C are not automatically peered and cannot reach each other through B.
- IP address ranges in peered VPC networks cannot overlap. This applies not only to the two networks being peered but to every network already peered with either of them, because all imported subnet routes end up in the same routing table.
- By default only subnet routes are exchanged; custom static and dynamic routes (for example, on-premises ranges learned over a peer’s VPN) cross the peering only if export and import of custom routes are enabled on both sides.
- Firewall rules are not shared across a peering; a permissive rule in the peer cannot open your network, and your rules apply to peer traffic exactly as they do to anything else.
- GCP imposes certain limits on the number of peering connections and routes within a VPC network, so it’s important to consider scalability requirements.
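The overlap and non-transitivity rules are the ones most often tripped over, so here is a pre-flight check for a planned peering, added as an example and not code from the original article or from Google. It works from a constructed inventory (the network names and ranges are assumptions), reports which ranges would collide with the target network or with any of its existing peers, and computes reachability without assuming transitivity.

```python
import ipaddress

# Constructed inventory of VPC networks and their subnet ranges (primary and secondary).
# Names and ranges are assumptions for this example, not from any real project.
NETWORKS = {
    "prod-vpc": ["10.10.0.0/16", "10.11.0.0/16"],
    "shared-services": ["10.20.0.0/16"],
    "legacy-vpc": ["10.10.5.0/24", "192.168.0.0/24"],
    "analytics": ["10.30.0.0/16"],
}


def overlapping_ranges(net_a, net_b, networks=NETWORKS):
    """All (range_in_a, range_in_b) pairs that overlap between two networks."""
    return [(a, b)
            for a in networks[net_a] for b in networks[net_b]
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


def direct_peers(net, peerings):
    """Networks directly peered with net. Peering is not transitive, so this is also
    the complete set of networks reachable from net through peering."""
    peers = set()
    for a, b in peerings:
        if a == net:
            peers.add(b)
        elif b == net:
            peers.add(a)
    return sorted(peers)


def peering_conflicts(net, new_peer, peerings, networks=NETWORKS):
    """Why GCP would refuse to peer net with new_peer. The new peer's ranges must not
    overlap net's own ranges nor those of net's existing peers (they share net's routing
    table), and symmetrically net's ranges must not overlap the new peer's existing peers.
    Returns a list of (network_x, range_x, network_y, range_y); empty means the peering is OK."""
    checks = [(n, new_peer) for n in [net] + direct_peers(net, peerings)]
    checks += [(n, net) for n in direct_peers(new_peer, peerings)]
    conflicts = []
    for existing, against in checks:
        for a, b in overlapping_ranges(existing, against, networks):
            conflicts.append((existing, a, against, b))
    return conflicts


def plan_peering(net, new_peer, peerings, networks=NETWORKS):
    """Return the peering list extended with (net, new_peer), or raise if GCP would reject it."""
    conflicts = peering_conflicts(net, new_peer, peerings, networks)
    if conflicts:
        raise ValueError(f"cannot peer {net} with {new_peer}: {conflicts}")
    return peerings + [(net, new_peer)]


if __name__ == "__main__":
    peerings = plan_peering("prod-vpc", "shared-services", [])
    peerings = plan_peering("shared-services", "analytics", peerings)
    print("reachable from prod-vpc:", direct_peers("prod-vpc", peerings))   # analytics is absent
    print("prod-vpc <-> legacy-vpc:", peering_conflicts("prod-vpc", "legacy-vpc", peerings))
```

In the sample inventory, legacy-vpc’s 10.10.5.0/24 sits inside prod-vpc’s 10.10.0.0/16, so that peering is rejected, and even though prod-vpc and analytics both peer with shared-services, neither can reach the other until they are peered directly.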
Benefits of VPC Peering:
- Secure and Private Communication: VPC Peering provides a secure and private channel for communication between resources in different VPC networks. This is particularly useful when sharing sensitive data or when resources need to communicate privately within specific environments.
- Low Latency and High Performance: Because VPC peering connections are established within Google’s network infrastructure, they benefit from high-speed, low-latency communication. This ensures optimal performance for applications and services that require fast and reliable network connectivity.
- Simplified Network Architecture: With VPC peering, you can simplify your network architecture and reduce the complexity of managing multiple VPC networks. Instead of setting up complex VPN connections or relying on public internet communication, you can establish direct, private connections between VPCs.
- Shared Resources: VPC Peering allows you to share resources, such as databases or file servers, between different VPC networks. This promotes collaboration and resource utilization across projects or departments while each network keeps its own firewall rules, so you decide exactly which ports the peer may reach.
- Cost Efficiency: By using VPC peering instead of external VPNs or interconnects, you can potentially reduce network costs. Traffic over a peering is priced like ordinary internal VPC traffic (free within a zone, charged at inter-zone and inter-region rates otherwise) rather than as internet egress.
Shared VPC
Shared VPC, also known as Shared Virtual Private Cloud, is a networking feature in GCP that allows multiple projects to share a common VPC network. It provides a centralized and efficient way to manage network resources while maintaining project-level isolation and control. In Google Cloud terms, it’s a networking configuration that lets one project (known as the host project) share its VPC network with other projects (known as service projects). Here’s how it works:
- Host Project: The host project is the owner of the VPC network. It establishes and manages the VPC resources such as subnets, firewall rules, routes, and Cloud VPN/Interconnect. The host project maintains control over the networking configuration and has the authority to manage and allocate IP addresses.
- Service Projects: Service projects are the projects that need access to and can utilize the shared VPC network. These projects may belong to different teams or organizations. Service projects can create and manage their own resources such as virtual machines, load balancers, and Google Kubernetes Engine (GKE) clusters within the shared VPC network, but only in subnets where a host project administrator has granted them the Compute Network User role (roles/compute.networkUser); they cannot change subnets, routes, or firewall rules themselves.
Benefits of Shared VPC:
- Simplified Network Management: Shared VPC simplifies network administration by centralizing control and management of networking resources in the host project. This simplifies the setup and maintenance of complex networks, reduces administrative overhead, and promotes consistent networking practices.
- Project-Level Isolation: Each service project keeps its own IAM policies, quotas, and billing, and its resources are administered separately from those of other service projects. Note that this is administrative isolation, not network isolation: VMs from different service projects that sit in the same shared subnet can talk to each other unless firewall rules in the host project say otherwise, so segmentation between teams has to be designed into the subnet layout and the firewall rules (for example, one subnet per team and rules keyed on service accounts).
- Resource Sharing: Shared VPC enables sharing of resources like subnets and firewall rules across service projects. This makes it easier to collaborate on resources that require shared network connectivity, such as shared databases or shared web application servers. It eliminates the need to duplicate resources across multiple projects, reducing management complexity.
- Security and Compliance: Shared VPC allows for consistent security policies and access controls. Firewall rules and IAM permissions can be applied uniformly across service projects, ensuring a standardized security posture and compliance requirements.
- Network Cost Optimization: Traffic between service projects stays inside one VPC network, so it is priced as internal VPC traffic (free within a zone, charged across zones and regions) instead of as internet egress. This can lead to cost savings, especially if there is significant inter-project network traffic.
- Flexibility and Scalability: Shared VPC provides flexibility for project teams to manage their own resources within the shared VPC environment. This allows teams to deploy and manage their applications while benefiting from the centralized management of network resources.
VPC Flow Logs
VPC Flow Logs provide detailed visibility into network traffic within a VPC network. They are enabled per subnet and record sampled, aggregated flows (not individual packets) for the VMs in that subnet: source and destination IP addresses and ports, protocol, byte and packet counts, and, where known, the VM, project, and VPC on each side. The data lands in Cloud Logging, from where a log sink can export it to BigQuery or Pub/Sub for long-term analysis or SIEM ingestion. Two things to remember when you write detections on top of them: a flow between two VMs in the same VPC is reported by both ends, so count it once, and the default sampling rate of 0.5 means you see roughly half of the flows, so the absence of a log line is not proof that no traffic occurred.
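As an added example (not code from the original article or from Google), here is detection logic over a handful of constructed records shaped like the jsonPayload of VPC Flow Logs entries, using only the fields named above. It flags SSH or RDP reaching a VM from a non-RFC1918 source (with Google’s IAP TCP forwarding range allow-listed) and totals outbound bytes from each VM to public destinations to spot a possible exfiltration, counting each flow once from the sender’s side. The VM names, addresses, and byte counts are made up for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample lines shaped like the jsonPayload of VPC Flow Logs entries
# (only the fields this example uses). These are made-up flows, not real logs.
SAMPLE_FLOW_LOG_LINES = [
    # an internet host hitting SSH on web-1, as reported by the receiving VM
    '{"connection":{"src_ip":"203.0.113.9","src_port":51000,"dest_ip":"10.10.1.5","dest_port":22,"protocol":6},'
    '"reporter":"DEST","bytes_sent":1200,"dest_instance":{"vm_name":"web-1"}}',
    # SSH arriving through IAP TCP forwarding, which is expected
    '{"connection":{"src_ip":"35.235.240.3","src_port":40212,"dest_ip":"10.10.1.5","dest_port":22,"protocol":6},'
    '"reporter":"DEST","bytes_sent":3400,"dest_instance":{"vm_name":"web-1"}}',
    # one internal flow, reported by both ends
    '{"connection":{"src_ip":"10.10.1.5","src_port":44120,"dest_ip":"10.10.2.7","dest_port":5432,"protocol":6},'
    '"reporter":"SRC","bytes_sent":8000,"src_instance":{"vm_name":"web-1"},"dest_instance":{"vm_name":"db-1"}}',
    '{"connection":{"src_ip":"10.10.1.5","src_port":44120,"dest_ip":"10.10.2.7","dest_port":5432,"protocol":6},'
    '"reporter":"DEST","bytes_sent":8000,"src_instance":{"vm_name":"web-1"},"dest_instance":{"vm_name":"db-1"}}',
    # db-1 pushing 1.3 GB to one public address over two flows
    '{"connection":{"src_ip":"10.10.2.7","src_port":39000,"dest_ip":"198.51.100.20","dest_port":443,"protocol":6},'
    '"reporter":"SRC","bytes_sent":900000000,"src_instance":{"vm_name":"db-1"}}',
    '{"connection":{"src_ip":"10.10.2.7","src_port":39002,"dest_ip":"198.51.100.20","dest_port":443,"protocol":6},'
    '"reporter":"SRC","bytes_sent":400000000,"src_instance":{"vm_name":"db-1"}}',
    # ordinary outbound HTTPS from web-1
    '{"connection":{"src_ip":"10.10.1.5","src_port":50000,"dest_ip":"198.51.100.44","dest_port":443,"protocol":6},'
    '"reporter":"SRC","bytes_sent":50000,"src_instance":{"vm_name":"web-1"}}',
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IAP_TCP_FORWARDING = ipaddress.ip_network("35.235.240.0/20")   # Google's IAP source range


def parse_flow_logs(lines):
    """One dict per log line (the jsonPayload of a flow log entry)."""
    return [json.loads(line) for line in lines]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def admin_access_from_internet(records, admin_ports=(22, 3389), allowlist=(IAP_TCP_FORWARDING,)):
    """(src_ip, dest_ip, dest_port, vm_name) for TCP flows to SSH/RDP from non-RFC1918
    sources that are not on the allow list, as seen by the receiving VM."""
    hits = []
    for r in records:
        c = r["connection"]
        if r.get("reporter") != "DEST":          # inbound, from the receiver's point of view
            continue
        if c["protocol"] != 6 or c["dest_port"] not in admin_ports:
            continue
        src = ipaddress.ip_address(c["src_ip"])
        if is_internal(c["src_ip"]) or any(src in net for net in allowlist):
            continue
        hits.append((c["src_ip"], c["dest_ip"], c["dest_port"], r.get("dest_instance", {}).get("vm_name")))
    return hits


def public_egress_by_vm(records):
    """{vm_name: {public_dest_ip: bytes}} counting each flow once, from the sender's side."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.get("reporter") != "SRC":
            continue
        c = r["connection"]
        if is_internal(c["dest_ip"]):
            continue
        vm = r.get("src_instance", {}).get("vm_name", c["src_ip"])
        totals[vm][c["dest_ip"]] += r.get("bytes_sent", 0)
    return {vm: dict(dests) for vm, dests in totals.items()}


def exfil_candidates(records, threshold_bytes=500 * 1024 * 1024):
    """(vm_name, dest_ip, bytes) for VM-to-public-address totals at or above the threshold."""
    return sorted((vm, dest, n)
                  for vm, dests in public_egress_by_vm(records).items()
                  for dest, n in dests.items() if n >= threshold_bytes)


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOG_LINES)
    print("admin ports from internet:", admin_access_from_internet(recs))
    print("public egress by VM:", public_egress_by_vm(recs))
    print("exfil candidates:", exfil_candidates(recs))
```

The same two queries are easy to express in BigQuery once the logs are exported; the reporter filter is the part people forget, and without it every internal flow is counted twice.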
Cloud VPN
Cloud VPN enables you to securely connect your on-premises network to a VPC using encrypted IPsec tunnels (IKEv1 or IKEv2) over the public internet. Use HA VPN, which has two interfaces, exchanges routes dynamically through Cloud Router, and carries a 99.99% availability SLA; Classic VPN, the older single-interface form, has no such SLA and is no longer recommended for new deployments. Each tunnel supports up to 3 Gbps, so Cloud VPN is suitable for scenarios where you need secure connectivity but do not require high bandwidth or dedicated network links.
Advantages of Cloud VPN
- Simplicity: Cloud VPN is easy to set up and manage, requiring minimal on-premises hardware and configuration.
- Cost-Effective: Cloud VPN uses existing public internet infrastructure, making it a more cost-effective solution compared to dedicated physical connections.
- Flexibility: Cloud VPN can establish secure connections regardless of the geographical location of your on-premises network.
Cloud Interconnect
Cloud Interconnect provides a more robust and dedicated option for connectivity between your on-premises network and your VPC. It offers two connection options:
- Dedicated Interconnect: This option gives you a direct physical connection (10 Gbps or 100 Gbps circuits) between your network and Google’s at a colocation facility where Google has a presence. You own the cross-connect and the routing equipment on your side, and no third-party provider sits in the path.
- Partner Interconnect: Partner Interconnect enables you to connect to GCP through a supported service provider, at lower bandwidths (from 50 Mbps up to 50 Gbps) and without needing your own equipment in a Google colocation facility. The service provider establishes the connectivity on your behalf, using their network infrastructure.
Advantages of Cloud Interconnect
- Higher Bandwidth: Cloud Interconnect offers much higher bandwidth options compared to Cloud VPN, making it suitable for scenarios that require heavy data transfer or low latency.
- Dedicated Connection: With dedicated interconnect, you have a dedicated physical connection, ensuring consistent performance and reliability.
- Better Network SLAs: Cloud Interconnect typically provides better Service Level Agreements (SLAs) compared to Cloud VPN, ensuring higher uptime and better support for critical workloads.
VPC Security Features
When it comes to VPC security in GCP, there are several powerful features and tools available to protect your resources and data. Here we will discuss about them one by one.
Identity and Access Management (IAM)
Identity and Access Management, commonly known as IAM, is a fundamental security feature in GCP. IAM allows you to manage and control access to your resources by assigning roles and permissions to users and service accounts. You can define who can perform what actions on specific resources, ensuring that only authorized individuals have access. For VPC work the roles that matter most are Compute Network Admin (create and change networks, subnets, and routes), Compute Security Admin (manage firewall rules), and Compute Network User (use a subnet without being able to change it). Keeping these separate is how you stop an application team from editing the firewall rules that protect it. IAM helps you maintain the principle of least privilege by granting only the necessary permissions, and it provides a reliable way to manage access across your organization.
Private Google Access
Private Google Access is a per-subnet setting that lets VMs with no external IP address reach Google APIs and services, such as Cloud Storage or BigQuery, over Google’s network. Without it, such a VM cannot reach those APIs at all, so enabling it is what makes an internal-only VM design workable. Traffic never leaves Google’s network, which reduces exposure to the public internet; pair it with VPC Service Controls if you also need to guarantee that the private path can only reach your own projects’ data.
VPC Service Controls
VPC Service Controls provide an additional layer of security for your VPC by allowing you to define security perimeters around your projects and the Google services they use. API calls that cross the perimeter boundary are denied even when IAM would allow them: copying a bucket from a project inside the perimeter to one outside, or calling the Cloud Storage API from outside the perimeter with a stolen service account key, both fail. This closes the classic data exfiltration path and protects sensitive data even in scenarios where external collaborators or third-party services are involved.
Cloud Armor
Cloud Armor is a distributed denial-of-service (DDoS) and web application firewall (WAF) service in GCP. It attaches as a security policy to the backend services of Google’s external load balancers, not to the VPC itself, so it protects only traffic that enters through those load balancers. With Cloud Armor, you can define rules that allow or block traffic by source address or geography, apply rate limiting, and enable preconfigured WAF rules for common attack classes such as SQL injection and cross-site scripting. This keeps your applications available to intended users and filters the most common attack traffic before it reaches your VMs.
Cloud DLP (Data Loss Prevention)
Cloud DLP, or Data Loss Prevention (now called Sensitive Data Protection), helps you find and protect sensitive data such as credit card numbers or social security numbers in Cloud Storage, BigQuery, and Datastore, and in text you send it through its API. It is not a VPC feature and does not look at network traffic; it belongs in this discussion because knowing which buckets and datasets hold sensitive data tells you where a VPC Service Controls perimeter and tighter firewall rules are needed. With Cloud DLP, you can classify, mask, tokenize, or redact sensitive data to prevent unauthorized access or accidental exposure and to support your regulatory requirements.
That’s all for now.
Thank you for reading!!
Stay tuned for more articles on Cloud and DevOps. Don’t forget to follow me for regular updates and insights.