This course explores how to implement virtual private clouds on the Google Cloud Platform. It starts off with an overview, where you'll be introduced to the key concepts and components that make up a virtual private cloud.
After covering basic VPC concepts and components, we'll dive into peering VPCs, shared VPCs, and VPC flow logs, including a hands-on demonstration of how to configure flow logs. We’ll also look at routing and network address translation, before moving on to Google Kubernetes Engine clusters. We’ll cover VPC-native clusters and alias IPs, as well as clustering with shared VPCs.
You’ll learn how to add authorized networks for GKE cluster master access and we finish off by looking at firewall rules. We’ll cover network tags, service accounts, and the importance of priority. You’ll also learn about ingress rules, egress rules, and firewall logs.
If you have any feedback related to this course, feel free to contact us at firstname.lastname@example.org.
- Get a foundational understanding of virtual private clouds on GCP
- Learn about VPC peering and sharing
- Learn about VPC flow logs and how to configure them
- Learn about routing in GCP and how to configure a static route
- Understand the pros and cons of VPC-native GKE clusters
- Learn about cluster network policies
- Understand how to configure and manage firewall rules in GCP
This course is intended for anyone who wants to learn how to implement virtual private clouds on the Google Cloud Platform.
To get the most from this course, you should already have experience with the public cloud and networking, as well as an understanding of GCP architecture.
Hello, and welcome back. In this demonstration here, what we're going to do is create a static route that directs all traffic to an imaginary proxy server. Now on the screen here, I'm logged in to my Google Cloud Platform console and I'm in my VPC network section here. Now what we're going to do is create this static route for one of our VPC networks that we created earlier.
So what we'll do here is we'll scroll down, and we'll do this for network A. We can see here we have one subnet defined and it's called mysubnet. And the address range here for this subnet is 192.168.0.0/24. What we'll do here is we'll create a static route that directs any traffic going anywhere to an imaginary proxy server that we're going to assume exists for this specific demonstration. So we'll assume this proxy server exists on 192.168.0.10.
To create this route, we simply select routes over here, along the top menu bar. And we could also do it over here in the left navigation pane as well. Now we can see our default routes that were already created as part of the deployment of our virtual network. We can see our default route to the internet. We can see the default local route, and then we can see a route that was generated when we peered network A with network B.
Now for this demonstration, like I said, we're gonna send everything to an imaginary proxy server. Since we're sending all traffic there, we're going to use this 0.0.0.0/0 destination IP range. But you'll see here, we have a priority of 1000 for this existing default route. So what we're going to do with our static route is override this default route by setting the priority for our new route to 500. Remember, the lower the number, the higher the priority.
So we'll go ahead and add a route and we're just going to call this proxy. And this description here, I'll just put in here something along the lines of internet traffic to proxy server. And we can see for the network we have it assigned to network A, and then the destination IP range. So essentially, we're saying all traffic. And again, we need to set the priority here to a higher priority than the default route for internet traffic.
Now, if we hover over instance tags here, we can see that we could assign instance tags. And if we did that, what that would do is cause this route to apply to all instances on the network that have the tag that we specify here. Now, since for this demonstration we're not going to use any instance tags, this route will apply to all instances in the network A network that we're applying this route to.
If we hover over next hop here, and we talked about this earlier as well. The next hop is what tells this route where to send traffic to. If we select the dropdown here, we can send the traffic to the default internet gateway, which we don't have to do here because we already have a default route that does that. We can specify an instance on the network, an IP address, a VPN tunnel, or we can specify a forwarding rule of an internal load balancer.
What we're going to do for this demonstration here is specify an IP, and like I said earlier, let's just assume that the IP address of our proxy device is 192.168.0.10. And then what we'll do here is create the rule, or the route, excuse me. So at this point we now have a proxy route created; this is a static route. We have our description here, and basically what we're doing here is we're overriding the default route to the internet by setting our priority to 500.
So what this route would do is send any traffic from the network A VPC network, and it would send that traffic out to the proxy server that exists at 192.168.0.10. And then that proxy server would do whatever it needs to do and then send traffic out on its way, depending on how that proxy server's configured.
So that's pretty much it. You give your route a name, give it a description. You tell the route where that traffic is going to go. You tell the route which destination IPs you want the route to apply to, in this case it's all. You set the priority of the route, determine any instance tags you wanna use, and then configure the next hop, which basically tells the route where the next hop in the path is that you wanna send traffic to. So with that, let's call it a wrap.
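To make the route-selection behaviour from the demo concrete, here is an added Python model (not part of the course and not Google's code) of how network A's routing table resolves a destination: the most specific destination range wins, ties go to the lowest priority number, and tagged routes only apply to instances carrying one of those tags. The routing table is constructed to mirror the demo, and the network name network-a in the gcloud comment is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                      # destination IP range (CIDR)
    priority: int                  # lower number = higher priority
    next_hop: str
    tags: frozenset = frozenset()  # empty = applies to every instance


# Constructed routing table for "network A" as shown in the demo:
# the automatic local route for mysubnet, the automatic default
# internet route (priority 1000) and the custom proxy route (500).
# The gcloud equivalent of the console steps (network name assumed
# to be "network-a") would be:
#   gcloud compute routes create proxy --network=network-a \
#     --destination-range=0.0.0.0/0 --next-hop-address=192.168.0.10 \
#     --priority=500 --description="internet traffic to proxy server"
NETWORK_A_ROUTES = [
    Route("local-mysubnet", "192.168.0.0/24", 0, "local"),
    Route("default-internet", "0.0.0.0/0", 1000, "default-internet-gateway"),
    Route("proxy", "0.0.0.0/0", 500, "192.168.0.10"),
]


def select_route(dst_ip, routes, instance_tags=frozenset()):
    """Return the route a VM carrying instance_tags would use for dst_ip.

    Routes whose tags do not match the instance are ignored; among the
    rest the longest destination prefix wins, and equally specific
    routes are ordered by priority number (lower wins)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for r in routes:
        if ip not in ipaddress.ip_network(r.dest):
            continue
        if r.tags and not (r.tags & instance_tags):
            continue
        candidates.append(r)
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.0.10"):
        r = select_route(dst, NETWORK_A_ROUTES)
        print(f"{dst:>14} -> {r.name} via {r.next_hop}")
```

Traffic to 192.168.0.10 itself still follows the local subnet route because the /24 is more specific than 0.0.0.0/0, which is why the proxy's own outbound packets are not looped back into the proxy route. The proxy VM must also be created with IP forwarding enabled for Google Cloud to accept it as a next hop.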
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.