Google Kubernetes Engine Clusters
Configuring and Managing Firewall Rules
The course is part of these learning paths
This course explores how to implement virtual private clouds on the Google Cloud Platform. It starts off with an overview, where you'll be introduced to the key concepts and components that make up a virtual private cloud.
After covering basic VPC concepts and components, we'll dive into peering VPCs, shared VPCs, and VPC flow logs, including a hands-on demonstration of how to configure flow logs. We’ll also look at routing and network address translation, before moving on to Google Kubernetes Engine clusters. We’ll cover VPC-native clusters and alias IPs, as well as clustering with shared VPCs.
You’ll learn how to add authorized networks for GKE cluster master access and we finish off by looking at firewall rules. We’ll cover network tags, service accounts, and the importance of priority. You’ll also learn about ingress rules, egress rules, and firewall logs.
If you have any feedback related to this course, feel free to contact us at firstname.lastname@example.org.
- Get a foundational understanding of virtual private clouds on GCP
- Learn about VPC peering and sharing
- Learn about VPC flow logs and how to configure them
- Learn about routing in GCP and how to configure a static route
- Understand the pros and cons of VPC-native GKE clusters
- Learn about cluster network policies
- Understand how to configure and manage firewall rules in GPC
This course is intended for anyone who wants to learn how to implement virtual private clouds on the Google Cloud Platform.
To get the most from this course, you should already have experience with the public cloud and networking, as well as an understanding of GCP architecture.
Hello and welcome to Cloud NAT! With Cloud NAT, your VM instances can send outbound packets to the internet and they can receive inbound responses to those packets without the need for a public IP address. You can also use Cloud NAT to allow private GKE clusters to send outbound packets to the internet and to receive responses to those packets. It essentially allows internet communications to/from VM instances and private GKE clusters without opening them up directly to the internet via a public IP.
So, what exactly is Cloud NAT? Cloud NAT is a software-based managed service within Google Cloud. What it does is configure the underlying Andromeda software that is used to power VPC networks within Google Cloud. It’s a service that provides source network address translation for virtual machines without the need to assign public IPs to them. In addition, it provides destination network address translation for the incoming response packets.
The image on your screen shows the difference between a traditional NAT and Cloud NAT.
In a typical configuration, what Cloud NAT does is provide outbound network address translation in conjunction with static routes that have been defined within the VPC network, provided the next hops for those routes are pointed at the default internet gateway. Unless it’s been changed, the default route in a VPC network will fit this requirement.
In addition to providing NAT to the internet for packets sent from VM NICs with no public IP address, Cloud NAT can also provide NAT to the internet for packets sent from an alias IP range that’s been assigned to a virtual machine’s network interface.
I should point out that although Cloud NAT cannot provide NAT to the internet for packets sent from a VM interface that has a public IP assigned to it, it CAN provide NAT for packets whose sources come from an alias IP range of the interface, even if it has an external IP assigned to it. This is because an external IP on a NIC will never provide 1-to-1 NAT for alias IP addresses.
Now, the one thing I want to make really clear here, is that Cloud NAT does NOT permit unsolicited incoming requests that originate from the internet. It only allows incoming requests that are responses to outbound requests. So, this means that, unless an incoming request is a response to a previous outbound request, it will not be allowed.
In cases where a VM has multiple NICs attached, each NIC will belong to a separate VPC network. That being the case, and because a Cloud NAT gateway can only apply to a single VM NIC, you can use separate Cloud NAT gateways to provide NAT to the same VM. In such a case, each Cloud NAT gateway would apply to a different NIC, provided each NIC has no public IP assigned.
As far as GKE goes, a Cloud NAT gateway can be used to perform NAT for nodes and pods in a VPC-native private cluster. If you need to provide NAT for an entire private cluster, the best way to do so is to configure the Cloud NAT gateway so that it applies to all subnet IP ranges for the cluster.
To read more about the nuts and bolts of Cloud NAT, visit the URL that you see on your screen: https://cloud.google.com/nat/docs/overview
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.