This course explores how to implement virtual private clouds on the Google Cloud Platform. It starts off with an overview, where you'll be introduced to the key concepts and components that make up a virtual private cloud.
After covering basic VPC concepts and components, we'll dive into peering VPCs, shared VPCs, and VPC flow logs, including a hands-on demonstration of how to configure flow logs. We’ll also look at routing and network address translation, before moving on to Google Kubernetes Engine clusters. We’ll cover VPC-native clusters and alias IPs, as well as clustering with shared VPCs.
You’ll learn how to add authorized networks for GKE cluster master access and we finish off by looking at firewall rules. We’ll cover network tags, service accounts, and the importance of priority. You’ll also learn about ingress rules, egress rules, and firewall logs.
If you have any feedback related to this course, feel free to contact us at firstname.lastname@example.org.
- Get a foundational understanding of virtual private clouds on GCP
- Learn about VPC peering and sharing
- Learn about VPC flow logs and how to configure them
- Learn about routing in GCP and how to configure a static route
- Understand the pros and cons of VPC-native GKE clusters
- Learn about cluster network policies
- Understand how to configure and manage firewall rules in GCP
This course is intended for anyone who wants to learn how to implement virtual private clouds on the Google Cloud Platform.
To get the most from this course, you should already have experience with the public cloud and networking, as well as an understanding of GCP architecture.
Hello and welcome to VPC resources. In this lesson, you will be introduced to several concepts related to VPC. We will take an introductory look at VPC networks, firewall rules, routes, subnets and IP ranges, shared VPCs, and VPC network peering. We’ll also take a quick look at some hybrid cloud options and some load balancing options. We will cover each of these topics in more detail as the course progresses, but I feel it’s important to provide you with an overview-level introduction to kick things off.
The term VPC is shorthand for virtual private cloud. A virtual private cloud provides the underlying networking components for other services such as Compute Engine virtual machines and Google Kubernetes Engine clusters.
A VPC network is not terribly different from a physical network, except for the fact that a VPC network is virtualized. A VPC network is a global resource that you deploy within the Google Cloud Platform. It consists of regional virtual subnets, each located in one region and backed by one or more data centers. The virtual subnets in a VPC network define ranges or blocks of IP addresses that can be used to address resources. These subnets are connected via Google's global wide area network, so a VM in one region can reach a VM in another region over internal IP addresses without leaving the VPC. That said, VPC networks themselves are logically isolated from one another: resources in two different VPC networks cannot talk to each other unless you explicitly connect the networks.
The image on your screen depicts a typical VPC network.
VPC networks in Google Cloud Platform provide internal TCP and UDP load-balancing capabilities, and they allow you to connect to your on-prem networks via Cloud VPN tunnels and Cloud Interconnect attachments. VPC networks also allow you to distribute traffic from external load balancers in Google Cloud to backend resources.
We will get into more detail on VPC networks later on in the course.
Let’s talk a little bit about firewall rules now. As is the case with a physical firewall device, the firewall rules that you define control which traffic is allowed to reach your instances and which traffic those instances are allowed to send out. Unlike a physical firewall, though, the rules are enforced per VM instance rather than at a single choke point, and they are stateful: a response to an allowed connection is let through without a separate rule.
Every VPC network that gets deployed implements a distributed and configurable virtual firewall. Along with that virtual firewall, every VPC network also carries two implied firewall rules. These two implied rules block all incoming traffic and allow all outgoing traffic. They sit at the lowest possible priority (65535), so any rule you create takes precedence over them. That being said, the default network comes with a handful of additional pre-populated rules: one that allows all internal traffic between instances on the network, and ones that allow SSH, RDP, and ICMP from any source. Those last three are worth reviewing on any project you inherit, because they expose management ports to the whole internet.
Later on, in this course, you will learn more about firewall rules. For now, all you need to know is that they are used to allow and block traffic, that lower priority numbers win, and that a deny rule beats an allow rule at the same priority.
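To make the implied rules, the default network's pre-populated rules, and the precedence order concrete, here is an added example that is not part of the course material: a small evaluator that applies a list of rules the way the VPC firewall does (lowest priority number wins; at equal priority, deny beats allow; an implied rule always matches as the last resort). The `Rule` class is a simplified model of a VPC firewall rule, not the GCP API object; it leaves out source tags, source service accounts, logging, and IPv6. The `deny-ssh-from-internet` and `allow-ssh-from-bastion` rules, the `ssh-target` tag, the bastion address 10.128.0.5, and the packets at the bottom are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A simplified VPC firewall rule (assumed model, not the GCP API object)."""
    name: str
    direction: str          # "INGRESS" or "EGRESS"
    action: str             # "allow" or "deny"
    priority: int           # 0-65535; the lower the number, the higher the precedence
    ranges: tuple           # source ranges for INGRESS, destination ranges for EGRESS
    protocols: tuple = ("all",)   # entries like "tcp:22", "tcp:8000-8080", "udp", "icmp", "all"
    target_tags: tuple = ()       # empty tuple = rule applies to every instance in the network


# The two implied rules every VPC network carries. They sit at priority 65535,
# so any rule you create takes precedence over them.
IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ("0.0.0.0/0",)),
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, ("0.0.0.0/0",)),
)

# The pre-populated rules on the auto-mode "default" network (priority 65534).
DEFAULT_NETWORK_RULES = (
    Rule("default-allow-internal", "INGRESS", "allow", 65534, ("10.128.0.0/9",), ("tcp", "udp", "icmp")),
    Rule("default-allow-ssh", "INGRESS", "allow", 65534, ("0.0.0.0/0",), ("tcp:22",)),
    Rule("default-allow-rdp", "INGRESS", "allow", 65534, ("0.0.0.0/0",), ("tcp:3389",)),
    Rule("default-allow-icmp", "INGRESS", "allow", 65534, ("0.0.0.0/0",), ("icmp",)),
)


def _protocol_matches(spec, protocol, port):
    """Does a protocol spec such as 'tcp:22' or 'tcp:8000-8080' cover this packet?"""
    if spec == "all":
        return True
    name, _, ports = spec.partition(":")
    if name != protocol:
        return False
    if not ports:                      # bare 'tcp' / 'udp' / 'icmp' means every port
        return True
    low, _, high = ports.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches(rule, direction, peer_ip, protocol, port, instance_tags):
    """True if the rule targets this instance and covers this packet."""
    if rule.direction != direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(instance_tags):
        return False
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in ipaddress.ip_network(r) for r in rule.ranges):
        return False
    return any(_protocol_matches(p, protocol, port) for p in rule.protocols)


def evaluate(user_rules, direction, peer_ip, protocol, port=0, instance_tags=()):
    """Return (action, rule_name) for one packet.

    Precedence follows the VPC firewall model: the matching rule with the lowest
    priority number wins, and at equal priority a deny rule beats an allow rule.
    The implied rules guarantee that at least one rule always matches.
    """
    matches = [r for r in tuple(user_rules) + IMPLIED_RULES
               if rule_matches(r, direction, peer_ip, protocol, port, instance_tags)]
    matches.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = matches[0]
    return winner.action, winner.name


# Hypothetical hardening of the default network: keep internal traffic as-is, but
# override the world-reachable SSH rule so only a bastion can reach tagged instances.
HARDENED_RULES = DEFAULT_NETWORK_RULES + (
    Rule("deny-ssh-from-internet", "INGRESS", "deny", 1000, ("0.0.0.0/0",), ("tcp:22",)),
    Rule("allow-ssh-from-bastion", "INGRESS", "allow", 900, ("10.128.0.5/32",), ("tcp:22",), ("ssh-target",)),
)


if __name__ == "__main__":
    # Constructed sample packets; the comments give the expected decisions.
    print(evaluate((), "INGRESS", "203.0.113.7", "tcp", 22))                     # deny, implied-deny-ingress
    print(evaluate((), "EGRESS", "203.0.113.7", "tcp", 443))                     # allow, implied-allow-egress
    print(evaluate(DEFAULT_NETWORK_RULES, "INGRESS", "203.0.113.7", "tcp", 22))  # allow, default-allow-ssh
    print(evaluate(HARDENED_RULES, "INGRESS", "203.0.113.7", "tcp", 22))         # deny, deny-ssh-from-internet
    print(evaluate(HARDENED_RULES, "INGRESS", "10.128.0.5", "tcp", 22, ("ssh-target",)))  # allow, allow-ssh-from-bastion
```

The last two calls show why priority matters more than rule order: `deny-ssh-from-internet` at 1000 overrides `default-allow-ssh` at 65534 even though both match the same packet, and the bastion's allow rule at 900 wins for tagged instances only; an untagged instance still gets the deny, even from the bastion address.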
Routes are another component that make up a virtual private cloud. Routes are used to direct traffic. They tell virtual machine instances and the VPC network how to send traffic from one location to another. Each VPC network comes with system-generated routes: a subnet route for each subnet, which carries traffic between the subnets, and a default route that sends everything else to the internet gateway. You can also create custom static routes that direct certain traffic to specific destinations, such as a VPN tunnel or a network appliance VM. When more than one route matches a packet, the route with the most specific destination prefix wins, and among routes with the same prefix length the one with the lower priority number wins.
We will touch on some of the technical details of routes later on.
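As an added example that is not part of the course material, the following function picks a route the way the VPC does: longest destination prefix first, then lowest priority number. The route set is constructed for the example, with a single subnet route, the default route, and two hypothetical static routes: `to-onprem` toward a VPN tunnel and `to-nva-egress`, which forces all internet-bound traffic through an inspection appliance by matching the same 0.0.0.0/0 prefix as the default route at a lower priority number. Equal prefix length and equal priority would be spread across the next hops in the real VPC (ECMP); this example simply returns the first of them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """A simplified VPC route (assumed model, not the GCP API object)."""
    name: str
    dest: str          # destination CIDR the route applies to
    next_hop: str      # where matching traffic is sent
    priority: int = 1000   # lower number wins among routes with the same prefix length


# Routes a network gets automatically (constructed): one route per subnet plus the
# default route to the internet gateway.
SYSTEM_ROUTES = (
    Route("subnet-route-eu", "10.10.0.0/20", "subnet"),
    Route("default-route", "0.0.0.0/0", "default-internet-gateway"),
)

# Hypothetical custom static routes added by an administrator.
CUSTOM_ROUTES = (
    Route("to-onprem", "192.168.0.0/16", "vpn-tunnel-onprem"),
    # Same prefix as the default route, but priority 900 < 1000, so it wins and all
    # internet-bound traffic is steered through the inspection appliance.
    Route("to-nva-egress", "0.0.0.0/0", "nva-instance", priority=900),
)


def select_route(routes, dst_ip):
    """Return the route that carries traffic to dst_ip, or None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.dest)]
    if not candidates:
        return None
    # Longest prefix first (negated so a bigger prefix length sorts first), then
    # lowest priority number.
    candidates.sort(key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))
    return candidates[0]


if __name__ == "__main__":
    all_routes = SYSTEM_ROUTES + CUSTOM_ROUTES
    for ip in ("10.10.1.4", "192.168.5.1", "8.8.8.8"):
        chosen = select_route(all_routes, ip)
        print(ip, "->", chosen.name, "via", chosen.next_hop)
```

The subnet route still wins for 10.10.1.4 even though the appliance route also covers it, because a /20 is more specific than a /0; lowering the appliance route's priority number does not change that. That is the behaviour to rely on when you want inspection for internet egress but not for east-west traffic inside the VPC.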
Forwarding rules are used to direct traffic to specific resources in a VPC network. Such rules are based on the destination’s IP address, protocol, and port. You can use forwarding rules to direct traffic that originates inside of your network or from outside of Google cloud to specific destinations within your network. You can use forwarding rules to direct traffic to target instances, load balancer targets, and cloud VPN gateways.
A VPC also consists of IP addresses, alias IP ranges, and network interfaces. IP addresses, for example, allow resources like Compute Engine VM instances and GKE containers to communicate over the VPC network. Alias IP ranges are used in situations where multiple services are running on a single VM. Assigning each service running on the VM a different internal IP by using alias IP ranges ensures that the VPC network forwards traffic for each specific service to the VM running that service. This is also how VPC-native GKE clusters address their pods: each node is given an alias IP range out of a secondary subnet range, and pod IPs are drawn from it, so the VPC itself knows how to route to individual pods.
Network interfaces provide the communication functionality for GCP VM instances. While it’s common for a VM to include one network interface, there will be times when you will need to attach multiple network interfaces to a VM instance. When you attach multiple network interfaces to a VM instance, each interface can reside in a different VPC network. You can also use multiple network interfaces to allow a network appliance VM to act as a gateway.
In situations where you need to share a VPC network across projects, you can leverage what’s called a Shared VPC. The network lives in a host project, and one or more service projects are attached to it so their resources can use the host project’s subnets. With a Shared VPC, you can allow access to either the whole network or to specific subnets within the network via IAM permissions. You’ll often see Shared VPCs in use in larger organizations that require centralized control over their networks but also organizational flexibility.
VPC network peering allows you to make services available across multiple VPC networks, whether those networks are part of the same project or different projects. You can even use VPC peering to make services available across networks in different organizations. What VPC peering does is ensure that all communication among resources on the peers happens through internal IP addresses. It keeps that communication private, off the public internet. Two things to check before you peer: the subnet ranges of the two networks must not overlap, and peering is not transitive, so a network peered with two others does not let those two reach each other.
Services like Cloud VPN and Cloud Interconnect allow you to connect a VPC network to other networks. More specifically, the Cloud VPN service allows you to connect VPC networks on Google Cloud Platform to physical on-prem networks and to virtual networks on other cloud platforms, like AWS and Azure. Cloud Interconnect allows you to leverage a high-speed physical connection to connect a VPC network to a physical on-prem network.
For situations where you need to distribute traffic across multiple VMs, GCP offers load balancing. This load balancing functionality comes in multiple flavors. We have global external load balancing, regional external network load balancing, and regional internal load balancing. While global load balancing allows you to distribute the backends across multiple regions, regional load balancing requires the backends to remain in a single region. External load balancers allow you to distribute incoming internet traffic across multiple backend instances in a Google Virtual Private Cloud. Internal load balancers, as you might expect, are used when you need to distribute internal traffic across instances inside of Google Cloud.
So, now that you have a high-level understanding of the key components that make up a Google Virtual Private Cloud, let’s take a closer look at each.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.