Google Kubernetes Engine Clusters
Configuring and Managing Firewall Rules
The course is part of these learning paths
This course explores how to implement virtual private clouds on the Google Cloud Platform. It starts off with an overview, where you'll be introduced to the key concepts and components that make up a virtual private cloud.
After covering basic VPC concepts and components, we'll dive into peering VPCs, shared VPCs, and VPC flow logs, including a hands-on demonstration of how to configure flow logs. We’ll also look at routing and network address translation, before moving on to Google Kubernetes Engine clusters. We’ll cover VPC-native clusters and alias IPs, as well as clustering with shared VPCs.
You’ll learn how to add authorized networks for GKE cluster master access and we finish off by looking at firewall rules. We’ll cover network tags, service accounts, and the importance of priority. You’ll also learn about ingress rules, egress rules, and firewall logs.
If you have any feedback related to this course, feel free to contact us at email@example.com.
- Get a foundational understanding of virtual private clouds on GCP
- Learn about VPC peering and sharing
- Learn about VPC flow logs and how to configure them
- Learn about routing in GCP and how to configure a static route
- Understand the pros and cons of VPC-native GKE clusters
- Learn about cluster network policies
- Understand how to configure and manage firewall rules in GPC
This course is intended for anyone who wants to learn how to implement virtual private clouds on the Google Cloud Platform.
To get the most from this course, you should already have experience with the public cloud and networking, as well as an understanding of GCP architecture.
Welcome to VPC Flow Logs. In this lesson, we’ll take a look at what VPC flow logs are and how to use them.
VPC Flow Logs are an important tool for network troubleshooting, monitoring, and forensic analysis. What VPC Flow Logs do is record samples of network traffic flows that are sent from and received by VM instances and GKE nodes. You can use Cloud Logging to view VPC flow logs and you can even export them to destinations supported by Cloud Logging.
Because VPC Flow Logs are a part of Andromeda, which is what powers VPC networks in GCP, they cause no delay and have no effect on performance when you enable them. I should point out that VPC Flow Logs only work with VPC networks. They do not support legacy networks.
When you enable VPC flow logs for a subnet, they will capture data from all VM instances on that specific subnet. What VPC Flow Logs will do is sample the inbound and outbound TCP and UDP flows for each VM on the subnet being tracked.
The URL on your screen provides a description of all the data that is included in each flow record:
When enabled, flow log collection occurs at specific intervals for each VM connection. The packets that are collected are then aggregated based on the configured aggregation interval into a single flow log entry, and then sent to logging. The logs are then stored in logging for 30 days by default – but they can be stored longer if you export them to a supported destination.
When used for network monitoring, flow logs allow you to monitor your VPC networks and they provide real-time visibility into your network. They also allow you to perform network diagnostics and to understand your traffic, which in turn, helps with capacity planning.
Leveraging flow logs for network forensics allows you to investigate specific incidents. For example, you can use flow logs to identify which IP addresses communicated with whom, and when. You can also track down compromised IPs by analyzing all incoming flows and outgoing flows.
In the upcoming demonstration, I’ll show you how to configure VPC flow logs.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.