Before you can start creating a bunch of Virtual Machines, you need a way to organize and connect to them. This course will show you how to build your own private and public networks in GCP.
- What a Google Virtual Private Cloud is
- How to create VPC networks
- How to connect or isolate VPCs
- How to share a VPC with other projects
- Cloud Architects
- Network Engineers
- Anyone preparing for a Google Cloud certification
- Understand basic networking concepts
- Access to a GCP account
So, now it's time for a practical demonstration on creating your own custom VPC networks on Google Cloud Platform. Now I'm going to end up building two separate VPCs and each VPC will be divided into two subnets, making for a total of four. I'm also going to be showing you how to add routing and firewall rules and I'm going to cover how to connect two VPCs together, as well as how to share a VPC with other projects. In this demo, I'm going to stick to using the GCP console. So, of course, the first step is to just log in. You can see I've already done that. Next, I want to access the VPC page so I need to search for VPC and then click on VPC networks. This is the main VPC management page. It does allow you to work with more than just networks. You'll see there's quite a few options in the menu here. I'm not going to be covering all of these, instead, I really want to focus on VPC networks. I will also touch on firewall, routes, VPC network peering, and shared VPC. So the VPC network screen shows you all of your current VPCs. Now by default, your account will start out with a single VPC called default.
Now, this basically provides customers a quick and easy way to start playing with virtual machines. This way you don't have to create a VPC in order to spin up a VM, you can just use default if you want to do some quick testing or some experimentation. Now, you'll notice that default is split up into many different subnets, and the point of this is to make it as easy as possible to use. Each subnet exists in a different region, so no matter which region you want to create a VM in, default has you covered. Now here is the list of routes that are defined for default. Notice that there is a route for each subnet. This means all the subnets are connected. You can create a virtual machine in us-east1 and a virtual machine in asia-east1 and they can internally route packets back and forth. So, you can communicate without using public IPs or touching any public networks. Of course, there's also a route defined to the Internet as well. So, if you assign a public IP, your VM can download whatever software you need. You can change any of this if you wish, you can add new routes or delete existing ones, but this is what's automatically set up for you. We should also take a look at the firewall rules. Now these control what protocols are allowed and what port numbers you can connect to. So, by default, you're going to start out with these four.
Now, the first three rules are for controlling traffic from the Internet. You can see that the source for these rules is defined as 0.0.0.0/0, which basically means all IP addresses. Now the fourth rule is just for controlling internal traffic. Notice the source matches the CIDR range of all IPs contained inside of the default VPC. So, this first rule is what allows SSH connections from the public Internet. Now, this will be very useful for you to use when you want to connect to any Linux VMs. This third rule allows RDP connections. This is what's going to allow you to connect to any Windows VMs that you create. The second rule here allows you to ping your VMs to make sure they're up and running. And this last rule allows pretty much anything to happen internally. Here, you can see all TCP and UDP ports are open, so just as long as the request is made by a server running inside of default, it will be allowed. Now, these rules were designed to be a compromise between security and ease of use. So, you can spin up a VM and then SSH or RDP to it, but you can't do much else. In some ways, these rules are too restrictive.
For example, you can't run a public web server because external connections to ports 80 and 443 are blocked. However, they're also too permissive. Anyone on the Internet can ping any of your VMs and anyone can also try to connect via SSH or RDP. So, it's important to realize that default is really only meant for running temporary VMs. If you just want to spin up a few for testing, then it's fine, but default is not meant to use for a real production environment. You would either need to heavily customize the firewall rules or an even better solution is just to create a whole new VPC and set that up with the right permissions. Let me show you how to do that next. So, I'm going to go back to the main VPC page and then I want to click on 'Create VPC network' at the top of the screen. So, now all I have to do is fill out this form. You'll notice there's a lot of options that are available and I'm not going to cover every single one. I'm just going to cover the basics. So, first I need a name, I'm going to call this one demovpc-1. Next, you need to define at least one subnet. Now, you can let Google automatically generate the subnets for you.
But this is going to create a subnet for every single region, just like default. So, normally you want to set this to custom. Now a subnet has an internal range that's used for assigning IP addresses and it has a region. This defines the physical location for any resources assigned to it. So, I'm going to add two subnets. The first I'm going to call subnet-1. I'll set the region to us-central1 since that's closest to me and I'm going to specify a CIDR range of 10.1.0.0/16. Now, this means my subnet-1 can use any IP address from 10.1.0.0 to 10.1.255.255. Well, technically less since some IP addresses in that range are reserved for special use, but this gives me about 65,000 IPs. Next, I'll define my second subnet. Now if I needed to, I could go back and edit my subnet-1 settings by expanding this section here. But for the second one, I'm going to call it subnet-2 and I'll pick the same region. Now for this IP range, I'm going to set it to 10.2.0.0/16. So, that means this subnet can use any address between 10.2.0.0 and 10.2.255.255. Hopefully, you're starting to notice a pattern. Eventually subnet-3 is going to end up using all the 10.3 addresses, and subnet-4 will end up using 10.4. So, now that I've got my two subnets defined, I want to add some firewall rules. Now, you're provided a list of common rules that you can choose from here.
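The subnet plan just described, worked through in code. This is an added example, not code from the course or from Google: it uses the transcript's ranges (10.1.0.0/16 through 10.4.0.0/16), assumes the name demovpc-2 for the second VPC, and applies Google's documented rule that the first two and last two addresses of every primary subnet range (network, gateway, a reserved address, broadcast) cannot be assigned to a VM. It also checks that no two subnets overlap, which matters beyond a single VPC because two VPCs with overlapping subnets cannot be peered later, and emits the gcloud equivalent of the console form.

```python
"""Subnet planning for the two demo VPCs (added example, not course code)."""
import ipaddress
from typing import Dict, List, Tuple

Subnet = Tuple[str, str, str]  # (name, region, cidr)

# Subnets from the transcript; demovpc-2 is an assumed name for the second VPC.
PLAN: Dict[str, List[Subnet]] = {
    "demovpc-1": [("subnet-1", "us-central1", "10.1.0.0/16"),
                  ("subnet-2", "us-central1", "10.2.0.0/16")],
    "demovpc-2": [("subnet-3", "us-central1", "10.3.0.0/16"),
                  ("subnet-4", "us-central1", "10.4.0.0/16")],
}

# GCP reserves four addresses in every primary subnet range.
GCP_RESERVED_PER_SUBNET = 4


def usable_range(cidr: str) -> Tuple[str, str, int]:
    """First and last VM-assignable address in a subnet, plus the usable count."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = net.network_address + 2      # .0 is the network address, .1 the gateway
    last = net.broadcast_address - 2     # second-to-last is reserved, last is broadcast
    return str(first), str(last), net.num_addresses - GCP_RESERVED_PER_SUBNET


def find_overlaps(plan: Dict[str, List[Subnet]]) -> List[Tuple[str, str]]:
    """Pairs of subnet names whose ranges overlap anywhere in the plan.

    The check runs across every VPC, not just within each one: an overlap
    inside a VPC is rejected at creation time, and an overlap between two
    VPCs prevents them from being peered.
    """
    flat = [(name, ipaddress.ip_network(cidr))
            for subnets in plan.values() for name, _region, cidr in subnets]
    overlaps = []
    for i, (name_a, net_a) in enumerate(flat):
        for name_b, net_b in flat[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((name_a, name_b))
    return overlaps


def gcloud_commands(plan: Dict[str, List[Subnet]]) -> List[str]:
    """The gcloud equivalent of the console clicks: custom-mode VPCs plus subnets."""
    cmds = []
    for vpc, subnets in plan.items():
        cmds.append(f"gcloud compute networks create {vpc} --subnet-mode=custom")
        for name, region, cidr in subnets:
            cmds.append(f"gcloud compute networks subnets create {name} "
                        f"--network={vpc} --region={region} --range={cidr}")
    return cmds


if __name__ == "__main__":
    for vpc, subnets in PLAN.items():
        for name, region, cidr in subnets:
            first, last, count = usable_range(cidr)
            print(f"{vpc}/{name} {region} {cidr}: {first} - {last} ({count} usable)")
    print("overlaps:", find_overlaps(PLAN))
    print("\n".join(gcloud_commands(PLAN)))
```

Running it shows why "about 65,000" is the right number for a /16 (65,532 addresses are usable, not 65,536) and gives an empty overlap list for the 10.1 to 10.4 scheme; feeding it a plan where one subnet sits inside another reports the pair before anything is created.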
You can also create more advanced rules by picking the first option and then editing it. Now this isn't super important because you can always change the rules later. So, for now, I'm just going to enable the ICMP rule and this is what's going to allow me to ping any VMs I create later. And that should be it. I'll just accept the default values on everything else and click on 'Create'. So, we're going to have to wait a little bit while the VPC is created, so let me fast forward. So, now you can see my new demovpc-1 with two subnets. If I click on the name, I can get more details. Here you can see the subnets, here are the defined routes. Now I've got two routes for my two subnets and a third route for routing traffic out to the Internet. Of course, if I wanted my VPC to be super secure, I could delete this public route. Now that means my VMs wouldn't be able to download a virus or leak any data outside of my network. However, it would completely cut them off from the Internet. It also will cut off access to all my other GCP services. Now if you want to disable Internet access but still allow connections to GCP, you want to enable Private Google Access. Private Google Access is set on the subnet level, not on the VPC level. This is where you enable private access. I'm going to leave the public Internet route enabled so I'm not going to make any changes. Let's go back to the VPC level and review the firewall rules. Here's the ICMP rule that I chose on setup. Again, I generally find it easier to add the rules later after creation.
And that's it for the firewall rules. So, now that I've created a new VPC, I should test it out and verify that everything works as I expect. Now to test connectivity, I need something to connect to. So, what I need to do is use compute engine to add a few VMs. First, I need to add a new VM to subnet-1, I don't need this to be very powerful since I'm not going to actually run anything on it. So, I'm just going to pick the smallest and cheapest machine type and then I need to make sure that I switch the network from default to demovpc-1 and then the subnet should also be set to subnet-1. Perfect. So, now let me quickly create another VM on subnet-2. Now this VM will be pretty much the same as the last except I need to set the network to demovpc-1 and then set the subnet to subnet-2. Let me fast forward again a little bit. The VMs have been created. So, now I can run my tests. First, let me test external connections. I should be able to ping both machines using their external IPs. Looks like the first VM is responding and so is the second. Great. Next, I want to be able to test internal connectivity.
So, here I should be able to ping the internal address of one VM from the other. I need to connect to instance 1. Looks like I have an issue. It's saying that I forgot to add a rule to unblock port 22 for SSH. Well, that's easy to fix, so let me show you how to do that. I just need to go back to the VPC page, click on demovpc-1 and then select the firewall tab. And from here, I just need to click on add firewall rule. There are four main parts to any firewall rule. First, you need to pick a name, and I always try to pick something descriptive. Second, you need to pick a target. Now this is going to determine which VMs in the subnet will be affected. So, in this case, I'm going to select all instances. The third option is to specify a source. Now, this defines the range of IPs that the connection is allowed from. You can make this as narrow as a single IP. You could specify multiple IP ranges or you can open up to all addresses.
The fourth option is to specify the protocol and port. In this case, I want to open up TCP port 22 since that is what SSH requires. You can specify multiple protocols and ports, but I try to avoid making my rules too complicated. It's usually easier to have lots of simple rules instead of having a few really complicated ones. So, now that I've added my rule, I should be able to connect to my VM. And there we go. Luckily, firewall rules go into effect pretty quickly, you don't have to wait super long. So, now I should be able to ping the internal address of instance 2 from instance 1. And there we go. So, now you know how to create a simple VPC and set up some basic firewall rules.
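The four parts of a rule (name, target, source, protocol and port) and the "forgot port 22" failure above, modelled in a small evaluator. This is an added example, not the course's or Google's code: it models only what the demo uses, allow rules evaluated on top of GCP's implied deny-all ingress, and leaves priorities out, so rules are checked in list order (with allow-only rules that gives the same result). The rule names, the instance tag ssh-admin, and the 198.51.100.7 and 203.0.113.0/24 addresses are constructed for the example. The last rule set shows the narrower alternative to opening SSH to 0.0.0.0/0: the same port, but only from an admin range and only to tagged instances.

```python
"""Evaluate GCP-style ingress firewall rules (added example, not course code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class Rule:
    name: str
    source_ranges: List[str]                               # CIDR ranges accepted as sources
    allow: List[str]                                       # e.g. "tcp:22", "icmp", "tcp:0-65535"
    target_tags: List[str] = field(default_factory=list)  # empty = all instances in the VPC


def _allows(spec: str, protocol: str, port: Optional[int]) -> bool:
    """Does one allow entry such as "tcp:22" or "icmp" cover this protocol/port?"""
    proto, _, ports = spec.partition(":")
    if proto != protocol:
        return False
    if not ports:            # bare "icmp" or "tcp": the whole protocol
        return True
    if port is None:
        return False
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(rules: Iterable[Rule], src_ip: str, protocol: str,
               port: Optional[int] = None,
               instance_tags: Iterable[str] = ()) -> Optional[str]:
    """Name of the first rule admitting the connection, or None (implied deny-all ingress)."""
    ip = ipaddress.ip_address(src_ip)
    tags = set(instance_tags)
    for rule in rules:
        if rule.target_tags and not tags & set(rule.target_tags):
            continue                                   # target does not cover this instance
        if not any(ip in ipaddress.ip_network(r) for r in rule.source_ranges):
            continue                                   # source outside the allowed ranges
        if any(_allows(spec, protocol, port) for spec in rule.allow):
            return rule.name
    return None


# demovpc-1 as created in the demo: only the ICMP rule was ticked on the form.
AT_CREATION = [Rule("demovpc-1-allow-icmp", ["0.0.0.0/0"], ["icmp"])]

# After the fix in the demo: TCP port 22 opened to all addresses.
AFTER_FIX = AT_CREATION + [Rule("demovpc-1-allow-ssh", ["0.0.0.0/0"], ["tcp:22"])]

# Narrower alternative: SSH only from a constructed admin range, only to tagged VMs.
ADMIN_RANGE = "203.0.113.0/24"
HARDENED = AT_CREATION + [Rule("demovpc-1-allow-ssh-admin", [ADMIN_RANGE], ["tcp:22"],
                               target_tags=["ssh-admin"])]

if __name__ == "__main__":
    internet = "198.51.100.7"   # constructed public source address
    print("SSH before fix:", is_allowed(AT_CREATION, internet, "tcp", 22))
    print("ping subnet-2 from subnet-1:", is_allowed(AT_CREATION, "10.1.0.2", "icmp"))
    print("SSH after fix:", is_allowed(AFTER_FIX, internet, "tcp", 22))
    print("HTTP after fix:", is_allowed(AFTER_FIX, internet, "tcp", 80))
    print("hardened, admin range:", is_allowed(HARDENED, "203.0.113.9", "tcp", 22, ["ssh-admin"]))
    print("hardened, elsewhere:", is_allowed(HARDENED, internet, "tcp", 22, ["ssh-admin"]))
```

The evaluator reproduces the demo step by step: with only the ICMP rule, the internal ping works but SSH from outside is dropped by the implied deny; adding the port 22 rule lets the SSH session through while port 80 stays closed. Keeping rules this small, one port and one purpose each, is also what makes them easy to audit.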
Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.
Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.
When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.