Introduction to GCP Network Resources
Start course
1h 34m

Google Cloud Platform has become one of the premier cloud providers on the market. It offers the same rich catalog of services and massive global hardware scale as AWS as well as a number of Google-specific features and integrations. Getting started with GCP can seem daunting given its complexity. This course is designed to demystify the system and help both novices and experienced engineers get started.

This Course covers a range of topics with the goal of helping students pass the Google Associate Cloud Engineer certification exam. This section focuses on identifying relevant GCP services for specific use cases. The three areas of concern are compute, storage, and networking. Students will be introduced to GCP solutions relevant to those three critical components of cloud infrastructure. The Course also includes three short practical demonstrations to help you get hands-on with GCP, both in the web console and using the command line.

By the end of this Course, you should know all of GCP’s main offerings, and you should know how to pick the right product for a given problem.

Learning Objectives

  • Learn how to use Google Cloud compute, storage, and network services and determine which products are suitable for specific use cases

Intended Audience

  • People looking to build applications on Google Cloud Platform
  • People interested in obtaining the Google Associate Cloud Engineer certification


To get the most out of this course, you should have a general knowledge of IT architectures.


In this section, we're going to briefly introduce each of the GCP networking services. Networking is a complex topic, there's a lot of room for error, if we try to not think about it or make a lot of random assumptions, but fortunately, GCP's solutions are pretty intuitive. Now, it's out of scope for us to explain in minute detail computer networking concepts so this section is not meant to go in-depth on the tooling or configuration for any of the products, we're just going to give a basic overview on the problems that each service is meant to solve. In the following lessons and the demo video, we'll do a deeper dive on the products most critical to setting up an application and passing the certification exam.

So, we'll start by talking about GCP Cloud DNS and Cloud Load Balancing. Now, the former is the GCP solution for configuring DNS records for domains that you own. It's not a domain registrar, that's actually a separate Google product. You can register domains with Google, but the Cloud DNS, rather, is a means for associating a domain name like, you know, with the actual servers or endpoints hosting the content. So it's analogous to Amazon route 53 and AWS or any other domain name servicing company. GCP Cloud Load Balancing is the traffic routing layer. Now, there are many types of GCP load balancers to serve different use cases, such as internal traffic, external internet-facing traffic, SSL offloading, HTTP requests, TCP UDP requests, both Cloud DNS and load balancing, we're going to cover these in more depth in their own lessons but that's just the basic for those two.

Now, the next thing we want to cover are GCP's Network Peering services. Now, there are a few different ones here, so let's go through this carefully. Peering, in case you aren't familiar, is simply the process of connecting two separate networks so that they can exchange traffic. And there are many business cases where you may need to connect GCP traffic to an internal corporate network or a customer's private data center or some other distinct endpoint. So the two main solutions for this are GCP Direct Peering and Carrier Peering. Now, the former works by creating a dedicated connection between your private network of choice and Google's Edge Network, and the latter, Carrier Peering, works through a service provider like Softbank or level 3 or Verizon.

So in the case of Carrier Peering, you have a service provider acting as a kind of black box or middleman, and there are a few specific enterprise-level use cases where this can be really necessary. For example, for security purposes, a company might want to expose only a portion of their network to the public internet for accessing GCP services, however, configuring and maintaining a DMZ, basically, a perimeter network, that might be too much overhead, particularly for smaller companies, so instead the company might just go to their service provider, say, Verizon, and ask them to create a dedicated link for traffic to GCP. This is the problem that carrier peering can solve.

Now, for direct connections to GCP, Direct Peering is a logical solution. This creates a peering connection between your internet internal network and Google. Now, there's another version of this similar that's even more direct, this is called Dedicated Interconnect. Dedicated Interconnect Solution. This is similar to direct peering but it goes further by creating literally a dedicated physical connection. You set up a colocation facility and with routing hardware that matches GCPs requirements, you create a dedicated wire connection from your systems to Google's. Very useful if you need an air gap or you need physical control over the infrastructure for whatever reason. Now, on top of this, there's actually another fourth option for situations where you need the dedicated physical connection but your company's data center, for whatever reason, cannot access a GCP colocation facility. And this is a somewhat niche scenario, it's covered by a product called GCP Partner Interconnect and this is again similar to the Carrier Peering solution in that it works through a third-party service provider. So essentially, you select a service provider from a list of GCP partners, there's a link, we can show you some of the examples, and you use their direct connection to GCP. So you're relying on both GCP and another company's hardware which may potentially create additional concerns around performance and security, however, it may still be your best option if you already have a trusted third party ISP and you still need that dedicated physical connection to GCP. So to review, Direct Peering, Carrier Peering, Direct Interconnect, and Partner Interconnect. Make sure to keep in mind the basic differences, especially if you're responsible for your business's network or data management.

Now let's move on to two important network security solutions and that would be Cloud VPN and Virtual Private Cloud. Now, the former is a virtual private network service designed to protect traffic traveling between GCP and some other endpoint. Like any typical VPN, this is a good way to ensure data coming from the public Internet is secure before it hits your GCP systems. GCP offers both classic and high availability VPN types, the latter being more restrictive in its configuration but promising a better SLA.

Cloud VPN is a simple way of connecting an outside network to GCP endpoints, including a Google Cloud Virtual Private Cloud, or VPC, so let's review that. What is Google Cloud VPC or GCP VPC? Kind of hard to say; quite a mouthful. Anyway, GCP VPC, what that is is a virtual private cloud service within Google Cloud. The virtual private cloud is simply an isolated subset of a larger network with firewalls to block unauthorized access. AWS has the same basic product: VPC. Generally, a VPC is the key unit of measure for defining your application's network resources. So, for example, a single instance of your app or your database, it might live inside of a single VPC, which is usually within a single data center or zone.

And what's unique actually about Google Cloud VPCs is that they can actually span multiple geographic regions, so you can have a single VPC with instances on the United States west coast and instances on the east coast, and they can still talk to each other without accessing the public internet. This isn't the only cool thing also in with Google Cloud VPCs, you get a built-in integration with Cloud VPN and very easy peering between VPCs and the ability to expand the subnet range of available IP addresses within a VPC with zero downtime. So if you have ever had to deal with any of this stuff, if you've ever had to manually, you know, expand subnet ranges in a less full-featured cloud provider, then you'll appreciate a lot of these quality of life enhancements. And suffice to say, Google Cloud VPC will give you the tools you need to manage your app's private cloud configuration.

So let's get into some of the more niche networking services, stuff you probably won't need to worry about right away. So we're going to talk about Cloud CDN, Traffic Director, and Cloud Armor. Now, Cloud CDN is a content delivery network which maybe you guessed if you know the acronym CDN. It's meant to do one thing really well: cache content near your end-users for faster performance. It does this by working with Cloud Load Balancer to cache various types of content: images, video, text, any sort of media at one of its dozens of edge site locations. HTTPS/ SSL support is built-in, so you don't need to worry about performance overhead from encrypted traffic. You know, this is a really great solution if low latency access to content is a critical requirement for your app, given the number of edge site locations they have around the globe.

Now, traffic director. This is a network traffic management tool specifically for service mesh architectures. Now, the term service mesh may not be familiar to everyone so, you know, basic summary: a service mesh is an additional software infrastructure layer that controls service to service communication. This is only relevant when you have a microservice cloud architecture with many different small software services communicating with each other. Tools like Lyft's Envoy Proxy are an example of a service mesh product. GCP traffic director is meant to work on top of that for even easier service traffic management and load balancing. Again, somewhat niche, not something most people are going to worry about at first, however, as a microservice app grows and becomes orders of magnitude more complex, the surface mesh paradigm can become a very useful approach and GCP Traffic Director makes it easy to manage.

And then finally, you have Cloud Armor. This is a DDoS prevention system and this can be really the difference between life and death for a company. Depending on your threat model, if you're a company that's worried about DDoS attacks, this is something that you're going to want to look at. You may or may not, it may or may not be a major concern for your infrastructure but if they are, then Cloud Armor is the way to go. It works directly with TCP load balancing, it offers a way to automatically mitigate suspicious load spikes, you can configure IP range-based blocking, even configure blocks for specific geographic regions if you need to.

So, OK, wow, that was a lot. Congratulations on making it through. You now know all about the basic networking with GCP or at least you know enough to sound credible. In the following three lessons, we're going to dig in on three of the core elements of networking in a cloud provider that would be load balancing, DNS, and multi-region support. Can't wait to see you there.

About the Author

Jonathan Bethune is a senior technical consultant working with several companies including TopTal, BCG, and Instaclustr. He is an experienced devops specialist, data engineer, and software developer. Jonathan has spent years mastering the art of system automation with a variety of different cloud providers and tools. Before he became an engineer, Jonathan was a musician and teacher in New York City. Jonathan is based in Tokyo where he continues to work in technology and write for various publications in his free time.