Virtual Private Clouds (VPC)

Question 1

What is a Virtual Private Cloud?

Answer 1

A software version of a physical network that links resources in a project

Question 2

What are some key points of a VPC? (7)

Answer 2

1. automatically created when a project is created.
2. global - spans the globe without relying on the public internet
3. secure - can be securely routed through Google global network
4. backend services can access other Google services without creating a public IP
5. can be linked to on-premise VPNs using IPSec
6. can use firewalls
7. can use separate projects and billing accounts
8. can contain subnets - subnets are regional, have range of private internal ips

Question 3

What are some key points about subnets in a VPC? (7)

Answer 3

1. can specify region
2. can specify IP range
3. can turn off Private Google access, allowing VMs on subnet to access Google services without assigning external IP to the VM
4. can turn off logging of network traffic
5. can set up firewall rules
6. dynamic routing option - global or regional
7. can set up DNS policy server that enables DNS name resolution by GCP or can customize

Question 4

How do you create a VPC via shell?

Answer 4

glcoud compute networks create [VPC NAME] –subnet-mode=[auto|custom]

Question 5

How do you create custom subnets for a VPC via shell?

Answer 5

gcloud beta compute network subnets create [SUBNET NAME] –network=[VPC NAME] –region=[REGION] –range=[RANGE] –enable-private-ip-google-access –enable-flow-logs

Question 6

How do you create a shared VPC and assign projects via shell?

Answer 6

1. need to make sure you have the Shared VPC Admin role (compute.xpnAdmin)
2. gcloud compute shared-vpc enable [HOST PROJECT ID]
3. gcloud compute shared-vpc associated-projects add [SERVICE PROJECT ID] –host-project [HOST PROJECT ID]

Question 7

At what levels can a shared VPC exist?

Answer 7

Folder or organization.

Question 8

What is VPC peering?

Answer 8

allows inter-project traffic when an organization does not exist

Question 9

How do you set up VPC peering via shell?

Answer 9

gcloud compute networks peerings create [PEER NAME] –network [VPC 1 NAME] –peer-project [PROJECT 2 NAME] –peer-network [VPC 2 NAME] –auto-create-routes
then do the same but reverse project 1, vpc1 and vpc 2

Question 10

At what level are firewalls for VPC defined?

Answer 10

They are defined at the network level and used to control flow of traffic to VMs. They allow or deny traffic on a port and are applied in one direction (incoming or outgoing)

Question 11

What are the components for VPC firewall rules (7)?

Answer 11

1. direction - incoming or outgoing
2. priority - highest rules are applied. lower priority rules that match are not applied. 0 to 65535. 0 is the highest
3. action - allow or deny
4. target - an instance to which the rules apply (all in a network, instances with particular network tag or instances using a specific service account)
5. source/destination - source applies to IP ranges, network tags, service accounts or combination. destination only uses IP ranges
6. Protocol and port (TCP, UDP, ICMP etc…)
7. enforcement status - enabled or disabled

Question 12

What 2 implied rules do all VPCs start with?

Answer 12

1. allows egress to all destinations
2. denies all traffic from any source
   both rules have priority 65535 so they can be overwritten

Question 13

Automatically created VPCs have what 4 network rules created?

Answer 13

1. allows incoming traffic from any VM on same network
2. allows incoming TCP on port 22 (for SSH)
3. allows incoming TCP on port 3389 (allowing RDP)
4. allow incoming ICMP from any source (Internet Control Message Protocol)
   all these have priority 65535

Question 14

How do you create a VPC firewall via shell?

Answer 14

gcloud compute firewall-rules create

many options

Question 15

How do you increase the number of addresses available on a VPC subnet?

Answer 15

gcloud compute networks subnets expand-ip-range [SUBNET NAME] –prefix-length [NEW PREFIX LENGTH]
You can only increase the number of addresses. The only was to decrease is to recreate the subnet.

Question 16

What two tiers are available for reserving an IP?

Answer 16

1. Standard Tier uses internet for some transfer of data

2. Premium Tier routes all traffic over Google’s global network (more expensive)