UCONN

Designing Networks

Cyber Warfare


I. Introduction to GCP Networking


• Overview of Cloud Networking:

• Definition of cloud networking and comparison with traditional networking.

• Key components of GCP’s networking services and their roles.

• Networking within the shared responsibility model (what GCP manages vs. what the user manages).


II. Key Components of GCP Networking


1. VPCs and Subnets:


• VPC structure: how to create a VPC.

• Subnets:

• Regional design of subnets.

• Choosing subnet ranges (CIDR blocks).

• Primary and secondary ranges in subnets.


A virtual private cloud (VPC) is an isolated private network hosted within a public cloud. A VPC plays the role that a physical network plays in a data center.


VPCs are network-level organizational structures for controlling access to GCP resources. In GCP a VPC is a global resource: a single VPC can span multiple regions.



VPC Subnets

A subnet, or subnetwork, is a logical division of an IP network into smaller, more manageable networks. 


Subnets are regional resources, and have IP address ranges associated with them.


A VPC can have subnets in each region in order to provide private addresses to resources in the region. Since the subnets are part of a larger network, they must have distinct IP address ranges.


For example, a VPC might hold the subnets 10.140.0.0/20, 10.140.16.0/20 and 10.140.32.0/20. Once the VPC is created, subnets can be created in each region. Note that a /20 block must start on a multiple of 16 in the third octet: 10.140.20.0/20 and 10.140.30.0/20, for instance, both resolve to the block 10.140.16.0/20 and would overlap, which GCP rejects.

If subnets are created automatically (an auto mode VPC), their IP ranges are predetermined, with one /20 per region taken from 10.128.0.0/9.

Subnets are identified by the most-significant bits of their IP addresses (the network prefix).

Subnetting divides broadcast domains, so traffic is routed efficiently, improving speed and network performance.

A subnet mask tells a host which bits of an address are the network part, so it can tell whether a destination is on its own subnet or must be sent to the gateway.






IP Addressing and CIDR Blocks

A CIDR block is a group of IP addresses that share the same network prefix. CIDR stands for Classless Inter-Domain Routing, and it is a standard for representing IP addresses and their routing properties.


Architects are expected to understand IP addresses and classless inter-domain routing (CIDR) block notation. IP addresses can be specified using either IPv4 or IPv6. IPv4 uses four octets, such as 192.168.20.10. IPv6 uses eight 16-bit blocks, such as FE80:0000:0000:0000:0202:B3FF:FE1E:8329. For the purposes of the exam, understanding IPv4 addressing should be sufficient.


CIDR, which stands for Classless Inter-Domain Routing, is an IP addressing scheme that improves the allocation of IP addresses. It replaced the old system based on classes A, B, and C. This scheme greatly extended the life of IPv4 and slowed the growth of routing tables.

The old system, based on classes


Key Points:

  • First octet determines the class.

  • Default subnet masks were fixed based on class.

  • Network and host portions of the address were predetermined:

    • Class A: Network.Host.Host.Host

    • Class B: Network.Network.Host.Host

    • Class C: Network.Network.Network.Host

  • Waste problem: Many organizations received huge address blocks (like Class A) but only needed a fraction of them.



When you create a subnet, you must specify a range of IP addresses. Any resource that needs an IP address on that subnet receives an address from that range. Each subnet in a VPC must have a distinct, non-overlapping IP range.


You specify an IP range using CIDR notation: an IPv4 address followed by a slash and an integer. The integer (the prefix length) is the number of leading bits that identify the network; the remaining bits identify hosts within it.


For example, 172.16.0.0/12 means the first 12 bits identify the network. Written as a dotted quad, this prefix is the subnet mask, 255.240.0.0. The remaining 20 bits are host bits, giving 2^20 = 1,048,576 addresses, of which 1,048,574 are usable once the network and broadcast addresses are excluded. (GCP reserves four addresses in every subnet, the first two and the last two, so a /12 would leave 1,048,572 for VMs.)
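The prefix arithmetic above, and the overlap check that the subnet section requires, as an added example written for these notes (not GCP code or a Google tool). It computes mask, network address, broadcast address and host counts by hand, cross-checks them against Python's ipaddress module, and tests subnet lists for overlap. The subnet lists are constructed: AS_WRITTEN uses the three /20 ranges quoted in the subnet section, CORRECTED is the same plan aligned on /20 boundaries. The four-reserved-addresses figure is GCP's per-subnet reservation.

```python
"""Added example: CIDR arithmetic done by hand and cross-checked with ipaddress.

Illustrative code written for these notes, not part of any GCP tool.
The subnet lists are constructed: AS_WRITTEN repeats the three /20 ranges quoted
in the notes, CORRECTED is the same plan aligned on /20 boundaries.
"""
import ipaddress
from typing import Dict, List, Tuple

GCP_RESERVED_PER_SUBNET = 4   # network, gateway, second-to-last, broadcast


def parse_ipv4(addr: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def format_ipv4(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/12 -> 0xFFF00000 (255.240.0.0): the top `prefix` bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def parse_cidr(cidr: str) -> Tuple[int, int, int]:
    """Return (address, prefix length, mask) for 'a.b.c.d/n'."""
    addr_s, _, prefix_s = cidr.partition("/")
    if not prefix_s:
        raise ValueError(f"missing prefix length in {cidr!r}")
    return parse_ipv4(addr_s), int(prefix_s), prefix_to_mask(int(prefix_s))


def describe(cidr: str) -> Dict[str, object]:
    addr, prefix, mask = parse_cidr(cidr)
    network = addr & mask                       # keep the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # set every host bit
    total = 1 << (32 - prefix)
    return {
        "mask": format_ipv4(mask),
        "network": format_ipv4(network),
        "broadcast": format_ipv4(broadcast),
        "host_id": addr & ~mask & 0xFFFFFFFF,
        "total_addresses": total,
        "usable_classic": max(total - 2, 0),                    # minus network and broadcast
        "usable_gcp": max(total - GCP_RESERVED_PER_SUBNET, 0),  # GCP reserves four per subnet
        "is_network_address": addr == network,  # False: host bits set, block is mis-specified
    }


def find_overlaps(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Pairs of blocks sharing at least one address, after normalising to network addresses."""
    spans = []
    for c in cidrs:
        addr, prefix, mask = parse_cidr(c)
        lo = addr & mask
        spans.append((c, lo, lo | (~mask & 0xFFFFFFFF)))
    return [(a, b) for i, (a, a_lo, a_hi) in enumerate(spans)
            for (b, b_lo, b_hi) in spans[i + 1:]
            if a_lo <= b_hi and b_lo <= a_hi]


def agrees_with_stdlib(cidr: str) -> bool:
    """Cross-check the hand arithmetic against the standard library."""
    d = describe(cidr)
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False tolerates host bits set
    return (str(net.network_address), str(net.netmask), net.num_addresses) == (
        d["network"], d["mask"], d["total_addresses"])


AS_WRITTEN = ["10.140.10.0/20", "10.140.20.0/20", "10.140.30.0/20"]
CORRECTED = ["10.140.0.0/20", "10.140.16.0/20", "10.140.32.0/20"]

if __name__ == "__main__":
    print("172.16.0.0/12 ->", describe("172.16.0.0/12"))
    print("192.168.1.25/24 ->", describe("192.168.1.25/24"))
    for label, subnets in (("as written", AS_WRITTEN), ("corrected", CORRECTED)):
        print(label, "overlaps:", find_overlaps(subnets))
```

Running it shows that 10.140.20.0/20 and 10.140.30.0/20 normalise to the same /20 and therefore overlap, while the corrected plan has no overlaps, and that the 172.16.0.0/12 block has 1,048,576 addresses with 1,048,574 usable in the classic count.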




2. IP Addressing:


• Public vs. private IP addresses.

• Internal vs. external IPs in GCP.

• Ephemeral and static IPs.


Public IP addresses

Public IP addresses are routable on the internet and identify a device to every other host on it. They are what servers, remote-access endpoints and similar services are reached on. Because anyone on the internet can send packets to them, they are the most exposed part of a network and need firewall rules in front of them.


Private IP addresses

Private IP addresses (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are only reachable within a private network. They are not directly accessible from the internet, which removes one class of exposure, but they are not secure by themselves: any other host on the same private network, or an attacker who has compromised one, can still reach them.


Internal IP addresses are used for communication within the GCP network, while external IP addresses are used for communication with external networks.

IPv4 Example:

192.168.1.25


  • It’s 32 bits, divided into 4 octets (each 0–255).

  • Written in dotted decimal format.

IPv6 Example:

2001:0db8:85a3:0000:0000:8a2e:0370:7334


  • It’s 128 bits, providing many more addresses.

  • Written in hexadecimal.


🧩 3. Network and Host Portions

Each IP address has two parts:

  • Network ID: identifies the specific network (like a neighborhood).

  • Host ID: identifies a specific device on that network (like a house number).

Example:
If the subnet mask is 255.255.255.0 and the IP address is 192.168.1.25

  • Network ID: 192.168.1.0

  • Host ID: 25 (the last octet)


🗺️ 4. Types of IP Addresses

  • Public IP: used on the Internet, globally unique. Example: 8.8.8.8

  • Private IP: used inside local networks. Example: 192.168.x.x, 10.x.x.x

  • Static IP: permanently assigned. Example: a fixed server address

  • Dynamic IP: temporarily assigned by DHCP; changes over time

  • Loopback: refers to the host itself. Example: 127.0.0.1


🛣️ 5. How Routing Works

When you send data:

  1. TCP splits the data into segments.

  2. IP wraps each segment in a packet carrying the source and destination IP addresses.

  3. Each router looks at the destination IP address and forwards the packet to the next hop closer to its destination.

  4. Different packets may take different routes.

  5. At the destination, TCP reassembles the segments in order and asks for retransmission of any that were lost.

Each router uses a routing table to decide the best next hop for each packet.


⚙️ 6. Subnet Masks and Network Division

A subnet mask defines how many bits of the IP address identify the network.
Example:
255.255.255.0, written /24 in prefix notation
This means the first 24 bits are the network and the remaining 8 bits are for hosts.

This allows organizations to divide networks efficiently — like breaking a large office network into smaller subnets.


🧮 7. Ports: Identifying Applications

While IP addresses identify devices, TCP and UDP ports identify specific applications on those devices.

Example:

  • 192.168.1.25:80 → Web server (HTTP)

  • 192.168.1.25:25 → Mail server (SMTP)

TCP/IP uses this combination of IP address + port number to deliver data to the correct program.


📘 Summary

  • IP: addressing and routing. Example: routes a packet from A to B

  • TCP: reliable transmission. Example: ensures data arrives complete and in order

  • IP address: identifies a device. Example: 192.168.1.25

  • Port: identifies an application. Example: port 80 for HTTP


In short:

TCP/IP addressing works by giving every device a unique IP address (like a phone number), which IP uses to route packets across networks. TCP then ensures those packets are delivered reliably and in the right order to the right application via ports.




3. Routes and Firewalls:


• Routes: Basics of routing in a VPC.

• Default routes, custom routes, and their use.

• Firewall Rules:

• Stateful nature of GCP firewall rules (return traffic for an allowed connection is permitted automatically).

• Ingress vs. egress rules.

• Tags and service accounts in firewall rules.


Routing in a Virtual Private Cloud (VPC) network defines the path traffic takes between virtual machines (VMs) and other destinations.


Routes: a route is made up of a destination prefix, a next hop and a priority. When a VM sends a packet, Google Cloud delivers it to the next hop of the matching route. If several routes match, the one with the most specific destination (longest prefix) wins; among equally specific routes, the one with the highest priority (lowest numeric value) is used.


You can create custom static routes to direct packets for specific destinations to a chosen next hop, such as a VPN tunnel or a network appliance VM.
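Route selection as just described, as an added example written for these notes rather than Google Cloud's own implementation: longest prefix first, then lowest priority number, with a withdrawn route falling back to the next candidate. The routing table, the next-hop names and the priority-0 subnet route are constructed sample data.

```python
"""Added example: route selection in a VPC-style routing table.

Illustrative code for these notes, not Google Cloud's implementation. A route is
(destination prefix, next hop, priority). The most specific matching prefix wins;
among equally specific prefixes the lowest priority number wins. The table and
next-hop names below are constructed sample data.
"""
import ipaddress
from typing import NamedTuple, Optional, Sequence


class Route(NamedTuple):
    name: str
    dest: str        # destination CIDR
    next_hop: str    # gateway, VPN tunnel, appliance VM, or the local subnet
    priority: int    # 0 = highest, 65535 = lowest


ROUTES = (
    # local subnet route: the most specific prefix for its own range (priority 0 assumed here)
    Route("subnet-us-central1", "10.128.0.0/20", "local-subnet", 0),
    Route("default-route", "0.0.0.0/0", "default-internet-gateway", 1000),
    Route("to-onprem-primary", "10.0.0.0/8", "vpn-tunnel-1", 1000),
    Route("to-onprem-backup", "10.0.0.0/8", "vpn-tunnel-2", 2000),  # same prefix, loses on priority
    Route("inspect-dmz", "10.50.0.0/16", "firewall-appliance-vm", 1000),
)


def select_route(routes: Sequence[Route], dest_ip: str) -> Optional[Route]:
    """Longest-prefix match first, then lowest priority number. None if nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.dest)]
    if not matching:
        return None
    return min(matching, key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


def next_hop_for(routes: Sequence[Route], dest_ip: str) -> Optional[str]:
    r = select_route(routes, dest_ip)
    return r.next_hop if r else None


def without(routes: Sequence[Route], name: str) -> tuple:
    """Simulate a withdrawn route, e.g. a VPN tunnel going down."""
    return tuple(r for r in routes if r.name != name)


if __name__ == "__main__":
    for dst in ("10.128.0.5", "10.50.3.4", "10.20.1.1", "8.8.8.8"):
        print(dst, "->", next_hop_for(ROUTES, dst))
    print("10.20.1.1 with tunnel-1 down ->",
          next_hop_for(without(ROUTES, "to-onprem-primary"), "10.20.1.1"))
```

The point to notice is that 10.50.3.4 goes to the appliance even though the /8 VPN route also matches, because /16 is more specific, and that priority only decides between the two /8 routes.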



Firewall Rules


Firewall rules control network traffic by blocking or allowing traffic into (ingress) or out of (egress) a network.


Two implied firewall rules are defined with every VPC:

One denies all incoming (ingress) traffic. The other allows all outgoing (egress) traffic.

Both implied rules have the lowest possible priority (65535) and cannot be deleted. You can override them by defining firewall rules with a higher priority, which in GCP means a lower numeric value (0 is the highest priority). GCP firewall rules are stateful: once a connection is allowed in one direction, the return traffic for that connection is allowed automatically.


Firewall

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.


The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information, for example the echo request and reply behind ping.


A GCP firewall rule has the following components:


The direction of traffic. This is either ingress or egress.

The action. This is either allow or deny.

The priority. An integer from 0 to 65535; lower values take precedence, and the implied rules sit at 65535.

The target. This defines the instances to which the rule applies: all instances in the network, instances carrying a given network tag, or instances running as a given service account.

The source (for ingress rules) or the destination (for egress rules). This can be IP ranges or, for sources, network tags or service accounts.

A protocol specification. This includes TCP, UDP, or ICMP, for example.

A port number or range. A port is a communication endpoint associated with a process.

An enforcement status. A rule can be disabled without being deleted, which lets an administrator test the effect of removing it and restore it quickly.


Firewall rules are global resources that are assigned to VPCs, so they apply to all VPC subnets in all regions. Since they are global resources, they can be used to control traffic between regions in a VPC.
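The rule semantics laid out above, as an added example written for these notes and not Google Cloud's implementation: the two implied rules at priority 65535, lower priority numbers winning, targets by network tag or service account, disabled rules skipped, and deny beating allow when priorities tie. Every rule, instance, service-account e-mail and IP address in it is constructed sample data (203.0.113.0/24 is a documentation range standing in for an office network).

```python
"""Added example: evaluating GCP-style VPC firewall rules against a packet.

Illustrative code for these notes, not Google Cloud's implementation. It models
the semantics described above: implied deny-ingress and allow-egress rules at
the lowest priority 65535, lower numeric priority wins, targets by network tag
or service account, and disabled rules that are skipped.
All rules, instances and addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IMPLIED_PRIORITY = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow" or "deny"
    priority: int = 1000            # 0 = highest priority, 65535 = lowest
    protocol: str = "all"           # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()          # empty = all ports
    ranges: tuple = ("0.0.0.0/0",)          # sources (INGRESS) or destinations (EGRESS)
    target_tags: frozenset = frozenset()    # no tags and no SAs = every instance in the VPC
    target_sas: frozenset = frozenset()     # service account e-mails
    disabled: bool = False


@dataclass(frozen=True)
class Instance:
    name: str
    tags: frozenset = frozenset()
    service_account: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    direction: str          # relative to the instance: "INGRESS" or "EGRESS"
    remote_ip: str          # source for INGRESS, destination for EGRESS
    protocol: str
    port: Optional[int] = None


IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY),
    Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY),
)

DB_SA = "db-sa@example-project.iam.gserviceaccount.com"   # constructed service account

# Constructed sample policy. 203.0.113.0/24 (TEST-NET-3) stands in for an office range.
RULES = (
    Rule("allow-ssh-from-office", "INGRESS", "allow", 1000, "tcp", frozenset({22}),
         ("203.0.113.0/24",), target_tags=frozenset({"ssh"})),
    Rule("allow-web", "INGRESS", "allow", 1000, "tcp", frozenset({80, 443}),
         ("0.0.0.0/0",), target_tags=frozenset({"web"})),
    Rule("allow-rdp-anywhere", "INGRESS", "allow", 1000, "tcp", frozenset({3389}),
         ("0.0.0.0/0",), disabled=True),                  # disabled, not deleted: ignored
    Rule("deny-db-egress-internet", "EGRESS", "deny", 1000, "all", frozenset(),
         ("0.0.0.0/0",), target_sas=frozenset({DB_SA})),
    Rule("allow-db-egress-internal", "EGRESS", "allow", 900, "all", frozenset(),
         ("10.0.0.0/8",), target_sas=frozenset({DB_SA})),   # 900 beats the 1000 deny
)

WEB = Instance("web-1", frozenset({"web"}))
DB = Instance("db-1", frozenset({"db"}), DB_SA)


def applies_to(rule: Rule, inst: Instance) -> bool:
    """Target check: no tags and no service accounts means every instance in the VPC."""
    if not rule.target_tags and not rule.target_sas:
        return True
    if rule.target_tags & inst.tags:
        return True
    return inst.service_account is not None and inst.service_account in rule.target_sas


def matches(rule: Rule, inst: Instance, pkt: Packet) -> bool:
    if rule.disabled or rule.direction != pkt.direction or not applies_to(rule, inst):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and (pkt.port is None or pkt.port not in rule.ports):
        return False
    ip = ipaddress.ip_address(pkt.remote_ip)
    return any(ip in ipaddress.ip_network(r) for r in rule.ranges)


def evaluate(rules, inst: Instance, pkt: Packet):
    """Return (action, rule name) of the winning rule.

    Lowest priority number wins; on equal priority deny beats allow, as Google
    Cloud documents. The implied rules always match, so there is always a winner.
    """
    candidates = [r for r in (*rules, *IMPLIED_RULES) if matches(r, inst, pkt)]
    best = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name


if __name__ == "__main__":
    for inst, pkt in [(WEB, Packet("INGRESS", "198.51.100.7", "tcp", 443)),
                      (WEB, Packet("INGRESS", "198.51.100.7", "tcp", 22)),
                      (DB, Packet("INGRESS", "198.51.100.7", "tcp", 3389)),
                      (DB, Packet("EGRESS", "8.8.8.8", "udp", 53)),
                      (DB, Packet("EGRESS", "10.1.2.3", "tcp", 5432))]:
        print(inst.name, pkt.direction, pkt.remote_ip, pkt.protocol, pkt.port,
              "->", evaluate(RULES, inst, pkt))
```

Two behaviours worth tracing by hand: the disabled RDP rule never matches, so port 3389 falls through to the implied deny, and the database instance can reach 10.0.0.0/8 but not the internet because its priority-900 allow outranks the priority-1000 deny, while the implied allow-egress at 65535 never gets a say.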


Both TCP and UDP are transport protocols for sending units of data (packets) over the Internet, and both run on top of IP: whether a packet is sent via TCP or UDP, it is addressed to an IP address. TCP is connection-oriented and guarantees ordered, reliable delivery; UDP is connectionless and best-effort, which is why DNS and many streaming protocols use it.


Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over a TLS connection. It provides confidentiality and integrity for web traffic and lets the client authenticate the server.


An SSL proxy is a proxy that terminates the client's TLS session and performs the encryption and decryption between the client and the back-end server. In GCP, SSL Proxy Load Balancing does this for non-HTTP TCP traffic.


SSL stands for Secure Sockets Layer, the original protocol that let web browsers and servers authenticate each other and encrypt data sent over the Internet. All versions of SSL are deprecated; what product names still call "SSL" is in practice TLS (Transport Layer Security).




Cloud VPN


Cloud VPN is a GCP service that connects GCP VPC networks to on-premises networks over virtual private network tunnels. Cloud VPN is implemented with IPsec VPN tunnels, each supporting up to 3 Gbps.


Data is transmitted over the public Internet, but it is encrypted at the origin gateway and decrypted at the destination gateway, protecting the confidentiality of data in transit. The tunnel keys are negotiated with the Internet Key Exchange (IKE) protocol, IKEv1 or IKEv2, and the traffic itself is encrypted with IPsec ESP.

