Working with Virtual Private Cloud (VPC) networks and virtual machines
Creating an auto-mode VPC and exploring connectivity for VM instances
Overview
Google Cloud Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Kubernetes Engine containers, and App Engine flexible environment. In other words, without a VPC network you cannot create VM instances, containers, or App Engine applications. Therefore, each Google Cloud project has a default network to get you started.
You can think of a VPC network as similar to a physical network, except that it is virtualized within Google Cloud. A VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network (WAN). VPC networks are logically isolated from each other in Google Cloud.
In this lab, I create an auto-mode VPC network with firewall rules and two VM instances, then explore the connectivity for the VM instances.
What I will do
Explore the default VPC network
Create an auto mode network with firewall rules
Create VM instances using Compute Engine
Explore the connectivity for VM instances
Task 1. Explore the default network
View the subnets
To view the subnets, in the navigation menu go to VPC network > VPC networks.
You will find the default network with its subnets.
Each subnet is associated with a Google Cloud region and a private RFC 1918 CIDR block for its internal IP address range and a gateway.
View the routes
- In the left panel, click Routes.
- Under the Route management tab, you will find that there is a route for each subnet and one for the Default internet gateway (0.0.0.0/0). These routes are managed for you, but you can create custom static routes to direct some packets to specific destinations. For example, you can create a route that sends all outbound traffic to an instance configured as a NAT gateway.
View the firewall rules
Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules allow you to control which packets are allowed to travel to which destinations. Every VPC network has two implied firewall rules that block all incoming connections and allow all outgoing connections.
In the left pane, click Firewall. Notice that there are four ingress firewall rules for the default network:
default-allow-icmp
default-allow-rdp
default-allow-ssh
default-allow-internal
To delete the VPC network, open it and delete it. Once you have deleted the VPC network, you will notice that its routes and default firewall rules are deleted with it.
NOTE:
1. These firewall rules allow ICMP, RDP, and SSH ingress traffic from anywhere (0.0.0.0/0) and all TCP, UDP, and ICMP traffic within the network (10.128.0.0/9). The Targets, Filters, Protocols/ports, and Action columns explain these rules.
2. Without a VPC network, there are no routes and no firewall rules!
Task 2. Create a VPC network and VM instances
Creating a VPC network
To create a VPC network, go to the navigation menu > VPC network > VPC networks.
At the top, click "Create VPC network".
Enter a name, and in the Subnets section choose Automatic so that GCP creates a subnet in each region for you.
Under Firewall rules, select all the rules; these are the same standard firewall rules that the default network had. The deny-all-ingress and allow-all-egress rules are also displayed, but you cannot check or uncheck them because they are implied. These two rules have a lower priority (higher integers indicate lower priorities), so the allowed ICMP, custom, RDP and SSH rules are considered first.
In Dynamic routing mode, choose Regional and click "Create" to create the new VPC network.
Note: If you ever delete the default network, you can quickly re-create it by creating an auto-mode network as you just did. In the recreated network, the allow-internal rule appears as an allow-custom firewall rule instead.
Creating the VM instances
Go to Compute Engine > VM instances and create two VMs using these configurations:
VM-1
Name : mynet-us-vm
Region : us-east3
Zone : us-east3-b
Series : E2
Machine type : e2-micro (2 vCPU, 1 GB memory)
VM-2
Name : mynet-eu-vm
Region : europe-west2
Zone : europe-west2-c
Series : E2
Machine type : e2-micro (2 vCPU, 1 GB memory)
Task 3. Explore the connectivity for VM instances
Explore the connectivity for the VM instances. Specifically, try to SSH to your VM instances using tcp:22, and ping both the internal and external IP addresses of your VM instances using ICMP. Then explore the effects of the firewall rules on connectivity by removing the firewall rules individually.
Verify connectivity for the VM instances
The firewall rules that you created with the network allow ingress SSH and ICMP traffic from within the network (internal IP) and from outside it (external IP).
Under VM instances, note the external and internal IP addresses of mynet-eu-vm.
For mynet-us-vm, click SSH to launch a terminal and connect.
Note: You can SSH because of the allow-ssh firewall rule, which allows incoming traffic from anywhere (0.0.0.0/0) for tcp:22. The SSH connection works seamlessly because Compute Engine generates an SSH key for you and stores it in one of the following locations:
- By default, Compute Engine adds the generated key to project or instance metadata.
- If your account is configured to use OS Login, Compute Engine stores the generated key with your user account.
Alternatively, you can control access to Linux instances by creating SSH keys and editing public SSH key metadata.
Now, to test connectivity to mynet-eu-vm's internal IP, run the following command:
ping -c 3 <internal IP>
Then, to test connectivity to mynet-eu-vm's external IP, run the following command:
ping -c 3 <external IP>
Here's what the output looks like:
Now delete the allow-icmp firewall rule
Remove the allow-icmp firewall rule and try to ping the internal and external IP addresses of mynet-eu-vm.
You will notice this:
Close the SSH terminal.
Note: The 100% packet loss indicates that you cannot ping mynet-eu-vm's external IP. This is expected because you deleted the allow-icmp firewall rule!
Now delete the SSH firewall rule
After deleting it, return to Compute Engine > VM instances and, on mynet-us-vm, click SSH to launch a terminal and connect.
You will see this error:
Note: The "Connection failed" message indicates that you cannot SSH to mynet-us-vm because you deleted the allow-ssh firewall rule!
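To make the evaluation order behind these results concrete, here is an added Python model (not part of the lab or of Google's tooling) of how ingress firewall rules in this network are matched: the four default-allow rules at priority 65534, the implied deny-all-ingress at 65535, and the auto-mode range 10.128.0.0/9 from Task 1. The source IPs are constructed; the model omits targets and egress. It shows that deleting allow-icmp blocks pings from outside the network but not from inside it (allow-internal still matches), while deleting allow-ssh blocks tcp:22 from anywhere.

```python
"""Model of Google Cloud VPC ingress firewall evaluation for an auto-mode network.

Added example, not the lab's or Google's code. Rules are evaluated in priority
order (lower integer first); the first match decides. Source IPs are constructed.
"""
import ipaddress
from dataclasses import dataclass

AUTO_MODE_RANGE = "10.128.0.0/9"  # source range of the allow-internal rule


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # GCP: 0 is highest priority, 65535 is lowest
    action: str       # "allow" or "deny"
    sources: tuple    # source CIDR ranges
    protocols: tuple  # pairs like ("tcp", 22), ("icmp", None), ("all", None)


def default_rules():
    """The rules the lab shows for the default (or recreated auto-mode) network."""
    any_src = ("0.0.0.0/0",)
    return [
        Rule("default-allow-icmp", 65534, "allow", any_src, (("icmp", None),)),
        Rule("default-allow-rdp", 65534, "allow", any_src, (("tcp", 3389),)),
        Rule("default-allow-ssh", 65534, "allow", any_src, (("tcp", 22),)),
        Rule("default-allow-internal", 65534, "allow", (AUTO_MODE_RANGE,),
             (("tcp", None), ("udp", None), ("icmp", None))),
        # Implied rule: lowest priority, always present, blocks everything else.
        Rule("implied-deny-all-ingress", 65535, "deny", any_src, (("all", None),)),
    ]


def matches(rule, src_ip, proto, port):
    ip = ipaddress.ip_address(src_ip)
    in_src = any(ip in ipaddress.ip_network(r) for r in rule.sources)
    # A None port in the rule means "all ports" of that protocol.
    proto_ok = any(p in ("all", proto) and (pt is None or pt == port)
                   for p, pt in rule.protocols)
    return in_src and proto_ok


def ingress_decision(rules, src_ip, proto, port=None):
    """Return (action, rule_name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src_ip, proto, port):
            return rule.action, rule.name
    raise RuntimeError("the implied deny rule should always match")


def without(rules, name):
    """Delete a rule by name; implied rules cannot be deleted, as in the console."""
    if name.startswith("implied-"):
        raise ValueError(f"{name} is implied and cannot be deleted")
    return [r for r in rules if r.name != name]
```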
Conclusion
In this section, you explored the default network along with its subnets, routes, and firewall rules. You deleted the default network and determined that you cannot create any VM instances without a VPC network.
Next, you created a new auto-mode VPC network with subnets, routes, firewall rules, and two VM instances. Then you tested the connectivity for the VM instances and explored the effects of the firewall rules on connectivity.