Please enable JavaScript.

Coggle requires JavaScript to display documents.

GCP_Networking - Coggle Diagram

- - - - enable that private resources we can touch only from specific subnet. but not from Internet
      - additional reason is to create subnet in different regions for High Availability
      - we should set private and public resources to different subnet
      - subnet provide ability to separate public and private resources
  - - - we can controll subnet and their IP ranges
      - recommended for production
      - No subnet automatically created
    - - Enable private google access - use private IP to go in internal network
      - enable flow-logs: to trouble shut network issues
    - - default VPC created in the each new project
      - subnet are automatically created in each region
- - - - default allow ssh 22
      - RDP - allow remote windows 339
      - default - allow internal
      - default allow ICMP. - ping IP and network topology
  - - - Source (where is a trafic coming from) by CIDR or all instances
      - target (define the destination) - define the destination - SA, TAG
    - - target (define source in GCP) - by TAG or SA
      - Desination is CIDR block
      - all egress is allowed by default from VMs
    - - Action on Match (allow or deny)
      - Protocol TCP, UDP, ICMP
      - Priority
      - Port
      - Enforced status - disabled or enabled
    - - when we allow HTTP and HTTPs trafic on VM - we add the specific tag automatically/. But we can add specific tag manually - it called "NETWORK TAG"
        
        Then we can setup the firewall rule per tag
        
        overall -we controll the resources network by tags
      - By default all egress is allowed from VMs
        
        first we disable all trafic with the low priority rule
        
        then enable only egress trafic for resources which we need, like LB with the higher priority
      - Shared VPC
        
        Case: allow resources from different projects to touch each other
        
        Can be across organisation or shared folder
        
        need role VPC admin
        
        allows to share one project between projects. But can NOT peer different organisation
        
        Shared VPC allows an organization to connect resources from multiple projects to a common VPC network.
        
        Contains Host project (contains shared network) and many Service projects(attached to host project)
        
        Centriled network admin - important
        
        Peering vs Shared VPC:
        Peering: Peering allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization. you are limited to 25 per project and the transitivity isn't possible.
        VPC sharing: Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network.
        
        VPC peering
        
        allows private RFC 1918 connectivity across TWO VPC networks
        
        need to peer connection from both side: for consumer and producer, allows to use internal IP
        
        internal network, no security and latency
        
        can peer different organisation
        
        should be used in one project
        
        DE-Centriled network admin - important