Loading...
No results found.

Google Cloud Skills Boost

Apply your skills in Google Cloud console

Your Learning progress might get lost. Sign in or Join to save your progress.
close

01

Google Cloud IAM and Networking for Azure Professionals

Course · 8 hours
< 1%
complete
Get access to 700+ labs and courses

VPC Networking (Azure)

Lab 1 hour 30 minutes universal_currency_alt 5 Credits show_chart Introductory
info This lab may incorporate AI tools to support your learning.
Get access to 700+ labs and courses

As a Cloud Architect, you know that one of the pillars of your cloud infrastructure in Azure is your network. How to connect your different resources, how to achieve network segmentation, and how to ensure security are part of your main concerns when working with Google Cloud.

In Azure, you have several regions in which you can deploy as many Virtual Networks (VNets) as you need. These VNets are isolated resources dedicated to communicating your infrastructure and all the deployments that you have within that infrastructure.

In Azure, VNets are regional in their scope and can exist in only one region. Nonetheless, you are able to interconnect them with a Peering Service using the Microsoft backbone to ensure privacy and integrity.

If you are presented with a hybrid scenario, you could use a virtual network gateway to communicate with your local datacenter using Azure.

In Azure, all the virtual networks and the subnets span all availability zones across one region. This means that it’s not necessary to divide them by availability zones. According to best practices, you can create security groups, route tables, and Azure Firewall rules to improve your network security.

With all of this in mind, you will explore the networking services available in Google Cloud to successfully deploy a robust architecture.

Overview

Google Cloud Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Kubernetes Engine containers, and the App Engine flexible environment. In other words, without a VPC network, you cannot create VM instances, containers, or App Engine applications. Therefore, each Google Cloud project has a default network to get you started.

You can think of a VPC network as similar to a physical network, except that it is virtualized within Google Cloud. A VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network (WAN). VPC networks are logically isolated from each other in Google Cloud.

In this lab, you create an auto mode VPC network with firewall rules and two VM instances. Then, you convert the auto mode network to a custom mode network and create other custom mode networks as shown in the example network diagram below. You also test connectivity across networks.

Objectives

In this lab, you learn how to perform the following tasks:

  • Explore the default VPC network
  • Create an auto mode network with firewall rules
  • Convert an auto mode network to a custom mode network
  • Create custom mode VPC networks with firewall rules
  • Create VM instances using Compute Engine
  • Explore the connectivity for VM instances across VPC networks

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Sign in to Qwiklabs using an incognito window.

  2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
    There is no pause feature. You can restart if needed, but you have to start at the beginning.

  3. When ready, click Start lab.

  4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

  5. Click Open Google Console.

  6. Click Use another account and copy/paste credentials for this lab into the prompts.
    If you use other credentials, you'll receive errors or incur charges.

  7. Accept the terms and skip the recovery resource page.

Task 1. Explore the default network

Each Google Cloud project has a default network with subnets, routes, and firewall rules.

View the subnets

The default network has a subnet in each Google Cloud region.

  • In the Cloud Console, on the Navigation menu (), click VPC network > VPC networks.
  • Notice the default network with its subnets.
    Each subnet is associated with a Google Cloud region and a private RFC 1918 CIDR block for its internal IP addresses range and a gateway.

View the routes

Routes tell VM instances and the VPC network how to send traffic from an instance to a destination, either inside the network or outside Google Cloud. Each VPC network comes with some default routes to route traffic among its subnets and send traffic from eligible instances to the internet.

  • In the left pane, click Routes.
    Notice that there is a route for each subnet and one for the Default internet gateway (0.0.0.0/0).
    These routes are managed for you, but you can create custom static routes to direct some packets to specific destinations. For example, you can create a route that sends all outbound traffic to an instance configured as a NAT gateway.

View the firewall rules

Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules allow you to control which packets are allowed to travel to which destinations. Every VPC network has two implied firewall rules that block all incoming connections and allow all outgoing connections.

  • In the left pane, click Firewall.
    Notice that there are 4 Ingress firewall rules for the default network:

    • default-allow-icmp
    • default-allow-rdp
    • default-allow-ssh
    • default-allow-internal

    These firewall rules allow ICMP, RDP, and SSH ingress traffic from anywhere (0.0.0.0/0) and all TCP, UDP, and ICMP traffic within the network (10.128.0.0/9). The Targets, Filters, Protocols/ports, and Action columns explain these rules.

Delete the Firewall rules

  1. In the left pane, click Firewall.
  2. Select all default network firewall rules.
  3. Click Delete.
  4. Click Delete to confirm the deletion of the firewall rules.

Delete the default network

  1. In the left pane, click VPC networks.
  2. Select the default network.
  3. Click Delete VPC network.
  4. Click Delete to confirm the deletion of the default network.

Wait for the network to be deleted before continuing.

  1. In the left pane, click Routes.

Notice that there are no routes.

  1. In the left pane, click Firewall.

Notice that there are no firewall rules.

Note: Without a VPC network, there are no routes!

Try to create a VM instance

Verify that you cannot create a VM instance without a VPC network.

  1. On the Navigation menu, click Compute Engine > VM instances.
  2. Click Create Instance.
  3. Accept the default values and click Create.

Notice the error.

  1. Click Create Instance.
  2. Click Advanced options.
  3. Click Networking. Notice the No more networks available error under Network interfaces.
  4. Click Cancel.
Note: As expected, you cannot create a VM instance without a VPC network!

Task 2. Create an auto mode network

You have been tasked to create an auto mode network with two VM instances. Auto mode networks are easy to set up and use because they automatically create subnets in each region. However, you don't have complete control over the subnets created in your VPC network, including regions and IP address ranges used.

Feel free to explore in the Google VPC documentation for more considerations for choosing an auto mode network, but for now, assume that you are using the auto mode network for prototyping purposes.

Create an auto mode VPC network with firewall rules

  1. On the Navigation menu (), click VPC network > VPC networks.
  2. Click Create VPC network.
  3. For Name, type mynetwork
  4. For Subnet creation mode, click Automatic.

Auto mode networks create subnets in each region automatically.

  1. For Firewall rules, select all available rules.

These are the same standard firewall rules that the default network had. The deny-all-ingress and allow-all-egress rules are also displayed, but you cannot select or disable them because they are implied. These two rules have a lower Priority (higher integers indicate lower priorities) so that the allow ICMP, custom, RDP, and SSH rules are considered first.

  1. Click Create.

  2. When the new network is ready, click mynetwork. Note the IP address range for the subnets in and .

Note: If you ever delete the default network, you can quickly re-create it by creating an auto mode network as you just did.

Create a VM instance in

Create a VM instance in the region. Selecting a region and zone determines the subnet and assigns the internal IP address from the subnet's IP address range.

  1. On the Navigation menu (), click Compute Engine > VM instances.

  2. Click Create Instance.

  3. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name mynet-us-vm
    Region
    Zone
    Series E2
    Machine type e2-micro (2 vCPU, 1 GB memory)
    Boot disk Debian GNU/Linux 11 (bullseye)

  4. Click Create.

Create a VM instance in

Create a VM instance in the region.

  1. Click Create instance.

  2. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name mynet-eu-vm
    Region
    Zone
    Series E2
    Machine type e2-micro (2 vCPU, 1 GB memory)
    Boot disk Debian GNU/Linux 11 (bullseye)

  3. Click Create.

Note: The External IP addresses for both VM instances are ephemeral. If an instance is stopped, any ephemeral external IP addresses assigned to the instance are released back into the general Compute Engine pool and become available for use by other projects.

When a stopped instance is started again, a new ephemeral external IP address is assigned to the instance. Alternatively, you can reserve a static external IP address, which assigns the address to your project indefinitely until you explicitly release it.

Verify connectivity for the VM instances

The firewall rules that you created with mynetwork allow ingress SSH and ICMP traffic from within mynetwork (internal IP) and outside that network (external IP).

  1. On the Navigation menu, click Compute Engine > VM instances.

Note the external and internal IP addresses for mynet-eu-vm.

  1. For mynet-us-vm, click SSH to launch a terminal and connect.
Note: You can SSH because of the allow-ssh firewall rule, which allows incoming traffic from anywhere (0.0.0.0/0) for tcp:22. The SSH connection works seamlessly because Compute Engine generates an SSH key for you and stores it in one of the following locations:
  • By default, Compute Engine adds the generated key to project or instance metadata.
  • If your account is configured to use OS Login, Compute Engine stores the generated key with your user account.
Alternatively, you can control access to Linux instances by creating SSH keys and editing public SSH key metadata.
  1. To test connectivity to mynet-eu-vm's internal IP, run the following command, replacing mynet-eu-vm's internal IP:
ping -c 3 <Enter mynet-eu-vm's internal IP here>

You can ping mynet-eu-vm's internal IP because of the allow-custom firewall rule.

  1. To test connectivity to mynet-eu-vm's external IP, run the following command, replacing mynet-eu-vm's external IP:
ping -c 3 <Enter mynet-eu-vm's external IP here>

Note: You can SSH to mynet-us-vm and ping mynet-eu-vm's internal and external IP addresses as expected. Alternatively, you can SSH to mynet-eu-vm and ping mynet-us-vm's internal and external IP addresses, which also works.

Convert the network to a custom mode network

The auto mode network worked great so far, but you have been asked to convert it to a custom mode network so that new subnets aren't automatically created as new regions become available. This could result in overlap with IP addresses used by manually created subnets or static routes, or could interfere with your overall network planning.

  1. On the Navigation menu (), click VPC network > VPC networks.
  2. Click mynetwork to open the network details.
  3. Click Edit.
  4. Select Custom for the Subnet creation mode.
  5. Click Save.
  6. Return to the VPC networks page.

Wait for the Mode of mynetwork to change to Custom.

You can click Refresh while you wait.

Click Check my progress to verify the objective. Create a VPC network and VM instances

Note: Converting an auto mode network to a custom mode network is an easy task, and it provides you with more flexibility. We recommend that you use custom mode networks in production.

Task 3. Create custom mode networks

You have been tasked to create two additional custom networks, managementnet and privatenet, along with firewall rules to allow SSH, ICMP, and RDP ingress traffic and VM instances as shown in this example diagram (with the exception of vm-appliance):

Note that the IP CIDR ranges of these networks do not overlap. This allows you to set up mechanisms such as VPC peering between the networks. If you specify IP CIDR ranges that are different from your on-premises network, you could even configure hybrid connectivity using VPN or Cloud Interconnect.

Create the managementnet network

Create the managementnet network using the Cloud Console.

  1. In the Cloud Console, on the Navigation menu (), click VPC network > VPC networks.

  2. Click Create VPC Network.

  3. For Name, type managementnet

  4. For Subnet creation mode, click Custom.

  5. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name managementsubnet-us
    Region
    IPv4 range 10.240.0.0/20

  6. Click Done.

  7. Click Equivalent Command line.

    These commands illustrate that networks and subnets can be created using the gcloud command line. You will create the privatenet network using these commands with similar parameters.

  8. Click Close.

  9. Click Create.

Create the privatenet network

Create the privatenet network using the gcloud command line.

  1. In the Cloud Console, click Activate Cloud Shell ().
  2. If prompted, click Continue.
  3. To create the privatenet network, run the following command. Click Authorize if prompted.
gcloud compute networks create privatenet --subnet-mode=custom
  1. To create the privatesubnet-us subnet, run the following command:
gcloud compute networks subnets create privatesubnet-us --network=privatenet --region={{{project_0.default_region|Lab region}}} --range=172.16.0.0/24
  1. To create the privatesubnet-eu subnet, run the following command:
gcloud compute networks subnets create privatesubnet-eu --network=privatenet --region={{{project_0.default_region_2|Region 2}}} --range=172.20.0.0/20
  1. To list the available VPC networks, run the following command:
gcloud compute networks list

The output should look like this:

NAME SUBNET_MODE BGP_ROUTING_MODE IPV4_RANGE GATEWAY_IPV4 managementnet CUSTOM REGIONAL mynetwork CUSTOM REGIONAL privatenet CUSTOM REGIONAL
  1. To list the available VPC subnets (sorted by VPC network), run the following command:
gcloud compute networks subnets list --sort-by=NETWORK Note: The managementnet and privatenet networks only have the subnets that you created because they are custom mode networks. mynetwork is also a custom mode network, but it started out as an auto mode network, resulting in subnets in each region.
  1. In the Cloud Console, on the Navigation menu (), click VPC network > VPC networks.
    Verify that the same networks and subnets are listed in the Cloud Console.

Create the firewall rules for managementnet

Create firewall rules to allow SSH, ICMP, and RDP ingress traffic to VM instances on the managementnet network.

  1. In the Cloud Console, on the Navigation menu (), click VPC network > Firewall.

  2. Click Create Firewall Rule.

  3. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name managementnet-allow-icmp-ssh-rdp
    Network managementnet
    Targets All instances in the network
    Source filter IPv4 Ranges
    Source IPv4 ranges 0.0.0.0/0
    Protocols and ports Specified protocols and ports
Note: Make sure to include the /0 in the Source IPv4 ranges to specify all networks.

  1. Select tcp and specify ports 22 and 3389.

  2. Select Other protocols and specify icmp protocol.

  3. Click Equivalent Command line.

    These commands illustrate that firewall rules can also be created using the gcloud command line. You will create the privatenet's firewall rules using these commands with similar parameters.

  4. Click Close.

  5. Click Create.

Create the firewall rules for privatenet

Create the firewall rules for privatenet network using the gcloud command line.

  1. Return to Cloud Shell. If necessary, click Activate Cloud Shell ().
  2. To create the privatenet-allow-icmp-ssh-rdp firewall rule, run the following command:
gcloud compute firewall-rules create privatenet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=privatenet --action=ALLOW --rules=icmp,tcp:22,tcp:3389 --source-ranges=0.0.0.0/0

The output should look like this:

NAME NETWORK DIRECTION PRIORITY ALLOW DENY privatenet-allow-icmp-ssh-rdp privatenet INGRESS 1000 icmp,tcp:22,tcp:3389
  1. To list all the firewall rules (sorted by VPC network), run the following command:
gcloud compute firewall-rules list --sort-by=NETWORK

The output should look like this:

NAME NETWORK DIRECTION PRIORITY ALLOW managementnet-allow-icmp-ssh-rdp managementnet INGRESS 1000 icmp,tcp:22,tcp:3389 mynetwork-allow-icmp mynetwork INGRESS 1000 icmp mynetwork-allow-internal mynetwork INGRESS 65534 all mynetwork-allow-rdp mynetwork INGRESS 1000 tcp:3389 mynetwork-allow-ssh mynetwork INGRESS 1000 tcp:22 privatenet-allow-icmp-ssh-rdp privatenet INGRESS 1000 icmp,tcp:22,tcp:3389

The firewall rules for mynetwork network have been created for you. You can define multiple protocols and ports in one firewall rule (privatenet and managementnet) or spread them across multiple rules (default and mynetwork).

  1. In the Cloud Console, on the Navigation menu (), click VPC network > Firewall.
    Verify that the same firewall rules are listed in the Cloud Console.

Click Check my progress to verify the objective. Create custom mode VPC networks with firewall rules

Next, create two VM instances:

  • managementnet-us-vm in managementsubnet-us
  • privatenet-us-vm in privatesubnet-us

Create the managementnet-us-vm instance

Create the managementnet-us-vm instance using the Cloud Console.

  1. In the Cloud Console, on the Navigation menu (), click Compute Engine > VM instances.

  2. Click Create instance.

  3. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name managementnet-us-vm
    Region
    Zone
    Series E2
    Machine type e2-micro (2 vCPU, 1 GB memory)
    Boot disk Debian GNU/Linux 11 (bullseye)

  4. Click Advanced options.

  5. Click Networking.

  6. For Network interfaces, click the dropdown arrow to edit.

  7. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Network managementnet
    Subnetwork managementsubnet-us
Note: The subnets available for selection are restricted to those in the selected region.

  1. Click Done.

  2. Click Equivalent Command Line.

    This illustrates that VM instances can also be created using the gcloud command line. You will create the privatenet-us-vm instance using these commands with similar parameters.

  3. Click Close.

  4. Click Create.

Create the privatenet-us-vm instance

Create the privatenet-us-vm instance using the gcloud command line.

  1. Return to Cloud Shell. If necessary, click Activate Cloud Shell ().
  2. To create the privatenet-us-vm instance, run the following command:
gcloud compute instances create privatenet-us-vm --zone={{{project_0.default_zone|Lab Zone}}} --machine-type=e2-micro --subnet=privatesubnet-us --image-family=debian-11 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=privatenet-us-vm
  1. To list all the VM instances (sorted by zone), run the following command:
gcloud compute instances list --sort-by=ZONE
  1. In the Cloud Console, on the Navigation menu (), click Compute Engine > VM instances.

Verify that the VM instances are listed in the Cloud Console.

  1. For Columns, select Zone.

    There are three instances in and one instance in . However, these instances are spread across three VPC networks (managementnet, mynetwork, and privatenet), with no instance in the same zone and network as another. In the next task, you explore the effect this has on internal connectivity.

Click Check my progress to verify the objective. Create VM instances

Note: You can explore more networking information on each VM instance by clicking the nic0 link in the Internal IP column. The resulting network interface details page shows the subnet along with the IP CIDR range, the firewall rules and routes that apply to the instance, and other network analysis.

Task 4. Explore the connectivity across networks

Explore the connectivity between the VM instances. Specifically, determine the effect of having VM instances in the same zone versus having instances in the same VPC network.

Ping the external IP addresses

Ping the external IP addresses of the VM instances to determine whether you can reach the instances from the public internet.

  1. In the Cloud Console, on the Navigation menu, click Compute Engine > VM instances.
    Note the external IP addresses for mynet-eu-vm, managementnet-us-vm, and privatenet-us-vm.
  2. For mynet-us-vm, click SSH to launch a terminal and connect.
  3. To test connectivity to mynet-eu-vm's external IP, run the following command, replacing mynet-eu-vm's external IP:
ping -c 3 <Enter mynet-eu-vm's external IP here>

This should work!

  1. To test connectivity to managementnet-us-vm's external IP, run the following command, replacing managementnet-us-vm's external IP:
ping -c 3 <Enter managementnet-us-vm's external IP here>

This should work!

  1. To test connectivity to privatenet-us-vm's external IP, run the following command, replacing privatenet-us-vm's external IP:
ping -c 3 <Enter privatenet-us-vm's external IP here>

This should work!

Note: You can ping the external IP address of all VM instances, even though they are in either a different zone or VPC network. This confirms that public access to those instances is only controlled by the ICMP firewall rules that you established earlier.

Ping the internal IP addresses

Ping the internal IP addresses of the VM instances to determine whether you can reach the instances from within a VPC network.

  1. In the Cloud Console, on the Navigation menu, click Compute Engine > VM instances.
    Note the internal IP addresses for mynet-eu-vm, managementnet-us-vm, and privatenet-us-vm.
  2. Return to the SSH terminal for mynet-us-vm.
  3. To test connectivity to mynet-eu-vm's internal IP, run the following command, replacing mynet-eu-vm's internal IP:
ping -c 3 <Enter mynet-eu-vm's internal IP here> Note: You can ping the internal IP address of mynet-eu-vm because it is on the same VPC network as the source of the ping (mynet-us-vm), even though both VM instances are in separate zones, regions, and continents!
  1. To test connectivity to managementnet-us-vm's internal IP, run the following command, replacing managementnet-us-vm's internal IP:
ping -c 3 <Enter managementnet-us-vm's internal IP here> Note: This should not work, as indicated by a 100% packet loss!
  1. To test connectivity to privatenet-us-vm's internal IP, run the following command, replacing privatenet-us-vm's internal IP:
ping -c 3 <Enter privatenet-us-vm's internal IP here> Note: This should not work either, as indicated by a 100% packet loss! You cannot ping the internal IP address of managementnet-us-vm and privatenet-us-vm because they are in separate VPC networks from the source of the ping (mynet-us-vm), even though they are all in the same zone.

Task 5. Review

In this lab, you explored the default network and determined that you cannot create VM instances without a VPC network. Thus, you created a new auto mode VPC network with subnets, routes, firewall rules, and two VM instances and tested the connectivity for the VM instances. Because auto mode networks aren't recommended for production, you converted the auto mode network to a custom mode network.

Next, you created two more custom mode VPC networks with firewall rules and VM instances using the Cloud Console and the gcloud command line. Then you tested the connectivity across VPC networks, which worked when pinging external IP addresses but not when pinging internal IP addresses.

VPC networks are by default isolated private networking domains. Therefore, no internal IP address communication is allowed between networks, unless you set up mechanisms such as VPC peering or VPN.

Google Cloud offers two modes for creating VPCs: "auto" mode and "custom" mode. In auto mode, Google Cloud manages the IP addressing and routing, similar to how Azure creates VNets. However, in custom mode, users have more control over the VPC configuration, including the ability to define their own IP address ranges and subnets.

  • Custom mode provides more flexibility and control, but it also requires more configuration and management effort.
  • Auto mode is simpler to use and ideal for users who do not need to customize their VPCs extensively.

Here is a recap of the similarities and differences between these services:

Similarities:

  • Azure and Google Cloud offer a networking service to isolate cloud resources and control the networking environment.
  • Both clouds offer features such as subnetting, security groups, and routing tables to help customers manage their network infrastructure.
  • Azure provides VNet peering, which allows customers to connect multiple VNets to each other to create a larger network.

Differences:

  • Azure VNets are designed to operate in an auto mode, where the cloud provider manages the IP addressing and routing for the VNets.
  • Google Cloud VPC can operate in either an auto mode or a custom mode, where users have more control over the VPC configuration.
  • Google Cloud VPC features are more tightly integrated with other Google Cloud services, such as Cloud Identity-Aware Proxy and Cloud Armor, which can provide additional security features.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
Previous Next

Before you begin

  1. Labs create a Google Cloud project and resources for a fixed time
  2. Labs have a time limit and no pause feature. If you end the lab, you'll have to restart from the beginning.
  3. On the top left of your screen, click Start lab to begin

This content is not currently available

We will notify you via email when it becomes available

Great!

We will contact you via email if it becomes available

One lab at a time

Confirm to end all existing labs and start this one

Use private browsing to run the lab

Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
Preview