Loading...
No results found.

Apply your skills in Google Cloud console

Your Learning progress might get lost. Sign in or Join to save your progress.
close

04

Essential Google Cloud Infrastructure: Foundation

Course · 6 hours 45 minutes
< 1%
complete
Get access to 700+ labs and courses

VPC Networking

Lab 1 hour 30 minutes universal_currency_alt 5 Credits show_chart Introductory
info This lab may incorporate AI tools to support your learning.
Get access to 700+ labs and courses

Overview

Google Cloud Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Kubernetes Engine containers, and the App Engine flexible environment. In other words, without a VPC network, you cannot create VM instances, containers, or App Engine applications. Therefore, each Google Cloud project has a default network to get you started.

You can think of a VPC network as similar to a physical network, except that it is virtualized within Google Cloud. A VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network (WAN). VPC networks are logically isolated from each other in Google Cloud.

In this lab, you create an auto mode VPC network with firewall rules and two VM instances. Then, you convert the auto mode network to a custom mode network and create other custom mode networks as shown in the example network diagram below. You also test connectivity across networks.

Objectives

In this lab, you learn how to perform the following tasks:

  • Explore the default VPC network
  • Create an auto mode network with firewall rules
  • Convert an auto mode network to a custom mode network
  • Create custom mode VPC networks with firewall rules
  • Create VM instances using Compute Engine
  • Explore the connectivity for VM instances across VPC networks

Setup and Requirements

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab

  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.

  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details panel.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details panel.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.

  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To view a menu with a list of Google Cloud products and services, click the Navigation menu at the top-left, or type the service or product name in the Search field.

Task 1. Explore the default network

Each Google Cloud project has a default network with subnets, routes, and firewall rules.

View the subnets

The default network has a subnet in each Google Cloud region.

  • In the Google Cloud console, in the Navigation menu (), click VPC network > VPC networks.
  • Notice the default network with its subnets.
    Each subnet is associated with a Google Cloud region and a private RFC 1918 CIDR block for its internal IP addresses range and a gateway.

View the routes

Routes tell VM instances and the VPC network how to send traffic from an instance to a destination, either inside the network or outside Google Cloud. Each VPC network comes with some default routes to route traffic among its subnets and send traffic from eligible instances to the internet.

  1. In the left pane, click Routes.

  2. In the Network dropdown list, click default.

  3. In the Region dropdown list, click .

  4. Click View.

Notice that there is a route for each subnet and one for the Default internet gateway (0.0.0.0/0).
These routes are managed for you, but you can create custom static routes to direct some packets to specific destinations. For example, you can create a route that sends all outbound traffic to an instance configured as a NAT gateway.

View the firewall rules

Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules allow you to control which packets are allowed to travel to which destinations. Every VPC network has two implied firewall rules that block all incoming connections and allow all outgoing connections.

  • In the left pane, click Firewall.
    Notice that there are 4 Ingress firewall rules for the default network:

    • default-allow-icmp
    • default-allow-rdp
    • default-allow-ssh
    • default-allow-internal

    These firewall rules allow ICMP, RDP, and SSH ingress traffic from anywhere (0.0.0.0/0) and all TCP, UDP, and ICMP traffic within the network (10.128.0.0/9). The Targets, Filters, Protocols/ports, and Action columns explain these rules.

Delete the Firewall rules

  1. In the left pane, click Firewall policies.
  2. From VPC firewall rules, select all default network firewall rules.
  3. Click Delete.
  4. Click Delete to confirm the deletion of the firewall rules.

Delete the default network

  1. In the Navigation menu (), click VPC network > VPC networks.
  2. Select the default network.
  3. Click Delete VPC network, and type default.
  4. Click Delete to confirm the deletion of the default network.

Wait for the network to be deleted before continuing.

  1. In the left pane, click Routes.

Notice that there are no routes.

  1. In the left pane, click Firewall.

Notice that there are no firewall rules.

Note: Without a VPC network, there are no routes!

Try to create a VM instance

Verify that you cannot create a VM instance without a VPC network.

  1. On the Navigation menu, click Compute Engine > VM instances.
  2. Click Create Instance.
  3. Accept the default values and click Create.

An error is shown on the Networking tab.

  1. Click Go to Issues.

    In Network Interfaces, notice the No more networks available error under Network interfaces.

  2. Click Cancel.

Note: As expected, you cannot create a VM instance without a VPC network!

Task 2. Create an auto mode network

You have been tasked to create an auto mode network with two VM instances. Auto mode networks are easy to set up and use because they automatically create subnets in each region. However, you don't have complete control over the subnets created in your VPC network, including regions and IP address ranges used.

Feel free to explore in the Google VPC documentation for more considerations for choosing an auto mode network, but for now, assume that you are using the auto mode network for prototyping purposes.

Create an auto mode VPC network with firewall rules

  1. In the Navigation menu (), click VPC network > VPC networks.
  2. Click Create VPC network.
  3. For Name, type mynetwork
  4. For Subnet creation mode, click Automatic.

Auto mode networks create subnets in each region automatically.

  1. For Firewall rules, select all available rules.

These are the same standard firewall rules that the default network had. The deny-all-ingress and allow-all-egress rules are also displayed, but you cannot select or disable them because they are implied. These two rules have a lower Priority (higher integers indicate lower priorities) so that the allow ICMP, custom, RDP, and SSH rules are considered first.

  1. Click Create.

  2. When the new network is ready, click mynetwork > Subnets. Note the IP address range for the subnets in and .

Note: If you ever delete the default network, you can quickly re-create it by creating an auto mode network as you just did.

Create a VM instance in

Create a VM instance in the region. Selecting a region and zone determines the subnet and assigns the internal IP address from the subnet's IP address range.

  1. In the Navigation menu (), click Compute Engine > VM instances.

  2. Click Create Instance.

  3. Specify the following:

    Property Value (type value or select option as specified)
    Name mynet-us-vm
    Region
    Zone

  4. For Series, select E2.

  5. For Machine type, select e2-micro (2 vCPU, 1 GB memory).

  6. Click OS and storage.

  7. If the Image shown is not Debian GNU/Linux 12 (bookworm), click Change and select Debian GNU/Linux 12 (bookworm), and then click Select.

  8. Click Create.

Create a VM instance in

Create a VM instance in the region.

  1. Click Create instance.

  2. Specify the following:

    Property Value (type value or select option as specified)
    Name mynet-notus-vm
    Region
    Zone

  3. For Series, select E2.

  4. For Machine type, select e2-micro (2 vCPU, 1 GB memory).

  5. Click OS and storage.

  6. If the Image shown is not Debian GNU/Linux 12 (bookworm), click Change and select Debian GNU/Linux 12 (bookworm), and then click Select.

  7. Click Create.

Note: The External IP addresses for both VM instances are ephemeral. If an instance is stopped, any ephemeral external IP addresses assigned to the instance are released back into the general Compute Engine pool and become available for use by other projects.

When a stopped instance is started again, a new ephemeral external IP address is assigned to the instance. Alternatively, you can reserve a static external IP address, which assigns the address to your project indefinitely until you explicitly release it.

Verify connectivity for the VM instances

The firewall rules that you created with mynetwork allow ingress SSH and ICMP traffic from within mynetwork (internal IP) and outside that network (external IP).

  1. In the Navigation menu, click Compute Engine > VM instances.

Note the external and internal IP addresses for mynet-notus-vm.

  1. For mynet-us-vm, click SSH to launch a terminal and connect. If prompted, click Authorize.
Note: If the connection to the VM fails with an error SSH authentication failed, click Retry to re-establish the connection. Note: You can SSH because of the allow-ssh firewall rule, which allows incoming traffic from anywhere (0.0.0.0/0) for tcp:22. The SSH connection works seamlessly because Compute Engine generates an SSH key for you and stores it in one of the following locations:
  • By default, Compute Engine adds the generated key to project or instance metadata.
  • If your account is configured to use OS Login, Compute Engine stores the generated key with your user account.
Alternatively, you can control access to Linux instances by creating SSH keys and editing public SSH key metadata.
  1. To test connectivity to mynet-notus-vm's internal IP, run the following command, replacing mynet-notus-vm's internal IP:
ping -c 3 <Enter mynet-notus-vm's internal IP here>

You can ping mynet-notus-vm's internal IP because of the allow-custom firewall rule.

  1. To test connectivity to mynet-notus-vm's external IP, run the following command, replacing mynet-notus-vm's external IP:
ping -c 3 <Enter mynet-notus-vm's external IP here>

Note: You can SSH to mynet-us-vm and ping mynet-notus-vm's internal and external IP addresses as expected. Alternatively, you can SSH to mynet-notus-vm and ping mynet-us-vm's internal and external IP addresses, which also works.

Convert the network to a custom mode network

The auto mode network worked great so far, but you have been asked to convert it to a custom mode network so that new subnets aren't automatically created as new regions become available. This could result in overlap with IP addresses used by manually created subnets or static routes, or could interfere with your overall network planning.

  1. In the Navigation menu (), click VPC network > VPC networks.
  2. Click mynetwork to open the network details.
  3. Click Edit.
  4. Select Custom for the Subnet creation mode.
  5. Click Save.
  6. Return to the VPC networks page.

Wait for the Mode of mynetwork to change to Custom.

You can click Refresh while you wait.

Click Check my progress to verify the objective. Create a VPC network and VM instances

Note: Converting an auto mode network to a custom mode network is an easy task, and it provides you with more flexibility. We recommend that you use custom mode networks in production.

Task 3. Create custom mode networks

You have been tasked to create two additional custom networks, managementnet and privatenet, along with firewall rules to allow SSH, ICMP, and RDP ingress traffic and VM instances as shown in this example diagram (with the exception of vm-appliance):

Note that the IP CIDR ranges of these networks do not overlap. This allows you to set up mechanisms such as VPC peering between the networks. If you specify IP CIDR ranges that are different from your on-premises network, you could even configure hybrid connectivity using VPN or Cloud Interconnect.

Create the managementnet network

Create the managementnet network using the Cloud console.

  1. In the Google Cloud console, on the Navigation menu (), click VPC network > VPC networks.

  2. Click Create VPC Network.

  3. For Name, type managementnet

  4. For Subnet creation mode, click Custom.

  5. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name managementsubnet-us
    Region
    IPv4 range 10.240.0.0/20

  6. Click Done.

  7. Click Equivalent Command line.

    These commands illustrate that networks and subnets can be created using the gcloud command line. You will create the privatenet network using these commands with similar parameters.

  8. Click Close.

  9. Click Create.

Create the privatenet network

Create the privatenet network using the gcloud command line.

  1. In the Google Cloud console, click Activate Cloud Shell ().
  2. If prompted, click Continue.
  3. To create the privatenet network, run the following command. Click Authorize if prompted.
gcloud compute networks create privatenet --subnet-mode=custom
  1. To create the privatesubnet-us subnet, run the following command:
gcloud compute networks subnets create privatesubnet-us --network=privatenet --region={{{project_0.default_region|Region 1}}} --range=172.16.0.0/24
  1. To create the privatesubnet-notus subnet, run the following command:
gcloud compute networks subnets create privatesubnet-notus --network=privatenet --region={{{project_0.default_region_2|Region 2}}} --range=172.20.0.0/20
  1. To list the available VPC networks, run the following command:
gcloud compute networks list

The output should look like this:

NAME: managementnet SUBNET_MODE: CUSTOM BGP_ROUTING_MODE: REGIONAL IPV4_RANGE: GATEWAY_IPV4: NAME: mynetwork SUBNET_MODE: CUSTOM BGP_ROUTING_MODE: REGIONAL IPV4_RANGE: GATEWAY_IPV4: NAME: privatenet SUBNET_MODE: CUSTOM BGP_ROUTING_MODE: REGIONAL IPV4_RANGE: GATEWAY_IPV4:
  1. To list the available VPC subnets (sorted by VPC network), run the following command:
gcloud compute networks subnets list --sort-by=NETWORK Note: The managementnet and privatenet networks only have the subnets that you created because they are custom mode networks. mynetwork is also a custom mode network, but it started out as an auto mode network, resulting in subnets in each region.
  1. In the Google Cloud console, in the Navigation menu (), click VPC network > VPC networks.
    Verify that the same networks and subnets are listed in the Cloud console.

Create the firewall rules for managementnet

Create firewall rules to allow SSH, ICMP, and RDP ingress traffic to VM instances on the managementnet network.

  1. In the Google Cloud console, in the Navigation menu (), click VPC network > Firewall.

  2. Click Create firewall rule.

  3. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name managementnet-allow-icmp-ssh-rdp
    Network managementnet
    Targets All instances in the network
    Source filter IPv4 Ranges
    Source IPv4 ranges 0.0.0.0/0
    Protocols and ports Specified protocols and ports
Note: Make sure to include the /0 in the Source IPv4 ranges to specify all networks.

  1. Select tcp and specify ports 22 and 3389.

  2. Select Other protocols and specify icmp protocol.

  3. Click Equivalent Command line.

    These commands illustrate that firewall rules can also be created using the gcloud command line. You will create the privatenet's firewall rules using these commands with similar parameters.

  4. Click Close.

  5. Click Create.

Create the firewall rules for privatenet

Create the firewall rules for privatenet network using the gcloud command line.

  1. Return to Cloud Shell. If necessary, click Activate Cloud Shell ().
  2. To create the privatenet-allow-icmp-ssh-rdp firewall rule, run the following command:
gcloud compute firewall-rules create privatenet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=privatenet --action=ALLOW --rules=icmp,tcp:22,tcp:3389 --source-ranges=0.0.0.0/0

The output should look like this:

NAME: privatenet-allow-icmp-ssh-rdp NETWORK: privatenet DIRECTION: INGRESS PRIORITY: 1000 ALLOW: icmp,tcp:22,tcp:3389 DENY: DISABLED: False
  1. To list all the firewall rules (sorted by VPC network), run the following command:
gcloud compute firewall-rules list --sort-by=NETWORK

The output should look like this:

NAME: managementnet-allow-icmp-ssh-rdp NETWORK: managementnet DIRECTION: INGRESS PRIORITY: 1000 ALLOW: tcp:22,tcp:3389,icmp DENY: DISABLED: False NAME: mynetwork-allow-custom NETWORK: mynetwork DIRECTION: INGRESS PRIORITY: 65534 ALLOW: all DENY: DISABLED: False NAME: mynetwork-allow-icmp NETWORK: mynetwork DIRECTION: INGRESS PRIORITY: 65534 ALLOW: icmp DENY: DISABLED: False NAME: mynetwork-allow-rdp NETWORK: mynetwork DIRECTION: INGRESS PRIORITY: 65534 ALLOW: tcp:3389 DENY: DISABLED: False NAME: mynetwork-allow-ssh NETWORK: mynetwork DIRECTION: INGRESS PRIORITY: 65534 ALLOW: tcp:22 DENY: DISABLED: False NAME: privatenet-allow-icmp-ssh-rdp NETWORK: privatenet DIRECTION: INGRESS PRIORITY: 1000 ALLOW: icmp,tcp:22,tcp:3389 DENY: DISABLED: False

The firewall rules for mynetwork network have been created for you. You can define multiple protocols and ports in one firewall rule (privatenet and managementnet) or spread them across multiple rules (default and mynetwork).

  1. In the Cloud console, on the Navigation menu (), click VPC network > Firewall.
    Verify that the same firewall rules are listed in the Cloud console.

Click Check my progress to verify the objective. Create custom mode VPC networks with firewall rules

Next, create two VM instances:

  • managementnet-us-vm in managementsubnet-us
  • privatenet-us-vm in privatesubnet-us

Create the managementnet-us-vm instance

Create the managementnet-us-vm instance using the Cloud console.

  1. In the Google Cloud console, in the Navigation menu (), click Compute Engine > VM instances.

  2. Click Create instance.

  3. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name managementnet-us-vm
    Region
    Zone
    Series E2
    Machine type e2-micro (2 vCPU, 1 core, 1 GB memory)
    Boot disk Debian GNU/Linux 12 (bookworm)

  4. Click Networking.

  5. For Network interfaces, click the dropdown arrow to edit.

  6. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Network managementnet
    Subnetwork managementsubnet-us
Note: The subnets available for selection are restricted to those in the selected region.

  1. Click Done.

  2. Click Equivalent Code.

    This illustrates that VM instances can also be created using the gcloud command line. You will create the privatenet-us-vm instance using these commands with similar parameters.

  3. Click Create.

Create the privatenet-us-vm instance

Create the privatenet-us-vm instance using the gcloud command line.

  1. Return to Cloud Shell. If necessary, click Activate Cloud Shell ().
  2. To create the privatenet-us-vm instance, run the following command:
gcloud compute instances create privatenet-us-vm --zone={{{project_0.default_zone|Zone 1}}} --machine-type=e2-micro --subnet=privatesubnet-us --image-family=debian-12 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=privatenet-us-vm
  1. To list all the VM instances (sorted by zone), run the following command:
gcloud compute instances list --sort-by=ZONE
  1. In the Cloud console, in the Navigation menu (), click Compute Engine > VM instances.

Verify that the VM instances are listed in the Cloud console.

  1. For Columns, select Zone.

    There are three instances in and one instance in . However, these instances are spread across three VPC networks (managementnet, mynetwork, and privatenet), with no instance in the same zone and network as another. In the next task, you explore the effect this has on internal connectivity.

Click Check my progress to verify the objective. Create VM instances

Note: You can explore more networking information on each VM instance by clicking the nic0 link in the Internal IP column. The resulting network interface details page shows the subnet along with the IP CIDR range, the firewall rules and routes that apply to the instance, and other network analysis.

Task 4. Explore the connectivity across networks

Explore the connectivity between the VM instances. Specifically, determine the effect of having VM instances in the same zone versus having instances in the same VPC network.

Ping the external IP addresses

Ping the external IP addresses of the VM instances to determine whether you can reach the instances from the public internet.

  1. In the Google Cloud console, in the Navigation menu, click Compute Engine > VM instances.
    Note the external IP addresses for mynet-notus-vm, managementnet-us-vm, and privatenet-us-vm.

  2. For mynet-us-vm, click SSH to launch a terminal and connect. Click Authorize if prompted.

  3. To test connectivity to mynet-notus-vm's external IP, run the following command, replacing mynet-notus-vm's external IP:

ping -c 3 <Enter mynet-notus-vm's external IP here>

This should work!

  1. To test connectivity to managementnet-us-vm's external IP, run the following command, replacing managementnet-us-vm's external IP:
ping -c 3 <Enter managementnet-us-vm's external IP here>

This should work!

  1. To test connectivity to privatenet-us-vm's external IP, run the following command, replacing privatenet-us-vm's external IP:
ping -c 3 <Enter privatenet-us-vm's external IP here>

This should work!

Note: You can ping the external IP address of all VM instances, even though they are in either a different zone or VPC network. This confirms that public access to those instances is only controlled by the ICMP firewall rules that you established earlier.

Ping the internal IP addresses

Ping the internal IP addresses of the VM instances to determine whether you can reach the instances from within a VPC network.

  1. In the Cloud console, in the Navigation menu, click Compute Engine > VM instances.
    Note the internal IP addresses for mynet-notus-vm, managementnet-us-vm, and privatenet-us-vm.
  2. Return to the SSH terminal for mynet-us-vm.
  3. To test connectivity to mynet-notus-vm's internal IP, run the following command, replacing mynet-notus-vm's internal IP:
ping -c 3 <Enter mynet-notus-vm's internal IP here> Note: You can ping the internal IP address of mynet-notus-vm because it is on the same VPC network as the source of the ping (mynet-us-vm), even though both VM instances are in separate zones, regions, and continents!
  1. To test connectivity to managementnet-us-vm's internal IP, run the following command, replacing managementnet-us-vm's internal IP:
ping -c 3 <Enter managementnet-us-vm's internal IP here> Note: This should not work, as indicated by a 100% packet loss!
  1. To test connectivity to privatenet-us-vm's internal IP, run the following command, replacing privatenet-us-vm's internal IP:
ping -c 3 <Enter privatenet-us-vm's internal IP here> Note: This should not work either, as indicated by a 100% packet loss! You cannot ping the internal IP address of managementnet-us-vm and privatenet-us-vm because they are in separate VPC networks from the source of the ping (mynet-us-vm), even though they are all in the same zone.

Task 5. Review

In this lab, you explored the default network and determined that you cannot create VM instances without a VPC network. Thus, you created a new auto mode VPC network with subnets, routes, firewall rules, and two VM instances and tested the connectivity for the VM instances. Because auto mode networks aren't recommended for production, you converted the auto mode network to a custom mode network.

Next, you created two more custom mode VPC networks with firewall rules and VM instances using the Cloud console and the gcloud command line. Then you tested the connectivity across VPC networks, which worked when pinging external IP addresses but not when pinging internal IP addresses.

VPC networks are by default isolated private networking domains. Therefore, no internal IP address communication is allowed between networks, unless you set up mechanisms such as VPC peering or VPN.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
Previous Next

Before you begin

  1. Labs create a Google Cloud project and resources for a fixed time
  2. Labs have a time limit and no pause feature. If you end the lab, you'll have to restart from the beginning.
  3. On the top left of your screen, click Start lab to begin

This content is not currently available

We will notify you via email when it becomes available

Great!

We will contact you via email if it becomes available

One lab at a time

Confirm to end all existing labs and start this one

Use private browsing to run the lab

Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
Preview