Google Cloud Platform - Networking 101 overview

z2dbyj92m8 169 views 15 slides Aug 02, 2024

About This Presentation

GCP networking 101


Slide Content

Google Cloud Networking 101 sheet

Network: A collection of connected devices for the purpose of communication. This can be a physical or logical connection.

Fiber optic: Cable made up of optical pairs that transmit data using light.

Internet: Public network of networks which exchanges routes through BGP.

(Diagram labels: Internet, Global VPC, Global Network.)

What are the economic advantages of using the Google Cloud network?
- Check blog here. Download report here.

Region

Point of presence (PoP)

On-prem

Local Area Network (LAN)

Virtual LAN (VLAN)

point from the internet to


How many regions, zones and PoPs exist in Google Cloud?

controlled by the enterprise

Where are the regions located?
- See list here.

How is the Google global network designed?
- Check list here.

Virtual Private Cloud (VPC): A VPC is a logical representation of an on-prem network. This is a global construct in GCP.

VPC modes: There are two modes in GCP, auto mode and custom mode.

VPC subnets: In GCP these are regional and assigned to an IP address range.

IP address: Unique address used to identify a host on a network. Made up of network and host portions.

Subnet mask: This segments an IP address into network and host portions. It determines how many hosts are available on the network. This can be manipulated to form CIDR blocks.

IPv4: This is a 32 bit, 4 octet address. Written in binary or dotted decimal format. E.g. 192.168.10.20 or 11000000.10101000.00001010.00010100

IPv6: This is a 128 bit, hexadecimal address. E.g. 2001:0DB8:7654:3210:FEDC:BA98:7654:3210

Private IP (RFC 1918): A special range that can be used internally by anyone. These are non internet routable.

Public IP: IP address that is routable on the internet.

DHCP: Dynamic Host Configuration Protocol. A method to automatically assign an IP address to a client.

Static IP: An IP that does not change after being assigned.

Ephemeral IP: Temporary IP that is not reserved.

VPCs and IP addressing

Bring Your Own IP: Use external IP addresses that you own in Google Cloud.

Alias IP: Additional addresses that can be assigned to your VM. These can be taken from the primary or secondary address range.

Secondary IP: Secondary range of IP addresses that can be assigned to your VM.

restricted.googleapis.com IP: Access external GCP APIs via Google's private network. 199.36.153.4/30. Used when VPC Service Controls are enabled and you need to access only VPC Service Controls supported APIs.

private.googleapis.com IP: Access external GCP APIs via Google's private network. 199.36.153.8/30.

Network Time Protocol (NTP): Used to synchronize system timers across a network. This is used on both internal and external networks.

What is the amount of reserved IPs in a GCP subnet?
- 4.

What is the smallest GCP private subnet?
- /29 with 4 hosts. Formula: 2^n - 4, where n is the number of host bits.

Can IPv6 be used?
- Yes, see here.

Can I set private and public static IPs in my VPC?
- Yes, see below: external static, internal static.

Diagram: IPv4 address 142.168.200.2 with subnet mask 255.255.255.0 forms the IPv4 segment 142.168.200.2/24.
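The subnet mask, CIDR and reserved-address points above can be checked with a few lines of Python. This is an added example, not code from the slide deck: it splits the sheet's 142.168.200.2 / 255.255.255.0 example into network and host portions, computes usable hosts with the sheet's 2^n - 4 formula (rejecting anything smaller than the /29 minimum), and tests whether an address falls inside the RFC 1918 ranges. The function names and the constant `GCP_RESERVED_PER_SUBNET` are this example's own; the reserved count of 4 is the figure the sheet gives.

```python
import ipaddress

# The sheet states GCP reserves 4 addresses in every IPv4 subnet (its 2^n - 4 formula);
# the constant name and the ipaddress-based arithmetic are this example's own.
GCP_RESERVED_PER_SUBNET = 4

# RFC 1918 private (non internet routable) ranges
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_address(ip_str, mask_str):
    """Apply a dotted-decimal subnet mask to an address and return its network and host portions."""
    net = ipaddress.ip_network(f"{ip_str}/{mask_str}", strict=False)
    ip = ipaddress.ip_address(ip_str)
    return {
        "cidr": str(net),                                      # e.g. 142.168.200.0/24
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_bits": 32 - net.prefixlen,
        "host_portion": int(ip) - int(net.network_address),   # host number inside the subnet
        "binary": ".".join(f"{octet:08b}" for octet in ip.packed),
    }


def gcp_usable_hosts(cidr):
    """Usable host addresses in a GCP IPv4 subnet: 2^n - 4 with n = host bits.
    Raises for anything smaller than /29, the smallest subnet that leaves any usable hosts."""
    net = ipaddress.ip_network(cidr, strict=False)
    usable = 2 ** (32 - net.prefixlen) - GCP_RESERVED_PER_SUBNET
    if usable < 1:
        raise ValueError(f"{cidr} is smaller than /29 and leaves no usable host addresses")
    return usable


def is_rfc1918(ip_str):
    """True when the address falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in block for block in RFC1918)


if __name__ == "__main__":
    print(split_address("142.168.200.2", "255.255.255.0"))
    print(gcp_usable_hosts("10.0.0.0/29"), "usable hosts in a /29")
    # Note: the sheet's 142.168.x.x example is not private address space.
    print("142.168.200.2 is RFC 1918:", is_rfc1918("142.168.200.2"))
```

Running it shows a detail worth noticing: the sheet's 142.168.200.2 example is not in any RFC 1918 range, so a subnet using it would carry publicly routable space; 192.168.10.20 from the IPv4 definition is.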

What is the OSI model?

OSI model and Internet model

OSI model: A 7 layer conceptual model that provides interoperability of the TCP stack.

Application layer (layer 7): User interface and application. Protocol examples: HTTP, HTML.

Presentation layer (layer 6): Formats data to be presented. Protocol examples: JPEG, ASCII, GIF.

Session layer (layer 5): Creates, tracks and ends the sessions between different systems.

Transport layer (layer 4): Handles message delivery using connection-oriented and connectionless protocols. Protocol examples: TCP, UDP.

Network layer (layer 3): Focuses on subnets and route path selection. Protocol examples: IP, ICMP. Routers work here.

Data link layer (layer 2): Focuses on transferring data frames over the physical layer. Protocol examples: ARP, PPP, VLANs. Switches work here.

Physical layer (layer 1): Transmission of raw bits over physical mediums. Examples: network cables, wireless.

GCP services operating at different OSI layers:
- Layer 7: HTTP(S) load balancers, Cloud Armor
- Layer 4: Load balancers
- Layer 3: Interconnect
- Layer 2: Interconnect VLANs

What is interoperability?
- The ability to communicate between different communication devices in a standard way.

Does a physical layer exist in the cloud?
- Yes, there are hardware devices located in Google data centers. These are 100% managed by Google.

What is the Internet model?

Internet model: A 4 layer conceptual model of the TCP/IP stack.

Application layer: User interface and application.

Transport layer: Responsible for end to end data handling of data streams.

Internet layer: Responsible for routing packets through networks.

Link layer: From a device, it interacts with the physical network.
TCP, three-way handshake, UDP, QUIC

Transmission Control Protocol (TCP): This is a connection oriented protocol that handles reliability, flow and congestion control of packets. It establishes a connection before sending a packet.

Transmission Control Block (TCB): Contains all the information about the connection and implements the sliding window.

Sliding window: Determines the amount of bytes that one system can send to the other. Once the agreed bytes are received and processed, the sender sends another set of bytes to the receiver until all data is sent.

Three-way handshake: This is the sequence to form a TCP connection. It involves the SYN, SYN-ACK, ACK flag exchange between client and server.

Flags: These indicate the state of the connection.

SYN: The SYN or synchronize flag is sent to start the TCP connection process.

ACK: The ACK or acknowledgement flag. This confirms that data was received.

FIN: A flag sent to request termination of the connection.

User Datagram Protocol (UDP): This is a best effort delivery protocol.

Quick UDP Internet Connections (QUIC): A Google made transport layer protocol. This is built on top of UDP.

Transport Layer Security (TLS): A protocol that provides cryptography by using certificates.

Diagram: TCP three-way handshake between client and server (the client initiates TCP with a SYN, the server responds to the SYN).

How does TCP differ from UDP?
- TCP is connection oriented, UDP is best effort.

What layer of the OSI are TCP and UDP found?
- These exist at layer 4, the transport layer.
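To make the flags and the handshake sequence concrete, here is an added Python example (not from the slide deck) that builds and decodes raw 20-byte TCP headers with `struct`, then walks a list of segments and reports which handshake steps it finds. It checks not only the SYN / SYN-ACK / ACK flag pattern but also that the acknowledgement numbers chain correctly (each side acknowledges the other's initial sequence number plus one), which is the detail a packet-level troubleshooter actually looks for. The headers are constructed in memory and never sent; the function names are this example's own.

```python
import struct

# Flag bits in the low byte of the TCP "data offset / flags" field (RFC 793 positions)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header; checksum and urgent pointer are left zero.
    Constructed sample data for decoding, not a segment meant to be transmitted."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAGS[name]
    offset_flags = (5 << 12) | flag_bits          # data offset = 5 words (20 bytes)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(segment):
    """Decode ports, sequence/ack numbers, header length and the flag set from a TCP segment."""
    if len(segment) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    src, dst, seq, ack, offset_flags, window = struct.unpack("!HHIIHH", segment[:16])
    flag_bits = offset_flags & 0x1FF              # low 9 bits carry the flags
    return {
        "src": src,
        "dst": dst,
        "seq": seq,
        "ack": ack,
        "window": window,
        "header_len": (offset_flags >> 12) * 4,
        "flags": {name for name, bit in FLAGS.items() if flag_bits & bit},
    }


def classify_handshake(segments):
    """Walk segments in capture order and list the three-way handshake steps that check out.
    A SYN-ACK only counts if it acknowledges the client's ISN + 1; the final ACK only counts
    if it acknowledges the server's ISN + 1 and carries the client's ISN + 1 as its sequence."""
    steps = []
    client_isn = server_isn = None
    for seg in segments:
        h = parse_tcp_header(seg)
        f = h["flags"]
        if f == {"SYN"}:
            client_isn = h["seq"]
            steps.append("SYN")
        elif f == {"SYN", "ACK"} and client_isn is not None and h["ack"] == client_isn + 1:
            server_isn = h["seq"]
            steps.append("SYN-ACK")
        elif f == {"ACK"} and server_isn is not None and h["ack"] == server_isn + 1 \
                and h["seq"] == client_isn + 1:
            steps.append("ACK")
        elif "FIN" in f:
            steps.append("FIN")
    return steps


if __name__ == "__main__":
    # Constructed handshake: client port 40000 -> server port 443
    syn = build_tcp_header(40000, 443, 1000, 0, {"SYN"})
    syn_ack = build_tcp_header(443, 40000, 5000, 1001, {"SYN", "ACK"})
    ack = build_tcp_header(40000, 443, 1001, 5001, {"ACK"})
    print(parse_tcp_header(syn_ack)["flags"])              # {'SYN', 'ACK'}
    print(classify_handshake([syn, syn_ack, ack]))          # ['SYN', 'SYN-ACK', 'ACK']
```

Feeding the same three segments with a wrong acknowledgement number in the SYN-ACK yields only `['SYN']`, which is how a half-open or spoofed handshake attempt looks when you inspect it this way.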

Packet, frame, MTU

Data message types: These are frames, packets, datagrams. They may exist at different layers of the OSI model.

Maximum transfer unit (MTU): The size of the largest unit of data that can be transmitted over the network.

Multicast message: These are sent to subscribed groups on a network.

Broadcast message: These are sent to every device on a network.

How do the different message types work?

What MTU options do you have in Google Cloud?

Does multicast natively work in Google Cloud?
- Currently no.

ARP, RARP, DNS & NAT

Domain Name Service (DNS): Resolves names to IP addresses.

Cloud DNS: Google Cloud DNS offering.

Internal DNS: Used internally within a private network.

DNS Security Extensions (DNSSEC): Uses digital signatures to secure DNS information.

Hybrid DNS: DNS configured between cloud and on-prem or external networks.

Address Resolution Protocol (ARP): Protocol used to resolve an IP address to a MAC/link layer address. Maintained in the ARP table.

Reverse ARP (RARP): This is the inverse of ARP. Used to resolve MAC to IP addresses.

Media Access Control address (MAC): Unique hexadecimal identifier assigned to a network interface controller (NIC) card. Usually a 12 digit hexadecimal number.

Network Address Translation (NAT): Allows private IP ranges to communicate with the internet. Maintains a NAT table of private to public address & port mappings for communications.

Cloud NAT: Google Cloud managed NAT service.

Diagram: DNS resolution for www.superhero.com (the browser asks the local DNS server for the IP address; the local DNS server queries the root DNS server, the top level DNS server and the authoritative DNS server).

How can I configure Hybrid DNS?
- See docs.

How is Cloud NAT configured?
- See docs.

Can you use ARP inside a subnet in GCP?
- No, all communication between VMs only happens through the virtual gateway; no ARP between VMs is supported.

Routing, Cloud Router, dynamic routing, BGP, MPLS

Routing: Selecting a path for traffic to flow within internal networks or between different networks.

Router: Allows communication between different networks.

Cloud Router: Google Cloud router that allows you to dynamically exchange routes between your VPC and on-prem using BGP.

Routing table: A repository of all the routing information within a network.

Routing modes: These are static or dynamic.

Static routing: These routes are fixed and don't update. They usually have to be manually adjusted.

Dynamic routing: These routes update to reflect current state.

Route summarization: Used to reduce the number of routes advertised to neighbours. See example.

Next-hop: The address of the next router in the transit route of a packet.

Software Defined Networking (SDN): A software based networking approach that uses application programming interfaces (APIs) to communicate with underlying infrastructure to control the network traffic.
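The route summarization and next-hop entries above can be worked through with the standard `ipaddress` module. This added example (not from the slide deck) collapses four on-prem /24s into the single /22 a Cloud Router peer could advertise instead, shows the difference between an exact summary and a single covering supernet, and then resolves next hops from a small routing table by longest prefix match. The prefixes, next-hop names and class names are constructed for the example.

```python
import ipaddress


def summarize_routes(prefixes):
    """Route summarization: collapse adjacent or overlapping prefixes into the fewest exact covering prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_summary(prefixes):
    """One aggregate route covering every prefix given (their smallest common supernet).
    Unlike summarize_routes this may also cover address space you do not own, so check
    the result before advertising it to a neighbour."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


class RoutingTable:
    """Minimal routing table: the most specific matching prefix decides the next hop."""

    def __init__(self):
        self.routes = []  # (network, next_hop, mode)

    def add(self, prefix, next_hop, mode="static"):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, mode))

    def lookup(self, destination):
        ip = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if ip in r[0]]
        if not matches:
            return None
        network, next_hop, mode = max(matches, key=lambda r: r[0].prefixlen)
        return next_hop


if __name__ == "__main__":
    # Constructed on-prem prefixes that might be learned over BGP from a Cloud Router peer
    onprem = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    print("exact summary:", summarize_routes(onprem))              # ['10.1.0.0/22']
    print("covering supernet:", single_summary(["10.1.0.0/24", "10.1.2.0/24"]))  # 10.1.0.0/22

    table = RoutingTable()
    table.add("0.0.0.0/0", "default-internet-gateway")
    table.add("10.1.0.0/22", "cloud-router-peer", mode="dynamic")
    table.add("10.1.2.0/24", "vpn-tunnel-1")
    for dst in ("10.1.2.5", "10.1.1.5", "198.51.100.7"):
        print(dst, "->", table.lookup(dst))
```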

Border Gateway Protocol (BGP): Is the path vector protocol of the internet. Made up of autonomous systems (AS) and uses TCP port 179.

Autonomous System (AS): Is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators.

Autonomous System Number (ASN): The number used to identify an AS. This can be 16 bit or 32 bit.

External BGP (eBGP): BGP connection formed between different ASs.

Internal BGP (iBGP): Connection formed within the same AS.

Multi-Exit Discriminator (MED): This is one of several BGP attributes used to influence path selection. This is non transitive and the lower metric wins.

AS-path-prepend: This is one of several BGP attributes used to influence path selection. This is a mandatory attribute. The shorter path should be preferred.

Multiprotocol label switching (MPLS): This is a switching method that uses labels instead of IP information to transmit packets across the backbone core at high speed.

Bidirectional Forwarding Detection (BFD): This is a protocol that detects failure quickly on links when enabled. In GCP you can use this feature with Cloud Router.

What is Google Cloud Platform's network virtualization stack called?
- Andromeda

Max amount of BGP routes advertised to Cloud Router?
- Presently 250. See current limit here.

How can you control path selection using BGP attributes in GCP?
- MED is supported.

What is the ASN number used in GCP for partner interconnect?
- Presently ASN 16550 is automatically assigned.
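The MED and AS-path-prepend entries describe two levers on path selection; the added Python example below (not from the slide deck) shows how a receiving router would weigh them. It implements a deliberately reduced subset of the BGP decision process: shortest AS_PATH first, then lowest MED but only between paths learned from the same neighbouring AS (MED is non transitive), then lowest neighbour router ID as a tie-break. The ASNs, router IDs and the `as_path_prepend` helper are constructed for the example.

```python
def bgp_best_path(paths):
    """Pick the best of several BGP paths for one prefix, as seen by the receiving router.

    Simplified decision order (a subset of the real BGP rules):
      1. shortest AS_PATH (AS-path-prepend lengthens a path, making it less preferred)
      2. lowest MED, compared only between paths from the same neighbouring AS
      3. lowest neighbour router ID as a deterministic tie-break
    Each path is a dict: {"neighbor_id": str, "as_path": [asn, ...], "med": int}."""
    if not paths:
        return None

    shortest = min(len(p["as_path"]) for p in paths)
    candidates = [p for p in paths if len(p["as_path"]) == shortest]

    # MED is non transitive: group by the neighbouring AS (first ASN in the path)
    by_neighbor_as = {}
    for p in candidates:
        by_neighbor_as.setdefault(p["as_path"][0], []).append(p)
    survivors = []
    for group in by_neighbor_as.values():
        lowest_med = min(p.get("med", 0) for p in group)
        survivors.extend(p for p in group if p.get("med", 0) == lowest_med)

    return min(survivors, key=lambda p: p["neighbor_id"])


def as_path_prepend(path, times):
    """Simulate the neighbour prepending its own ASN `times` extra times before advertising."""
    own_asn = path["as_path"][0]
    return {**path, "as_path": [own_asn] * times + path["as_path"]}


if __name__ == "__main__":
    # Constructed: one prefix learned over two links from the same on-prem AS 65001
    link_a = {"neighbor_id": "10.0.0.1", "as_path": [65001, 65010], "med": 100}
    link_b = {"neighbor_id": "10.0.0.2", "as_path": [65001, 65010], "med": 50}
    print(bgp_best_path([link_a, link_b])["neighbor_id"])                        # 10.0.0.2: lower MED wins
    print(bgp_best_path([link_a, as_path_prepend(link_b, 2)])["neighbor_id"])   # 10.0.0.1: shorter path wins
```

The third case in the test, two equal-length paths from different neighbouring ASes, shows why MED alone cannot steer traffic between providers: the MED values are never compared and the tie-break decides.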

Data center

Optical circuit switching: Maps optical input to output ports to form a connection.

Wave division multiplexing: WDM technology allows you to combine multiple optical signals onto a single optical fiber.

Clos topology: A non blocking, multistage switching network, used in data center switching fabrics.

Merchant switch silicon: Chips made by third parties that are sold to any consumer to design a product based on them.

Data center fabric: This is a data center design comprised of leaf and spine switches that allows low latency and scalable data center operations.

Top-of-Rack switches: These switches are placed in the same rack as other equipment to connect all equipment in the rack and to connect to other ToR switches in the DC.

OpenFlow: OpenFlow is a communications protocol that allows network controllers to directly program the network forwarding plane.

Leaf and spine: A two layer full mesh topology. Has leaf switches and spine switches.

East-west traffic: Communication traffic flow between devices in a data center.

North-south traffic: In and out communication traffic flow between a data center and outside networks.

Colocation: Third party data center facilities where multiple tenants can house their data center equipment.

How can I learn more about Google data centers?

Where are the data centers located?

Are there any interesting publications?
- Check out

Connectivity, hybrid connectivity

Dedicated Interconnect: Dedicated connection between Google and your private network. Available from 10 Gbps to 100 Gbps. Has high availability configurations and you can use multiple links.

Partner Interconnect: Highly available connection between Google and your network provisioned through a service provider. Available from 50 Mbps to 10 Gbps. Has high availability configurations and you can use multiple links.

Virtual private network (VPN): This offers a secure connection between two locations over a secure IPsec tunnel.

Cloud VPN: Google Cloud VPN service.

Carrier Peering: Google Cloud service that enables you to access Google Workspace and other Google apps via a service provider connection.

Direct Peering: Google Cloud service that enables you to access Google Workspace and other Google apps via a direct connection to the Google edge.

Shared VPC: GCP service that allows you to provision and connect host projects and service projects.

VPC Network Peering: GCP service that allows you to connect between different VPCs in the same or separate projects and organizations. 1-to-1 peering that is not transitive. Max peering per VPC is 25 connections.

Traffic Director: Google Cloud service that offers a fully managed traffic control plane for service mesh.

Cross-Cloud Interconnect: Dedicated connection between Google and your cloud provider's network. Available from 10 Gbps to 100 Gbps. Has high availability configurations and you can use multiple links.

Shared VPC or VPC Network Peering?
- The best practices VPC design document will be helpful.

Are VPNs redundant?
- You have high availability configuration options.

Dedicated or Partner Interconnect?
- Depends on several factors.

Can I connect to other cloud providers?
- Yes, check out Cross-Cloud Interconnect.

Where can I find GCP networking reference architectures?
- Cloud Architecture Center
- Designing networking docs

Network security

Firewalls: Allow & filter traffic based on rules. These are used to deny or allow access in Google Cloud, e.g. by IP, source, tag.

Distributed denial of service (DDoS): This is a type of attack that affects the availability of a service by overloading it.

Cloud Armor: Google Cloud service that provides filtering at OSI layer 7.

VPC Service Controls: Google Cloud service that allows you the ability to create perimeters that protect resources and data.

Cloud Identity-Aware Proxy (IAP): Google Cloud service that controls access to your application and ensures that only authorized users connect.

Security Command Center: Google Cloud service that acts as a discovery, threat detection and threat prevention component.

BeyondCorp: Google Cloud zero trust model.

Cloud IDS: Google Cloud's Intrusion Detection System. Detects and logs potential threats.

Tell me about Google Cloud Firewall?
- Cloud firewall docs.

What can help with DDoS attacks?
- Cloud Armor, autoscaling.

What are some Google Cloud security services?

What are the firewall rule priorities?
- From lowest 0 to highest 65535.

How does Cloud firewall handle connection state?
- These are stateful firewalls.
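The firewall entries above give three rules of thumb: rules are matched by priority (0 highest, 65535 lowest), every VPC starts with implied deny-all-ingress and allow-all-egress rules at priority 65535, and the firewall is stateful. The added Python example below (not from the slide deck, and not Google's implementation) models exactly those three behaviours over a handful of constructed packets, so you can see why a higher-numbered allow rule never overrides a lower-numbered deny, and why reply traffic on an allowed connection passes without an egress rule. The `Rule`, `StatefulFirewall` and `packet` names, the rule names and the addresses (documentation ranges) are this example's own.

```python
import ipaddress


class Rule:
    """One firewall rule. For ingress rules `ranges` is the source range to match,
    for egress rules it is the destination range (mirrors how GCP rules are written)."""

    def __init__(self, name, priority, action, direction, ranges, protocol="all", ports=()):
        self.name, self.priority, self.action, self.direction = name, priority, action, direction
        self.ranges = ipaddress.ip_network(ranges)
        self.protocol, self.ports = protocol, set(ports)

    def matches(self, pkt):
        if pkt["direction"] != self.direction:
            return False
        peer = pkt["src"] if self.direction == "ingress" else pkt["dst"]
        if ipaddress.ip_address(peer) not in self.ranges:
            return False
        if self.protocol != "all" and self.protocol != pkt["proto"]:
            return False
        return not self.ports or pkt["dport"] in self.ports


# Implied rules every VPC starts with: deny all ingress, allow all egress, lowest priority.
IMPLIED_RULES = [
    Rule("implied-deny-ingress", 65535, "deny", "ingress", "0.0.0.0/0"),
    Rule("implied-allow-egress", 65535, "allow", "egress", "0.0.0.0/0"),
]


class StatefulFirewall:
    def __init__(self, rules):
        # Lower priority number wins; the first matching rule decides.
        self.rules = sorted(list(rules) + IMPLIED_RULES, key=lambda r: r.priority)
        self.established = set()  # 5-tuples of connections a rule has allowed

    def evaluate(self, pkt):
        """Verdict for one packet: connection state is consulted before the rule list."""
        forward = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        if reverse in self.established:
            return "allow (established)"  # reply traffic of an allowed connection needs no rule
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.established.add(forward)
                return f"{rule.action} ({rule.name})"
        return "deny (no match)"  # not reachable: the implied rules match every packet


def packet(direction, src, sport, dst, dport, proto="tcp"):
    """Constructed packet summary; only the fields the rules look at."""
    return {"direction": direction, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    fw = StatefulFirewall([
        Rule("deny-blocked-range", 500, "deny", "ingress", "203.0.113.0/24"),
        Rule("allow-https", 1000, "allow", "ingress", "0.0.0.0/0", "tcp", [443]),
    ])
    print(fw.evaluate(packet("ingress", "198.51.100.7", 51000, "10.0.0.5", 443)))  # allow (allow-https)
    print(fw.evaluate(packet("egress", "10.0.0.5", 443, "198.51.100.7", 51000)))   # allow (established)
    print(fw.evaluate(packet("ingress", "203.0.113.9", 51000, "10.0.0.5", 443)))  # deny (deny-blocked-range)
    print(fw.evaluate(packet("ingress", "198.51.100.7", 51000, "10.0.0.5", 22)))   # deny (implied-deny-ingress)
```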

Traffic handling, load balancing, content delivery

HTTP(S) LB: Global load balancer for HTTP(S) traffic.

SSL proxy: Global load balancer for SSL traffic.

TCP proxy: Global load balancer for TCP traffic.

Network LB: Regional LB used to load balance TCP traffic (available internally and externally).

Internal LB: Regional LB used within a VPC.

Network Endpoint Group (NEG): Used to attach a backend pool to a load balancing service in Google Kubernetes Engine.

Ingress: Allows HTTP(S) traffic connections to a Kubernetes cluster.

Content Delivery Network (CDN): Caches content at a distribution endpoint closest to the customer.

Cloud CDN: Google Cloud's standard web acceleration CDN offering.

Media CDN: Google Cloud's media delivery solution. Can handle high throughput media like streaming.

Hypertext Transfer Protocol (HTTP): Protocol used for transmitting hypermedia documents. This is a standard on the internet, more commonly in its secure form HTTP(S).

HTTPS: Secure version of HTTP enabled by using TLS.

What is a global LB?
- Operates globally and can load balance and spill over traffic between regions.

What is a regional LB?
- Operates in the region it is created.

What types of LB exist in Google Cloud?
- See summary of LB.

How does CDN reduce latency?
- By returning traffic to the user from the closest networking point.

What is Google LB software called?
- It's called Maglev.

Can Google Cloud support streaming media?
- Yes, Media CDN supports this.

Troubleshooting & monitoring

Ping: This tool checks the availability of a host by using ICMP.

Service Directory: A GCP managed service that gives you a single place to publish, discover, and connect services.

Traceroute: Shows the hops between source and destination.

tcpdump & Wireshark: tcpdump is a command-line packet analyzer. Wireshark is a packet inspector.

nslookup: Allows you to resolve an IP from a host name.

Domain Information Groper (dig): Performs a DNS lookup and displays the answers of the query.

ipconfig or ifconfig: Shows the IP address, subnet and gateway information of a system.

Flow logs: This GCP service tells you about the traffic flow in your VPC.

Network Intelligence Center: GCP service that provides you with a few tools to gain visibility into your network.

Cloud Audit Logs: Google Cloud logs that provide information on activities in your cloud. A few are: Admin Activity, Data Access, System Event and Policy Denied audit logs.

Cloud Operations: Google Cloud tool that allows you to monitor, log and trace applications and systems in your environments.

Packet Mirroring: Packet Mirroring clones the traffic on the network and forwards it for examination. See more here.

My Traceroute (mtr): Is an application that combines the functions of the traceroute and ping programs in one network diagnostic tool.

Screenshot: ping output showing "Reply from" lines with bytes and time values.

What protocol does ping use?
- Internet Control Message Protocol (ICMP)

Are flow logs enabled by default on GCP?
- This has to be enabled.

What are the components of Network Intelligence Center?
- This is made up of:
  - Network Topology
  - Connectivity Tests
  - Performance Dashboard
  - Firewall Insights

What happens when you type www.google.com in a browser

1. Open browser, type www.google.com.
2. Browser cache is checked to see if IP information was cached.
3. If #2 has no info, system checks the hosts file for address information.
4. If #3 has no info, system queries local DNS.
5. If #4 has no info, query sent to Service Provider (SP) DNS.
6. SP has no info, query sent to root level DNS.
7. Root level returns the top level DNS.
8. Top level DNS returns the authoritative DNS who has the record.
9. Authoritative DNS returns a DNS response with the IP address and DNS TTL information.
10. The system now has the IP address and initiates a TCP connection to the server.
11. TCP three-way handshake takes place, TLS secure authentication process takes place and secure connection is set up.
12. HTTP(S)/HTML process begins to return information as required.
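The resolution steps 2 through 9 above (and the www.superhero.com diagram in the DNS section) are easy to lose track of, so here is an added Python simulation, not from the slide deck, that walks the same order: browser cache, hosts file, local DNS, SP DNS, then root, top level and authoritative, filling the caches on the way back so a second lookup for the same name stops at step 2. Every data structure is constructed: the server names are placeholders and 192.0.2.10 is a documentation address standing in for the real answer; a real resolver would also honour the TTL that the authoritative answer carries, which this simulation only records.

```python
class ResolutionChain:
    """Simulate the lookup order the sheet lists: browser cache, hosts file, local DNS,
    service provider (SP) DNS, then root -> top level -> authoritative. Caches fill on the way back."""

    def __init__(self, hosts_file, root_referrals, tld_referrals, authoritative_records):
        self.browser_cache = {}
        self.local_dns_cache = {}
        self.hosts_file = hosts_file
        self.root = root_referrals                   # TLD label -> top level server name
        self.tld = tld_referrals                     # zone -> authoritative server name
        self.authoritative = authoritative_records   # fqdn -> (address, TTL seconds)

    def resolve(self, name):
        """Return (address or None, list of steps taken in order)."""
        steps = []
        if name in self.browser_cache:
            steps.append("browser cache")
            return self.browser_cache[name], steps
        if name in self.hosts_file:
            steps.append("hosts file")
            return self.hosts_file[name], steps
        if name in self.local_dns_cache:
            steps.append("local DNS")
            return self.local_dns_cache[name], steps
        steps.append("SP DNS: no cached answer, recursing")

        labels = name.lower().rstrip(".").split(".")
        tld, zone = labels[-1], ".".join(labels[-2:])
        if tld not in self.root:
            steps.append("root: NXDOMAIN")
            return None, steps
        steps.append(f"root -> {self.root[tld]}")
        if zone not in self.tld:
            steps.append("top level: NXDOMAIN")
            return None, steps
        steps.append(f"top level -> {self.tld[zone]}")
        record = self.authoritative.get(name)
        if record is None:
            steps.append("authoritative: NXDOMAIN")
            return None, steps
        address, ttl = record
        steps.append(f"authoritative -> {address} (TTL {ttl})")
        # answer is cached on the way back so the next lookup stops early
        self.local_dns_cache[name] = address
        self.browser_cache[name] = address
        return address, steps


def build_sample_chain():
    """Constructed sample data; 192.0.2.10 is a documentation address, not google.com's real IP."""
    return ResolutionChain(
        hosts_file={"intranet.example": "10.0.0.10"},
        root_referrals={"com": "ns.tld-com.example"},
        tld_referrals={"google.com": "ns.google.example"},
        authoritative_records={"www.google.com": ("192.0.2.10", 300)},
    )


if __name__ == "__main__":
    chain = build_sample_chain()
    print(chain.resolve("www.google.com"))   # full chain the first time
    print(chain.resolve("www.google.com"))   # answered from the browser cache the second time
```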

(Diagram labels: Local DNS, Top level, Authoritative DNS.)

See more Google Cloud services on the Develop cheat sheet.