During my preparation for the GCP Associate Cloud Engineer exam, I first got myself a free tier account, which usually lasts 3 months. This let me play with the Cloud Console, which is the fastest way to get to know a cloud provider’s services and offers. Being already familiar with Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI), I didn’t expect to see much difference in the core infrastructure services. That’s where I was wrong, because I found something very peculiar that didn’t take long to notice. The service in question was Google Cloud Platform (GCP) Networking, the Virtual Private Cloud (VPC) to be precise. Today, we will see what makes this network resource so special when you come from another cloud provider, along with some features that are specific to Google’s VPC.
Unlike any other cloud platform, there is no VPC-level CIDR (Classless Inter-Domain Routing) block range in GCP. The only level where a CIDR block range is defined is the subnet. If, like me, you come from AWS or Microsoft Azure, this will confuse you at first, and it will take you a moment to process this curiosity. Here’s why!
First Google Cloud Platform Networking Takeaways
The table below helps visualize at which level the networking resources are defined for each cloud platform.
In GCP, the subnet is the only resource where a CIDR block range is defined. Each subnet belongs to one region and can contain several IP ranges as long as they don’t overlap. Because a VPC is global by nature, it can even have subnets in different regions with the same CIDR block range, which makes it unique in the cloud networking space.
Each new project starts with a default network including 28 subnets in 28 regions worldwide and 4 default firewall rules.
My first reaction was obviously “why?”. The short answer is the benefit of having subnets in multiple regions seamlessly routed to each other, which lets their resources communicate across regions.
Subnet creation mode: there are two, auto mode and custom mode.
* Auto mode: one subnet per region is created automatically from the 10.128.0.0/9 CIDR block. New subnets are automatically added for new regions to auto mode VPCs (inside the same CIDR block).
* No VPC peering is allowed between auto mode VPCs due to their IP range overlap.
* Custom mode: you create the subnets yourself and choose their CIDR ranges.
Example
A subnet may have a secondary CIDR range, from which a secondary IP range of a VM can be allocated (alias IP).
The range must not overlap with any primary or secondary range already defined on a subnet in the region, or else you get an error.
You can always expand the IP range of an instance’s subnet, even after creation. This lets you avoid headaches when all your IPs run out and you have new instances to provision in the same subnet. See the CLI command below.
expand-ip-range command
$ gcloud compute networks subnets expand-ip-range MYSUBNET --region=us-central1 --prefix-length=16
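To make the subnet rules above concrete, here is an added example (my own code, not from the original post and not from Google) that models them with Python’s standard-library ipaddress module instead of calling gcloud, so it runs offline: subnets are regional with no VPC-level CIDR, a secondary (alias IP) range is refused if it overlaps any primary or secondary range already in the region, expand-ip-range grows the primary range to the containing network with the new shorter prefix but is refused if that would overlap anything else in the region, and two auto mode VPCs cannot peer because both draw from 10.128.0.0/9. The Vpc and Subnet classes, subnet names and regions are hypothetical.

```python
"""Model of the GCP subnet addressing rules described in this post.

Added example, not code from the original post or from Google: it never
calls the GCP API, it only checks CIDR arithmetic with ipaddress.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# The block every auto mode VPC allocates its regional subnets from (from the post).
AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")


@dataclass
class Subnet:
    name: str
    region: str
    primary: ipaddress.IPv4Network
    secondary: List[ipaddress.IPv4Network] = field(default_factory=list)

    def ranges(self) -> List[ipaddress.IPv4Network]:
        return [self.primary, *self.secondary]


class Vpc:
    """A VPC carries no CIDR of its own; only its subnets carry ranges."""

    def __init__(self, name: str, auto_mode: bool = False):
        self.name = name
        self.auto_mode = auto_mode
        self.subnets: Dict[str, Subnet] = {}

    def conflict(self, region: str, candidate: ipaddress.IPv4Network,
                 ignore: Iterable[ipaddress.IPv4Network] = ()
                 ) -> Optional[Tuple[str, ipaddress.IPv4Network]]:
        """First (subnet name, range) in the region that overlaps candidate, or None."""
        ignore = tuple(ignore)
        for s in self.subnets.values():
            if s.region != region:
                continue
            for r in s.ranges():
                if r not in ignore and r.overlaps(candidate):
                    return s.name, r
        return None

    def add_subnet(self, name: str, region: str, cidr: str) -> Subnet:
        net = ipaddress.ip_network(cidr)
        if self.auto_mode and not net.subnet_of(AUTO_MODE_BLOCK):
            raise ValueError(f"auto mode subnets must lie inside {AUTO_MODE_BLOCK}")
        hit = self.conflict(region, net)
        if hit:
            raise ValueError(f"{net} overlaps {hit[1]} of subnet {hit[0]} in {region}")
        self.subnets[name] = Subnet(name, region, net)
        return self.subnets[name]

    def add_secondary_range(self, subnet_name: str, cidr: str) -> ipaddress.IPv4Network:
        """Alias IP range: refused if it overlaps any range already in the region."""
        s = self.subnets[subnet_name]
        net = ipaddress.ip_network(cidr)
        hit = self.conflict(s.region, net)
        if hit:
            raise ValueError(f"{net} overlaps {hit[1]} of subnet {hit[0]} in {s.region}")
        s.secondary.append(net)
        return net

    def expand_ip_range(self, subnet_name: str, prefix_length: int) -> ipaddress.IPv4Network:
        """Same effect as `gcloud compute networks subnets expand-ip-range`: grow the
        primary range to the containing network with the new, shorter prefix. The old
        primary is replaced, but nothing else in the region (this subnet's own
        secondary ranges included) may be overlapped."""
        s = self.subnets[subnet_name]
        if prefix_length >= s.primary.prefixlen:
            raise ValueError(f"/{prefix_length} is not shorter than /{s.primary.prefixlen}")
        new = s.primary.supernet(new_prefix=prefix_length)
        hit = self.conflict(s.region, new, ignore=(s.primary,))
        if hit:
            raise ValueError(f"expanding to {new} would overlap {hit[1]} of subnet {hit[0]}")
        s.primary = new
        return new


def peering_blocker(a: Vpc, b: Vpc) -> Optional[str]:
    """Why VPC peering between a and b is refused, or None if no range overlaps.
    Two auto mode VPCs always overlap because both use 10.128.0.0/9 (post)."""
    if a.auto_mode and b.auto_mode:
        return f"{a.name} and {b.name} are both auto mode: their subnets share {AUTO_MODE_BLOCK}"
    for sa in a.subnets.values():
        for sb in b.subnets.values():
            for ra in sa.ranges():
                for rb in sb.ranges():
                    if ra.overlaps(rb):
                        return f"{a.name}/{sa.name} {ra} overlaps {b.name}/{sb.name} {rb}"
    return None


if __name__ == "__main__":
    prod = Vpc("prod")
    prod.add_subnet("web", "us-central1", "10.10.0.0/24")
    prod.add_subnet("db", "us-central1", "10.10.8.0/24")
    prod.add_secondary_range("web", "10.20.0.0/20")   # alias IP range for containers
    print("web expanded to", prod.expand_ip_range("web", 22))
    try:
        prod.expand_ip_range("web", 20)               # would swallow the db subnet
    except ValueError as err:
        print("refused:", err)
    print("peering:", peering_blocker(Vpc("default-a", auto_mode=True), Vpc("default-b", auto_mode=True)))
```

The check in expand_ip_range is the part worth copying into a change-review script: a bare prefix-length bump looks harmless, but the grown range can silently collide with a neighbouring subnet or with the subnet’s own alias IP range, which is exactly the error the real command reports.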
Firewall rules are global resources, akin to security groups, that filter traffic to and from instances and can be applied via network tags on instances, service accounts, and instance groups.
FIREWALL RULES
Ingress Rules
The source can be an IP range, a service account or a network tag, depending on the target type. You can use a combination of IP ranges and tags, or IP ranges and service accounts, but not both tags and service accounts in the same rule.
Egress Rules
The destination is always an IP range no matter the type of target chosen.
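As an added example (my own code, not from the original post or from Google), the following Python encodes the firewall rule constraints just listed so they can be checked before a rule is applied, and then evaluates which rule decides a given ingress connection the way GCP does: the matching rule with the lowest priority number wins, and with no match the implied rule denies ingress. The one constraint it adds beyond the post is that a rule cannot target both network tags and service accounts, which is a documented GCP rule. All rule names, tags, service accounts and addresses are constructed sample data.

```python
"""Validator and evaluator for GCP-style VPC firewall rules.

Added example, not code from the original post or from Google. Encodes the
post's constraints: ingress sources are IP ranges, network tags or service
accounts (ranges + tags or ranges + service accounts, never tags + service
accounts); egress destinations are always IP ranges; rules apply to
instances by network tag or service account, or to all instances.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class FirewallRule:
    name: str
    direction: str                                 # "INGRESS" or "EGRESS"
    action: str                                    # "allow" or "deny"
    priority: int = 1000                           # lower number wins (GCP semantics)
    ports: Tuple[int, ...] = ()                    # empty = any port
    target_tags: Tuple[str, ...] = ()              # no targets = every instance in the VPC
    target_service_accounts: Tuple[str, ...] = ()
    source_ranges: Tuple[str, ...] = ()
    source_tags: Tuple[str, ...] = ()
    source_service_accounts: Tuple[str, ...] = ()
    destination_ranges: Tuple[str, ...] = ()


@dataclass
class Endpoint:
    """An instance in the VPC, or an external client (no tags, no service account)."""
    name: str
    ip: str
    tags: Tuple[str, ...] = ()
    service_account: Optional[str] = None


def validate_rule(rule: FirewallRule) -> List[str]:
    """Every constraint the rule breaks; an empty list means it is acceptable."""
    problems: List[str] = []
    if rule.direction not in ("INGRESS", "EGRESS"):
        problems.append(f"direction must be INGRESS or EGRESS, not {rule.direction!r}")
    if rule.action not in ("allow", "deny"):
        problems.append(f"action must be allow or deny, not {rule.action!r}")
    if rule.target_tags and rule.target_service_accounts:
        # GCP constraint not spelled out in the post: one target kind per rule
        problems.append("a rule cannot target both network tags and service accounts")
    if rule.direction == "INGRESS":
        if not (rule.source_ranges or rule.source_tags or rule.source_service_accounts):
            problems.append("ingress rule needs a source: IP ranges, network tags or service accounts")
        if rule.source_tags and rule.source_service_accounts:
            problems.append("ingress source cannot combine network tags and service accounts")
    elif rule.direction == "EGRESS" and not rule.destination_ranges:
        problems.append("egress rule needs destination IP ranges")
    for cidr in rule.source_ranges + rule.destination_ranges:
        try:
            ipaddress.ip_network(cidr)
        except ValueError:
            problems.append(f"invalid CIDR {cidr!r}")
    return problems


def targets(rule: FirewallRule, inst: Endpoint) -> bool:
    """Does the rule apply to this instance (by tag, by service account, or to all)?"""
    if not rule.target_tags and not rule.target_service_accounts:
        return True
    return bool(set(rule.target_tags) & set(inst.tags)) or (
        inst.service_account is not None and inst.service_account in rule.target_service_accounts)


def source_matches(rule: FirewallRule, src: Endpoint) -> bool:
    """Ingress source match: any listed IP range, any shared tag, or the service account."""
    ip = ipaddress.ip_address(src.ip)
    if any(ip in ipaddress.ip_network(r) for r in rule.source_ranges):
        return True
    if set(rule.source_tags) & set(src.tags):
        return True
    return src.service_account is not None and src.service_account in rule.source_service_accounts


def evaluate_ingress(rules: Sequence[FirewallRule], dst: Endpoint, src: Endpoint,
                     port: int) -> Tuple[str, str]:
    """(action, deciding rule name). Lowest priority number among matching rules
    wins; if nothing matches, GCP's implied rule denies all ingress."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "INGRESS" or not targets(rule, dst):
            continue
        if rule.ports and port not in rule.ports:
            continue
        if source_matches(rule, src):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


# Constructed sample policy: SSH to "app" instances only from the bastion tag,
# everything else inside the VPC allowed (like the default network's internal rule).
SAMPLE_RULES = [
    FirewallRule("allow-internal", "INGRESS", "allow", priority=65534,
                 source_ranges=("10.128.0.0/9",)),
    FirewallRule("allow-ssh-from-bastion", "INGRESS", "allow", priority=900, ports=(22,),
                 target_tags=("app",), source_tags=("bastion",)),
    FirewallRule("deny-ssh-from-anywhere", "INGRESS", "deny", priority=1000, ports=(22,),
                 target_tags=("app",), source_ranges=("0.0.0.0/0",)),
]
# Constructed rule of the kind the post says is not allowed: tags and service accounts together.
BAD_RULE = FirewallRule("mixed-sources", "INGRESS", "allow", source_tags=("bastion",),
                        source_service_accounts=("app-sa@example-project.iam.gserviceaccount.com",))

APP = Endpoint("app-1", "10.128.0.10", tags=("app",),
               service_account="app-sa@example-project.iam.gserviceaccount.com")
BASTION = Endpoint("bastion-1", "10.128.0.2", tags=("bastion",))
CLIENT = Endpoint("external-client", "203.0.113.5")   # RFC 5737 documentation address

if __name__ == "__main__":
    for src, port in ((BASTION, 22), (CLIENT, 22), (BASTION, 8080), (CLIENT, 443)):
        print(f"{src.name} -> {APP.name}:{port}", evaluate_ingress(SAMPLE_RULES, APP, src, port))
    print("BAD_RULE problems:", validate_rule(BAD_RULE))
```

The priority ordering is the point to watch in review: the deny rule at 1000 only works as intended because the bastion allow sits at 900, and a broad "allow-internal" at 65534 still lets any other port through from inside the VPC, which is what the default network’s rule does too.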
Within an organization, VPCs can be shared among multiple projects and peered with other VPCs, so a centralized team can manage network security.
Components
Consideration and limits
Both are addressing methods that allow packets to reach their destination across the internet, but only one of them uses Google’s private network (anycast). The other difference between the two is the overall effectiveness and latency of the routed traffic.
As in Azure, as soon as you assign an external IP address to an instance, it immediately has internet access (or goes through a NAT gateway if one exists). There is no concept of a public subnet like the one we find in AWS.