This post covers some quick tips, including Q/A and useful links, from Day 3 of Google Cloud Architect Training, covering Module 3: Virtual Networks and Module 4: Cloud IAM, where we covered topics like VPC networking, firewall rules, subnets, routes, the VPC networking modes (auto-mode and custom VPC), and the basics of Cloud IAM.
We also worked through hands-on Lab 5, Lab 6, and Lab 7 out of our 25+ extensive labs.
The previous week, in the Day 2 session, we got an overview of Virtual Machines, also known as Compute Engine in Google Cloud, and of machine and disk types.
A week before that, in the Day 1 session, we got an overview of cloud concepts, an introduction to the GCP Console, the various Google Cloud services, and an introduction to Virtual Machines.
Google Cloud Networking Services
Networking is one of the most important and basic Google Cloud Platform services. These services help users load-balance traffic across resources, create DNS records, and connect their existing network to Google’s network. The types of networking services available are as follows:
- Virtual Private Cloud (VPC)
- Cloud Load Balancing
- Cloud DNS
- Cloud CDN
- Google Cloud Interconnect
Check more on Google Cloud Networking Services
Virtual Private Cloud (VPC)
A virtual private cloud (VPC) is a secure, isolated private cloud hosted within a public cloud. Customers can run code, store data, host websites, etc., just as they could in an ordinary private cloud; the only difference is that this private cloud is hosted remotely by a public cloud provider.
It combines the scalability and convenience of public cloud computing with the data isolation of private cloud computing.
Google Cloud VPC
Google Cloud VPC provides networking functionality to Compute Engine VM instances, Google Kubernetes Engine clusters, and App Engine flexible environment. It provides networking for customers’ cloud-based resources and services that are global, scalable, and flexible.
VPC Components
VPC components are as follows:
1) VPC Networks
A Virtual Private Cloud (VPC) network is a virtual version of a physical network, implemented inside Google’s production network using Andromeda.
2) Subnets
Each VPC network consists of one or more IP range partitions called subnets. The VPC network itself has no IP address range associated with it; IP ranges are defined per subnet. Subnets are regional resources: each subnet is associated with one region and defines a range of IP addresses.
Q1: Is it possible that two organizations can create a subnet with the same range under the same region?
Ans: Yes, two different organizations can use the same subnet range. Likewise, two different networks can have subnets with the same IP range.
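The rule behind this answer is easy to check in code: overlapping primary ranges are only a conflict inside a single VPC network, while separate networks (in other projects or organizations) may reuse the same range. The following is an added example, not code from the training post; the network names and ranges in it are constructed sample data.

```python
"""Check whether a proposed subnet range can be added to a VPC network.

Added example; not code from the training post. It models one rule from the
section above: primary IP ranges of subnets in the *same* VPC network must not
overlap, while unrelated networks (other projects or organizations) may reuse
the same range. Network names and ranges below are constructed sample data.
"""
import ipaddress
from typing import Dict, List

# Constructed sample inventory: network name -> existing subnet ranges.
NETWORKS: Dict[str, List[str]] = {
    "org-a-prod-vpc": ["10.10.0.0/24", "10.10.1.0/24"],
    "org-b-prod-vpc": ["10.10.0.0/24"],   # same range as org A, but a separate network
}


def overlapping_subnets(existing: List[str], new_cidr: str) -> List[str]:
    """Return the ranges in `existing` that overlap with new_cidr.

    strict=True makes ipaddress reject a range whose host bits are set
    (e.g. 10.10.0.5/24), which is the same validation the API would do.
    """
    candidate = ipaddress.ip_network(new_cidr, strict=True)
    return [
        cidr for cidr in existing
        if ipaddress.ip_network(cidr, strict=True).overlaps(candidate)
    ]


def can_add_subnet(network: str, new_cidr: str,
                   inventory: Dict[str, List[str]] = NETWORKS) -> bool:
    """True when new_cidr overlaps no subnet already in `network`.

    Other networks in the inventory are ignored on purpose: overlap is only a
    conflict inside one VPC network.
    """
    return not overlapping_subnets(inventory.get(network, []), new_cidr)


if __name__ == "__main__":
    checks = [
        ("org-a-prod-vpc", "10.10.0.128/25"),  # inside 10.10.0.0/24 -> overlap
        ("org-a-prod-vpc", "10.10.2.0/24"),    # unused in that network -> ok
        ("org-b-prod-vpc", "10.10.1.0/24"),    # same as org A's second subnet -> ok here
    ]
    for net, cidr in checks:
        print(f"{net} + {cidr}: {'ok' if can_add_subnet(net, cidr) else 'overlap'}")
```

The only state the check needs is the list of ranges in the target network, which is why the same CIDR is rejected for `org-a-prod-vpc` and accepted for `org-b-prod-vpc`.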
3) IP Addresses
Resources such as VM instances and load balancers have IP addresses in Google Cloud, enabling Google Cloud resources to communicate with other resources in Google Cloud, on-premises networks, or on the public internet.
4) Firewall
Firewall rules manage traffic even if it is entirely within the network, including communication among VM instances.
Read more about Firewall Rules in Google Cloud
Q2: Is firewall creation a way to secure the VPC network?
Ans: Firewall rules control incoming and outgoing traffic, making them a way to secure the VPC network.
Q3: Is there any provision to add a custom firewall rule (business specific) for custom mode?
Ans: Firewall rules can be added to VPC networks in all modes – default, auto, and custom. Enabled firewall rules are always enforced, even if the associated operating system and configuration haven’t been started.
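To make the evaluation order behind these answers concrete, here is an added example (not code from the training post) that simulates how VPC firewall rules decide a connection: rules apply per VM, lower priority numbers are evaluated first, the first matching rule decides, deny wins over allow at equal priority, and every network carries two implied rules (deny all ingress, allow all egress) at priority 65535. The rule set and the test connections are constructed sample data; the rule names are made up.

```python
"""Simulate how VPC firewall rules decide whether a connection is allowed.

Added example, not code from the training post. Rule set and connections are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Rule:
    name: str
    direction: str                 # "INGRESS" or "EGRESS"
    priority: int                  # 0 (evaluated first) .. 65535 (evaluated last)
    action: str                    # "ALLOW" or "DENY"
    protocol: str = "all"          # "tcp", "udp", "icmp" or "all"
    ports: Set[int] = field(default_factory=set)       # empty = any port
    ranges: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])  # sources (ingress) / destinations (egress)
    target_tags: Set[str] = field(default_factory=set)  # empty = all instances in the network


@dataclass
class Connection:
    direction: str
    remote_ip: str                 # source for ingress, destination for egress
    protocol: str
    port: int
    vm_tags: Set[str] = field(default_factory=set)


# Implied rules present in every VPC network at the lowest priority.
IMPLIED_RULES = [
    Rule("implied-deny-ingress", "INGRESS", 65535, "DENY"),
    Rule("implied-allow-egress", "EGRESS", 65535, "ALLOW"),
]


def rule_matches(rule: Rule, conn: Connection) -> bool:
    if rule.direction != conn.direction:
        return False
    if rule.target_tags and not (rule.target_tags & conn.vm_tags):
        return False
    if rule.protocol not in ("all", conn.protocol):
        return False
    if rule.ports and conn.port not in rule.ports:
        return False
    ip = ipaddress.ip_address(conn.remote_ip)
    return any(ip in ipaddress.ip_network(r) for r in rule.ranges)


def evaluate(rules: List[Rule], conn: Connection) -> Rule:
    """Return the rule that decides `conn` (an implied rule always matches)."""
    candidates = [r for r in rules + IMPLIED_RULES if rule_matches(r, conn)]
    # Lower priority number first; at the same priority DENY sorts before ALLOW.
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    return candidates[0]


# Constructed sample rule set: a broad SSH allow (like the one the default
# network ships with) plus higher-priority rules that restrict SSH on VMs
# tagged "web" to a bastion range.
SAMPLE_RULES = [
    Rule("allow-ssh-anywhere", "INGRESS", 1000, "ALLOW", "tcp", {22}),
    Rule("deny-ssh-not-from-bastion", "INGRESS", 900, "DENY", "tcp", {22}, ["0.0.0.0/0"], {"web"}),
    Rule("allow-ssh-from-bastion", "INGRESS", 800, "ALLOW", "tcp", {22}, ["10.0.100.0/24"], {"web"}),
    Rule("allow-http", "INGRESS", 1000, "ALLOW", "tcp", {80, 443}, ["0.0.0.0/0"], {"web"}),
]


if __name__ == "__main__":
    checks = [
        Connection("INGRESS", "203.0.113.7", "tcp", 22, {"web"}),   # internet SSH to web VM -> DENY
        Connection("INGRESS", "10.0.100.5", "tcp", 22, {"web"}),    # bastion SSH to web VM -> ALLOW
        Connection("INGRESS", "203.0.113.7", "tcp", 22, {"db"}),    # db VM: broad rule still applies
        Connection("INGRESS", "203.0.113.7", "tcp", 3306, {"db"}),  # no rule -> implied deny
        Connection("EGRESS", "8.8.8.8", "udp", 53, {"db"}),         # implied allow egress
    ]
    for c in checks:
        r = evaluate(SAMPLE_RULES, c)
        print(f"{c.direction} {c.protocol}/{c.port} {c.remote_ip} tags={sorted(c.vm_tags)} -> {r.action} by {r.name}")
```

The third check is the one worth noticing in a review: the bastion restriction only targets VMs tagged `web`, so a VM with another tag is still covered by the broad `allow-ssh-anywhere` rule. Scoping a deny by target tag protects only the tagged instances.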
5) Routes
Routes define network traffic paths from a virtual machine (VM) instance to other destinations. These destinations can be inside your Google Cloud Virtual Private Cloud (VPC) network (for example, in another VM) or outside it.
Q4: Can you explain Routes/Routing?
Ans: Routes determine the path that network traffic takes from the source VM to various destinations.
Managing how these routes work is known as routing. Several variables affect which route is used – the routing table (maintained by Google), the priority of each route, what kind of access the routes need, etc.
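As an added example (not code from the training post), the function below picks the route a VM would use for a destination, applying the selection order the answer refers to: only routes that apply to the instance (by network tag) are considered, the most specific destination range wins, and a tie on specificity is broken by priority (lower number wins). The routing table and destinations are constructed sample data; the route names and next hops are made up.

```python
"""Pick the VPC route a VM would use for a destination address.

Added example, not the post's code. Routes and destinations are constructed
sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Route:
    name: str
    dest_range: str
    next_hop: str
    priority: int = 1000          # 0..65535, lower wins among equally specific routes
    tags: Set[str] = field(default_factory=set)   # empty = applies to every VM in the network


# Constructed routing table for one VPC network: a subnet route, the default
# route to the internet gateway, two static routes to on-premises (primary and
# backup tunnel), and a tagged route that sends internet-bound traffic of
# VMs without external IPs through a NAT instance.
ROUTES = [
    Route("subnet-route-web", "10.0.1.0/24", "subnet 10.0.1.0/24", priority=0),
    Route("default-internet", "0.0.0.0/0", "default-internet-gateway", priority=1000),
    Route("to-onprem-primary", "192.168.0.0/16", "vpn-tunnel-1", priority=1000),
    Route("to-onprem-backup", "192.168.0.0/16", "vpn-tunnel-2", priority=2000),
    Route("egress-via-nat-vm", "0.0.0.0/0", "nat-instance", priority=800, tags={"no-external-ip"}),
]


def select_route(routes: List[Route], dst_ip: str,
                 vm_tags: Set[str] = frozenset()) -> Optional[Route]:
    """Return the winning route for dst_ip on a VM with vm_tags, or None."""
    ip = ipaddress.ip_address(dst_ip)
    applicable = [
        r for r in routes
        if (not r.tags or r.tags & vm_tags) and ip in ipaddress.ip_network(r.dest_range)
    ]
    if not applicable:
        return None
    # Longest prefix (most specific) first, then lowest priority value.
    applicable.sort(key=lambda r: (-ipaddress.ip_network(r.dest_range).prefixlen, r.priority))
    return applicable[0]


if __name__ == "__main__":
    for dst, tags in [("10.0.1.20", set()), ("192.168.5.5", set()),
                      ("8.8.8.8", set()), ("8.8.8.8", {"no-external-ip"})]:
        r = select_route(ROUTES, dst, tags)
        print(f"{dst} tags={sorted(tags)} -> {r.name} via {r.next_hop}")
```

The two `0.0.0.0/0` routes show why priority matters: the tagged NAT route only beats the default internet route on VMs that carry the tag, and only because its priority value (800) is lower.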
VPC Subnet Creation Modes
Google Cloud offers three types of VPC networks, determined by their subnet creation mode:
- Default-mode VPC
- Auto-mode VPC
- Custom-mode VPC
Q5: What is the difference between auto mode and default mode?
Ans: Default mode VPC networks are created automatically when you create a project. On the other hand, auto mode networks need to be created manually. In auto mode, you can add more subnets yourself if needed – which is not possible in default mode.
Read more about VPC Subnet Creation mode.
Q6: What is the difference between peering and network sharing?
Ans: Google Cloud has a VPC Network Peering feature, which allows peering with a Shared VPC. This means the host project can allow other projects to use some of its networks.
This is very similar to regular Shared VPC, with a few key differences: in the case of Shared VPC, any new subnets created in the host project are also reflected in the other (shared) project.
Google Cloud IAM
Google Identity and Access Management is a web service that gives cloud administrators the authority to decide who can take a particular action on a particular resource.
In simple words, IAM lets one decide who (Identity) has what role (Access) to which resource.
Check more on Google Cloud IAM
Q7: Which of the Google Cloud services support IAM?
Ans: All Google Cloud services use IAM to make sure that only authorized identities can access them. In addition, some services provide IAM roles specific to that service, or support granting access at the resource level.
Read more about IAM Support
IAM Roles
A role in IAM is an entity that defines a set of permissions that can be granted to selected users. There are three types of roles in Google IAM:
- Primitive/Basic Roles: It includes the Owner, Editor, and Viewer roles that existed before the introduction of IAM.
- Predefined Roles: These provide granular access for a specific service and are managed by Google Cloud.
- Custom Roles: These provide granular access according to a user-specified list of permissions.
Check more about IAM Roles.
Q8: What is the difference between basic roles and predefined roles?
Ans: Basic roles are the legacy Owner, Editor, and Viewer roles. IAM provides predefined roles, which enable more granular access than the basic roles.
Q9: If a company wants to have a Google Cloud Account, is it necessary that the organization admin must be one of their employees?
Ans: Yes, to manage access to various resources, the admin must be an employee of the concerned company. These Organization admins are responsible for granting roles to the employees as per the need, which controls what permissions they have.
Q10: How can I find out what roles are granted on a resource?
Ans: You can find out what roles are granted on a resource using the Cloud Console, the getIamPolicy() method, or the gcloud command-line tool.
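The following added example (not code from the training post) shows what you do with the policy once you have it: starting from a document in the shape `getIamPolicy()` (or `gcloud projects get-iam-policy PROJECT_ID --format=json`) returns, it lists the roles granted to a member and flags the two things a reviewer checks first, the basic roles from Q8 (broad legacy access) and bindings to `allUsers` / `allAuthenticatedUsers` (public access). The policy document, project and account names in it are constructed sample data.

```python
"""Review an IAM policy (the shape returned by getIamPolicy) for a resource.

Added example, not the post's code. The policy document below is constructed
sample data; the project and account names in it are made up.
"""
import json
from collections import defaultdict
from typing import Dict, List

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the JSON shape returned by getIamPolicy().
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.networkAdmin",
     "members": ["group:netops@example.com", "user:bob@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
""")


def roles_for_member(policy: dict, member: str) -> List[str]:
    """Roles the policy grants directly to `member` (group membership is not expanded)."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def members_by_role(policy: dict) -> Dict[str, List[str]]:
    """Invert the bindings list into role -> members."""
    out: Dict[str, List[str]] = defaultdict(list)
    for b in policy.get("bindings", []):
        out[b["role"]].extend(b.get("members", []))
    return dict(out)


def review_policy(policy: dict) -> List[str]:
    """Findings a reviewer would want to see, one string per finding."""
    findings = []
    for b in policy.get("bindings", []):
        role, members = b["role"], b.get("members", [])
        if role in BASIC_ROLES:
            for m in members:
                findings.append(f"basic role {role} granted to {m}; prefer a predefined or custom role")
        for m in members:
            if m in PUBLIC_MEMBERS:
                findings.append(f"{role} granted to {m}: resource is reachable by the public")
    return findings


if __name__ == "__main__":
    print("bob:", roles_for_member(SAMPLE_POLICY, "user:bob@example.com"))
    for role, members in members_by_role(SAMPLE_POLICY).items():
        print(f"{role}: {', '.join(members)}")
    for finding in review_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Note that `roles_for_member` only reports direct bindings; a user who inherits a role through a group or from a parent folder or organization will not show up here, so an inventory of effective access has to walk the resource hierarchy as well.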
Quiz Time (Sample Exam Questions)!
With our Google Professional Cloud Architect training program, we cover 200+ sample exam questions to help you prepare for the certification.
Check out one of the questions and see if you can crack this…
Ques: Your customer is moving their corporate applications to Google Cloud. The security team wants detailed visibility of all resources in the organization. You use Resource Manager to set yourself up as the Organization Administrator. Which Cloud Identity and Access Management (Cloud IAM) roles should you give to the security team while following Google recommended practices?
A. Organization viewer, Project owner
B. Organization viewer, Project viewer
C. Organization administrator, Project browser
D. Project owner, Network administrator
Comment your answer in the comment box below.
Here is the answer to the question shared last week (Scroll down at the end of this post for the question).
Ques: You have been asked to build a backend using Clojure and host it on Google Cloud with full freedom of choosing OS, applications, libraries, etc. Which service will you prefer?
A. Compute Engine
B. App Engine Standard
C. Cloud Function
D. Cloud Run
Answer: A
Explanation: Compute Engine gives you complete flexibility in choosing the type of OS, libraries, and applications you want to use.
Feedback
We always try to improve and be a better version of ourselves than in the previous session, hence we constantly ask for feedback from our attendees.
Here’s the feedback that we received from our trainees who had attended the session…
Related References
- GCP Professional Cloud Architect: Everything You Need To Know
- Google Cloud Services & Tools
- Google Cloud Functions
- Google Kubernetes Engine
- Google Identity & Access Management (IAM)
Next Task For You
If you are also interested and want to know more about the Google Professional Cloud Architect certification, register for our Free Class.