What you need

To complete this lab, you need:

Internet access

Access to a supported Internet browser:

What you will do

What you will learn

Here is a preview of the lab activities, and the networks you will create.

Part 1: Create the Network Topology

Part 2: Create the VM Instances

Part 3: Work with Routes and Firewall Rules

The scoping and connectivity relationships between zones, regions, networks, and subnets are different from networking in other public clouds.

Step 1 Create a Project

Select an existing project or create a new Google Cloud project.

Remember the project ID, a unique name across all Google Cloud projects. It will be referred to later in this lab as PROJECT_ID.

The default network is created automatically for you with each new project. The default network layout is not ideal for managing resources. Its main benefit is that it is a fast way to get a project set up and running. It's great for prototyping solutions and for training purposes.

Step 1 Examine the networks in console

Console: Products and Services > Networking > Networks

Notice the Default Network. It has been created automatically for you with a Subnetwork in each Region.

Example:

Region | Subnetwork name | IP address range | Gateway
asia-east1 | default | 10.140.0.0/20 | 10.140.0.1

How many Internal IP addresses are available for VMs in each subnetwork?

  1. CIDR /20 = 4096 addresses.
  2. The all-ones address is used for broadcast.
  3. The all-zeros address represents the subnetwork itself.
  4. The first address in the range (the '.1' address) belongs to the virtual router / virtual firewall (labeled Gateway).
  5. Therefore, each subnetwork can address 4093 VMs.

Step 2 Examine the routes

Console: Products and Services > Networking > Routes

Notice that a route has been created for each subnetwork, and one global route to enable traffic to the Internet.

Step 1 Create an auto-type network

Console: Products and Services > Networking > Networks

Click on [+ Create Network].

Property | Value
Name | learnauto
Description | Learn about auto-type networks
Subnetworks | Click on the [Automatic] tab

When you click on Automatic, you should see it automatically populate the list of subnetworks to be created.

Step 2 Select the firewall rules

Select all of the firewall rules listed. If they are not selected they won't be created.

Step 3 Create the network

  1. At the bottom of the dialog are two links labeled "Equivalent REST or command line".
  2. Click on the REST link to see the POST requests you would use to automate this process through the API.
  3. Click CLOSE.
  4. Click on the command line link to see the commands you could use to automate this process.
  5. You could use these commands to create the network by clicking [Run in Cloud Shell] -- but don't do it.
  6. Click CLOSE.
  7. Click on the [CREATE] button.

Click on the REFRESH button occasionally until the networks are created and appear in the list.

Step 1 Examine the routes

Console: Products and Services > Networking > Routes

Notice that a route has been created for each subnetwork, and one global route was created to enable traffic from anywhere, including the Internet.

Click on the title Destination IP ranges to sort the list of routes.

Notice that the learnauto network has a subnetwork and route identical to one in the default network. It is therefore possible for VMs in the two networks to have duplicate internal IP addresses.

Step 2 Examine the firewall rules

Console: Products and Services > Networking > Firewall rules

Verify that firewall rules were created for the learnauto network and its subnetworks.

You will be creating a custom-type network named learncustom with three subnetworks: subnet-1a (192.168.5.0/24) and subnet-1b (192.168.3.0/24) in the same region, and subnet-2 (192.168.7.0/24) in a different region.

Step 1 Create a custom network

Console: Products and Services > Networking > Networks

Click on [+ Create Network].

Property | Value
Name | learncustom
Description | Learn about custom networks
Subnetworks | Click on the [Custom] tab

Step 2 Specify the subnetworks

Use the dialog to add three subnetworks as follows.

Click [+ Add subnetwork] to add another.

First subnetwork:

Property | Value
Name | subnet-1a
Region | us-east1
IP address range | 192.168.5.0/24

Second subnetwork:

Property | Value
Name | subnet-1b
Region | us-east1
IP address range | 192.168.3.0/24

Third subnetwork:

Property | Value
Name | subnet-2
Region | us-west1
IP address range | 192.168.7.0/24

It should look something like this:

Click the [Create] button.

Step 3 Examine the results: routes

Did creating the custom network automatically create routes?

Console: Products and Services > Networking > Routes

You can click on Network in the table header to sort by Network name. You should see routes created for each subnetwork.

Step 4 Examine the results: firewall rules

Did creating the custom network automatically create firewall rules?

Console: Products and Services > Networking > Firewall rules

You can click on Network in the table header to sort by Network name.

No default firewall rules were created for the custom network. You will have to add them manually in the next step.

Step 5 Create default firewall rules for the learncustom network

Notice that for the other networks, the default network and the learnauto network, GCP automatically created default firewall rules allowing SSH traffic (tcp:22), ICMP traffic, and RDP traffic (tcp:3389) for Windows VMs.

Add a firewall rule to provide the same access for the learncustom network.

Console: Products and Services > Networking > Firewall rules

Click on [+ Create Firewall Rule]

Property | Value
Name | allow-ssh-icmp-rdp-learncustom
Network | learncustom
Source filter | Allow from any source (0.0.0.0)
Allowed protocols and ports | icmp; tcp:22; tcp:3389
Target tags | allow-defaults

Click the [Create] button.

You will attempt to modify the network by adding a subnetwork with an overlapping address range but in a different region. What do you predict will happen?

Console: Products and Services > Networking > Routes

Click on learncustom.

Click on [Add subnetwork]

Property | Value
Name | subnet-3
Region | europe-west1
IP address range | 192.168.5.0/24

It appears that the dialog has accepted the input.

Click [Add] to create the subnetwork.

You should see something like this:
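One check a practitioner would run before submitting the subnet-3 dialog, as an added Python example that is not part of the lab: a VPC network does not accept a new subnetwork whose primary range overlaps a range already in that same network, whatever the region, while identical ranges in different networks are allowed (the learnauto/default comparison earlier). The SUBNETS inventory is constructed for this example from the ranges the lab lists; the function names are this example's own.

```python
import ipaddress
from itertools import combinations

# Constructed inventory of the lab's subnetworks (an assumption for this
# example, not read from a project). The default and learnauto entries use
# the asia-east1 range the lab shows, which is identical in both networks.
SUBNETS = [
    # (network, subnetwork name, region, primary IP range)
    ("default",     "default",   "asia-east1", "10.140.0.0/20"),
    ("learnauto",   "learnauto", "asia-east1", "10.140.0.0/20"),
    ("learncustom", "subnet-1a", "us-east1",   "192.168.5.0/24"),
    ("learncustom", "subnet-1b", "us-east1",   "192.168.3.0/24"),
    ("learncustom", "subnet-2",  "us-west1",   "192.168.7.0/24"),
]


def find_overlaps(subnets):
    """Return (network, name_a, name_b) for each pair of subnetworks whose
    primary ranges overlap inside the same VPC network.

    Overlaps between different networks are ignored on purpose: each VPC
    network is its own address space, so identical ranges there are legal,
    which is also why internal IPs are not routable between networks."""
    by_network = {}
    for network, name, _region, cidr in subnets:
        by_network.setdefault(network, []).append((name, ipaddress.ip_network(cidr)))
    conflicts = []
    for network, entries in by_network.items():
        for (name_a, net_a), (name_b, net_b) in combinations(entries, 2):
            if net_a.overlaps(net_b):
                conflicts.append((network, name_a, name_b))
    return conflicts


def can_add_subnet(subnets, network, cidr):
    """Pre-check for the 'add subnet-3' experiment: True only when the
    proposed range does not collide with a range already in that network.
    The region is deliberately not an input: a different region does not
    make an overlapping range acceptable."""
    candidate = ipaddress.ip_network(cidr)
    return not any(
        net == network and candidate.overlaps(ipaddress.ip_network(existing))
        for net, _name, _region, existing in subnets
    )


if __name__ == "__main__":
    print("conflicts in current inventory:", find_overlaps(SUBNETS))
    print("learncustom can take 192.168.5.0/24 in europe-west1:",
          can_add_subnet(SUBNETS, "learncustom", "192.168.5.0/24"))
    print("learncustom can take 192.168.9.0/24 instead:",
          can_add_subnet(SUBNETS, "learncustom", "192.168.9.0/24"))
```

Running it shows no conflicts in the inventory as built (the duplicated 10.140.0.0/20 sits in two different networks), and a rejected pre-check for the subnet-3 range because it is the same block as subnet-1a in learncustom.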

For the purposes of exploring the Cloud Virtual Network, you will create five micro VMs in different locations in the network. You will not install any additional software on them. They will not be running any applications. You will just be using them to explore the connectivity across the topologies in the network.

Name | Network | Region | Zone
learn-1 | default | us-east1 | us-east1-b
learn-2 | learnauto | us-east1 | us-east1-b
learn-3 | learncustom | us-east1 | us-east1-b
learn-4 | learncustom | us-east1 | us-east1-c
learn-5 | learncustom | us-west1 | us-west1-a

Step 1 Create the learn-1 VM

Console: Products and Services > Compute Engine > VM instances

Click on [+ Create Instance]

Property | Value
Name | learn-1
Zone | us-east1-b
Machine type | micro (1 shared vCPU)

Click on the line that says Management, disk, networking, SSH keys to access the advanced options.

Click on the Networking tab.

Property | Value
Network | default
Subnetwork | default

Click the [Create] button.

Step 2 Create the learn-2 VM

Console: Products and Services > Compute Engine > VM instances

Click on [+ Create Instance]

Property | Value
Name | learn-2
Zone | us-east1-b
Machine type | micro (1 shared vCPU)

Click on the line that says Management, disk, networking, SSH keys to access the advanced options.

Click on the Networking tab.

Property | Value
Network | learnauto
Subnetwork | learnauto

Click the [Create] button.

Step 3 Create the learn-3 VM

Console: Products and Services > Compute Engine > VM instances

Click on [+ Create Instance]

Property | Value
Name | learn-3
Zone | us-east1-b
Machine type | micro (1 shared vCPU)

Click on the line that says Management, disk, networking, SSH keys to access the advanced options.

Click on the Networking tab.

Property | Value
Network | learncustom
Subnetwork | subnet-1a

Click the [Create] button.

Step 4 Create the learn-4 VM

Console: Products and Services > Compute Engine > VM instances

Click on [+ Create Instance]

Property | Value
Name | learn-4
Zone | us-east1-c
Machine type | micro (1 shared vCPU)

Click on the line that says Management, disk, networking, SSH keys to access the advanced options.

Click on the Networking tab.

Property | Value
Network | learncustom
Subnetwork | subnet-1a

Click the [Create] button.

Step 5 Create the learn-5 VM

Console: Products and Services > Compute Engine > VM instances

Click on [+ Create Instance]

Property | Value
Name | learn-5
Zone | us-west1-a
Machine type | micro (1 shared vCPU)

Click on the line that says Management, disk, networking, SSH keys to access the advanced options.

Click on the Networking tab.

Property | Value
Network | learncustom
Subnetwork | subnet-2

Click the [Create] button.

Step 6 Verify that all the test VMs are running

Console: Products and Services > Compute Engine > VM instances

It should look something like this:

You will SSH to the VMs and use ping to test connectivity between VMs. This will help you understand how the Cloud Virtual Network topology behaves.

One service of GCP is Cloud DNS. Cloud DNS provides name-to-IP address translation. When you created the VMs, their addresses were automatically populated into Cloud DNS. For this reason, when you SSH to a VM you can use the ping command with the symbolic name of the target VM, and it will be translated to the IP address for you.

You can break out of the ping command at any time by pressing <ctrl><c>.

Step 1 ping from learn-1

Console: Products and Services > Compute Engine > VM instances

Click on the link to SSH to learn-1.

$ ping learn-1

Notice how DNS translates for you.

This should succeed.

Now try to reach learn-2.

$ ping learn-2

Can you explain why this fails?

It is because DNS is scoped to the network. The VM learn-2 is not in the default network where learn-1 is located, so the symbolic name can't be translated.

Locate the internal IP address and the external IP address for learn-2.

Try to ping learn-2's internal IP address.

$ ping <learn-2's internal IP>

Did this work?

No. learn-1 is in the default network and learn-2 is in the learnauto network. Even though both VMs are located in the same region, us-east1, and in the same zone, us-east1-b, they cannot communicate over internal IP.

Try to ping learn-2's external IP address.

$ ping <learn-2's external IP>

This works.

Step 2 traceroute from learn-1

Verify that traceroute is working by tracing the route to a public website.

$ sudo traceroute cnn.com -I

Press <ctrl><c> to stop the command.

Did it work?

Yes.

Now use traceroute to find the path to learn-2's external IP.

$ sudo traceroute <learn-2's external IP> -I

How many hops was it from learn-1 to learn-2's external IP?

One.

Step 3 ping to learn-3

You already know that learn-3 is in a different network from learn-1, so its internal IP will not be reachable.

Try to ping learn-3's external IP address.

$ ping <learn-3's external IP>

Press <ctrl><c> to stop the command.

Why didn't this work? You were able to reach learn-2's external IP, why not learn-3's?

Recall that learn-2 is in an auto-type network, so firewall rules were automatically created that enabled ingress traffic to reach its external IP. learn-3, however, is in a custom-type network, where no firewall rules were created automatically; the only rule in that network is the one you created to permit access.

Take another look at that firewall rule.

Console: Products and Services > Networking > Firewall rules

Notice that the default firewall rules were established to "Apply to all targets". You created the firewall rule with tighter security. It will only permit traffic to VMs that have the Target tag allow-defaults.

Locate the learn-3 VM in console.

Console: Products and Services > Compute Engine > VM instances

Click on learn-3 to access details about the VM.

Click on edit:

In the Tags section, add allow-defaults.

Click [Save] at the bottom of the page.

Return to the SSH terminal for learn-1 (or reconnect if needed).

Try again to ping learn-3's external IP address.

$ ping <learn-3's external IP>

This time it should work.

Step 1 ping to the other VMs

Open an SSH terminal to learn-3.

Try the following. Can you explain all the behaviors?

$ ping learn-4
$ ping learn-5
$ sudo traceroute learn-5 -I

DNS translation works for both learn-4 and learn-5 because learn-3, learn-4, and learn-5 are all in the same network, learncustom.

Console: Products and Services > Compute Engine > VM instances

Try to SSH to learn-4.

This fails: the firewall rule for the learncustom network only delivers traffic to VMs with the target tag allow-defaults, and learn-4 does not carry that tag.

Step 2 Edit the firewall rule

Console: Products and Services > Networking > Firewall rules

Click on the rule allow-ssh-icmp-rdp-learncustom to get to its details.

Click on edit:

In the Target tags section, remove allow-defaults. It will now apply to all targets.

Click the [Save] button.
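How the target-tag scoping from the learn-3 step and the widening you just did in Step 2 decide what reaches a VM, as an added Python example that is not part of the lab: the VMS and RULES structures are a constructed model of the lab's instances and ingress allow rules (not a GCP API), and the function names are this example's own. Ingress is implicitly denied, so a packet gets through only if some rule in the VM's own network matches its source, its protocol and port, and either has no target tags or shares one with the VM.

```python
import ipaddress

# Constructed model of the lab's instances and ingress allow rules; an
# assumption for this example, not a GCP API. An empty target_tags tuple
# means the rule applies to all instances in its network, which is what the
# console's "Apply to all targets" does.
VMS = {
    "learn-1": {"network": "default",     "tags": ()},
    "learn-2": {"network": "learnauto",   "tags": ()},
    "learn-3": {"network": "learncustom", "tags": ()},
    "learn-4": {"network": "learncustom", "tags": ()},
}

RULES = [
    # The defaults GCP created for the default and auto-type networks (as the
    # lab describes them: ssh, icmp, rdp from anywhere, applied to all targets).
    {"name": "default-allow-ssh-icmp-rdp", "network": "default", "source": "0.0.0.0/0",
     "allowed": {"icmp": None, "tcp": {22, 3389}}, "target_tags": ()},
    {"name": "learnauto-allow-ssh-icmp-rdp", "network": "learnauto", "source": "0.0.0.0/0",
     "allowed": {"icmp": None, "tcp": {22, 3389}}, "target_tags": ()},
    # The rule you created for the custom network, scoped by target tag.
    {"name": "allow-ssh-icmp-rdp-learncustom", "network": "learncustom", "source": "0.0.0.0/0",
     "allowed": {"icmp": None, "tcp": {22, 3389}}, "target_tags": ("allow-defaults",)},
]


def ingress_allowed(vm_name, protocol, port, source_ip, vms=VMS, rules=RULES):
    """True if some allow rule admits protocol/port from source_ip to the VM.
    No matching rule means the packet is dropped, which is why an untagged
    learn-3 never answered the ping."""
    vm = vms[vm_name]
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule["network"] != vm["network"]:
            continue                                   # rules are per network
        if src not in ipaddress.ip_network(rule["source"]):
            continue
        if rule["target_tags"] and not set(rule["target_tags"]) & set(vm["tags"]):
            continue                                   # tag-scoped, VM untagged
        if protocol not in rule["allowed"]:
            continue
        ports = rule["allowed"][protocol]              # None = no port concept (icmp)
        if ports is None or port in ports:
            return True
    return False


def with_tag(vms, vm_name, tag):
    """The fix from the learn-3 step: add a network tag to the instance.
    Returns a new inventory so the original stays unchanged."""
    updated = {name: dict(vm) for name, vm in vms.items()}
    updated[vm_name]["tags"] = tuple(updated[vm_name]["tags"]) + (tag,)
    return updated


def with_all_targets(rules, rule_name):
    """The edit from Step 2: clearing a rule's target tags makes it apply to
    every instance in the network. Returns a new rule list."""
    return [dict(rule, target_tags=()) if rule["name"] == rule_name else rule
            for rule in rules]


if __name__ == "__main__":
    probe = "203.0.113.10"                              # constructed source address
    print("ping learn-2:", ingress_allowed("learn-2", "icmp", None, probe))
    print("ping learn-3:", ingress_allowed("learn-3", "icmp", None, probe))
    tagged = with_tag(VMS, "learn-3", "allow-defaults")
    print("ping learn-3 after tagging:", ingress_allowed("learn-3", "icmp", None, probe, vms=tagged))
    print("ssh learn-4:", ingress_allowed("learn-4", "tcp", 22, probe, vms=tagged))
    widened = with_all_targets(RULES, "allow-ssh-icmp-rdp-learncustom")
    print("ssh learn-4 after widening:", ingress_allowed("learn-4", "tcp", 22, probe, vms=tagged, rules=widened))
```

The model reproduces the lab's observations: learn-2 answers because its network's default rule applies to all targets, learn-3 answers only once it carries allow-defaults, and learn-4 becomes reachable only after the rule's target tags are cleared. From a hardening point of view, the tagged version was the better design; clearing the tags opens every instance in learncustom to the rule's 0.0.0.0/0 source, so outside a lab the usual move is to tag the instances that need access or narrow the source range rather than widen the target.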

Step 3 Try again

Everything should work this time:

$ ping learn-4
$ ping learn-5
$ sudo traceroute learn-5 -I

SSH to learn-4.

In this section, you convert an auto-type network to a custom-type network to gain more fine-grained control over the subnetworks.

A new policy for the learnauto network is to be implemented: there will no longer be assets in the us-central1 region. Instead, new projects will shift the assets planned for us-central1 to a new subnetwork in the us-east1 region, to be named new-useast.

Implement the policy. To accomplish this you will delete the learnauto us-central1 subnetwork and create the new subnetwork in us-east1 to allow for the work that was originally planned for the us-central1 region.

Step 1 Convert the network mode

Console: Products and Services > Networking > Networks

Click on the learnauto network to view network details.

Notice that there is no option to select the subnetworks. You can only delete the entire network.

You won't be able to delete the subnetwork or create the new one because it's an auto-type network. You will have to convert it to a custom-type network to gain more control.

Return to the networks page.

Under Mode, you will see a pull-down menu that currently says "Auto subnetworks".

Click on edit:

Use the pull-down menu to select "Custom".

Click the [Save] button.

Step 2 Delete the subnetwork

Click on the learnauto network to return to the network details. You should now be able to select and delete the us-central1 subnetwork.

Step 3 Create the new subnetwork

Create the new subnetwork in us-east1.

Reflecting the new tighter policies, the new subnetwork is CIDR /26. How many VMs can that support?

/26 = 64 addresses, minus broadcast, subnet, and gateway = 61 VMs.

Return to the networks page and click on the learnauto network to return to the network details.

Property | Value
Name | new-useast
Region | us-east1
IP address range | 10.133.5.0/26

Click [Add].

The projects in the new-useast subnetwork have been a success; however, the original /26 range was too restrictive. Expand the subnetwork to support at least 500 VMs.

Step 1 Prepare to modify the address range

Console: Products and Services > Networking > Networks

Click on the learnauto network to view network details.

Some GCP features are not yet supported in the console web user interface. This operation is one of them, so the command must be entered manually in Cloud Shell.

Click on the Cloud Shell icon in the upper right part of the top menu bar to open Cloud Shell.

Step 2 Increase the address range

Enter the following command:

$ gcloud compute networks subnets expand-ip-range new-useast \
    --prefix-length 24 \
    --region us-east1

The IP range of subnetwork [new-useast] will be expanded from 10.133.5.0/26 to 10.133.5.0/24. This operation may take several minutes to complete and cannot be undone.

Do you want to continue (Y/n)?  Y
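The counting rule from the /20 and /26 capacity questions earlier, and the expand-ip-range step above, worked through in an added Python example that is not part of the lab: it computes capacity under the lab's rule (network address, broadcast address and gateway are unavailable), finds the smallest block for a given VM count, and models what the expansion does to the range. The function names and the /29 and /8 search bounds are this example's assumptions. One thing it makes visible: under the lab's counting the /24 the command produces holds 253 VMs, and a requirement of at least 500 VMs calls for a /23.

```python
import ipaddress

# The lab's counting rule: in every subnetwork the all-zeros (network)
# address, the all-ones (broadcast) address and the first host address
# (the gateway) are not available to VMs.
RESERVED_PER_SUBNET = 3


def usable_vm_addresses(cidr):
    """VM capacity of a subnetwork under the lab's counting rule."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def prefix_for_capacity(vm_count, longest_prefix=29, shortest_prefix=8):
    """Longest IPv4 prefix (smallest block) whose usable address count meets
    vm_count. The /29 and /8 bounds are this example's assumptions."""
    for prefix in range(longest_prefix, shortest_prefix - 1, -1):
        if 2 ** (32 - prefix) - RESERVED_PER_SUBNET >= vm_count:
            return prefix
    raise ValueError(f"no prefix between /{shortest_prefix} and /{longest_prefix} fits {vm_count} VMs")


def expanded_range(old_cidr, new_prefix):
    """Model of what `gcloud compute networks subnets expand-ip-range` does:
    the prefix only gets shorter, and the result is the enclosing block of
    the old range (10.133.5.0/26 expanded to /24 yields 10.133.5.0/24).
    Returns the new range as a string; raises if the request would shrink."""
    old = ipaddress.ip_network(old_cidr)
    if new_prefix >= old.prefixlen:
        raise ValueError("expand-ip-range can only shorten the prefix length")
    new = old.supernet(new_prefix=new_prefix)
    if not new.supernet_of(old):            # the old range must stay inside
        raise RuntimeError("expansion does not contain the original range")
    return str(new)


if __name__ == "__main__":
    for cidr in ("10.140.0.0/20", "10.133.5.0/26", "10.133.5.0/24"):
        print(f"{cidr:>16} -> {usable_vm_addresses(cidr)} VMs")
    print("smallest block for 500 VMs: /", prefix_for_capacity(500), sep="")
    print("expand 10.133.5.0/26 to /24:", expanded_range("10.133.5.0/26", 24))
```

One caveat for real sizing: Google Cloud reserves four addresses in each primary range (the first two and the last two), one more than the lab counts, so production estimates should subtract 4.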

Step 3 Verify the change

There is no refresh button on the network details page to see the result. Return to the networks page.

Click on Refresh until you see that the range has expanded.

Before you can delete networks and subnets, you must delete all VMs and firewall rules.

Console: Products and Services > Compute Engine > VM instances

Step 1 Delete the VMs

Select all the VMs and delete them.

Step 2 Delete the firewall rules you created

Console: Products and Services > Networking > Firewall rules

Select all firewall rules that you created and delete them.

Step 3 Networks

Console: Products and Services > Networking > Networks

Click learncustom to see Network details.

Delete the network.

Console: Products and Services > Networking > Networks

Click learnauto to see Network details.

Delete the network.

Do not delete the Default network.

Step 4 Delete the project

Console: Products and Services > IAM & Admin > Settings

Click on the Delete Project button:

The following message is displayed:

You now know how to delete a project, and what will happen to any remaining assets.

Do not delete the project.

Click [Cancel].

© Google, Inc. or its affiliates. All rights reserved. Do not distribute.