What you need
To complete this lab, you need:
Internet access
Access to a supported Internet browser:
- The latest version of Google Chrome, Firefox, or Microsoft Edge
- Microsoft Internet Explorer 11+
- Safari 8+ (Safari private mode is not supported)
What you will do
- Create a default-type network, an auto-type network and a custom-type network and associated subnetworks
- Compare connectivity in the various types of networks
- Create routes and firewall rules using IP address and Tags to enable connectivity
- Convert an auto-type network to a custom-type network
- Expand the range of a subnetwork to allow for growth
- Create, expand, and delete subnetworks
What you will learn
- The relationships between networks and subnetworks
- The types of networks and how they differ
- How to use routes to establish path for communication
- How to use firewall rules to restrict communications
- How to expand the range of a subnetwork
- How to convert an auto-type network to a custom-type network
Here is a preview of the lab activities, and the networks you will create.
Part 1: Create the Network Topology
Part 2: Create the VM Instances
Part 3: Work with Routes and Firewall Rules
The scoping and connectivity relationships between zones, regions, networks, and subnets are different from networking in other public clouds.
Step 1 Create a Project
Select an existing project or create a new google cloud project.
- Navigate to https://console.cloud.google.com.
- Click on the project selector dropdown
- Select Create Project
- Give it an appropriate unique name.
Remember the project ID, a unique name across all Google Cloud projects. It will be referred to later in this lab as PROJECT_ID.
The default network is created automatically for you with each new project. The default network layout is not ideal for managing resources. It's main benefit is that it is a fast way to get a project setup and running. It's great for prototyping solutions and for training purposes.
Step 1 Examine the networks in console
Console: Products and Services > Networking > Networks
Notice the Default Network. It has been created automatically for you with a Subnetwork in each Region.
Example:
asia-east1 | default | 10.140.0.0/20 | 10.140.0.1
How many Internal IP addresses are available for VMs in each subnetwork?
- CIDR /20 = 4096 address
- All 1's address is used for broadcast
- All 0's address represents the subnetwork
- First address in the range the '.1' address, belongs to the virtual router / virtual firewall (labeled gateway).
- Therefore, each subnetwork can address 4093 VMs
Step 2 Examine the routes
Console: Products and Services > Networking > Routes
Notice that a route has been created for each subnetwork, and one global route to enable traffic to the Internet.
Step 1 Create an auto-type network
Console: Products and Services > Networking > Networks
Click on [+ Create Network].
|
|
Name: |
|
Description: |
|
Subnetworks |
|
When you click on Automatic, you should see it automatically populate the list of subnetworks to be created.
Step 2 Select the firewall rules
Select all of the firewall rules listed. If they are not selected they won't be created.
Step 3 Create the network
- At the bottom of the dialog are two links labeled "Equivalent REST or command line".
- Click on the REST link to see POST commands for API programming automation of this process.
- Click CLOSE
- Click on the command line link to see commands you could use for automation of this process.
- You could use these commands to create the network by clicking [Run in Cloud Shell] -- but don't do it.
- Click CLOSE
- Click on the [CREATE] button.
Click on the REFRESH button occasionally until the networks are created and appear in the list.
Step 1 Examine the routes
Console: Products and Services > Networking > Routes
Notice that a route has been created for each subnetwork, and one global route was created to enable traffic from anywhere, including the Internet.
Click on the title Destination IP ranges to sort the list of routes.
Notice that there is an identical subnetwork and route in the learnauto network as there is in the Default network. It is possible to have VMs with duplicate Internal IP addresses in the two networks.
Step 2 Examine the firewall rules
Console: Products and Services > Networking > Firewall rules
Verify that firewall rules were created for the learnauto network and its subnetworks.
You will be creating a custom-type network named learncustom. It will have three subnetworks (subnet-1a) 192.168.5.0/24, (subnet-1b) 192.168.3.0/24, in the same region, and (subnet-2) 192.168.7.0/24 in a different region.
Step 1 Create a custom network
Console: Products and Services > Networking > Networks
Click on [+ Create Network].
|
|
Name: |
|
Description: |
|
Subnetworks |
|
Step 2 Specify the subnetworks
Use the dialog to add three subnetworks as follows.
Click [+ Add subnetwork] to add another.
First subnetwork:
|
|
Name: |
|
Region: |
|
IP address range: |
|
Second subnetwork:
|
|
Name: |
|
Region: |
|
IP address range: |
|
Third subnetwork:
|
|
Name: |
|
Region: |
|
IP address range: |
|
It should look something like this:
Click the [Create] button.
Step 3 Examine the results: routes
Did creating the custom network automatically create routes?
Console: Products and Services > Networking > Routes
You can click on Network in the table header to sort by Network name. You should see routes created for each subnetwork.
Step 4 Examine the results: firewall rules
Did creating the custom network automatically create routes?
Console: Products and Services > Networking > Firewall rules
You can click on Network in the table header to sort by Network name.
No default firewall rules were created for the custom network. You will have to manually add default rules in during the next step.
Step 5 Create default firewall rules for the learncustom network
Notice that for the other networks, the default network and the learnauto network, that GCP automatically created default firewall rules allowing SSH traffic (tcp:22), icmp traffic, and rdp (tcp:3389) traffic for Windows VMs.
Add a firewall rule to provide the same access for the learncustom network.
Console: Products and Services > Networking > Firewall rules
Click on [+ Create Firewall Rule]
|
|
Name: |
|
Network: |
|
Source filter: |
|
Allowed protocols and ports: |
|
Target tags: |
|
Click the [Create] button.
You will attempt to modify the network by adding a subnetwork with an overlapping address range but in a different region. What do you predict will happen?
Console: Products and Services > Networking > Routes
Click on learncustom.
Click on [Add subnetwork]
|
|
Name: |
|
Region: |
|
IP address range: |
|
It appears that the dialog has accepted the input.
Click [Add] to create the subnetwork.
You should see something like this:
For the purposes of exploring the Cloud Virtual Network, you will create five micro VMs in different locations in the network. You will not install any additional software on them. They will not be running any applications. You will just be using them to explore the connectivity across the topologies in the network.
Name | Network | Region | Zone |
learn-1 |
|
|
|
learn-2 |
|
|
|
learn-3 |
|
|
|
learn-4 |
|
|
|
learn-5 |
|
|
|
Step 1 Create the learn-1 VM
Console: Products and Services > Compute Engine > VM instances
Click on [+ Create Instance]
|
|
Name: |
|
Zone: |
|
Machine type: |
|
Click on the line that says Management, disk, networking, SSH keys to access the advanced options.
Click on the Networking tab.
|
|
Network: |
|
Subnetwork: |
|
Click the [Create] button.
Step 2 Create the learn-2 VM
Console: Products and Services > Compute Engine > VM instances
Click on [+ Create Instance]
|
|
Name: |
|
Zone: |
|
Machine type: |
|
Click on the line that says Management, disk, networking, SSH keys to access the advanced options.
Click on the Networking tab.
|
|
Network: |
|
Subnetwork: |
|
Click the [Create] button.
Step 3 Create the learn-3 VM
Console: Products and Services > Compute Engine > VM instances
Click on [+ Create Instance]
|
|
Name: |
|
Zone: |
|
Machine type: |
|
Click on the line that says Management, disk, networking, SSH keys to access the advanced options.
Click on the Networking tab.
|
|
Network: |
|
Subnetwork: |
|
Click the [Create] button.
Step 4 Create the learn-4 VM
Console: Products and Services > Compute Engine > VM instances
Click on [+ Create Instance]
|
|
Name: |
|
Zone: |
|
Machine type: |
|
Click on the line that says Management, disk, networking, SSH keys to access the advanced options.
Click on the Networking tab.
|
|
Network: |
|
Subnetwork: |
|
Click the [Create] button.
Step 5 Create the learn-5 VM
Console: Products and Services > Compute Engine > VM instances
Click on [+ Create Instance]
|
|
Name: |
|
Zone: |
|
Machine type: |
|
Click on the line that says Management, disk, networking, SSH keys to access the advanced options.
Click on the Networking tab.
|
|
Network: |
|
Subnetwork: |
|
Click the [Create] button.
Step 6 Verify that all the test VMs are running
Console: Products and Services > Compute Engine > VM instances
It should look something like this:
You will SSH to the VMs and use ping to test connectivity between VMs. This will help you understand how the Cloud Virtual Network topology behaves.
One service of GCP is Cloud DNS. Cloud DNS provides IP translation. When you created the VMs, their addresses were automatically populated into Cloud DNS. For this reason, when you SSH to a VM you can use the ping command with the symbolic name of the target VM, and it will be translated for you to the IP address.
You can break out of the ping command at any time by pressing <ctrl><c>.
Step 1 ping from learn-1
Console: Products and Services > Compute Engine > VM instances
Click on the link to SSH to learn-1.
$ ping learn-1
Notice how DNS translates for you.
This should succeed.
Now try to reach learn-2.
$ ping learn-2
Can you explain why this fails?
It is because DNS is scoped to network. The VM learn-2 is not in the default network where learn-1 is located. So the symbolic name can't be translated.
Locate the internal IP address and the external IP address for learn-2.
Try to ping learn-2's internal IP address.
$ ping <learn-2's internal IP>
Did this work?
No. learn-1 is in the default network and learn-2 is in the learnauto network. Even though both VMs are located in the same region, us-east1 and in the same zone, us-east-1b, they cannot communicate over internal IP.
Try to ping learn-2's external IP address.
$ ping <learn-2's external IP>
This works.
Step 2 traceroute from learn-1
Verify that traceroute is working by tracing the route to a public website.
$ sudo traceroute cnn.com -I
Press <ctrl><c> to stop the command.
Did it work?
Yes.
Now use traceroute to find the path to learn-2's external IP.
$ sudo traceroute <learn-2's external IP> -I
How many hops was it from learn-1 to learn-2's external IP?
One.
Step 3 ping to learn-3
You already know that learn-3 is in a different network from learn-1, so it's internal IP will not be reachable.
Try to ping learn-3's external IP address.
$ ping <learn-3's external IP>
Press <ctrl><c> to stop the command.
Why didn't this work? You were able to reach learn-2's external IP, why not learn-3's?
Recall that learn-2 is in an auto-type network, so firewall rules were automatically created that enabled ingress traffic to reach its external IP. However, learn-3 is in a custom-type network, and no firewall rules were established. You created a firewall rule to permit access.
Take another look at that firewall rule.
Console: Products and Services > Networking > Firewall rules
Notice that the default firewall rules were established to "Apply to all targets". You created the firewall rule with tighter security. It will only permit traffic to VMs that have the Target tag allow-defaults.
Locate the learn-3 VM in console.
Console: Products and Services > Compute Engine > VM instances
Click on learn-3. to access details about the VM.
Click on edit: 
In the Tags section, add allow-defaults.
Click [Save] at the bottom of the page.
Return to the SSH terminal for learn-1 (or reconnect if needed).
Try again to ping learn-3's external IP address.
$ ping <learn-3's external IP>
This time it should work.
Step 1 ping to the other VMs
Open an SSH terminal to learn-3.
Try the following. Can you explain all the behaviors?
$ ping learn-4 $ ping learn-5 $ sudo traceroute learn-5 -I
DNS translation is working for both learn-4 and learn-5 because all of these VMs are in the same network as learn-4, the learncustom network.
Console: Products and Services > Compute Engine > VM instances
Try to SSH to learn-4.
The firewall rule for the learncustom network only delivers traffic to VMs with the target tag allow-defaults.
Step 2 Edit the firewall rule
Console: Products and Services > Networking > Firewall rules
Click on the rule allow-ssh-icmp-rdp-learncustom to get to it's details.
Click on edit:
In the Target tags section, remove allow-defaults. It will now apply to all targets.
Click the [Save] button.
Step 3 Try again
Everything should work this time:
$ ping learn-4 $ ping learn-5 $ sudo traceroute learn-5 -I
SSH to learn-4.
In this section, you convert an auto-type network to a custom-type network to gain more fine-grained control over the subnetworks.
A new policy for Network learnauto is to be implemented. There will no longer be assets in us-central1 region. New projects will instead shift planned assets from us-central1 to a new subnetwork in us-east1 region to be named new-useast.
Implement the policy. To accomplish this you will delete the learnauto us-central1 subnetwork and create the new subnetwork in us-east1 to allow for the work that was originally planned for the us-central1 region.
Step 1 Convert the network mode
Console: Products and Services > Networking > Networks
Click on the learnauto network to view network details.
Notice that there is no option to select the subnetworks. You can only delete the entire network.
You won't be able to delete the subnetwork or create the new one because it's an auto-type network. You will have to convert it to a custom-type network to gain more control.
Return to the networks page.
Under Mode, you will see a pull-down menu that currently says "Auto subnetworks".
Click on edit:
Use the pulldown menu to select "Custom".
Click the [Save] button.
Step 2 Delete the subnetwork
Click on the learnauto network to return to the network details. You should now be able to select and delete the us-central1 subnetwork.
Step 3 Create the new subnetwork
create the new subnetwork in us-east1.
Reflecting the new tighter policies, the new subnetwork is CIDR /26. How many VMs can that support?
/26 = 64 addresses, minus broadcast, subnet, and gateway = 61 VMs.
Return to the networks page and click on the learnauto network to return to the network details.
|
|
Name: |
|
Region: |
|
IP address range: |
|
Click [Add].
The projects in the new-useast subnetwork have been a success, however, the original range of /26 was too restrictive. Expand the subnetwork to support at least 500 VMs.
Step 1 Prepare to modify the address range
Console: Products and Services > Networking > Networks
Click on the learnauto network to view network details.
Some features available in GCP are not yet supported in the console web user interface. This is one of those commands that must be entered manually into Cloud Shell.
Click on the Cloud Shell icon in the upper right part of the top menu bar to open Cloud Shell.
Step 2 Increase the address range
Enter the following command:
$ gcloud compute networks subnets \ expand-ip-range new-useast \ --prefix-length 24 \ --region us-east1
The IP range of subnetwork [new-useast] will be expanded from 10.133.5.0/26 to 10.133.5.0/24. This operation may take several minutes to complete and cannot be undone. Do you want to continue (Y/n)? Y
Step 3 Verify the change
There is no refresh button on the network details page to see the result. Return to the networks page.
Click on Refresh until you see that the range has expanded.
Before you can delete networks and subnets, you must delete all VMs and firewall rules.
Console: Products and Services > Compute Engine > VM instances
Step 1 Delete the VMs
Select all the VMs and delete them.
Step 2 Delete the firewall rules you created
Console: Products and Services > Networking > Firewall rules
Select all firewall rules that you created and delete them.
Step 3 Networks
Console: Products and Services > Networking > Networks
Click learncustom to see Network details.
Delete the network.
Console: Products and Services > Networking > Networks
Click learnauto to see Network details.
Delete the network.
Do not delete the Default network.
Step 4 Delete the project
Console: Products and Services > IAM & Admin > Settings
Click on the Delete Project button: 
The following message is displayed:
You now know how to delete a project, and what will happen to any remaining assets.
Do not delete the project.
Click [Cancel].
©Google, Inc. or its affiliates. All rights reserved. Do not distribute.