Google Cloud Shared VPC

A Shared Virtual Private Cloud (VPC) is a feature within Google Cloud that enables organizations to connect resources from multiple projects to a common network infrastructure. This shared network, hosted within a designated “host project,” allows secure and efficient communication among resources using internal IP addresses. Service projects, attached to the host project’s network, can utilize specific subnets for their instances. This setup offers a balance between centralized control over network resources, such as subnets and firewalls, and decentralized administration of instances within individual service projects. By segregating administrative responsibilities, organizations can enforce consistent access control policies, enhance security, and … Continue reading Google Cloud Shared VPC

Configuring Google Cloud Workload Identity Federation (AWS)

A workload identity is a special identity used for authentication and access by software applications and services. It helps them connect to other services and resources securely. The most direct method for external workloads to use Google Cloud APIs is by using downloaded service account keys. However, this approach comes with two significant challenges: To address these issues, workload identity federation offers an alternative. This approach allows applications outside of Google Cloud to replace persistent service account keys with short-lived access tokens. This is accomplished by establishing a trust relationship between Google Cloud and an external identity provider. The external … Continue reading Configuring Google Cloud Workload Identity Federation (AWS)

Google Cloud Migration Scenarios

Lab and Configuration Staging The lab diagram for this exercise is show below: Staging Aviatrix Flows of Interest Constraints Migration Approaches The Slicer Constraints Testing Flow 1 and Flow 2 Migration using The Slicer (Switch Traffic) Slicing it: CSR1000v routes: If the Cloud Router custom advertisement is doing (route) summarization, the slice on the avx spoke gateway advertised routes is not required. In this case, we should customize the advertisement to only allow the subnetwork where the avx gateway was deployed. Flow3 and Flow 4 Migration using The Slicer (Switch Traffic) This step requires that all the north-south flows were … Continue reading Google Cloud Migration Scenarios

Apigee not bee :)

Apigee is a Google SaaS platform for developing and managing APIs. Apigee provides an abstraction layer to backend service APIs and provides security, rate limiting, quotas, and analytics. Apigee consists of the following components: A more granular network friendly diagram is show below: A more in depth overview is provided here: https://cloud.google.com/apigee/docs/api-platform/architecture/overview Setting it up There are at least three different ways to provision Apigee: https://cloud.google.com/apigee/docs/api-platform/get-started/provisioning-intro#provisioning-options I’m going to use a free trial wizard to get acquainted with Apigee: The evaluation wizard guides us through the steps: Apigee runtime requires a dedicated /22 range for evaluation: Each Apigee instance requires … Continue reading Apigee not bee 🙂

Scaling Out Secure Dedicated Ingress on GCP

Proposed Architecture The architecture presented below satisfies GCP customers requirements to use third party compute instance based appliances in their flows. The design considers HTTP(S) load balancers due its advanced capabilities. Constraints GCP Load Balancers Decision Chart Update DNS How to Scale Scenario 1 How to Scale Scenario 2 How to Scale Scenario 3 How to Scale Scenario 4 The HC as before is the same as we are checking the health of the compute instances: References https://research.google/pubs/pub44824/ https://cloud.google.com/load-balancing/docs/load-balancing-overview https://cloud.google.com/load-balancing/docs/backend-service Continue reading Scaling Out Secure Dedicated Ingress on GCP

Dedicated Ingress VPC Health Checks

Topology (VPC003) Workload Configuration Instance Group: Health check: Network Load Balancer: (VPC001) Ingress VPC SNAT/DNAT using single NAT: Another option is to use customized NAT: Instance Group: Health Check: External Global HTTP(S) Load Balancer: Testing Packet capture from the proxy instance: Troubleshooting Health check failures: “End-to-End” Health Check In this scenario, the external load balancer health check probes the the internal load balancer: New HC on port 80 (service port): References https://cloud.google.com/load-balancing/docs/health-check-concepts Continue reading Dedicated Ingress VPC Health Checks

Going full DevOps with GCP (Draft)

Google API Access Instances in VPC can reach Google and third-party APIs and services without an external IP address. All Google Cloud APIs and services support private access. The access methods are different for services in VPC networks compared to services in Google’s production infrastructure Advantages: Networking Services API Container Registry Serverless VPC Access Cloud Build Cloud Build is a managed service on Google Cloud Platform infrastructure that allows you to continuously build, test and deploy containers. Private pools are customer-specific resources and can be customized. One customization option is the capability to disable the association of external IPs: Once … Continue reading Going full DevOps with GCP (Draft)

Migrating from GCP… to GCP

Current and Future Architecture Current state: Desired state: vpc001 is composed of the following subnets: vpc001 routing table (filtering routes of interest): On-prem (AS 36180) routing table: Staging On-prem route table after staging is complete (avx gateway is not attached): Attaching the gateway: And advertise the vpc001 subnets with a better metric (please note that RFC 6598 prefixes are not advertised from AVX by default): To avoid traffic switching over to AVX asymmetrically during the staging we have a few options: Switching traffic over (East-West) vpc001 destination routes to vpc002: When Cloud Routers learn a prefix that exactly matches the … Continue reading Migrating from GCP… to GCP

All those (vpc) flow logs… Consolidate vpc flow logs using BigQuery

VPC FlowLogs VPC Flow Logs records a sample of network flow. Logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization. Once the vpc_flows are enabled on all subnets of interest, we can go to Logging to check if we see logs arriving: Sample below: BigQuery Cloud Logging “routes” logs to destinations like buckets, BigQuery or to Pub/Sub: We want to consolidate all logs in a centralized location where we can consume the data ingest. We can use BigQuery to accomplish that creating a sink. Sinks control how Cloud Logging routes logs: We can also set … Continue reading All those (vpc) flow logs… Consolidate vpc flow logs using BigQuery