Apigee not bee :)

Apigee is a Google SaaS platform for developing and managing APIs. Apigee provides an abstraction layer to backend service APIs and provides security, rate limiting, quotas, and analytics. Apigee consists of the following components: A more granular network friendly diagram is show below: A more in depth overview is provided here: https://cloud.google.com/apigee/docs/api-platform/architecture/overview Setting it up There are at least three different ways to provision Apigee: https://cloud.google.com/apigee/docs/api-platform/get-started/provisioning-intro#provisioning-options I’m going to use a free trial wizard to get acquainted with Apigee: The evaluation wizard guides us through the steps: Apigee runtime requires a dedicated /22 range for evaluation: Each Apigee instance requires … Continue reading Apigee not bee 🙂

Scaling Out Secure Dedicated Ingress on GCP

Proposed Architecture The architecture presented below satisfies GCP customers requirements to use third party compute instance based appliances in their flows. The design considers HTTP(S) load balancers due its advanced capabilities. Constraints GCP Load Balancers Decision Chart Update DNS How to Scale Scenario 1 How to Scale Scenario 2 How to Scale Scenario 3 How to Scale Scenario 4 The HC as before is the same as we are checking the health of the compute instances: References https://research.google/pubs/pub44824/ https://cloud.google.com/load-balancing/docs/load-balancing-overview https://cloud.google.com/load-balancing/docs/backend-service Continue reading Scaling Out Secure Dedicated Ingress on GCP

Dedicated Ingress VPC Health Checks

Topology (VPC003) Workload Configuration Instance Group: Health check: Network Load Balancer: (VPC001) Ingress VPC SNAT/DNAT using single NAT: Another option is to use customized NAT: Instance Group: Health Check: External Global HTTP(S) Load Balancer: Testing Packet capture from the proxy instance: Troubleshooting Health check failures: “End-to-End” Health Check In this scenario, the external load balancer health check probes the the internal load balancer: New HC on port 80 (service port): References https://cloud.google.com/load-balancing/docs/health-check-concepts Continue reading Dedicated Ingress VPC Health Checks

Migrating from GCP… to GCP

Current and Future Architecture Current state: Desired state: vpc001 is composed of the following subnets: vpc001 routing table (filtering routes of interest): On-prem (AS 36180) routing table: Staging On-prem route table after staging is complete (avx gateway is not attached): Attaching the gateway: And advertise the vpc001 subnets with a better metric (please note that RFC 6598 prefixes are not advertised from AVX by default): To avoid traffic switching over to AVX asymmetrically during the staging we have a few options: Switching traffic over (East-West) vpc001 destination routes to vpc002: When Cloud Routers learn a prefix that exactly matches the … Continue reading Migrating from GCP… to GCP

All those (vpc) flow logs… Consolidate vpc flow logs using BigQuery

VPC FlowLogs VPC Flow Logs records a sample of network flow. Logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization. Once the vpc_flows are enabled on all subnets of interest, we can go to Logging to check if we see logs arriving: Sample below: BigQuery Cloud Logging “routes” logs to destinations like buckets, BigQuery or to Pub/Sub: We want to consolidate all logs in a centralized location where we can consume the data ingest. We can use BigQuery to accomplish that creating a sink. Sinks control how Cloud Logging routes logs: We can also set … Continue reading All those (vpc) flow logs… Consolidate vpc flow logs using BigQuery

Using a GCP LB to provide DNS High-Availability

DNS uses UDP port 53 for most of it operations but relies on TCP for operations that requires the transmission of packets exceeding 512 bytes. When the message size exceeds 512 bytes, it triggers a ‘TC’ bit (Truncation) in DNS to inform the client that the message length has exceeded the allowed size. The client needs then to re-transmit over TCP (size limit is 64000 bytes). Back End Configuration If you happen to run the HC across a device like routers or firewall you will need to configure DNAT for those devices to properly reply back to the HC of … Continue reading Using a GCP LB to provide DNS High-Availability

GCP Routing Without Subtitles

Topology 1 Metric 100 comes from: Topology 2 Topology 3 CSR: Subnetworks 10.11.64-66 are on us-east1. Adding a new subnet to vpc001 but located in us-central1: is advertised from central gateway. Topology 4 Default Config: Import/Export: Topology 5 CSR1000v RIB: Using the same AS vpc001 and vpc002 does not exchange routes. If we change vpc002 CR to a different AS (64515): Topology 6 Topology 7 Topology 8 References https://cloud.google.com/vpc/docs/using-routes#gcloud https://cloud.google.com/network-connectivity/docs/router/support/troubleshooting https://developer.hashicorp.com/terraform/tutorials/kubernetes/gke?in=terraform%2Fkubernetes&utm_offer=ARTICLE_PAGE https://cloud.google.com/vpc/docs/routes Continue reading GCP Routing Without Subtitles

“Terraform-ing” your way towards Secure Multi Cloud Networking with Aviatrix

I’m going to Terraform an entire Aviatrix deployment using terraform on this blog, mainly the controller and copilot. There is always discussion around the controller and copilot deployment using automation but I’m assume if you are reading this post you are already convinced. Management Network I’m creating a new management network and subnet. This step is not necessary but it helps validating that the gcp controller terraform module can deploy a controller into an existing vpc: Controller Deployment The module gcp-controller allows you to launch the Aviatrix Controller and create the Aviatrix access account connecting to the Controller in Google … Continue reading “Terraform-ing” your way towards Secure Multi Cloud Networking with Aviatrix

Using Aviatrix for Google Cloud VMware Services Secure Cloud Networking Part 1

Google Cloud VMware Engine VMware Engine is a Google managed VMware software-defined data center (SDDC). It consists of the following components:  VMware vSphere vCenter Server vSAN NSX-T HCX (application migration and workload re-balancing across data centers and clouds) VMWare Engine is not available in all regions. Check the regions where the service is available following the link below: https://cloud.google.com/about/locations/#americas I’m going to use central-1 for my tests. Configuration The first step is enable the VMware Engine API: Once the API is enable, you have access to the engine dashboard: I’m going to create a private cloud for testing with a single node: … Continue reading Using Aviatrix for Google Cloud VMware Services Secure Cloud Networking Part 1