VPC - bobbae/gcp GitHub Wiki

Google Cloud Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) containers, and the App Engine flexible environment.

VPC provides networking for your cloud-based services that is global, scalable, and flexible.

https://www.youtube.com/watch?v=wmP6SQe5J7g

Google Cloud Virtual Private Cloud (VPC) Network Peering allows private connectivity across two VPC networks regardless of whether or not they belong to the same project or the same organization.

VPC networks use Linux's VIRTIO network module to model Ethernet card and router functionality, but higher levels of the networking stack, such as ARP lookups, are handled using standard networking software.

A Virtual Private Cloud (VPC) network is a virtual version of a physical network, implemented inside of Google's production network, using Andromeda.

Cloud Platform firewalls, routing, and forwarding rules all leverage the underlying internal Andromeda APIs and infrastructure.

VPC Design considerations

https://medium.com/@pbijjala/vpc-design-considerations-for-google-cloud-71ce67427256

Migrate from on-prem to cloud using VPC

https://www.youtube.com/watch?v=cNb7xKyya5c

Shared VPC

https://cloud.google.com/vpc/docs/shared-vpc

Shared VPC and VPC Peering

Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it.

The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network.

Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls.
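Because the host project keeps the network while service projects only get to attach interfaces, the thing to audit is who holds `roles/compute.networkUser` and at what scope. The script below is an added example, not code from this wiki or from Google; it walks constructed IAM policy documents shaped like the JSON output of `gcloud projects get-iam-policy` and `gcloud compute networks subnets get-iam-policy` (project, subnet and principal names are hypothetical) and flags project-wide grants, public principals and conditional bindings.

```python
NETWORK_USER = "roles/compute.networkUser"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample shaped like `gcloud projects get-iam-policy HOST_PROJECT --format=json`
# (hypothetical project and principal names).
HOST_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["group:sre@example.com"]},
        # Granted on the whole host project: usable on every Shared VPC subnet.
        {"role": NETWORK_USER, "members": ["serviceAccount:legacy-vm@svc-old.iam.gserviceaccount.com"]},
        # Conditional grants need a human to read the condition; they are reported, not evaluated.
        {"role": NETWORK_USER, "members": ["user:contractor@example.com"],
         "condition": {"title": "expires-2030",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ]
}

# Constructed samples shaped like
# `gcloud compute networks subnets get-iam-policy SUBNET --region REGION --format=json`,
# keyed by region/subnet (hypothetical names).
SUBNET_POLICIES = {
    "us-central1/app-subnet": {"bindings": [
        {"role": NETWORK_USER, "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com",
                                           "group:app-team@example.com"]}]},
    "us-central1/db-subnet": {"bindings": [
        {"role": NETWORK_USER, "members": ["allAuthenticatedUsers"]}]},
}


def bindings_for(policy, role):
    """Yield (members, condition) for every binding of `role` in an IAM policy document."""
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            yield set(binding.get("members", [])), binding.get("condition")


def network_user_grants(host_policy, subnet_policies):
    """Map each principal to the subnets it can attach VM interfaces to.

    '*' stands for a project-level grant, which covers every subnet in the host
    project. Returns (grants, conditional) where conditional lists bindings
    that carry an IAM condition and must be reviewed by hand.
    """
    grants, conditional = {}, []
    scopes = [("*", host_policy)] + list(subnet_policies.items())
    for scope, policy in scopes:
        for members, condition in bindings_for(policy, role=NETWORK_USER):
            if condition:
                conditional.extend((scope, m, condition.get("title", "")) for m in sorted(members))
                continue
            for member in members:
                grants.setdefault(member, set()).add(scope)
    return grants, conditional


def audit_network_user(host_policy, subnet_policies):
    """Least-privilege findings for compute.networkUser grants, sorted for stable output."""
    grants, conditional = network_user_grants(host_policy, subnet_policies)
    findings = []
    for member, scopes in grants.items():
        if member in PUBLIC_PRINCIPALS:
            findings.append(f"{member} may use {', '.join(sorted(scopes))}: "
                            "public principal must not hold networkUser")
        if "*" in scopes:
            findings.append(f"{member}: project-wide networkUser covers every shared subnet; "
                            "grant it per subnet instead")
    for scope, member, title in conditional:
        findings.append(f"{member} on {scope}: conditional binding '{title}' needs manual review")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_network_user(HOST_PROJECT_POLICY, SUBNET_POLICIES):
        print(line)
```

Subnet-level grants are the Shared VPC least-privilege primitive: a service project's service account that only needs `app-subnet` should not be able to place interfaces in `db-subnet`, and a project-wide `networkUser` binding silently gives it every subnet the host project will ever create.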

Google Cloud VPC Network Peering allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.

VPC Network Peering enables you to connect VPC networks so that workloads in different VPC networks can communicate internally. Traffic stays within Google's network and doesn't traverse the public internet.

https://medium.com/google-cloud/everything-you-always-wanted-to-know-about-vpc-peering-but-were-afraid-to-ask-2b26267ba7d9

VPC Network Sharing and Peering

Shared VPC allows you to export subnets from a VPC network in a host project to other service projects in the same organization. Instances in the service projects can have network interfaces in the shared subnets of the host project, while the host project keeps ownership of the network itself, its subnets, routes and firewall rules.

https://cloud.google.com/vpc/docs/shared-vpc

https://cloud.google.com/vpc/docs/vpc-peering
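Two things break peerings in practice: overlapping subnet ranges (Google refuses to activate the peering, and later refuses to create a subnet that would collide with a peer's range) and a peering that only one side has configured, which stays INACTIVE. The check below is an added example, not code from this wiki or from Google; it runs over constructed data shaped like `gcloud compute networks subnets list --format=json` and the `peerings` field of `gcloud compute networks describe --format=json` (project and network names are hypothetical), and also reports a custom-route export that the peer does not import.

```python
import ipaddress

API = "https://www.googleapis.com/compute/v1/projects"
NET_A = f"{API}/proj-a/global/networks/net-a"   # hypothetical
NET_B = f"{API}/proj-b/global/networks/net-b"   # hypothetical, in a different project

# Constructed sample shaped like `gcloud compute networks subnets list --format=json` from both projects.
SUBNETS = [
    {"name": "a-apps", "network": NET_A, "ipCidrRange": "10.10.0.0/20",
     "secondaryIpRanges": [{"rangeName": "pods", "ipCidrRange": "10.100.0.0/16"}]},
    {"name": "a-data", "network": NET_A, "ipCidrRange": "10.10.16.0/20"},
    {"name": "b-apps", "network": NET_B, "ipCidrRange": "10.20.0.0/20"},
    {"name": "b-legacy", "network": NET_B, "ipCidrRange": "10.100.128.0/17"},  # collides with a-apps/pods
]

# Constructed samples shaped like the `peerings` field of `gcloud compute networks describe --format=json`,
# keyed by network URL. Only net-a has configured its side so far.
NETWORKS = {
    NET_A: {"name": "net-a", "peerings": [
        {"name": "a-to-b", "network": NET_B, "state": "INACTIVE",
         "stateDetails": "[2024-05-01T10:00:00.000-07:00]: Waiting for peer network to connect.",
         "exchangeSubnetRoutes": True, "exportCustomRoutes": False, "importCustomRoutes": False}]},
    NET_B: {"name": "net-b", "peerings": []},
}


def short(network_url):
    return network_url.rsplit("/", 1)[-1]


def exported_ranges(subnets, network):
    """Primary and secondary subnet ranges a network contributes to a peering's subnet routes."""
    out = []
    for s in subnets:
        if s["network"] != network:
            continue
        out.append((s["name"], ipaddress.ip_network(s["ipCidrRange"])))
        for sec in s.get("secondaryIpRanges", []):
            out.append((f"{s['name']}/{sec['rangeName']}", ipaddress.ip_network(sec["ipCidrRange"])))
    return out


def overlapping_ranges(subnets, net_a, net_b):
    """Pairs of ranges that collide across the two networks; any hit blocks the peering."""
    return sorted((a, str(ra), b, str(rb))
                  for a, ra in exported_ranges(subnets, net_a)
                  for b, rb in exported_ranges(subnets, net_b)
                  if ra.overlaps(rb))


def peer_entry(networks, src, dst):
    """src's peering record pointing at dst, or None if src never configured it."""
    return next((p for p in networks.get(src, {}).get("peerings", []) if p.get("network") == dst), None)


def peering_state(networks, net_a, net_b):
    """Each side's view; the peering carries traffic only when both sides report ACTIVE."""
    def side(src, dst):
        p = peer_entry(networks, src, dst)
        return "MISSING" if p is None else p.get("state", "UNKNOWN")
    return {"a_to_b": side(net_a, net_b), "b_to_a": side(net_b, net_a)}


def check_peering(subnets, networks, net_a, net_b):
    """Findings that would stop traffic flowing; an empty list means the peering should come up."""
    findings = [f"{a} {ra} overlaps {b} {rb}" for a, ra, b, rb in overlapping_ranges(subnets, net_a, net_b)]
    for side, state in peering_state(networks, net_a, net_b).items():
        if state != "ACTIVE":
            findings.append(f"{side}: {state}")
    for src, dst in ((net_a, net_b), (net_b, net_a)):
        out_p, in_p = peer_entry(networks, src, dst) or {}, peer_entry(networks, dst, src) or {}
        if out_p.get("exportCustomRoutes") and not in_p.get("importCustomRoutes"):
            findings.append(f"{short(src)} exports custom routes that {short(dst)} does not import")
    return findings


if __name__ == "__main__":
    for line in check_peering(SUBNETS, NETWORKS, NET_A, NET_B):
        print(line)
```

Secondary ranges count: a GKE pod range in one network overlapping a plain subnet in the other is exactly the collision the sample shows. Peering is also not transitive, so a network peered with `net-b` does not reach `net-a` through it; a checker like this is run per pair.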

VPC Service Controls

VPC Service Controls improves your ability to mitigate the risk of data exfiltration from Google Cloud services such as Cloud Storage and BigQuery. You can use VPC Service Controls to create perimeters that protect the resources and data of services that you explicitly specify.

https://blog.scalesec.com/vpc-service-controls-in-plain-english-a5ce9779393e

VPC Service Controls provides an extra layer of security defense for Google Cloud services that is independent of Identity and Access Management (IAM). While IAM enables granular identity-based access control, VPC Service Controls enables broader context-based perimeter security, including controlling data egress across the perimeter. We recommend using both VPC Service Controls and IAM for defense in depth.
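A perimeter is only as good as what you do with its denials. VPC Service Controls writes each decision to the Policy Denied audit log with a `VpcServiceControlAuditMetadata` block carrying the violation reason, the perimeter, a dry-run flag and a unique id. The parser below is an added example, not code from this wiki or from Google; it runs over constructed audit-log lines (project, perimeter, principals and ids are hypothetical), separates dry-run hits from enforced ones, and ignores ordinary IAM denials that lack the VPC SC metadata.

```python
import json
from collections import Counter

VPCSC_METADATA = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"


def _entry(service, method, principal, reason, dry_run, uid, caller_ip="10.10.0.5"):
    """Build one constructed Policy Denied audit-log entry in the shape Cloud Logging exports."""
    return json.dumps({
        "logName": "projects/proj-123/logs/cloudaudit.googleapis.com%2Fpolicy",
        "severity": "ERROR",
        "timestamp": "2024-05-01T10:00:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service, "methodName": method,
            "status": {"code": 7, "message": "PERMISSION_DENIED"},
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": caller_ip},
            "metadata": {"@type": VPCSC_METADATA, "dryRun": dry_run, "violationReason": reason,
                         "vpcServiceControlsUniqueId": uid,
                         "securityPolicyInfo": {"servicePerimeterName": "accessPolicies/111/servicePerimeters/prod",
                                                "organizationId": "999"}}}})


# Constructed log lines (hypothetical project, perimeter, principals and ids); the last one is an
# ordinary IAM denial with no VPC SC metadata and must be ignored.
LOG_LINES = [
    _entry("storage.googleapis.com", "google.storage.objects.get", "etl@proj-123.iam.gserviceaccount.com",
           "NO_MATCHING_ACCESS_LEVEL", False, "vpcsc-0001", caller_ip="203.0.113.10"),
    _entry("bigquery.googleapis.com", "google.cloud.bigquery.v2.JobService.InsertJob",
           "analyst@example.com", "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER", False, "vpcsc-0002"),
    _entry("storage.googleapis.com", "google.storage.objects.list", "ci@proj-123.iam.gserviceaccount.com",
           "NO_MATCHING_ACCESS_LEVEL", True, "vpcsc-0003"),
    json.dumps({"logName": "projects/proj-123/logs/cloudaudit.googleapis.com%2Fdata_access", "severity": "ERROR",
                "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "google.storage.objects.get",
                                 "status": {"code": 7}, "authenticationInfo": {"principalEmail": "x@example.com"}}}),
]


def parse_vpcsc_violations(lines):
    """Pull VPC Service Controls decisions out of exported audit-log JSON lines.

    Only entries whose protoPayload.metadata is VpcServiceControlAuditMetadata are
    perimeter decisions; other PERMISSION_DENIED entries are plain IAM failures.
    """
    out = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        payload = entry.get("protoPayload", {})
        meta = payload.get("metadata", {})
        if meta.get("@type") != VPCSC_METADATA:
            continue
        out.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "?"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "?"),
            "service": payload.get("serviceName", "?"),
            "method": payload.get("methodName", "?"),
            "reason": meta.get("violationReason", "?"),
            "perimeter": meta.get("securityPolicyInfo", {}).get("servicePerimeterName", "?"),
            "enforced": not meta.get("dryRun", False),
            "unique_id": meta.get("vpcServiceControlsUniqueId", "?"),
        })
    return out


def summarize(violations):
    """Count decisions by (reason, mode): dry-run hits are what to fix before enforcing;
    enforced hits are an attacker, a misconfiguration, or a missing ingress/egress rule."""
    return Counter((v["reason"], "enforced" if v["enforced"] else "dry-run") for v in violations)


def ids_to_troubleshoot(violations):
    """Unique ids of enforced denials, the value Google's troubleshooting docs have you search for."""
    return sorted(v["unique_id"] for v in violations if v["enforced"])


if __name__ == "__main__":
    found = parse_vpcsc_violations(LOG_LINES)
    for key, n in sorted(summarize(found).items()):
        print(key, n)
    print("troubleshoot:", ids_to_troubleshoot(found))
```

Run a perimeter in dry-run mode first and drive the dry-run counter to zero for legitimate workloads; once enforced, the same parser becomes a detection for data-exfiltration attempts that IAM alone would have permitted.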

https://cloud.google.com/vpc-service-controls

https://medium.com/@omniai/vpc-service-control-is-a-unique-option-available-on-the-gcp-platform-that-delivers-a-layer-of-ea752be64e8f

https://medium.com/google-cloud/google-cloud-vpc-service-controls-lessons-learned-670619c3d82c

VPC Service Controls — Secured Data Sharing

https://medium.com/kpmg-uk-engineering/vpc-service-controls-secured-data-sharing-267502eed5fc

Auto mode vs Custom mode VPC network creation

https://cloud.google.com/vpc/docs/vpc#subnet-ranges

Access APIs and services

Private Service Connect

https://cloud.google.com/vpc/docs/private-service-connect

Exposing the client behind Private Service Connect

https://medium.com/google-cloud/exposing-the-client-behind-psc-2471a851ae23

Private Service Connect to connect privately with Google APIs and services

https://faun.pub/private-service-connect-to-connect-privately-with-google-apis-and-services-e91da2f26a7a

Private Service Access

https://cloud.google.com/vpc/docs/private-services-access

Private Google Access

https://cloud.google.com/vpc/docs/private-google-access

Configure Private Google Access

When a Compute Engine VM has no external IP address on a network interface, that interface can only send packets to internal IP address destinations (unless the subnet is served by Cloud NAT). Enabling Private Google Access on the subnet that the interface uses lets such VMs reach the external IP addresses of Google APIs and services without an external IP or NAT. Private Google Access is a subnet setting only: the VPC still needs a route to those addresses (the default route to the default internet gateway, or a specific route for the private.googleapis.com or restricted.googleapis.com ranges) and egress firewall rules that permit the traffic.

https://cloud.google.com/vpc/docs/configure-private-google-access
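The subnet flag, the route and the egress firewall rule all have to line up, and a more-specific route (for example one learned over a VPN tunnel) silently wins over the default route. The checker below is an added example, not code from this wiki or from Google; it runs over constructed data shaped like the JSON output of `gcloud compute networks subnets describe`, `gcloud compute routes list` and `gcloud compute firewall-rules list` (project and resource names are hypothetical) and reports everything that would stop a VM without an external IP reaching the restricted.googleapis.com VIP on TCP 443.

```python
import ipaddress

API = "https://www.googleapis.com/compute/v1/projects/example-proj"   # hypothetical project
NETWORK = f"{API}/global/networks/prod-vpc"
DEFAULT_IGW_SUFFIX = "/global/gateways/default-internet-gateway"

# Google publishes restricted.googleapis.com as 199.36.153.4/30 and private.googleapis.com as 199.36.153.8/30.
RESTRICTED_VIP = ipaddress.ip_address("199.36.153.4")

# Constructed samples (hypothetical names) shaped like the JSON output of
# `gcloud compute networks subnets describe`, `gcloud compute routes list` and
# `gcloud compute firewall-rules list`.
SUBNET = {"name": "prod-private", "network": NETWORK, "ipCidrRange": "10.10.0.0/20",
          "privateIpGoogleAccess": True}
ROUTES = [
    {"name": "default-route", "network": NETWORK, "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": f"{API}{DEFAULT_IGW_SUFFIX}"},
]
FIREWALLS = [
    {"name": "deny-all-egress", "network": NETWORK, "direction": "EGRESS", "priority": 65000,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-restricted-apis", "network": NETWORK, "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["199.36.153.4/30"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]


def selected_route(routes, network, dest_ip):
    """Route Compute Engine would pick for dest_ip: longest prefix first, then lowest priority number."""
    candidates = [r for r in routes
                  if r.get("network") == network and dest_ip in ipaddress.ip_network(r["destRange"])]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r["destRange"]).prefixlen,
                                          r.get("priority", 1000)))


def _port_matches(spec, port):
    ports = spec.get("ports")
    if not ports:                       # no port list means every port of that protocol
        return True
    for p in ports:                     # entries are "443" or ranges like "1024-65535"
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _spec_matches(entries, proto, port):
    return any(e.get("IPProtocol") in ("all", proto) and _port_matches(e, port) for e in entries)


def egress_allowed(firewalls, network, dest_ip, proto="tcp", port=443, instance_tags=frozenset()):
    """Apply VPC egress firewall semantics: lowest priority number wins, deny beats allow on a tie,
    and the implied allow-egress rule (priority 65535) applies when nothing else matches."""
    ordered = sorted(firewalls, key=lambda f: (f.get("priority", 1000), 0 if "denied" in f else 1))
    for fw in ordered:
        if fw.get("network") != network or fw.get("direction") != "EGRESS" or fw.get("disabled"):
            continue
        tags = fw.get("targetTags")
        if tags and not set(tags) & set(instance_tags):     # rule scoped to instances we are not
            continue
        if not any(dest_ip in ipaddress.ip_network(r) for r in fw.get("destinationRanges") or ["0.0.0.0/0"]):
            continue
        if _spec_matches(fw.get("allowed", []), proto, port):
            return True, fw["name"]
        if _spec_matches(fw.get("denied", []), proto, port):
            return False, fw["name"]
    return True, "implied-allow-egress"


def private_google_access_findings(subnet, routes, firewalls, dest_ip=RESTRICTED_VIP, instance_tags=frozenset()):
    """Everything that would stop a VM without an external IP in `subnet` reaching dest_ip:443."""
    findings = []
    if not subnet.get("privateIpGoogleAccess"):
        findings.append(f"subnet {subnet['name']}: privateIpGoogleAccess is off")
    route = selected_route(routes, subnet["network"], dest_ip)
    if route is None:
        findings.append(f"no route in {subnet['network'].rsplit('/', 1)[-1]} covers {dest_ip}")
    elif not route.get("nextHopGateway", "").endswith(DEFAULT_IGW_SUFFIX):
        findings.append(f"route {route['name']} ({route['destRange']}) wins for {dest_ip} "
                        "but its next hop is not default-internet-gateway")
    ok, rule = egress_allowed(firewalls, subnet["network"], dest_ip, instance_tags=instance_tags)
    if not ok:
        findings.append(f"egress tcp/443 to {dest_ip} is denied by firewall rule {rule}")
    return findings


if __name__ == "__main__":
    print(private_google_access_findings(SUBNET, ROUTES, FIREWALLS) or "private google access path looks good")
```

The sample firewall set is the shape to aim for in a locked-down VPC: a low-precedence deny-all egress rule plus a narrow allow to the restricted VIP range only, so that Private Google Access works while every other egress path stays closed.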

Private Google Access on-prem hybrid

https://cloud.google.com/vpc/docs/private-google-access-hybrid

IPAM Autopilot

https://medium.com/google-cloud/ipam-autopilot-for-gcp-vpcs-8af97adf33c4