Google Cloud Network Prep Notes by Ammett Williams
Google Cloud Professional Cloud Network Engineer Exam Prep Sheet by Ammett

This is my guide based on my preparation for the exam. References from Google Docs and other sources.
V1.2: 01-2020

White papers you must review list:
1- Best practices for enterprise organizations
2- VPC Overview
3- Alias IP
4- VPC Network Peering
5- Shared VPC
6- Choosing a load balancer
7- Cloud CDN Overview
8- Choosing a VPN option
9- Cloud Router
10- Direct Peering
11- Carrier peering
12- Dedicated Interconnect
13- Partner Interconnect
14- Creating a VPC-native Cluster
15- Private Cluster Kubernetes
16- Firewall Rules Logging
17- Cloud DNS
18- Networking Kubernetes
19- URL_Map
20- Load balancer health checks
Organisation Structures
What it is: Resources are organized hierarchically. This allows you to map your enterprise's operational structure to GCP, and to manage access control and permissions for groups of related resources.
Key points:
1- Flow (Organisation, Folders, Projects, Resources)
2- Where to manage permissions for groups, department, entire organisation, etc.
What you should know:
1- Permissions level necessary to do certain functions
2- Domains, Groups, G Suite domain, Super users.
Review documents: Cloud Platform hierarchy
Video: Hierarchy
My experience: This area is fundamental; please understand how to control it to get the separation and security in your domain.
Cloud IAM
What it is: IAM lets you manage access control by defining who (identity) has what access (role) for which resource.
Key points:
1- Best way to manage (use groups)
2- Roles (primitive, predefined & custom)
3- Roles necessary to do certain functions (network, security, IAM, cloud storage)
What you should know:
1- Permissions level necessary
2- Permission errors
3- How & when to create custom roles
4- Service account permissions
Review documents: Cloud IAM overview; Best practices for identity
Video: Cloud IAM
My experience: IAM on a networking exam? Yes, know it well because it will come. Knowing the roles necessary for certain actions may help if you can figure it out.
CIDR RFC-1918
What it is: You can choose any private RFC 1918 CIDR block for the primary IP address range of the subnet addresses.
Key points:
1- The 4 Reserved Addresses (network, gateway, google reserved, broadcast)
2- How to assign your own range
What you should know:
1- How to assign static internal IP
2- How to change IP
Review documents: IP Addresses; Reserve Internal IP
Video: Networking with IP Address
My experience: Some form of RFC-1918 will come. Keep in mind what is reserved, auto-mode, RFC 1918.
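Added example (not from the prep sheet): a small checker for the four addresses reserved in every subnet primary range (network, gateway, the second-to-last "google reserved" address, broadcast), RFC 1918 membership and the overlapping-range rule from the subnet section; the sample ranges are constructed.

```python
import ipaddress

# The three RFC 1918 private blocks a primary subnet range must come from.
RFC1918_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reserved_addresses(cidr):
    """Return the four addresses GCP reserves in a subnet primary range."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = int(net.network_address)
    last = int(net.broadcast_address)
    return {
        "network": str(net.network_address),                    # first address
        "gateway": str(ipaddress.ip_address(first + 1)),        # default gateway
        "google_reserved": str(ipaddress.ip_address(last - 1)), # second to last
        "broadcast": str(net.broadcast_address),                # last address
    }


def usable_hosts(cidr):
    """Addresses left for VMs once the four reserved ones are removed."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 4


def is_rfc1918(cidr):
    """True if the whole range sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def can_assign_static_internal(cidr, ip):
    """Can `ip` be reserved as a static internal address inside `cidr`?"""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return False, f"{ip} is outside {cidr}"
    for name, reserved in reserved_addresses(cidr).items():
        if str(addr) == reserved:
            return False, f"{ip} is the reserved {name} address"
    return True, "assignable"


def overlapping_ranges(cidrs):
    """Pairs of ranges that overlap; one VPC cannot hold overlapping subnets."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]
```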
External IP
What it is: These are routable on the public internet and allow you access to the internet.
Key points:
1- This is optional
2- Default is ephemeral; these change
3- Static can be assigned
What you should know:
1- Charged if not attached to a VM
2- How to change an ephemeral IP to another ephemeral IP
3- How to create a static external IP
Review documents: Reserve External IP
My experience: These can appear but shouldn't be too difficult to handle.
Subnet Types
What it is: Subnets are used to separate resources and control communication between tiers. Access can be controlled via routes and firewalls.
Key points:
1- Default (automatically generated with a project); they have default firewall rules and a subnet in every region
2- Auto-mode: automatically creates a subnet in every region (the default subnet is an auto mode subnet), 10.128.0.0/9
What you should know:
1- Custom is fully user controlled
2- Avoid overlapping ranges
3- You can convert from auto to custom (one way). Things can get affected.
4- You can increase the IP range, not decrease it
Video: Create Custom Subnet
My experience: Take note of this area. CIDR block host availability for VPC and also in Kubernetes.
Private Access
What it is: Allows VMs with internal (RFC 1918) IP addresses to reach certain APIs and services without internet access.
Key points:
1- No public IP address
2- Enabled on subnet
3- Default route
What you should know:
1- Services that support Private access
2- Default route 0.0.0.0/0 next hop "default internet gateway", or custom routes 199.36.153.4/30 or 199.36.153.8/30 next hop "default internet gateway"
Review documents: Private Google Access
Video: Access GCP and 3rd party services privately
My experience: This is a key topic. Especially what services are supported and how to set up.
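Added example (not from the prep sheet): a model of the Private Google Access conditions above (no external IP, access enabled on the subnet, and a route to the API range whose next hop is the default internet gateway) on top of GCP route selection, longest prefix first and then the lowest priority value, which is the routing order the Routes section refers to. The 199.36.153.x ranges are the ones listed on the sheet; the route tables and the "vpn-tunnel-onprem" next hop are constructed.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_INTERNET_GATEWAY = "default-internet-gateway"


@dataclass(frozen=True)
class Route:
    dest: str            # destination range, e.g. "0.0.0.0/0"
    next_hop: str        # "default-internet-gateway" or a tunnel / gateway name
    priority: int = 1000 # lower number wins among equal-length prefixes


def select_route(routes, ip):
    """Pick the route GCP would use for `ip`: longest prefix, then lowest priority."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.dest, strict=True)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


def pga_reachable(subnet_pga_enabled, vm_has_external_ip, routes, api_ip):
    """Decide whether a VM can reach `api_ip` through Private Google Access."""
    if vm_has_external_ip:
        return True, "VM has an external IP and does not need Private Google Access"
    if not subnet_pga_enabled:
        return False, "Private Google Access is not enabled on the subnet"
    route = select_route(routes, api_ip)
    if route is None:
        return False, f"no route matches {api_ip}"
    if route.next_hop != DEFAULT_INTERNET_GATEWAY:
        return False, f"route {route.dest} sends traffic to {route.next_hop}, not the default internet gateway"
    return True, f"route {route.dest} (priority {route.priority}) via {DEFAULT_INTERNET_GATEWAY}"


# Constructed sample route tables.
DEFAULT_ROUTES = [Route("0.0.0.0/0", DEFAULT_INTERNET_GATEWAY, 1000)]
# Default route removed; only the two API ranges from the sheet go to the gateway,
# the rest of 199.36.153.0/24 is sent over a hypothetical VPN tunnel.
LOCKED_DOWN_ROUTES = [
    Route("199.36.153.4/30", DEFAULT_INTERNET_GATEWAY, 100),
    Route("199.36.153.8/30", DEFAULT_INTERNET_GATEWAY, 100),
    Route("199.36.153.0/24", "vpn-tunnel-onprem", 100),  # hypothetical next hop
]
```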
Figures: IAM example 1; IAM example 2; Hierarchy Flow
Private Service
What it is: The private connection enables VMs in your VPC network and the services that you access to communicate exclusively by using internal (RFC 1918) IP addresses.
Key points:
1- External IP addresses are not required or used to reach the service producer network
2- Service producer's network
3- Private IP
4- Cloud SQL supports this
What you should know:
1- Works via peering from the customer network
2- Must define a CIDR range for services.
3- Connect within the same region
Review documents: Config private service access
Video: Access GCP and 3rd party services privately
My experience: Know the difference between Private services and Private access. Know which services use which.
Alias IP
What it is: Alias IP ranges let you assign ranges of internal IP addresses as aliases to a NIC. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address. Alias IP ranges also work with GKE Pods.
Key points:
1- Main address from primary (VM) CIDR
2- Alias can be from the main CIDR, or
3- Alias IP can be from secondary ranges.
What you should know:
1- Use of alias IP ranges does not require secondary subnet ranges. These secondary subnet ranges merely provide an organizational tool.
Review documents: Alias IP; Configuring Alias IP
My experience: Pay attention here. Alias IP can be used in VMs and Kubernetes.
VPC
What it is: A VPC network is your virtual network in the cloud, just like an on-premises physical network, data centre or office network.
Key points:
1- VPCs are global SDN
2- How to get traffic flowing
3- Using RFC 1918 subnets
4- Internal and external access
What you should know:
1- Internal and external access
2- Controlling access and firewalls
3- How to connect VPCs together (peering or sharing)
Review documents: VPC Overview
Video: VPC Deep Dive
My experience: Core area. Let me put it like this: if you do not understand all of the elements of a VPC, then don't do the exam.
Routes
What it is: These define the paths network traffic takes from a VM instance to other destinations. These destinations can be inside or outside of your VPC.
Key points:
1- The route table is defined at network level
2- The routing to the next hop: where should the next hop be
What you should know:
1- Type (system and custom)
2- Default route & subnet route
3- Static and dynamic routes
4- Routing order
Review documents: Routes in GCP; Cloud Router
My experience: You cannot have networking without routes. (Static, dynamic, subnet, custom, default, import, export)
Cloud Router
What it is: This enables you to dynamically exchange routes between a VPC and on-premises networks by using Border Gateway Protocol (BGP).
Key points:
1- Cloud Router automatically learns new subnets in your VPC network and announces them to your on-premises network
What you should know:
1- Global dynamic routing
2- Regional dynamic routing
Review documents: Cloud Router
My experience: Another critical area. Know how these are set up. It has a lot of small parts; get familiar with them.
BGP
What it is: Border Gateway Protocol is a protocol that manages how packets are routed across the internet through the exchange of routing and reachability information between edge routers.
Key points:
1- The ASN number range (64512 - 65534, 4200000000 - 4294967294)
2- IP range used 169.254.0.0/16
What you should know:
1- MED (route priority)
2- What can be configured without BGP
3- Troubleshooting
Review documents: Establishing BGP sessions; Troubleshooting Cloud Router
My experience: A question or 3 may come on BGP. Know what is required, problems and how it works.
Firewall
What it is: Allow or deny traffic to and from your virtual machine (VM) etc., based on configurations you specify.
Key points:
1- How they work (stateful) & scope
2- Implied rules
3- Default rules
What you should know:
1- How to restrict traffic
Review documents: Firewalls
Video: Firewalls; Network and security telemetry
My experience: You can't allow everything on your network, so expect a few firewall questions in the networking exam also.
Firewall logging
What it is: Firewall Rules Logging allows you to audit, verify, and analyze the effects of your firewall rules.
Key points:
1- Individually enabled
2- Supported for TCP & UDP only
3- Cannot enable on implied or default rules
What you should know:
1- Troubleshooting viewing (log entries missing, cannot view logs, where to apply logs)
Review documents: Firewall Logging
My experience: You should have an idea where to look, what rules are logged, priorities and how to fix.
Figures: Alias IP image example; Cloud Router for VPNs with VPC network
Load balancing topics: HTTP(S) Load balancer, SSL Proxy, TCP Proxy, Network Load balancer, Internal load balancer, Kubernetes Load balancing
Review documents: Choosing a load balancer; Troubleshooting health; HTTPS logging; Kubernetes HTTP(s) LB ingress

Deployment topics: DDoS, URL-Mapping, Managed Instance Groups, Unmanaged Instance Groups, Canary Deployments, Rolling Deployments
Review documents: Rolling Updates; Managed instances; Unmanaged instances; URL_Map
Figures: Kubernetes networking example; Choosing a Load balancer diagram
Google Kubernetes Engine topics: Cluster, Node, Pods, IP tables, Kubernetes subnetting
Review documents: Networking in Kubernetes
Cloud DNS topics: Cloud DNS, Session Affinity, Logging, Flow logs, Route based VPN, Policy based routing
Review documents: DNS; Troubleshooting health; HTTPS logging; Network and Tunnel routing

Further topics: Compute instance, Key Management, DNSSEC, Cloud Armour, Cloud NAT, IKEv1
Review documents: DNSSEC; Rolling Updates; URL_Map; NAT; Connecting using advanced methods
Figures: NAT image; Cloud Armour image
VPC Sharing
What it is: Used to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs.
Key points:
1- Centralised management
2- Firewall control
3- Internal RFC1918 communication
What you should know:
1- When to use (depends on services and controls necessary, etc.)
2- Who gets billed
Review documents: Shared VPC
Video: Hybrid Connectivity
My experience: This will pop up. Who knows, peering is sharing. Core topic.
VPC Peering
What it is: Access G Suite and Google Cloud features over VPN or the internet, while cutting egress fees. Connect directly with Direct Peering, or choose a partner with Carrier Peering.
Key points:
1- When to peer
2- What services you have access to
What you should know:
1- How to peer to a shared VPC
Review documents: VPC Peering
Video: Connecting to Datacentre
My experience: This will come. Know the requirements of peering and how to peer to shared networks. Core topic.
VPN
What it is: Connect your on-premises or other public cloud networks to GCP Virtual Private Cloud (VPC) securely over the internet through IPSec VPN.
Key points:
1- How to set up
2- IPSEC used
3- Best practices
What you should know:
1- Multiple tunnels
2- ECMP
Review documents: Cloud VPN
My experience: Core area. Make sure you know VPN very well. Know high availability, multi tunnelling and the various scenarios for use.
Dedicated Interconnect
What it is: Use Dedicated Interconnect to connect to Google's network through a highly available, low latency connection.
Key points:
1- Single mode fiber 10GBase-LR
2- LACP for links & 802.1q VLAN (10GB higher)
3- Supports EBGP with multihop
4- IPv4 link local addresses
5- Meet at co-location facilities
What you should know:
1- Type (system and custom)
2- Default route & subnet route
3- Static and dynamic routes
4- Min 10GB
5- Layer 2
Review documents: Dedicated Interconnect
My experience: Core area well represented in exam. Did I say well represented?
Partner Connect
What it is: Use Google Cloud Interconnect - Partner (Partner Interconnect) to connect to Google through a supported service provider (from 50 MB up).
Key points:
1- Best case use
2- Min size 50MB
3- Not over the internet
What you should know:
1- The IP range used
2- How to assign static internal
3- How to change IP
Review documents: Partner Interconnect
My experience: Core area well represented in exam also. If you don't know all the interconnect options well, don't do the exam.
VLAN
What it is: VLAN attachments (also known as InterconnectAttachments) determine which Virtual Private Cloud networks can reach your on-premises network through an interconnect.
Key points:
1- Works with Cloud Router
2- Maximum speed 10 Gbps
3- Multiple VLANs
What you should know:
1- Create VLAN attachments over Cloud Interconnect connections that have passed all tests and that are ready to use
Review documents: Creating VLAN attachment
My experience: Questions on this point may appear. You need a VLAN for what?
Dynamic routing
What it is: Dynamic routing is suitable for any size network. It frees you from maintaining static routes. Also, if a link fails, dynamic routing can automatically reroute traffic if possible.
Key points:
1- Cloud Router necessary
2- BGP session necessary
What you should know:
1- IPs automatically updated and propagated
2- Modes are global or regional
Review documents: Setting the network dynamic routing mode
My experience: How are routes updated? Manually or automatically. Understand how this works.
Stackdriver
What it is: Stackdriver Logging allows you to store, search, analyze, monitor, and alert on log data and events from Google Cloud Platform and Amazon Web Services (AWS).
Key points:
1- Individually enabled
2- Logging is supported for TCP and UDP only
What you should know:
1- Troubleshooting viewing (log entries missing, cannot view logs, where to apply logs)
Review documents: Stackdriver
Video: Stackdriver
My experience: You should have an idea where to look, what rules are logged, priorities and how to fix.
Figures: Connection options; Interconnect comparison
PS. These are my notes and tips that helped me pass the networking exam on the second attempt; this is a tough exam. Every area on the document represents a topic that has a strong probability of appearing. Google may change the exam requirements at any time, so always review the outline.

The knowledge is free; it just cost me some time to put together. Please share with your network who may be interested in GCP Networking or need a quick refresher on networking topics.

You can also check my other Google prep notes for the Security, DevOps and Engineer exams HERE.

Have a good day