
Wednesday, November 8, 2023

Google Cloud VPC Configuration


Virtual Private Cloud

Virtual Private Cloud (VPC) is the virtual instance of the network within Google Cloud that provides connectivity for compute and other resources. Unlike AWS, a VPC in Google Cloud is global: compute resources can be part of the same VPC irrespective of the region or Availability Zone (AZ) in which they are created, and by default they can communicate among themselves. Subnets are regional resources and so cannot span regions; each region can be assigned one or more subnets from within the VPC.

In this article, we will discuss the following three ways of creating a VPC in Google Cloud:

  • Google Cloud Console
  • gcloud CLI
  • Terraform


Google Cloud Console

Below is a quick one-minute video showing the steps to create the VPC.



This section explains how to create a new VPC from the Google Cloud console using the following steps:

  1. Go to console.cloud.google.com/networking to create a new VPC network. Note that each project is created with a “default” VPC that has a subnet in every region; an admin can delete this default VPC to avoid confusion.
  2. Use the CREATE VPC NETWORK button to create a new VPC for this project. It takes the user to the VPC creation page.
  3. Configure a unique name for the VPC and set the MTU value based on the requirement.
  4. Select the relevant subnet creation mode.
    • Custom lets the user create the subnets manually on a per-region basis.
    • Automatic assigns a subnet in every region automatically.
  5. Configure the firewall rules to apply to the VPC. These rules apply to any instance attached to this VPC.
  6. Select the Dynamic routing mode, which determines how the prefixes/routes learned from external networks through Cloud Router are propagated within the VPC. This can be changed after the VPC is created.
    • Regional instructs the Cloud Router to make externally learned routes available only to instances within the same region.
    • Global instructs the Cloud Router to make externally learned routes available to all instances irrespective of region.

gcloud CLI


The gcloud command line is another way to configure the VPC. Below is an example of configuring a new VPC with the following parameters:
  • Name – nyacorp-vpc1
  • Project – nyacorp
  • Description – “VPC1 for NYACORP”
  • Subnet Creation Mode – Automatic
  • MTU – 1500
  • Dynamic Routing Mode – Regional.

gcloud compute networks create nyacorp-vpc1 --project=nyacorp --description=VPC1\ for\ NYACORP --subnet-mode=auto --mtu=1500 --bgp-routing-mode=regional

Additional firewall rules can be created with the following CLI:

gcloud compute firewall-rules create nyacorp-vpc1-allow-custom --project=nyacorp --network=projects/nyacorp/global/networks/nyacorp-vpc1 --description=Allows\ connection\ from\ any\ source\ to\ any\ instance\ on\ the\ network\ using\ custom\ protocols. --direction=INGRESS --priority=65534 --source-ranges=10.128.0.0/9 --action=ALLOW --rules=all

VPC Configuration using Terraform


The basic terraform configuration involves the following steps:
  • Define the provider as google with the project and credentials details. Optionally include the region if the configuration is specific to a region.
  • Define the google_compute_network resource, where VPC-specific details such as the following are configured:
    • name (mandatory)
    • description (optional)
    • auto_create_subnetworks, which selects the subnet creation mode
    • routing_mode, which sets the Dynamic Routing mode
  • When auto_create_subnetworks is disabled (set to false), subnets are configured using the google_compute_subnetwork resource.

The sample terraform configuration is as below:

provider "google" {
  project     = "Terraform-Project"
  # Service-account key file read at plan/apply time; keep it out of version control
  credentials = file("credentials.json")
}

resource "google_compute_network" "nyacorp-vpc1" {
  # Ref - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network
  name                    = "nyacorp-vpc1"
  description             = "VPC1 for NYACORP"
  auto_create_subnetworks = false      # custom mode: subnets are defined explicitly below
  routing_mode            = "REGIONAL" # Dynamic routing mode
}

resource "google_compute_subnetwork" "public" {
  # Ref - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork
  name          = "public-subnet"
  ip_cidr_range = "10.1.0.0/20"
  region        = "us-east1"
  network       = google_compute_network.nyacorp-vpc1.id
}

Once the terraform configuration is applied using “terraform apply”, the VPC and the subnet will be configured.
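The gcloud section above creates an allow-internal rule sourced from 10.128.0.0/9, which is the range that auto-mode subnets are carved from. The custom-mode VPC in the Terraform configuration above uses 10.1.0.0/20, which that rule would not match, and a newly created VPC carries only the implied rules (allow all egress, deny all ingress at priority 65535), so its instances cannot reach each other until a rule is added. The google_compute_firewall resources below are an added example, not part of the original post, that grant the same internal access scoped to the subnet actually defined and enable firewall logging; the resource names and the "ssh" network tag are assumptions.

```hcl
# Added example (not from the original post): internal allow rule for the
# custom-mode VPC defined above, scoped to its subnet rather than 10.128.0.0/9.
resource "google_compute_firewall" "nyacorp_vpc1_allow_internal" {
  name        = "nyacorp-vpc1-allow-internal"   # assumed name
  network     = google_compute_network.nyacorp-vpc1.id
  description = "Allow all traffic between instances within the VPC's own subnet"
  direction   = "INGRESS"
  priority    = 65534                            # same priority as the gcloud rule above

  # Source range is read from the subnet resource, so it follows ip_cidr_range changes
  source_ranges = [google_compute_subnetwork.public.ip_cidr_range]

  allow {
    protocol = "all"
  }

  # Log matched connections so accepted internal traffic is visible in Cloud Logging
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# A narrower rule: SSH only from Google's IAP TCP-forwarding range
# (35.235.240.0/20) and only to instances carrying the "ssh" network tag,
# instead of exposing port 22 to the whole internet.
resource "google_compute_firewall" "nyacorp_vpc1_allow_iap_ssh" {
  name          = "nyacorp-vpc1-allow-iap-ssh"   # assumed name
  network       = google_compute_network.nyacorp-vpc1.id
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["ssh"]                        # assumed tag

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

Both resources sit in the same configuration as the network and subnet, so a single terraform apply creates them together; the firewall logs land in Cloud Logging under the compute.googleapis.com/firewall log name and can be filtered by rule name.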

Friday, August 18, 2023

VPC Configuration using AWS Portal and Terraform

 

Virtual Private Cloud (VPC) is one of the (essential) services from AWS that offers cloud users the ability to create isolated instances of virtual data centers. VPC offers complete control over the cloud networking for the instances created in the AWS cloud. It allows us to create multiple subnets for micro-segmenting the virtual instances into different subnets, and to leverage network ACLs and Security Groups to control inter-subnet communication. It also offers internet connectivity to the instances created in the AWS cloud.


By default, each AWS region is created with a “Default” VPC that cannot be deleted. A VPC is regional in scope, and the default VPC is created with the CIDR block 172.31.0.0/16. Any VPC can be configured with one or more subnets from its CIDR block, where each subnet is local to an Availability Zone (AZ) within the AWS region.

We can configure our own VPC to suit the business need. It involves the four basic steps shown below:
  • Create a VPC in the relevant AWS region and assign the name.
  • Configure one or more subnets for each AZ within the AWS region.
  • Configure one or more route tables.
  • Configure the Internet Gateway.
This article explains how to configure a VPC using both the AWS portal and Terraform configuration.

VPC Configuration using AWS Portal

The user is expected to have AWS account created and logged into the portal to create the VPC. Below is the configuration procedure depicted while creating the VPC from the AWS portal:



A graphical representation of the VPC creation flow is shown in the portal as below:



VPC Configuration using Terraform

The basic terraform configuration involves the following:
  • Create a terraform variable listing one or more Availability Zones, with type list(string)
  • Create terraform variables listing one or more subnet CIDR blocks, with type list(string)
  • Create the aws_vpc resource to configure the VPC
  • Create aws_subnet resources to configure the subnets in each AZ within the region.
The same configuration is as below:


resource "aws_vpc" "nyacorp-new" {
  cidr_block       = "172.16.0.0/16"
  instance_tenancy = "default"

  tags = {
    Name = "NyaCorp-VPC"
  }
}

variable "availability_zones" {
  type    = list(string)
  default = ["us-east-1a", "us-east-1b"]
}

variable "public_subnet_cidr_block" {
  type    = list(string)
  default = ["172.16.0.0/20", "172.16.128.0/20"]
}

variable "private_subnet_cidr_block" {
  type    = list(string)
  default = ["172.16.16.0/20", "172.16.144.0/20"]
}

# One public subnet per CIDR in the list, placed in the AZ with the same index
resource "aws_subnet" "public_subnets" {
  count             = length(var.public_subnet_cidr_block)
  vpc_id            = aws_vpc.nyacorp-new.id
  availability_zone = element(var.availability_zones, count.index)
  cidr_block        = element(var.public_subnet_cidr_block, count.index)
}

# One private subnet per CIDR in the list, placed in the AZ with the same index
resource "aws_subnet" "private_subnets" {
  count             = length(var.private_subnet_cidr_block)
  vpc_id            = aws_vpc.nyacorp-new.id
  availability_zone = element(var.availability_zones, count.index)
  cidr_block        = element(var.private_subnet_cidr_block, count.index)
}

Once the terraform configuration is applied using "terraform apply", the VPC is created along with the subnets, but the internet gateway is not. While the portal-based flow creates the internet gateway for the VPC by default, it must be configured explicitly when using Terraform.

Below is the resource configuration required to create the internet gateway for the VPC:

resource "aws_internet_gateway" "nyacorp-igw" {
  vpc_id = aws_vpc.nyacorp-new.id

  tags = {
    Name = "NyaCorp-IGW"
  }
}


There are other ways to configure the VPC, and more granular details can be configured using Terraform. This article attempts to clarify the basic requirements for configuring a VPC using the AWS portal and using Terraform.