I have 2 Google Cloud accounts, account_1 and account_2. On each of those accounts I created a project and I bootstrapped 2 virtual machines.
I want to know if it's possible to place those 4 machines in the same network space, to be able to communicate.
Thanks!
Yes, this is possible using VPC network peering. The shared VPC is different because it's between an organization projects, as you have you VMs in different accounts what you have to do is VPC network peering, check this article. After configuring on both VPCs and set the proper firewall rules you should be able to reach your 4 VMs using the internal IP, although they will not be in the same subnet but they will be able to communicate between them.
Yes, it is possible. Take a look at the Shared VPC Overview documentation.
However, not all resources will be shared, you can check which ones are supported here.
Related
Any one knows if two stations created with the same amazon aws workspaces account share the same network ? Are they linked in any way ? Should I use vpn on each one if I want that they stay independent ?
Thanks
If you have created a workspace in the same AWS VPC, they will be deployed in the same virtual network.
https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-vpc.html
If you require that they are to be running on completely segregated networks, creating multiple VPCs would be your best option. Though with the security groups, you should be able to not allow the 2 workspaces to communicate with each other by ensuring that the inbound rules don't allow any connections to said workspace.
I'm looking for the best way to get access to a service running in container in ECS cluster "A" from another container running in ECS cluster "B".
I don't want to make any ports public.
Currently I found a way to have it working in the same VPC - by adding security group of instance of cluster "B" to inbound rule of security group of cluster "A", after that services from cluster "A" are available in containers running in "B" by 'private ip address'.
But that requires this security rule to be added (which is not convenient) and won't work for different regions. Maybe there's better solution which covers both cases - same VPC and region and different VPCs and regions?
The most flexible solution for your problem is to rely on some kind of service discovery. The AWS-native one would be using Route 53 Service Registry or AWS Cloud Map. The latter one is newer and also the one recommended in the docs. Checkout these two links:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html
https://aws.amazon.com/blogs/aws/amazon-ecs-service-discovery/
You could go for open source solutions like Consul.
All this could be overkill if you just need to link two individual containers. In this case you could create a small script that could be deployed as a Lambda that queries the AWS API and retrieves the target info.
Edit: Since you want to expose multiple ports on the same service you could also use load balancer and declare multiple target groups for your service. This way you could communicate between containers via the load balancer. Notice that this can lead to increased costs because traffic goes through the lb.
Here is an answer that talks about this approach: https://stackoverflow.com/a/57778058/7391331
To avoid adding custom security rules, you could simply perform some VPC peering between regions, which should allow instances in VPC 1 from Region A, view instances in VPC 2 from Region B. This document describes how such connectivity may be established. The same document provides references on how to link VPCs in the same region as well.
Instead of creating a VPN to every GCP project in our organization, can I somehow create a "super" VPN that can access all the projects? I was looking at shared VPC, but I can't figure out from the docs whether shared VPC will solve the problem. I'm not the best at networking and maybe I'm overlooking something. Suggestions welcome.
You have 2 solutions to solve this
Create a project with the VPN and then create peering with other projects. The problem with this is that you are limited to 25 peering per VPC. In addition, VPC peering has another limitation: transitivity is forbidden. If you have a peering between A and B and between B and C, A can'y reach C, the transitivity isn't permitted and that can cause some issues/limitation later in your design.
Use Shared VPC. You have a host project with a VPC with your VPN, and then service project that use either their own VPC (for standalone application) or the shared VPC. You have detail here. However in this solution, all the service project have access to the same VPC, and thus all the VM of the services projects can access to the VPC ressources (others VM, VPN, ...). The firewall rules will be very important; and a good way to solve this is to use firewall rules based on service account.
I have three separate GCP accounts. One account for productA, one account for productB and one account for devops monitoring. Each account has currently 1 project (more to be added in the future) which has multiple VMs. I want to monitor the VMs (for productA/project and productB/project) from the devops GCP account so I can consolidate the monitoring. The monitoring products are Promethesus, Grafana and Graylog (not GCP).
I am not using organisations at the moment (don't use gsuite or cloud identity)
Do I need VPC networking peering or shared VPC?
Any advice or recommendations on how to do this would be much appreciated.
Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network. If your resources are already in different projects, but using the same VPC, the shared VPC concept is already in place.
However, in your case it seems like your resources are using different VPC’s specifically to their own project. Here the concept for VPC peering can be used regardless of whether they belong to the same project or the same organization. It is possible to set up VPC Network Peering between two Shared VPC networks. Here is the Example on VPC Network Peering setup.
On Google cloud, I have setup new three projects - dev, research and prod. So, then created an Shared VPC Host and three Service Projects as listed above. Also intend to have separate VPCs for each of these service projects (to add more security layer), hence also intend to use now VPC Peering. But confused here can we configure both Shared VPCs and VPC Peering on same set of Projects?. If so then i do not find any links on this and also is this an right thing to do?
Peering and Shared have their own usage. With peering, you are limited to 25 per project and the transitivity isn't possible.
For example, with peering, if you set up a peering between dev and research and between research and prod; dev can't reach the prod (transitivity is forbidden), you have to set up a peering between dev and prod for this. The peering can be interesting when you want to share a VPN or Interconnect endpoint. You perform a peering between the interconnect project and these that want to reuse this connexion.
With share VPC, you don't have the transitivity limitation, all the VM can be in the same VPC, even if they are in different projects.
However, with this config, you break the project strong isolation, your dev project can access to the prod without limitation!
Thereby I recommend you to set up VM network with at least "2 legs": 1 in the shared VPC, the other in a project dedicated VPC. And then to set up the correct firewalls rules on your VPC network for limiting interactions in the shared VPC, but by keeping an unrestricted limitation at project level with the leg in the VPC project.
Peering:
Peering allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization. you are limited to 25 per project and the transitivity isn't possible.
VPC sharing:
Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network.