Google Cloud and AWS have different implementations of a VPC. In GCP, VPCs are associated with projects. What's confusing me is that in a GCP project you can have two different VPCs but with the same subnet CIDR. If anyone has a resource that can clear my doubts, please share it.
In GCP, two VPC networks in the same project must have different names, so they are distinguishable and completely independent/isolated. VMs in one VPC network have to go through external IP addresses to talk to VMs in the other VPC network. Or you can connect them through VPC Network Peering, so that they can talk to each other through internal IPs. See:
GCP - VPC Network Overview.
GCP - VPC Network Peering
A feature you can use in this case is to create a peering in the VPC; this allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.
VPC Network Peering enables you to connect VPC networks so that workloads in different VPC networks can communicate internally. Traffic stays within Google's network and doesn't traverse the public internet.
VPC Network Peering gives you several advantages over using external IP addresses or VPNs to connect networks, including: network latency, network security and network cost.
For information about peering and VPC, see:
VPC: https://cloud.google.com/vpc/docs/vpc
Peering: https://cloud.google.com/vpc/docs/vpc-peering
I understand VPC peering is used to establish a connection between two VPCs. And to connect to another application/service in another VPC, a VPC Endpoint Service is used. But can't a VPC Endpoint Service be connected via VPC peering?
A use-case/scenario will help
You can find a lot of info on VPC peering here:
https://docs.aws.amazon.com/de_de/vpc/latest/peering/what-is-vpc-peering.html
It is, as you already said, a (network) connection of two VPCs.
A VPC Endpoint gives you some more options; you could say it is built on top of the VPC peering idea.
Here is a short article about it:
https://catalog.workshops.aws/networking/en-US/intermediate/5-vpc-endpoint-services/10-vpc-endpoint-services-overview
It also mentions some use cases, like:
Application in a VPC that has no VPN or TGW access to other VPCs.
Application in a VPC which has overlapping IP addresses with the VPC you want to share it with.
Sharing an application with external consumers in other AWS accounts (even via Marketplace).
Limiting the firewall rules for access to an on-premises application by using PrivateLink as a single point of access for all VPCs in a region.
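As an added example that is not from either post above, and that serves both the first question (two VPC networks in one project using the same subnet CIDR) and the overlapping-IP use case listed for PrivateLink: a small Python check that takes an inventory of VPC networks with their subnet CIDRs and reports overlapping ranges. Both GCP VPC Network Peering and AWS VPC peering refuse to connect networks whose subnet ranges overlap, so a hit here means that pair cannot simply be peered and needs another design (Shared VPC, PrivateLink, or re-addressing). The VPC names and CIDRs are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not taken from the posts above): two VPC
# networks in one project that happen to reuse the same subnet CIDR, plus a
# third network with a distinct range.
SAMPLE_VPCS = {
    "vpc-a": ["10.10.0.0/24", "10.20.0.0/24"],
    "vpc-b": ["10.10.0.0/24"],       # same CIDR as vpc-a: isolated today, cannot be peered
    "vpc-c": ["192.168.0.0/20"],
}


def parse_subnets(cidrs):
    """Parse CIDR strings into network objects.

    strict=True rejects entries with host bits set (e.g. 10.10.0.1/24), which
    usually indicates a typo in an inventory rather than a real subnet.
    """
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def find_overlaps(vpcs):
    """Return (vpc1, subnet1, vpc2, subnet2) tuples for every overlapping pair.

    Peering exchanges subnet routes between the two networks, so an overlap
    would leave a VM with two routes for the same destination. Both GCP and
    AWS reject such a peering, which is what this check predicts.
    """
    parsed = {name: parse_subnets(cidrs) for name, cidrs in vpcs.items()}
    hits = []
    for (name1, subnets1), (name2, subnets2) in combinations(parsed.items(), 2):
        for a in subnets1:
            for b in subnets2:
                # overlaps() only compares same-family networks; skip v4/v6 mixes
                if a.version == b.version and a.overlaps(b):
                    hits.append((name1, str(a), name2, str(b)))
    return hits


def can_peer(vpcs, name1, name2):
    """True if the two named VPC networks share no overlapping subnet range."""
    pair = {name1, name2}
    return not any({h[0], h[2]} == pair for h in find_overlaps(vpcs))


if __name__ == "__main__":
    for vpc1, subnet1, vpc2, subnet2 in find_overlaps(SAMPLE_VPCS):
        print(f"{vpc1} {subnet1} overlaps {vpc2} {subnet2}: peering would be rejected")
    for x, y in combinations(SAMPLE_VPCS, 2):
        print(f"{x} <-> {y}: {'can peer' if can_peer(SAMPLE_VPCS, x, y) else 'needs Shared VPC / PrivateLink / re-addressing'}")
```

Running the script against the sample inventory flags only the vpc-a/vpc-b pair, which is exactly the "same subnet CIDR in one project" situation from the first question: the two networks coexist without conflict because they are isolated, but they cannot be peered. Feeding it the real output of your subnet listing (one entry per VPC network) before you request a peering avoids discovering the overlap at creation time.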
Background
I have two Google Cloud VPC networks, VPC A and VPC B. Network B was peered with network A.
VPC A has a NAT gateway with connectivity to the internet.
Instances running in VPC B have no internet connectivity.
Question
I want VPC B to use A's NAT in order to get internet connectivity.
How to do it?
As per the VPC Network Peering interactions, this isn't possible:
Cloud NAT gateways are associated with subnet IP address ranges in a single region and a single VPC network. A Cloud NAT gateway created in one VPC network cannot provide NAT to VMs in other VPC networks connected by using VPC Network Peering, even if the VMs in peered networks are in the same region as the gateway.
It is possible to achieve the result you are looking for by using a Shared VPC instead of VPC Network Peering; this allows an organization to connect resources from multiple projects to a common VPC network.
Here are the steps you need to follow to create a Shared VPC.
I need to set up a connection between VPCs. My plan was VPC peering, but the customer asks for PrivateLink as they heard it is the secure way. But I am mostly concerned with the performance overhead of PrivateLink. What I understood (maybe wrongly) is that in the PrivateLink architecture there is an extra NLB. Doesn't this introduce latency because of the extra network hop?
VPC peering and PrivateLink serve two different purposes.
VPC peering enables you to connect two VPCs in the same way you would connect two local networks together, or remote networks using a VPN. VPC peering allows network traffic from one VPC to the second VPC. For example, you can SSH from an instance in VPC A into an instance in VPC B.
PrivateLink is used to expose individual services of yours in VPC A to VPC B. But this does not allow for free flow of network traffic from VPC A to VPC B. For example, let's say you've developed a very cool application for image segmentation. The application and all its databases and other resources that it requires are in VPC A. Now a friend comes along and would like to use your application. But the friend is in VPC B. Since your application is private, not exposed to the internet, a way for your friend to use the app would be to expose it through PrivateLink. For this you create an NLB in front of your application, and your friend will get a network interface in their VPC B through which they can access your private application in VPC A.
Based on this and your question, there is no clear answer, as the two options are used for different purposes. I would suggest clarifying exactly what your or your customer's requirements are.
But generally, both will be equally fast. The AWS docs say the following about VPC peering:
AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.
Other examples from the AWS docs are here:
Example: Services Using AWS PrivateLink and VPC Peering
Edit: based on Michael's comment.
In Google Cloud I want to understand the relation between a project and a VPC. Can a VPC span multiple projects? Or can we say a VPC is always in one project?
By definition a VPC pertains only to a certain project, but you can share a VPC by creating a Shared VPC. Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, so that they can communicate with each other securely and efficiently using internal IPs from that network. If you go here you can find some examples of Shared VPCs.
Projects can contain multiple VPC networks. Unless you create an organizational policy that prohibits it, new projects start with a default network (an auto mode VPC network) that has one subnetwork (subnet) in each region.
You can also see more information about Shared VPC: Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network.
More information: https://cloud.google.com/vpc/docs/shared-vpc#use_cases
We also have VPC Peering: VPC networks can be connected to other VPC networks in different projects or organizations by using VPC Network Peering.
More information: https://cloud.google.com/vpc/docs/vpc-peering
I am able to connect two VPC networks in a GCP project using Cloud VPN with dynamic routing or just using VPC Network Peering. Cloud VPN with dynamic routing behaves the same as VPC Network Peering. I am trying to understand when to use VPC Network Peering and when to use Cloud VPN with dynamic routing.
From the Google Cloud docs: https://cloud.google.com/vpc/docs/vpc-peering
VPC Network Peering gives you several advantages over using external IP addresses or VPNs to connect networks, including:
Network Latency: Public IP networking suffers higher latency than private networking.
Network Security: Service owners do not need to have their services exposed to the public Internet and deal with its associated risks.
Network Cost: GCP charges egress bandwidth pricing for networks using external IPs to communicate even if the traffic is within the same zone.
If, however, the networks peer, they can use internal IPs to communicate and save on those egress costs. Regular network pricing still applies to all traffic.