While many guides exist to help software engineers learn cloud networking design and architecture concepts, and even prepare for cloud network certifications on AWS and Azure, far fewer resources cover the Google Cloud Platform (GCP) Professional Cloud Network Engineer certification exam. Well, look no further! This self-paced guide book is designed to help engineers learn cloud networking best practices on GCP and prepare for the GCP Professional Cloud Network Engineer certification exam. You will waste no time when you use this study companion. It lets you dive in and learn how GCP differs from other public cloud providers (AWS and Microsoft Azure). You will understand GCP's unique ability to create virtual private clouds (VPCs) that span multiple regions. You will know how to leverage GCP as a competitive advantage in the IT engineering community. Key concepts covered on the exam are called out and applied in each chapter of this book, giving you both practice and reinforcement, a far more effective learning tool than rote learning or similar approaches typically used in exam preparation. Enterprises are looking for developers with Google networking skills. Now is the time to skill up! This book shows you how to leverage GCP's developer-focused, user-friendly approach to understand how the networking components behind the popular 1B-user Google products (e.g., Gmail, Google Search, YouTube, Google Workspace (formerly G Suite), Google Maps, Google Photos, and many others) work behind the scenes.
What You Will Learn
In addition to preparing for the GCP Professional Cloud Network Engineer certification exam, you will learn how to:
Architect and design a virtual private cloud
Implement a virtual private cloud
Configure network services
Implement hybrid connectivity
Implement network security
Manage network operations
Optimize network resources
Who This Book Is For
Software engineers (network, DevOps, SecOps, DataOps, and engineers skilled with the SDLC), software architects (solution, security, data, infrastructure, cloud, and those skilled with TOGAF), and IT professionals.
Prerequisites: While this study companion is intended to be self-contained, a basic knowledge of cloud computing, along with hands-on experience in at least two modern programming languages (e.g., Java, C#), is beneficial for readers who want to fully achieve the objectives of the book.
Author(s): Dario Cabianca
Publisher: Apress
Year: 2023
Language: English
Pages: 702
Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1: Exam Overview
Exam Content
Exam Subject Areas
Exam Format
Supplementary Study Materials
Sign Up for a Free Tier
Register for the Exam
Schedule the Exam
Rescheduling and Cancellation Policy
Exam Results
Retake Policy
Summary
Chapter 2: Designing, Planning, and Prototyping a Google Cloud Network
Designing an Overall Network Architecture
High Availability, Failover, and Disaster Recovery Strategies
Disaster Recovery
High Availability
Service Level Indicator
Service Level Objective
Recovery Time Objective
Recovery Point Objective
Architecting Your Network for Resilience and High Availability
DNS (Domain Name System) Strategy
Using Hybrid DNS Resolution with Two Authoritative DNS Systems
Using Nonhybrid DNS Resolution
Security and Data Exfiltration Requirements
VPC Service Perimeter
Load Balancing
Applying Quotas per Project and per VPC
Container Networking
Google Kubernetes Engine
Planning IP Address Allocation for Services, Pods, and Nodes
Using VPC-Native Clusters
Using Container-Native Load Balancing
SaaS, PaaS, and IaaS Services
Designing Virtual Private Cloud (VPC) Instances
VPC Specifications
Subnets
IP Address Management and Bring Your Own IP (BYOIP)
External IP Addresses
Internal IP Addresses
Standalone vs. Shared VPC
Standalone
Shared
Multiple vs. Single
Single VPC in Single Host Project
Single Shared VPC with Multiple Service Projects
Multiple Shared VPCs with Multiple Service Projects
Regional vs. Multi-regional
VPC Network Peering
Examples
Firewalls
Example
Custom Routes
Designing a Hybrid and Multi-cloud Network
Drivers for Hybrid and Multi-cloud Networks
Business Requirements
Development Requirements
Operational Requirements
Architectural Requirements
Overall Goals
Designing a Hybrid and Multi-cloud Strategy
Dedicated Interconnect vs. Partner Interconnect
Direct vs. Carrier Peering
IPsec VPN
Bandwidth and Constraints Provided by Hybrid Connectivity Solutions
Cloud Router
VPC Routing
Cloud Router Overview
Multi-cloud and Hybrid Topologies
Mirrored
Meshed
Gated Egress
Gated Ingress
Gated Ingress and Egress
Handover
Regional vs. Global VPC Routing Mode
Failover and Disaster Recovery Strategy
High Availability (HA) VPN
Redundant VPC
Accessing Google Services/APIs Privately from On-Premises Locations
Private Google Access
Private Service Connect
IP Address Management Across On-Premises Locations and Cloud
Designing an IP Addressing Plan for Google Kubernetes Engine (GKE)
GKE VPC-Native Clusters
Optimizing GKE IP Ranges
Flexible Pod Density
Expanding GKE IP Ranges
Non-RFC 1918
Privately Used Public IP (PUPI)
Public and Private Cluster Nodes
Control Plane Public vs. Private Endpoints
Private Cluster with Disabled Public Endpoint
Private Cluster with Limited Public Endpoint Access
Private Cluster with Unlimited Public Endpoint Access
Summary
Exam Questions
Question 2.1 (VPC Peering)
Rationale
Question 2.2 (Private Google Access)
Rationale
Chapter 3: Implementing Virtual Private Cloud Instances
Configuring VPCs
Configuring VPC Resources
Creating VPCs
Creating Subnets
Listing Subnets
Listing VPCs
Deleting VPCs
Configuring VPC Peering
Creating a Shared VPC and Sharing Subnets with Other Projects
Host and Service Project Concepts
Shared VPC Deep Dive
Assigning Roles to Principals
Creating the Shared VPC
Creating the Service Projects
Enabling Compute API for Service and Host Projects
Enabling Host Project
Attaching Service Projects
Assigning Individual Subnet-Level Roles to Service Project Admins
Using a Shared VPC
Listing Usable Subnets
Creating VMs
Verifying VM Connectivity
Deleting VMs
Shared VPC Summary
Sharing Subnets Using Folders
Configuring API Access to Google Services (e.g., Private Google Access, Public Interfaces)
Configuring Private Google Access (PGA)
Configuring Private Service Connect (PSC)
Expanding VPC Subnet Ranges After Creation
Configuring Routing
Static vs. Dynamic Routing
Static Routes
Dynamic Routes
Routing Order
Global vs. Regional Dynamic Routing
Viewing Inter-region Routes Programmed by a Cloud Router
Updating the Base Priority for Advertised Routes
Routing Policies Using Tags and Priorities
Internal Load Balancer As a Next Hop
Custom Route Import/Export over VPC Peering
Configuring and Maintaining Google Kubernetes Engine Clusters
VPC-Native Clusters Using Alias IP Ranges
Clusters with Shared VPC
Clusters with Shared VPC Deep Dive
Enabling Container API for Service and Host Projects
Assigning Subnet-Level Roles to Service Accounts
Assigning Host Service Agent User Role to GKE Service Accounts
Listing Usable Subnets
Creating GKE Clusters
Testing Connectivity
Deleting GKE Clusters
Creating Cluster Network Policies
Cloning the GKE Sample Apps from GitHub
Creating a Network Policy–Enabled GKE Cluster
Restricting Ingress Traffic
Validating Ingress Network Policy
Restricting Egress Traffic
Validating Egress Network Policy
Deleting the Cluster
Additional Guidelines
Private Clusters and Private Control Plane Endpoints
Adding Authorized Networks for Cluster Control Plane Endpoints
Configuring and Managing Firewall Rules
Target Network Tags and Service Accounts
Syntax for Creating Firewall Rules
Priority
Example
Protocols and Ports
Direction
Example
Firewall Rule Logs
Firewall Rule Summary
Exam Questions
Question 3.1 (Routing)
Rationale
Question 3.2 (Firewall Rules)
Rationale
Question 3.3 (Firewall Rules, VPC Flow Logs)
Rationale
Question 3.4 (Firewall Rules, Target Network Tags)
Rationale
Chapter 4: Implementing Virtual Private Cloud Service Controls
VPC Service Controls Introduction
Creating and Configuring Access Levels and Service Perimeters
Perimeters
Access Levels
Service Perimeter Deep Dive
Enabling Access Context Manager and Cloud Resource Manager APIs
Creating an Access Policy for the Organization
Creating an Access Level
Creating a Perimeter
Testing the Perimeter
Deleting the Buckets
VPC Accessible Services
Perimeter Bridges
Audit Logging
Dry-Run Mode
Dry-Run Concepts
Perimeter Dry-Run
Setting Up Private Connectivity to Google APIs
Updating the Access Level
Updating the Perimeter
Testing the Perimeter
Creating a Perimeter Dry-Run by Limiting VPC Allowed Services
Testing the Perimeter Dry-Run
Enforcing the Perimeter Dry-Run
Testing the Enforced Perimeter
Cleaning Up
Final Considerations
Shared VPC with VPC Service Controls
VPC Peering with VPC Service Controls
Exam Questions
Question 4.1 (Perimeter with Shared VPC)
Rationale
Question 4.2 (Dry-Run)
Rationale
Chapter 5: Configuring Load Balancing
Google Cloud Load Balancer Family
Backend Services and Network Endpoint Groups (NEGs)
Configuring Managed Instance Groups (MIGs)
Configuring a Zonal Network Endpoint Group (NEG)
Firewall Rules to Allow Traffic and Health Checks to Backend Services
Configuring External HTTP(S) Load Balancers Including Backends and Backend Services with Balancing Method, Session Affinity, and Capacity Scaling/Scaler
Modes of Operation
Architecture
Forwarding Rule
Target HTTP(S) Proxy
Multiple SSL Certificates
Self-Managed and Google-Managed SSL Certificates
SSL Policies
URL Map
Backend Service
Backends
Container-Native Global HTTP(S) Load Balancing Deep Dive
Container-Native Load Balancing Through Ingress
Container-Native Load Balancing Through Standalone Zonal NEGs
Global HTTP(S) Load Balancing with Managed Instance Groups
External TCP and SSL Proxy Load Balancers
External SSL Proxy Load Balancer
External TCP Proxy Load Balancer
Network Load Balancers
Examples
Implementation
Internal HTTP(S) and TCP Proxy Load Balancers
Load Balancer Summary
Protocol Forwarding
Accommodating Workload Increases Using Autoscaling vs. Manual Scaling
Configuring Cloud Armor Policies
Security Policies
Adaptive Protection
Web Application Firewall (WAF) Rules
Configure Custom Rules Language Attributes
Attaching Security Policies to Backend Services
Example
Configuring Cloud CDN
Interaction with HTTP(S) Load Balancer
Enabling and Disabling Cloud CDN
Cacheable Responses
Using Cache Keys
Customizing Cache Keys
Enabling Cloud CDN
Updating Cache Keys to Remove Protocol, Host, and Query String
Updating Cache Keys to Add Protocol, Host, and Query String
Updating Cache Keys to Use an Include or Exclude List of Query Strings
Updating Cache Keys to Use HTTP Headers
Updating Cache Keys to Use Named Cookies
Cache Invalidation
Path Pattern
Invalidating a Single File
Invalidate the Whole Directory
Invalidate Everything
Signed URLs
Configuring Signed Request Keys
Signing URLs
Custom Origins
Specifying a Custom Origin
Best Practices
Use TLS Everywhere
Restrict Ingress Traffic with Cloud Armor and Identity-Aware Proxy (IAP)
Enable Cloud CDN for Cacheable Content
Enable HTTP/2 As Appropriate
Optimize Network for Performance or Cost Based on Your Requirements
Leverage User-Defined HTTP Request Headers to Manage Metadata
Exam Questions
Question 5.1 (Backend Services)
Rationale
Question 5.2 (Backend Services, Max CPU %, Capacity)
Rationale
Question 5.3 (Backend Services, Canary A/B Testing)
Rationale
Question 5.4 (HTTPS Load Balancer, Cloud CDN)
Rationale
Question 5.5 (HTTPS Load Balancer, Autoscale)
Rationale
Chapter 6: Configuring Advanced Network Services
Configuring and Maintaining Cloud DNS
Managing Zones and Records
Creating Public Zones
Creating Private Zones
Creating Forwarding Zones
Creating Peering Zones
Managing Records
Migrating to Cloud DNS
Create a Managed Zone for Your Domain
Export the DNS Configuration from Your Existing Provider
Import Your Existing DNS Configuration to Cloud DNS
Verify the Migration
Update Your Registrar's Name Server Records
Wait for Changes and Then Verify
DNS Security Extensions (DNSSEC)
Forwarding and DNS Server Policies
Inbound Server Policy
Outbound Server Policy
Integrating On-Premises DNS with Google Cloud
Approach 1: Keep DNS Resolution On-Premises
Approach 2: Move DNS Resolution to Cloud DNS
Approach 3 (Recommended): Use a Hybrid Approach with Two Authoritative DNS Systems
Split-Horizon DNS
Split-Horizon Use Cases
DNS Peering
Understanding the Cloud DNS Peering Solution
Private DNS Logging
Configuring Cloud NAT
Architecture
Creating a Cloud NAT Instance
Addressing and Port Allocations
Static Port Allocation
Dynamic Port Allocation
Customizing Timeouts
Logging and Monitoring
Enabling Cloud NAT Logging
Filtering NAT Logs
Verifying NAT Logging Status
Viewing NAT Logs
Monitoring
Restrictions per Organization Policy Constraints
Configuring Network Packet Inspection
Configuring Packet Mirroring
Packet Mirroring in Single and Multi-VPC Topologies
Mirrored Sources and Collector Instances Located in the Same VPC
Mirrored Sources and Collector Instances Located in Peered VPCs
Collector Instances Located in Shared VPC Service Project
Collector Instances Located in Shared VPC Host Project
Mirror Sources and Collector Instances Using Multi-NIC VMs
Capturing Relevant Traffic Using Packet Mirroring Source and Traffic Filters
Routing and Inspecting Inter-VPC Traffic Using Multi-NIC VMs (e.g., Next-Generation Firewall Appliances)
Configuring an Internal Load Balancer As a Next Hop for Highly Available Multi-NIC VM Routing
Configuring the Networks
Configuring the Firewall Rules
Creating the Common Managed Instance Group (MIG)
Creating the Forwarding Rules
Creating the Custom Static Routes That Define the Load Balancers As the Next Hops
Creating the First VM
Creating the Second VM
Verifying Load Balancer Health Status
Testing Connectivity from the Testing VM
Testing Connectivity from the Production VM
Exam Questions
Question 6.1 (Cloud DNS)
Rationale
Question 6.2 (Cloud NAT)
Rationale
Question 6.3 (Cloud DNS)
Rationale
Chapter 7: Implementing Hybrid Connectivity
Configuring Cloud Interconnect
Dedicated Interconnect Connections and VLAN Attachments
Prerequisites
How It Works
VLAN Attachments
Configuring Dedicated Interconnect
Ordering a Dedicated Interconnect Connection
Retrieving LOA-CFAs
Testing a Single-Circuit Connection (One 10 Gbps or 100 Gbps Circuit)
Creating a VLAN Attachment
Configuring On-Premises Devices
Partner Interconnect Connections and VLAN Attachments
Prerequisites
How It Works
VLAN Attachments
Configuring Partner Interconnect
Establishing Connectivity with a Supported Service Provider (Partner)
Creating a VLAN Attachment
Ordering a Connection to Google Cloud
Activating Your Connection
Configuring On-Premises Devices
Configuring a Site-to-Site IPsec VPN
High Availability VPN (Dynamic Routing)
How It Works
Configuring an HA VPN Gateway and a Tunnel Pair to a Peer VPN Gateway
Creating an HA VPN Gateway
Creating a Peer VPN Gateway Resource
Creating a Cloud Router
Creating IPsec Tunnels
Establishing BGP Sessions
Configure On-Premises Devices
Classic VPN (e.g., Route-Based Routing, Policy-Based Routing)
Policy-Based Routing
Route-Based Routing
Configuring Cloud Router
Border Gateway Protocol (BGP) Attributes (e.g., ASN, Route Priority/MED, Link-Local Addresses)
Autonomous System Number (ASN)
Route Priorities and Multi-exit Discriminators (MEDs)
BGP Peering IP Addresses
IPv6 Support
Default Route Advertisements via BGP
Custom Route Advertisements via BGP
Deploying Reliable and Redundant Cloud Routers
Resilience
Reliability
High Availability
Security
Exam Questions
Question 7.1 (Interconnect Attachments)
Rationale
Question 7.2 (Cloud VPN)
Rationale
Question 7.3 (Cloud VPN)
Rationale
Question 7.4 (Partner Interconnect)
Rationale
Question 7.5 (Cloud Router)
Rationale
Chapter 8: Managing Network Operations
Logging and Monitoring with Google Cloud’s Operations Suite
Reviewing Logs for Networking Components (e.g., VPN, Cloud Router, VPC Service Controls)
Cloud Logging
Log Types
Cloud Logging Deep Dive
Monitoring Networking Components (e.g., VPN, Cloud Interconnect Connections and Interconnect Attachments, Cloud Router, Load Balancers, Google Cloud Armor, Cloud NAT)
Cloud Monitoring
Cloud Monitoring Deep Dive
Managing and Maintaining Security
Firewalls (e.g., Cloud-Based, Private)
Network Firewall Policies
Diagnosing and Resolving IAM Issues (e.g., Shared VPC, Security/Network Admin)
Policy Troubleshooter
Maintaining and Troubleshooting Connectivity Issues
Draining and Redirecting Traffic Flows with HTTP(S) Load Balancing
How It Works
Enabling Connection Draining
Monitoring Ingress and Egress Traffic Using VPC Flow Logs
How It Works
Enabling VPC Flow Logs
Cost Considerations
Viewing Flow Logs
Monitoring Firewall Logs and Firewall Insights
Firewall Rules Logging
Firewall Insights
Managing and Troubleshooting VPNs
Troubleshooting Cloud Router BGP Peering Issues
BGP Session Failed to Establish
IP Addresses for BGP Sessions
Invalid Value for the Field resource.bgp.asn
iBGP Between Cloud Routers in a Single Region Doesn't Work
Monitoring, Maintaining, and Troubleshooting Latency and Traffic Flow
Testing Latency and Network Throughput
Using Network Intelligence Center to Visualize Topology, Test Connectivity, and Monitor Performance
Exam Questions
Question 8.1 (VPC Flow Logs, Firewall Rule Logs)
Rationale
Question 8.2 (Firewall Rule Logs)
Rationale
Question 8.3 (IAM)
Rationale
Question 8.4 (IAM)
Rationale
Question 8.5 (Troubleshooting VPN)
Rationale
Index