Thinking about an Associate Cloud Engineer certification? Great news, the Cloud Engineering quest is designed to help you get there (psst, tune in Friday for a game and study session — follow us for codes).
As you advance in this quest, you will stumble upon a very interesting lab, Networking 102. This lab covers simple to complex network requirements. You will learn about deploying resources to create networks and subnetworks and experiment with different functionalities and features. This lab is not part of Friday’s game, so let’s take an in-depth look at it here.
Ready to score 100% on Networking 102? Let’s get started! Use code 1q-ace-102 for 9 Qwiklabs credits to get this lab free of charge for the next 24 hours — claim the offer here.
Before we dissect this lab and its various aspects, keep in mind that you will get more out of this lab if you read and understand some of the background info rather than just performing and proceeding. Networking 102 explains various networking concepts which are really interesting — nerd alert — I recommend that you go through the theoretical part of this lab with the same zeal as you would for the practical part :)
And pre-reqs? You will want to know the basics of Google Cloud Services, basic networking and TCP/IP knowledge and basic unix/linux command line knowledge. And check out Networking 101!
Create Virtual Private Networks (VPC) and Instances
After the basic setup in the lab you will begin with the first task: creating VPC networks and instances. You will use gcloud commands to create both.
You will create two networks, mynetwork and privatenet. mynetwork is created in auto mode, which means its subnets are created automatically with predefined specifications (like the default VPC network). privatenet is created in custom mode, in which you define the subnet yourself by specifying certain flags (in simple terms, options). Here is some detailed information about the different flags which you can use to create custom subnets.
Creating the networks takes some time. Your final output will look like this:
After the networks are created, you need to create different instances. You will run five commands with different specifications in order to understand and test the networks. Creation of instances takes about five to seven minutes.
Before proceeding make sure you have the green ticks for all the instances as displayed in the above image.
How Default and User-Created VPC Networks are Configured
This section explains the firewall rules that were created by default when the networks were created. You will learn how to view and verify the firewall rules applied to the networks. To check that your network is up and running, you ping www.google.com from an instance; if everything is good, you will see something like this.
Going further, this section provides step by step instructions to delete VM instances as well as the VPC. Not as important for the lab — but when you’re running your own projects, knowing how to clean up resources will save money.
User Created Networks
In the section above we saw how the default network works; now we will look at how custom networks work. This section highlights the importance of creating firewall rules for your network: without them, you will not be able to SSH into instances in a custom network.
Advanced Firewall Rules
This section gives you an overview of the types of firewall rules and what each does, and an insight into the following topics:
- Stateful Firewalls
- Firewall Rules and IAM
- Allow/Ingress Rules
- Deny/Egress rules
You will learn how to implement Allow/Ingress Rules and Deny/Egress Rules.
With Allow/Ingress rules you permit inbound connections, such as SSH, to instances in a particular network.
Following the instructions in the lab guide, you will notice that earlier you were not able to SSH, but after adding the custom firewall rules you can SSH in and reach the other custom networks as well. You will run this ping test to verify it:
That is the Allow/Ingress step. Next you will add Deny/Egress rules, which explicitly block traffic you had allowed earlier; after that, you can no longer ping the other custom networks.
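As an added illustration that is not part of the lab or its gcloud commands, this Python model evaluates a connection against a set of VPC firewall rules the way the Allow/Ingress and Deny/Egress steps rely on: the implied deny-ingress and allow-egress rules at priority 65535, lowest priority number first, deny winning a tie. The rule names, the workstation address 203.0.113.5 and the subnet 10.130.0.0/20 are constructed assumptions.

```python
"""Local model of Google Cloud VPC firewall evaluation (added illustration,
not the lab's gcloud commands); fields mirror the gcloud firewall flags."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                   # "INGRESS" or "EGRESS"
    action: str                      # "allow" or "deny"
    priority: int                    # 0..65535; the lower number wins
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()   # empty means any port
    ranges: tuple = ("0.0.0.0/0",)   # source (ingress) / destination (egress)

# Implied rules present in every VPC network, default or user-created:
# all inbound traffic is blocked and all outbound traffic is permitted.
IMPLIED = (
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, "all"),
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, "all"),
)

def matches(rule, direction, remote_ip, protocol, port):
    return (rule.direction == direction
            and rule.protocol in ("all", protocol)
            and (not rule.ports or port in rule.ports)
            and any(ip_address(remote_ip) in ip_network(r) for r in rule.ranges))

def evaluate(rules, direction, remote_ip, protocol, port=None):
    """First packet of a connection only: rules are stateful, so replies are
    never re-evaluated. Lowest priority number wins; at a tie deny beats allow."""
    hits = [r for r in (*rules, *IMPLIED)
            if matches(r, direction, remote_ip, protocol, port)]
    winner = min(hits, key=lambda r: (r.priority, r.action != "deny"))
    return winner.action, winner.name

def lab_scenario():
    """Replay the lab on a bare custom network: add Allow/Ingress, then Deny/Egress.
    203.0.113.5 (workstation) and 10.130.0.0/20 (other subnet) are constructed."""
    privatenet = []
    ssh_before = evaluate(privatenet, "INGRESS", "203.0.113.5", "tcp", 22)
    privatenet.append(Rule("privatenet-allow-ssh", "INGRESS", "allow", 1000,
                           "tcp", frozenset({22})))
    ssh_after = evaluate(privatenet, "INGRESS", "203.0.113.5", "tcp", 22)
    ping_before = evaluate(privatenet, "EGRESS", "10.130.0.2", "icmp")
    privatenet.append(Rule("privatenet-deny-icmp", "EGRESS", "deny", 900,
                           "icmp", ranges=("10.130.0.0/20",)))
    ping_after = evaluate(privatenet, "EGRESS", "10.130.0.2", "icmp")
    return ssh_before, ssh_after, ping_before, ping_after
```

Running `lab_scenario()` shows SSH denied by the implied rule, then allowed by the new ingress rule, and ping allowed by the implied egress rule until the deny rule overrides it.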
Using Cloud Routes
Cloud Routes is a vast concept, and this lab explains just the gist of it. This section is pretty self-explanatory: it explains how to route a private network's traffic through a NAT gateway. You can get through this section easily by following the lab instructions.
Network-specific IAM roles
This is the last section of the lab, and it explores network-specific IAM roles, a vast and important topic. The lab covers general networking roles, XPN networking roles and, most importantly, how to transfer an IAM role, which is crucial. Interested in digging deeper into IAM and roles? Check out this recent talk on Best Practices for Identity and Authorization with GCP with Googlers Blake T., Breno de Medeiros, and Naveen Chand.
Well that’s about it, you have successfully completed this lab and leveled-up in cloud networking! We hope you had fun with this lab and the rest of the Cloud Engineering Quest… and hope you can join us for Friday’s game!