Try to find reasons to use network peering

Remember that VPCs in the GCP world are quite different from networks in the physical world or even on other cloud providers such as AWS. VPCs are more like Autonomous Systems (AS) because each VPC can include multiple disjoint IP address ranges.

Resources that are in the same VPC can communicate using internal IP addresses as well as through a project-internal DNS facility. This is true even if the resources are in different regions. For instance, consider two VMs, one in the US and the other in the UK. Provided these are in the same VPC, they will be able to communicate using internal IP addresses despite their physical distance.

By contrast, if two resources are in different VPCs, then even if they happen to be in the same region, or even on the same underlying bare-metal box (remember that GCP VMs are multi-tenanted), they will still have to communicate using external IP addresses, which implies that the network traffic between them will have to pass over the internet.

Communication on internal IP addresses has several advantages:

  • Cost: Remember that network egress traffic incurs charges, and communication over internal IP addresses avoids this.
  • Security: Google's internal networks are relatively invulnerable to intrusion and security attacks. After all, Google has been under siege from hackers for over a decade now. However, once traffic leaves Google's internal networks and touches the internet, all bets are off.
  • Latency: Google's internal networks are blazingly fast; this is partially a legacy of Google's investments in YouTube and in trying to get video served at acceptable latencies in all or most regions of the world. Internal traffic on GCP is able to hitch a ride on these really fast internal links.

This presents us with a trade-off: if we have lots of small, modular VPCs, the organization of resources and firewall rules gets cleaner, but network traffic between them gets slower, costlier, and less secure.

A great way to square this circle is to make use of the feature named VPC peering. This allows a 1:1 link between two VPCs so that resources on the peered VPCs can communicate using internal IP addresses. GCP is cheaper than AWS in this respect, since peered traffic only incurs standard network charges. So, look for every possible opportunity to use VPC peering.
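As an added example (not from the book), the pre-flight check a practitioner wants before peering two VPCs: peering is rejected if any subnet range in one VPC overlaps a subnet range in the other, and the link has to be created from both sides before it becomes active. The project names, network names and CIDRs are constructed placeholders.

```python
# Added example (not from the book): pre-flight check for GCP VPC peering.
# Peering fails if any subnet range in one VPC overlaps a subnet range in the
# other, and the peering must be created from BOTH sides before it is ACTIVE.
# All project, network and CIDR values below are constructed placeholders.
from ipaddress import ip_network
from itertools import product

# Constructed inventory: VPC name -> (project id, list of subnet CIDRs).
VPCS = {
    "shared-services": ("proj-shared", ["10.10.0.0/20", "10.10.16.0/20"]),
    "app-prod":        ("proj-app",    ["10.20.0.0/20", "172.16.0.0/24"]),
    "analytics":       ("proj-data",   ["10.10.8.0/22"]),  # clashes with shared-services
}


def overlapping_ranges(vpc_a: str, vpc_b: str) -> list[tuple[str, str]]:
    """Return every pair of subnet CIDRs (one from each VPC) that overlap.
    An empty list means the two VPCs satisfy peering's non-overlap rule."""
    _, ranges_a = VPCS[vpc_a]
    _, ranges_b = VPCS[vpc_b]
    return [
        (a, b)
        for a, b in product(ranges_a, ranges_b)
        if ip_network(a).overlaps(ip_network(b))
    ]


def peering_commands(vpc_a: str, vpc_b: str) -> list[str]:
    """Return the two gcloud commands needed to peer vpc_a with vpc_b.
    Raises ValueError on overlapping ranges, since GCP would reject the peering.
    Note: peering is not transitive, and each VPC's own firewall rules still
    apply, so ingress from the peer's ranges must be allowed explicitly."""
    clash = overlapping_ranges(vpc_a, vpc_b)
    if clash:
        raise ValueError(f"cannot peer {vpc_a} and {vpc_b}: overlapping ranges {clash}")
    cmds = []
    # One command per side: the peering only becomes ACTIVE once both exist.
    for local, remote in ((vpc_a, vpc_b), (vpc_b, vpc_a)):
        project, _ = VPCS[local]
        peer_project, _ = VPCS[remote]
        cmds.append(
            f"gcloud compute networks peerings create {local}-to-{remote} "
            f"--project={project} --network={local} "
            f"--peer-project={peer_project} --peer-network={remote}"
        )
    return cmds
```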
