GCP Networking: A Tale of Two Perimeters (External vs. Internal)
In Google Cloud Platform (GCP), networking is fundamentally divided into two distinct realms:
external and internal. Understanding this division is crucial for designing secure, scalable,
and cost-effective cloud architectures. The primary difference lies in where the traffic
originates and what it's trying to reach.
● External Networking is your gateway to and from the public internet. It's how you expose
your applications to the world and how your cloud resources access outside services.
● Internal Networking is the private, isolated world within your Virtual Private Cloud (VPC).
It's designed for secure and efficient communication between your cloud resources,
shielded from the public internet.
Think of your GCP environment as a secure corporate office building.
● External networking is the public-facing lobby, the mailroom, and the delivery docks. It's
where you interact with the outside world—receiving visitors (incoming traffic) and
sending out packages (outgoing traffic). Security here is paramount, with guards
(firewalls) and receptionists (load balancers) carefully managing who comes and goes.
● Internal networking is the secure, keycard-access-only floors of the building.
Communication between employees and departments (VMs, services) is fast, private, and
doesn't require going out to the public street.
This document will explore the components, use cases, and security considerations for both
of these networking paradigms.
External Networking: Facing the Internet 🌐
When your application needs to be accessible to users on the internet, or your instances need
to fetch updates or connect to external APIs, you're using external networking.
Key Components:
● External IP Addresses: These are publicly routable IP addresses that you can assign to
resources like Compute Engine virtual machines (VMs) or external load balancers. They
can be ephemeral (changing when a VM is stopped) or static (reserved and persistent).
● External Load Balancers: These are managed services that distribute incoming internet
traffic across multiple backend instances. GCP offers several types, including:
○ Global External Application Load Balancer (Layer 7): For distributing HTTP/S traffic
globally to backends in multiple regions.
○ External Passthrough Network Load Balancer (Layer 4): For distributing TCP/UDP
traffic within a single region.
● Cloud NAT (Network Address Translation): Allows instances without external IP
addresses to initiate outbound connections to the internet (e.g., for downloading software
updates) without allowing unsolicited inbound connections.
● Firewall Rules: Act as a virtual firewall for your VPC, allowing you to control incoming
(ingress) and outgoing (egress) traffic. For external networking, you'd create rules to allow
traffic from specific internet IP ranges (e.g., 0.0.0.0/0 for all) on certain ports (like TCP
80/443).
Common Use Cases:
● Hosting public websites and web applications.
● Providing public-facing APIs.
● Running online gaming servers.
● Allowing VMs to access external services, package repositories, or APIs.
Internal Networking: The Secure Private Backbone 🔒
Internal networking is for all communication that happens within your VPC network. It's
inherently more secure because it's not exposed to the public internet by default.
Performance is also typically better and more predictable, as traffic stays on Google's private
global network.
Key Components:
● Internal IP Addresses: Every VM instance is assigned a primary internal IP address from
its subnet's IP range. These addresses are only reachable from within the same VPC
network or connected networks (via VPC Peering or VPN).
● Internal Load Balancers: These distribute traffic that originates inside your VPC. They
are essential for building multi-tier applications (e.g., web servers talking to application
servers, which talk to databases).
○ Internal Application Load Balancer (Layer 7): A managed Envoy proxy-based load
balancer for internal HTTP/S traffic.
○ Internal Passthrough Network Load Balancer (Layer 4): For distributing internal
TCP/UDP traffic.
● VPC Network Peering: Allows you to connect two VPC networks so that resources in
each network can communicate internally as if they were in the same network.
● Cloud VPN & Interconnect: Securely connect your on-premises network to your GCP
VPC, extending your internal network into the cloud.
Common Use Cases:
● Multi-tier Applications: A public-facing web tier (with an external load balancer)
communicating with a private application or database tier (using an internal load
balancer).
● Microservices Communication: Services within a Kubernetes cluster or across different
managed instance groups communicating with each other.
● Hybrid Cloud: On-premises servers securely accessing databases or services running in
GCP.
● Shared Services: A central "hub" project hosting shared services like a database that is
accessed by multiple "spoke" projects via a Shared VPC or VPC Peering.
Security: A Tale of Two Strategies
Your security posture will differ significantly between the two networking types.
● External Security: The focus is on a "deny-all, allow-by-exception" model. You should
only open the specific ports needed for your application to function and restrict the
source IP ranges as much as possible. Services like Cloud Armor can provide DDoS
protection and Web Application Firewall (WAF) capabilities for your external load
balancers.
● Internal Security: While traffic is private, a "zero-trust" approach is still recommended.
Use firewall rules to restrict communication between different tiers of your application.
For example, only allow the web server tier to talk to the application server tier on a
specific port, and only allow the application tier to talk to the database tier.
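The same "deny-all, allow-by-exception" model governs both the external perimeter rules described under External Networking and the tier-to-tier rules just described. The following Python model is an added example written for this article, not Google's code or an official API: it evaluates a small VPC firewall rule set the way GCP does (lower priority number wins, deny beats allow at equal priority, and every VPC carries an implied deny-all-ingress and allow-all-egress rule at priority 65535) and checks sample flows against it. The tier tags (web, app, db), ports, and IP ranges are constructed sample values chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow" or "deny"
    priority: int                   # 0..65535; lower number is evaluated first
    protocol: str                   # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()  # empty = every port of that protocol
    source_ranges: tuple = ()       # CIDRs the sender may come from (ingress)
    source_tags: tuple = ()         # network tags of the sending VM (ingress)
    target_tags: tuple = ()         # empty = applies to every VM in the VPC


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_tags: frozenset
    dst_tags: frozenset
    protocol: str
    port: Optional[int] = None


# Implied rules present in every VPC network: unsolicited inbound traffic is
# denied, outbound traffic is allowed. Anything not explicitly allowed for
# ingress therefore falls through to the deny.
IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, "all",
         source_ranges=("0.0.0.0/0",)),
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, "all"),
)

# Constructed sample rule set for the three-tier design described in the text.
# The tags, ports and CIDRs are assumptions chosen for this example.
TIERED_RULES = (
    # External perimeter: the only exception to deny-all is HTTPS to the web tier.
    Rule("allow-https-from-internet", "INGRESS", "allow", 1000, "tcp",
         ports=frozenset({443}), source_ranges=("0.0.0.0/0",), target_tags=("web",)),
    # Internal backbone: web may reach app on 8080 only; app may reach db on 5432 only.
    Rule("allow-web-to-app", "INGRESS", "allow", 1000, "tcp",
         ports=frozenset({8080}), source_tags=("web",), target_tags=("app",)),
    Rule("allow-app-to-db", "INGRESS", "allow", 1000, "tcp",
         ports=frozenset({5432}), source_tags=("app",), target_tags=("db",)),
)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule applies to this flow (target, protocol, port, source)."""
    if rule.target_tags and not set(rule.target_tags) & flow.dst_tags:
        return False
    if rule.protocol != "all" and rule.protocol != flow.protocol:
        return False
    if rule.ports and flow.port not in rule.ports:
        return False
    if rule.direction == "INGRESS":
        from_range = any(ip_address(flow.src_ip) in ip_network(cidr)
                         for cidr in rule.source_ranges)
        from_tag = bool(set(rule.source_tags) & flow.src_tags)
        if not (from_range or from_tag):
            return False
    return True


def evaluate(rules, flow: Flow, direction: str = "INGRESS"):
    """Return (action, rule_name) of the first matching rule.

    Lower priority number wins; at equal priority a deny rule beats an allow
    rule, which is GCP's documented tie-break.
    """
    candidates = [r for r in (*rules, *IMPLIED_RULES) if r.direction == direction]
    candidates.sort(key=lambda r: (r.priority, r.action != "deny"))
    for rule in candidates:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    raise AssertionError("implied rules guarantee a match")  # unreachable


def is_allowed(flow: Flow, direction: str = "INGRESS") -> bool:
    return evaluate(TIERED_RULES, flow, direction)[0] == "allow"


def check_flows() -> dict:
    """Evaluate constructed sample flows against the tiered rule set."""
    internet = frozenset()  # a sender on the public internet carries no VPC tags
    flows = {
        "internet->web:443": Flow("203.0.113.10", internet, frozenset({"web"}), "tcp", 443),
        "internet->web:22":  Flow("203.0.113.10", internet, frozenset({"web"}), "tcp", 22),
        "internet->db:5432": Flow("203.0.113.10", internet, frozenset({"db"}), "tcp", 5432),
        "web->app:8080":     Flow("10.0.1.5", frozenset({"web"}), frozenset({"app"}), "tcp", 8080),
        "web->db:5432":      Flow("10.0.1.5", frozenset({"web"}), frozenset({"db"}), "tcp", 5432),
        "app->db:5432":      Flow("10.0.2.5", frozenset({"app"}), frozenset({"db"}), "tcp", 5432),
    }
    return {name: is_allowed(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, allowed in check_flows().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY'}")
```

Running the block shows only the three intended paths allowed (HTTPS from the internet to web, web to app on 8080, app to db on 5432); SSH from the internet, a direct internet-to-database connection, and a web-tier VM reaching the database all fall through to the implied deny. Because no rule restricts egress, any VM's outbound connection is still permitted, which is why an internal VM with no external IP relies on Cloud NAT rather than on firewall rules to reach the internet.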
By thoughtfully designing your network with a clear distinction between the external perimeter
and the internal backbone, you can build a GCP environment that is both powerful and secure.
This video provides a helpful overview of internal and external IP addresses for virtual
machines in GCP.