Giao diện
🌐 VPC & Networking
Level: Core Solves: Thiết kế network architecture cho enterprise workloads với security, scalability, và hybrid connectivity trên GCP
🎯 Mục tiêu (Outcomes)
Sau khi áp dụng kiến thức trong trang này, bạn sẽ có khả năng:
- Thiết kế GCP VPC với Custom-mode và proper subnet sizing
- Triển khai Shared VPC cho multi-project environments
- Cấu hình Firewall Rules với hierarchical policies
- Enable Private Connectivity qua PSC và Private Google Access
- Implement Hybrid Connectivity với HA VPN hoặc Interconnect
- Phân tích VPC Flow Logs cho security và troubleshooting
✅ Khi nào dùng
| Pattern | Use Case | Lý do |
|---|---|---|
| Shared VPC | Multi-project organization | Centralized network management |
| Custom-mode VPC | Production workloads | Full CIDR control |
| Private Service Connect | Access Google APIs | No public IPs, security |
| HA VPN | Quick hybrid setup | Easy, encrypted, 99.99% SLA |
| Interconnect | High bandwidth needs | Low latency, high throughput |
❌ Khi nào KHÔNG dùng
| Pattern | Vấn đề | Thay thế |
|---|---|---|
| Auto-mode VPC | Preset CIDRs, conflicts | Custom-mode VPC |
| Network tags for firewall | Mutable, security risk | Service account-based rules |
| Classic VPN | Single tunnel, no SLA | HA VPN |
| Public IPs for internal services | Security exposure | Private Google Access |
| VPC Peering for many projects | Doesn't scale | Shared VPC |
⚠️ Cảnh báo từ Raizo
"Một team dùng Auto-mode VPC. 6 tháng sau cần kết nối với on-prem network có overlapping CIDR (10.128.0.0/20). Không thể change VPC mode. Phải recreate tất cả resources. Luôn dùng Custom-mode VPC từ đầu."
Core Concepts
GCP VPC Characteristics
┌─────────────────────────────────────────────────────────────────┐
│ GCP VPC vs AWS VPC │
├─────────────────────────────────────────────────────────────────┤
│ │
│ GCP VPC AWS VPC │
│ ─────── ─────── │
│ • GLOBAL resource • REGIONAL resource │
│ • Subnets are regional • Subnets are zonal (AZ) │
│ • Auto-mode or Custom-mode • Always custom │
│ • Firewall rules at VPC level • Security Groups + NACLs │
│ • Routes are global • Routes per route table │
│ │
│ KEY INSIGHT: GCP VPC spans all regions automatically. │
│ Subnets define regional boundaries, not VPC. │
│ │
└─────────────────────────────────────────────────────────────────┘Enterprise VPC Architecture
┌─────────────────────────────────────────────────────────────────┐
│ ENTERPRISE VPC DESIGN │
├─────────────────────────────────────────────────────────────────┤
│ │
│ VPC: prod-vpc (Global) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ │ │
│ │ Region: asia-southeast1 │ │
│ │ ┌─────────────────────────────────────────────────┐ │ │
│ │ │ Subnet: prod-ase1-app │ │ │
│ │ │ CIDR: 10.10.0.0/20 (4,096 IPs) │ │ │
│ │ │ • GKE nodes, Cloud Run, App workloads │ │ │
│ │ └─────────────────────────────────────────────────┘ │ │
│ │ ┌─────────────────────────────────────────────────┐ │ │
│ │ │ Subnet: prod-ase1-data │ │ │
│ │ │ CIDR: 10.10.16.0/20 │ │ │
│ │ │ • Cloud SQL, Memorystore, Dataproc │ │ │
│ │ └─────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ Region: us-central1 │ │
│ │ ┌─────────────────────────────────────────────────┐ │ │
│ │ │ Subnet: prod-usc1-app │ │ │
│ │ │ CIDR: 10.20.0.0/20 │ │ │
│ │ └─────────────────────────────────────────────────┘ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ⚠️ Use Custom-mode VPC for enterprise (not Auto-mode) │
│ │
└─────────────────────────────────────────────────────────────────┘Shared VPC
Hub-Spoke with Shared VPC
┌─────────────────────────────────────────────────────────────────┐
│ SHARED VPC ARCHITECTURE │
├─────────────────────────────────────────────────────────────────┤
│ │
│ HOST PROJECT (Network Admin) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ prj-network-hub │ │
│ │ ┌─────────────────────────────────────────────────┐ │ │
│ │ │ Shared VPC │ │ │
│ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │
│ │ │ │Subnet A │ │Subnet B │ │Subnet C │ │ │ │
│ │ │ │Team-1 │ │Team-2 │ │Shared │ │ │ │
│ │ │ └────┬────┘ └────┬────┘ └────┬────┘ │ │ │
│ │ └───────┼───────────┼───────────┼─────────────────┘ │ │
│ └──────────┼───────────┼───────────┼──────────────────────┘ │
│ │ │ │ │
│ SERVICE PROJECTS (Workload Teams) │
│ ┌──────────┼───────────┼───────────┼──────────────────────┐ │
│ │ ▼ ▼ ▼ │ │
│ │ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ prj-team-1 │ │ prj-team-2 │ │ │
│ │ │ (GKE, VMs) │ │ (Cloud Run) │ │ │
│ │ └─────────────┘ └─────────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ BENEFITS: │
│ • Centralized network management │
│ • Consistent firewall policies │
│ • Simplified connectivity (no peering needed) │
│ • Clear separation of duties │
│ │
└─────────────────────────────────────────────────────────────────┘Shared VPC IAM Roles
| Role | Scope | Responsibility |
|---|---|---|
| Shared VPC Admin | Organization/Folder | Enable Shared VPC, attach projects |
| Network Admin | Host Project | Create/manage VPC, subnets, firewall |
| Network User | Subnet level | Use subnet in service project |
| Compute Network User | Subnet level | Create VMs in subnet |
bash
# Grant Network User on specific subnet
gcloud compute networks subnets add-iam-policy-binding SUBNET_NAME \
--region=REGION \
--member="serviceAccount:SA@PROJECT.iam.gserviceaccount.com" \
--role="roles/compute.networkUser" \
--project=HOST_PROJECTFirewall Rules
Firewall Rule Hierarchy
┌─────────────────────────────────────────────────────────────────┐
│ FIREWALL RULE PRIORITY │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Priority 0 (Highest) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Hierarchical Firewall Policies (Org/Folder level) │ │
│ │ • Enforced across all projects │ │
│ │ • Cannot be overridden by project rules │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ Priority 1000 (Default) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ VPC Firewall Rules (Project level) │ │
│ │ • Lower number = higher priority │ │
│ │ • Evaluated until first match │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ Priority 65535 (Lowest) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Implied Rules │ │
│ │ • Deny all ingress (65535) │ │
│ │ • Allow all egress (65535) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘Firewall Best Practices
yaml
# Allow internal communication
- name: allow-internal
direction: INGRESS
priority: 1000
sourceRanges: ["10.0.0.0/8"]
allowed:
- IPProtocol: tcp
- IPProtocol: udp
- IPProtocol: icmp
# Allow health checks from GCP
- name: allow-health-checks
direction: INGRESS
priority: 1000
sourceRanges:
- "35.191.0.0/16" # Health check ranges
- "130.211.0.0/22"
targetTags: ["allow-health-check"]
allowed:
- IPProtocol: tcp
ports: ["80", "443", "8080"]
# Deny all other ingress (explicit)
- name: deny-all-ingress
direction: INGRESS
priority: 65000
sourceRanges: ["0.0.0.0/0"]
denied:
- IPProtocol: all💡 Network Tags vs Service Accounts
Prefer Service Account-based firewall rules over network tags. Service accounts are immutable and tied to identity, while tags can be modified by anyone with compute.instances.setTags permission.
Private Services Access
Private Google Access
┌─────────────────────────────────────────────────────────────────┐
│ PRIVATE GOOGLE ACCESS │
├─────────────────────────────────────────────────────────────────┤
│ │
│ WITHOUT Private Google Access: │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ VM (no external IP) ──X──► Google APIs (storage.google │ │
│ │ apis.com) │ │
│ │ ❌ Cannot reach Google APIs │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ WITH Private Google Access: │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ VM (no external IP) ────► Google APIs │ │
│ │ (via internal routing) │ │
│ │ ✅ Traffic stays on Google network │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ Enable per subnet: │
│ gcloud compute networks subnets update SUBNET \ │
│ --enable-private-ip-google-access │
│ │
└─────────────────────────────────────────────────────────────────┘Private Service Connect
Hybrid Connectivity
Cloud Interconnect vs Cloud VPN
| Aspect | Dedicated Interconnect | Partner Interconnect | Cloud VPN |
|---|---|---|---|
| Bandwidth | 10-200 Gbps | 50 Mbps - 50 Gbps | Up to 3 Gbps |
| Latency | Lowest | Low | Variable |
| Setup Time | Weeks | Days | Minutes |
| Cost | Highest | Medium | Lowest |
| Encryption | MACsec optional | MACsec optional | IPsec always |
| SLA | 99.99% (with redundancy) | 99.99% | 99.99% |
HA VPN Architecture
┌─────────────────────────────────────────────────────────────────┐
│ HA VPN TOPOLOGY │
├─────────────────────────────────────────────────────────────────┤
│ │
│ GCP Region On-Premises │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ │ │ │ │
│ │ ┌───────────────┐ │ │ ┌───────────────┐ │ │
│ │ │ HA VPN Gateway│ │ │ │ VPN Device │ │ │
│ │ │ Interface 0 │◄─┼────────────┼─►│ Tunnel 0 │ │ │
│ │ │ Interface 1 │◄─┼────────────┼─►│ Tunnel 1 │ │ │
│ │ └───────────────┘ │ │ └───────────────┘ │ │
│ │ │ │ │ │ │
│ │ ▼ │ │ │ │
│ │ ┌───────────────┐ │ │ │ │
│ │ │ Cloud Router │ │ │ │ │
│ │ │ (BGP) │ │ │ │ │
│ │ └───────────────┘ │ │ │ │
│ │ │ │ │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
│ 99.99% SLA requires: │
│ • 2 tunnels from each HA VPN interface │
│ • BGP sessions on all tunnels │
│ • Proper failover configuration │
│ │
└─────────────────────────────────────────────────────────────────┘VPC Flow Logs
Configuration
bash
gcloud compute networks subnets update SUBNET_NAME \
--enable-flow-logs \
--logging-aggregation-interval=interval-5-sec \
--logging-flow-sampling=0.5 \
--logging-metadata=include-all \
--logging-filter-expr="src_ip != '10.0.0.1'"Log Analysis (BigQuery)
sql
-- Top talkers by bytes
SELECT
jsonPayload.connection.src_ip,
jsonPayload.connection.dest_ip,
SUM(CAST(jsonPayload.bytes_sent AS INT64)) as total_bytes
FROM `project.dataset.compute_googleapis_com_vpc_flows_*`
WHERE _TABLE_SUFFIX >= '20240101'
GROUP BY 1, 2
ORDER BY total_bytes DESC
LIMIT 10;
-- Denied connections
SELECT
jsonPayload.connection.src_ip,
jsonPayload.connection.dest_ip,
jsonPayload.connection.dest_port,
COUNT(*) as deny_count
FROM `project.dataset.compute_googleapis_com_vpc_flows_*`
WHERE jsonPayload.reporter = 'DEST'
AND jsonPayload.disposition = 'DENIED'
GROUP BY 1, 2, 3
ORDER BY deny_count DESC;Best Practices Checklist
- [ ] Use Custom-mode VPC (not Auto-mode)
- [ ] Implement Shared VPC for multi-project environments
- [ ] Enable Private Google Access on all subnets
- [ ] Use Service Account-based firewall rules
- [ ] Implement Hierarchical Firewall Policies at org level
- [ ] Enable VPC Flow Logs for security analysis
- [ ] Plan CIDR ranges for future growth (no overlap)
- [ ] Use HA VPN or Interconnect for hybrid connectivity
⚖️ Trade-offs
Trade-off 1: Shared VPC vs VPC Peering
| Khía cạnh | Shared VPC | VPC Peering |
|---|---|---|
| Centralized management | Yes | No |
| Firewall policies | Unified | Per-VPC |
| Scaling | Tốt | Limited |
| Setup complexity | Medium | Low |
| IAM separation | Clear | Separate |
Khuyến nghị: Shared VPC cho enterprise. VPC Peering cho isolated workloads hoặc third-party.
Trade-off 2: Interconnect vs VPN
| Khía cạnh | Cloud Interconnect | HA VPN |
|---|---|---|
| Bandwidth | Lên đến 200 Gbps | 3 Gbps/tunnel |
| Latency | Lowest | Variable |
| Setup time | Tuần | Phút |
| Cost | Cao | Thấp |
| Encryption | Optional (MACsec) | Always (IPsec) |
Trade-off 3: Flow Logs Sampling Rate
| Sampling | Storage Cost | Visibility | Use Case |
|---|---|---|---|
| 100% | Very high | Full | Security investigations |
| 50% | Medium | Good | Production monitoring |
| 10% | Low | Limited | Cost-sensitive |
| Off | None | None | Non-critical |
🚨 Failure Modes
Failure Mode 1: CIDR Conflicts
🔥 Incident thực tế
Team A và Team B cả hai dùng 10.0.0.0/16. Khi cần connect qua VPC Peering, không thể route. Phải renumber toàn bộ một VPC. 2 tuần downtime.
| Cách phát hiện | Cách phòng tránh |
|---|---|
| Peering creation fails | Central IPAM planning |
| Route conflicts | Non-overlapping CIDR allocation |
| Connectivity issues | Use /16 block per environment |
Failure Mode 2: Firewall Misconfiguration
| Cách phát hiện | Cách phòng tránh |
|---|---|
| Unexpected connectivity | Test in staging |
| Security scan findings | IaC cho firewall rules |
| Flow log shows denied traffic | Hierarchical policies |
Failure Mode 3: Hybrid Connectivity Failure
| Cách phát hiỆn | Cách phòng tránh |
|---|---|
| BGP session down | Monitor Cloud Router BGP |
| Tunnel status unhealthy | Redundant tunnels |
| Latency spikes | Multi-path routing |
🔐 Security Baseline
Network Security Requirements
| Requirement | Implementation | Verification |
|---|---|---|
| No public IPs | Org policy enforced | Cloud Asset Inventory |
| Private Google Access | Enabled all subnets | Subnet audit |
| Hierarchical Firewall | Org-level policies | Policy review |
| VPC Flow Logs | Enabled, exported | Log sink verified |
| SA-based firewall | No network tags | Rule audit |
Firewall Rule Strategy
┌─────────────────────────────────────────────────────────────────┐
│ FIREWALL RULE LAYERS │
├─────────────────────────────────────────────────────────────────┤
│ │
│ L1: Org Hierarchical Policy (Deny known bad IPs) │
│ L2: Folder Hierarchical Policy (Prod stricter than dev) │
│ L3: VPC Firewall Rules (Allow internal, health checks) │
│ L4: Implied Deny All Ingress │
│ │
└─────────────────────────────────────────────────────────────────┘📊 Ops Readiness
Metrics cần Monitoring
| Metric | Source | Alert Threshold |
|---|---|---|
| VPN tunnel status | Cloud Monitoring | Any down |
| BGP session status | Cloud Router | Session down |
| Firewall denied connections | Flow Logs | Spike |
| Subnet IP utilization | Cloud Monitoring | > 80% |
| Interconnect circuit status | Cloud Monitoring | Any issues |
Runbook Entry Points
| Tình huống | Runbook |
|---|---|
| VPN tunnel down | runbook/vpn-troubleshooting.md |
| BGP flapping | runbook/bgp-troubleshooting.md |
| Connectivity issues | runbook/network-connectivity-debug.md |
| Firewall blocking traffic | runbook/firewall-investigation.md |
| Subnet exhaustion | runbook/subnet-expansion.md |
| Interconnect issues | runbook/interconnect-troubleshooting.md |
✅ Design Review Checklist
VPC Design
- [ ] Custom-mode VPC
- [ ] CIDR plan documented
- [ ] No overlapping ranges
- [ ] Subnet sizing adequate
Connectivity
- [ ] Private Google Access enabled
- [ ] PSC cho managed services
- [ ] Hybrid connectivity redundant
- [ ] BGP configured properly
Security
- [ ] Hierarchical firewall policies
- [ ] SA-based firewall rules
- [ ] VPC Flow Logs enabled
- [ ] No public IPs unnecessary
Operations
- [ ] Network monitoring configured
- [ ] Flow logs exported
- [ ] Runbooks documented
- [ ] CIDR tracking maintained
📎 Liên kết
- 📎 AWS VPC & Networking - So sánh với AWS networking model
- 📎 Compute Patterns - Network requirements cho compute options
- 📎 Security & Data Perimeter - VPC Service Controls
- 📎 Terraform Modules - IaC patterns cho VPC deployment
- 📎 GCP Observability - Network monitoring