VPC IN GCP – CONFIGURING NETWORK TAGS
VPC IN GCP. Google Cloud VPC is global, scalable, and flexible. Thus, it provides networking for Compute Engine VM, GKE containers, and the App Engine environment.
VPC in GCP can automatically set up your virtual topology, configuring prefix ranges for your subnets and network policies, or you can configure your own. Subsequently, you can also expand CIDR ranges without downtime.
You can think of a VPC in GCP network the same way you’d think of a physical network, except that it is virtualized within Google Cloud. In addition, a VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network. Hence, VPC networks are logically isolated from each other in Google Cloud.
What are network tags – VPC in GCP?
A tag is simply a character string added to a tags field in a resource, such as Compute Engine virtual machine (VM) instances or instance templates. Furthermore, a tag is not a separate resource, so you cannot create it separately. Therefore, all resources with that string are considered to have that tag. Tags enable you to make firewall rules and routes applicable to specific VM instances.
You can assign network tags to new VMs at creation time, or you can edit the set of assigned tags at any time later. In addition, you can edit network tags without stopping a VM.
VPC in GCP Tag specifications
Furthermore, the network tags that you assign to an instance apply to all of the instance’s network interfaces. After all, a network tag only applies to the VPC networks that are directly attached to the instance’s network interfaces. Above all, this is true even for VPC Network Peering, because peered networks remain distinct networks. Thus, the network tags are still only meaningful in the network to which the instance’s network interface is attached.
Thus, network tags must start with a lowercase letter and can contain lowercase letters, numbers, and hyphens. Tags must end with a lowercase letter or number.
TAG permissions
Task | Required Role |
---|---|
Assign a network tag to a new instance when it is created | Project owner or editor or Instance Admin |
Add or remove network tags for existing instances | |
Add, remove, or edit firewall rules | Project owner or editor or Security Admin |
TAG Limits
Limit | Value | Description |
---|---|---|
Maximum number of tags per VM | 64 | All tags for a VM must be unique. You can assign up to 64 different tags per VM. |
Maximum number of characters for each tag | 63 | |
Acceptable characters for a tag | lowercase letters, numbers, dashes | Additionally: • Tags must start with a lowercase letter. • Tags must end with either a number or a lowercase letter. |
Firewall rules and routes
Every firewall rule in Google Cloud must have a target which defines the instances to which it applies. The default target is all instances in the network, but you can specify instances as targets using either target tags or target service accounts.
The target tag defines the Google Cloud VMs to which the rule applies. The rule is applied to a specific VPC network. It is made applicable to the primary internal IP address associated with the network interface of any instance attached to that VPC network that has a matching network tag.
Ingress and Egress rules
Ingress rules apply to traffic entering your VPC network. For ingress rules, the targets are destination VMs in Google Cloud
Egress rules apply to traffic leaving your VPC network. For egress rules, the targets are source VMs in Google Cloud
Example
Consider an ingress firewall rule that allows traffic on TCP port 80
from any source. The rule has a target tag of http-server
. This rule would apply only to instances that have the http-server
network tag, which means that incoming traffic on port 80
would be allowed to those instances
GCP Network TAGS and rules
When you use an ingress firewall rule with source tags, you might observe a propagation delay. This delay is typically a few seconds, but it can be, in rare cases, a few minutes. When you make the following changes, the ingress firewall rule can take time to apply to or be removed from an associated instance
1. Starting or stopping an instance that has a tag that is associated with a rule’s source tag
2. Starting an instance that has a tag that is associated with a rule’s target tag
3. Adding or removing tags from an instance if the tags are used in the source or target fields of a rule
4. Adding or removing source or target tags from a rule
Interaction with routes
When you create a route, you specify a VPC network within VPC in GCP, and can specify tags so that the route is only applicable to traffic sent from the primary internal IP address of the network interface attached to that VPC network for instances with matching network tags.
How to add a network TAG using Terraform while creating a VM
resource "google_compute_instance" "default" {
project = var.project_id # Replace this with your project ID in quotes
zone = "southamerica-east1-b"
name = "backend-instance"
machine_type = "e2-medium"
boot_disk {
initialize_params {
image = "debian-cloud/debian-9"
}
}
network_interface {
network = "default"
}
tags = ["health-check", "ssh"]
}
In other words, you can also use the Google Console to create network TAGS within VPC in GCP:
- Go to the VM instances page.
Go to the VM instances page - You can then click Create instance.
- Subsequently, click Management, security, disks, networking, sole tenancy to open that section.
- Click the Networking tab.
- In the Network tags field, specify one or more tags, separated by commas.
- Populate other fields for the VM.
- Click Create.