E-learningLatestNews

VPC IN GCP – CONFIGURING NETWORK TAGS

VPC IN GCP. Google Cloud VPC is global, scalable, and flexible. Thus, it provides networking for Compute Engine VM, GKE containers, and the App Engine environment.  

VPC in GCP can automatically set up your virtual topology, configuring prefix ranges for your subnets and network policies, or you can configure your own. Subsequently, you can also expand CIDR ranges without downtime.

VPC network example (click to enlarge)
VPC in GCP Overview

You can think of a VPC in GCP network the same way you’d think of a physical network, except that it is virtualized within Google Cloud. In addition, a VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network. Hence, VPC networks are logically isolated from each other in Google Cloud.

What are network tags – VPC in GCP?

VPC IN GCP - Configuring network tags

A tag is simply a character string added to a tags field in a resource, such as Compute Engine virtual machine (VM) instances or instance templates. Furthermore, a tag is not a separate resource, so you cannot create it separately. Therefore, all resources with that string are considered to have that tag. Tags enable you to make firewall rules and routes applicable to specific VM instances.

You can assign network tags to new VMs at creation time, or you can edit the set of assigned tags at any time later. In addition, you can edit network tags without stopping a VM.

VPC in GCP Tag specifications

Furthermore, the network tags that you assign to an instance apply to all of the instance’s network interfaces. After all, a network tag only applies to the VPC networks that are directly attached to the instance’s network interfaces. Above all, this is true even for VPC Network Peering, because peered networks remain distinct networks. Thus, the network tags are still only meaningful in the network to which the instance’s network interface is attached.

Thus, network tags must start with a lowercase letter and can contain lowercase letters, numbers, and hyphens. Tags must end with a lowercase letter or number.

Note: Networks tags don’t need to be unique across multiple VPC networks. The same tags can be used in different networks for unique purposes in each.

VPC IN GCP – TAGS

TAG permissions

TaskRequired Role
Assign a network tag to a new instance when it is createdProject owner or editor or Instance Admin
Add or remove network tags for existing instances
Add, remove, or edit firewall rulesProject owner or editor or Security Admin

TAG Limits

LimitValueDescription
Maximum number of tags per VM64All tags for a VM must be unique. You can assign up to 64 different tags per VM.
Maximum number of characters for each tag63
Acceptable characters for a taglowercase letters, numbers, dashesAdditionally:
• Tags must start with a lowercase letter.
• Tags must end with either a number or a lowercase letter.

Firewall rules and routes

Every firewall rule in Google Cloud must have a target which defines the instances to which it applies. The default target is all instances in the network, but you can specify instances as targets using either target tags or target service accounts.

The target tag defines the Google Cloud VMs to which the rule applies. The rule is applied to a specific VPC network. It is made applicable to the primary internal IP address associated with the network interface of any instance attached to that VPC network that has a matching network tag.

Ingress and Egress rules

Ingress rules apply to traffic entering your VPC network. For ingress rules, the targets are destination VMs in Google Cloud

Egress rules apply to traffic leaving your VPC network. For egress rules, the targets are source VMs in Google Cloud

Example

Consider an ingress firewall rule that allows traffic on TCP port 80 from any source. The rule has a target tag of http-server. This rule would apply only to instances that have the http-server network tag, which means that incoming traffic on port 80 would be allowed to those instances

GCP Network TAGS and rules

When you use an ingress firewall rule with source tags, you might observe a propagation delay. This delay is typically a few seconds, but it can be, in rare cases, a few minutes. When you make the following changes, the ingress firewall rule can take time to apply to or be removed from an associated instance

1. Starting or stopping an instance that has a tag that is associated with a rule’s source tag

2. Starting an instance that has a tag that is associated with a rule’s target tag

3. Adding or removing tags from an instance if the tags are used in the source or target fields of a rule

4. Adding or removing source or target tags from a rule

Interaction with routes

When you create a route, you specify a VPC network within VPC in GCP, and can specify tags so that the route is only applicable to traffic sent from the primary internal IP address of the network interface attached to that VPC network for instances with matching network tags.

DevOps Engineer

How to add a network TAG using Terraform while creating a VM

resource "google_compute_instance" "default" {
  project      = var.project_id # Replace this with your project ID in quotes
  zone         = "southamerica-east1-b"
  name         = "backend-instance"
  machine_type = "e2-medium"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }
  network_interface {
    network = "default"
  }
  tags = ["health-check", "ssh"]
}

In other words, you can also use the Google Console to create network TAGS within VPC in GCP:

  1. Go to the VM instances page.
    Go to the VM instances page
  2. You can then click Create instance.
  3. Subsequently, click Management, security, disks, networking, sole tenancy to open that section.
  4. Click the Networking tab.
  5. In the Network tags field, specify one or more tags, separated by commas.
  6. Populate other fields for the VM.
  7. Click Create.