Google Compute VPN multiple remote networks - google-compute-engine

I have two networks listed in the "Remote network IP ranges" and the VPN is flapping between them. Only one of the remote networks is ever reachable at a time. How can I get it to keep both networks available all the time?

As Google Cloud VPN doesn't support multiple SAs, you need to establish one SA with a traffic selector that covers all the subnets, which most routers should support. If your hardware doesn't support it, then you need to create one tunnel for every subnet.

Related

Google Cloud - Adding additional Internal IP to VM

I'm trying to build a webserver in Google Cloud Platform that hosts multiple websites (GBP, IE, FR, DK etc.)
Generally, we assign a range of IPs to the server statically, set the bindings in IIS, then loadbalance using a virtual IP.
It seems near enough impossible to assign another internal IP in GCP. Lots of guides about additional external IPs, but we don't want a public facing webserver like this.
Anybody have any idea on how to add additional internal IPs to a VM / Instance?
Also, I have tried changing the internal address I have assigned to the Instance to static in the network adapter settings; the next thing I know, I can't access my VM for love nor money, and had to delete and re-create it. If I go into advanced settings to add additional static IPs, we're set to DHCP apparently, so I can't add additional IPs.
Thanks all.
Answer that I received from the GCE discussion group on Google Groups:
"You can add additional internal IP addresses to a VM instance. This is possible by enabling IP forwarding for the VM, creating a static network route, adding appropriate firewall rules, and setting additional internal IP addresses on the network adapter of Windows. These steps are described in this article for Linux machines (https://cloud.google.com/compute/docs/networking#set_a_static_target_ip_address). The same steps are valid for Windows VMs. You will need to keep the initial internal IP address, subnet mask, gateway address and DNS settings of the adapter and manually enter them in the IPv4 properties of the network adapter. The below is a screenshot of my configuration on a VM instance (Windows 2008 R2) that works perfectly."
Update:
Now, you can create instances with multiple network interfaces on Google Compute Engine and assign IPs. For more information, refer to this public documentation link. However, it currently has the following limitations:
Alias IP ranges are not supported on any network interface on a VM that has multiple network interfaces enabled.
You cannot modify or delete the network interfaces after the VM has been created.

Networking across Google Cloud projects

Is it possible to route/forward all TCP traffic for a specific port originating from one instance group to that TCP port on a specific instance in a second project? In a single project this is not difficult, but without static IPs (an auto-scaling instance group with hundreds of instances) it is not clear how to route across projects.
Use Shared VPC. It allows you to share a VPC network across projects in the same organization.
I found these answers in need of further details or perhaps outdated? First, for those who don't know, a VPC is a Virtual Private Cloud network. Yes, you need a VPC, but not necessarily a shared one that requires an organization configuration. An easy solution is to use VPC Network Peering.
When you create a compute engine instance, you are assigned to a VPC, the "default" VPC. If you have instances in more than 1 project and you want to communicate between them, then you need to create another VPC that doesn't share the same subnet as the default VPC, but only if the two projects have the same default subnet.
One VPC might have 10.142.0.0/20 for its network and another might have 10.143.0.0/20 for its network. This would be fine, but if they both have 10.142.0.0/20, that won't work and you'd need to create a new VPC.
Now, you go to VPC network menu option in the console and add a new VPC, if needed. If you do that, then you need to set up firewall and routing similar to that of the default VPC. If you don't, then traffic on the same VPC, between compute engines, will not be possible.
Now, go to the VPC network peering option and create an entry in one project that points to the VPC of the other project. It will tell you that it is waiting to connect. Now go to the other project and create a network peering entry that has the opposite configuration. For example, in project A, with VPC AA and project B with VPC BB, you create an entry in project A that uses AA and points to BB. In project B, you create an entry that uses BB and points to AA. After some validation, the connection, if valid, will connect. Once connected, it creates all of the routes necessary to get between the two project VPCs.
Now, if your firewall settings are correct, you should be able to send and receive traffic between projects.
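An added example (not code from any answer on this page) that turns the walkthrough above into a checked plan: it verifies that the two projects' subnets are disjoint (the collision case the answer warns about), then emits the two symmetric peering entries and a firewall rule on the destination side that admits only the peer's subnets on the one TCP port the question asks about. Project names, VPC names and ranges are constructed; the gcloud commands use real flags but are generated as strings, not executed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inventory of subnets per (project, VPC). All names and
# ranges are illustrative; project-c deliberately reuses project-a's default range.
PROJECTS = {
    ("project-a", "aa"): ["10.142.0.0/20", "10.150.0.0/24"],
    ("project-b", "bb"): ["10.143.0.0/20"],
    ("project-c", "default"): ["10.142.0.0/20"],
}


def find_overlaps(ranges_a: List[str], ranges_b: List[str]) -> List[Tuple[str, str]]:
    """Return every (a, b) pair of CIDRs that overlap.

    Peering, like VPN routing, needs disjoint address space on both sides;
    two VPCs that both use the default 10.142.0.0/20 cannot be peered.
    """
    nets_a = [ipaddress.ip_network(r, strict=True) for r in ranges_a]
    nets_b = [ipaddress.ip_network(r, strict=True) for r in ranges_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def peering_plan(proj_a: str, vpc_a: str, proj_b: str, vpc_b: str,
                 tcp_port: int) -> Dict[str, List[str]]:
    """Build the gcloud commands for a symmetric peering (one entry per project)
    plus an ingress rule on the B side that admits only A's subnets on one port."""
    a_ranges = PROJECTS[(proj_a, vpc_a)]
    overlaps = find_overlaps(a_ranges, PROJECTS[(proj_b, vpc_b)])
    if overlaps:
        raise ValueError(f"address space collides, cannot peer: {overlaps}")
    return {
        proj_a: [
            f"gcloud compute networks peerings create {vpc_a}-to-{vpc_b} "
            f"--project={proj_a} --network={vpc_a} "
            f"--peer-project={proj_b} --peer-network={vpc_b}",
        ],
        proj_b: [
            f"gcloud compute networks peerings create {vpc_b}-to-{vpc_a} "
            f"--project={proj_b} --network={vpc_b} "
            f"--peer-project={proj_a} --peer-network={vpc_a}",
            # Scope the firewall rule to the peer's subnets and the one port the
            # question asks about, rather than opening it to 0.0.0.0/0.
            f"gcloud compute firewall-rules create allow-{vpc_a}-tcp-{tcp_port} "
            f"--project={proj_b} --network={vpc_b} --direction=INGRESS "
            f"--allow=tcp:{tcp_port} --source-ranges={','.join(a_ranges)}",
        ],
    }
```

Run the project-a command in project A and the project-b commands in project B; the peering shows as ACTIVE only once both sides exist, which is the "waiting to connect" state the answer describes.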
The "only" way to connect between your instances on different Google Cloud projects is either through VPN or using the public IP. By using the public IP, I mean either through a NAT gateway or directly from instance to instance using the public IP. You can find more information about Google Cloud VPN in this Help Center article.

VPN Config Google Cloud

I need to know if the following scenario is possible using Google Cloud:
I need to have an IPSec VPN with a partner. The thing is that at their side they will allow only one of my hosts to access their network; at their side they configure an ACL as follows: network-object host X.X.X.4.
So, it is a must that in the phase 2 negotiation, Google Cloud sends as the local address the IP allowed by them, X.X.X.4, and not the network X.X.X.0/something; if that happens, phase 2 will crash.
Is it possible to configure the VPN with this requirement?
Regards,
Will.
You could try creating a /30 network in your project, hosting the VM that you would like to interact with the partner there, and setting up the VPN tunnel.
If you have another network where other VMs/apps exist, set up a cross-VPN between the VPN tunnels in your project, just that they are in different networks within the same project.

How to route between two or more private network?

If I create a default2 network in GCE with the 192.168.3.0/24 network, how do I route to the default network? Do I have to create a routable instance which will act as a router?
The networks are completely isolated, so you can have two instances that belong to different networks with the same internal IP, and that's why it's not possible to communicate between instances that belong to different networks using the internal IP.
Also, as stated in the documentation:
Any communication between instances in different networks, even within the same project, must be through external IP addresses.
As you said, the best way to allow traffic between these networks is setting up a VPN gateway, but this will require having different IP address ranges in those networks, because otherwise the routing of network packets may get confused.

Google Cloud Network Load Balance Security concerns

I'm planning to create a web site that runs on several different machines in Google Cloud Compute, and I'm seriously thinking of using Google's Network Load Balancing. But I have some questions regarding security and usability.
Can my machines have a private IP address with the HTTP port opened? (We don't know when some hacker is trying to get into our servers.)
Will my HTTP response carry the machine's own IP address or the IP of the Network Load Balancer?
Does Google protect the opened port on a Google Cloud Compute machine against SYN and packet flow attacks (like a router)?
You could use the HTTP/S load balancing to do what you want. https://cloud.google.com/compute/docs/load-balancing/http/
See https://cloud.google.com/compute/docs/load-balancing/http/cross-region-example#optional_remove_external_ips_except_for_a_bastion_host for removing external IPs.
Responses will come from the load balanced IP, not your VMs' IPs.
Yes, for some types of malicious traffic, because the load balancing layer is doing full proxying. This means TCP and SSL termination both happen before your VMs.
If your machines have only private IPs (RFC 1918 space) and no external IP, then configuring NLB doesn't make them externally accessible directly on port 80 (if that's what you configure for your service).
Google does handle some level of attacks, but if you are looking at a full-fledged DDoS, then implementing an additional layer on your end helps.
No. It is only possible to have port 80 (HTTP) open if and only if the instance has a public IP address; however, it is possible to limit the machine instances affected with a bastion host.
No. Using the Network Load Balancer will protect the IP address of your machine, but it is possible (in theory) to gather the machine's external IP address with random IP address scans or some flaw in the application.
GCE machine instances have some sort of protection, but they are susceptible to TCP or UDP floods according to SecurityFocus.