Task: Review
You set up virtual private networking (VPN) between two subnets in different regions. This lab required you to perform most of the configuration from the command line. When you configure VPN using the GCP Console, many of the steps are automated. One purpose of this lab is to show you how to configure VPN manually, so that you will better understand what the GCP Console does automatically. This can help in troubleshooting a configuration.
1. Click Open Google Console.
2. Click Use another account and
copy/paste credentials for this lab into the prompts.
If you use other credentials, you'll get errors
or incur charges.
3. Accept the terms and skip the recovery resource
page.
Do not click End Lab unless you
are finished with the lab or want to restart it. This clears your work and
removes the project.
Task 1: Create the networks
Create two custom networks, with
subnets, and start VMs in each.
Create the first network
1. In the GCP Console, on the Navigation menu, click VPC network > VPC networks.
2. Click Create VPC network.
3. Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified)
Name | vpn-network-1
Description | Enter an optional description
Subnet creation mode | Custom
Name | subnet-a
Region | us-central1
IP address range | 10.5.4.0/24
4. Click Create.
Create the second network
For the second network, choose a
different region than the first network.
1. Click Create VPC network.
2. Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified)
Name | vpn-network-2
Description | Enter an optional description
Subnet creation mode | Custom
Name | subnet-b
Region | europe-west1
IP address range | 10.1.3.0/24
3. Click Create.
Click Check my progress to verify the objective: Create the networks.
Task 2: Create the utility VMs
Create the first instance
The first VM is created in the same region as vpn-network-1.
1. On the Navigation menu, click Compute
Engine > VM instances.
2. Click Create.
3. Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified)
Name | server-1
Region | us-central1
Zone | us-central1-b
Machine type | n1-standard-1
4. Click Management, security, disks,
networking, sole tenancy.
5. Click Networking.
6. For Network interfaces, click the
pencil icon to edit.
7. Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified)
Network | vpn-network-1
Subnetwork | subnet-a
8. Click Done.
9. Click Create.
Create the second instance
The second VM is created in the same region as vpn-network-2.
1. In the Console, navigate to Navigation menu > Compute
Engine > VM instances.
2. Click + CREATE INSTANCE.
3. Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified)
Name | server-2
Region | europe-west1
Zone | europe-west1-b
Machine type | n1-standard-1
4. Click Management, security, disks,
networking, sole tenancy.
5. Click Networking.
6. For Network interfaces, click the
pencil icon to edit.
7. Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified)
Network | vpn-network-2
Subnetwork | subnet-b
8. Click Done.
9. Click Create.
Click Check my progress to verify the objective: Create the utility VMs.
Task 3: Create the firewall rules
Allow ICMP and SSH into each network.
Allow traffic to vpn-network-1
1. On the Navigation menu, click VPC
network > Firewall rules.
2. Click Create firewall rule.
3. Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified)
Name | allow-icmp-ssh-network-1
Network | vpn-network-1
Targets | All instances in the network
Source filter | IP ranges
Source IP ranges | 0.0.0.0/0
Protocols and ports | Specified protocols and ports
4. For tcp, specify port 22.
5. For Other protocols, specify the icmp protocol.
Make sure to include the /0 in
the Source IP ranges to specify all networks.
6. Click Create.
Allow traffic to vpn-network-2
1. Click Create firewall rule.
2. Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified)
Name | allow-icmp-ssh-network-2
Network | vpn-network-2
Targets | All instances in the network
Source filter | IP ranges
Source IP ranges | 0.0.0.0/0
Protocols and ports | Specified protocols and ports
3. For tcp, specify port 22.
4. For Other protocols, specify the icmp protocol.
Make sure to include the /0 in
the Source IP ranges to specify all networks.
5. Click Create.
Click Check my progress to verify the objective: Create the firewall rules.
Task 4: Verify network connectivity
You should be able to ping the external
IP of server-2, but not its internal IP.
Test connectivity from server-1 to server-2
1. On the Navigation menu, click Compute
Engine > VM instances.
2. Note the external and internal IP addresses
for server-2.
3. For server-1, click SSH to
launch a terminal and connect.
4. To test connectivity to server-2's external IP, run
the following command, replacing server-2's external IP with the value noted
earlier:
ping -c 3 <Enter server-2's external IP here>
5. To test connectivity to server-2's internal IP, run
the following command, replacing server-2's internal IP with the value noted
earlier:
ping -c 3 <Enter server-2's internal IP here>
You should see 100% packet loss when pinging the
internal IP.
6. Exit the SSH terminal.
Test connectivity from server-2 to server-1
1. Note the external and internal IP addresses
for server-1.
2. For server-2, click SSH to
launch a terminal and connect.
3. To test connectivity to server-1's external IP, run
the following command, replacing server-1's external IP with the value noted
earlier:
ping -c 3 <Enter server-1's external IP here>
4. To test connectivity to server-1's internal IP, run
the following command, replacing server-1's internal IP with the value noted
earlier:
ping -c 3 <Enter server-1's internal IP here>
You should see similar results.
5. Exit the SSH terminal.
Why are we testing both server-1 to server-2 and server-2 to server-1?
For the purposes of this lab, the path from
subnet-a to subnet-b is not the same as the path from subnet-b to subnet-a. You
are using one tunnel to pass traffic in each direction. And if both tunnels are
not established, you won't be able to ping the remote server on its internal
IP. The ping might reach the remote server, but the response can't be returned.
This makes it much easier to debug the lab during
class. In practice, a single tunnel could be used with symmetric configuration.
However, it is more common to have multiple tunnels or multiple gateways and
VPNs for production work, because a single tunnel could be a single point of
failure.
Task 5: Create and prepare the VPN gateways
Create the VPN gateways and do all
the setup work to establish the VPN tunnels. You will be doing this from the
command line using Cloud Shell. Cloud Shell is used instead of the GCP Console
so you can learn about the available options and how they fit together. The GCP
Console conceals much of the complexity.
Create two VPN gateways, one in each region. Create forwarding rules for ESP, UDP:500, and UDP:4500 for each gateway.
Project ID
1. In the GCP Console, on the Navigation menu,
click Home.
2. Note the Project ID; it is referred to as
[PROJECT_ID] in the following steps.
3. Click Activate Cloud Shell. If prompted, click Continue.
4. To verify that gcloud is
configured to [PROJECT_ID], run the following command:
gcloud config list project
If the project ID is undefined or does not match
[PROJECT_ID], update it using
gcloud config set project <Enter PROJECT_ID here>
Set up the VPN for both networks
1. In Cloud Shell, to create the vpn-1 gateway,
run the following command:
gcloud compute target-vpn-gateways \
create vpn-1 \
--network vpn-network-1 \
--region us-central1
2. To create the vpn-2 gateway, run
the following command:
gcloud compute target-vpn-gateways \
create vpn-2 \
--network vpn-network-2 \
--region europe-west1
Reserve a static IP for each network
1. To reserve a Static IP for the vpn-1 gateway,
run the following command:
gcloud compute addresses create --region us-central1 vpn-1-static-ip
2. To view the Static IP for the vpn-1 gateway,
run the following command:
gcloud compute addresses list
3. To store the Static IP for the vpn-1 gateway,
in an environment variable, run the following command, and replace the IP
address with the address from the output of the last command:
export STATIC_IP_VPN_1=<Enter IP address for vpn-1 here>
4. To reserve a Static IP for the vpn-2 gateway,
run the following command:
gcloud compute addresses create --region europe-west1 vpn-2-static-ip
5. To view the Static IP for the vpn-2 gateway,
run the following command:
gcloud compute addresses list
6. To store the Static IP for the vpn-2 gateway,
in an environment variable, run the following command, and replace the IP
address with the address from the output of the last command:
export STATIC_IP_VPN_2=<Enter IP address for vpn-2 here>
Click Check my progress to verify the objective: Create VPN gateways.
Create forwarding rules for both VPN gateways
The forwarding rules direct traffic arriving on the reserved external IP address to the VPN gateway; this is what ties the address and the gateway together. Create three forwarding rules per gateway, one for each protocol the VPN needs (ESP, UDP 500 and UDP 4500).
1. To create ESP forwarding for vpn-1, run
the following command:
gcloud compute \
forwarding-rules create vpn-1-esp \
--region us-central1 \
--ip-protocol ESP \
--address $STATIC_IP_VPN_1 \
--target-vpn-gateway vpn-1
2. To create ESP forwarding for vpn-2, run
the following command:
gcloud compute \
forwarding-rules create vpn-2-esp \
--region europe-west1 \
--ip-protocol ESP \
--address $STATIC_IP_VPN_2 \
--target-vpn-gateway vpn-2
3. To create UDP500 forwarding for vpn-1,
run the following command:
gcloud compute \
forwarding-rules create vpn-1-udp500 \
--region us-central1 \
--ip-protocol UDP \
--ports 500 \
--address $STATIC_IP_VPN_1 \
--target-vpn-gateway vpn-1
4. To create UDP500 forwarding for vpn-2,
run the following command:
gcloud compute \
forwarding-rules create vpn-2-udp500 \
--region europe-west1 \
--ip-protocol UDP \
--ports 500 \
--address $STATIC_IP_VPN_2 \
--target-vpn-gateway vpn-2
5. To create UDP4500 forwarding for vpn-1,
run the following command:
gcloud compute \
forwarding-rules create vpn-1-udp4500 \
--region us-central1 \
--ip-protocol UDP --ports 4500 \
--address $STATIC_IP_VPN_1 \
--target-vpn-gateway vpn-1
6. To create UDP4500 forwarding for vpn-2,
run the following command:
gcloud compute \
forwarding-rules create vpn-2-udp4500 \
--region europe-west1 \
--ip-protocol UDP --ports 4500 \
--address $STATIC_IP_VPN_2 \
--target-vpn-gateway vpn-2
Verify the external IP addresses and VPN gateways
They should be in use by the
forwarding rules you just created.
1. In the GCP Console, on the Navigation menu, click VPC network > External IP addresses.
2. Verify that both regions have an external IP
address reserved and that all three forwarding rules are displayed in the In
use by column.
Alternatively, you can reserve static addresses and
set forwarding rules through this section of the GCP Console.
3. In Cloud Shell, to verify the VPN gateways, run the
following command:
gcloud compute target-vpn-gateways list
You should see the VPN gateways.
Click Check my progress to verify the objective: Create forwarding rules for both VPN gateways.
Task 6: Create tunnels
Create the tunnels between the VPN
gateways. After the tunnels exist, create a static route to enable traffic to
be forwarded into the tunnel. If this is successful, you can ping a local VM in
one location on its internal IP from a VM in a different location.
1. To create the tunnel for traffic from Network-1 to Network-2,
run the following command:
gcloud compute \
vpn-tunnels create tunnel1to2 \
--peer-address $STATIC_IP_VPN_2 \
--region us-central1 \
--ike-version 2 \
--shared-secret gcprocks \
--target-vpn-gateway vpn-1 \
--local-traffic-selector 0.0.0.0/0 \
--remote-traffic-selector 0.0.0.0/0
2. To create the tunnel for traffic from Network-2 to Network-1,
run the following command:
gcloud compute \
vpn-tunnels create tunnel2to1 \
--peer-address $STATIC_IP_VPN_1 \
--region europe-west1 \
--ike-version 2 \
--shared-secret gcprocks \
--target-vpn-gateway vpn-2 \
--local-traffic-selector 0.0.0.0/0 \
--remote-traffic-selector 0.0.0.0/0
3. To verify that the tunnels are created, run the
following command:
gcloud compute vpn-tunnels list
It may take a couple of minutes for the VPNs to
connect to their peers. If the connection fails, it means something was entered
incorrectly in the previous commands. Be very careful about spaces or
copy-paste errors.
At this point, the gateways are connected and
communicating. But there is no method to direct traffic from one subnet to the
other. You must establish static routes.
Click Check my progress to verify the objective: Create tunnels.
Task 7: Create static routes
1. To create a static route from Network-1 to Network-2,
run the following command:
gcloud compute \
routes create route1to2 \
--network vpn-network-1 \
--next-hop-vpn-tunnel tunnel1to2 \
--next-hop-vpn-tunnel-region us-central1 \
--destination-range 10.1.3.0/24
2. To create a static route from Network-2 to Network-1,
run the following command:
gcloud compute \
routes create route2to1 \
--network vpn-network-2 \
--next-hop-vpn-tunnel tunnel2to1 \
--next-hop-vpn-tunnel-region europe-west1 \
--destination-range 10.5.4.0/24
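The gateway, forwarding-rule, tunnel and route commands of Tasks 5 to 7, collected into one parameterised script so that the two directions are always mirror images of each other. This is an added example, not the lab's own code: it assumes the two static IPs have already been reserved and exported as STATIC_IP_VPN_1 and STATIC_IP_VPN_2 (as the lab does), replaces the fixed shared secret gcprocks with a generated one, and the run, plan, gateway_cmds and tunnel_cmds names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab: Tasks 5 to 7 scripted for both sides at once.
# Each side is passed as (number, region, network); the peer address, next-hop
# region and destination range are derived from the other side, so they cannot
# be cross-wired by hand. DRY_RUN=1 prints the gcloud commands instead of
# executing them, which is also how the script can be checked offline.
set -eu

# Constructed values copied from the lab. STATIC_IP_VPN_1/2 are expected in the
# environment, exported after `gcloud compute addresses list` as the lab does.
REGION_1=us-central1;  NET_1=vpn-network-1; SUBNET_1=10.5.4.0/24
REGION_2=europe-west1; NET_2=vpn-network-2; SUBNET_2=10.1.3.0/24

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "gcloud $*"; else gcloud "$@"; fi; }
# One random 32-byte pre-shared key (44 base64 characters) in place of the lab's
# fixed string; both tunnels must be given the same value or IKE will not complete.
new_shared_secret() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Gateway plus its three forwarding rules (ESP, UDP 500, UDP 4500) for one side.
gateway_cmds() {  # args: side-number region network static-ip
  local n=$1 region=$2 net=$3 ip=$4
  run compute target-vpn-gateways create "vpn-$n" --network "$net" --region "$region"
  run compute forwarding-rules create "vpn-$n-esp" --region "$region" \
      --ip-protocol ESP --address "$ip" --target-vpn-gateway "vpn-$n"
  for port in 500 4500; do
    run compute forwarding-rules create "vpn-$n-udp$port" --region "$region" \
        --ip-protocol UDP --ports "$port" --address "$ip" --target-vpn-gateway "vpn-$n"
  done
}

# Tunnel and static route from side $1 towards side $4; the lab needs one per direction.
tunnel_cmds() {  # args: local-n local-region local-net remote-n remote-ip remote-subnet
  local ln=$1 region=$2 net=$3 rn=$4 peer=$5 rsubnet=$6
  run compute vpn-tunnels create "tunnel${ln}to${rn}" --peer-address "$peer" \
      --region "$region" --ike-version 2 --shared-secret "$SHARED_SECRET" \
      --target-vpn-gateway "vpn-$ln" \
      --local-traffic-selector 0.0.0.0/0 --remote-traffic-selector 0.0.0.0/0
  run compute routes create "route${ln}to${rn}" --network "$net" \
      --next-hop-vpn-tunnel "tunnel${ln}to${rn}" \
      --next-hop-vpn-tunnel-region "$region" --destination-range "$rsubnet"
}

# Whole plan: gateways and rules first, then the two tunnels and their routes.
plan() {  # needs STATIC_IP_VPN_1, STATIC_IP_VPN_2 and SHARED_SECRET set
  gateway_cmds 1 "$REGION_1" "$NET_1" "$STATIC_IP_VPN_1"
  gateway_cmds 2 "$REGION_2" "$NET_2" "$STATIC_IP_VPN_2"
  tunnel_cmds 1 "$REGION_1" "$NET_1" 2 "$STATIC_IP_VPN_2" "$SUBNET_2"
  tunnel_cmds 2 "$REGION_2" "$NET_2" 1 "$STATIC_IP_VPN_1" "$SUBNET_1"
}
```

Run it once with DRY_RUN=1 and read the printed commands (in particular that each tunnel's --peer-address is the other side's IP and each route's --destination-range is the other side's subnet) before running it for real with SHARED_SECRET=$(new_shared_secret).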
Click Check my progress to verify the objective: Create static routes.
Task 8: Verify VPN connectivity
Verify server-1 to server-2 connectivity
1. In the GCP Console, on the Navigation menu,
click Compute Engine > VM instances.
2. For server-1, click SSH to
launch a terminal and connect.
3. To test connectivity to server-2's
internal IP, run the following command:
ping -c 3 <insert server-2's internal IP here>
4. Exit the server-1 SSH terminal.
5. For server-2, click SSH to
launch a terminal and connect.
6. To test connectivity to server-1's
internal IP, run the following command:
ping -c 3 <insert server-1's internal IP here>