We know what a "network" is. It is when we connect computers together, wired or wirelessly. For example, our home Wi-Fi network, or a bunch of servers connected using a switch and Ethernet cables.
A VPC network is similar, but instead of being a physical network, it is a logical one. So, a VPC is a virtual network created inside Google's infrastructure using Andromeda. Andromeda is Google's software-defined network; we are not going to discuss it now.
Google VPCs are global, meaning we can have two machines in different regions in the same VPC network.
By default, when we create a GCP project, a `default` network is created. So we are already using a VPC network. By default, all the new VMs we create are part of this `default` network.
Check out this diagram by GCP: HERE
Even then, why do we need a VPC network?
Let's say we have a VPC network called `production`, and it contains all the VMs that are powering our production infrastructure.
- All the VMs can talk to each other through this private network, without going through the internet
- We can restrict VMs' internet access; maybe a few servers don't need internet access at all.
- Since this is a private network, bandwidth costs are much lower
- Performance is also a lot better than going through the internet
- We have fine-grained control over which machine can connect to which, using firewall rules
- We can use internal load balancers.
By default in a new network, nothing can connect to anything else. We need firewall rules to make that happen.
In GCP we can add a network tag to each instance, and use those tags to build firewall rules.
Consider this setup. If we add the tag `nginx-proxy` to Nginx, `webapp` to web app 1 and 2, and `database` to the database server.
Now we can create firewall rules saying:
- allow `nginx-proxy` to talk to `webapp` on port `80` over protocol `tcp`
- allow `webapp` to talk to `database` on port `3306` over protocol `tcp`
We can use source and target tags for firewall rules, but this is only applicable to internal traffic: a source tag only matches traffic coming from VMs inside the VPC. It does not work for external traffic (for that, rules match on source IP ranges instead).
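To see how the tag-based rules above actually decide whether a packet gets through, here is an added toy model of the evaluation (my own example, not code from the page or from Google): the fleet, internal IPs and the extra `allow-internet-to-proxy` rule with a source IP range are all constructed assumptions, and the implied "deny all ingress" rule is modelled by returning `False` when nothing matches.

```python
"""Toy model of GCP VPC firewall evaluation for the nginx/webapp/database setup."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Instance:
    name: str
    internal_ip: str
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    target_tags: set          # which instances the rule applies to
    protocol: str
    port: int
    source_tags: set = field(default_factory=set)     # only match VMs in the VPC
    source_ranges: list = field(default_factory=list)  # match any IP, incl. external


# Constructed sample fleet mirroring the page's setup (IPs are made up)
INSTANCES = {
    "nginx": Instance("nginx", "10.128.0.2", {"nginx-proxy"}),
    "webapp-1": Instance("webapp-1", "10.128.0.3", {"webapp"}),
    "webapp-2": Instance("webapp-2", "10.128.0.4", {"webapp"}),
    "db": Instance("db", "10.128.0.5", {"database"}),
}

RULES = [
    Rule("allow-proxy-to-webapp", {"webapp"}, "tcp", 80, source_tags={"nginx-proxy"}),
    Rule("allow-webapp-to-db", {"database"}, "tcp", 3306, source_tags={"webapp"}),
    # Assumed extra rule: external clients can only be matched by IP range, never by tag
    Rule("allow-internet-to-proxy", {"nginx-proxy"}, "tcp", 443, source_ranges=["0.0.0.0/0"]),
]


def is_allowed(src_ip, dst_name, protocol, port, rules=RULES, instances=INSTANCES):
    """Return True if ingress to dst_name is allowed; implied rule is deny ingress."""
    dst = instances[dst_name]
    # A source tag can only match if the source IP belongs to a VM in this VPC
    src_vm = next((i for i in instances.values() if i.internal_ip == src_ip), None)
    for r in rules:
        if r.protocol != protocol or r.port != port or not (r.target_tags & dst.tags):
            continue
        if src_vm is not None and (r.source_tags & src_vm.tags):
            return True
        if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in r.source_ranges):
            return True
    return False
```

Note that the proxy cannot reach the database directly and an external client cannot reach the web apps, even though the tag rules exist, because nothing matches and the implied deny wins.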