Creating a VPC Network with Custom Subnets and Firewall Rules in Google Cloud

Introduction

This tutorial will guide you through the process of creating a Virtual Private Cloud (VPC) network in Google Cloud with two custom subnets. We’ll then deploy virtual machines (VMs) into each subnet and configure firewall rules to allow bidirectional ping (ICMP) communication between the VMs. This setup is useful for testing network connectivity and understanding basic Google Cloud networking concepts. We will attempt to use Free Tier eligible resources to minimize cost.

Prerequisites:

  • A Google Cloud account with billing enabled.
  • The Google Cloud SDK (gcloud CLI) installed and configured.

Task 1: Setting up the Environment

Before we begin, ensure you have the gcloud CLI configured and authenticated.

  1. Authenticate with Google Cloud:

    ```bash
    gcloud auth login
    ```

    This command opens a browser window asking you to authenticate with your Google account.

  2. Set the project:

    ```bash
    gcloud config set project YOUR_PROJECT_ID
    ```

    Replace YOUR_PROJECT_ID with your actual Google Cloud project ID; using the wrong ID leads to unexpected errors in the later steps.

  3. Set the default compute region and zone (optional, but recommended):

    ```bash
    gcloud config set compute/region us-central1
    gcloud config set compute/zone us-central1-a
    ```

    Choose a region and zone that support Free Tier resources if you want to minimize costs; us-central1 is often a good choice.

Task 2: Creating the VPC Network

We’ll now create the VPC network.

  1. Create the VPC network named my-vpc-network:

    ```bash
    gcloud compute networks create my-vpc-network --subnet-mode custom
    ```

    The --subnet-mode custom flag indicates that we will create the subnets ourselves instead of letting auto mode create them.

Task 3: Creating the Subnets

Next, we’ll create two custom subnets within the VPC network.

  1. Create the first subnet, subnet-a, in the us-central1 region with a CIDR block of 10.10.10.0/24:

    ```bash
    gcloud compute networks subnets create subnet-a \
        --network my-vpc-network \
        --region us-central1 \
        --range 10.10.10.0/24
    ```

  2. Create the second subnet, subnet-b, in the us-central1 region with a CIDR block of 10.10.20.0/24:

    ```bash
    gcloud compute networks subnets create subnet-b \
        --network my-vpc-network \
        --region us-central1 \
        --range 10.10.20.0/24
    ```

Task 4: Creating the Virtual Machines

Now, let’s create two virtual machines, one in each subnet. We’ll use the f1-micro machine type to stay within the Free Tier limits, where available.

  1. Create VM vm-a in subnet-a:

    ```bash
    gcloud compute instances create vm-a \
        --network-interface subnet=subnet-a,no-address \
        --machine-type f1-micro \
        --zone us-central1-a \
        --image-family debian-11 \
        --image-project debian-cloud \
        --boot-disk-size 10GB
    ```

    The no-address option on the network interface prevents the VM from being assigned an external IP address, so it is not directly reachable from the internet.

  2. Create VM vm-b in subnet-b:

    ```bash
    gcloud compute instances create vm-b \
        --network-interface subnet=subnet-b,no-address \
        --machine-type f1-micro \
        --zone us-central1-a \
        --image-family debian-11 \
        --image-project debian-cloud \
        --boot-disk-size 10GB
    ```

Task 5: Creating Firewall Rules

To allow ping (ICMP) communication between the VMs, we need to create a firewall rule.

  1. Create a firewall rule named allow-icmp that allows ingress ICMP traffic from the 10.10.0.0/16 range (which encompasses both subnets) to all VMs in my-vpc-network. Because no target tags are given, the rule applies to every instance in the network:

    ```bash
    gcloud compute firewall-rules create allow-icmp \
        --network my-vpc-network \
        --allow icmp \
        --source-ranges 10.10.0.0/16
    ```
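
The allow-icmp rule is scoped by source range rather than opened to the world, and that scoping is worth re-checking once rules accumulate. The Python audit below is added here and is not part of the tutorial: it parses the JSON that `gcloud compute firewall-rules list --format=json` returns (a constructed sample stands in for a live project) and flags enabled ingress allow rules whose source ranges reach beyond the VPC's own subnets; the project name and the rule names other than allow-icmp are invented for the sample.

```python
import ipaddress
import json

# Constructed sample in the shape `gcloud compute firewall-rules list --format=json`
# returns (field names follow the Compute API). allow-icmp mirrors the tutorial's
# rule; the other two rules and the project name are invented for contrast.
SAMPLE_RULES_JSON = """[
  {"name": "allow-icmp", "direction": "INGRESS", "disabled": false,
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/my-vpc-network",
   "sourceRanges": ["10.10.0.0/16"], "allowed": [{"IPProtocol": "icmp"}]},
  {"name": "allow-icmp-from-anywhere", "direction": "INGRESS", "disabled": false,
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/my-vpc-network",
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
  {"name": "allow-icmp-subnets", "direction": "INGRESS", "disabled": false,
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/my-vpc-network",
   "sourceRanges": ["10.10.10.0/24", "10.10.20.0/24"], "allowed": [{"IPProtocol": "icmp"}]}
]"""

# The subnets that actually exist in my-vpc-network (from Task 3).
VPC_SUBNETS = [ipaddress.ip_network("10.10.10.0/24"),
               ipaddress.ip_network("10.10.20.0/24")]


def audit_ingress_allow_rules(rules_json, network, subnets):
    """Return (rule name, finding) pairs for enabled ingress allow rules on `network`
    whose source ranges admit more than the VPC's own subnets."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue  # egress and disabled rules do not expose instances
        if not rule.get("network", "").endswith("/networks/" + network):
            continue  # rule belongs to another VPC
        if "allowed" not in rule:
            continue  # deny rules never widen exposure
        # sourceRanges is absent when a rule is keyed on source tags instead.
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src, strict=False)
            if net.prefixlen == 0:
                findings.append((rule["name"], f"{src} admits traffic from anywhere"))
            elif not any(net.subnet_of(s) for s in subnets):
                findings.append((rule["name"], f"{src} is wider than any subnet in {network}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_ingress_allow_rules(SAMPLE_RULES_JSON, "my-vpc-network", VPC_SUBNETS):
        print(f"{name}: {finding}")
```

The tutorial's /16 is reported as wider than the two subnets it needs to cover; the same rule passes the check when created with --source-ranges 10.10.10.0/24,10.10.20.0/24.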

Task 6: Testing Connectivity

To test connectivity, SSH into each VM and ping the other. Note that a custom VPC starts with only the implied rules (deny all ingress, allow all egress), so the SSH sessions below also need a firewall rule permitting ingress TCP port 22 from wherever you connect; the allow-icmp rule alone does not cover that.

  1. Get the internal IP address of vm-a:

    ```bash
    gcloud compute instances describe vm-a --zone us-central1-a | grep networkIP
    ```

    The output will look similar to:

    ```text
    networkIP: 10.10.10.3
    ```

  2. Get the internal IP address of vm-b:

    ```bash
    gcloud compute instances describe vm-b --zone us-central1-a | grep networkIP
    ```

    The output will look similar to:

    ```text
    networkIP: 10.10.20.3
    ```

  3. SSH into vm-a:

    ```bash
    gcloud compute ssh vm-a --zone us-central1-a --quiet
    ```

    The --quiet flag disables gcloud's interactive prompts and accepts the defaults instead (for example, when an SSH key is generated on first use).
  4. Ping vm-b from vm-a using its internal IP address:

    ```bash
    ping -c 3 10.10.20.3
    ```

    ```text
    PING 10.10.20.3 (10.10.20.3) 56(84) bytes of data.
    64 bytes from 10.10.20.3: icmp_seq=1 ttl=63 time=0.454 ms
    64 bytes from 10.10.20.3: icmp_seq=2 ttl=63 time=0.352 ms
    64 bytes from 10.10.20.3: icmp_seq=3 ttl=63 time=0.349 ms

    --- 10.10.20.3 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2053ms
    rtt min/avg/max/mdev = 0.349/0.385/0.454/0.050 ms
    ```

  5. Exit the SSH session to vm-a:

    ```bash
    exit
    ```

  6. SSH into vm-b:

    ```bash
    gcloud compute ssh vm-b --zone us-central1-a --quiet
    ```

  7. Ping vm-a from vm-b using its internal IP address:

    ```bash
    ping -c 3 10.10.10.3
    ```

    ```text
    PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
    64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=0.402 ms
    64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=0.349 ms
    64 bytes from 10.10.10.3: icmp_seq=3 ttl=63 time=0.344 ms

    --- 10.10.10.3 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2047ms
    rtt min/avg/max/mdev = 0.344/0.365/0.402/0.028 ms
    ```

  8. Exit the SSH session to vm-b:

    ```bash
    exit
    ```

Task 7: Cleaning Up

To avoid incurring unnecessary costs, delete the resources created in this tutorial.

  1. Delete the firewall rule:

    ```bash
    gcloud compute firewall-rules delete allow-icmp
    ```

  2. Delete the VMs:

    ```bash
    gcloud compute instances delete vm-a vm-b --zone us-central1-a
    ```

  3. Delete the subnets:

    ```bash
    gcloud compute networks subnets delete subnet-a --region us-central1
    gcloud compute networks subnets delete subnet-b --region us-central1
    ```

  4. Delete the VPC network:

    ```bash
    gcloud compute networks delete my-vpc-network
    ```

Congratulations

You have successfully created a VPC network with two custom subnets, deployed VMs into each subnet, and configured firewall rules to allow bidirectional ping communication. You also learned how to clean up these resources to avoid unnecessary costs. This hands-on experience will help you understand the fundamental networking concepts in Google Cloud.