Shared VPC and VPC peering
In the simplest cloud environment, a single project might have one VPC network, spanning many regions, with VM instances hosting very large and complicated applications. However, many organizations commonly deploy multiple, isolated projects with multiple VPC networks and subnets.
Shared VPC lets you share a network across several projects in your Google Cloud organization. VPC Network Peering lets you configure private communication across projects in the same or different organizations.
Shared VPC
Shared VPC lets an organization connect resources from multiple projects to a common VPC network. This lets the resources communicate with each other securely and efficiently using internal IP addresses from that network.
When you use Shared VPC, you designate one project as the host project and attach one or more other service projects to it. In the diagram, the Web Application Server's project is the host project, and the three other projects are the service projects. The overall VPC network is called the shared VPC network.
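The host/service project layout described above, expressed as an added Terraform example (this is not configuration from the original post; the project IDs, network and subnet names, the 10.10.0.0/24 range and the service-account address are placeholders). It also shows the least-privilege step the text does not mention: service-project identities get `roles/compute.networkUser` on the one subnet they need rather than on the whole host project, and the shared network carries an explicit allow rule instead of a broad ingress rule.

```hcl
# Added example (not from the original post): wiring a Shared VPC host project
# and three service projects with the Terraform google provider.
# All project IDs, names, ranges and the service-account address are placeholders.

provider "google" {
  project = "host-project-id" # placeholder host project
  region  = "us-central1"
}

# The shared VPC network and its subnets live in the host project.
resource "google_compute_network" "shared" {
  name                    = "shared-vpc"
  auto_create_subnetworks = false # define subnets explicitly, no auto-mode /20s
}

resource "google_compute_subnetwork" "web" {
  name                     = "web-subnet"
  network                  = google_compute_network.shared.id
  ip_cidr_range            = "10.10.0.0/24" # placeholder range
  region                   = "us-central1"
  private_ip_google_access = true # reach Google APIs without external IPs
}

# Mark the host project, then attach each service project to it.
resource "google_compute_shared_vpc_host_project" "host" {
  project = "host-project-id" # placeholder
}

resource "google_compute_shared_vpc_service_project" "svc" {
  for_each        = toset(["service-project-a", "service-project-b", "service-project-c"]) # placeholders
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.key
}

# Grant the service project's workload identity use of one subnet only,
# instead of networkUser on the entire host project.
resource "google_compute_subnetwork_iam_member" "svc_a_web_user" {
  project    = "host-project-id" # placeholder
  region     = google_compute_subnetwork.web.region
  subnetwork = google_compute_subnetwork.web.name
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:web-sa@service-project-a.iam.gserviceaccount.com" # placeholder
}

# Firewall rules are defined once, in the host project, for every attached service project.
# Allow only HTTPS from within the subnet to instances tagged "web"; everything else
# falls through to the implied deny-ingress rule.
resource "google_compute_firewall" "allow_internal_https" {
  name          = "allow-internal-https"
  network       = google_compute_network.shared.name
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.web.ip_cidr_range]
  target_tags   = ["web"]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

Applying this requires `roles/compute.xpnAdmin` on the organization (or folder) for the identity running Terraform; after `terraform apply`, `gcloud compute shared-vpc list-associated-resources host-project-id` lists the three attached service projects.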
VPC Network Peering
VPC Network Peering, in contrast, allows private RFC 1918 connectivity across two VPC networks, regardless of whether they belong to the same project or the same organization. Each VPC network will have firewall rules that define what traffic is allowed or denied between the networks.
For example, in the diagram there are two organizations that represent a consumer and a producer, respectively. Each organization has its own organization node, VPC network, VM instances, Network Admin, and Instance Admin. In order for VPC Network Peering to be established successfully, the Producer Network Admin needs to peer the Producer Network with the Consumer Network, and the Consumer Network Admin needs to peer the Consumer Network with the Producer Network. When both peering connections are created, the VPC Network Peering session becomes Active and routes are exchanged. This lets the virtual machine instances communicate privately using their internal IP addresses.
VPC Network Peering is a decentralized, or distributed, approach to multi-project networking: each VPC network can remain under the control of a separate administrator group and keeps its own global firewall rules and routing tables. Historically, projects in this situation would have used external IP addresses or VPNs for private communication between VPC networks. VPC Network Peering avoids the network latency, security, and cost drawbacks that come with external IP addresses or VPNs.
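The two-sided peering described above, as an added Terraform example (not configuration from the original post; the consumer and producer project IDs, network names and the 10.20.0.0/24 and 10.30.0.0/24 ranges are placeholders). Each side creates its own `google_compute_network_peering` resource, and each side keeps its own firewall rules, so the producer only admits the specific traffic it expects from the consumer range rather than everything the peering makes routable.

```hcl
# Added example (not from the original post): VPC Network Peering between a
# consumer and a producer network in two different projects. Both sides must
# create their half of the peering before the state becomes ACTIVE.
# Project IDs, network names and ranges are placeholders.

provider "google" {
  alias   = "consumer"
  project = "consumer-project-id" # placeholder
  region  = "us-central1"
}

provider "google" {
  alias   = "producer"
  project = "producer-project-id" # placeholder
  region  = "us-central1"
}

resource "google_compute_network" "consumer" {
  provider                = google.consumer
  name                    = "consumer-net"
  auto_create_subnetworks = false
}

# Peered networks must not have overlapping subnet ranges, so the two sides
# are planned from disjoint blocks.
resource "google_compute_subnetwork" "consumer" {
  provider      = google.consumer
  name          = "consumer-subnet"
  network       = google_compute_network.consumer.id
  ip_cidr_range = "10.20.0.0/24" # placeholder
  region        = "us-central1"
}

resource "google_compute_network" "producer" {
  provider                = google.producer
  name                    = "producer-net"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "producer" {
  provider      = google.producer
  name          = "producer-subnet"
  network       = google_compute_network.producer.id
  ip_cidr_range = "10.30.0.0/24" # placeholder
  region        = "us-central1"
}

# Consumer side of the peering, created by the Consumer Network Admin.
resource "google_compute_network_peering" "consumer_to_producer" {
  provider     = google.consumer
  name         = "to-producer"
  network      = google_compute_network.consumer.self_link
  peer_network = google_compute_network.producer.self_link
}

# Producer side, created by the Producer Network Admin. Until this exists the
# consumer's peering stays INACTIVE and no routes are exchanged.
resource "google_compute_network_peering" "producer_to_consumer" {
  provider     = google.producer
  name         = "to-consumer"
  network      = google_compute_network.producer.self_link
  peer_network = google_compute_network.consumer.self_link
  depends_on   = [google_compute_network_peering.consumer_to_producer] # peerings must be created one at a time
}

# Peering exchanges routes, not firewall rules: the producer still decides what
# it accepts. Admit only HTTPS from the consumer subnet to tagged instances.
resource "google_compute_firewall" "producer_allow_consumer_https" {
  provider      = google.producer
  name          = "allow-consumer-https"
  network       = google_compute_network.producer.name
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.consumer.ip_cidr_range]
  target_tags   = ["api"]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

After `terraform apply` on both sides, `gcloud compute networks peerings list --network=producer-net --project=producer-project-id` should show the peering with `STATE` `ACTIVE`; if only one side has applied, it shows `INACTIVE` and instances cannot yet reach each other by internal IP.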