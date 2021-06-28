



This is the seventh and final post in the series on Google Cloud VMware Engine and Google Cloud Platform. This post describes common network scenarios such as accessing cloud-native services, viewing routing information, VPN connections, DNS caveats, and other useful resources.

Other posts in this series:

The final addition to this example, started in the previous post, is to include cloud-native services. Cloud storage is a simple example and I chose to use cloud storage because it provides an incredible utility. This figure shows the desired configuration.

My goal is to stage a simple static website into a Google Storage bucket and then mount the bucket as a read-only file system on each web server. The bucket is mounted in / var / www / html and replaces the test page staged on each server. You may be thinking, this is crazy. Want to serve a static site directly from Google Storage? !! This is a valid question, and my answer is that this is just an example, not necessarily a best practice. I could have used Google Filestore instead of Google Storage. This shows that there are multiple ways to do many things in the cloud.

The first step is to create a Google Storage bucket. This is done with the following simple Terraform code.

Provider “google” {project = var.project region = var.region zone = var.zone} resource “google_storage_bucket” “melliott-vmw-static-site” {name = “melliott-vmw-static-site” location = “US “force_destroy = true storage_class =” STANDARD “} resource” google_storage_bucket_acl “” melliott-vmw-static-site-acl “{bucket = google_storage_bucket.melliott-vmw-static-site.name role_entity = [ “OWNER:[email protected]” ] }

Then I found an example of a simple static website. I saved this in a bucket and modified it as needed. After staging this, I completed the following steps on each web server to mount the bucket.

Install the Google Cloud SDK (https://cloud.google.com/sdk/docs/install). Install gcsfuse (https://github.com/GoogleCloudPlatform/gcsfuse/blob/master/docs/installing.md). Used to mount a Google Storage bucket on Linux via FUSE Authenticate to Google Cloud withgcloud authapplication-default login. This will provide you with the URL that you need to paste into your browser to complete the authentication. The verification code returned should be pasted into the web server prompt. Delete the existing files in / var / www / html. Mount the bucket as a read-only file system using gcsfuse-oallow_other-oro. [bucket-name] / var / www / html root @ ubuntu: / var / www # gcsfuse -o allow_other -o ro melliott-vmw-static-site / var / www / html 2021/05/04 16: 19: 10.680365 Use of mount points: / var / www / html 2021/05/04 16: 19: 10.686743 GCS connection is open … 2021/05/04 16: 19: 11.037846 The file system “melliott-vmw-static-site” is mounted. … 2021/05/04 16: 19: 11.0426605 The file system has been successfully mounted. root @ ubuntu: / var / www # root @ ubuntu: / var / www # root @ ubuntu: / var / www # ls / var / www / html Asset error image index.htmlLICENSE.MD README.MD

If you mount the bucket and run anlson / var / www / html, you will see that the static website is mounted correctly.

Browseing the public IP in front of the load balancer VIP now shows static websites hosted on Google storage buckets. Pretty fashionable!

Google private access

I have internet access enabled in my Google Cloud VMware Engine environment, so I access native services through an internet gateway. If you don’t want to allow internet access in your environment, you can still access your native services through private Google Access. Much of the GCP documentation for this feature focuses on accessing the Google API from outside your private cloud, but applying these practices to the Google Cloud VMware Engine isn’t too difficult.

Google Private Access is primarily enabled by DNS, but you need to enable this feature for your configured VPC. The domain name used for this service is private.googleapis.comandrestricted.googleapis.com. I was able to resolve both of these from the VM, but the VM is configured to use the resolver in the Google Cloud VMware Engine environment. If you can’t resolve these hostnames, make sure you’re using the DNS resolver that came with your private cloud. These server addresses are under the private cloud DNS server on the private cloud overview page. Learn more about Google Private Access.

Knowing the location of the routing table can be very helpful when troubleshooting connectivity issues. There are several places to look at GCP and Google Cloud VMware Engine to find this information.

VPC route

To view the route of your VPC in the GCP portal, browse to your VPC network, click on the desired VPC, and then[ルート]Click the tab. If you are using VPC peering, you will see the message “This VPC network is configured to import custom routes using VPC network peering.” Imported custom dynamic routes are omitted from this list and some route conflicts may not be resolved. See the VPC Network Peering section for a complete list of imported custom routes. See Routing Order for information on how GCP resolves conflicts. Basically, this message indicates that you don’t see the private cloud root in this table.

VPC network peering route

To find the root of your Google Cloud VMware Engine environment, browse to your VPC Network Peering and select the service networking-googleapis-com entry for your VPC.[インポートされたルート]The route of the private cloud is displayed under[エクスポートされたルート]Below you will see the subnets in your VPC. You can also use gcloudtool to view these routes.

View imported routes: gcloudcomputenetworks Peering list -routesservicenetworking-googleapis-com –network =[VPC Name] –region =[REGION]]–direction = INCOMING View exported routes: gcloud Compute Network Peering List-Routes servicenetworking-googleapis-com –network =[VPC Name] –region =[REGION]]–direction = OUTGOING

Example result:

melliott @ melliott-a01 gcp-bucket% gcloud Computation Network Peering List-Root servicenetworking-googleapis-com –network = gcve-usw2 –region = us-west2 –direction = INCOMING DEST_RANGE TYPE NEXT_HOP_REGION PRIORITY STATUS 192.168.80.0/29 DYNAMIC_PEERING_ROUTE us-west20 Accepted 192.168.80.0/29 DYNAMIC_PEERING_ROUTE us-west20 Accepted 192.168.80.16/29 DYNAMIC_PEERING_ROUTE us-west20 Accepted 192.168.80.16/29 DYNAMIC_PEERING_ROUTE us-west20 Accepted 192.168.80.8/29DY 192.168.8. west20 accepted 192.168.80.112/28 DYNAMIC_PEERING_ROUTE us-west20 accepted 192.168.80.112/28 DYNAMIC_PEERING_ROUTE us-west20 accepted 10.30.28.0/24 DYNAMIC_PEERING_ROUTE us-west20 accepted 10.30.28.0 us-west20 accepted 192.168.81.0/24 DYNAMIC_PEERING_ROUTE us-west20 accepted 24DYNAMIC_PEERING_ROUTE us-west20 accepted 192.168.83.0/24 DYNAMIC_PEERING_ROUTE us-west20 accepted 192.168.83.0/24 DYNAMIC_ PEERING_ROUTE us-west20 accepted NSX-T

The routing and forwarding tables can be downloaded through the NSX-T Manager web interface or API. It’s also pretty easy to get the routing table using PowerCLI. The following example displays the routing table from a T0 router in a Google Cloud VMware Engine environment.

Import-Module VMware.PowerCLI Connect-NsxtServer -Server my-nsxt-manager.gve.goog $ t0s = Get-NsxtPolicyService -Name com.vmware.nsx_policy.infra.tier0s $ t0_name = $ t0s.list (). results.display_name $ t0.list ($ t0_name) .results.route_entries | Select-Object network, next_hop, route_type | Sort-Object -Property network network next_hop route_type ——- ——— ——— 0.0.0.0/0 192.168.81.225 t0s 0.0.0.0/0192.168. 81.241 t0s 10.30.28.0 / 24 169.254.160.3 t1c 10.30.28.0 / 24 169.254.160.3 t1c 169.254.0.0/24 t0c 169.254.160.0 / 31 t0c 169.254.160.0 / 31 t0c 169.254.160.2 / 31 t0c 169.254.160.2 / 31 t0c 192.168.81.224/28 t0c 192.168.81.240/28 t0c 192.168.83.0/24 169.254.160.1 t1c 192.168.83.0/24 169.254.160.1 t1c

We didn’t talk much about VPNs in this blog series, but VPNs are an important component that deserves more attention. If you’re waiting to install a cloud interconnect, you can easily connect to your private cloud by provisioning a VPN on Google Cloud Platform. It can also be used as a backup connection in the event of a primary connection failure. NSX-T can terminate IPSec VPN, but we recommend using CloudVPN instead. This ensures that you can connect to Google Cloud Platform-based resources with Google Cloud VMware Engine.

Here are some examples of Terraform code for provisioning VPN-related resources needed by GCP. Sample code can be found in the gcve-ha-vpn subdirectory of https://github.com/shamsway/gcp-terraform-examples. This example creates the minimum configuration required to launch VPN to Google Cloud Platform / Google Cloud VMware Engine. It is assumed that you have already created a VPC and configured peering with your private cloud. This example does not create a redundant VPN solution, but it can be easily extended by creating secondary cloud routers, interfaces, and BGP peers. For more information on HA VPN topology, see the GCP documentation. Even after using the sample code, you still need to configure the VPN settings on your site. Google provides configuration examples from several different vendors for using third-party VPNs with CloudVPN. I’ve written about VPNs and other connection methods for cloud connections earlier in Cloud Connection 101.

I finally saved the most important topics. Since DNS is an important component of operating in the cloud, here are some tips and recommendations to ensure success. Cloud DNS has a 100% uptime SLA, which is less common. This service is so important to GCP that Google basically guarantees it’s always available. This is the type of guarantee that provides peace of mind, especially if many other services and applications rely on it.

For Google Cloud VMware Engine, you need to be able to properly resolve the hostname of vCenter, NSX, HCX, and other applications deployed in your environment. These topics are explained in detail at the following links.

The basic points are as follows. A DNS server running in a GoogleCloud VMware Engine environment can resolve A records for management applications running in a private cloud (vCenter, NSX, HCX, etc.). If you have configured VPC peering with your private cloud, Cloud DNS will automatically configure the forwarding of requests to the Google Cloud VMware Engine DNS server with any gve.goog host name. This will allow you to resolve A records from your VPC or bastion host. The final step is to make sure that you can properly resolve Google Cloud VMware Engine related hostnames in your local environment. If you’re using Windows Server for DNS, you’ll need to configure a conditional forwarder for gve.goog with a DNS server running on Google Cloud VMware Engine. Other scenarios, such as configuring BIND, are described in the documentation links above.

This is a nuisance to post, so don’t waste too many words here. Have you enjoyed this blog series? There is no doubt that there will be more Google Cloud VMware Engine related blogs in the future. Please contact @ NetworkBrouhahaha at any time and tell us what topics you would like us to cover. thank you for reading!

The Google Cloud VMware Engine Hands-on Labs can be found at https://labs.hol.vmware.com/ and can search for HOL-2179-01-ISM.

