In Which of the Following Applications Can a Virtual Ip Address Be Used? [choose All That Apply].

Google Cloud alias IP ranges let you assign ranges of internal IP addresses as aliases to a virtual machine's (VM) network interfaces. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address. Alias IP ranges also work with GKE Pods.

Overview

If you have only one service running on a VM, you can reference it using the interface's primary IP address. If you have multiple services running on a VM, you may want to assign each one a different internal IP address. You can do this with alias IP ranges.

Subnet primary and secondary CIDR ranges

All subnets have a primary CIDR range, which is the range of internal IP addresses that define the subnet. Each VM instance gets its primary internal IP address from this range. You can also allocate alias IP ranges from that primary range, or you can add a secondary range to the subnet and allocate alias IP ranges from the secondary range. Use of alias IP ranges does not require secondary subnet ranges. These secondary subnet ranges merely provide an organizational tool.

Alias IP ranges defined in a VM network interface

Using IP aliasing, you can configure multiple internal IP addresses, representing containers or applications hosted in a VM, without having to define a separate network interface. You can assign VM alias IP ranges from either the subnet's primary or secondary ranges.

Configuring alias IP ranges describes commands for setting up a subnet with secondary ranges and for assigning alias IP addresses to VMs.

The following diagram provides a basic illustration of primary and secondary CIDR ranges and VM alias IP ranges on the VM's primary interface:

Figure: Primary and secondary CIDR ranges and VM alias IP ranges
  • A primary CIDR range 10.1.0.0/16 is configured as part of a subnet.
  • A secondary CIDR range 10.2.0.0/20 is configured as part of a subnet.
  • The VM primary IP 10.1.0.2 is allocated from the primary CIDR range, 10.1.0.0/16, while an alias IP range, 10.2.1.0/24, is allocated in the VM from the secondary CIDR range, 10.2.0.0/20.
  • The addresses in the alias IP range are used as the IP addresses of the containers hosted in the VM.

Key benefits of alias IP ranges

When alias IP ranges are configured, Google Cloud automatically installs Virtual Private Cloud (VPC) network routes for primary and alias IP ranges for the subnet of the primary network interface. Your container orchestrator does not need to specify VPC network connectivity for these routes. This simplifies routing traffic and managing your containers. You do need to perform in-guest configuration as described in Alias IP ranges key properties.

When container IP addresses are allocated by Google Cloud, validation processes in Google Cloud ensure that container pod IP addresses do not conflict with VM IP addresses.

When alias IP addresses are configured, anti-spoofing checks are performed against traffic, ensuring that traffic exiting VMs uses VM IP addresses and pod IP addresses as source addresses. The anti-spoofing checks verify that VMs do not send traffic with arbitrary source IP addresses. Use of static routes for container networking would be a less secure approach compared to IP aliasing because it would require anti-spoofing checks to be disabled on container host VMs (anti-spoofing checks are disabled when IP forwarding is enabled).

Alias IP ranges are routable within the Google Cloud virtual network without requiring additional routes. You do not have to add a route for every IP alias and you do not have to take route quotas into account.

Alias IP addresses can be announced by Cloud Router to an on-premises network connected via VPN or Interconnect.

There are advantages to allocating alias IP ranges from a secondary CIDR range. By allocating from a range separate from the range used for primary IP addresses, you can separate infrastructure (VMs) from services (containers). When you configure separate address spaces for infrastructure and services, you can set up firewall controls for VM alias IP addresses separately from the firewall controls for a VM's primary IP addresses. For example, you can allow certain traffic for container pods and deny similar traffic for the VM's primary IP address.

Container architecture in Google Cloud

Consider a scenario in which you want to configure containerized services on top of Google Cloud. You need to create the VMs that will host the services, and, additionally, the containers.

In this scenario, you want to route traffic from and to the containers to and from on-premises locations that are connected through a VPN. However, you don't want the primary VM IP addresses to be reachable through the VPN. To create this configuration, the container IP range needs to be routable through the VPN, but not the VM primary IP range. At VM creation time, you also want to automatically assign a pool of IP addresses that are used for the container.

To create this configuration, do the following:

  • When you create the subnet, you configure
    • One primary CIDR range, for example, 10.128.0.0/16
    • One secondary CIDR range, for example, 172.16.0.0/16
  • Use an instance template to create VMs and automatically assign each the following:
    • A primary IP from the 10.128.0.0/16 range
    • An alias range /24 from the secondary CIDR 172.16.0.0/16 space, so that you can assign each container on a VM an IP from the /24 secondary CIDR range
  • Create two firewall rules.
    • One rule that denies traffic traveling across the VPN from on-premises from reaching the subnet primary CIDR range.
    • One rule that allows traffic traveling across the VPN from on-premises to reach the subnet secondary CIDR range.

Example: Configuring containers with alias IP ranges

Using alias IP ranges, container IP addresses can be allocated from a secondary CIDR range and configured as alias IP addresses in the VM that is hosting the container.

Figure: Configuring containers with alias IP addresses

To create the configuration illustrated above:

  1. Create a subnet with a CIDR range 10.128.0.0/16, from which VM IP addresses are allocated, and a secondary CIDR range 172.16.0.0/20 for the containers' exclusive use, which will be configured as alias IP ranges in the VM that is hosting them:

     gcloud compute networks subnets create subnet-a \
         --network network-a \
         --range 10.128.0.0/16 \
         --secondary-range container-range=172.16.0.0/20

  2. Create VMs with a primary IP from range 10.128.0.0/16 and an alias IP range 172.16.0.0/24 from the secondary CIDR range 172.16.0.0/20 for the containers in that VM to use:

     gcloud compute instances create vm1 [...] \
         --network-interface subnet=subnet-a,aliases=container-range:172.16.0.0/24
     gcloud compute instances create vm2 [...] \
         --network-interface subnet=subnet-a,aliases=container-range:172.16.1.0/24

  3. Container IP addresses are configured in Google Cloud as alias IP addresses. In this setup, both primary and alias IPs will be reachable through the VPN tunnel. If Cloud Router is configured, it will automatically advertise the secondary subnet range 172.16.0.0/20. For more information on using VPN with Cloud Router, see Creating a VPN tunnel using dynamic routing.

Refer to Configuring alias IP addresses and ranges for more information on the commands used to create this configuration.

Example: Several alias IP ranges configured in a single VM instance

Alias IP ranges allow you to manage IP allocation for applications running within VMs, including with containers.

You may have a deployment in which some containers are migratable across VMs and some are not. The migratable containers can be configured using /32 ranges, making it easy to migrate them individually. The non-migratable containers can be configured using a larger range, since they will stay together.

In these types of deployments, you might require more than one alias IP range per VM instance, for example a /27 for non-migratable containers and several /32s for migratable containers.

Figure: Configuring VMs with multiple alias IP ranges

In order to configure this example, use the following gcloud commands:

gcloud compute networks create vpc1 --subnet-mode custom
gcloud compute networks subnets create subnet1 --region us-central1 --network vpc1 --range 10.128.0.0/16 --secondary-range secondaryrange1=172.16.0.0/20
gcloud compute instances create vm1 --zone us-central1-a --network-interface "subnet=subnet1,aliases=secondaryrange1:172.16.0.0/27;secondaryrange1:172.16.1.0/32"
gcloud compute instances create vm2 --zone us-central1-a --network-interface "subnet=subnet1,aliases=secondaryrange1:172.16.0.32/27;secondaryrange1:172.16.1.1/32"

Alias IP addresses in auto mode VPC networks and subnets

In auto mode VPC networks, a subnet exists in each region. These automatically created subnets each have a primary CIDR range, but no secondary range. To use alias IP with an auto mode VPC network, you can allocate alias IP ranges from the automatically created subnet's primary CIDR range or add a secondary range to the automatically created subnet and allocate alias IP ranges from the new secondary range.

Alternatively, you can create a new subnet with secondary ranges in the auto mode VPC network as long as none of its ranges overlap with 10.128.0.0/9. You can then create VM instances in the new subnet and allocate alias IP ranges from any range on that subnet.

See Adding secondary CIDR ranges to an existing subnet if you want to add secondary ranges to your subnet.

Alias IP addresses in custom mode networks and subnets

In custom mode networks:

  • All of the subnets are created manually.
  • One primary CIDR range is mandatory.
  • You can optionally create secondary CIDR ranges.

Alias IP ranges key properties

The following properties apply to alias IP ranges configured in VMs:

  • From the VM OS perspective, the primary IP address and the default gateway are typically allocated using DHCP. Alias IP addresses can be configured in the VM OS, which is typically Linux or Windows, manually or by using scripts.
  • The primary IP address and the alias IP range of the interface must be allocated from CIDR ranges configured as part of the same subnet. Note the following requirements:
    • The primary IP address must be allocated from the CIDR primary range.
    • The alias IP range can be allocated either from the primary CIDR range or from a secondary CIDR range of that same subnet.
    • For a VM network interface, the alias IP must be from the same subnet resource that provides the IP address for the primary network interface. You can't select a primary or secondary CIDR range from another subnet resource.
    • The primary IP address can be user-configured with a static private IP address or system auto-allocated with an ephemeral static IP address.
    • Alias IP ranges are optional and they are not automatically added. An alias IP range can be configured during instance creation or modification.
    • An alias IP range can be configured as an explicit CIDR range (for example, 10.128.1.0/24), a single IP address (for example, 10.128.7.29), or as a netmask (/24). An alias IP range can be fully specified or auto-allocated by specifying the netmask.
    • Because all subnets in a VPC network share a single default gateway, all alias IP addresses within an interface share the same default gateway as the primary IP address.
Figure: Alias IPs within an interface share the same default gateway as the primary IP address
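
A local pre-flight check of the allocation rules listed above, run over the alias assignments from the multi-range gcloud example. This is an added example, not Google Cloud's own validation and not code from the source page; `parse_aliases`, `check_plan`, the VM primary IPs and `vm3` are constructed for illustration, and the netmask-only form (`/24`) is not handled.

```python
import ipaddress

def parse_aliases(spec):
    """Parse a gcloud 'aliases=' value: 'RANGE_NAME:CIDR;...' (name optional, IPv4)."""
    pairs = []
    for item in filter(None, spec.split(";")):
        name, _, cidr = item.rpartition(":")
        pairs.append((name or None, ipaddress.ip_network(cidr)))  # bare IP -> /32
    return pairs

def check_plan(primary_cidr, secondary, vms):
    """Return violations of the alias IP rules for one subnet.

    secondary: {range_name: CIDR}; vms: {vm_name: (primary_ip, aliases_spec)}.
    """
    primary = ipaddress.ip_network(primary_cidr)
    parents = {None: primary}  # None = "allocate from the primary range"
    parents.update({n: ipaddress.ip_network(c) for n, c in secondary.items()})
    errors, claimed = [], []
    for vm, (primary_ip, spec) in vms.items():
        wanted = [(None, ipaddress.ip_network(primary_ip))] + parse_aliases(spec)
        for name, net in wanted:
            parent = parents.get(name)
            if parent is None:
                errors.append(f"{vm}: range '{name}' is not defined on this subnet")
            elif not net.subnet_of(parent):
                errors.append(f"{vm}: {net} is outside {parent}")
            # Assumption of this example: any overlap with an address already
            # claimed (by this VM or another) is reported as a conflict.
            errors += [f"{vm}: {net} conflicts with {o} on {v}"
                       for v, o in claimed if net.overlaps(o)]
            claimed.append((vm, net))
    return errors

# Ranges and aliases from the gcloud example above; primary IPs are constructed.
SECONDARY = {"secondaryrange1": "172.16.0.0/20"}
GOOD = {
    "vm1": ("10.128.0.2", "secondaryrange1:172.16.0.0/27;secondaryrange1:172.16.1.0/32"),
    "vm2": ("10.128.0.3", "secondaryrange1:172.16.0.32/27;secondaryrange1:172.16.1.1/32"),
}
# Constructed bad VM: overlaps vm1, names an undefined range, leaves the /20.
BAD = dict(GOOD, vm3=("10.128.0.4",
    "secondaryrange1:172.16.0.16/28;otherrange:172.17.0.0/24;secondaryrange1:172.16.16.0/24"))

if __name__ == "__main__":
    print(check_plan("10.128.0.0/16", SECONDARY, GOOD))
    for line in check_plan("10.128.0.0/16", SECONDARY, BAD):
        print(line)
```

The page's own plan passes with no violations, while the constructed `vm3` is rejected once per broken rule.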

DNS with alias IP addresses

Google Cloud automatically configures internal DNS for the primary IP of the primary interface of every VM instance. This associates the instance host name with the primary interface primary IP address. However, the DNS lookup on that host name only works in the network that contains the primary interface.

Google Cloud does not automatically associate any other IP addresses with the host name. Google Cloud does not associate alias IP addresses on the primary interface with the host name, and it does not associate any IP addresses of secondary interfaces with the host name.

You can manually configure DNS to associate other IP addresses.

Firewalls

All ingress or egress traffic, including traffic for alias IP ranges, is evaluated by a VPC firewall rule for a matching target tag or target service account. For details about targets and alias IPs, see Targets and IP addresses.

Alias IP ranges are not included when you specify sources for an ingress firewall rule using source tags or source service accounts.

Static routes

In a static route, the next-hop IP address must be the primary IP address of the virtual machine instance. An alias IP address is not supported as the next-hop IP address.

VPC Network Peering

VPC Network Peering allows you to peer two VPC networks so that the VMs in the two networks can communicate via internal, private IP addresses.

Both primary and secondary IP ranges of a subnet are reachable by VM instances in a peered network.

Subnet overlap checks across peered networks ensure that primary and secondary ranges do not overlap with any peered ranges.

Figure: IP aliasing with network peering

What's next

  • Learn how to configure alias IP addresses and alias IP ranges.


Source: https://cloud.google.com/vpc/docs/alias-ip
