Date:      Thu, 15 Dec 2022 14:03:32 -0800
From:      Rob Ballantyne <robballantyne3@gmail.com>
To:        freebsd-cloud@freebsd.org
Subject:   What is a VPC (google's specifically but it could be more general) really?
Message-ID:  <CAKLrb5do6Evnn2WKKeAsUJrHWExCp5N=QF5wvTituoFyYmOc0A@mail.gmail.com>


Hello,

  I have a question about what the internal structure and forwarding are
within Google's VPCs.

  I started into a project using OpenVPN to bind my home network to an
isolated VPC in Google's Cloud when I discovered the routing didn't work
quite the way I thought.  I had assumed that VPCs would look like a private
VLAN (Layer2) into which Google's infrastructure would inject L3 router
interfaces and/or ip/ethernet filters.

  I set up a private VPC and two test FreeBSD boxes to test and see exactly
how VPC configures routing.

  First, I just used a standard install of 13.1 and the routing table after
everything is up and configured looks like:

----
Internet:
Destination        Gateway            Flags     Netif Expire
default            10.1.1.1           UGS      vtnet0
10.1.1.1           link#1             UHS      vtnet0
10.1.1.20          link#1             UH          lo0
127.0.0.1          link#2             UH          lo0
----

  This looked a little unusual to me (there was no link-local route for
all the addresses in the VPC), so I commented out the rc.conf entry
'google_network_daemon_enable=YES' and set up the vtnet0 interface
manually with: 'ifconfig_vtnet0="inet 10.1.1.20 netmask 255.255.255.0"'.
The resulting routing table:

----
Internet:
Destination        Gateway            Flags     Netif Expire
10.1.1.0/24        link#1             U        vtnet0
10.1.1.20          link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0
----

  This configuration wasn't able to communicate. The latter routing table
looks more usual though, with a 10.1.1.0/24 route to the local link.

  So, it appears to me that VPCs are really configured to be a
point-to-point (star really) network where the Google router interface
(10.1.1.1 in this case) has to handle all forwarding between nodes of a
network.

  I've searched around the web to try and confirm this but there is scant
detail on how exactly forwarding works within a single VPC.

  My VPN project involved using a bastion VPN host that would have
terminated the VPN/SSL tunnel and routed traffic between my home network
and the isolated network behind the bastion.

  Before I make final decisions on configuration, I wanted to know if my
understanding is correct and whether there is any documentation on this
that I've somehow missed.

  FreeBSD is, of course, the host of choice for this operation!

  If anyone does know any details, any info would be greatly appreciated.

Many Thanks,
Rob Ballantyne
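As an added example (not part of the original post), the following script parses the two routing tables from the message and performs the same longest-prefix match the kernel does, to show why a packet for another VM (10.1.1.21 is a constructed address) is handed to the 10.1.1.1 router with the daemon's table but treated as directly on-link with the manual /24 table:

```python
import ipaddress

# Routing tables as printed by `netstat -rn` on the two FreeBSD boxes in the post.
GOOGLE_DAEMON_TABLE = """\
Destination        Gateway            Flags     Netif Expire
default            10.1.1.1           UGS      vtnet0
10.1.1.1           link#1             UHS      vtnet0
10.1.1.20          link#1             UH          lo0
127.0.0.1          link#2             UH          lo0
"""

MANUAL_TABLE = """\
Destination        Gateway            Flags     Netif Expire
10.1.1.0/24        link#1             U        vtnet0
10.1.1.20          link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0
"""

def parse_routes(text):
    """Parse the netstat -rn IPv4 table into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        dest, gw, flags, netif = line.split()[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif "H" in flags:                      # host route: an implicit /32
            net = ipaddress.ip_network(dest + "/32")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gw, flags, netif))
    return routes

def lookup(text, dst):
    """Longest-prefix match over the table; returns how dst would be reached."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, netif in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, netif)
    if best is None:
        return ("unreachable", None)
    net, gw, flags, netif = best
    if "G" in flags:
        return ("via-gateway", gw)              # packet is handed to a router
    return ("on-link", netif)                   # kernel resolves dst directly on netif

if __name__ == "__main__":
    for name, table in (("google daemon", GOOGLE_DAEMON_TABLE), ("manual", MANUAL_TABLE)):
        print(name, "->", lookup(table, "10.1.1.21"))   # constructed neighbour address
```

With the daemon's table only the router itself (10.1.1.1) is on-link; every other VPC address falls through to the default route, which is the star topology the post describes.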
