Speed, Efficiency & Control:

Advanced Packet Routing Techniques in a Google Compute Engine Network

John Cormie, Staff Software Engineer

Sunil James, Product Manager

An Overview of Google Compute Engine (GCE) Networking

We'll keep it brief ...

GCE Network Basics

• Private networks / private IP addresses

​

• Public static IP addresses

​

• Simple yet robust network security

​

• Performant

Developers Want More Control ...

• Enable hybrid cloud by securely connecting existing datacenters to their private GCE networks.

​

• Allow private VMs to share one Internet-facing IP address.

​

• Instrument proxies within the network to enforce acceptable-use policies and reduce bandwidth consumption.

Introducing GCE Advanced Routing

Speed, Efficiency & Control

GCE Advanced Routing: Delivering Control

• A massively scalable global virtual router sites at the core of each GCE network.

​

• Every VM in the network is directly connected to this virtual router.

​

• The virtual router selects the next hop for a source VM's packet by consulting that VM's implicit routing table.

10.100.0.0/16 -> default-route-78...�0.0.0.0/0 -> default-route-6807...

10.100.0.0/16 -> default-route-78...�0.0.0.0/0 -> default-route-6807...�172.12.0.0/16 -> vpn-gateway

Internet

vm-1

vpn-gateway

10.100.0.0/16 -> default-route-78...�0.0.0.0/0 -> default-route-6807...�172.12.0.0/16 -> vpn-gateway

vm-2

GCE Advanced Routing begins to let you configure this router to more explicitly control traffic routing.

GCE Advanced Routing: An Overview

• Routes enable you to send packets to VMs (or gateways) for subsequent processing:

​

• Interconnect an existing WAN via IPSec VPN
• Establish many-to-one NAT
• Configure transparent proxies

​

• Each Cloud project includes one collection of routes containing all routes for all GCE networks within that project

​

• Every GCE network has two default routes:
• A route directing traffic to the Internet
• A route directing traffic to other VMs within the network

GCE Advanced Routing: The Components

• Route Name: vpn-route for a route allowing VPN access, for example.

​

• Network: The acme-staging network, for example.

​

• Destination Range: 192.168.0.0/16, for example.

​

• Instance Tags: The list of VM tags that a route applies to.

​

• Next-Hop: Specifies the VM or gateway where matching traffic should next be sent to.

​

• Priority Value: Priority breaks ties when there is more than one most specific matching route.

Routes are comprised of:

GCE Advanced Routing: Route Selection

1. GCE discards all but the most specific routes matching a packet’s destination.

​

• If there are multiple equally specific routes, the virtual router only keeps those with the lowest priority value (most preferred).

​

• The virtual router computes a hash of the following parts of the packet and uses it to select the next-hop from the remaining ties:

​

• IP protocol field
• source and destination IP addresses
• source and destination port

GCE Advanced Routing: IP Forwarding

• By default, GCE guarantees the authenticity of the source IP address of a packet sent from a VM.

​

• But a VM acting as a router needs to send packets with source addresses other than its own. To allow this, enable the canIPForward flag at VM creation time.

​

• This allows VMs to accept packets for forwarding, and to send forwarded packets.

gcutil --project=<project-id> addinstance <instance-name> .... --can_ip_forward=true.

A Few Examples ...

GCE Advanced Routing: Route Table Construction Example

GCE Advanced Routing: Most Specific Matching Example

GCE Advanced Routing: Flow Hashing Example

Demo: Establishing a VPN Gateway

An Existing Application

First try ...

Second try ...

Third time's a charm

Summary

Questions?

It's now or never ... kidding

One more thing ...

Coming Soon ... Load Balancing

Interested? goo.gl/PNrKD

​

GCE Early Access Program: goo.gl/GSqJo

Thank You!

For help, support, advice, or to discuss the technology:

​

gce-discussion@googlegroups.com