Google emits Network Intelligence Center to help untangle misconfigured cloud networks
Connectivity tests check config but do *not* actually test connectivity
Google has pulled the dustcovers off a new tool that will monitor and optimise the network performance of VMs and applications deployed to its cloud.
The Choc Factory's Network Intelligence Center, accessed via the Google Cloud Console, currently has four modules. Network Topology and Connectivity Tests are in beta, while Performance Dashboard and Firewall Metrics & Insights are in alpha. Additional modules are promised.
The Network Topology module allows you to visualise a GCP network, see performance metrics and verify policy compliance. This should help you identify whether it is optimised for things like serving users from the closest region. You can also track network topology changes for the last six weeks. The cost is free during beta, but will be based on the number of VMs monitored, at $0.0011 per running VM per hour.
Network Topology works by collecting real-time telemetry from the GCP infrastructure. It infers relationships between resources and generates a graph so you can get a something of a visual of what you have deployed. It does not require any additional agents. The service does not show traffic to Google-managed services such as cloud storage, presumably on the assumption that you cannot control this aspect of performance.
The Connectivity Test module lets you create, save and run tests. These can be within GCP, or between GCP and on-premises or external IP addresses. Google said it has used this module internally to resolve customer issues, and claimed 75 per cent of network outages and performance problems come from mis-configuration. The cost when it comes out of beta will be $0.15 per test, after an allowance of 20 free tests per month.
Perhaps surprising is that according to the docs a connectivity test does not actually send any data. Rather, "Connectivity Tests performs a static reachability analysis that evaluates the GCP resources in your testing path against an ideal configuration model, rather than against the live data plane."
As a consequence, the result "may not represent the actual condition or status of the data plane for your VPC (Virtual Private Cloud) network".
It would then be more accurate therefore to call this feature "Connectivity configuration tests" since it tests the configuration, not the connectivity itself. The result of a test is one of four values: reachable, unreachable, ambiguous or undetermined.
There are several limitations in the beta. The tests do not take account of Google Cloud Armor, which protects against DDoS and other attacks, nor do they look at Google Kubernetes Engine network policy. The tests also cannot see configuration that exists within VMs configured to act as routers, firewalls, VPNs or other such roles, since it has no visibility into them. Similarly, the tests have no knowledge of network configuration outside GCP.
Dash and shadows
Less is known about the two services in alpha. Performance Dashboard will let you visualize packet loss and latency. This should let you see if an application performance issue is caused by the application, or the network. Firewall Metrics & Insights is about firewall rules, including the problem of "shadowed rules", where a rule can never be applied because a preceding rule prevents the packets from reaching it.
Who will use these services? They will be most useful for big GCP customers, perhaps with deployments in multiple regions. Performance and network problems are often tricky to resolve, so additional resources will be appreciated. That said, static network configuration analysis, while useful, is far from being a complete connectivity test tool. ®