Network Topology overview

Network Topology is a visualization tool that shows the topology of your Virtual Private Cloud (VPC) networks, hybrid connectivity to and from your on-premises networks, connectivity to Google-managed services, and the associated metrics. You can also view metrics and details of network traffic to other Shared VPC networks and inter-region traffic. Network Topology combines configuration information with real-time operational data in a single view. This view makes it easier to understand networking relationships between various workloads on Google Cloud and their current state, such as the traffic paths and throughput between virtual machine (VM) instances.

Network Topology lays out information in a graph format, where the nodes and lines represent entities and connections in your network.

How it works

Network Topology collects real-time telemetry and configuration data from Google's infrastructure to visualize your resources. It captures elements such as configuration information, metrics, and logs to infer relationships between resources in a project or in multiple projects. After collecting each element, Network Topology combines them to generate a graph that represents your deployment.

Benefits

Using Network Topology provides the following benefits:

  • You can quickly view the topology of your deployments. No additional configurations or agents are required to use Network Topology.

  • You can use Network Topology graphs to understand your Google Cloud infrastructure. You don't need to view multiple logs or use third-party tools.

  • You can use Network Topology to help you analyze the performance of your network. You can drill down and view various metrics that can help you identify unexpected patterns.

  • You can use filters to help you quickly highlight and focus on specific resources, especially when you need to quickly diagnose and troubleshoot issues.

Considerations

Network Topology captures six weeks of history.

Network Topology visualizes entities and connections only if they have communicated (sent or received traffic) during the selected time period. A connection between entities exists if base entities in their respective hierarchies are in communication. For example, Network Topology connects regions us-east4 and europe-west1 if at least one VM instance in each region communicates with the other. Although other resources might exist, Network Topology doesn't show them if they didn't receive or send traffic.

For more information, see Data collection and freshness.

Resources and traffic

A Network Topology graph shows your resources and traffic as entities and connections. Network Topology aggregates related resources into hierarchical entities, where each resource type has its own hierarchy. The following sections describe the resources (entities) and traffic paths (connections) that Network Topology can graph.

Entities

A base entity is the lowest level of a particular hierarchy and represents a resource that can directly communicate with other resources over a network, such as a VM instance.

When you have multiple networks and a large number of base entities, displaying everything in a flat view can be overwhelming. To address this issue, Network Topology aggregates base entities into hierarchical entities that you can expand or collapse. When you first view a Network Topology graph, it aggregates all of the base entities into their top-level hierarchy.

For example, Network Topology aggregates VM instances into their instance group, then aggregates instance groups into a Google Cloud zone, and so on.

Network Topology represents a base or hierarchical entity as a circular node in a graph. Each base entity possesses its own hierarchy. For example, load balancers have a different hierarchy than VM instances.

The following list shows the base entities and their aggregation hierarchies (top to bottom). In a graph, Network Topology represents each base entity with its own icon.

Base entity: VM instance
Description: A Compute Engine VM instance.
Aggregation hierarchy: region > network > subnet > zone > instance group > instance

Base entity: External HTTP(S) load balancer, external network load balancer, TCP proxy load balancer, or SSL proxy load balancer
Description: The base entity for external load balancer components, such as the forwarding rule and backend service.
Aggregation hierarchy: external load balancing > load balancer

Base entity: Internal load balancer
Description: The base entity for internal load balancer components, such as the forwarding rule and backend service.
Aggregation hierarchy: internal load balancing > load balancer

Base entity: Cloud NAT gateway
Description: A NAT gateway.
Aggregation hierarchy: region > network > NATs > NAT gateway

Base entity: VPC Network Peering
Description: A VPC peering endpoint that is shown when you don't have permissions to view the peer network. If you do, Network Topology shows the resources of the peer network.
Aggregation hierarchy: peer networks > network

Base entity: Country
Description: Network Topology shows the country where external clients are located. These clients are outside of Google Cloud. They are typically hosts that communicate with resources in your network over external IP addresses.
Aggregation hierarchy: business region* > country#

Base entity: Cloud Interconnect
Description: Network Topology shows the Dedicated Interconnect or Partner Interconnect connections. For more information, see the Cloud Interconnect overview.
Aggregation hierarchy: interconnect

Base entity: VLAN attachments
Description: Network Topology shows the VLAN attachments to Dedicated Interconnect or Partner Interconnect connections.
Aggregation hierarchy: interconnect > interconnect attachments

Base entity: Cloud VPN gateway
Description: Network Topology shows the Cloud VPN gateway connections. For more information, see the Cloud VPN overview.
Aggregation hierarchy: gateway

Base entity: Cloud VPN
Description: Network Topology shows the Cloud VPN connections.
Aggregation hierarchy: gateway > vpn tunnel

Base entity: On-premises
Description: Network Topology shows the on-premises networks. An on-premises network can refer to any remote network that is outside the Google Cloud domain.
Aggregation hierarchy: on-premises

Base entity: Google-managed services
Description: Network Topology shows the Google-managed service instance.
Aggregation hierarchy: Google services > Google service

*A business region can be one of the following entities: Americas for North and South America, APAC for Asia and Oceania, and EMEA for Europe, the Middle East, and Africa.
#Google uses the external IP addresses to categorize the origin of the external client. However, the IP address might not indicate the actual location of the client. For example, if you deliver content through Cloud CDN, the IP address observed by Network Topology might not be the actual address of the external client.

Connections

Network Topology represents traffic between entities as lines, such as traffic between VM instances. Network Topology connects entities if at least one side of the connection is sending traffic.

Network Topology shows connections at various levels of a hierarchy as long as their base entities are in communication. For example, Network Topology shows a connection between two regions if at least one VM instance in each region is communicating with the other.

Network Topology supports only TCP traffic for certain traffic paths. The following list describes the paths that Network Topology visualizes between entities:

  • Traffic in a VPC network such as traffic between VM instances and internal load balancers that are in the same network.
  • Traffic across peered VPC networks such as traffic between VM instances and internal load balancers that are in peer VPC networks.
  • Traffic between Google Cloud and the internet such as traffic between clients on the internet and entities (for example, VM instances or external HTTP(S) load balancers that have external IP addresses).
  • Traffic to and from Cloud VPN gateways and Cloud Interconnect connections.

Google-managed services

Network Topology also visualizes traffic to and from Google-managed services. Google Cloud users can use Network Topology to audit their networking configuration and troubleshoot networking issues related to the different Google services in use.

Network Topology supports direct access from VMs to Google-managed services either through a default route whose next hop is the default-internet-gateway or through Private Google Access. It does not support the following access methods to Google-managed services:

  • External traffic from the internet
  • Direct Google access from the VMs
  • Private Google access from on-premises hosts

Network Topology doesn't show traffic to or from some of the Google-managed services such as App Engine Memcache, Filestore, Memorystore, Cloud SQL, and partner and marketplace solutions.

IP address considerations

For traffic between VM instances in Google Cloud that communicate using external IP addresses, Network Topology does not display a single connection directly between the VMs. Instead, Network Topology displays the traffic as if it were to and from an external location by using two connections: one connection between the first VM and the country of the second VM, and another connection between the second VM and the country of the first VM.

Network interface considerations

Network Topology only visualizes traffic to or from the first network interface (nic0) of a VM.

For VMs that use internal IP addresses to communicate, Network Topology only displays a connection if both VMs are communicating by using their first network interface (nic0-to-nic0).

For VMs that use external IP addresses to communicate, Network Topology normally displays two connections as described in IP address considerations. However, if only one of the VMs is using nic0, Network Topology only displays a connection for that VM. For example, if one VM is communicating through nic0 and the other VM is communicating through nic1, Network Topology only displays a connection between the nic0 VM and a country.
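To make the connection rules concrete, here is an added Python model (example code written for this page, not part of Network Topology or its documentation) that applies the nic0 and external-IP rules from the two sections above to a set of constructed flows, then rolls the resulting base connections up to the zone or region level as described under Connections. The VM names, zones, and country codes are constructed sample values.

```python
from collections import namedtuple

# Constructed sample inventory (not real resources): each VM's place in the
# region > zone hierarchy and the country attributed to its external IP address.
VMS = {
    "vm-a": {"region": "us-east4",     "zone": "us-east4-a",     "country": "US"},
    "vm-b": {"region": "europe-west1", "zone": "europe-west1-b", "country": "BE"},
    "vm-c": {"region": "us-east4",     "zone": "us-east4-b",     "country": "US"},
}

# One observed flow: the interface each VM used and whether it crossed external IPs.
Flow = namedtuple("Flow", "src src_nic dst dst_nic external")

def edge(a, b):
    """Undirected connection, normalised so that (a, b) and (b, a) compare equal."""
    return tuple(sorted((a, b)))

def base_connections(flows):
    """Apply the nic0 and IP-address rules to derive base-entity connections."""
    edges = set()
    for f in flows:
        if not f.external:
            # Internal-IP traffic is drawn only when both ends use nic0.
            if f.src_nic == "nic0" and f.dst_nic == "nic0":
                edges.add(edge(f.src, f.dst))
            continue
        # External-IP traffic between VMs is never a direct VM-to-VM line: each VM
        # that used nic0 is linked to the country of the *other* VM's external IP.
        if f.src_nic == "nic0":
            edges.add(edge(f.src, "country:" + VMS[f.dst]["country"]))
        if f.dst_nic == "nic0":
            edges.add(edge(f.dst, "country:" + VMS[f.src]["country"]))
    return edges

def aggregate(edges, level):
    """Roll VM endpoints up to 'zone' or 'region'. A connection exists at that level
    as soon as one base connection exists beneath it; non-VM entities stay as-is."""
    def up(endpoint):
        return VMS[endpoint][level] if endpoint in VMS else endpoint
    return {edge(up(a), up(b)) for a, b in edges if up(a) != up(b)}

# Constructed flows covering each rule on the page.
FLOWS = [
    Flow("vm-a", "nic0", "vm-c", "nic0", False),  # internal, nic0-to-nic0: drawn
    Flow("vm-a", "nic0", "vm-b", "nic1", False),  # internal, vm-b on nic1: not drawn
    Flow("vm-a", "nic0", "vm-b", "nic0", True),   # external: two VM-to-country lines
    Flow("vm-c", "nic1", "vm-b", "nic0", True),   # external, vm-c on nic1: only vm-b's line
]
```

Calling `base_connections(FLOWS)` yields three connections (vm-a to vm-c, vm-a to country BE, vm-b to country US), and `aggregate(..., "region")` collapses the intra-region vm-a/vm-c line while keeping both region-to-country lines.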

Multiple projects

Network Topology visualizes resources in your project, or you can use Cloud Monitoring, which can visualize metrics for multiple Google Cloud projects. When you configure Cloud Monitoring to have access to the metrics for multiple projects, Network Topology can show network traffic that crosses multiple projects.

For example, assume that you have two VM instances in two different projects. vm-a is in project-a, and vm-b is in project-b. Both VM instances communicate with each other and are in a Shared VPC network. If you only have visibility into project-b, Network Topology shows vm-b but nothing to indicate that it communicated with vm-a. However, if you configure Cloud Monitoring to view metrics for both projects, Network Topology shows vm-a, vm-b, and their communication.

Cloud Monitoring is especially useful for Shared VPC and VPC Network Peering scenarios, where resources or networks can be in different projects. For more information, see Viewing metrics for multiple projects.

Project aggregation

When you view multiple projects in a Network Topology graph, you can aggregate Google Cloud entities by project and then by their standard hierarchies. This option enables you to view resources by project. Entities outside of Google Cloud, such as external clients, aren't included in project aggregation.

As an example, if you aggregate by project and then expand a project, the graph shows a region entity for each region that contains a VM instance. If you don't use project aggregation, the graph shows all of the entities as if they were in the same project. To enable project aggregation, see Aggregating projects.

Data collection and freshness

Network Topology captures six weeks of history.

The Network Topology history is divided into hourly segments, which start at the beginning of an hour. For each hourly segment, the graph shows base entities and their communication that occurred during that hour. For example, if two instances communicated with each other and then were destroyed during the hour, they would appear for that hour even though they no longer exist.

The visualization of entities and their connections includes overlaid metrics on the connections where applicable. Network Topology also displays separate time series charts that show metrics such as the traffic throughput between communicating entities or the CPU utilization of VM instances. The time series charts do not have the same hourly constraints as the visualized entities, connections, and overlaid metrics.

For more information about viewing metrics, see Using Network Topology.

Present segment

When you view the present time, the Network Topology graph shows an hourly segment from the previous hour. Each time that you load a graph, Network Topology shows the latest available segment.

For more details about each component and its data during the present segment, see the following table.

Component: Entities and connections
Data comes from: the previous hour.
Available at: immediately after each hour¹.
Example: If the current time is 01:19 PM, the graph visualizes entities that communicated from 12:00 PM to 01:00 PM, but the graph can still change. At 01:20 PM the graph is fixed and won't change.

Component: Overlaid metric values
Data comes from: the last 5 minutes of the previous hour².
Available at: as entities and connections become available.
Example: If the current time is 10:37 AM and the currently selected metric is Traffic, the overlaid values are an average from 09:55 AM to 10:00 AM.

Component: Time series charts
Data comes from: real time, with historical data from a timeframe that you specify. The default timeframe shows minute-by-minute metric values from the past hour. The available timeframes range from 1 hour to 6 weeks³.
Available at: at most 7 minutes after an activity.
Example: If the current time is 10:37 AM and you open the time series charts for a VM, you see minute-by-minute metric values for the hour from 09:37 AM to 10:37 AM.

¹ The graph can change up to 20 minutes after the end of an hour.
² The traffic and packet loss metrics use the average of the last 5 minutes, while latency uses the median.
³ The aggregation interval, or how often the data is sampled, depends on the timeframe. For example, the 1 hour timeframe has an aggregation interval of 1 minute, while the 1 day timeframe has an aggregation interval of 5 minutes.
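The following added Python snippet (example code written for this page, not from Network Topology itself) encodes the timing rules of the present-segment table: which hourly segment a present-time view shows, when that segment stops changing, and how the value overlaid on a connection is reduced from the last five minutes of the segment, averaged for traffic and packet loss and median for latency. The timestamps and latency values are constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import mean, median

SEGMENT_FINAL_AFTER = timedelta(minutes=20)  # graph may still change for 20 min past the hour
OVERLAY_WINDOW = timedelta(minutes=5)        # overlaid values use the segment's last 5 minutes

def at(hour, minute):
    """Constructed clock for the examples: a fixed day, local wall-clock time."""
    return datetime(2024, 1, 1, hour, minute)

def present_segment(now):
    """(start, end) of the segment shown when viewing the present time: the previous
    clock hour, aligned to the start of the hour."""
    end = now.replace(minute=0, second=0, microsecond=0)
    return end - timedelta(hours=1), end

def graph_is_final(now):
    """Entities and connections for the present segment can change until 20 minutes
    after the hour ends; after that the graph is fixed."""
    _, end = present_segment(now)
    return now >= end + SEGMENT_FINAL_AFTER

def overlay_value(metric, samples, segment_end):
    """Reduce per-minute samples [(timestamp, value)] to the value overlaid on a
    connection: last 5 minutes of the segment, averaged for traffic and packet
    loss, median for latency. Returns None if no sample falls in the window."""
    start = segment_end - OVERLAY_WINDOW
    window = [v for t, v in samples if start <= t < segment_end]
    if not window:
        return None
    return median(window) if metric == "latency" else mean(window)

# Constructed sample: one latency sample (ms) per minute from 09:50 to 09:59,
# with a spike at 09:57 that the median suppresses but an average would not.
LATENCY_MS = [(at(9, 50) + timedelta(minutes=i), v)
              for i, v in enumerate([9, 9, 10, 9, 10, 10, 12, 95, 11, 13])]

if __name__ == "__main__":
    now = at(10, 37)
    start, end = present_segment(now)
    print(start, end, graph_is_final(now))            # 09:00 10:00 True
    print(overlay_value("latency", LATENCY_MS, end))  # 12 (median of 09:55-09:59)
    print(overlay_value("traffic", LATENCY_MS, end))  # 28.2 (mean of the same samples)
```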

Past segments

For details about each component and its data when viewing past segments, see the following table.

Component: Entities and connections
Data comes from: an hour that you select from the past.
Example: 11:00 AM to 12:00 PM on the previous day.

Component: Overlaid metric values
Data comes from: the last 5 minutes of the selected hour¹.
Example: If you select the segment that runs from 11:00 AM to 12:00 PM on the previous day and the currently selected metric is Traffic, the overlaid values are an average from 11:55 AM to 12:00 PM.

Component: Time series charts
Data comes from: real time, with historical data from a timeframe that you specify. The default timeframe shows minute-by-minute metric values from the past hour. The available timeframes range from 1 hour to 6 weeks².
Example: If you set the timeframe of the time series chart to 1 day, the chart shows metric values from the current time to 24 hours ago using a 5-minute aggregation interval.

¹ The traffic and packet loss metrics use the average of the last 5 minutes, while latency uses the median.
² The aggregation interval, or how often the data is sampled, depends on the timeframe. For example, the 1 hour timeframe has an aggregation interval of 1 minute, while the 1 day timeframe has an aggregation interval of 5 minutes.

What's next