Network Intelligence Center

Network Intelligence Center (NIC) is a Google Cloud native platform that provides visibility, monitoring, and diagnostics for your Virtual Private Cloud (VPC) networks. It is not a single tool but a suite of integrated services designed to help you understand network topology, monitor performance, test connectivity, and optimize firewall rules. NIC is built on top of Google's global network infrastructure and leverages telemetry data from VPC Flow Logs, Cloud NAT, and other sources.

Traditional network monitoring often relies on manual configuration of monitoring agents or third-party tools. In Google Cloud, where networks can span multiple regions, projects, and on-premises connections, engineers need a unified, cloud-native solution. NIC addresses this by:

The ACE exam tests your ability to select the right NIC tool for a given scenario, interpret its output, and understand its limitations.

NIC collects data from several sources within Google Cloud: - VPC Flow Logs: Sample network flows (by default, 1 sample per 10 packets, but configurable to 1 per 100 packets or 1 per 2 packets). These logs capture source/destination IP, ports, protocols, and packet/byte counts. - Cloud NAT Logs: Records NAT translations for instances without external IPs. - Firewall Rules: Metadata about rule configurations and hit counts. - Network Telemetry: Latency and throughput data from Google's backbone.

This data is aggregated and processed by NIC's backend services. For example, the Performance Dashboard uses latency measurements from Google's edge locations to compute median latency between regions. The Network Topology tool constructs a graph of your VPC resources (instances, load balancers, VPN gateways) and their connections by querying the Resource Manager and Compute Engine APIs.

#### 1. Network Topology - Purpose: Visualize your entire VPC network, including on-premises connections via Cloud VPN or Interconnect. - Data: Shows resources (VMs, load balancers, etc.) and their interconnections. Color-coded to indicate health (green = healthy, red = unhealthy). - Limitations: Only displays resources that are actively running. Does not show individual packets or real-time traffic. - Exam Tip: Use Network Topology for a high-level view of network architecture. It is often the first step in troubleshooting connectivity issues.

#### 2. Performance Dashboard - Purpose: Monitor latency and packet loss between Google Cloud regions and from Google Cloud to the internet. - Data: Aggregates measurements from Google's infrastructure. Latency is displayed as median and 95th percentile values. - Default: Shows the last 6 hours of data by default, but can be extended to 30 days. - Exam Tip: Use this to verify that your multi-region application is meeting latency SLAs. If you see unexpected latency spikes, check for network congestion or routing misconfigurations.

#### 3. Connectivity Tests - Purpose: Diagnose reachability between two endpoints (e.g., a VM and an on-premises server). - How it works: Simulates a packet traversal through your VPC network, evaluating firewall rules, routes, and other policies. It does not send real traffic. - Output: A step-by-step analysis showing which rules allowed or denied the traffic, and the path taken. - Exam Tip: This is the go-to tool for verifying firewall rules and route configurations. It is free to use and provides immediate feedback.

#### 4. Firewall Insights - Purpose: Analyze firewall rule usage to identify overly permissive rules, unused rules, and shadowed rules. - Data: Uses VPC Flow Logs to determine which rules are actually being hit. Provides recommendations for rule optimization. - Metrics: Shows the number of denied flows per rule, helping you identify rules that are blocking legitimate traffic. - Exam Tip: Use Firewall Insights to reduce attack surface and simplify rule management. The exam may ask you to interpret a recommendation (e.g., 'Rule X is shadowed by Rule Y').

While NIC is primarily accessed through the Google Cloud Console, some features are available via the gcloud command-line tool.

Enable VPC Flow Logs (required for Firewall Insights and some NIC features):

gcloud compute networks subnets update SUBNET_NAME \
    --region=REGION \
    --enable-flow-logs \
    --logging-aggregation-interval=INTERVAL \
    --logging-flow-sampling=SAMPLING_RATE \
    --logging-metadata=METADATA

Run a connectivity test via gcloud:

gcloud network-management connectivity-tests create TEST_NAME \
    --source-project=SOURCE_PROJECT \
    --source-ip=SOURCE_IP \
    --destination-project=DEST_PROJECT \
    --destination-ip=DEST_IP \
    --protocol=PROTOCOL \
    --destination-port=PORT

List firewall insights:

gcloud network-management firewall-insights list

NIC integrates with Cloud Monitoring to send custom metrics and alerts. For example, you can create an alerting policy that triggers when the latency between two regions exceeds a threshold. NIC also works with Cloud Audit Logs to track changes to firewall rules and network configurations. Additionally, VPC Flow Logs generated by NIC can be exported to BigQuery for custom analysis.

A global e-commerce company runs its application in Google Cloud across three regions: us-east1, europe-west1, and asia-east1. Users report inconsistent performance, with some regions experiencing high latency. The network team uses the Performance Dashboard to compare latency between regions. They discover that latency from europe-west1 to asia-east1 is 250ms, while us-east1 to asia-east1 is 150ms. The team suspects routing issues. They then run Connectivity Tests from a test VM in europe-west1 to a VM in asia-east1, confirming that traffic takes a suboptimal path due to a misconfigured Cloud Router. After fixing the BGP advertisement, latency drops to 140ms. This scenario demonstrates how NIC's tools work together to diagnose and resolve performance issues. In production, the team also sets up Cloud Monitoring alerts based on NIC metrics to proactively detect latency spikes.

A financial services company must comply with PCI DSS, which requires strict network segmentation. They have hundreds of firewall rules accumulated over years. The security team uses Firewall Insights to analyze rule usage. They find that 30% of rules have zero hits in the last 90 days, indicating they are unused. Another 20% are shadowed—for example, a rule allowing SSH from a specific IP is shadowed by a broader allow rule. The team uses Firewall Insights' recommendations to remove unused rules and reorder rules to eliminate shadowing. This reduces the attack surface and simplifies audits. In this scenario, VPC Flow Logs must be enabled on all subnets for Firewall Insights to work. The team also exports flow logs to BigQuery for custom compliance reporting.

A company uses Cloud VPN to connect its on-premises data center to Google Cloud. An application team reports that a new VM cannot reach a legacy database on-premises. The network engineer first uses Network Topology to verify that the VPN tunnel is up and the on-premises network is visible. Then, they run a Connectivity Test from the VM's internal IP to the on-premises database IP. The test reveals that the VPC firewall rule 'allow-db' is missing the on-premises subnet as a source. After updating the rule, connectivity is restored. This scenario highlights how NIC provides a structured troubleshooting workflow. Without NIC, the engineer would have to manually check firewall rules, routes, and VPN status—a time-consuming process.