on 12-13-2021 10:48 AM - edited on 12-13-2021 03:05 PM by Lauren_vdv
In this article, you'll find recommendations and best practices focused on the topic of Networking, as part of the System Design Pillar of the Google Cloud Architecture Framework.
Throughout this article, we often refer to the "Design your network infrastructure" documentation. We suggest you review this documentation to learn basic concepts before evaluating the following assessment questions and recommendations.
Do you require network-level isolation between different workload environments (e.g. development vs production)?
Since several design choices on an organizational level can’t be easily reversed later on in the process, make Virtual Private Cloud network design an early part of designing your organizational setup in Google Cloud.
Keep the design of your VPC network topology simple to help ensure a manageable, reliable, and well-understood architecture.
We recommend that enterprises use VPC networks in custom mode to better integrate into existing IP address management schemes and to provide explicit control over which cloud regions are included in the VPC.
For organizations with multiple teams, Shared VPC provides an effective tool to extend the architectural simplicity of a single VPC network across multiple working groups.
Do you plan to centrally manage network and network security configuration?
Make your naming conventions simple, intuitive, and consistent. This ensures that administrators and end users understand the purpose of each resource, where it’s located, and how it’s differentiated from other resources.
In the context of network security, you can use connectivity tests to verify that traffic you intend to prevent between two endpoints is, in fact, blocked. By defining a test between two endpoints and evaluating the results, you can validate that traffic would be blocked and exactly why it’s blocked (e.g. a specific VPC firewall rule).
With Private Service Connect (PSC) for Google APIs, you can create private endpoints for accessing Google services using your own IP addressing scheme. The private endpoints are accessible from within your VPC and through hybrid connectivity that terminates in your VPC.
How are you defining intra- and inter-workload communication requirements (i.e. who needs to talk to whom)?
When possible, manage traffic with Google Cloud native firewall rules, which control L3 traffic within your VPCs. Also, keep your firewall rules narrowly scoped rather than overly broad. You can use hierarchical firewall policies to apply common firewall rules across your VPC networks.
Additionally, as your deployments mature, employ service account-based access controls so that only authorized resources can reach the resources they need in your network. If you're using network tags to control network traffic, use Forseti Security to automate configuration monitoring.
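As an added example (not part of the original article or of any Google tool), the following script audits a firewall-rule export for the three points above: overly broad ingress, tag-based rather than service-account-based targeting, and logging left off. The input shape mirrors the Compute API firewall resource as printed by `gcloud compute firewall-rules list --format=json`; the sample export, project and service-account names are constructed.

```python
"""Audit exported VPC firewall rules for broad ingress, tag targeting and missing logs."""
import ipaddress
import json

# Constructed sample export (two rules): one broad tag-based rule, one scoped to service accounts.
SAMPLE_EXPORT = json.dumps([
    {"name": "allow-all-from-anywhere", "network": "vpc-prod", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}], "targetTags": ["web"],
     "logConfig": {"enable": False}},
    {"name": "allow-app-to-db", "network": "vpc-prod", "direction": "INGRESS",
     "priority": 900, "sourceServiceAccounts": ["app@example-proj.iam.gserviceaccount.com"],
     "targetServiceAccounts": ["db@example-proj.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}],
     "logConfig": {"enable": True}},
])

BROAD_PREFIX_LIMIT = 8  # a source range shorter than /8 is treated as "the internet"

def is_broad_range(cidr):
    """True for source ranges such as 0.0.0.0/0 or ::/0 (prefix shorter than /8)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen < BROAD_PREFIX_LIMIT

def allows_everything(rule):
    """True if any allowed entry is 'all' or a transport protocol with no port list."""
    for entry in rule.get("allowed", []):
        proto = entry["IPProtocol"].lower()
        if proto == "all" or (proto in ("tcp", "udp", "sctp") and not entry.get("ports")):
            return True
    return False

def audit_rule(rule):
    """Return a list of finding strings for one firewall rule (empty list means clean)."""
    findings = []
    if rule.get("disabled"):
        return findings  # disabled rules enforce nothing; skip them
    if rule.get("direction", "INGRESS") == "INGRESS":
        broad_src = any(is_broad_range(r) for r in rule.get("sourceRanges", []))
        if broad_src and allows_everything(rule):
            findings.append("broad ingress: internet-wide source with no port restriction")
        elif broad_src:
            findings.append("internet-wide source range; confirm the exposed ports are intended")
    if rule.get("targetTags") and not rule.get("targetServiceAccounts"):
        findings.append("targets network tags; prefer service-account-based targeting")
    if not rule.get("logConfig", {}).get("enable", False):
        findings.append("firewall rules logging disabled")
    return findings

def audit_export(export_json):
    """Map rule name -> findings for every rule in a gcloud JSON export."""
    return {r["name"]: audit_rule(r) for r in json.loads(export_json)}
```

Run it against a real export by piping `gcloud compute firewall-rules list --format=json` into `audit_export`; rules with an empty findings list already follow the guidance above.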
Google Cloud Marketplace features a large ecosystem of third-party solutions that will help you deploy security capabilities to monitor VPC traffic effectively.
Do your workloads require access to the internet?
Limit access to the internet to only those resources that need access. Resources with only a private, internal IP address can still access many Google APIs and services through Private Google Access.
Do your scale requirements exceed per-project or VPC limits?
After you draft your VPC architecture, a good practice is to review VPC limits to ensure it meets your scaling requirements, especially to accommodate peak traffic resource usage.
As you decouple your workloads, consider isolating workloads using different VPCs. This allows you to address various considerations across the other Google Cloud Architecture Framework pillars.
Do you plan to use third-party virtual network appliances within the cloud environment?
Evaluate Google Cloud's native capabilities to control and monitor traffic as these products are meant to help scale your networking capabilities. Using a third-party appliance may limit your scaling capabilities due to VM-based management overhead.
Verify if your vendor provides support for Google Cloud. Google Cloud Marketplace features a large ecosystem of appliance vendors, including how-to guides, tutorials, and best practices.
Refer to the Google Cloud documentation on centralized network appliances to understand best practices for designing your VPC communication.
Is private communication required between services deployed in different VPC networks?
The next step after deciding to implement multiple VPC networks is connecting those VPC networks. VPC networks are isolated tenant spaces within Google's Andromeda SDN (software-defined networking), and there are several ways that they can communicate with each other. A full comparison of the available options is provided here.
Based on your bandwidth, latency, and SLA requirements, choose the best connection option.
How many services require private communication with each other?
Use Network Telemetry to enhance visibility into your cloud network.
Identify traffic and access patterns that may impose security or operational risks to your organization in near real time. Network Telemetry provides both network and security operations with in-depth, responsive logs for Google Cloud networking services.
Virtual Private Cloud (VPC): Hierarchically manage resources by project, folder, and organization
Shared VPC: Enables an organization to connect resources from multiple projects to a common VPC network, so they can communicate with each other securely and efficiently using internal IP addresses from that network
Cloud Load Balancing: High performance, scalable load balancing on Google Cloud
Cloud Armor: Help protect your applications and websites against denial of service and web attacks
Cloud CDN: Fast, reliable web and video content delivery with global scale and reach
Cloud DNS: Reliable, resilient, low-latency DNS serving from Google's worldwide network with everything you need to register, manage, and serve your domains
Cloud NAT: NAT service for giving private instances internet access
Private Service Connect: Creates a private and secure connection from your VPCs to Google, third parties, or your own services
Cloud Hybrid Connectivity: Connect your infrastructure to Google Cloud on your terms, from anywhere
Network Connectivity Center: Reimagine how you deploy, manage, and scale your networks
Network Intelligence Center: A comprehensive network monitoring, verification, and optimization platform
We've just covered Networking as part of the System Design Pillar of the Google Cloud Architecture Framework. There are several other topics within the System Design Pillar that may be of interest to you: