This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Whether does request flow from NVAs to Cloud Load Balancing?

Posted 2 weeks ago
anlex_N
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

anlex_N_0-1751244359154.png

This picture is in the https://cloud.google.com/architecture/blueprints/security-foundations/networking

I think first NAVs should do deep package inspection and other purposes, if no problem, after that, Cloud Load Balancing just can distrubute request.

1 4 86
Topic Labels
4 REPLIES 4

Posted on --/--/---- --:-- AM
DarwinVinoth
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

As per the screenshot, the traffic is handled by the Load balancer and the NVAs to support hub and spoke connectivity.  

0 Likes

Posted on --/--/---- --:-- AM
anlex_N
Bronze 1
Bronze 1
In response to DarwinVinoth
Reply posted on --/--/---- --:-- AM

Hello, @DarwinVinoth You still do not explain why not firstly NVAs. I think NVAs should do firstly so that it can filter spammer traffic and so on.

0 Likes

Posted on --/--/---- --:-- AM
diannemcm
Staff
Reply posted on --/--/---- --:-- AM

Hi @anlex_N,

Welcome to Google Cloud Community!

As stated on the document, you have the option on how to configure your network topology, so the sequence and interaction with Cloud Load Balancing depend on the specific configuration:

  1. Choose the Shared VPC network for each environment topology when you don't want direct network connectivity between environments. 
  2. Choose the hub-and-spoke network topology when you want to allow network connectivity between environments that is filtered by an NVA, such as when you rely on existing tools that require a direct network path to every server in your environment.

As for the Hub-and-spoke network topology, the diagram shows the Shared VPC hub project acts as the central hub, connected to spoke networks via VPC Network Peering. 

Traffic entering the Google Cloud environment from the on-premises environment via Dedicated Interconnects, routed through Cloud Routers, and processed by NVAs, performing security functions. Each region in the hub has redundantly deployed NVAs behind internal Network Load Balancer instances, serving as gateways to control traffic between spokes. Cloud Load Balancing then distributes the validated traffic to Compute Engine instances in the spoke networks.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

0 Likes

Posted on --/--/---- --:-- AM
anlex_N
Bronze 1
Bronze 1
In response to diannemcm
Reply posted on --/--/---- --:-- AM

 

 

Shared VPC network for each environment topology say:

  1. Connectivity with on-premises resources is enabled through four VLAN attachments to the Dedicated Interconnect instance for each Shared VPC network, using four Cloud Router services (two in each region for redundancy). For more information, see Hybrid connectivity between on-premises environment and Google Cloud.
    I want to ask: one Cloud Router service support only one VLAN attachment? multiple Cloud Router service in one region can share one subnet?

    I also think that Each environment (production, non-production, and development) has one Shared VPC network. should be replaced by Each environment (production, non-production, and development) has one Shared VPC network in its own environment, Do you think so?

0 Likes
Top Labels in this Space