
Do requests flow from NVAs to Cloud Load Balancing?

[Screenshot: anlex_N_0-1751244359154.png]

This picture is in the https://cloud.google.com/architecture/blueprints/security-foundations/networking

I think the NVAs should go first, doing deep packet inspection and serving other purposes; if there is no problem, after that, Cloud Load Balancing can just distribute the requests.

Solved
1 ACCEPTED SOLUTION

Hi @anlex_N,

I want to ask: does one Cloud Router service support only one VLAN attachment?


No, a single Cloud Router service in Google Cloud can support multiple VLAN attachments.

A single Cloud Router can manage BGP sessions for multiple VLAN attachments, as long as they are in the same region and VPC network. This allows the Cloud Router to advertise routes and learn routes from multiple VLAN attachments. While a Cloud Router can support multiple VLAN attachments, all VLAN attachments associated with a single Cloud Router must belong to the same VPC network and region.

Can multiple Cloud Router services in one region share one subnet?


Yes, multiple Cloud Router services in the same region can share a subnet, but with important considerations: BGP configuration, route priority and resource isolation.

I think the original phrase is all good for me since it is also stated that “This diagram shows only the production environment, but the same pattern is repeated for each environment.”

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
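To make the accepted answer concrete, here is an added Terraform example that is not code from this thread or from Google's security foundations blueprint. It declares one Cloud Router in a single region and VPC network that terminates two Dedicated Interconnect VLAN attachments, each with its own router interface and BGP session, which is exactly the "one router, multiple attachments" case the answer describes. The project id, Interconnect self-links, ASNs, VLAN tags and bandwidth are placeholders chosen for the example; the link-local addresses are read back from the attachment resources rather than hard-coded.

```terraform
# Added example, not code from the thread or the blueprint.
# One Cloud Router (one region, one VPC network) carrying two Dedicated
# Interconnect VLAN attachments with a separate BGP session each.
# Placeholders: project id, Interconnect self-links, ASNs, VLAN tags.

locals {
  project = "PLACEHOLDER_PROJECT_ID"
  region  = "us-central1"
}

resource "google_compute_network" "hub" {
  name                    = "hub-shared-vpc"
  project                 = local.project
  auto_create_subnetworks = false
}

# A single Cloud Router; both attachments below are bound to it. All of its
# attachments must live in this same region and VPC network.
resource "google_compute_router" "hub" {
  name    = "hub-router-${local.region}-a"
  project = local.project
  region  = local.region
  network = google_compute_network.hub.id

  bgp {
    asn = 64512 # placeholder private ASN for the Google Cloud side
  }
}

# Two VLAN attachments on two different Dedicated Interconnect instances
# (placeholder self-links), both terminated on the same Cloud Router.
resource "google_compute_interconnect_attachment" "vlan" {
  for_each = {
    a = { interconnect = "PLACEHOLDER_INTERCONNECT_A_SELF_LINK", vlan = 100 }
    b = { interconnect = "PLACEHOLDER_INTERCONNECT_B_SELF_LINK", vlan = 101 }
  }

  name          = "hub-vlan-${each.key}"
  project       = local.project
  region        = local.region
  router        = google_compute_router.hub.id
  interconnect  = each.value.interconnect
  type          = "DEDICATED"
  vlan_tag8021q = each.value.vlan
  bandwidth     = "BPS_10G" # placeholder capacity
}

# One router interface per attachment. Google allocates the link-local /29 for
# each attachment and exposes it as cloud_router_ip_address, so it is read back
# here instead of being hard-coded.
resource "google_compute_router_interface" "vlan" {
  for_each = google_compute_interconnect_attachment.vlan

  name                    = "if-${each.key}"
  project                 = local.project
  region                  = local.region
  router                  = google_compute_router.hub.name
  ip_range                = each.value.cloud_router_ip_address
  interconnect_attachment = each.value.name
}

# One BGP peer per interface, i.e. two BGP sessions on one Cloud Router.
# advertised_route_priority is the MED sent to on-premises: the lower value is
# preferred, so attachment "a" is the primary path and "b" the backup.
resource "google_compute_router_peer" "vlan" {
  for_each = google_compute_interconnect_attachment.vlan

  name                      = "peer-${each.key}"
  project                   = local.project
  region                    = local.region
  router                    = google_compute_router.hub.name
  interface                 = google_compute_router_interface.vlan[each.key].name
  peer_asn                  = 65001 # placeholder on-premises ASN
  peer_ip_address           = split("/", each.value.customer_router_ip_address)[0]
  advertised_route_priority = each.key == "a" ? 100 : 200
}
```

Note that the blueprint text quoted in this thread uses four Cloud Router services for four VLAN attachments (two per region), so it pairs each attachment with its own router for redundancy; the consolidated layout above only demonstrates that a single router is not limited to one attachment, and the differing advertised route priorities are the "route priority" consideration the answer mentions when several sessions advertise the same prefixes.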


6 REPLIES

As per the screenshot, the traffic is handled by the Load balancer and the NVAs to support hub and spoke connectivity.  

Hello @DarwinVinoth, you still have not explained why the NVAs do not come first. I think the NVAs should go first so that they can filter spam traffic and so on.

Hi @anlex_N,

Welcome to Google Cloud Community!

As stated in the document, you have the option of how to configure your network topology, so the sequence and interaction with Cloud Load Balancing depend on the specific configuration:

  1. Choose the Shared VPC network for each environment topology when you don't want direct network connectivity between environments. 
  2. Choose the hub-and-spoke network topology when you want to allow network connectivity between environments that is filtered by an NVA, such as when you rely on existing tools that require a direct network path to every server in your environment.

As for the hub-and-spoke network topology, the diagram shows that the Shared VPC hub project acts as the central hub, connected to spoke networks via VPC Network Peering.

Traffic entering the Google Cloud environment from the on-premises environment via Dedicated Interconnect is routed through Cloud Routers and processed by NVAs, which perform security functions. Each region in the hub has redundantly deployed NVAs behind internal Network Load Balancer instances, serving as gateways to control traffic between spokes. Cloud Load Balancing then distributes the validated traffic to Compute Engine instances in the spoke networks.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

The "Shared VPC network for each environment" topology says:

  1. Connectivity with on-premises resources is enabled through four VLAN attachments to the Dedicated Interconnect instance for each Shared VPC network, using four Cloud Router services (two in each region for redundancy). For more information, see Hybrid connectivity between on-premises environment and Google Cloud.
    I want to ask: does one Cloud Router service support only one VLAN attachment? Can multiple Cloud Router services in one region share one subnet?

    I also think that "Each environment (production, non-production, and development) has one Shared VPC network." should be replaced by "Each environment (production, non-production, and development) has one Shared VPC network in its own environment." Do you think so?


@diannemcm @DarwinVinoth 

Thanks, you are my friend! Can you give me your email or discord id? I want to add you to my contacts.