Part 2 – Two Different Types of GCP Network Designs

This is a 2-Part Series on GCP Networking.

When designing your network in GCP, you need to decide whether to go fully GCP native or use a virtual network appliance to manage your VPCs. GCP only offers simple layer 4 firewalls, and we need all traffic between our zones to pass through our firewall for IPS/IDS functionality. There are two ways to do this:

GCP Native Solution

We set up three VPCs in the host project: prod, shared services (sst) and non-prod. We peer prod and non-prod to the sst. In the sst network we create a VPN connection to our on-premises site, where we have a firewall. Since VPC peering is not transitive in GCP, prod and non-prod cannot reach each other. We set the default route to go via on-premises; from there traffic can be routed back to GCP or to the internet. To limit traffic going through the VPN we enable Private Google Access in the VPCs.

  • This design is simple and the only additional cost is that of the VPN/Interconnect
  • It is compliant with company policy
  • On-prem becomes a single point of failure when internet or cross-zone connectivity is needed

GCP Native Diagram

Firewall Appliance Solution

With the firewall in the cloud, our GCP networking gets more complex, but we are no longer dependent on the on-premises connection. For this we need to add four more VPCs and remove the sst. We create a service project that will host the firewall VM. The VM has one NIC in each VPC except Connection Hub; that VPC is instead peered to Hybrid and Management.

  • DMZ - The NIC in this VPC has an external IPv4 address and acts as the NAT
  • Prod / Non-Prod - The two internal zones
  • Management - It's good practice to use a separate NIC for management of the firewall
  • Hybrid - This is for our on-premises connections
  • Connection Hub - This VPC functions like the sst in the GCP native solution

Each VPC except DMZ and Connection Hub has its default route set to the corresponding NIC of the firewall. We keep Private Google Access enabled in all the VPCs to minimize traffic through the VM.

Firewall Appliance Diagram

To keep this blog post simple, some important topics have been skipped.

  • It's possible to exfiltrate data via a GCP service such as Cloud Storage; this can be tightened by using VPC Service Controls
  • Multiple firewall VMs should be used; these can be placed behind an internal load balancer that is set up as the gateway in the VPC routing
  • Cloud NAT can be used if egress to the internet may be unfiltered
    • If Cloud NAT is used, the default gateway will be the internet gateway. This means that public IP addresses can be added to VMs. Use an organization policy to prevent public IPs on VMs
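
As an added example (not code from the original post) covering two points above, the default-route requirement of the appliance design and the public-IP concern raised with Cloud NAT, this Python script audits exported route and instance records offline; the project, network and instance names it uses are assumptions.

```python
"""Offline audit of the firewall-appliance design: every VPC except DMZ and
Connection Hub must send 0.0.0.0/0 to the firewall VM, and no VM other than
the firewall may carry an external IP. Records follow the JSON shape of
`gcloud compute routes/instances list --format=json`; sample data is constructed."""

FIREWALLED_VPCS = {"prod", "nonprod", "management", "hybrid"}
FIREWALL_VM = "fw-appliance-1"  # hypothetical appliance instance name
P = "https://www.googleapis.com/compute/v1/projects/example-host"  # hypothetical
_tail = lambda url: url.rsplit("/", 1)[-1]  # network/instance name from a resource URL

def audit_default_routes(routes, fw_vm=FIREWALL_VM, vpcs=FIREWALLED_VPCS):
    """Return VPCs in `vpcs` whose winning 0.0.0.0/0 route is not the firewall NIC.
    For equal prefixes GCP picks the lowest priority number, so the appliance
    route must beat the implicit priority-1000 default-internet-gateway route."""
    winner = {}
    for r in routes:
        if r["destRange"] != "0.0.0.0/0":
            continue
        vpc = _tail(r["network"])
        if vpc not in winner or r["priority"] < winner[vpc]["priority"]:
            winner[vpc] = r
    return sorted(v for v in vpcs if v not in winner
                  or _tail(winner[v].get("nextHopInstance", "")) != fw_vm)

def vms_with_external_ip(instances, fw_vm=FIREWALL_VM):
    """Return non-firewall VMs with an accessConfig (external IP) on any NIC."""
    return sorted(i["name"] for i in instances if i["name"] != fw_vm
                  and any(nic.get("accessConfigs") for nic in i["networkInterfaces"]))

# Constructed sample: nonprod never got its firewall route and app-nonprod-1 has a public IP.
ROUTES = [
    {"network": f"{P}/global/networks/{n}", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": f"{P}/global/gateways/default-internet-gateway"}
    for n in ("prod", "nonprod", "management", "hybrid", "dmz")
] + [
    {"network": f"{P}/global/networks/{n}", "destRange": "0.0.0.0/0", "priority": 100,
     "nextHopInstance": f"{P}/zones/europe-north1-a/instances/{FIREWALL_VM}"}
    for n in ("prod", "management", "hybrid")
]
INSTANCES = [
    {"name": FIREWALL_VM, "networkInterfaces": [
        {"network": f"{P}/global/networks/dmz", "accessConfigs": [{"natIP": "203.0.113.10"}]},
        {"network": f"{P}/global/networks/prod"}]},
    {"name": "app-prod-1", "networkInterfaces": [{"network": f"{P}/global/networks/prod"}]},
    {"name": "app-nonprod-1", "networkInterfaces": [
        {"network": f"{P}/global/networks/nonprod", "accessConfigs": [{"natIP": "203.0.113.20"}]}]},
]
```

On the sample data, `audit_default_routes(ROUTES)` returns `['nonprod']` and `vms_with_external_ip(INSTANCES)` returns `['app-nonprod-1']`; feed it the real `gcloud ... --format=json` output to audit a live project.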

Martin Kåberg, Principal R&D Architect
