When designing your network in GCP, you need to decide whether to go fully GCP native or to use a virtual network appliance to manage your VPCs. GCP's native firewall rules only work at layer 4, and we need all traffic between our zones to pass through our firewall for IPS/IDS inspection. There are two ways to do this:
The first option keeps the firewall on premises. We set up three VPCs in the host project: prod, shared services (sst) and non-prod, and we peer prod and non-prod to sst. In the sst network we create a VPN connection to our on-premises site, where the firewall is. Since VPC peering is not transitive in GCP, prod and non-prod cannot reach each other. We set the default route to go via on-premises; from there traffic can be routed back to GCP or out to the internet. To limit the traffic going through the VPN we enable Private Google Access in the VPCs.
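The first design expressed in Terraform with the Google provider, as an added example that is not code from the original post or from Nordcloud. The variable names (host_project, region), the CIDRs and the VPN tunnel resource google_compute_vpn_tunnel.to_onprem are assumptions; the tunnel, gateway and forwarding rules themselves are left out. The peering is created in both directions with custom-route exchange so that the spokes learn sst's default route through the tunnel.

```hcl
# Added example: option 1, firewall on premises. Assumes variables
# host_project and region and an existing google_compute_vpn_tunnel.to_onprem
# in the sst VPC (hypothetical names, not from the post).
locals {
  vpcs = {
    prod    = "10.10.0.0/20"   # constructed sample ranges
    sst     = "10.20.0.0/20"
    nonprod = "10.30.0.0/20"
  }
  spokes = ["prod", "nonprod"]
}

resource "google_compute_network" "vpc" {
  for_each                        = local.vpcs
  project                         = var.host_project
  name                            = "${each.key}-vpc"
  auto_create_subnetworks         = false
  # Drop the implicit 0.0.0.0/0 route to the internet gateway, so the only
  # default route is the one exported from sst that points at the VPN.
  delete_default_routes_on_create = true
}

resource "google_compute_subnetwork" "subnet" {
  for_each                 = local.vpcs
  project                  = var.host_project
  region                   = var.region
  name                     = "${each.key}-subnet"
  network                  = google_compute_network.vpc[each.key].id
  ip_cidr_range            = each.value
  # Private Google Access: Google APIs are reached directly instead of
  # hairpinning through the VPN to on-prem.
  private_ip_google_access = true
}

# Peer prod and nonprod to sst only. Peering is not transitive, so prod and
# nonprod have no path to each other through sst.
resource "google_compute_network_peering" "spoke_to_sst" {
  for_each             = toset(local.spokes)
  name                 = "${each.key}-to-sst"
  network              = google_compute_network.vpc[each.key].self_link
  peer_network         = google_compute_network.vpc["sst"].self_link
  import_custom_routes = true # learn the default route from sst
}

resource "google_compute_network_peering" "sst_to_spoke" {
  for_each             = toset(local.spokes)
  name                 = "sst-to-${each.key}"
  network              = google_compute_network.vpc["sst"].self_link
  peer_network         = google_compute_network.vpc[each.key].self_link
  export_custom_routes = true # publish sst's static routes to the spokes
}

# Default route in sst: anything not local goes to the on-prem firewall.
resource "google_compute_route" "sst_default_via_vpn" {
  project             = var.host_project
  name                = "sst-default-via-vpn"
  network             = google_compute_network.vpc["sst"].name
  dest_range          = "0.0.0.0/0"
  priority            = 1000
  next_hop_vpn_tunnel = google_compute_vpn_tunnel.to_onprem.id
}
```

Two things to check after apply: the tunnel's traffic selectors and the on-prem side's routing must cover the prod and non-prod ranges, otherwise return traffic for the spokes never enters the tunnel; and a VM in prod should be able to reach Google APIs with Private Google Access while any other destination shows up on the on-prem firewall.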
The second option puts the firewall in the cloud. Our GCP networking gets more complex, but we no longer depend on the on-premises connection. For this we add four more VPCs and remove sst. We create a service project that hosts the firewall VM. The VM has one NIC in each VPC except Connection Hub; that VPC is instead peered to hybrid and management.
Each VPC except DMZ and Connection Hub has its default route set to the corresponding NIC of the firewall. We keep Private Google Access in all the VPCs to minimise traffic through the VM.
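The second design in Terraform, again an added example rather than code from the post or from Nordcloud. It assumes the host project's subnets already exist (read through data sources), and the variable names (host_project, service_project, region, zone, firewall_image), the VM name and the machine type are assumptions. The peering of Connection Hub to hybrid and management is not shown; the point here is the multi-NIC firewall VM and the per-VPC default routes that steer traffic into it.

```hcl
# Added example: option 2, firewall VM in a service project with one NIC in
# every VPC except Connection Hub. Names and variables are hypothetical.
locals {
  # VPCs that get a firewall NIC (all except Connection Hub)
  nic_vpcs = ["prod", "nonprod", "dmz", "hybrid", "management"]
  # VPCs whose default route points at the firewall (all except DMZ and
  # Connection Hub)
  routed_vpcs = ["prod", "nonprod", "hybrid", "management"]
}

# Subnets live in the host project (Shared VPC); assumed naming scheme.
data "google_compute_subnetwork" "subnet" {
  for_each = toset(local.nic_vpcs)
  project  = var.host_project
  region   = var.region
  name     = "${each.key}-subnet"
}

resource "google_compute_instance" "firewall" {
  project = var.service_project
  zone    = var.zone
  name    = "fw-01"
  # A VM can have at most as many NICs as vCPUs (and never more than 8):
  # five NICs need a machine type with at least five vCPUs.
  machine_type = "n2-standard-8"
  # Without IP forwarding GCE drops packets whose destination is not the
  # VM itself, so a next-hop appliance never works without this.
  can_ip_forward = true

  boot_disk {
    initialize_params {
      image = var.firewall_image # vendor appliance image, assumed
    }
  }

  # One NIC per VPC; NIC order follows local.nic_vpcs.
  dynamic "network_interface" {
    for_each = local.nic_vpcs
    content {
      subnetwork         = data.google_compute_subnetwork.subnet[network_interface.value].self_link
      subnetwork_project = var.host_project
    }
  }
}

# Default route per VPC: next hop is the firewall VM, which GCP resolves to
# the VM's NIC in that VPC. DMZ and Connection Hub keep their own routing.
resource "google_compute_route" "default_via_fw" {
  for_each          = toset(local.routed_vpcs)
  project           = var.host_project
  name              = "${each.key}-default-via-fw"
  network           = data.google_compute_subnetwork.subnet[each.key].network
  dest_range        = "0.0.0.0/0"
  priority          = 900 # lower value wins over the implicit internet route at 1000
  next_hop_instance = google_compute_instance.firewall.self_link
}
```

The route is created in the host project because that is where the Shared VPC networks live, while the instance is referenced by its full self_link so a VM in the service project is accepted as next hop. Because the 0.0.0.0/0 routes also catch Google API traffic, Private Google Access on each subnet is what keeps that traffic off the appliance, and the firewall VM itself is a single point of failure and a throughput bottleneck that the design has to size for.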
To keep this blog post simple, some important topics have been skipped.
Learn more at: nordcloud.com/multi-cloud/google-cloud-platform/