Google Cloud Hybrid Connectivity

From Luis Gallego Hurtado - Not Another IT guy
Jump to: navigation, search

GCP-VPC-Hybrid-connectivity-decision-tree 850x767.png

Google Cloud VPN

Google Cloud Virtual Private Network (VPN) is a IP Sec tunnel that allows you to connect your VPC network to your physical, on-premises network or another cloud provider using a secure Virtual Private Network.

  • Useful when bandwith and overhead of IPSec encryption is not a problem.
  • It is possible to add static routes, or use Cloud Router, which runs as a GCP Daemon and exchanges routes with the on-premises network in a dynamic way.
  • You can create a BGP (Border Gateway Protocol) link from the Cloud Router in your VPC to the Cloud Router in another VPC by providing the Google ASN (Autonomous System Number) from external router.
  • It supports Google Cloud Router.
  • It supports secured traffic exchange. Traffic is encrypted by default by VPN Gateway.
  • 1,5-3 Gbps per tunnel. You can use ECMP (equal-cost multi-path) over multiple VPN tunnels to increase the throughput.
  • 99.9% Service availability SLA.

Google Cloud VPN with static routes

  • Public IP in both peers.
  • It can be either global or regional.
  • 3 Gbps.
  • Horizontal scaling with multiple tunnels.

Google Cloud VPN with Google Cloud Router

  • One router per region
  • Peers with BGP (Border Gateway Protocol) on premises, thanks to ASN (Autonomous System Number).
  • All local IPs are linked to BGP.
  • All subnets in the region are advertised.

Google Gloud Interconnect

It allows you to connect your VPC network to your on-premises network using a high speed physical connection (peering with Google), i.e. a direct pipe from GCP to a private datacenter.

You can either use a Dedicated Private Interconnect, or a Dedicated Partner Interconnect, using a carrier's infrastructure, in case you don't meet Google requirements.

Dedicate Private Interconnect gives you a pipe of you 10GBps or more. If you don't need it, consider using Google Cloud VPN instead. * Low latency.

  • Highly available. It has SLAs.
  • It supports RFC 1918 (address allocation for private networks).
  • No public or external IP address are supported since they are not needed for connecting.
  • Routes are learned by Google Cloud Routers in your project and applied as custom dynamic routes.
  • Data is not encrypted. If needed, you can use application level encryption or your own VPN.
  • It has maintenance costs.
  • It is a layer 2 connection.
  • 10-80 Gbps per interconnect.

VPC Network Peering

VPC Network Peering allow you to connect one VPC network to one or many other networks.

VPC Network Peering gives you access to public or external IP addresses. You can either use a Direct Peering for peering, or a Carrier/Partner Peering, with an ISP, in case you don't meet Google requirements.

Direct peering has very low egress fees.

  • Useful for connecting different organizations.
  • No SLAs.
  • It does not exchange network information.
  • It makes Google Services and G Suite available privately across different networks.
  • The networks can be in the same GCP project, different projects, or projects in different organizations. One network can be out of GCP.
  • Reduced Internet egress fees to your on-premises network from your GCP resources in same continental location.
  • With VPC Network Peering, all communication happens using private, IP addresses. Subject to firewall rules.
  • It supports RFC 1918 (address allocation for private networks), when used with VPN.
  • It relies on preprogrammed routes for VM to VM communication. Routes do not appear in any VPC network.
  • It is not transitive.
  • Security policies remain independent and can limit communication ability between VPCs.
  • 15,500 total VMs across all peering VPCs.
  • A network can have up to 25 directly peered networks in total.
  • No setup or maintenance costs.
  • It is a layer 3 connection.

In order to enable peering between 2 VPCs, you need to create 2 VPC peering connections for each directional communication, and do not have any overlapping withing IP ranges.

On creating the VPC peering connection, you can import and export the custom routes of your VPC, and you can also import and export subnet routes with public IPs.

Shared VPC

You can share a VPC network from one project (called a host project) to other projects (called service projects) in your GCP organization.

  • Useful for connecting resources across different projects within same organization.
  • You can grant access to entire Shared VPC networks or selected subnets.
  • It relies on Google Suite, since the account used for creating the Shared VPC must be the same owning the organization in Google Suite.

Quotas and limits

  • Up to 100 service projects per host project.
  • Up to 100 shared VPC host projects.
  • A service project can be attached only to 1 host project.

Google Cloud Router

Google Cloud Router enables dynamic route updates between your Compute Engine VPN and your non-Google network. Cloud Router eliminates the need to configure static routes.

It is a fully distributed and managed Google Cloud service. It scales with your network traffic, as it is not a physical device, that might cause a bottleneck.

  • You need one router per region.
  • It peers with your on-premises VPN gateway or router.
  • It dynamically discovers routes.
  • It dynamically exchange topology information of all subnets of the region through BGP (Border Gateway Protocol), linking all local IPs.
  • It supports graceful restart.
  • It supports ECMP (equal-cost multi-path) routing.
  • It has primary/backup tunnels for failover.
  • It works with a private ASN (Autonomous System Number) on GCP and either private or public ASN on-premises.
  • On creating the router, you assigne a Google ASN (Autonomous System Number) that can be used to create a VPN from another VPC to such router.