Google Cloud Hybrid Connectivity

From Luis Gallego Hurtado - Not Another IT guy


[Figure: GCP VPC hybrid connectivity decision tree]

Google Cloud VPN

It allows you to connect your VPC network to your physical, on-premises network or another cloud provider using a secure Virtual Private Network.

  • Use it when the bandwidth limits and the overhead of IPsec encryption are acceptable.
  • You can either add static routes or use Cloud Router, which runs as a managed GCP service and exchanges routes with the on-premises network dynamically.
  • 99.9% Service availability SLA.
  • It supports Google Cloud Router.
  • It supports secured traffic exchange.

Google Cloud Interconnect

It allows you to connect your VPC network to your on-premises network using a high speed physical connection (peering with Google), i.e. a direct pipe from GCP to a private datacenter.

You can either use a Dedicated Private Interconnect, or a Dedicated Partner Interconnect that goes through a carrier's infrastructure, in case you don't meet Google's requirements for a direct connection.

Dedicated Private Interconnect gives you a pipe of 10 Gbps or more. If you don't need that much bandwidth, consider using Google Cloud VPN instead.

  • Low latency.
  • Highly available. It has SLAs.
  • It supports RFC 1918 (address allocation for private networks).
  • No public or external IP addresses are supported, since they are not needed for the connection.
  • Routes are learned by Google Cloud Routers in your project and applied as custom dynamic routes.
  • Data is not encrypted. If needed, you can use application-level encryption or your own VPN over the link.
  • It has maintenance costs.

VPC Network Peering

VPC Network Peering allows you to connect one VPC network to one or many other networks.

You can either use Direct Peering, which supports public or external IP addresses, or Carrier/Partner Peering through an ISP's infrastructure, which also supports public or external IP addresses, in case you don't meet Google's requirements for direct peering. Direct Peering has very low egress fees.

  • Useful for connecting different organizations.
  • It makes Google Services and G Suite available privately across different networks.
  • The networks can be in the same GCP project, different projects, or projects in different organizations. One network can be out of GCP.
  • With VPC Network Peering, all communication happens over private IP addresses and is subject to firewall rules.
  • It supports RFC 1918 (address allocation for private networks), with VPN.
  • It relies on preprogrammed routes for VM-to-VM communication; these routes do not appear in any VPC network.
  • It is not transitive.
  • Security policies remain independent and can limit communication ability between VPCs.
  • Up to 15,500 total VMs across all peered VPCs.
  • A network can have up to 25 directly peered networks in total.
  • No setup or maintenance costs.

To enable peering between two VPCs, you need to create two VPC peering connections, one in each direction, and the IP ranges of the two networks must not overlap.

When creating the VPC peering connection, you can import and export the custom routes of your VPC, and you can also import and export subnet routes with public IPs.
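As an added example (not from this wiki page or from Google's own tooling), the following Python checks that the two VPCs' subnet ranges do not overlap and then builds the two gcloud peering commands, one per direction, carrying the custom-route and public-IP subnet-route flags described above. The network names, project IDs and subnet ranges are constructed placeholders.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample subnet ranges; network and project names are placeholders.
VPC_A_SUBNETS = ["10.10.0.0/20", "10.20.0.0/24"]
VPC_B_SUBNETS = ["10.30.0.0/20", "192.168.8.0/22"]
VPC_C_SUBNETS = ["10.10.8.0/22"]  # clashes with VPC_A's first range

def overlapping_ranges(a_cidrs: List[str], b_cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return every (range in A, range in B) pair whose addresses overlap.
    Peering requires disjoint subnet ranges, so this must be empty first."""
    a = [ipaddress.ip_network(c, strict=True) for c in a_cidrs]
    b = [ipaddress.ip_network(c, strict=True) for c in b_cidrs]
    return [(str(x), str(y)) for x in a for y in b if x.overlaps(y)]

def peering_commands(net_a: str, proj_a: str, net_b: str, proj_b: str,
                     custom_routes: bool = True,
                     public_subnet_routes: bool = False) -> List[str]:
    """Build the two gcloud commands, one per direction, that create the peering.
    Route import/export is configured on each side, so the flags go on both."""
    flags: List[str] = []
    if custom_routes:
        flags += ["--export-custom-routes", "--import-custom-routes"]
    if public_subnet_routes:
        flags += ["--export-subnet-routes-with-public-ip",
                  "--import-subnet-routes-with-public-ip"]

    def one_side(name: str, net: str, proj: str, peer: str, peer_proj: str) -> str:
        parts = ["gcloud compute networks peerings create", name,
                 f"--network={net}", f"--project={proj}",
                 f"--peer-network={peer}", f"--peer-project={peer_proj}"]
        return " ".join(parts + flags)

    return [one_side(f"{net_a}-to-{net_b}", net_a, proj_a, net_b, proj_b),
            one_side(f"{net_b}-to-{net_a}", net_b, proj_b, net_a, proj_a)]

def plan_peering(net_a: str, proj_a: str, a_cidrs: List[str],
                 net_b: str, proj_b: str, b_cidrs: List[str], **opts) -> List[str]:
    """Refuse to emit commands when ranges overlap; otherwise return both commands."""
    clashes = overlapping_ranges(a_cidrs, b_cidrs)
    if clashes:
        raise ValueError(f"subnet ranges overlap, peering would fail: {clashes}")
    return peering_commands(net_a, proj_a, net_b, proj_b, **opts)

if __name__ == "__main__":
    for cmd in plan_peering("prod-vpc", "proj-a", VPC_A_SUBNETS,
                            "shared-svc", "proj-b", VPC_B_SUBNETS):
        print(cmd)
```

Running the block prints the two commands; swapping VPC_B_SUBNETS for VPC_C_SUBNETS raises before anything is emitted.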

Shared VPC

You can share a VPC network from one project (called a host project) to other projects (called service projects) in your GCP organization.

  • Useful for connecting resources across different projects within same organization.
  • You can grant access to entire Shared VPC networks or selected subnets.
  • It relies on G Suite, since the account used for creating the Shared VPC must be the one that owns the organization in G Suite.

Quotas and limits

  • Up to 100 service projects per host project.
  • Up to 100 Shared VPC host projects.
  • A service project can be attached only to 1 host project.

Google Cloud Router

Google Cloud Router enables dynamic route updates between your Compute Engine VPN and your non-Google network. Cloud Router eliminates the need to configure static routes.

It is a fully distributed, managed Google Cloud service. It scales with your network traffic, since it is not a physical device that could become a bottleneck.

  • You need one router per region.
  • It peers with your on-premises VPN gateway or router.
  • It dynamically discovers routes.
  • It dynamically exchanges topology information about all subnets in the region through BGP (Border Gateway Protocol), linking all local IPs.
  • It supports graceful restart.
  • It supports ECMP (equal-cost multi-path) routing.
  • It supports primary/backup tunnels for failover.
  • It works with a private ASN (Autonomous System Number) on GCP and either private or public ASN on-premises.