GCP NCC, NGFW, Policy Based Routing, Hierarchical Firewall Policies and Armor integration #173
Description
20260323 Impl
20260317 Current Diagram
Links
- https://docs.cloud.google.com/vpc/docs/policy-based-routes#:~:text=Policy%2Dbased%20routes%20let%20you,the%20path%20of%20network%20traffic.
- https://docs.cloud.google.com/firewall/docs/firewall-policies
- https://docs.cloud.google.com/firewall/docs/about-firewalls
- https://docs.cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/overview
- Configure NGFW firewall endpoints gcp-infrastructure-as-code#18
- GCP Archetype - NCC, NGFW and Armor GoogleCloudZone/gcp-landing-zone#5
- see GCP NCC, NGFW, Policy Based Routing, Hierarchical Firewall Policies and Armor integration #173
- see 2023 older Investigate NCC Network Connectivity Center as hub/spoke VPC sharing option beyond VPC Peering GoogleCloudPlatform/pubsec-declarative-toolkit#420
Previous Work
- NCC Investigate NCC Network Connectivity Center as hub/spoke VPC sharing option beyond VPC Peering GoogleCloudPlatform/pubsec-declarative-toolkit#420
- NCC throughput to Doha Qatar - Prototype Site-to-Site Data Transfer (via NCC or VMs) via Dual Dedicated Interconnect with POP on/off-ramp for sustained 10gbps+ throughput at the lowest latency within CA and CA to EU GoogleCloudPlatform/pubsec-declarative-toolkit#756
- NGFW Architecture Update: prepare for Google Firewall Plus / NGFW GoogleCloudPlatform/pubsec-declarative-toolkit#616
- NGFW FR: Add Cloud NGFW Essential capability with optional Standard or Enterprise based IPS in the TEF 3-networks-hub-and-spoke folder and associated terraform-google-modules GoogleCloudPlatform/pbmm-on-gcp-onboarding#396
- serverless endpoint - Use Case: POC Serverless Canary Application (frontend/backend/persistence) as a Profile 3 LZ workload with PSC, PSA and VPC-SC GoogleCloudPlatform/pubsec-declarative-toolkit#418
- SCED partner interconnect validation - slide 39 https://docs.google.com/presentation/d/1Ztqn7G2rWFlssVwC7r5Xl-WFSFCbVo6MoHJffrXScmw/edit?slide=id.g220aed46817_0_972#slide=id.g220aed46817_0_972
- DNS peering/forwarding - Interconnect: Add private DNS zones with domain forwarding/peering to enable Private Google Access or Private Service Connect workload calls from on-prem - using AWS VPN for Interconnect simulation GoogleCloudPlatform/pubsec-declarative-toolkit#468
Requirements
R1 - Split PB Medium from PB High
R2 - Blast Radius environments in prod - split high attack apps out from the rest in PB High
R4 - NCC Hub split - 1 or more hub-spoke sets per env? check mesh vs star topology req.
R5 - DNS forwarding/peering from SC2G - GoogleCloudPlatform/pubsec-declarative-toolkit#468
R6 - Use Shared VPC for NCC spokes of main prod/nprod... host projects - https://docs.cloud.google.com/vpc/docs/provisioning-shared-vpc
R7 - Gateway API per tenant - with provisioned L4 LB
R8 - GKE pod to pod encryption via mTLS - envoy
R9 - SCTP in use https://docs.cloud.google.com/kubernetes-engine/docs/how-to/deploy-workloads-with-sctp
Constraints
C1 - NGFW bandwidth: are we ok with 2-10 Gbps throughput through the NGFW? Adding the NGFW to NCC will reduce the full VM-to-VM bandwidth across spokes (in mesh topology) compared with NCC only
C2 - NCC bandwidth
C3 - Peering limits - the 250 peering limit on NCC is up from the non-NCC limit of 25
C4 - go over lack of static route forwarding - but we have normal BGP dynamic route forwarding in NCC
C5 - NGFW does not do TLS inspection intranode for pods with the same affinity to a GKE node - https://docs.cloud.google.com/firewall/docs/about-firewalls#firewall-plus
use GKE Dataplane V2 - eBPF cilium - https://docs.cloud.google.com/kubernetes-engine/docs/concepts/dataplane-v2
Infrastructure as Code
NCC
- https://docs.cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/overview
- NCC (not in TEF) - see floating svpc transitivity - https://github.com/terraform-google-modules/terraform-example-foundation/blob/main/3-networks-hub-and-spoke/modules/transitivity/main.tf
- https://github.com/terraform-google-modules/terraform-google-network/tree/main/modules/network-connectivity-center
- https://github.com/terraform-google-modules/terraform-google-network/tree/main/examples/network_connectivity_center
- above uses https://registry.terraform.io/modules/terraform-google-modules/network/google/latest/submodules/network-connectivity-center
Review
- https://docs.cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility
- https://docs.cloud.google.com/kubernetes-engine/docs/how-to/prepare-environment-multi-cluster-gateways
- https://docs.cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/connectivity-topologies
- https://docs.cloud.google.com/firewall/docs/about-firewalls
- https://docs.cloud.google.com/kubernetes-engine/docs/concepts/gateway-api
- https://docs.cloud.google.com/kubernetes-engine/docs/how-to/configure-gateway-resources
- https://docs.cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-gateways
- https://docs.cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration
- https://docs.cloud.google.com/armor/docs/security-policy-overview
- https://en.wikipedia.org/wiki/Stream_Control_Transmission_Protocol
Design Issues
DI10: Can NGFW be part of NCC as a spoke
DI11: NCC Preset Topologies
- switch to star topology (simpler routing for GKE) from default mesh - https://docs.cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/connectivity-topologies
- preview Hybrid Inspection - via NCC Gateway - for prod/nprod/.. https://docs.cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/ncc-gateway-overview
- mesh = spoke connectivity
- star = no spoke connectivity
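An added Terraform sketch of the star topology DI11 proposes, with the environment Shared VPC host networks from R6 attached as edge spokes; this is example code, not the issue's or the linked terraform-google-modules' own. Resource and attribute names follow the google provider's google_network_connectivity_hub and google_network_connectivity_spoke resources; all project IDs and network names are placeholders.

```hcl
# Added example (not from the issue or the linked modules): one NCC hub in the
# STAR preset topology. The hub-side Shared VPC is the single "center" spoke;
# the prod and nprod Shared VPC host networks are "edge" spokes, so each edge
# reaches the center but edges do not reach each other (MESH would give full
# spoke-to-spoke reachability). Project IDs and network names are placeholders.

locals {
  hub_project = "PLACEHOLDER-hub-host-project"
  # Environment Shared VPC host projects (R6); placeholder values.
  edge_vpcs = {
    prod  = { project = "PLACEHOLDER-prod-host-project", network = "prod-svpc" }
    nprod = { project = "PLACEHOLDER-nprod-host-project", network = "nprod-svpc" }
  }
}

resource "google_network_connectivity_hub" "star" {
  project         = local.hub_project
  name            = "lz-star-hub"
  preset_topology = "STAR" # default is MESH, which routes every spoke to every other spoke
}

# Center spoke: the hub Shared VPC that hosts shared services (DNS, the NGFW path).
resource "google_network_connectivity_spoke" "center" {
  project  = local.hub_project
  name     = "hub-svpc-center"
  location = "global"
  hub      = google_network_connectivity_hub.star.id
  group    = "${google_network_connectivity_hub.star.id}/groups/center"
  linked_vpc_network {
    uri = "projects/${local.hub_project}/global/networks/hub-svpc"
  }
}

# Edge spokes: one per environment Shared VPC host project. A VPC spoke is
# created in the network's own project; cross-project spokes must then be
# accepted by the hub admin (manually or via the group's auto-accept setting).
resource "google_network_connectivity_spoke" "edge" {
  for_each = local.edge_vpcs
  project  = each.value.project
  name     = "${each.key}-svpc-edge"
  location = "global"
  hub      = google_network_connectivity_hub.star.id
  group    = "${google_network_connectivity_hub.star.id}/groups/edge"
  linked_vpc_network {
    uri = "projects/${each.value.project}/global/networks/${each.value.network}"
  }
}
```

Blocking edge-to-edge traffic at the topology level is a routing property; the hierarchical firewall policies and NGFW inspection the issue discusses still apply on top of it.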
DI12: Gateway API TLS passthrough - prototype https://gateway-api.sigs.k8s.io/guides/tls/#clientserver-and-tls