At 66degrees, security is always top of mind for our clients and us when we architect Google Cloud solutions. Starting with Google’s extensive list of security best practices, we bake security into every aspect of our designs.
One of the most important security controls we offer our clients is a private network. Like other cloud providers, Google Cloud defaults to having almost all of the servers and services exposed to the internet, either in the form of public IP addresses or publicly accessible APIs. This creates a significant challenge when trying to restrict access to and from these services, and ensure services have the minimum amount of permissions required, including permissions to network resources.
In part one of our private networking series, I’ll walk through how to design private networks on Google Cloud, starting with:
- Organizational Policies
- Shared VPCs
- Cloud NAT
- Private Google Access
- Traffic management
Organizational Policies
The first step to creating a private network starts with an organizational policy.
You need to prevent Compute Engine VMs from having an external IP address. To do this, you enforce the constraints/compute.vmExternalIpAccess on your entire organization or on specific projects. Every organization’s security needs are different, so you’ll need to understand yours before deciding the best way to apply this organizational policy.
Once you have limited the ability for virtual machines to acquire public IP addresses, it’s time to design how internal networking will look.
Shared VPCs
We typically encourage our clients to use a Google Cloud Shared VPC architecture for their projects:
Image Credits: Google Cloud
A Shared VPC architecture focuses on centralizing control of networking into one project, commonly referred to as the “Shared VPC Host Project.” From here, you can centrally manage subnets, firewall rules, and routes. You can also delegate access to these resources to other projects, commonly referred to as “Service Projects.”
Google provides a deep dive on setting up a Shared VPC here.
With your Shared VPC architecture set up, you’ll now need a way for your virtual machines to access resources on the internet.
Cloud NAT
Without a public IP address, your Compute Engine VMs will be unable to reach resources on the internet. To fix this, you’ll need to set up Cloud NAT.
Cloud NAT allows Compute Engine VMs to access resources on the internet by providing them a static block of external IP addresses to use for external connectivity. You’ll need a Cloud Router in which to attach the Cloud NAT instance. (See this guide for more information.)
An added benefit of using Cloud NAT is ensuring the external traffic of your instances comes from a static, predictable block of IP addresses. A lot of our clients leverage vendors that limit their services by IP address, and Cloud NAT easily meets this requirement.
Cloud NAT will help with accessing resources on the internet, but what about services on Google Cloud?
Private Google Access
Without internet access, your Compute Engine VMs will not be able to access Google Cloud services like Google Cloud Storage or Secrets Manager directly. Instead, you’ll need to set up Private Google Access.
Private Google Access is enabled on each subnet in your VPC and allows instances to connect to Google Cloud services and APIs through private networking. The process to set this up has multiple steps and requires some architecture considerations for your use cases. See this guide for details.
You now have access to internet resources and Google Cloud services. All that’s left is to tighten up your firewall rules and figure out how external clients can access your services.
Traffic Management
Your private network is now isolated from the internet, but you have two problems left to solve: restricting outbound traffic and allowing inbound traffic from clients on the internet.
Firewall rules can be used to restrict outbound traffic to the internet. By default, all egress traffic is allowed on Google Cloud. To change this, create a firewall rule to deny outbound traffic and allow only specific traffic to the resources on your VPC and the internet your services need access to. We recommend using service accounts wherever possible in your firewall policies, as they allow administrators to delegate firewall policy usage without needing to give users the ability to self-manage firewall policies. You can also leverage hierarchical firewall policies to allow self-management of firewall policies.
To allow clients on the internet to access your private network services, use Google Cloud Load Balancing. Your private Compute Engine VMs can be used as backend services, allowing clients on the internet to access them securely. Review the list of load balancers available and choose the one most suitable for your workloads.
Get a Secure Start on Google Cloud
Private networks are just one of many security controls you can use to get a secure start on the cloud. Talk to 66degrees’ cloud experts about elevating your Google Cloud security posture with expert guidance, configuration, and support.
