Cross-Cloud Network for distributed applications

Last reviewed 2024-04-05 UTC

Cross-Cloud Network enables an architecture for the assembly of distributed applications. It lets you distribute workloads and services across multiple cloud and on-premises networks, giving application developers and operators the experience of a single cloud across multiple clouds. The solution builds on and expands the established uses of hybrid and multicloud networking.

This guide is intended for network architects and engineers who want to design and build distributed applications on Cross-Cloud Network. This guide provides you with a comprehensive understanding of Cross-Cloud Network design considerations.

This design guide is a series of documents.

The architecture supports regional and global application stacks, and it's organized in the following functional layers:

  • Network segmentation and connectivity: involves the Virtual Private Cloud (VPC) segmentation structure and IP connectivity across VPCs and to external networks.
  • Service networking: involves the deployment of application services, which are load balanced and made available across projects and organizations.
  • Network security: enables the enforcement of security for intra-cloud and inter-cloud communications, using both built-in cloud security and network virtual appliances (NVAs).

Network segmentation and connectivity

Segmentation structure and connectivity is the foundation of the design. The following diagram shows a VPC segmentation structure, which you can implement by using either a consolidated or segmented infrastructure. This diagram doesn't show the connections between the networks.

[Diagram: VPC segmentation structure for Cross-Cloud Network design]

This structure includes the following components:

  • Transit VPC: Handles external network connections and routing policies. This VPC also serves as a shared connectivity hub for other VPCs.
  • Central services VPC: Contains services that your organization creates and hosts itself. The services are provided to application VPCs through a hub. Though not required, we recommend that this be a Shared VPC.
  • Managed services VPC: Contains the services provided by other entities. The services are made accessible to applications running in VPC networks by using Private Service Connect or private services access.

Your choice of segmentation structure for the application VPCs depends on the scale of application VPCs required, whether you plan to deploy perimeter firewalls in Cross-Cloud Network or externally, and the choice of central or distributed service publication.

Cross-Cloud Network supports the deployment of regional application stacks and global application stacks. Both of these application resiliency archetypes are supported by the proposed segmentation structure with the inter-VPC connectivity pattern.

You can achieve inter-VPC connectivity between segments by using a combination of VPC Network Peering and HA-VPN hub-and-spoke patterns. Alternatively, you can use Network Connectivity Center to include all VPCs as spokes in a Network Connectivity Center hub.

The design of the DNS infrastructure is also defined in the context of the segmentation structure, independent of the connectivity pattern.

Service networking

Different application deployment archetypes lead to different patterns for service networking. For Cross-Cloud Network design, focus on the multi-regional deployment archetype, in which an application stack runs independently in multiple zones across two or more Google Cloud regions.

A multi-regional deployment archetype has the following features that are useful for Cross-Cloud Network design:

  • You can use DNS routing policies to route incoming traffic to the regional load balancers.
  • The regional load balancers can then distribute the traffic to the application stack.
  • You can implement regional failover by re-anchoring the DNS mappings of the application stack with a DNS failover routing policy.

An alternative to the multi-regional deployment archetype would be the global deployment archetype, in which a single stack is built on global load balancers and spans multiple regions. Consider the following features of this archetype when working with Cross-Cloud Network design:

  • The load balancers distribute traffic to the region that's nearest to the user.
  • The internet-facing frontends are global, but the internal-facing frontends are regional with global access, so you can reach them in failover scenarios.
  • You can use geolocation DNS routing policies and DNS health checks on the internal service layers of the application stack.

How you provide access to managed published services depends on the service that needs to be reached. The different private reachability models are modularized and orthogonal to the design of the application stack.

Depending on the service, you can use Private Service Connect or private services access for private access. You can build an application stack by combining built-in services and services published by other organizations. The service stacks can be regional or global to meet your required level of resiliency and optimized access latency.

Network security

For workload security, we recommend that you use firewall policies from Google Cloud.

If your organization requires additional advanced capabilities to meet security or compliance requirements, you can incorporate perimeter security firewalls by inserting Next-Generation Firewall (NGFW) Network Virtual Appliances (NVAs).

You can insert NGFW NVAs in a single network interface (single-NIC mode) or over multiple network interfaces (multi-NIC mode). The NGFW NVAs can support security zones or Classless Inter-Domain Routing (CIDR)-based perimeter policies. Cross-Cloud Network deploys perimeter NGFW NVAs by using a transit VPC and VPC routing policies.
