This document in the Google Cloud Architecture Framework provides best practices for securing your network.
Extending your existing network to include cloud environments has many implications for security. Your on-premises approach to multi-layered defenses likely involves a distinct perimeter between the internet and your internal network. You probably protect the perimeter by using physical firewalls, routers, intrusion detection systems, and so on. Because the boundary is clearly defined, you can easily monitor for intrusions and respond accordingly.
When you move to the cloud (either completely or in a hybrid approach), you move beyond your on-premises perimeter. This document describes ways that you can continue to secure your organization's data and workloads on Google Cloud. As mentioned in Manage risks with controls, how you set up and secure your Google Cloud network depends on your business requirements and risk appetite.
This section assumes that you have read the Networking section in the System design category, and that you've already created a basic architecture diagram of your Google Cloud network components. For an example diagram, see Hub-and-spoke.
Deploy zero trust networks
Moving to the cloud means that your network trust model must change. Because your users and your workloads are no longer behind your on-premises perimeter, you can't use perimeter protections in the same way to create a trusted, inner network. The zero trust security model means that no one is trusted by default, whether they are inside or outside of your organization's network. When verifying access requests, the zero trust security model requires you to check both the user's identity and context. Unlike a VPN, you shift access controls from the network perimeter to the users and devices.
In Google Cloud, you can use BeyondCorp Enterprise as your zero trust solution. BeyondCorp Enterprise provides threat and data protection and additional access controls. For more information about how to set it up, see Getting started with BeyondCorp Enterprise.
In addition to BeyondCorp Enterprise, Google Cloud includes Identity-Aware Proxy (IAP). IAP lets you extend zero trust security to your applications both within Google Cloud and on-premises. IAP uses access control policies to provide authentication and authorization for users who access your applications and resources.
Secure connections to your on-premises or multi-cloud environments
Many organizations have workloads both in cloud environments and on-premises. In addition, for resiliency, some organizations use multi-cloud solutions. In these scenarios, it's critical to secure your connectivity between all of your environments.
Google Cloud includes private access methods for VMs that are supported by Cloud VPN or Cloud Interconnect, including the following:
- Use Cross-Cloud Interconnect, as a managed service, to link your VPC networks to other supported cloud providers over high-speed direct connections. With Cross-Cloud Interconnect, you don't have to supply your own router or work with a third-party vendor.
- Use Dedicated Interconnect and Partner Interconnect to link your VPC networks to your on-premises data center or to other cloud providers over high-speed direct connections.
- Use IPsec VPNs to link your Virtual Private Cloud (VPC) networks to your on-premises data center or to other cloud providers.
- Use Private Service Connect endpoints to access published services that are provided by your organization or by another provider.
- Use Private Service Connect endpoints to let your VMs access Google APIs by using internal IP addresses. With Private Service Connect, your VMs don't have to have external IP addresses in order to access Google services.
- If you use GKE Enterprise, consider Anthos Service Mesh egress gateways. If you're not using GKE Enterprise, use a third-party option.
For a comparison between the products, see Choosing a Network Connectivity product.
Disable default networks
When you create a new Google Cloud project, a default Google Cloud VPC network with auto mode IP addresses and pre-populated firewall rules is automatically provisioned. For production deployments, we recommend that you delete the default networks in existing projects, and disable the creation of default networks in new projects.
Virtual Private Cloud networks let you use any internal IP address. To avoid IP address conflicts, we recommend that you first plan your network and IP address allocation across your connected deployments and across your projects. A project allows multiple VPC networks, but it's usually a best practice to limit these networks to one per project in order to enforce access control effectively.
Secure your perimeter
In Google Cloud, you can use various methods to segment and secure your cloud perimeter, including firewalls and VPC Service Controls.
Use Shared VPC to build a production deployment that gives you a single shared network and that isolates workloads into individual projects that can be managed by different teams. Shared VPC provides centralized deployment, management, and control of the network and network security resources across multiple projects. Shared VPC consists of host and service projects that perform the following functions:
- A host project contains the networking and network security-related resources, such as VPC networks, subnets, firewall rules, and hybrid connectivity.
- A service project attaches to a host project. It lets you isolate workloads and users at the project level by using Identity and Access Management (IAM), while it shares the networking resources from the centrally managed host project.
Define firewall policies and rules at the organization, folder, and VPC network level. You can configure firewall rules to permit or deny traffic to or from VM instances. For examples, see Global and regional network firewall policy examples and Hierarchical firewall policy examples. In addition to defining rules based on IP addresses, protocols, and ports, you can manage traffic and apply firewall rules based on the service account that's used by a VM instance or by using secure tags.
To control the movement of data in Google services and to set up context-based perimeter security, consider VPC Service Controls. VPC Service Controls provides an extra layer of security for Google Cloud services that's independent of IAM and firewall rules and policies. For example, VPC Service Controls lets you set up perimeters between confidential and non-confidential data so that you can apply controls that help prevent data exfiltration.
Use Google Cloud Armor security policies to allow, deny, or redirect requests to your external Application Load Balancer at the Google Cloud edge, as close as possible to the source of incoming traffic. These policies prevent unwelcome traffic from consuming resources or entering your network.
Use Secure Web Proxy to apply granular access policies to your egress web traffic and to monitor access to untrusted web services.
Inspect your network traffic
You can use Cloud IDS and Packet Mirroring to help you ensure the security and compliance of workloads running in Compute Engine and Google Kubernetes Engine (GKE).
Use Cloud Intrusion Detection System (currently in preview) to get visibility in to the traffic moving into and out of your VPC networks. Cloud IDS creates a Google-managed peered network that has mirrored VMs. Palo Alto Networks threat protection technologies mirror and inspect the traffic. For more information, see Cloud IDS overview.
Packet Mirroring clones traffic of specified VM instances in your VPC network and forwards it for collection, retention, and examination. After you configure Packet Mirroring, you can use Cloud IDS or third-party tools to collect and inspect network traffic at scale. Inspecting network traffic in this way helps provide intrusion detection and application performance monitoring.
Use a web application firewall
For external web applications and services, you can enable Google Cloud Armor to provide distributed denial-of-service (DDoS) protection and web application firewall (WAF) capabilities. Google Cloud Armor supports Google Cloud workloads that are exposed using external HTTP(S) load balancing, TCP Proxy load balancing, or SSL Proxy load balancing.
Google Cloud Armor is offered in two service tiers, Standard and Managed Protection Plus. To take full advantage of advanced Google Cloud Armor capabilities, you should invest in Managed Protection Plus for your key workloads.
Automate infrastructure provisioning
Automation lets you create immutable infrastructure, which means that it can't be changed after provisioning. This measure gives your operations team a known good state, fast rollback, and troubleshooting capabilities. For automation, you can use tools such as Terraform, Jenkins, and Cloud Build.
To help you build an environment that uses automation, Google Cloud provides a series of security blueprints that are in turn built on the enterprise foundations blueprint. The security foundations blueprint provides Google's opinionated design for a secure application environment and describes step by step how to configure and deploy your Google Cloud estate. Using the instructions and the scripts that are part of the security foundations blueprint, you can configure an environment that meets our security best practices and guidelines. You can build on that blueprint with additional blueprints or design your own automation.
For more information about automation, see Use a CI/CD pipeline for data-processing workflows.
Monitor your network
Monitor your network and your traffic using telemetry.
VPC Flow Logs and Firewall Rules Logging provide near real-time visibility into the traffic and firewall usage in your Google Cloud environment. For example, Firewall Rules Logging logs traffic to and from Compute Engine VM instances. When you combine these tools with Cloud Logging and Cloud Monitoring, you can track, alert, and visualize traffic and access patterns to improve the operational security of your deployment.
Firewall Insights lets you review which firewall rules matched incoming and outgoing connections and whether the connections were allowed or denied. The shadowed rules feature helps you tune your firewall configuration by showing you which rules are never triggered because another rule is always triggered first.
Use Network Intelligence Center to see how your network topology and architecture are performing. You can get detailed insights into network performance and you can then optimize your deployment to eliminate any bottlenecks in your service. Connectivity Tests provide you with insights into the firewall rules and policies that are applied to the network path.
For more information about monitoring, see Implement logging and detective controls.
What's next
Learn more about network security with the following resources:
- Implement data security (next document in this series)
- Best practices and reference architectures for VPC design
- IAM roles for administering VPC Service Controls
- Onboarding as a Security Command Center partner
- Viewing vulnerabilities and threats in Security Command Center
- Packet Mirroring: Visualize and protect your cloud network
- Using Packet Mirroring for intrusion detection
- Using Packet Mirroring with a partner IDS solution