Design your network infrastructure

This document in the Google Cloud Architecture Framework provides best practices to deploy your system based on networking design. You learn how to choose and implement Virtual Private Cloud (VPC), and how to test and manage network security.

Core principles

Networking design is critical to successful system design because it helps you optimize for performance and secure application communications with internal and external services. When you choose networking services, it's important to evaluate your application needs and evaluate how the applications will communicate with each other. For example, while some components require global services, other components might need to be geo-located in a specific region.

Google's private network connects regional locations to more than 100 global network points of presence. Google Cloud uses software-defined networking and distributed systems technologies to host and deliver your services around the world. Google's core element for networking within Google Cloud is the global VPC. VPC uses Google's global high-speed network to link your applications across regions while supporting privacy and reliability. Google ensures that your content is delivered with high throughput by using technologies like Bottleneck Bandwidth and Round-trip propagation time (BBR) congestion-control intelligence.

Developing your cloud networking design includes the following steps:

  1. Design the workload VPC architecture. Start by identifying how many Google Cloud projects and VPC networks you require.
  2. Add inter-VPC connectivity. Design how your workloads connect to other workloads in different VPC networks.
  3. Design hybrid network connectivity. Design how your workload VPCs connect to on-premises and other cloud environments.

When you design your Google Cloud network, consider the following:

To see a complete list of VPC specifications, see Specifications.

Workload VPC architecture

This section provides best practices for designing workload VPC architectures to support your system.

Consider VPC network design early

Make VPC network design an early part of designing your organizational setup in Google Cloud. Organizational-level design choices can't be easily reversed later in the process. For more information, see Best practices and reference architectures for VPC design and Best practices for enterprise organizations.

Start with a single VPC network

For many use cases that include resources with common requirements, a single VPC network provides the features that you need. Single VPC networks are simple to create, maintain, and understand. For more information, see VPC Network Specifications.

Keep VPC network topology simple

To ensure a manageable, reliable, and well-understood architecture, keep the design of your VPC network topology as simple as possible.

Use VPC networks in custom mode

To ensure that Google Cloud networking integrates seamlessly with your existing networking systems, we recommend that you use custom mode when you create VPC networks. Using custom mode helps you integrate Google Cloud networking into existing IP address management schemes and it lets you control which cloud regions are included in the VPC. For more information, see VPC.

Inter-VPC connectivity

This section provides best practices for designing inter-VPC connectivity to support your system.

Choose a VPC connection

If you decide to implement multiple VPC networks, you need to connect those networks. VPC networks are isolated tenant spaces within Google's Andromeda software-defined network (SDN). There are several ways that VPC networks can communicate with each other; choose how you connect your network based on your bandwidth, latency, and service level agreement (SLA) requirements.

To learn more about connection options, see Choose the VPC connection method that meets your cost, performance, and security needs.

Use Shared VPC to administer multiple working groups

For organizations with multiple teams, Shared VPC provides an effective tool to extend the architectural simplicity of a single VPC network across multiple working groups.

Use simple naming conventions

Choose simple, intuitive, and consistent naming conventions. Doing so helps administrators and users to understand the purpose of each resource, where it's located, and how it's differentiated from other resources.

Use connectivity tests to verify network security

In the context of network security, you can use connectivity tests to verify that traffic you intend to prevent between two endpoints is blocked. To verify that traffic is blocked and why it's blocked, define a test between two endpoints and evaluate the results. For example, you might test a VPC feature that lets you define rules that support blocking traffic. For more information, see Connectivity Tests overview.

Use Private Service Connect to create private endpoints

To create private endpoints that let you access Google services with your own IP address scheme, use Private Service Connect. You can access the private endpoints from within your VPC and through hybrid connectivity that terminates in your VPC.

Secure and limit external connectivity

Limit internet access only to those resources that need it. Resources with only a private, internal IP address can still access many Google APIs and services through Private Google Access.

Use Network Telemetry to enhance visibility into your cloud network

Identify traffic and access patterns that can impose security or operational risks to your organization in near real time. Network Telemetry provides both network and security operations with in-depth, responsive logs for Google Cloud networking services.

What's next

Learn best practices for storage management, including the following:

Explore other categories in the Architecture Framework such as reliability, operational excellence, and security, privacy, and compliance.