The Architecture Center provides content resources across a wide variety of networking subjects. This page provides information to help you get started and a list of all networking content in the Architecture Center.
Get started
Google Cloud provides a suite of networking services to help you run your enterprise in the cloud. This page can help you get started with both designing and building a new cloud network and with enhancing your existing network.
Design and build
There are two general approaches to creating a network:
- Just get started by creating a simple, but recommended, landing zone deployment and build from there.
- Read all the materials up front, plan everything end-to-end, and then build your design.
If you just want to get started:
- The fastest way is to use Google Cloud Setup in the Google Cloud console. The user interface shows you how to set up your organization, users and groups, administration, billing, networking, monitoring and security so you can get started with Google Cloud. Even if you already have an organization set up, you can use Google Cloud Setup to create well-crafted networks.
- Alternatively, you can follow a manual process using the Landing zone design in Google Cloud document set. In that document set, Decide the network design for your Google Cloud landing zone provides several options for your network design.
If you want to read and plan first:
- For an end-to-end Google Cloud deployment based on security best practices, see the enterprise foundations blueprint. The entire deployment is available as a Terraform configuration, which you can use as is or modify to meet your needs.
- If you are migrating workloads from an existing installation, see Designing networks for migrating enterprise workloads: Architectural approaches.
Enhance
If you already have your Google Cloud network set up, but you want to enhance or modify your setup, the documents listed in the left navigation can help. The documents are organized in the following categories:
- Connect: Connect Google Cloud resources to resources in other clouds, in your on-premises data centers, and in other parts of your Google Cloud deployment.
- Scale: Use load balancing, content delivery networks, and DNS to deliver your applications to your customers at any scale.
- Secure: Protect your applications and network traffic.
- Observe: Monitor and inspect your network configuration and traffic.
Networking resources in the Architecture Center
Best practices and reference architectures for VPC design This guide introduces best practices and typical enterprise architectures for the design of virtual private clouds (VPCs) with Google Cloud. Products used: Cloud DNS, Cloud Interconnect, Cloud NAT, Cloud Router, Cloud VPN, Virtual Private Cloud
Build hybrid and multicloud architectures using Google Cloud Provides practical guidance on planning and architecting your hybrid and multi-cloud environments using Google Cloud. Products used: Cloud Load Balancing, Compute Engine, GKE Enterprise, Google Kubernetes Engine (GKE)
Building internet connectivity for private VMs Describes options for connecting to and from the internet using Compute Engine resources that have private IP addresses. Products used: Cloud Load Balancing, Cloud NAT, Compute Engine, Identity-Aware Proxy
Controls to restrict access to individually approved APIs Many organizations have a compliance requirement to restrict network access to an explicitly approved list of APIs, based on internal requirements or as part of adopting Assured Workloads. On-premises, this requirement is often addressed with proxy...
Cross-Cloud Network for distributed applications Describes how to design Cross-Cloud Network for distributed applications. Products used: Cloud Load Balancing, Virtual Private Cloud
Cross-Cloud Network inter-VPC connectivity using VPC Network Peering Describes how to design the network segmentation structure and connectivity of Cross-Cloud Network for distributed applications. Products used: Cloud Load Balancing, Virtual Private Cloud
Decide the network design for your Google Cloud landing zone This document describes four common network designs for landing zones, and helps you choose the option that best meets your requirements. Products used: VPC Service Controls, Virtual Private Cloud
Deploy network monitoring and telemetry capabilities in Google Cloud Network telemetry collects network traffic data from devices on your network so that the data can be analyzed. Network telemetry lets security operations teams detect network-based threats and hunt for advanced adversaries, which is essential for... Products used: Compute Engine, Google Kubernetes Engine (GKE), Virtual Private Cloud
Deploying FortiGate-VM Next Generation Firewall using Terraform Shows you how to use Terraform to deploy a FortiGate reference architecture to help protect your applications against cyberattacks. Products used: Cloud Load Balancing, Cloud Storage, Compute Engine
Design secure deployment pipelines Describes best practices for designing secure deployment pipelines based on your confidentiality, integrity, and availability requirements. Products used: App Engine, Cloud Run, Google Kubernetes Engine (GKE)
Designing networks for migrating enterprise workloads: Architectural approaches This document introduces a series that describes networking and security architectures for enterprises that are migrating data center workloads to Google Cloud. These architectures emphasize advanced connectivity, zero-trust security principles, and... Products used: Cloud CDN, Cloud DNS, Cloud Interconnect, Cloud Intrusion Detection System (Cloud IDS), Cloud Load Balancing, Cloud NAT, Cloud Service Mesh, Cloud VPN, Google Cloud Armor, Identity-Aware Proxy, Network Connectivity Center, VPC Service Controls, Virtual Private Cloud
FortiGate architecture in Google Cloud Describes the overall concepts around deploying a FortiGate Next Generation Firewall (NGFW) in Google Cloud. Products used: Cloud Load Balancing, Cloud NAT, Compute Engine, Virtual Private Cloud
From edge to mesh: Deploy service mesh applications through GKE Gateway Products used: Cloud Load Balancing, Cloud Service Mesh, Google Kubernetes Engine (GKE)
From edge to mesh: Expose service mesh applications through GKE Gateway Combines Cloud Service Mesh with Cloud Load Balancing to expose applications in a service mesh to internet clients. Products used: Cloud Load Balancing, Cloud Service Mesh, Google Kubernetes Engine (GKE)
Products used: Cloud Endpoints, Cloud Load Balancing, Cloud Service Mesh, Google Cloud Armor, Google Kubernetes Engine (GKE)
Describes exposing applications externally through Google Kubernetes Engine (GKE) Gateways running on multiple GKE clusters within a service mesh. Products used: Cloud Endpoints, Cloud Load Balancing, Cloud Service Mesh, Google Cloud Armor, Google Kubernetes Engine (GKE)
Discusses how the gated egress pattern is based on exposing select APIs from various environments to workloads that are deployed in Google Cloud. Products used: Cloud Interconnect, Cloud NAT, Cloud VPN, Compute Engine, Google Kubernetes Engine (GKE)
Gated egress and gated ingress Discusses scenarios that demand bidirectional usage of selected APIs between workloads that run in various environments. Products used: Cloud Interconnect, Cloud NAT, Cloud VPN, Compute Engine, Google Kubernetes Engine (GKE)
Discusses exposing select APIs of workloads running in Google Cloud to the private computing environment without exposing them to the public internet. Products used: Cloud Interconnect, Cloud NAT, Cloud VPN, Compute Engine, Google Kubernetes Engine (GKE)
Hub-and-spoke network architecture Evaluate the architectural options for designing hub-and-spoke network topologies in Google Cloud. Products used: Cloud NAT, Cloud VPN, Virtual Private Cloud
Hybrid and multicloud monitoring and logging patterns Discusses monitoring and logging architectures for hybrid and multicloud deployments, and provides best practices for implementing them by using Google Cloud. Products used: Cloud Logging, Cloud Monitoring, GKE Enterprise, Google Distributed Cloud, Google Kubernetes Engine (GKE)
Hybrid and multicloud secure networking architecture patterns Discusses several common secure network architecture patterns that you can use for hybrid and multicloud architectures. Products used: Cloud DNS, Cloud Interconnect, Cloud NAT, Cloud VPN, Compute Engine, Google Cloud Armor, Google Kubernetes Engine (GKE)
Implement your Google Cloud landing zone network design This document provides steps and guidance to implement your chosen network design for your landing zone. Products used: Virtual Private Cloud
Jump Start Solution: Load balanced managed VMs Deploy an autoscaling group of Compute Engine VMs with a load balancer as the frontend.
Landing zone design in Google Cloud This series shows how to design and build a landing zone in Google Cloud, guiding you through high-level decisions about identity onboarding, resource hierarchy, network design, and security.
Manage and scale networking for Windows applications that run on managed Kubernetes Discusses how to manage networking for Windows applications that run on Google Kubernetes Engine using Cloud Service Mesh and Envoy gateways. Products used: Cloud Load Balancing, Cloud Service Mesh, Google Kubernetes Engine (GKE)
Patterns for connecting other cloud service providers with Google Cloud Helps cloud architects and operations professionals decide how to connect Google Cloud with other cloud service providers (CSP) such as Amazon Web Services (AWS) and Microsoft Azure. Products used: Cloud Interconnect, Dedicated Interconnect, Partner Interconnect
This guide is intended to help you address concerns unique to Google Kubernetes Engine (GKE) applications when you are implementing customer responsibilities for Payment Card Industry Data Security Standard (PCI DSS) requirements. Disclaimer: This... Products used: Google Cloud Armor, Google Kubernetes Engine (GKE), Sensitive Data Protection
Secure virtual private cloud networks with the Palo Alto VM-Series NGFW Describes the networking concepts that you need to understand to deploy Palo Alto Networks VM-Series next generation firewall (NGFW) in Google Cloud. Products used: Cloud Storage
Security blueprint: PCI on GKE The PCI on GKE blueprint contains a set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud. The core of this blueprint is the Online Boutique application, where users can browse items, add them... Products used: Google Kubernetes Engine (GKE)
Use Google Cloud Armor, load balancing, and Cloud CDN to deploy programmable global front ends Provides an architecture that uses a global front end which incorporates Google Cloud best practices to help scale, secure, and accelerate the delivery of your internet-facing applications.
VMware Engine network security using centralized appliances Design advanced network security for Google Cloud VMware Engine workloads to provide network protection features like DDoS mitigation, SSL offloading, NGFW, IPS/IDS, and DPI. Products used: Cloud CDN, Cloud Interconnect, Cloud Load Balancing, Cloud VPN, Google Cloud VMware Engine, Virtual Private Cloud