Jump to Content
Security & Identity

How Google Cloud NAT helped strengthen Macy’s security

July 7, 2023
Brandon Maltzman

Cloud Security Architect

Macy’s is well known for its high-end fashion worldwide. What is not as well known are the strong measures it takes to ensure its customers’ data remains secure. When Macy’s decided to move its infrastructure from on-premises to Google Cloud, it required the move be done without sacrificing security or degrading the user experience.

Migrating from on-premises to the cloud isn’t always a simple feat, especially when one of Macy’s key requirements was a managed solution that could secure their workloads’ internet access without impacting throughput and latency.

Implementing Cloud NAT at scale

Applying security safeguards without creating additional friction can be difficult, especially for Macy’s and its more than 40 million active users. Macy’s needed a way to perform network address translation to ensure its clusters could create outbound connections to the internet without needing public IP addresses. Every use case led back to Cloud NAT.

Cloud NAT is a distributed, cloud-first service that provides network address translation for workloads without external IP addresses. These workloads typically access the internet to download updates or interact with SaaS services. 

Cloud NAT provided a means for Macy’s workloads to initiate outbound connections by translating the associated private IP addresses to one or more shared public IP addresses. This enabled Macy’s to reach the outside world while preventing the outside world from initiating a connection to it. What was even better for Macy’s was that Cloud NAT simplified the configuration and maintenance with no additional networking, forwarding, or routing configuration required.

https://storage.googleapis.com/gweb-cloudblog-publish/images/1_Google_Cloud_NAT.max-1600x1600.png

Ensuring continued high performance

The software-defined networking that underpins Cloud NAT equipped Macy’s with more than just the benefit of simplified management. High availability is built into the product since it doesn’t depend on any virtual machine or physical gateway device, and it is available across different regions if a zone goes down. With an uptime SLA of 99.99%, Macy’s could feel confident that their operations would run without disruption.

Cloud NAT can also be configured to automatically scale the number of NAT IP addresses used. The proxyless architecture enables a chokepoint-free NAT operation so that workloads’ throughput and latency are minimally impacted. The myriad of benefits associated with using Cloud NAT over a traditional proxy are depicted below.

https://storage.googleapis.com/gweb-cloudblog-publish/images/2_Google_Cloud_NAT.max-1700x1700.png

Lastly, Cloud NAT works with Google Compute Engine, Google Kubernetes Engine, and Serverless VPC Access connectors to support Cloud Functions, Cloud Run, and Google App Engine Standard. The built-in cloud integrations helped give Macy's the confidence to deploy Cloud NAT knowing it met all the predefined requirements.

https://storage.googleapis.com/gweb-cloudblog-publish/images/3_Google_Cloud_NAT.max-1100x1100.png

Upholding the highest security standards

Macy’s took advantage of Cloud NAT’s built-in logging and monitoring capabilities. NAT logs are automatically forwarded to a SIEM tool for transformation and analysis. This innate functionality provides greater insight into Macy’s environment and allows the security team to take action if any anomalous behavior is detected.

Cloud NAT’s inherent security and extensive benefits made it a straightforward decision for Macy’s. However, Cloud NAT is only one component of Macy’s defense-in-depth strategy, as illustrated below. It works with the existing Cloud Firewall rules to ensure only appropriate traffic is entering and exiting workloads. 

None of the Cloud Firewall rules previously established needed to be reconfigured since Cloud NAT sits in front of the firewall. Existing egress firewall rules are evaluated for each packet before it hits the NAT, and ingress firewalls rules are evaluated after the packet hits the NAT. Cloud NAT does not permit any unsolicited inbound requests from the internet even if firewall rules would otherwise permit those requests.

https://storage.googleapis.com/gweb-cloudblog-publish/images/4_Google_Cloud_NAT.max-1500x1500.png

Macy’s continues to prove that security will never go out of style.

Learn more about Cloud NAT

Cloud NAT provides a path to help ensure your private resources stay private. Please watch this video on protecting your network with Cloud NAT to learn more about how it can help secure your environment. You can also get started using our quick start guide.

Posted in