Connecting to Google Cloud: your networking options explained
Solution Architect, Google Cloud
So, your organization recently decided to adopt Google Cloud. Now you just need to decide how you’re going to connect your applications to it... Public IP addresses, or VPN? Via an interconnect or through peering? Should you want to go the interconnect route, should it be direct or through a partner? Likewise, for peering, should you go direct or through a carrier? When it comes to connecting to Google Cloud, there’s no lack of options.
The answer to these questions, of course, lies in your applications and business requirements. Here on the Solutions Architecture team, we find that you can assess those requirements by answering three simple questions:
Do any of your on-prem servers or user computers with private addressing need to connect to Google Cloud resources with private addressing?
Do the bandwidth and performance of your current connection to Google services currently meet your business requirements?
Do you already have, or are you willing to install and manage, access and routing equipment in one of Google’s point of presence (POP) locations?
Depending on your answers, Google Cloud provides a wide assortment of network connectivity options to meet your needs, using either public networks, peering, or interconnect technologies. Here’s the decision flowchart that walks you through each of the three questions, and the best associated GCP connectivity option.
Deciding how to connect to Google Cloud
Public network connectivity
By far the simplest connectivity option to connect your environment to Google Cloud is simply to use a standard internet connection that you already have, assuming it meets your bandwidth needs. If so, you can connect to Google Cloud over the internet in two ways.
A: Cloud VPN
If you need private-to-private connectivity (Yes on 1) and your internet connection meets your business requirements (Yes on 2), then building a Cloud VPN is your best bet. This configuration allows users to access private RFC1918 addresses on resources in your VPC from on-prem computers also using private RFC1918 addresses. This traffic flows through the VPN tunnel. High availability VPN offers the best SLA in the industry, with a guaranteed uptime of 99.99%.
A Cloud VPN connection setup between the example.com network and your VPC.
B: Public IP addresses
If you don’t need private access (No on 1) and your Internet connection is meeting your business requirements (Yes on 2), then you can simply use public IP addresses to connect to Google services, including G Suite, Google APIs, and any Cloud resources you have deployed via their public IP address. Of course, regardless of the connectivity option you chose, it is a best practice to always encrypt your data at rest as well as in transit. You can also bring your own IP addresses to Google’s network across all regions to minimize downtime during migration and reduce your networking infrastructure cost. After you bring your own IPs, GCP advertises them globally to all peers.
If you don’t need RFC1918-to-RFC1918 private address connectivity and your current connection to Google Cloud isn’t performing well, then peering may be your best connectivity option. Conceptually, peering gets your network as close as possible to Google Cloud public IP addresses.
Peering has several technical requirements that your company must meet to be considered for the program. If your company meets the requirements, you will first need to register your interest to peer and then choose between one of two options.
C: Direct Peering
Direct Peering is a good option if you already have a footprint in one of Google’s POPs—or you’re willing to lease co-location space and install and support routing equipment. In this configuration, you run BGP over a link to exchange network routes. All traffic destined to Google rides over this new link, while traffic to other sites on the internet rides your regular internet connection.
Direct Peering allows you to establish a direct peering connection between your business network and Google's edge network and exchange high-throughput cloud traffic.
D: Carrier Peering
If installing equipment isn’t an option or you would prefer to work with a service provider partner as an intermediary to peer with Google, then Carrier Peering is the way to go. In this configuration, you connect to Google via a new link connection that you install to a partner carrier that is already connected to the Google network itself. You will run BGP or use static routing over that link. All traffic destined to Google rides over this new link. Traffic to other sites on the internet rides your regular internet connection.
With carrier peering, traffic flows through an intermediary.
Interconnects are similar to peering in that the connections get your network as close as possible to the Google network. Interconnects are different from peering in that they give you connectivity using private address space into your Google VPC. If you need RFC1918-to-RFC1918 private address connectivity then you’ll need to provision either a dedicated or partner interconnect.
E: Partner Interconnect
If you need private, high-performance connectivity to Google Cloud, but installing equipment isn’t an option—or you would prefer to work with a service provider partner as an intermediary, then we recommend you go with a Partner Interconnect. You can find Google Cloud connectivity partners at Cloud Pathfinder by Cloudscene.
Partner Interconnect provides connectivity between your on-premises network and your VPC network through a supported service provider.
The Partner Interconnect option is similar to carrier peering in that you connect to a partner service provider that is directly connected to Google. But because this is an interconnect connection, you also are adding a virtual attachment circuit on top of the physical line to get you your required RFC1918-to-RFC1918 private address connectivity. All traffic destined to your Google VPC rides over this new link. Traffic to other sites on the internet rides your regular internet connection.
F: Dedicated Interconnect
Last but not least, there’s Dedicated Interconnect, which provides you with a private circuit direct to Google. This is a good option if you already have a footprint (or are willing to lease co-lo space and install and support routing equipment) in a Google POP.
With Dedicated Interconnect, you install a link directly to Google by choosing a 10 Gbps or 100 Gbps pipe. In addition, you provision a virtual attachment circuit over the physical link. You run BGP or use static routing over that link to connect to your VPC. It is this attachment circuit that gives you the RFC1918-to-RFC1918 private address connectivity. All traffic destined to your Google Cloud VPC rides over this new link. Traffic to other sites on the internet rides your regular internet connection.
Now that you have made a decision it’s good to sanity check it against some additional data. This following chart compares each of the six connectivity options against nine different connection characteristics. You can use the chart as a high level reference to understand your choice and compare it to the other options. You should feel comfortable with the service level that your option provides through the data points.
Option comparison. (Click to enlarge)
Option comparison. (Click to enlarge)
There are lots of different reasons to choose one connectivity option over another. For example, maybe today Cloud VPN would meet your needs today, but your business is growing fast, and an interconnect is in order. Use this chart as a starting point and then reach out to your Google Cloud sales representative, who can discuss your concerns in more detail, and can pull in network specialists and solution architects to help you make the right choice for your business.