For comprehensive visibility into your Google Cloud-based Virtual Private Cloud (VPC) network traffic and advanced network security protections for your workloads, you might need purpose-built appliances from third-party independent software vendors (ISVs). Purpose-built appliances such as deep packet inspection (DPI) engines let you inspect the payload of the packets in addition to protocol headers. Deploying the appliances in bump-in-the-wire mode lets you gain network visibility and add advanced security protections to your existing networks without making any changes to their routing policies.
To help you seamlessly integrate these third-party appliances with your network, Google Cloud offers an out-of-band Network Security Integration service. This service provides the following capabilities:
- Comprehensive visibility into your workloads' traffic
- Support for advanced network security protections
- Application and network performance monitoring
For more information about out-of-band integration, see Out-of-band integration overview.
Network Security Integration services use the producer-consumer model for data inspection and monitoring of traffic data. The consumer consumes the services offered by the producer:
- A service producer network contains a set of scalable third-party network appliances that are deployed as backends to an internal load balancer.
- A service consumer uses a firewall policy to select specific traffic and redirect the selected traffic to a group of endpoints.
- The endpoint group in a consumer network sends the selected traffic to a service producer, where the internal load balancer distributes the traffic to the third-party appliances for inspection.
Figure 1 shows the high-level deployment architecture of the Network Security Integration services where both the consumer and producer are in the same organization.
Service producers and consumers
The producer and consumer VPC networks are configured as follows:
A producer VPC network contains an internal forwarding rule that serves as the entry point to an internal passthrough Network Load Balancer. The load balancer connects to a backend, which can either be a managed or an unmanaged instance group, and contains the deployed third-party network appliances. This backend is also referred to as a network service producer deployment. When you create a network service deployment, you specify the name of the forwarding rule that is associated with the internal passthrough Network Load Balancer. Network Security Integration forwards the traffic for inspection to the producer deployment, which corresponds to the forwarding rule name.
A consumer VPC network contains Google Cloud workloads. These workloads run on the virtual machine (VM) instances. You can select the workload traffic to inspect by defining rules in firewall policies. These rules can filter traffic by using multiple attributes such as IP addresses or IP ranges, network tags, or service accounts.