# Network Security Integration overview

For comprehensive visibility into your Google Cloud-based
Virtual Private Cloud (VPC) network traffic and advanced network security
protections for your workloads, you might need purpose-built appliances from
third-party independent software vendors (ISVs). Purpose-built appliances
such as deep packet inspection (DPI) engines let you inspect the
payload of the packets in addition to the protocol headers. Deploying the
appliances in bump-in-the-wire mode lets you gain network visibility
and add advanced security protections to your existing networks without
making any changes to their routing policies.
To help you seamlessly integrate these third-party appliances with your network,
Google Cloud offers an out-of-band Network Security Integration service.
This service provides the following capabilities:

- Comprehensive visibility into your workloads' traffic
- Support for advanced network security protections
- Application and network performance monitoring

For more information about out-of-band integration, see
[Out-of-band integration overview](/network-security-integration/docs/out-of-band/out-of-band-integration-overview).
Network Security Integration services use the producer-consumer model for
inspecting and monitoring traffic. The consumer consumes the services
offered by the producer:

- A service producer network contains a set of scalable third-party network
  appliances that are deployed as backends of an internal load balancer.
- A service consumer uses a firewall policy to select specific traffic and
  redirect the selected traffic to a group of endpoints.
- The endpoint group in a consumer network sends the selected traffic to a
  service producer, where the internal load balancer distributes
  the traffic to the third-party appliances for inspection.
Figure 1 shows the high-level deployment architecture of the
Network Security Integration services where both the consumer and producer are in
the same organization.

![High-level deployment architecture of the Network Security Integration services](/static/network-security-integration/images/nsi-overview.svg)

**Figure 1.** High-level deployment architecture of the Network Security Integration services.
Service producers and consumers
-------------------------------
The producer and consumer VPC networks are configured as follows:

- A producer VPC network contains an internal forwarding rule
  that serves as the entry point to an internal passthrough Network Load Balancer.
  The load balancer connects to a backend, which can be either a managed or an
  unmanaged instance group, and which contains the deployed third-party network
  appliances. This backend is also referred to as a *network service producer deployment*.
  When you create a network service deployment, you specify the name of the
  forwarding rule that is associated with the internal passthrough Network Load Balancer.
  Network Security Integration forwards the traffic for inspection to the producer
  deployment identified by that forwarding rule name.

- A consumer VPC network contains Google Cloud workloads.
  These workloads run on virtual machine (VM) instances. You select
  the workload traffic to inspect by defining rules in firewall policies.
  These rules can filter traffic by using multiple attributes such as IP
  addresses or IP ranges, network tags, or service accounts.
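As an added example that is not part of this page or of Google's documentation, the producer and consumer objects described above expressed in Terraform: a deployment group and deployment on the producer side keyed by the load balancer's forwarding rule, an endpoint group associated with the consumer VPC, and a firewall policy rule that selects traffic and redirects it to that endpoint group through a custom-mirroring security profile group. Resource and argument names follow the google Terraform provider's Network Security Integration resources and should be checked against the current provider reference; every id, the zone, the organization id, and the pre-existing producer forwarding rule, VPC networks and network firewall policy are assumed inputs.

```hcl
# Producer side: the appliances are backends of an internal passthrough Network Load Balancer whose forwarding rule is the entry point.
resource "google_network_security_mirroring_deployment_group" "producer_dg" {
  mirroring_deployment_group_id = "dpi-deployment-group"  # assumed id
  location                      = "global"
  network                       = var.producer_network_id # assumed input: producer VPC
}
resource "google_network_security_mirroring_deployment" "producer_a" {
  mirroring_deployment_id    = "dpi-deployment-a"              # assumed id
  location                   = "us-central1-a"                 # assumed zone of the appliance backends
  forwarding_rule            = var.producer_forwarding_rule_id # assumed input: the ILB forwarding rule
  mirroring_deployment_group = google_network_security_mirroring_deployment_group.producer_dg.id
}

# Consumer side: an endpoint group points at the producer deployment group and is associated with the consumer VPC.
resource "google_network_security_mirroring_endpoint_group" "consumer_eg" {
  mirroring_endpoint_group_id = "dpi-endpoint-group" # assumed id
  location                    = "global"
  mirroring_deployment_group  = google_network_security_mirroring_deployment_group.producer_dg.id
}
resource "google_network_security_mirroring_endpoint_group_association" "consumer_assoc" {
  mirroring_endpoint_group_association_id = "dpi-eg-assoc"           # assumed id
  location                                = "global"
  network                                 = var.consumer_network_id # assumed input: consumer VPC
  mirroring_endpoint_group                = google_network_security_mirroring_endpoint_group.consumer_eg.id
}
# A custom-mirroring security profile (wrapped in a profile group) makes the endpoint group addressable from a firewall policy rule.
resource "google_network_security_security_profile" "mirror_profile" {
  name   = "dpi-mirror-profile"          # assumed id
  parent = "organizations/${var.org_id}" # assumed input: organization id
  type   = "CUSTOM_MIRRORING"
  custom_mirroring_profile { mirroring_endpoint_group = google_network_security_mirroring_endpoint_group.consumer_eg.id }
}
resource "google_network_security_security_profile_group" "mirror_group" {
  name                     = "dpi-mirror-group" # assumed id
  parent                   = "organizations/${var.org_id}"
  custom_mirroring_profile = google_network_security_security_profile.mirror_profile.id
}

# The consumer firewall policy rule selects traffic (TCP from a constructed source range) and redirects it for inspection.
resource "google_compute_network_firewall_policy_packet_mirroring_rule" "select_tcp" {
  firewall_policy        = var.consumer_firewall_policy_id # assumed input: existing network firewall policy
  priority               = 1000
  direction              = "INGRESS"
  action                 = "mirror"
  security_profile_group = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.mirror_group.id}"
  match {
    src_ip_ranges  = ["10.10.0.0/16"] # constructed sample range
    layer4_configs { ip_protocol = "tcp" }
  }
}
```

Only traffic matched by the rule is copied to the appliances, so the consumer network's own routing is untouched, which is the bump-in-the-wire property the overview describes.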
What's next
-----------

- [Out-of-band integration overview](/network-security-integration/docs/out-of-band/out-of-band-integration-overview)
- [Monitor out-of-band integration](/network-security-integration/docs/out-of-band/monitor-out-of-band-integration)
- [Understand GENEVE format](/network-security-integration/docs/understand-geneve)

Last updated 2025-09-04 UTC.