1. Mirrored pattern
- Continuous integration/continuous deployment (CI/CD) and administrative systems can deploy and manage workloads across computing environments.
- Monitoring and other administrative tooling works across computing environments.
- Workloads cannot communicate across computing environments.
Variants of the Mirrored pattern
Conventional variant
Variant with Kubernetes
Architecture for K8S (the two VPCs do not need to be peered, because the CI/CD environment can reach the cluster's control plane over its public endpoint; if you rely on that path, restrict which source addresses may reach the control plane, for example with GKE authorized networks, and authenticate with short-lived credentials rather than long-lived cluster keys)
Best practices
- Ensure that any CI/CD systems required for deploying or reconfiguring production deployments are deployed in a highly available fashion. Additionally, consider using redundant virtual private network (VPN) or interconnect links to increase availability.
- Give VM instances in the development and testing VPC egress to the internet either by assigning them public IP addresses or, preferably, by deploying Cloud NAT in the same VPC: Cloud NAT provides outbound connectivity without giving the instances an address that is reachable from the internet.
- Use Private Google Access so that VM instances without external IP addresses can still reach Google APIs and services, and so that this traffic stays on Google's network instead of traversing the public internet.
- Also consider the general best practices for hybrid and multi-cloud networking topologies.
2. Meshed pattern
- On the Google Cloud side, you deploy workloads into a single shared VPC.
- You connect the VPC to the network in the private computing environment by using either Cloud Interconnect or Cloud VPN. This setup ensures that communication between environments can be conducted using private IP addresses.
- You use Cloud Router to dynamically exchange routes between environments.
- All environments share a common, overlap-free RFC 1918 IP address space.
Conventional variant
Best practices
- If you intend to enforce stricter isolation between the cloud and private computing environments, consider using the gated topology instead.
- When using Kubernetes within the private computing environment, use Open Service Broker to provision and access Google platform services and resources in a unified way.
- Also consider the general best practices for hybrid and multi-cloud networking topologies.
3. Gated pattern
Gated egress
- How it works
- Workloads that you deploy in Google Cloud can communicate with the API gateway by using private IP addresses. Other systems in the private computing environment cannot be reached from within Google Cloud.
- Communication from the private computing environment to any workloads deployed in Google Cloud is not allowed.
- Details
- On the Google Cloud side, you deploy workloads into a Shared VPC.
- Using either Cloud Interconnect or Cloud VPN, you connect the VPC to a perimeter network in the private computing environment, allowing calls to the API gateway.
- Using firewall rules, you disallow incoming connections to the VPC.
- Optionally, you use Cloud Router to dynamically exchange routes between environments.
- All environments share a common, overlap-free RFC 1918 IP address space.
- Best practices
- Consider using Apigee for Private Cloud as the API gateway solution.
- Also consider the general best practices for hybrid and multi-cloud networking topologies.
Gated ingress
- How it works
- Workloads that you deploy in the private computing environment are able to communicate with the API gateway by using private IP addresses. Other systems deployed in Google Cloud cannot be reached.
- Communication from Google Cloud to the private computing environment is not allowed.
- Details
- On the Google Cloud side, you deploy workloads into an application VPC.
- You establish a Cloud Interconnect or Cloud VPN connection between a dedicated transit VPC and the private computing environment.
- You establish the connection between the transit VPC and the application VPC by using VMs that are running the API gateway. These VMs use two networking interfaces: one connected to the transit VPC, and one to the application VPC. To balance traffic to multiple API gateway instances, you configure an internal load balancer in the transit VPC.
- You deploy Cloud NAT in the application VPC to allow workloads to access the internet. This gateway avoids having to equip VM instances with external IP addresses, which you don’t want in systems that are deployed behind an API gateway.
- Optionally, you can use Cloud Router to dynamically exchange routes between environments.
- All environments share a common, overlap-free RFC 1918 IP address space.
- Best practices
- Consider using Apigee for Private Cloud as API gateway solution.
- Also consider the general best practices for hybrid and multi-cloud networking topologies.
Gated ingress and egress
- How it works
- Workloads that you deploy in Google Cloud can communicate with the API gateway by using private IP addresses. Other systems deployed in the private computing environment cannot be reached.
- Conversely, workloads that you deploy in the private computing environment can communicate with the Google Cloud-side API gateway by using private IP addresses. Other systems deployed in Google Cloud cannot be reached.
- Details
- On the Google Cloud side, you deploy workloads into an application VPC and do not expose them to the internet.
- You establish a Cloud Interconnect or Cloud VPN connection between a dedicated transit VPC and the private computing environment.
- You establish the connection between the transit VPC and the application VPC by using VMs that are running the API gateway. These VMs use two networking interfaces: one connected to the transit VPC, and one to the application VPC. To balance traffic to multiple API gateway instances, you configure an internal load balancer in the transit VPC.
- You also use Cloud NAT. Cloud NAT allows workloads to access the internet and to communicate with the API gateway that is running in the private computing environment.
- Optionally, you can use Cloud Router to dynamically exchange routes between environments.
- All environments share a common, overlap-free RFC 1918 IP address space.
- Best practices
- Consider using Apigee for Private Cloud as API gateway solution.
- Also consider the general best practices for hybrid and multi-cloud networking topologies.
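The isolation promised by the Mirrored pattern ("workloads cannot communicate across computing environments" while CI/CD and admin tooling can) and by the gated variants ("using firewall rules, you disallow incoming connections to the VPC") is enforced by VPC firewall rules, whose evaluation order is where misconfigurations hide. The following Python is an added example, not code from the original page or from Google Cloud. It reproduces the VPC firewall semantics (per-direction evaluation by ascending priority, deny beating allow at equal priority, first match wins, implied deny-all ingress and allow-all egress) over rule records in the field layout printed by `gcloud compute firewall-rules list --format=json`, and checks the flow matrix each pattern expects. All CIDRs, addresses, tags and rule names are constructed for the illustration.

```python
"""Evaluate Google Cloud VPC firewall rules against cross-environment flows.

Added example; not code from the original page or from Google Cloud. Rule
records use the field names printed by
`gcloud compute firewall-rules list --format=json`; the topology, CIDRs,
addresses and rule names below are constructed for illustration.
"""
import ipaddress

# --- constructed sample topology ---------------------------------------
ONPREM_NET = "10.10.0.0/16"      # private computing environment, perimeter included
API_GATEWAY = "10.10.5.10"       # API gateway in the on-prem perimeter network
ONPREM_OTHER = "10.10.7.20"      # some other on-prem system (must stay unreachable)
GCP_WORKLOAD = "10.20.1.5"       # VM in the Google Cloud application VPC
INTERNET_HOST = "203.0.113.9"    # arbitrary public address
CICD_NET = "10.30.0.0/24"        # CI/CD and admin subnet in the Mirrored pattern
CICD_HOST = "10.30.0.7"

# Gated egress: only the gateway's HTTPS port is reachable, every other
# on-prem destination is denied, and no ingress rule exists at all, so the
# implied deny-all ingress rule blocks anything coming from on-prem.
GATED_EGRESS_RULES = [
    {"name": "allow-egress-api-gw", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": [f"{API_GATEWAY}/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "deny-egress-onprem", "direction": "EGRESS", "priority": 1100,
     "destinationRanges": [ONPREM_NET], "denied": [{"IPProtocol": "all"}]},
]

# Mirrored: CI/CD and admin tooling may reach instances tagged "managed";
# there is no allow rule for workload-to-workload traffic across environments.
MIRRORED_RULES = [
    {"name": "allow-cicd-ingress", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": [CICD_NET], "targetTags": ["managed"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "443"]}]},
    {"name": "deny-onprem-ingress", "direction": "INGRESS", "priority": 1100,
     "sourceRanges": [ONPREM_NET], "denied": [{"IPProtocol": "all"}]},
]


def _proto_port_matches(spec, proto, port):
    """True if one allowed/denied entry covers this protocol and port."""
    if spec["IPProtocol"] not in ("all", proto):
        return False
    ports = spec.get("ports")
    if not ports:                       # no port list: every port of the protocol
        return True
    for item in ports:                  # entries are "443" or ranges like "8000-8080"
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _rule_matches(rule, src, dst, proto, port, target_tags):
    """Does this rule apply to the flow, as seen from the VPC-side VM?"""
    if rule.get("disabled"):
        return False
    if rule["direction"] == "INGRESS":
        ranges, peer = rule.get("sourceRanges", ["0.0.0.0/0"]), src
    else:
        ranges, peer = rule.get("destinationRanges", ["0.0.0.0/0"]), dst
    if not any(ipaddress.ip_address(peer) in ipaddress.ip_network(r) for r in ranges):
        return False
    # A rule with targetTags applies only to VMs carrying one of those tags.
    if rule.get("targetTags") and not set(rule["targetTags"]) & set(target_tags):
        return False
    specs = rule.get("allowed", []) + rule.get("denied", [])
    return any(_proto_port_matches(s, proto, port) for s in specs)


def evaluate(rules, direction, src, dst, proto="tcp", port=443, target_tags=()):
    """Return (action, rule_name) for one flow, falling through to the implied rules."""
    ordered = sorted((r for r in rules if r["direction"] == direction),
                     key=lambda r: (r["priority"], 0 if "denied" in r else 1))
    for rule in ordered:                # first match decides; deny wins ties
        if _rule_matches(rule, src, dst, proto, port, target_tags):
            return ("DENY" if "denied" in rule else "ALLOW", rule["name"])
    if direction == "INGRESS":
        return ("DENY", "implied-deny-ingress")
    return ("ALLOW", "implied-allow-egress")


def gated_egress_matrix(rules=GATED_EGRESS_RULES):
    """Flows the Gated egress pattern promises. Note the last one: with no deny
    rule for the internet, the implied allow-all egress still lets workloads out."""
    return {
        "gcp->api-gateway": evaluate(rules, "EGRESS", GCP_WORKLOAD, API_GATEWAY)[0],
        "gcp->other-onprem": evaluate(rules, "EGRESS", GCP_WORKLOAD, ONPREM_OTHER)[0],
        "onprem->gcp": evaluate(rules, "INGRESS", API_GATEWAY, GCP_WORKLOAD)[0],
        "gcp->internet": evaluate(rules, "EGRESS", GCP_WORKLOAD, INTERNET_HOST)[0],
    }


def mirrored_matrix(rules=MIRRORED_RULES):
    """CI/CD may manage tagged VMs; on-prem workloads cannot reach GCP workloads."""
    return {
        "cicd->managed-vm": evaluate(rules, "INGRESS", CICD_HOST, GCP_WORKLOAD,
                                     port=22, target_tags=("managed",))[0],
        "cicd->untagged-vm": evaluate(rules, "INGRESS", CICD_HOST, GCP_WORKLOAD, port=22)[0],
        "onprem-workload->gcp": evaluate(rules, "INGRESS", ONPREM_OTHER, GCP_WORKLOAD)[0],
    }


if __name__ == "__main__":
    print("gated egress:", gated_egress_matrix())
    print("mirrored:", mirrored_matrix())
```

To run this against a real project, replace the constructed rule lists with the parsed output of `gcloud compute firewall-rules list --format=json` for the network in question; the `gcp->internet` entry is the check most often forgotten, since a gated topology only restricts on-prem reachability unless an explicit egress deny (or a Cloud NAT-only design) covers the public internet as well.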
4. Handover pattern
- How it works
- Workloads that are running in a private computing environment upload data to shared storage locations. Depending on use cases, uploads might happen in bulk or in small messages.
- Google Cloud-hosted workloads then consume data from these locations and process it in a streaming or batch fashion.
- Details
- On the Google Cloud side, you deploy workloads into an application VPC. These workloads can include data processing, analytics, and analytics-related frontend applications.
- To securely expose frontend applications to corporate users, you can use Identity-Aware Proxy.
- You use a set of Cloud Storage buckets or Pub/Sub queues to upload data from the private computing environment and to make it available for further processing by workloads deployed in Google Cloud. Using IAM policies, you can restrict access to trusted workloads.
- Because there is no private network connectivity between environments, RFC 1918 IP address spaces are allowed to overlap between environments.
- Best practices
- Lock down access to Cloud Storage buckets and Pub/Sub topics.
- To reduce latency and to avoid passing data over the public internet, consider using Direct Peering or Carrier Peering.
- Use VPC Service Controls to restrict access to the Cloud Storage or Pub/Sub locations to specific IP address ranges.
- Give VM instances in the VPC internet egress either by assigning them public IP addresses or, preferably, by deploying Cloud NAT in the same VPC so that the instances need no address that is reachable from the internet.
- Also consider the general best practices for hybrid and multi-cloud networking topologies.
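In the Handover pattern the Cloud Storage buckets and Pub/Sub topics are the only shared surface between environments, so "using IAM policies, you can restrict access to trusted workloads" and "lock down access to Cloud Storage buckets and Pub/Sub topics" deserve a concrete check. The following Python is an added example, not code from the original page or from Google Cloud. It audits a policy in the JSON shape returned by `gcloud storage buckets get-iam-policy` or `gcloud pubsub topics get-iam-policy` against a least-privilege intent (the on-prem uploader may only write, the Google Cloud consumer may only read, nobody else and no public principal may touch the location) and builds the minimal policy that satisfies that intent. The project name, service accounts, etag and policies are constructed.

```python
"""Audit IAM on a handover location (Cloud Storage bucket or Pub/Sub topic).

Added example; not code from the original page or from Google Cloud. Policies
use the JSON layout returned by `gcloud storage buckets get-iam-policy` and
`gcloud pubsub topics get-iam-policy`; project, principals and bindings are
constructed for illustration.
"""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
PROJECT_BASIC = ("projectOwner:", "projectEditor:", "projectViewer:")

UPLOADER = "serviceAccount:onprem-uploader@example-project.iam.gserviceaccount.com"
CONSUMER = "serviceAccount:gcp-consumer@example-project.iam.gserviceaccount.com"

# Intended grants: the uploader writes, the consumer reads, nothing broader.
INTENT = {
    UPLOADER: {"roles/storage.objectCreator", "roles/pubsub.publisher"},
    CONSUMER: {"roles/storage.objectViewer", "roles/pubsub.subscriber"},
}

# Constructed "as found" bucket policy: the default project-level legacy
# bindings a new bucket receives, plus two mistakes (public read, and an
# uploader that can also delete and overwrite objects).
LOOSE_BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:example-project", "projectOwner:example-project"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:example-project"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin", "members": [UPLOADER]},
        {"role": "roles/storage.objectViewer", "members": [CONSUMER]},
    ],
    "etag": "BwYconstructed=",
}

# Constructed topic policy: a whole corporate domain may publish.
LOOSE_TOPIC_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.publisher", "members": ["domain:example.com", UPLOADER]},
        {"role": "roles/pubsub.subscriber", "members": [CONSUMER]},
    ],
    "etag": "BwYconstructed=",
}


def audit_policy(policy, intent=INTENT):
    """Return human-readable findings; an empty list means the policy matches intent."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"{role} granted to public principal {member}")
            elif member.startswith(PROJECT_BASIC):
                # Anyone holding a basic role on the project inherits this access.
                findings.append(f"{role} inherited through project basic role {member}")
            elif member not in intent:
                findings.append(f"{role} granted to unexpected principal {member}")
            elif role not in intent[member]:
                findings.append(f"{member} holds {role}, broader than intended")
    return findings


def minimal_policy(intent=INTENT, resource="bucket"):
    """Build the least-privilege bindings for a bucket or a topic from the intent."""
    prefix = "roles/storage." if resource == "bucket" else "roles/pubsub."
    by_role = {}
    for member, roles in intent.items():
        for role in roles:
            if role.startswith(prefix):
                by_role.setdefault(role, []).append(member)
    return {"bindings": [{"role": role, "members": sorted(members)}
                         for role, members in sorted(by_role.items())]}


if __name__ == "__main__":
    for label, policy in (("bucket", LOOSE_BUCKET_POLICY), ("topic", LOOSE_TOPIC_POLICY)):
        print(f"{label}: {len(audit_policy(policy))} finding(s)")
        for finding in audit_policy(policy):
            print("  -", finding)
    print("minimal bucket policy:", minimal_policy())
```

The project-basic-role findings are the ones to act on first: a bucket created with default settings lets every project Editor write to the handover location, which silently widens the set of "trusted workloads" far beyond the uploader and consumer identities. Removing those bindings (and keeping uniform bucket-level access enabled so object ACLs cannot reintroduce public access) brings the bucket policy down to what `minimal_policy()` emits; the same audit applies unchanged to the topic policy, since both APIs share the same bindings layout.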