When designing and onboarding cloud identities, resource hierarchy, and landing zone networks, consider the design recommendations in Landing zone design in Google Cloud and the Google Cloud security best practices covered in the enterprise foundations blueprint. Validate your selected design against the following documents:
- Best practices and reference architectures for VPC design
- Decide a resource hierarchy for your Google Cloud landing zone
- Google Cloud Architecture Framework: Security, privacy, and compliance
Also, consider the following general best practices:
- When choosing a hybrid or multicloud network connectivity option, consider business and application requirements such as SLAs, performance, security, cost, reliability, and bandwidth. For more information, see Choosing a Network Connectivity product and Patterns for connecting other cloud service providers with Google Cloud.
- Use shared VPCs on Google Cloud instead of multiple VPCs when appropriate and aligned with your resource hierarchy design requirements. For more information, see Deciding whether to create multiple VPC networks.
- Follow the best practices for planning accounts and organizations.
- Where applicable, establish a common identity between environments so that systems can authenticate securely across environment boundaries.
- To securely expose applications to corporate users in a hybrid setup, and to choose the approach that best fits your requirements, you should follow the recommended ways to integrate Google Cloud with your identity management system.
- When designing your on-premises and cloud environments, consider IPv6 addressing early on, and account for which services support it. For more information, see An Introduction to IPv6 on Google Cloud. It summarizes the services that were supported when the blog was written.
- When designing, deploying, and managing your VPC firewall rules, you can:
  - Use service-account-based filtering over network-tag-based filtering if you need strict control over how firewall rules are applied to VMs.
  - Use firewall policies when you group several firewall rules, so that you can update them all at once. You can also make the policy hierarchical. For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.
  - Use geo-location objects in firewall policy when you need to filter external IPv4 and external IPv6 traffic based on specific geographic locations or regions.
  - Use Threat Intelligence for firewall policy rules if you need to secure your network by allowing or blocking traffic based on Threat Intelligence data, such as known malicious IP addresses or based on public cloud IP address ranges. For example, you can allow traffic from specific public cloud IP address ranges if your services need to communicate with that public cloud only. For more information, see Best practices for firewall rules.
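The following Terraform configuration is an added example, not code from this page or from Google, that puts the four firewall recommendations above together: a VPC firewall rule filtered by service account rather than by network tag, and a network firewall policy whose rules use a Threat Intelligence list, a geo-location object and a public-cloud address list, then attach the policy to the VPC. The project ID, network name, service-account names, region codes and ports are assumed placeholder values; the Threat Intelligence list names are the ones Google publishes for known malicious IPs and for AWS address ranges.

```hcl
# Added example (not from the Google Cloud page). All names and values below
# are assumed placeholders for a hybrid landing-zone VPC.
variable "project_id" { default = "example-project" } # assumed

resource "google_compute_network" "hybrid_vpc" {
  project                 = var.project_id
  name                    = "hybrid-vpc"
  auto_create_subnetworks = false
}

# 1. Service-account-based filtering: the rule follows the identity attached
#    to the VM, which cannot be changed by anyone who can only edit tags.
#    Only web-tier VMs may reach app-tier VMs, and only on TCP/8443.
resource "google_compute_firewall" "web_to_app" {
  project   = var.project_id
  name      = "allow-web-to-app-8443"
  network   = google_compute_network.hybrid_vpc.name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["8443"]
  }

  source_service_accounts = ["web-tier@${var.project_id}.iam.gserviceaccount.com"] # assumed
  target_service_accounts = ["app-tier@${var.project_id}.iam.gserviceaccount.com"] # assumed
}

# 2. A network firewall policy groups several rules so they are versioned and
#    updated together, and it can use geo-location and Threat Intelligence
#    match objects that plain VPC firewall rules cannot.
resource "google_compute_network_firewall_policy" "edge" {
  project     = var.project_id
  name        = "edge-policy"
  description = "Edge filtering for the hybrid VPC"
}

# Threat Intelligence: drop all ingress from ranges classified as known malicious.
resource "google_compute_network_firewall_policy_rule" "deny_known_malicious" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.edge.name
  priority        = 100
  direction       = "INGRESS"
  action          = "deny"
  enable_logging  = true

  match {
    src_threat_intelligences = ["iplist-known-malicious-ips"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}

# Geo-location object: accept external HTTPS only from the countries the
# service is offered in (region codes assumed for the example).
resource "google_compute_network_firewall_policy_rule" "allow_https_from_regions" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.edge.name
  priority        = 200
  direction       = "INGRESS"
  action          = "allow"
  enable_logging  = true

  match {
    src_region_codes = ["US", "DE"] # assumed
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }
}

# Public-cloud ranges: a partner integration port is reachable only from AWS
# address space, so the rule never has to track that provider's published ranges.
resource "google_compute_network_firewall_policy_rule" "allow_partner_from_aws" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.edge.name
  priority        = 300
  direction       = "INGRESS"
  action          = "allow"
  enable_logging  = true

  match {
    src_threat_intelligences = ["iplist-public-clouds-aws"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["9443"] # assumed partner port
    }
  }
}

# The policy only takes effect once it is associated with the network.
resource "google_compute_network_firewall_policy_association" "edge_to_vpc" {
  project           = var.project_id
  name              = "edge-policy-to-hybrid-vpc"
  attachment_target = google_compute_network.hybrid_vpc.id
  firewall_policy   = google_compute_network_firewall_policy.edge.name
}
```

Lower priority numbers are evaluated first, so the deny for known malicious ranges at priority 100 wins over the two allows regardless of source region. To make the same rules hierarchical, the `match` blocks are unchanged; the policy becomes a `google_compute_firewall_policy` created under a folder or organization and is associated with that folder instead of a single VPC, so every VPC below it inherits the rules before its own VPC firewall rules are evaluated.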
- You should always design your cloud and network security using a multilayer security approach by considering additional security layers, like the following:
  - Google Cloud Armor
  - Cloud Intrusion Detection System
  - Cloud Next Generation Firewall IPS
  - Threat Intelligence for firewall policy rules
  These additional layers can help you filter, inspect, and monitor a wide variety of threats at the network and application layers for analysis and prevention.
- When deciding where DNS resolution should be performed in a hybrid setup, we recommend using two authoritative DNS systems: one for your private Google Cloud environment, and the existing DNS servers in your on-premises environment for the on-premises resources they already host. For more information, see Choose where DNS resolution is performed.
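As an added example of the two-authoritative-systems split recommended above (this is not configuration from the page or from Google), the following Terraform makes Cloud DNS authoritative for cloud-hosted names in a private zone, forwards queries for the on-premises domain to the existing on-premises servers over the hybrid connection, and enables inbound forwarding so those on-premises servers can resolve cloud names in return. The project ID, domain names, on-premises resolver addresses and the record address are assumed placeholders.

```hcl
# Added example (not from the Google Cloud page). Values are assumed placeholders.
variable "project_id"         { default = "example-project" }            # assumed
variable "onprem_dns_servers" { default = ["10.10.0.53", "10.10.1.53"] } # assumed

resource "google_compute_network" "hybrid_vpc" {
  project                 = var.project_id
  name                    = "hybrid-vpc"
  auto_create_subnetworks = false
}

# Authoritative system 1: Cloud DNS owns the cloud domain. Only VMs in the
# attached VPC can see this zone; nothing is published to the internet.
resource "google_dns_managed_zone" "cloud_private" {
  project    = var.project_id
  name       = "cloud-internal"
  dns_name   = "gcp.example.internal." # assumed
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.hybrid_vpc.id
    }
  }
}

resource "google_dns_record_set" "app" {
  project      = var.project_id
  managed_zone = google_dns_managed_zone.cloud_private.name
  name         = "app.gcp.example.internal."
  type         = "A"
  ttl          = 300
  rrdatas      = ["10.20.0.10"] # assumed internal address of the application
}

# Authoritative system 2: on-premises DNS keeps the corporate domain. Cloud DNS
# forwards those queries to the existing servers; forwarding_path = "private"
# keeps the queries on the VPN/Interconnect path rather than the internet.
resource "google_dns_managed_zone" "onprem_forward" {
  project    = var.project_id
  name       = "onprem-forward"
  dns_name   = "corp.example.internal." # assumed
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.hybrid_vpc.id
    }
  }

  forwarding_config {
    dynamic "target_name_servers" {
      for_each = var.onprem_dns_servers
      content {
        ipv4_address    = target_name_servers.value
        forwarding_path = "private"
      }
    }
  }
}

# Reverse direction: an inbound server policy gives the VPC an entry-point
# address per subnet, which the on-premises servers use as a conditional
# forwarder for gcp.example.internal.
resource "google_dns_policy" "inbound" {
  project                   = var.project_id
  name                      = "inbound-from-onprem"
  enable_inbound_forwarding = true

  networks {
    network_url = google_compute_network.hybrid_vpc.id
  }
}
```

Two things to verify after applying this: the on-premises resolvers must be reachable over the hybrid connection from the Google-reserved range 35.199.192.0/19, which outbound forwarding uses as its source, so on-premises firewalls and return routes need to allow it; and the inbound entry-point addresses are allocated from each subnet, so record them and configure the on-premises conditional forwarders only after the policy exists.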
- Where possible, always expose applications through APIs using an API gateway or load balancer. We recommend that you consider an API platform like Apigee. Apigee acts as an abstraction or facade for your backend service APIs, combined with security capabilities, rate limiting, quotas, and analytics.
- An API platform (gateway or proxy) and Application Load Balancer aren't mutually exclusive. Sometimes, using both API gateways and load balancers together can provide a more robust and secure solution for managing and distributing API traffic at scale. Using Cloud Load Balancing with API gateways lets you accomplish the following:
  - Deliver high-performing APIs with Apigee and Cloud CDN, to:
    - Reduce latency
    - Host APIs globally
    - Increase availability for peak traffic seasons
    For more information, watch Delivering high-performing APIs with Apigee and Cloud CDN on YouTube.
  - Implement advanced traffic management.
  - Use Google Cloud Armor as DDoS protection, WAF, and network security service to protect your APIs.
  - Manage efficient load balancing across gateways in multiple regions. For more information, watch Securing APIs and Implementing multi-region failover with PSC and Apigee.
- To determine which Cloud Load Balancing product to use, you must first determine what traffic type your load balancers must handle. For more information, see Choose a load balancer.
- When Cloud Load Balancing is used, you should use its application capacity optimization abilities where applicable. Doing so can help you address some of the capacity challenges that can occur in globally distributed applications.
  - For a deep dive on latency, see Optimize application latency with load balancing.
- Cloud VPN encrypts traffic between environments. With Cloud Interconnect, you need to use either MACsec for Cloud Interconnect or HA VPN over Cloud Interconnect to encrypt traffic in transit at the connectivity layer. For more information, see How can I encrypt my traffic over Cloud Interconnect.
  - You can also consider service layer encryption using TLS. For more information, see Decide how to meet compliance requirements for encryption in transit.
- If you need more traffic volume over VPN hybrid connectivity than a single VPN tunnel can support, consider using the active/active HA VPN routing option.
  - For long-term hybrid or multicloud setups with high outbound data transfer volumes, consider Cloud Interconnect or Cross-Cloud Interconnect. Those connectivity options help to optimize connectivity performance and might reduce outbound data transfer charges for traffic that meets certain conditions. For more information, see Cloud Interconnect pricing.
- When connecting to Google Cloud resources and trying to choose between Cloud Interconnect, Direct Peering, or Carrier Peering, we recommend using Cloud Interconnect, unless you need to access Google Workspace applications. For more information, you can compare the features of Direct Peering with Cloud Interconnect and Carrier Peering with Cloud Interconnect.
- Allow enough IP address space from your existing RFC 1918 IP address space to accommodate your cloud-hosted systems.
- If you have technical restrictions that require you to keep your IP address range, you can:
  - Use the same internal IP addresses for your on-premises workloads while migrating them to Google Cloud, using hybrid subnets.
  - Provision and use your own public IPv4 addresses for Google Cloud resources using bring your own IP (BYOIP) to Google.
- If the design of your solution requires exposing a Google Cloud-based application to the public internet, consider the design recommendations discussed in Networking for internet-facing application delivery.
- Where applicable, use Private Service Connect endpoints to allow workloads in Google Cloud, on-premises, or in another cloud environment with hybrid connectivity, to privately access Google APIs or published services, using internal IP addresses in a fine-grained fashion.
- When using Private Service Connect, you must control the following:
  - Who can deploy Private Service Connect resources.
  - Whether connections can be established between consumers and producers.
  - Which network traffic is allowed to access those connections.
  For more information, see Private Service Connect security.
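The Terraform below is an added example, not configuration from this page or from Google, showing one way to implement the three Private Service Connect controls just listed for a service you publish to other projects: the producer's service attachment accepts connections only from an explicit consumer list, a producer-side firewall rule admits only traffic sourced from the PSC NAT subnet to the backend service account, and an organization policy on the consumer project limits which service attachments its endpoints may connect to. The project IDs, organization ID, region, subnet range, backend service account and the pre-existing internal load balancer forwarding rule are all assumed placeholders.

```hcl
# Added example (not from the Google Cloud page). Values are assumed placeholders.
variable "producer_project_id" { default = "producer-project" } # assumed
variable "consumer_project_id" { default = "consumer-project" } # assumed
variable "org_id"              { default = "123456789012" }     # assumed placeholder
variable "region"              { default = "us-central1" }      # assumed

# Self link of an internal passthrough Network Load Balancer forwarding rule
# that already fronts the producer service (assumed to exist).
variable "producer_forwarding_rule" {
  default = "projects/producer-project/regions/us-central1/forwardingRules/producer-ilb"
}

resource "google_compute_network" "producer_vpc" {
  project                 = var.producer_project_id
  name                    = "producer-vpc"
  auto_create_subnetworks = false
}

# Consumer traffic is source-NATed into this range before it reaches the
# producer backends, which is what makes the firewall rule below precise.
resource "google_compute_subnetwork" "psc_nat" {
  project       = var.producer_project_id
  name          = "psc-nat"
  region        = var.region
  network       = google_compute_network.producer_vpc.id
  ip_cidr_range = "10.90.0.0/24" # assumed
  purpose       = "PRIVATE_SERVICE_CONNECT"
}

# Control: whether connections can be established. ACCEPT_MANUAL means a
# consumer endpoint stays pending until its project is on the accept list,
# and connection_limit caps how many endpoints that project may create.
resource "google_compute_service_attachment" "producer" {
  project               = var.producer_project_id
  name                  = "producer-service"
  region                = var.region
  enable_proxy_protocol = false
  connection_preference = "ACCEPT_MANUAL"
  nat_subnets           = [google_compute_subnetwork.psc_nat.id]
  target_service        = var.producer_forwarding_rule

  consumer_accept_lists {
    project_id_or_num = var.consumer_project_id
    connection_limit  = 2
  }
}

# Control: which network traffic may use the connection. Only packets from the
# PSC NAT range reach the backend VMs, identified by service account, on 443.
resource "google_compute_firewall" "allow_psc_to_backends" {
  project   = var.producer_project_id
  name      = "allow-psc-nat-to-backends"
  network   = google_compute_network.producer_vpc.name
  direction = "INGRESS"
  priority  = 1000

  source_ranges           = [google_compute_subnetwork.psc_nat.ip_cidr_range]
  target_service_accounts = ["svc-backend@${var.producer_project_id}.iam.gserviceaccount.com"] # assumed

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Control: what consumers in this project may deploy endpoints to. The
# organization policy constraint restricts endpoints to service attachments
# published inside your own organization.
resource "google_org_policy_policy" "restrict_psc_producers" {
  name   = "projects/${var.consumer_project_id}/policies/compute.restrictPrivateServiceConnectProducer"
  parent = "projects/${var.consumer_project_id}"

  spec {
    rules {
      values {
        allowed_values = ["under:organizations/${var.org_id}"]
      }
    }
  }
}
```

The first control, who can deploy Private Service Connect resources, is an IAM question rather than a network one: an endpoint is a forwarding rule in the consumer VPC, so the roles that grant forwarding-rule and address creation in that project decide who can create endpoints, and the producer's accept list decides whether those endpoints ever become active. On the consumer side, ordinary VPC firewall rules on the endpoint's internal address complete the third control.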
- To achieve a robust cloud setup in the context of hybrid and multicloud architecture:
  - Perform a comprehensive assessment of the required levels of reliability of the different applications across environments. Doing so can help you meet your objectives for availability and resilience.
  - Understand the reliability capabilities and design principles of your cloud provider. For more information, see Google Cloud infrastructure reliability.
- Cloud network visibility and monitoring are essential to maintain reliable communications. Network Intelligence Center provides a single console for managing network visibility, monitoring, and troubleshooting.