You need to control incoming and outgoing traffic to a compute engine instance what do you do

At 66degrees, security is always top of mind for our clients and us when we architect Google Cloud solutions. Starting with Google’s extensive list of security best practices, we bake security into every aspect of our designs.

One of the most important security controls we offer our clients is a private network. Like other cloud providers, Google Cloud defaults to having almost all of the servers and services exposed to the internet, either in the form of public IP addresses or publicly accessible APIs. This creates a significant challenge when trying to restrict access to and from these services, and ensure services have the minimum amount of permissions required, including permissions to network resources.

In part one of our private networking series, I’ll walk through how to design private networks on Google Cloud, starting with: 

  • Organizational Policies
  • Shared VPCs
  • Cloud NAT
  • Private Google Access
  • Traffic management

Organizational Policies

The first step to creating a private network starts with an organizational policy. 

You need to prevent Compute Engine VMs from having an external IP address. To do this, enforce the constraints/compute.vmExternalIpAccess organization policy constraint on your entire organization or on specific folders or projects. Every organization's security needs are different, so you'll need to understand yours before deciding the best way to apply this organizational policy.
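The policy described above, as an added example that is not part of the original post: it writes the deny-all list policy for constraints/compute.vmExternalIpAccess, applies it with gcloud at the scope you choose, and then checks the effective policy and lists VMs that already hold an external address. It assumes an authenticated gcloud with the Org Policy Administrator role; the organization and project values are placeholders.

```shell
#!/bin/sh
# Added example: deny external IPs via the compute.vmExternalIpAccess constraint.
# Assumes an authenticated gcloud with Org Policy Administrator on the target.
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
: "${DRY_RUN:=1}"

gc() {
  if [ -n "$DRY_RUN" ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi
}

# Policy document: a list constraint with every value denied, so no VM in
# scope can be created with, or later given, an external IP address.
external_ip_policy_yaml() {
  cat <<'EOF'
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  allValues: DENY
EOF
}

# Apply the policy at one scope: "--organization=ORG_ID", "--folder=FOLDER_ID"
# or "--project=PROJECT_ID" (a narrower scope overrides what it inherits).
deny_external_ips() {
  scope="$1"
  tmp=$(mktemp) || return 1
  external_ip_policy_yaml >"$tmp"
  gc resource-manager org-policies set-policy "$tmp" "$scope"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Verify: the effective (merged) policy should show allValues: DENY, and any
# VM that already holds an external IP is listed, since the constraint only
# blocks new assignments and does not strip addresses from existing VMs.
check_external_ips() {
  scope="$1"; project="$2"
  gc resource-manager org-policies describe compute.vmExternalIpAccess \
    "$scope" --effective
  gc compute instances list --project="$project" \
    --filter='networkInterfaces[].accessConfigs[].natIP:*' \
    --format='table(name,zone.basename(),networkInterfaces[].accessConfigs[].natIP.flatten())'
}

# Usage (placeholder org id): ORG_ID=123456789012 DRY_RUN= sh private-ips.sh
if [ -n "${ORG_ID:-}" ]; then
  deny_external_ips "--organization=$ORG_ID"
  check_external_ips "--organization=$ORG_ID" "${PROJECT_ID:-example-project}"
fi
```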

Once you have limited the ability for virtual machines to acquire public IP addresses, it’s time to design how internal networking will look.

Shared VPCs

We typically encourage our clients to use a Google Cloud Shared VPC architecture for their projects:

[Diagram: Shared VPC architecture. Image credits: Google Cloud]

A Shared VPC architecture focuses on centralizing control of networking into one project, commonly referred to as the “Shared VPC Host Project.”  From here, you can centrally manage subnets, firewall rules, and routes. You can also delegate access to these resources to other projects, commonly referred to as “Service Projects.”

Google provides a deep dive on setting up a Shared VPC here.

With your Shared VPC architecture set up, you’ll now need a way for your virtual machines to access resources on the internet.

Cloud NAT

Without a public IP address, your Compute Engine VMs will be unable to reach resources on the internet. To fix this, you’ll need to set up Cloud NAT.

Cloud NAT allows Compute Engine VMs to access resources on the internet by providing them a static block of external IP addresses to use for external connectivity. You'll need a Cloud Router to which to attach the Cloud NAT gateway. (See this guide for more information.)

An added benefit of using Cloud NAT is ensuring the external traffic of your instances comes from a static, predictable block of IP addresses. A lot of our clients leverage vendors that limit their services by IP address, and Cloud NAT easily meets this requirement.

Cloud NAT will help with accessing resources on the internet, but what about services on Google Cloud?

Private Google Access

Without internet access, your Compute Engine VMs will not be able to reach Google Cloud services like Cloud Storage or Secret Manager directly. Instead, you'll need to set up Private Google Access.

Private Google Access is enabled on each subnet in your VPC and allows instances to connect to Google Cloud services and APIs through private networking. The process to set this up has multiple steps and requires some architecture considerations for your use cases. See this guide for details.
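The Cloud NAT and Private Google Access steps above, as an added example that is not part of the original post: it reserves a static NAT address (the one you would give to a vendor that allow-lists by source IP), creates the Cloud Router and NAT gateway, and turns on Private Google Access per subnet. Project, network, region and subnet names are placeholders; DNS and routing considerations from the guide referenced above are not covered here.

```shell
#!/bin/sh
# Added example: static Cloud NAT plus Private Google Access, with gcloud.
# Assumptions (all placeholders): host project "host-proj", network
# "shared-vpc", region us-central1, subnets "app" and "db".
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
: "${DRY_RUN:=1}"
gc() { if [ -n "$DRY_RUN" ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi; }

# Reserve a static regional address and hand it to the NAT gateway. Manual
# allocation is what makes the egress IP predictable enough to give to a
# vendor's allow-list; auto-allocated NAT IPs can change.
create_nat() {
  project="$1"; network="$2"; region="$3"; name="$4"
  gc compute addresses create "$name-ip" --project="$project" --region="$region"
  gc compute routers create "$name-router" --project="$project" \
    --network="$network" --region="$region"
  gc compute routers nats create "$name" --project="$project" \
    --router="$name-router" --region="$region" \
    --nat-external-ip-pool="$name-ip" --nat-all-subnet-ip-ranges \
    --enable-logging --log-filter=ERRORS_ONLY
}

# Private Google Access is a per-subnet flag: VMs with only internal IPs can
# then reach Google APIs. DNS and routing details are in the guide above.
enable_private_google_access() {
  project="$1"; region="$2"; shift 2
  for subnet in "$@"; do
    gc compute networks subnets update "$subnet" --project="$project" \
      --region="$region" --enable-private-ip-google-access
  done
}

# Verification: the NAT IP to share with vendors, and each subnet's flag.
show_egress_config() {
  project="$1"; region="$2"; name="$3"; shift 3
  gc compute addresses describe "$name-ip" --project="$project" \
    --region="$region" --format='value(address)'
  for subnet in "$@"; do
    gc compute networks subnets describe "$subnet" --project="$project" \
      --region="$region" --format='value(privateIpGoogleAccess)'
  done
}

# Usage: APPLY=1 DRY_RUN= sh egress.sh
if [ -n "${APPLY:-}" ]; then
  create_nat host-proj shared-vpc us-central1 egress-nat
  enable_private_google_access host-proj us-central1 app db
  show_egress_config host-proj us-central1 egress-nat app db
fi
```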

You now have access to internet resources and Google Cloud services. All that’s left is to tighten up your firewall rules and figure out how external clients can access your services.

Traffic Management

Your private network is now isolated from the internet, but you have two problems left to solve: restricting outbound traffic and allowing inbound traffic from clients on the internet.

Firewall rules can be used to restrict outbound traffic to the internet. By default, Google Cloud allows all egress traffic. To change this, create a firewall rule that denies outbound traffic, then add allow rules only for the specific VPC resources and internet destinations your services need to reach. We recommend targeting firewall rules by service account wherever possible, as this lets administrators delegate the use of firewall policies without giving users the ability to self-manage them. You can also use hierarchical firewall policies to allow self-management of firewall policies.
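The egress design above, as an added example that is not part of the original post: a logged deny-all egress rule at the lowest user priority, with allow rules targeted by service account for the VPC's own ranges, Google APIs and one vendor endpoint. Project, network, service account, subnet range and vendor IP are placeholders, and it assumes Google API names are resolved to the private.googleapis.com range (199.36.153.8/30); with default DNS those APIs resolve to public Google addresses that this deny rule would also block.

```shell
#!/bin/sh
# Added example: default-deny egress with service-account-scoped allow rules.
# Assumptions (all placeholders): host project "host-proj", network
# "shared-vpc", app VMs running as app-sa@host-proj.iam.gserviceaccount.com,
# subnets in 10.10.0.0/16, a vendor API at 203.0.113.10 (documentation range),
# and Google APIs resolved to private.googleapis.com (199.36.153.8/30).
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
: "${DRY_RUN:=1}"
gc() { if [ -n "$DRY_RUN" ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi; }

# Catch-all deny at priority 65534: lower numbers win, so this sits beneath
# every allow rule and above the implied allow-egress rule at 65535.
# Logging it is what tells you which flows were blocked during rollout.
deny_all_egress() {
  project="$1"; network="$2"
  gc compute firewall-rules create deny-all-egress --project="$project" \
    --network="$network" --direction=EGRESS --action=DENY --rules=all \
    --destination-ranges=0.0.0.0/0 --priority=65534 --enable-logging
}

# One allow rule per (service account, destination, ports). Targeting by
# service account ties the rule to the workload identity; network tags can
# be set by anyone who can edit the VM.
allow_egress_for_sa() {
  project="$1"; network="$2"; name="$3"; sa="$4"; dest="$5"; rules="$6"
  gc compute firewall-rules create "$name" --project="$project" \
    --network="$network" --direction=EGRESS --action=ALLOW --rules="$rules" \
    --destination-ranges="$dest" --target-service-accounts="$sa" --priority=1000
}

# App tier: VPC-internal traffic, Google APIs over the private VIP range, and
# one vendor over HTTPS. Anything else is logged and dropped by deny-all-egress.
apply_app_egress_policy() {
  sa=app-sa@host-proj.iam.gserviceaccount.com
  deny_all_egress host-proj shared-vpc
  allow_egress_for_sa host-proj shared-vpc allow-app-internal "$sa" 10.10.0.0/16 all
  allow_egress_for_sa host-proj shared-vpc allow-app-google-apis "$sa" 199.36.153.8/30 tcp:443
  allow_egress_for_sa host-proj shared-vpc allow-app-vendor "$sa" 203.0.113.10/32 tcp:443
}

# Usage: APPLY=1 DRY_RUN= sh egress-firewall.sh
if [ -n "${APPLY:-}" ]; then apply_app_egress_policy; fi
```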

To allow clients on the internet to access your private network services, use Google Cloud Load Balancing. Your private Compute Engine VMs can be used as backend services, allowing clients on the internet to access them securely. Review the list of load balancers available and choose the one most suitable for your workloads.

Get a Secure Start on Google Cloud

Private networks are just one of many security controls you can use to get a secure start on the cloud. Talk to 66degrees’ cloud experts about elevating your Google Cloud security posture with expert guidance, configuration, and support.

More and more businesses are offloading their networking and storage needs to cloud services to help them deal with growing demands on their limited resources. Gartner has predicted that public cloud spending will increase by 18% in 2021, reaching a total of $304.9 billion. With 7% of the market share and tremendous year-on-year growth, Google Cloud is emerging as one of the top competitors.

While going to the cloud holds many benefits, it also comes with its fair share of challenges, particularly in maintaining high standards of network traffic monitoring and visibility. Having access to comprehensive, contextual, and up-to-date information is critical to make intelligent decisions and maintaining your network security. 

FastNetMon is a lightning-fast network monitoring tool that’s easy to deploy within Google Cloud infrastructure and integrates with native tools to enhance your visibility and control over your network.

We are a certified Google Cloud partner.

What Does FastNetMon Offer Google Cloud Users?

FastNetMon offers a complete solution for Google Cloud, featuring a one-click setup. You can deploy FastNetMon from the Google Cloud Marketplace, licensed on the Google Cloud side. As a further convenience, you can pay for FastNetMon through your cloud subscription without any direct, separate contract with FastNetMon itself.

When set up on your Google Cloud infrastructure, FastNetMon uses the native Google Cloud Datastore database instead of the standard MongoDB.

Why use FastNetMon With Your Google Cloud?

First of all, it's a secure solution that lets you store traffic and metrics data in separate regions and use native Google Cloud tools (such as VPC Flow Logs, Pub/Sub, and Compute Engine) to process and transform traffic data.

FastNetMon in Google Cloud can be used as a complete solution for the detection and mitigation of DDoS attacks and for network analytics. FastNetMon can detect what traffic is entering a particular instance, which instances or networks are becoming overloaded, and even which countries or autonomous systems are taking up excessive amounts of traffic. You can use this information to optimize your network systems and decide whether to move specific components from your cloud to content delivery networks (CDNs).

How to set up FastNetMon on Google Compute Engine (GCE)

As a flexible network analytics solution, FastNetMon can be set up on your GCE network in three different ways:

  • Configure a single, central instance that receives all traffic from all regions.
  • Configure a single instance of FastNetMon in every region you use.
  • Configure a hybrid setup that consists of a central instance together with instances across all active regions. Note that data will be duplicated between the regional instances and the primary instance. In return, you get a global overview of all the data collected from all your regions if your service has a distributed topology.

When using FastNetMon, it's recommended to publish network events to Google Cloud using Pub/Sub, with an additional FastNetMon component that accepts the incoming/outgoing traffic data associated with a particular instance or load balancer.

FastNetMon can also quickly ingest Google Cloud VPC Flow Logs to give you the visibility to monitor your traffic and make informed networking decisions. The setup process is relatively straightforward, and FastNetMon's team stands ready to provide you with any assistance.

See how FastNetMon can help you monitor your Google Cloud network with a no-risk free trial. Our team stands ready should you need any assistance to configure the optimal FastNetMon in Google Cloud solution for your network.