Google Cloud has added a new service that promises to make it easier for enterprise customers to securely network multiple cloud-based resources.
The Cross-Cloud Network service consists of new and existing Google Cloud technology and includes a partner ecosystem to help organizations develop, build and support distributed enterprise applications across clouds.
“We know that 70-plus percent of our enterprises are going to adopt multicloud. [The] idea behind Cross-Cloud Network is that today many organizations operate bespoke networks with turnkey security to connect to those clouds that are operationally complex to manage and build, thereby resulting in a much higher total cost of ownership and soaring costs,” said Muninder Sambi, vice president and general manager of networking for Google Cloud.
“They set up private data centers to connect and secure the hybrid workforce to access cloud and on-prem resources and manage multiple CDN clouds to accelerate web apps. All of this can also lead to an inconsistent security posture and drives up total costs."
Cross-Cloud Network is designed to address those challenges and offer a consistent way to interconnect applications without compromising application delivery or security, Sambi said.
Key to the Cross-Cloud Network service is the vendor’s Cross Cloud Interconnect feature, introduced in May, that offers 10 Gbps or 100 Gbps managed, encrypted links to connect Google virtual private cloud (VPC), other VPCs or virtual networks in different clouds. The service supports security options such as IPsec VPN or MACsec and is backed with a 99.99% SLA promise, Sambi said.
Using Cross-Cloud Network can reduce network latency by 35% and total cost of ownership by 40% versus networking applications without routing the traffic over Google’s network, Sambi said.
The service supports Alibaba Cloud, Amazon Web Services, Microsoft Azure, and Oracle Cloud Infrastructure, Sambi added.
Cross-Cloud Network makes use of Google’s backbone which, according to analysts, is a key point of the new service.
Google’s overarching networking strategy is strong, said Sid Nag, vice president for cloud services and technologies with Gartner Research. “[Google Cloud] is not only connecting its own customers but also connecting to other hyperscale cloud providers as organizations (90% in 2023 as per Gartner’s prediction) increasingly move to a multicloud adoption model. Google’s Cross-Cloud Interconnect feature is a strong offering in this regard,” Nag said.
“Google Networking is one of the strong assets of Google that separates itself from the competition. It is a hyperscale networking backbone. Google Networking is akin to an ISP in many ways. It provides connectivity for its multiple assets such as YouTube and Google Cloud,” Nag said. “Google Network is present on over 180 internet exchanges and at over 160 interconnection facilities. Google has made significant investments in multicloud networking.”
VPC spokes support in Network Connectivity Center
The Cross-Cloud Network service includes support for Google’s Network Connectivity Center, which orchestrates network connectivity among multiple resources. To that service, Google is previewing a service called VPC spokes, which will let customers scale virtual private connectivity.
“VPC spokes export and import all IPv4 subnet routes from the spoke VPC network's own subnet IPv4 address ranges, ensuring full IPv4 connectivity between all workloads that reside in these VPC networks,” Google stated. “Inter-VPC network traffic stays within the Google Cloud network and does not travel through the internet, ensuring privacy and security.”
In addition, another new feature called Private Service Connect provides connectivity to managed service networking without leaving the Google Cloud network. According to Google, the feature works by allowing a network connection from a Private Service Connect interface to Google Cloud, which then allocates an IP address to the interface. The IP address is linked from the consumer subnet that's specified by the network connection. The consumer and producer networks are then connected and can communicate by using internal IP addresses, the vendor stated.
The service supports over 20 different Google and partner managed services, including Databricks, JFrog, and MongoDB.
Also new to Cross-Cloud Network is an application load balancer that can evenly distribute workloads between distributed clients and backend services, which can improve traffic flows and overall resiliency for internal applications, Sambi said.
The load balancing function allows private clients from any Google Cloud region to access internal load balancers residing in any other Google Cloud region. The application load balancers can also check the health status of a particular application and send traffic to globally distributed backend services, Google stated.
In addition, Google's cloud application load balancers now support cross-project service referencing.
“This capability was available in our regional application load balancers and is now added to the global. Cross-project service referencing allows organizations to route traffic to services in different cloud projects, enabling deployment flexibility for services to reside in the projects that best meet organizational needs,” Sambi said.
Cross-Cloud Network security services
In addition to the networking components, Cross-Cloud Network adds a number of security services.
“We built ML-powered security products such as Cloud Armor and partnered with companies such as Palo Alto Networks to integrate advanced security technologies that can provide high threat efficacy with security posture controls,” Sambi said. Google’s Cloud Armor Adaptive Protection is the vendor’s ML-based service intended to detect and help protect networks from DDoS attacks.
The vendor also previewed Cloud NGFW, a cloud-first next-generation firewall co-developed with Mandiant and Palo Alto Networks. Cloud NGFW promises inline threat protection via a distributed firewall architecture to ensure simplicity, scale, and coverage across the cloud without the need to re-route traffic or re-architect cloud networks, Sambi said.
It allows for unified network security posture controls across perimeters and workloads so that enterprises can set organization-wide policies or IAM-provisioned tag-based policies that follow a workload across network and application layers, Sambi said.
A single-policy threat response can be enforced across an organization to quickly address security incidents.
“One of the things that our customers struggle with whenever they apply a firewall or a threat detection device is Transport Layer Security decryption,” Sambi said. "So we've actually distributed and taken that function out of the firewall and distributed it in our data plane, giving us much higher performance without having to degrade the Cloud NGFW performance.”
Additionally, global external application load balancers have enhanced security with mTLS client-side authentication. This capability lets the server verify the client’s identity in the same way that the client verifies the server’s identity during standard TLS authentication, Sambi said.
Another feature, Network Security Posture Control, lets customers tag workloads, VMs or a set of workloads and apply security policies across the Google Cloud infrastructure.
Partnering for secure service edge
For customers looking to adopt secure service edge (SSE) technology, for hybrid workers in particular, Google Cloud is partnering with Palo Alto Networks for its Prisma Access system and Broadcom for its secure Web gateway to offer SSE support natively in Google Cloud.
SSE solutions are being adopted by organizations to provide secure access to enterprise applications and SaaS applications and to help protect the distributed workforce, Sambi said. However, users connecting to SSE experience higher latency for private apps as SSE solutions rely on fixed tunnels over best-effort internet links to reach private applications across clouds.
The Cross Cloud Network service can direct all on-prem user traffic to these SSE offerings hosted in Google Cloud, Sambi said.
“After security inspection, traffic is routed to applications in Google Cloud or over Cross-Cloud Interconnect to other clouds. Because the security stack is deployed natively in Google Cloud, there are no tunnels or overlay networks required, allowing the stack to perform at its best. As a result of the native integration of these SSE solutions into Cross-Cloud Network, businesses will gain security controls and up to a 35% reduction in network latency.”