aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
  • Tools
  • About
  • Architecture
  • Public Cloud

Internet-Facing Application Delivery: Networking Architecture

  • aster_cloud
  • May 4, 2023
  • 3 minute read

Exposing your applications to the internet is a common requirement for enterprises. In this article we would be looking at internet facing application delivery. This references information from the document Networking for internet-facing applications: Reference architecture which should be read for more detail.

Internet facing applications 

Any application meant to be used by people on the internet needs to be built for high availability, wide consumption and tight security. Services and web-apps need to be built so they can be protected as they scale.


Partner with aster.cloud
for your next big idea.
Let us know here.


cyberpogo

Google Cloud has several services to help you add security controls to your external facing application.

  • The Edge – Cloud Armor provides WAF and DDoS protection, Load Balancers give you a single IP to expose your services.
  • In region – Network Virtual Appliances such as Next Generation Firewalls can be used to inspect traffic and Network Firewall policies can be used to control access to your resources.
  • Other services – Cloud IDS (Cloud Intrusion Detection System)  can detect threats in both East West and North South traffic flows.

Networking internet-facing applications

The document Networking for internet-facing applications: Reference architecture explores several patterns grouped as follows:

  • Lift and shift Architecture
  • Hybrid service architecture
  • Zero Trust Distributed Architecture

We will explore two architectures under the hybrid service architecture group.

# 1 – Hybrid connectivity configuration using external Cloud Load Balancing and network edge services

Securing service access at the edge and distributing traffic to multiple sources can be achieved on Google Cloud. Some components involved in this design are Load balancers, Cloud CDN, Cloud Armor, Identity aware proxy, Google-managed SSL certificates and Network Endpoint Groups.

The design below shows Google Cloud frontend services, Load balancer and multiple backend sources.

https://storage.googleapis.com/gweb-cloudblog-publish/images/1-network-services-for-hybrid.max-2200x2200.jpg

The design elements are as follows.

Edge services

  • Load balancer – Ingest traffic from external clients.
  • Cloud CDN – If there is static content and this feature is enabled, Cloud CDN caches content at a location closest to the user and serves it from there thereby reducing latency. 
  • Managed certs –  Helps you to manage your domains with Google-managed SSL certificates.
  • Cloud Armor – Provides protection against DDoS and OWASP top 10 protection.
  • Identity Aware-proxy – Allows access based on identity.
Read More  NetApp Teams With VMware, AWS To Help Customers Modernize And Scale Enterprise Workloads On The Cloud

Backend
The backend resources selected will depend on the URL map configuration. Let’s look at some backend types used here.

  • Managed Instance group – This could be used for Virtual machines resources within Google Cloud. 
  • Hybrid Network endpoint groups (NEG) – These could be set up for on-premise and other cloud connections. Traffic to hybrid NEGs are routed over Cloud VPN, or interconnect connections.

# 2 – IDS traffic inspection

Intrusion Detection Systems (IDS) provide inspection of network traffic and visibility into possible suspicious activity. Cloud IDS is a Google Cloud service which meets this requirement.

 The design below shows Cloud IDS providing traffic inspection of internet traffic.

https://storage.googleapis.com/gweb-cloudblog-publish/images/2-ids.max-2000x2000.jpg

The design elements are as follows.

Front End.

  • Load Balancers – The design shows the use of both a regional Network load balancer for non HTTP(S) traffic and a global HTTP(S) load balancer. Traffic is directed to the IP’s of the load balancers to be distributed to the relevant backend resources.
  • External IP – There is also a VMs with an external IP address with firewall rules that allow access.

Cloud IDS.
For Cloud IDS to work the following is setup:

  • Service Networking, Cloud IDS APIs needs to be enabled.
  • Reservation of service IPs- A range of private IPs need to be allocated for services. 
  • A private connection to the service producer has to be enabled. This creates a VPC network peering from the network to be monitored to the service network.
  • A Cloud IDS endpoint has to be set up in the region where traffic is to be monitored. You will add a Cloud IDS service profile and packet mirroring policy to the end point.
  • Traffic logs will be generated and can be viewed in the Cloud IDS console or in Cloud Logging.
Read More  Microservices Architecture On Google Cloud

You can get a hands-on introduction lab at the skillsboost site. Cloud IDS: Qwik Start.

Overall this design gives visibility into internet traffic and also internal traffic for (threat intrusion detection, malware, spyware, and command-and-control attacks) and can help meet certain compliance requirements for an organization.

More on architecture

Previous blogs on this topic 6 building blocks for cloud networking and two network patterns for secure intra-area access are very good to explore. Also, I recommend reading the following documents:

  • Documentation: Networking for secure intra-cloud access: Reference architectures
  • Documentation: Designing networks for migrating enterprise workloads: Architectural approaches
  • Documentation: Networking for hybrid and multi-cloud workloads: Reference architectures
  • Documentation: Hybrid connectivity network endpoint groups overview

By Ammett Williams, Developer Relation Engineer, Google
Originally published Google Cloud

Source: Cyberpogo


Our humans need coffee too! Your support is highly appreciated, thank you!

aster_cloud

Related Topics
  • Cloud IDS
  • Cloud Load Balancing
  • Google Cloud
  • Networking Architecture
You May Also Like
View Post
  • Architecture
  • Platforms
  • Software
  • Solutions
  • Technology

What To Expect From Apple’s WWDC 2023

  • June 1, 2023
View Post
  • Architecture
  • Insights
  • Practices

The Agile Mindset: A Path to Personal Fulfillment and Growth

  • May 30, 2023
View Post
  • Data
  • Public Cloud

Cloud Data Loss Prevention’s Sensitive Data Intelligence Service Is Now Available In Security Command Center

  • May 18, 2023
View Post
  • Multi-Cloud
  • Public Cloud
  • Software Engineering

Policy Controller Dashboard: Now Available For All Anthos And GKE Environments

  • May 18, 2023
View Post
  • Containers
  • Public Cloud
  • Software
  • Software Engineering

How To Easily Migrate Your Apps To Containers — Free Deep Dive And Workshop

  • May 18, 2023
View Post
  • Design
  • Engineering
  • Public Cloud

Kubernetes Costs Less, But Less Than What?

  • May 18, 2023
View Post
  • Public Cloud
  • Software

Best Practices For Monetizing Cloud-based Technology And 5G Networks

  • May 15, 2023
View Post
  • Public Cloud
  • Software

New Cloud Deploy Features Make Application Deployment Even More Efficient

  • May 15, 2023

Stay Connected!
LATEST
  • 1
    Building A Kubernetes Platform: How And Why To Apply Governance And Policy
    • June 4, 2023
  • 2
    Leave, This “United” “Kingdom”, This “Great” “Britain”
    • June 4, 2023
  • 3
    Amazing Federated Multicloud Apps
    • June 2, 2023
  • 4
    What’s The Future Of DevOps? You Tell Us. Take The 2023 Accelerate State Of DevOps Survey
    • June 2, 2023
  • 5
    Resolving Deployment Issues With Ts-node And Azure Development Pipelines
    • June 1, 2023
  • 6
    What To Expect From Apple’s WWDC 2023
    • June 1, 2023
  • 7
    What Is Platform Engineering And Why Adopt It In Your Company?
    • June 1, 2023
  • 8
    Four Steps To Managing Your Cloud Logging Costs On A Budget
    • May 31, 2023
  • 9
    Red Hat Puts Podman Container Management On The Desktop
    • May 30, 2023
  • 10
    The Agile Mindset: A Path to Personal Fulfillment and Growth
    • May 30, 2023
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • 1
    Huawei ICT Competition 2022-2023 Global Final Held In Shenzhen — 146 Teams From 36 Countries And Regions Win Awards
    • May 27, 2023
  • 2
    Huawei OceanStor Pacific Scale-Out Storage Tops IO500 Rankings
    • May 26, 2023
  • 3
    MongoDB And Alibaba Cloud Extend Global Partnership
    • May 25, 2023
  • 4
    Tricentis Launches Quality Engineering Community ShiftSync
    • May 23, 2023
  • 5
    G7 2023: The Real Threat To The World Order Is Hypocrisy.
    • May 27, 2023
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.