Connecting to GCP public-facing services such as Google Cloud Storage, Cloud Spanner, etc. is typically something you would do over the public Internet; however, you may want the added benefits of consistent latency and performance that private connectivity offers. You can reach these services over private connectivity from within a Google Cloud VPC using Private Google Access, and even from your on-premises data centers via Google Cloud Interconnect or Google Peering. Getting there from your AWS VPC or Azure vNet via private line, though, has historically meant standing up leased lines from your premises to each of your cloud environments (Cloud Interconnect, Direct Connect, and ExpressRoute) and managing the routing yourself. This approach means long-term contracts and, depending on your location, may also introduce more latency than it's worth, since all of the data hairpins through your facility on its journey between the clouds.
Pureport's Multicloud Fabric enables you to quickly and easily connect two clouds together via native private connectivity. In the solution brief below, we'll focus specifically on accessing Google's public-facing services from an AWS VPC via AWS Direct Connect and Google Cloud Interconnect using our Multicloud Fabric as the connection broker.
When planning your deployment, carefully consider the geographical distance between your two cloud environments in order to minimize latency. While each cloud provider has many overlapping regions, the naming of these regions varies widely. For example, Google's US West 1 is in Oregon, while AWS's US West 1 is in Northern California and its US West 2 is the Oregon region. You also need to consider which Pureport location is closest to each. The table below maps out the best combinations of cloud regions and Pureport POPs based on location.
| Pureport Location | AWS Regions | Google Cloud Regions |
|---|---|---|
| Ashburn / Washington DC | US-East-1, Northern VA | US-East4, N. Virginia |
| San Jose / Silicon Valley | US-West-1, Northern California | US-West2, Los Angeles |
First you will need:
- A Google Cloud Platform account with an active VPC
- An AWS account with an active VPC
- A basic understanding of how the Pureport platform connects clouds and sites
Putting it together
The steps required to complete connectivity between an AWS VPC and Google public services are outlined below:
- Create a Pureport Network as outlined in Creating a Network
- Connect your Pureport Network to your AWS VPC via:
- Connect your Pureport Network to your Google VPC
- Configure Private Access to GCP Public Services within your Google VPC
- Ensure that the route for 22.214.171.124/30 has been propagated from the GCP Cloud Router into the AWS VPC route table. If it is missing, revisit step 2 or 3 to confirm that the GCP Interconnect and AWS Direct Connect connections are both up and peered, and verify that Route Propagation is enabled for the VGW in the AWS VPC route table.
- For the Configuring DNS step of Private Access to GCP Public Services, configure a private hosted zone in AWS Route53 as follows:
- Use the AWS Route53 Console or API to create a new private hosted zone with a domain name of googleapis.com and associate it with your VPC.
- Add a new Record Set to the hosted zone with the following values:
- name: *.googleapis.com
- type: CNAME
- TTL: 300 seconds
- value: restricted.googleapis.com
- Ensure that both of the following values are set to true on your VPC to allow Route53 to be used for DNS lookups.
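The two verification points above, the propagated route in step 5 and the Route53 private hosted zone for googleapis.com, can be checked from a script. The following is an added example, not Pureport's, Google's or AWS's own code. It builds the Route53 change batch for the wildcard CNAME and audits a route-table entry and a DNS answer against the /30 quoted in the brief (confirm that prefix against what your Cloud Router actually advertises). The route-table and DNS data are constructed for the example; in practice feed it the output of `describe-route-tables`, `describe-vpc-attribute` and a lookup from inside the VPC. The two VPC attribute names are an assumption on our part, since the brief does not name them.

```python
"""Offline checks for the AWS side of private access to Google APIs.
Added example; sample data below is constructed, not captured."""
import ipaddress

# Prefix the brief quotes for the restricted VIP. Confirm it against the
# route your GCP Cloud Router actually advertises before relying on it.
RESTRICTED_VIP_PREFIX = ipaddress.ip_network("22.214.171.124/30")

# Assumption: the two EC2 VPC attributes that must be true for Route53
# private hosted zones to answer queries from the VPC.
REQUIRED_VPC_DNS_ATTRIBUTES = ("enableDnsSupport", "enableDnsHostnames")


def build_route53_change_batch():
    """ChangeBatch for the record set described above: *.googleapis.com CNAME
    restricted.googleapis.com, TTL 300. Shape matches what
    `aws route53 change-resource-record-sets --change-batch` accepts."""
    return {
        "Comment": "Pin all Google API names to the restricted VIP",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "*.googleapis.com.",
                "Type": "CNAME",
                "TTL": 300,
                "ResourceRecords": [{"Value": "restricted.googleapis.com"}],
            },
        }],
    }


def propagation_enabled(route_table, vgw_id):
    """True if the VGW is listed as a propagating gateway for this route table."""
    return any(g.get("GatewayId") == vgw_id
               for g in route_table.get("PropagatingVgws", []))


def find_propagated_route(route_table, prefix=RESTRICTED_VIP_PREFIX):
    """Return the active route for `prefix` only if it was learned through VGW
    route propagation (Origin EnableVgwRoutePropagation), else None."""
    target = ipaddress.ip_network(prefix)
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if (cidr and ipaddress.ip_network(cidr) == target
                and route.get("Origin") == "EnableVgwRoutePropagation"
                and route.get("State") == "active"):
            return route
    return None


def missing_vpc_dns_attributes(vpc_attrs):
    """Names of the required DNS attributes that are not true."""
    return [a for a in REQUIRED_VPC_DNS_ATTRIBUTES if not vpc_attrs.get(a)]


def resolves_to_restricted_vip(cname_target, resolved_ip, prefix=RESTRICTED_VIP_PREFIX):
    """True only if the name was rewritten to restricted.googleapis.com AND the
    answer falls inside the privately routed /30. Anything else means the
    request would leave over the public Internet path instead."""
    return (cname_target.rstrip(".") == "restricted.googleapis.com"
            and ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(prefix))


def audit(route_table, vgw_id, vpc_attrs, cname_target, resolved_ip):
    """Collect every misconfiguration found; an empty list means all good."""
    problems = []
    if not propagation_enabled(route_table, vgw_id):
        problems.append(f"route propagation not enabled for {vgw_id}")
    if find_propagated_route(route_table) is None:
        problems.append(f"no active propagated route for {RESTRICTED_VIP_PREFIX}")
    problems += [f"VPC attribute {a} is not true" for a in missing_vpc_dns_attributes(vpc_attrs)]
    if not resolves_to_restricted_vip(cname_target, resolved_ip):
        problems.append(f"lookup not pinned to restricted VIP ({cname_target} -> {resolved_ip})")
    return problems


# Constructed sample resembling a DescribeRouteTables entry (ids are placeholders).
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-EXAMPLE",
    "PropagatingVgws": [{"GatewayId": "vgw-EXAMPLE"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "22.214.171.124/30", "GatewayId": "vgw-EXAMPLE",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
    ],
}
SAMPLE_VPC_ATTRS = {"enableDnsSupport": True, "enableDnsHostnames": True}

if __name__ == "__main__":
    # Constructed answer as seen from inside the VPC once the zone is in place.
    for p in audit(SAMPLE_ROUTE_TABLE, "vgw-EXAMPLE", SAMPLE_VPC_ATTRS,
                   "restricted.googleapis.com.", "22.214.171.125") or ["all checks passed"]:
        print(p)
```

Run the audit after steps 2 through 5 are complete; a non-empty result points at the step to revisit, and an answer outside the /30 is the clearest sign that API traffic is still taking the public Internet path.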
Supported GCP Public services
Currently, Google offers private connectivity to only a subset of its services, compared with Private Google Access (access to services from within a VPC). Only the following Google APIs and services, which support the restricted VIP, are supported:
- Cloud Bigtable
- Cloud Dataflow
- Cloud Dataproc
- Cloud Data Loss Prevention
- Cloud Deployment Manager
- Cloud DNS
- Cloud KMS
- Cloud Pub/Sub
- Cloud Spanner
- Cloud Storage
- Container Registry
- Stackdriver logging
- Stackdriver Error Reporting