Introduction


Connecting to GCP public-facing services such as Google Cloud Storage, Cloud Spanner, etc. is typically something you would do over the public Internet; however, you may want the added benefits of consistent latency and performance offered by private connectivity. While you can reach these services over private connectivity from within a Google Cloud VPC using Private Google Access, and even from your on-premises data centers via Google Cloud Interconnect or Google Peering, getting there from your Azure vNet via private line has historically meant standing up leased lines from your premises to each of your cloud environments (Cloud Interconnect and ExpressRoute) and managing the routing yourself. That approach means long-term contracts and, depending on your location, may also introduce more latency than it's worth, since all of the data hairpins through your facility on its journey between the clouds.


Pureport's Multicloud Fabric enables you to quickly and easily connect two clouds together via native private connectivity. In the solution brief below, we'll focus specifically on accessing Google's public-facing services from an Azure vNet via ExpressRoute and Google Cloud Interconnect using our Multicloud Fabric as the connection broker.




Geographical Considerations

When planning your deployment, carefully consider the geographical distance between your two cloud environments in order to minimize latency. While each cloud provider has many overlapping regions, the naming of these regions varies widely. For example, Google's US West 1 is in Oregon, while Azure's West US is in California and West US 2 is in Washington. You also need to consider which Pureport location is closest to each. The table below maps out the best combinations of cloud regions and Pureport POPs based on location.


Pureport Location          | Azure Regions                  | Google Cloud Regions
---------------------------+--------------------------------+------------------------
Ashburn / Washington DC    | East US, East US 2, Virginia   | US-East4, N. Virginia
Seattle                    | West US 2, Washington          | US-West1, Oregon
San Jose / Silicon Valley  | West US, California            | US-West2, Los Angeles
Chicago                    | North Central US, Illinois     | US-Central1, Iowa


Prerequisites

First you will need:


Putting it together

The steps required to complete connectivity between an Azure vNet and Google public services are outlined below:

  1. Create a Pureport Network as outlined in Creating a Network

  2. Connect your Pureport Network to your Azure vNet:
    1. Create an ExpressRoute circuit and connect it to your Pureport Network
    2. Configure Azure Private Peering
    3. Link your vNet to your ExpressRoute Circuit

  3. Connect your Pureport Network to your Google VPC

  4. Configure Private Access to GCP Public Services within your Google VPC

  5. Ensure that the route for 199.36.153.4/30 has been propagated from the GCP Cloud Router to the Azure vNet route table. If it has not, revisit step 2 or 3 to confirm that the GCP Interconnect and Azure ExpressRoute connections are both up and peered.

  6. For the Configuring DNS step of configuring Private Access to GCP Public Services, use the following steps to configure a private hosted zone:
    1. Create a new private zone with a domain name of googleapis.com and associate it with your vNet.
    2. Add a new Record Set to the hosted zone with the following values:
      • name: *.googleapis.com
      • type: CNAME
      • TTL: 300 seconds
      • value: restricted.googleapis.com
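Steps 5 and 6 are the two places where the private path can silently fail: if the 199.36.153.4/30 route is missing, the vNet's default route carries API traffic out to the Internet, and if the private zone is missing or incomplete, googleapis.com names resolve to public addresses and never touch the restricted VIP. The script below is an added example (not Pureport's or Google's code) that verifies both conditions from a VM in the vNet. It goes slightly beyond the text by doing a longest-prefix match over the route table, so a more specific user-defined route diverting part of the /30 to a firewall or appliance is also caught. The route entries are modelled on the field names of `az network nic show-effective-route-table` output, and all route and DNS values are constructed for the example.

```python
import ipaddress

# The restricted VIP block that restricted.googleapis.com resolves to; step 5
# above expects exactly this prefix in the Azure vNet route table.
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")

# Constructed sample routes, shaped like entries returned by
# `az network nic show-effective-route-table` (values are made up here).
SAMPLE_ROUTES = [
    {"addressPrefix": ["10.10.0.0/16"], "nextHopType": "VnetLocal", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "state": "Active"},
    {"addressPrefix": ["199.36.153.4/30"], "nextHopType": "VirtualNetworkGateway", "state": "Active"},
]

# Constructed sample of what a VM in the vNet should see once the private
# zone from step 6 is in place: every googleapis.com name resolves into the
# restricted block (the *.googleapis.com CNAME chains to restricted.googleapis.com).
SAMPLE_DNS_ANSWERS = {
    "storage.googleapis.com": ["199.36.153.4", "199.36.153.5"],
    "spanner.googleapis.com": ["199.36.153.6", "199.36.153.7"],
}


def longest_prefix_match(routes, address):
    """Return (prefix, nextHopType) of the most specific active route covering address."""
    addr = ipaddress.ip_address(str(address))
    best = None
    for route in routes:
        if route.get("state", "Active") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route["nextHopType"])
    return best


def restricted_vip_uses_private_path(routes):
    """True only if every address in 199.36.153.4/30 is forwarded to the
    ExpressRoute gateway. Checking each address via longest-prefix match catches
    a more specific user-defined route that would divert part of the block."""
    for addr in RESTRICTED_VIP:
        match = longest_prefix_match(routes, addr)
        if match is None or match[1] != "VirtualNetworkGateway":
            return False
    return True


def dns_answers_stay_private(answers):
    """Return the googleapis.com names whose answers include any address
    outside the restricted block (an empty list means no leak)."""
    leaking = []
    for name, addresses in answers.items():
        if not name.endswith("googleapis.com"):
            continue
        if any(ipaddress.ip_address(a) not in RESTRICTED_VIP for a in addresses):
            leaking.append(name)
    return leaking


def check_private_access(routes, answers):
    """Combine both checks into a single pass/fail plus a list of findings."""
    findings = []
    if not restricted_vip_uses_private_path(routes):
        findings.append("199.36.153.4/30 is not routed via VirtualNetworkGateway")
    for name in dns_answers_stay_private(answers):
        findings.append(f"{name} resolves outside 199.36.153.4/30")
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = check_private_access(SAMPLE_ROUTES, SAMPLE_DNS_ANSWERS)
    print("PASS" if ok else "FAIL")
    for finding in findings:
        print(" -", finding)
```

In practice, feed `SAMPLE_ROUTES` from the JSON output of `az network nic show-effective-route-table` for a NIC in the linked vNet, and build the answers dictionary from `nslookup` (or `Resolve-DnsName` on Windows) run on that same VM, since only a resolver inside the vNet sees the private zone.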


Supported GCP Public services

Currently, Google offers private connectivity support for only a subset of services, compared with Private Google Access (access to services from within a VPC). Only the following Google APIs and services, which support the restricted VIP, are available over this path:

  • BigQuery
  • Cloud Bigtable
  • Cloud Dataflow
  • Cloud Dataproc
  • Cloud Data Loss Prevention
  • Cloud Deployment Manager
  • Cloud DNS
  • Cloud KMS
  • Cloud Pub/Sub
  • Cloud Spanner
  • Cloud Storage
  • Container Registry
  • Stackdriver Logging
  • Stackdriver Error Reporting