Typically, connecting to GCP Public-facing services (such as Google Cloud Storage, Cloud Spanner, etc.) is something you would do over the public Internet. However, you may want the benefits of consistent latency and performance offered by private connectivity. Although you can access these services over private connectivity from within a Google Cloud VPC using Private Google Access, or from your on-premises data centers via Google Cloud Interconnect or Google Peering via private line, this usually requires leased lines from your premises to each of your cloud environments and managing the routing yourself. This method means long-term contracts and, depending on your location, may also introduce more latency than it's worth, given that all of the data hairpins through your facility on its journey between the clouds.
With Pureport's Multicloud Fabric, you can quickly and easily connect your site and clouds together via native private connectivity. This Solution Brief focuses on accessing Google's public-facing services from a Customer Site via a VPN Site Connection and Google Cloud Interconnect using our Multicloud Fabric as the connection broker.
First you will need:
- A basic understanding of how the Pureport platform connects clouds and sites
- A Google Cloud Platform account with an active VPC
- A VPN device capable of IPSec Routed Tunnels with BGP
- An DNS service on your internal site network (such as BIND9, Active Directory, DNSmasq, etc.)
Putting it together
The steps required to complete connectivity between an AWS VPC and Google public services are outlined below:
- Create a Pureport Network as outlined in Creating a Network.
- Provision a Route-Based BGP VPN Gateway in your Pureport Network and connect to it from your customer premises device
- Connect your Pureport Network to your Google VPC.
- Configure Private Access to GCP Public Services within your Google VPC.
- Ensure that the route for 22.214.171.124/30 has been propagated from the GCP Cloud Router to your site VPN Gateways.
If not, review steps 2 and 3 to ensure that the GCP Interconnect and VPN Site connections are both up and peered.
- For the Configuring DNS step of configuring Private Access to GCP Public Services, use the following steps to configure a private hosted zone within AWS Route53:
- In your internal DNS server, create a new hosted zone with a domain name of googleapis.com.
- Add a new Record Set to the hosted zone with the following values:
- name: *.googleapis.com
- type: CNAME
- TTL: 300 seconds
- value: restricted.googleapis.com
Supported GCP Public services
Google offers private connectivity support for a subset of services, as compared to Private Google Access (access to services from within a VPC). Only the following Google APIs and services that support the restricted VIP are supported:
- Cloud Bigtable
- Cloud Dataflow
- Cloud Dataproc
- Cloud Data Loss Prevention
- Cloud Deployment Manager
- Cloud DNS
- Cloud KMS
- Cloud Pub/Sub
- Cloud Spanner
- Cloud Storage
- Container Registry
- Stackdriver logging
- Stackdriver Error Reporting