Article #11 from 2024
During my 2nd year working as a Sovereign Google Cloud Engineer on a major defense company's public Cloud, I had the opportunity to define and deploy a hybrid network connecting Google Cloud to 3 datacenters, giving high availability to on-premise services: encryption keys, secrets, monitoring, SOC, etc. Hybrid networks are crucial to combine the upsides of both public and private Clouds.
To get a comprehensive overview of Google Cloud Network Engineering, read my Cloud Network article.
Reading Time: 10 minutes
For each of the 3 datacenters, I was given a set of equipment (2 Palo Alto PA-1410 firewalls, 2 Cisco Nexus N9K-C93180YC-FX3 switches), dedicated rack units, 3 internet connections per site, 1 Google Cloud project, and a list of requirements per site:
5 servers (Lenovo TS-SR655)
1 HSM (Thales LUNA-7-GRK-16)
1 firewall dedicated to admin traffic (backup access and external SOC logs), using 1 internet connection
1 firewall dedicated to workload traffic flowing inward, toward Google or toward the other datacenters, using the 2 remaining internet connections
1 subnet and 1 VLAN per service
First came the IP addressing and bit management:
10.0.0.0/8 for admin
192.168.0.0/16 for workloads
3 bits (8 possibilities) for locations (gcp, dc1, dc2, dc3)
5 bits (32 possibilities) for services (private info)
Location and service together consume 8 bits, so admin subnets had 2 bytes of IP addresses left (a /16 per site and service, 65534 usable hosts) and workload subnets had 1 byte (a /24, 254 usable hosts)
For IP allocation, I gave every device the same host number at every site, so that only the location/service byte changes (the 2nd byte for admin, the 3rd for workloads): Switch 02 is 192.168.32.2 on DC1 VLAN 100, 192.168.33.2 on DC1 VLAN 101, 192.168.64.2 on DC2 VLAN 100 and 192.168.65.2 on DC2 VLAN 101.
The first 10 to 30 host numbers are reserved for infrastructure equipment (network, security, HSM); the rest are for the servers.
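To make the bit budget above concrete, here is an added example (my own helper, not tooling from the article) that encodes and decodes addresses under this scheme and checks that the resulting subnets never overlap. The location indices (gcp=0, dc1=1, dc2=2, dc3=3), the VLAN numbering (100 + service index) and the 1-30 infrastructure reservation are assumptions taken from the article's examples; dc1=1 and dc2=2 are the only values the article's 192.168.32.x / 192.168.64.x addresses pin down.

```python
"""Hybrid-network addressing helper (added example, not the article's own tooling).

Scheme: after the fixed prefix, one byte is split into 3 location bits (high)
and 5 service bits (low).  Admin uses 10.0.0.0/8, so the split byte is the 2nd
octet and each site/service gets a /16; workloads use 192.168.0.0/16, so the
split byte is the 3rd octet and each site/service gets a /24.
"""
import ipaddress
from typing import Dict, List

# Assumed location indices (the article lists gcp, dc1, dc2, dc3; its examples
# 192.168.32.x and 192.168.64.x confirm dc1=1 and dc2=2, the rest is assumed).
LOCATIONS: Dict[str, int] = {"gcp": 0, "dc1": 1, "dc2": 2, "dc3": 3}
LOC_BITS, SVC_BITS = 3, 5
VLAN_BASE = 100                  # assumption: VLAN id = 100 + service index
RESERVED_HOSTS = range(1, 31)    # host numbers kept for infrastructure gear


def split_byte(location: int, service: int) -> int:
    """Pack location (3 bits) and service (5 bits) into the shared octet."""
    if not 0 <= location < (1 << LOC_BITS):
        raise ValueError(f"location {location} does not fit in {LOC_BITS} bits")
    if not 0 <= service < (1 << SVC_BITS):
        raise ValueError(f"service {service} does not fit in {SVC_BITS} bits")
    return (location << SVC_BITS) | service


def admin_subnet(location: int, service: int) -> ipaddress.IPv4Network:
    """Admin plane: 10.<loc|svc>.0.0/16, two bytes left for hosts."""
    return ipaddress.IPv4Network(f"10.{split_byte(location, service)}.0.0/16")


def workload_subnet(location: int, service: int) -> ipaddress.IPv4Network:
    """Workload plane: 192.168.<loc|svc>.0/24, one byte left for hosts."""
    return ipaddress.IPv4Network(f"192.168.{split_byte(location, service)}.0/24")


def workload_ip(location: str, service: int, host: int) -> str:
    """Address of host number `host` in a workload VLAN; the same host number
    is used at every site so only the 3rd octet differs between datacenters."""
    net = workload_subnet(LOCATIONS[location], service)
    if not 1 <= host <= net.num_addresses - 2:
        raise ValueError(f"host {host} is outside the usable range of {net}")
    return str(net.network_address + host)


def decode(addr: str) -> dict:
    """Reverse mapping: plane, site, service, VLAN and host of an address."""
    ip = ipaddress.IPv4Address(addr)
    octets = ip.packed
    if ip in ipaddress.IPv4Network("10.0.0.0/8"):
        plane, byte, host = "admin", octets[1], int(ip) & 0xFFFF
    elif ip in ipaddress.IPv4Network("192.168.0.0/16"):
        plane, byte, host = "workload", octets[2], octets[3]
    else:
        raise ValueError(f"{addr} belongs to neither plane")
    loc, svc = byte >> SVC_BITS, byte & ((1 << SVC_BITS) - 1)
    names = {v: k for k, v in LOCATIONS.items()}
    return {"plane": plane, "location": names.get(loc, f"loc{loc}"),
            "service": svc, "vlan": VLAN_BASE + svc, "host": host,
            "infra": host in RESERVED_HOSTS}


def plan(plane: str) -> List[ipaddress.IPv4Network]:
    """Every subnet the scheme can allocate for one plane (8 x 32 = 256)."""
    maker = admin_subnet if plane == "admin" else workload_subnet
    return [maker(loc, svc)
            for loc in range(1 << LOC_BITS) for svc in range(1 << SVC_BITS)]


def no_overlap(nets: List[ipaddress.IPv4Network]) -> bool:
    """True when no two allocated subnets share an address."""
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for site in ("dc1", "dc2"):
        for svc in (0, 1):
            print(site, f"VLAN {VLAN_BASE + svc}", workload_ip(site, svc, 2))
    print(decode("192.168.65.2"))
    print("admin plan overlaps:", not no_overlap(plan("admin")))
    print("workload plan overlaps:", not no_overlap(plan("workload")))
```

Running it reproduces the four Switch 02 addresses from the text and shows that all 256 admin /16s and 256 workload /24s tile their parent ranges without collision, which is the property worth re-checking every time a bit is moved between the location and service fields.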
Then came physical studies:
Cable compatibility between devices and ports, port allocation, architecture diagram
Config:
Key parts are IP addressing, VLANs, and firewall rules/zones.
Setup:
Console init > SSH config injection > update via SFTP (switches) or internet link (firewalls) > connectivity test
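As an added example (my own illustration, not configuration from the article), the NX-OS fragment below applies the addressing scheme to Switch 02 at DC1: VLANs 100 and 101 with SVIs at 192.168.32.2 and 192.168.33.2, and one server-facing trunk carrying both VLANs. The interface names, VLAN names and the VLAN-to-service mapping are assumptions.

```text
! Added example: NX-OS config for Switch 02 at DC1 (interface names assumed)
feature interface-vlan

vlan 100
  name dc1-svc00
vlan 101
  name dc1-svc01

! SVIs: same host number (.2) as on every other site, only the 3rd octet changes
interface Vlan100
  no shutdown
  ip address 192.168.32.2/24
interface Vlan101
  no shutdown
  ip address 192.168.33.2/24

! Server-facing trunk: the server operator must tag VLANs 100 and 101 on its side
interface Ethernet1/1
  description srv01 (trunk)
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100-101
  no shutdown
```

The trunk block is the part that has to be communicated to the server operators: a host plugged into an allowed-VLAN trunk without tagging its frames gets no connectivity, which is the coordination problem described in the next section.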
GCP to on-prem:
Follow the Partner Interconnect documentation (https://cloud.google.com/network-connectivity/docs/interconnect/how-to/partner/provisioning-overview)
The hardest part wasn't technical but synchronization: making sure server operators knew which IP and port type to expect (VLAN trunk), agreeing on the VPN configuration with a remote SOC, and Palo Alto's proprietary VPN client config for macOS and Ubuntu.