Google Cloud adds networking, security features for enterprises

Google Cloud is rolling out new network and security features, including a service that provides Layer-7 security.

The new offerings announced at Google Cloud Next also include firewall and web application-protection options aimed at advancing existing cloud connectivity and ensuring the security of cloud-based resources.

“We are fundamentally enhancing our network fabric—which includes 35 regions, 106 zones and 173 network edge locations across 200-plus countries—and making it simpler and easier for organizations to migrate their existing workloads and modernize applications all while securing and making them easier to manage,” said Muninder Sambi, vice president and general manager of networking for Google Cloud.

Private Service Connect (PSC)

On the networking front, Google Cloud has added features to its Private Service Connect offering that ties together groups, projects, and other organizations over encrypted links. PSC now includes Layer 7-based security, routing, and telemetry to ensure consistent policy control across the service.

It also supports using Cloud Interconnect, Google Cloud’s highly available, low-latency connection service, to link on-prem sites to other PSC endpoints, according to Sambi. PSC integrates with managed data and analytic services from Confluent, Databricks, DataStax, Grafana, and Neo4J.

With PSC, customer-network traffic traverses only Google’s backbone network and isn’t exposed to the public internet, Sambi said. Customers connect to Google Cloud using PSC endpoints with private IP addresses on Google virtual private cloud (VPC) networks.

“Private Service Connect is important because it helps to simplify the networking and security that must accompany migrations of workloads to the cloud. Specifically, PSC provides encrypted connections across VPC networks that are in different groups, teams, projects, or organizations,” said Brad Casemore, Research VP, Datacenter and Multicloud Networks, IDC. “The new PSC enhancements include an L7 PSC, for simplified application-layer policy; PSC over interconnect, which supports on-premises traffic through Cloud Interconnects to PSC endpoints; PSC for hybrid environments (which is what most enterprises have), and additional integrations with partner services.”

Google also previewed a technology it says will let customers more easily network container-based resources. Network Function Analyzer lets customers connect multiple container network functions, apply labels, and steer traffic to them.

“Customers can use this function to steer their applications and add multiple services into a cloud container application framework,” Sambi said. “It’s an important feature for customers whose applications were either born in the cloud or being rewritten to move them to the cloud. They can use this function to minimize costs, get high performance and get service scaling along with it.”

Network Function Optimizer provides a simpler, high-performance data plane for container-based networking, leveraging eBPF-based eXpress Data Path (XDP), Casemore said. “Google has used eBPF for enhanced data-plane performance on its own infrastructure for a while now, and offering that benefit to enterprises customers adopting cloud-native applications and related network functions makes considerable sense.”

New network management tools

On the network management side, Google has expanded its overarching Network Intelligence Center. The company said the platform’s Network Analyzer, which learns and monitors customer networks to detect misconfigurations and drifts on network topology, firewall rules, routes, load balancers and connectivity to services and applications is now available. 

New features of Network Intelligence center also include Performance Dashboard to provide visibility into latency measurements for Google Cloud-to-internet traffic at per-project and global levels. This helps in planning the placement of customers’ Google Cloud resources and overall network architecture, Sambi said.

Another new feature, Network Topology, lets customers identify and monitor their top contributors to egress, and optimize their cloud architecture for performance and cost, Sambi said. The platform’s Firewall Insights program now supports IPv6

Security options

The company previewed a two-tiered Cloud Firewall service: Cloud Firewall Essentials and Cloud Firewall Standard.

Cloud Firewall Standard brings expanded policy objects for firewall rules aimed at simplifying configuration and micro-segmentation.

Cloud Firewall Essentials the new basic level of firewall capabilities. It features Global and Regional Network Firewall Policies, which have built-in IAM [identity and access management] controls, that can be applied across VPCs, and support batch-rules updates. New IAM-governed Tags allow for scalable micro-segmentation policies that follow workloads no matter where they are located.

The idea with the combination of IAM-governed Tags in Cloud Firewall Essentials, the dynamic objects in Cloud Firewall Standard, Address Groups, and our existing hierarchical firewall rules helps customers run a flexible, least-privilege, self-service environment that enforces pinpoint policy with greater simplicity and decreased operational cycles,” Sambi said.

Also in the security realm, Google bolstered its Cloud Armor service that protects web applications, services, and APIs from DDoS attacks and web-application exploits. Customers can now configure the service’s machine-learning-based Adaptive Protection capability to automatically deploy its proposed rules.

“Google Cloud Armor is actually built on ML-based attack-protection capability where you can automate, deploy and evolve the security rules with a very simplified policy structure,” Sambi said. “We have pre-configured rules and information on vulnerability risks that customers can use to help build ML-based automated responses to threats.”

The battle with AWS, Azure

Google Cloud’s new networking and security features are part of  the continuing competition among top cloud providers such as AWS and Microsoft Azure.

“Google Cloud and AWS are both significantly enhancing their cloud networking capabilities, including networking from on-premises environments to the cloud, and networking in the cloud (including service insertion and service chaining),” Casemore said. “Microsoft Azure isn’t standing still, but I’d say it has some ground to make up on the other two. Networking to and in the cloud will only grow in both its range of features and functionality and in its importance to enterprises.”

“As new and existing enterprise workloads move to IaaS clouds, the enterprise data center and its network are becoming distributed,” Casemore said. “Enterprises must modernize their network infrastructure accordingly, not just in cloud (as part of the distributed data center), but also across the WAN, which must also be optimized to meet the needs of cloud workloads.” 

“Enterprises will become increasingly familiar with the constructs and benefits of using these globe-girding, increasingly feature-rich cloud networks to support and deliver cloud workloads,” Casemore said.

Other Google Cloud announcements at the Next conference include:

  • Support for a Live Stream API in its Media CDN offering that brings in and packages content into HTTP-Live Streaming and DASH formats for optimized live streaming. For advanced customization, Google Cloud previewed a new feature called Network Actions for Media CDN, a fully managed offering that lets customers deploy their own code directly in the request/response path at the edge.  For enterprises that depend on video on demand Media CDN is now offered on a global scale, Sambi said.
  • A preview of 200Gbps networking with a new C3 virtual machine family. The new C3 machine series features the Intel Xeon Scalable processor and Google’s custom Intel Infrastructure Processing Unit (IPU) which offloads processing from a core server, improving performance. The C3’s system-on-a-chip design promises better security as well as creating more infrastructure choices, such as native bare-metal servers. Compared with the current generation C2, C3 VMs with Hyperdisk will deliver 4x higher throughput and 10x higher IOPS [input/output operations per second], Google stated. 
  • A fully managed security-software supply-chain service called Software Delivery Shield to address threats like those found in the SolarWinds vulnerability and others. It provides DevOps and security teams with the tools to build secure cloud applications. Those tools include software development and deployment areas including continuous integration, continuous delivery, production environments, and policies.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.