Gated patterns

The gated pattern is based on an architecture that exposes selected applications and services in a fine-grained manner, through specific APIs or endpoints exposed between the different environments. This guide divides the pattern into three options, each determined by its communication model:

As previously mentioned in this guide, the networking architecture patterns described here can be adapted to applications with diverse requirements. To address the needs of different applications, your main landing zone architecture might incorporate one pattern or a combination of patterns at the same time. How the selected architecture is deployed is determined by the communication requirements of each gated pattern.

Note: In general, the gated pattern can be applied to, or incorporated with, the landing zone design option that exposes services in a consumer-producer model.

This series discusses each gated pattern and its possible design options. However, one design option applicable to all gated patterns is the Zero Trust Distributed Architecture for containerized applications with a microservice architecture. This option is powered by Cloud Service Mesh, Apigee, and Apigee Adapter for Envoy, a lightweight Apigee gateway deployment within a Kubernetes cluster. Envoy is a popular, open source edge and service proxy that's designed for cloud-first applications. This architecture controls which service-to-service communications are allowed, secures them, and constrains the direction of communication at the service level. Traffic communication policies can be designed, fine-tuned, and applied per service based on the selected pattern.
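The following manifests are an added example of how the service-level controls described above look in the Istio APIs that Cloud Service Mesh uses; they are not from the page or from Google's documentation. The namespace (`payments`), workloads (`checkout`, `ledger`), service account, and path are assumptions for illustration. The pattern is: require mTLS mesh-wide so every caller has a verifiable identity, deny everything in the namespace by default, then re-open exactly one path in one direction.

```yaml
# Added example, not from the original page. Namespace, workload, service
# account and path names are assumptions chosen for illustration.
#
# 1. Require mTLS for every workload in the mesh. In STRICT mode a sidecar
#    rejects plaintext, so each caller presents a verifiable SPIFFE identity
#    that later policies can match on.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # in the root namespace this applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny for the namespace. An AuthorizationPolicy with no rules
#    denies every request to the workloads it selects; with no selector it
#    covers every workload in the namespace (checkout included).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. Re-open one operation in one direction: checkout -> ledger, POST only.
#    The principal is the SPIFFE ID derived from the caller's Kubernetes
#    service account, so it cannot be spoofed with a source IP or a header.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-checkout-to-ledger
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger              # policy is attached to the callee
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/payments/sa/checkout"   # trust domain is an assumption
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/ledger/entries"]
```

Two points a practitioner should check before applying this. First, the `cluster.local` prefix is Istio's default trust domain; a Cloud Service Mesh installation may be configured with a different trust domain (for example, a fleet Workload Identity pool), in which case the `principals` entry must use that prefix or the rule silently matches nothing and the default deny wins. Second, direction is enforced by asymmetry: `ledger` accepts calls only from `checkout`, and because `deny-all` also selects `checkout`, `ledger` (or anything else) cannot call `checkout` until a separate ALLOW policy attached to `checkout` says so.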

Gated patterns allow for the implementation of Cloud Next Generation Firewall Enterprise with intrusion prevention service (IPS) to perform deep packet inspection for threat prevention without any design or routing modifications. The scope of that inspection depends on the specific applications being accessed, the communication model, and the security requirements. If security requirements demand Layer 7 and deep packet inspection with advanced firewalling mechanisms that surpass the capabilities of Cloud Next Generation Firewall, you can use a centralized next generation firewall (NGFW) hosted in a network virtual appliance (NVA). Several Google Cloud security partners offer NGFW appliances that can meet your security requirements. Unlike Cloud Next Generation Firewall, an NVA inspects only the traffic that is routed through it, so integrating NVAs with these gated patterns can require introducing multiple security zones within the network design, each with distinct access control levels.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-01-23 UTC.