Networking for internet-facing application delivery: Reference architectures
This document is part of a series that describes networking and security architectures for enterprises that are migrating data center workloads to Google Cloud.
The series consists of the following documents:
- Designing networks for migrating enterprise workloads: Architectural approaches
- Networking for secure intra-cloud access: Reference architectures
- Networking for internet-facing application delivery: Reference architectures (this document)
- Networking for hybrid and multi-cloud workloads: Reference architectures
Google offers a set of products and capabilities that help secure and scale your most critical internet-facing applications. Figure 1 shows an architecture that uses Google Cloud services to deploy a web application with multiple tiers.
Figure 1. Typical multi-tier web application deployed on Google Cloud.
Note: You need to consider limitations of using Application Load Balancers. For more information, see the Limitations section in the "External Application Load Balancer overview" documentation.
Lift-and-shift architecture
As internet-facing applications move to the cloud, they must be able to scale, and they must have security controls and visibility that are equivalent to those controls in the on-premises environment. You can provide these controls by using network virtual appliances that are available in the marketplace.
Figure 2. Application deployed with an appliance-based external load balancer.
These virtual appliances provide functionality and visibility that is consistent with your on-premises environments. When you use a network virtual appliance, you deploy the software appliance image by using autoscaled managed instance groups. It's up to you to monitor and manage the health of the VM instances that run the appliance, and you also maintain software updates for the appliance.
After you perform your initial shift, you might want to transition from self-managed network virtual appliances to managed services. Google Cloud offers a number of managed services to deliver applications at scale.
Figure 2 shows a network virtual appliance configured as the frontend of a web tier application. For a list of partner ecosystem solutions, see the Google Cloud Marketplace page in the Google Cloud console.
Hybrid services architecture
Google Cloud offers the following approaches to manage internet-facing applications at scale:
- Use Google's global network of anycast DNS name servers that provide high availability and low latency to translate requests for domain names into IP addresses.
- Use Google's global fleet of external Application Load Balancers to route traffic to an application that's hosted inside Google Cloud, hosted on-premises, or hosted on another public cloud. These load balancers scale automatically with your traffic and ensure that each request is directed to a healthy backend. By setting up hybrid connectivity network endpoint groups, you can bring the benefits of external Application Load Balancer networking capabilities to services that are running on your existing infrastructure outside of Google Cloud. The on-premises network or the other public cloud networks are privately connected to your Google Cloud network through a VPN tunnel or through Cloud Interconnect.
- Use other network edge services such as Cloud CDN to distribute content, Google Cloud Armor to protect your content, and Identity-Aware Proxy (IAP) to control access to your services.
Figure 3 shows hybrid connectivity that uses an external Application Load Balancer.
Figure 3. Hybrid connectivity configuration using external Application Load Balancer and network edge services.
Figure 4 shows a different connectivity option: using hybrid connectivity network endpoint groups.
Figure 4. External Application Load Balancer configuration using hybrid connectivity network endpoint groups.
- Use an Application Load Balancer (HTTP/HTTPS) to route requests based on their attributes, such as the HTTP uniform resource identifier (URI).
- Use a proxy Network Load Balancer to implement TLS offload, TCP proxy, or support for external load balancing to backends in multiple regions.
- Use a passthrough Network Load Balancer to preserve client source IP addresses, avoid the overhead of proxies, and support additional protocols like UDP, ESP, and ICMP.
- Protect your service with Cloud Armor. This product is an edge DDoS defense and WAF security product that's available to all services that are accessed through load balancers.
- Use Google-managed SSL certificates. You can reuse certificates and private keys that you already use for other Google Cloud products. This eliminates the need to manage separate certificates.
- Enable caching on your application to take advantage of the distributed application delivery footprint of Cloud CDN.
- Use Cloud Next Generation Firewall to inspect and filter traffic in your VPC networks.
- Use Cloud IDS to detect threats in north-south traffic, as shown in figure 6.
Figure 6. Cloud IDS configuration to mirror and inspect all internet and internal traffic.
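The following Terraform configuration is an added example, not code from the original page, that wires together the hybrid connectivity network endpoint group and the Cloud Armor protection described above: a hybrid NEG pointing at an on-premises endpoint reachable over Cloud VPN or Cloud Interconnect, a health check, a Cloud Armor policy with a preconfigured SQL-injection WAF rule, and the external Application Load Balancer backend service that ties them together. The VPC name, zone, on-premises IP address and resource names are assumed values; the URL map, HTTPS proxy and forwarding rule that form the load balancer frontend are not shown.

```hcl
resource "google_compute_network_endpoint_group" "onprem" {
  name                  = "onprem-neg"
  network               = "hybrid-vpc"   # assumed VPC that terminates the VPN/Interconnect
  zone                  = "us-central1-a"
  network_endpoint_type = "NON_GCP_PRIVATE_IP_PORT"   # hybrid NEG: endpoints live outside Google Cloud
}
resource "google_compute_network_endpoint" "onprem_app" {
  network_endpoint_group = google_compute_network_endpoint_group.onprem.name
  zone       = "us-central1-a"
  ip_address = "10.10.0.10"   # assumed on-premises server address, routed over Interconnect
  port       = 443
}

resource "google_compute_health_check" "onprem" {
  name = "onprem-hc"
  https_health_check { port = 443 }
}

# Cloud Armor: the WAF rule is evaluated before the mandatory catch-all allow rule.
resource "google_compute_security_policy" "edge" {
  name = "edge-policy"
  rule {
    priority = 1000
    action   = "deny(403)"
    match {
      expr { expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})" }
    }
  }
  rule {
    priority = 2147483647
    action   = "allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}

resource "google_compute_backend_service" "onprem" {
  name                  = "onprem-backend"
  protocol              = "HTTPS"
  load_balancing_scheme = "EXTERNAL_MANAGED"   # global external Application Load Balancer
  health_checks         = [google_compute_health_check.onprem.id]
  security_policy       = google_compute_security_policy.edge.id   # Cloud Armor enforced at the edge
  backend {
    group                 = google_compute_network_endpoint_group.onprem.id
    balancing_mode        = "RATE"
    max_rate_per_endpoint = 100
  }
}
```

Health check probes and proxied requests for hybrid NEG backends originate from Google's 35.191.0.0/16 and 130.211.0.0/22 ranges, so the on-premises firewall must admit them to the endpoint; until it does, the backend stays unhealthy and receives no traffic.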
Zero Trust Distributed Architecture
You can expand Zero Trust Distributed Architecture to include application delivery from the internet. In this model, the Google external Application Load Balancer provides global load balancing across GKE clusters that have Cloud Service Mesh meshes in distinct clusters. For this scenario, you adopt a composite ingress model. The first-tier load balancer provides cluster selection, and then a Cloud Service Mesh-managed ingress gateway provides cluster-specific load balancing and ingress security. An example of this multi-cluster ingress is the Cymbal Bank reference architecture as described in the enterprise application blueprint. For more information about Cloud Service Mesh edge ingress, see From edge to mesh: Exposing service mesh applications through GKE Ingress.
Figure 7 shows a configuration in which an external Application Load Balancer directs traffic from the internet to the service mesh through an ingress gateway. The gateway is a dedicated proxy in the service mesh.
Figure 7. Application delivery in a zero-trust microservices environment.
What's next
- Networking for secure intra-cloud access: Reference architectures.
- Networking for hybrid and multi-cloud workloads: Reference architectures.
- Use Cloud Armor, load balancing, and Cloud CDN to deploy programmable global front ends
- Migration to Google Cloud can help you to plan, design, and implement the process of migrating your workloads to Google Cloud.
- Landing zone design in Google Cloud has guidance for creating a landing zone network.
- For more reference architectures, diagrams, and best practices, explore the Cloud Architecture Center.
Last updated 2025-01-13 UTC.