multi-cloud networking

Scaling Out Secure Dedicated Ingress on GCP

close up photography of yellow green red and brown plastic cones on white lined surface — Photo by Pixabay on Pexels.com

Proposed Architecture

The architecture presented below satisfies GCP customers requirements to use third party compute instance based appliances in their flows.

The design considers HTTP(S) load balancers due its advanced capabilities.

Constraints

HTTP(S) supports port 80, 8080, and 443.
The combination instance (responsible for SNAT/DNAT ingress traffic) and port (back end port) can be used a single time
An instance may belong to at most one load-balanced instance group

GCP Load Balancers Decision Chart

Chart from https://cloud.google.com/load-balancing/docs/load-balancing-overview

Update DNS

Add the second app to Cloud DNS for proper name resolution

Create a second instance group and health check.

How to Scale Scenario 1

add a new external load balancer
add a new set of compute instances

How to Scale Scenario 2

add a second back end using another set of compute instances

Use Routing Rules to forward traffic to the new back end

How to Scale Scenario 3

add a new external HTTP(S) load balancer

create a new back end using the same instance group as before but using different ports
this step requires the creation of a new named port in the instance group
this step also requires proper secure firewall rules proper configured

compute instance DNAT using SRC:DST port 81 and DST:DST port 80

How to Scale Scenario 4

this scenario is a hybrid of scenarios 2 and 3

a new BE is created using port 82

The HC as before is the same as we are checking the health of the compute instances:

routing rules

compute instance DNAT config:

References

https://research.google/pubs/pub44824/

https://cloud.google.com/load-balancing/docs/load-balancing-overview

https://cloud.google.com/load-balancing/docs/backend-service

Related

Leave a Reply Cancel reply

%d bloggers like this: