New Blog Post! Google Cloud Interconnect – Sovereign Solutions

Every cloud provider offers its own solution for connecting an on-premises data center to the cloud. Here is a brief comparison across the major providers, GCP, AWS and Azure.

Feature | GCP | AWS | Azure
Solution name | Cloud Interconnect | AWS Direct Connect | ExpressRoute
Transport | Fiber | Fiber | Fiber
Targeted customer | Site-to-site | Site-to-site / hub-and-spoke | Site-to-site
Supported throughput/speed* | 10 Gbps | 1 Gbps or 10 Gbps | 500 Mbps to 10 Gbps
Link provisioning | By customer or an intermediate/partner provider, as an L2 link | By customer or an intermediate/partner provider, as an L2 link | Intermediate/partner provider, as an L2 link

Here I take a hybrid cloud example between us-central1 and an on-premises data center.

As hybrid cloud becomes more useful, many organizations are looking at hybrid cloud architectures to bridge the gap between the cloud and their own data centers. But at the scale of modern applications and their data, cloud connectivity requires a lot of bandwidth and some network planning on the user's side.

Data in a private cloud is secured by one set of controls; a hybrid cloud may require different security platforms on each side to safeguard sensitive data. By selecting the right platform, developing a deep understanding of the data requirements, and choosing the right partner to integrate the network solution, the security risks can be minimized.

Some legacy applications are not a fit for the cloud because they depend on other on-premises systems; it is better to keep those applications on-premises and access them from the cloud. Platforms and other infrastructure can be migrated over time as hardware expires or needs change, so a hybrid cloud lets the organization make better use of the hardware it already owns.

“Hybrid cloud computing has become the industry norm, with systems-of-record computing taking place in the enterprise data centers, [disaster recovery] taking place in colocation data centers, platform or software-as-a-service being provided by the cloud, and customer-facing applications such as video streaming or virtual reality being provided by edge compute.”

This is where Google's Dedicated Interconnect service comes into play, linking your data center directly to Google Cloud.

The most common technology for direct cloud connectivity from a user's data center is MPLS, or Multi-Protocol Label Switching. Instead of setting up complex routing through backbone internet providers, with the resulting bandwidth limitations and latency, MPLS creates a direct connection between the data center switches and the network in a hyper-scale data center; the user can also use it to link data centers to a disaster recovery site, or to scale out a data center by connecting new on-premises or colocation facilities. Service providers are starting to offer alternatives, but MPLS can be integrated directly into the user's data center core switches, simplifying connectivity and reducing latency.

It is generally the least expensive method when the user has a high volume of traffic to and from Google's network.

Cloud Interconnect extends the user's on-premises network to Google's VPC network through a highly available, low-latency connection. Cloud Interconnect connections provide RFC 1918 communication, which means internal (private) IP addresses are directly reachable from both networks.

If the user does not require the low latency and high availability of Cloud Interconnect, Cloud VPN can be used instead to set up IPsec VPN tunnels between the networks. IPsec VPN tunnels encrypt the data with industry-standard IPsec protocols as the traffic traverses the public internet.

The user can combine Cloud Interconnect with Private Google Access for on-premises hosts, so that on-premises hosts reach Google APIs and services over internal IP addresses rather than external ones.

Google Cloud Interconnect comes in two types, Dedicated and Partner. With either type, traffic passes directly between the user's on-premises network and the VPC network; it does not traverse the public internet.

Dedicated Interconnect connects the user's network directly to Google's network at a colocation facility where Google has a point of presence (POP). Otherwise the user can use Partner Interconnect to connect the network to Google through a supported service provider.

Dedicated Interconnect is sold in 10 Gbps circuits, so the minimum connection is 10 Gbps. The user can order up to 8 Ethernet circuits per Dedicated Interconnect connection (80 Gbps maximum).

If the user wants a lower-bandwidth connection, the service provider route (Partner Interconnect) is the option. Service providers offer between 50 Mbps and 10 Gbps of capacity per interconnect attachment (VLAN).

Google offers an end-to-end SLA for Dedicated Interconnect connectivity between the user's VPC and on-premises networks.

With Partner Interconnect, whether the user can increase the number of interconnect attachments (VLANs) or the capacity of an existing attachment depends on the service provider's available capacity. Google bills on the interconnect attachment's capacity and on egress traffic.

Traffic between the user's network and Google's network over Cloud Interconnect is not encrypted. The circuit is a private layer-2 path rather than the public internet, but anyone with access to the cross connect, the colocation facility or (with Partner Interconnect) the provider's network can read the traffic in the clear. If the user needs data-in-transit protection, run IPsec VPN tunnels over the interconnect or encrypt at the application layer (TLS, for example).

Google charges for both interconnects and VLAN attachments, as well as for data egress.

Common Use Cases

Hybrid cloud, video production, and IoT sensor data processing are the three main areas that Google says customers are applying its direct cloud connectivity service today.

Creating a Dedicated Interconnect connection

Order a Dedicated Interconnect. Submit an order form. Google emails an order confirmation, and after resources have been allocated the user gets another email with LOA-CFAs (Letters of Authorization and Connecting Facility Assignments).

Send LOA-CFAs. Send each LOA-CFA to the vendor that will install the cross connects between the Google peering edge and the on-premises network.

Test the interconnect. Google sends automated emails with configuration information for two different tests. First, Google sends an IP configuration to test light levels on every circuit. After those tests pass, Google sends the final IP configuration to test the IP connectivity of each interconnect's production configuration.

The user has to apply this configuration to the on-premises routers so that Google can confirm connectivity.

Create VLAN attachments and establish BGP sessions. Create a VLAN attachment along with a Cloud Router in the VPC network. Using the attachment, the user can establish a BGP session between the Cloud Router and the on-premises router to start sending traffic between the networks.

In the example below I set up a Dedicated Interconnect with us-central1 as the primary region (us-east4 is the secondary region used later in the Partner example).

Steps to create a Dedicated Interconnect.

  1. Create an Interconnect with an interconnect type of DEDICATED. Resource names must be lowercase letters, digits and hyphens, and --location is the name of a colocation facility (list them with gcloud compute interconnects locations list), not a Compute Engine region.

gcloud compute interconnects create my-interconnect \
  --customer-name mycustomer_name \
  --interconnect-type DEDICATED \
  --link-type LINK_TYPE_ETHERNET_10G_LR \
  --location [INTERCONNECT_LOCATION] \
  --requested-link-count 1 \
  [--noc-contact-email admin@mycompany.com] \
  [--description 'this is a dedicated interconnect for client']

For high availability, create a duplicate interconnect in the same location but in a different availability zone.

  2. Retrieving LOA-CFAs. Once the user orders the interconnect, Google sends the NOC (technical contact) an email with LOA-CFAs (one PDF file per interconnect). The user must send these LOA-CFAs to the vendor so that it can install the cross connects.
  3. Testing connections. Before using the interconnects, the user must apply the IP configuration provided by Google to the on-premises routers. Google runs the connectivity tests automatically and emails the results.
  4. Creating VLAN attachments. Create an InterconnectAttachment, specifying the names of the interconnect and the Cloud Router. The attachment allocates a VLAN on the user's interconnect that connects to the Cloud Router.

gcloud compute interconnects attachments dedicated create my-attachment \
  --region us-central1 \
  --router my-router \
  --interconnect my-interconnect

  5. Describe the attachment to retrieve the resources that it allocated, such as the VLAN ID and the BGP peering addresses.

gcloud compute interconnects attachments describe my-attachment \
  --region us-central1

  6. On the Cloud Router, add an interface that connects to the VLAN attachment. For the IP address, use the Cloud Router IP address that was allocated by the attachment.

gcloud compute routers add-interface my-router \
  --region us-central1 \
  --ip-address 169.254.180.81 \
  --mask-length 29 \
  --interface-name my-router-i1 \
  --interconnect-attachment my-attachment

  7. Add a BGP peer to the interface. For the peer IP address, use the customer router IP address that was allocated by the attachment. For the peer ASN, use the same number that the user will configure on the on-premises router.

gcloud compute routers add-bgp-peer my-router \
  --interface my-router-i1 \
  --region us-central1 \
  --peer-name bgp-for-my-interconnect \
  --peer-ip-address 169.254.180.82 \
  --peer-asn 65201


Configure Interconnects in Other Projects

The user can use the same interconnect in different projects of the same organization by creating VLAN attachments in each of those projects.


Creating a Partner Interconnect connection

Here I take the same example, with us-central1 as the primary and us-east4 as the secondary region.

  1. Create a VLAN attachment. Creating the VLAN attachment generates a pairing key that the user shares with the service provider. The pairing key is a unique key that allows a service provider to identify and connect to the user's VPC network and its associated Cloud Router, so treat it like a credential and share it only with the chosen provider.
  2. Request a connection from the service provider. The user submits the pairing key and other connection details, such as the connection capacity and location, then waits until the service provider configures the connection.
  3. Activate the connection. After the service provider configures the connection, the user must activate it.
  4. Configure BGP. For layer 2 connections, the user must establish a BGP session between the VPC network's Cloud Router and the on-premises router. The VLAN attachment generates the BGP peering IP addresses; the user gets the VLAN ID from the service provider.

For layer 3 connections, the service provider establishes the BGP session with the user's VPC network and Cloud Router.


The user creates and configures the following resources to achieve 99.99% availability with Partner Interconnect.

  1. Four VLAN attachments, two per GCP region. Even if the user only has VM instances in a single region, two regions must be used. Each VLAN attachment must have its own Cloud Router.
  2. The attachments in one region must connect to an interconnect in one metro, and the attachments in the other region must connect to an interconnect in another metro.
  3. The dynamic routing mode of the VPC network must be global. With global dynamic routing, Cloud Routers advertise all subnets and propagate learned routes to all subnets regardless of the subnet's region.
  4. Depending on hardware and availability requirements, the user might have one or more routers in the on-premises network.
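Before ordering circuits it is cheap to check a planned layout against the four rules above. The script below is an added example, not code from the original post and not a Google tool: it takes a constructed inventory of the four planned attachments and reports which rule fails. The five-column format is an assumption of this example; in practice the first four columns can be filled from gcloud compute interconnects attachments list and the metro from the provider's connection details.

```shell
#!/bin/sh
# Added example, not from the original post: check a planned Partner
# Interconnect layout against the 99.99% availability rules before
# ordering circuits.
#
# PLAN is a constructed inventory (assumed format), one attachment per line:
#   <attachment> <region> <cloud-router> <edge-availability-domain> <metro>
PLAN='attach-central-a us-central1 router-central-a availability-domain-1 chicago
attach-central-b us-central1 router-central-b availability-domain-2 chicago
attach-east-a us-east4 router-east-a availability-domain-1 ashburn
attach-east-b us-east4 router-east-b availability-domain-2 ashburn'

fails=0

# rule <description> <test(1) arguments...>: print PASS/FAIL and count failures
rule() {
  desc=$1
  shift
  if test "$@"; then
    echo "PASS $desc"
  else
    echo "FAIL $desc"
    fails=$((fails + 1))
  fi
}

# check_plan <plan>: evaluate every rule; return 0 only if all of them pass
check_plan() {
  plan=$1
  fails=0

  # Rule 1: four VLAN attachments in total
  n=$(printf '%s\n' "$plan" | awk 'NF { n++ } END { print n + 0 }')
  rule "four VLAN attachments (have $n)" "$n" -eq 4

  # Rule 1: exactly two regions, two attachments each, one per edge availability domain
  bad=$(printf '%s\n' "$plan" | awk '
    NF { cnt[$2]++; ead[$2, $4] = 1 }
    END {
      for (r in cnt) {
        regions++
        if (cnt[r] != 2 || !((r, "availability-domain-1") in ead) ||
            !((r, "availability-domain-2") in ead)) bad++
      }
      print bad + (regions == 2 ? 0 : 1)
    }')
  rule "two regions, each with one attachment per edge availability domain" "$bad" -eq 0

  # Rule 1: every attachment has its own Cloud Router
  dup=$(printf '%s\n' "$plan" | awk 'NF { seen[$3]++ } END { for (r in seen) if (seen[r] > 1) d++; print d + 0 }')
  rule "every attachment has its own Cloud Router" "$dup" -eq 0

  # Rule 2: each region lands in one metro, and the two regions use different metros
  bad=$(printf '%s\n' "$plan" | awk '
    NF { pair[$2, $5] = 1 }
    END {
      for (k in pair) { split(k, p, SUBSEP); per_region[p[1]]++; per_metro[p[2]]++ }
      for (r in per_region) if (per_region[r] != 1) bad++
      for (m in per_metro) if (per_metro[m] != 1) bad++
      print bad + 0
    }')
  rule "each region uses one metro and the regions use different metros" "$bad" -eq 0

  [ "$fails" -eq 0 ]
}

check_plan "$PLAN"
```

Rule 3 (global dynamic routing) is a property of the VPC network rather than of the attachments, so it is checked by describing the network, not by this script.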

Creating the VPC network

  1. Create a custom-mode VPC network with global dynamic routing (required for the 99.99% topology).

gcloud compute networks create vpc1 \
  --subnet-mode custom \
  --bgp-routing-mode global

  2. Create a subnet in each of the us-central1 and us-east4 regions.

gcloud compute networks subnets create subnet-uscentral1 \
  --network vpc1 \
  --region us-central1 \
  --range 192.168.1.0/24

gcloud compute networks subnets create subnet-useast4 \
  --network vpc1 \
  --region us-east4 \
  --range 192.168.2.0/24


Creating Cloud Routers

  1. Create two Cloud Routers in the vpc1 network in the us-central1 region. Partner Interconnect requires ASN 16550 on the Cloud Router, so use it for both.

gcloud compute routers create router-central-a \
  --asn 16550 \
  --network vpc1 \
  --region us-central1

gcloud compute routers create router-central-b \
  --asn 16550 \
  --network vpc1 \
  --region us-central1

  2. Create two Cloud Routers in the vpc1 network in the us-east4 region, again with ASN 16550.

gcloud compute routers create router-east-a \
  --asn 16550 \
  --network vpc1 \
  --region us-east4

gcloud compute routers create router-east-b \
  --asn 16550 \
  --network vpc1 \
  --region us-east4


Creating VLAN attachments

Create four VLAN attachments, one per Cloud Router, placing the two attachments of each region in different edge availability domains.

gcloud compute interconnects attachments partner create attach-central-a \
  --router router-central-a \
  --region us-central1 \
  --edge-availability-domain availability-domain-1

gcloud compute interconnects attachments partner create attach-central-b \
  --router router-central-b \
  --region us-central1 \
  --edge-availability-domain availability-domain-2

gcloud compute interconnects attachments partner create attach-east-a \
  --router router-east-a \
  --region us-east4 \
  --edge-availability-domain availability-domain-1

gcloud compute interconnects attachments partner create attach-east-b \
  --router router-east-b \
  --region us-east4 \
  --edge-availability-domain availability-domain-2


Retrieving pairing keys

Retrieve the pairing key of each VLAN attachment by describing it; repeat for the other three attachments with their own region.

gcloud compute interconnects attachments describe attach-central-a \
  --region us-central1


Requesting connections from your service provider

Reach out to the service provider and request four connections, one for each VLAN attachment. The service provider will need the pairing key, the capacity and the location of each attachment.


Activating VLAN attachments

The attachments do not pass traffic until the user activates them. Before activating each one, describe it and confirm that the partner details it now shows match the provider the connection was requested from.

gcloud compute interconnects attachments partner update attach-central-a \
  --region us-central1 \
  --admin-enabled

gcloud compute interconnects attachments partner update attach-central-b \
  --region us-central1 \
  --admin-enabled

gcloud compute interconnects attachments partner update attach-east-a \
  --region us-east4 \
  --admin-enabled

gcloud compute interconnects attachments partner update attach-east-b \
  --region us-east4 \
  --admin-enabled


Configuring Routers

Describe the Cloud Router associated with the attach-central-a VLAN attachment to find the BGP peer that the attachment created automatically (named auto-ia-bgp-... in the example below) and its peering addresses.

gcloud compute routers describe router-central-a \
  --region us-central1

Update that BGP peer with the on-premises router's ASN, then repeat for the other three Cloud Routers.

gcloud compute routers update-bgp-peer router-central-a \
  --peer-name auto-ia-bgp-attachment-central-a-c2c53a710bd6c2e \
  --peer-asn [ON-PREM ASN] \
  --region us-central1
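Both BGP setups on this page (the manual add-interface and add-bgp-peer on a Dedicated attachment, and the auto-created peer on a Partner attachment that only needs its ASN set) leave the on-premises side of the session to be typed in by hand from the values the attachment allocated. The script below is an added example, not code from the original post or from Google: it reads the output of gcloud compute interconnects attachments describe (a constructed sample is embedded; the values are made up and the keys cloudRouterIpAddress, customerRouterIpAddress and vlanTag8021q follow the InterconnectAttachment API field names), checks that the two peering addresses are distinct hosts of one /29 and that the two ASNs differ, and prints the matching on-premises configuration in an IOS-like syntax that is illustrative only. The ASNs passed in are 65201 for the on-premises router (from the Dedicated example) and 16550 for the Cloud Router (required by the Partner example; an assumption for the Dedicated one).

```shell
#!/bin/sh
# Added example, not from the original post: turn the values a VLAN attachment
# allocated into the on-premises side of the BGP session, after checking that
# they are consistent.
#
# Constructed sample of 'gcloud compute interconnects attachments describe'
# output (YAML). The values are made up; the keys follow the
# InterconnectAttachment API field names.
ATTACHMENT_DESC='bandwidth: BPS_10G
cloudRouterIpAddress: 169.254.180.81/29
customerRouterIpAddress: 169.254.180.82/29
interconnect: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect
name: my-attachment
region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1
router: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/routers/my-router
state: ACTIVE
type: DEDICATED
vlanTag8021q: 1000'

# get_field <key> <describe-output>: value of the first "key: value" line
get_field() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == (k ":") { print $2; exit }'
}

# same_29 <ip-a> <ip-b>: succeed if both are distinct host addresses of one /29
same_29() {
  printf '%s %s\n' "$1" "$2" | awk '{
    split($1, a, "."); split($2, b, ".")
    ok = (a[1] == b[1] && a[2] == b[2] && a[3] == b[3] &&
          int(a[4] / 8) == int(b[4] / 8) && a[4] != b[4])
    exit !ok }'
}

# onprem_bgp_config <describe-output> <on-prem-asn> <cloud-router-asn>
# Prints an IOS-style (illustrative; adapt to your platform) configuration for
# the on-premises router, or returns 1 with the reason on stderr.
onprem_bgp_config() {
  desc=$1; onprem_asn=$2; cloud_asn=$3
  cloud_ip=$(get_field cloudRouterIpAddress "$desc")
  cust_ip=$(get_field customerRouterIpAddress "$desc")
  vlan=$(get_field vlanTag8021q "$desc")
  state=$(get_field state "$desc")

  if [ -z "$cloud_ip" ] || [ -z "$cust_ip" ] || [ -z "$vlan" ]; then
    echo "attachment has not allocated its VLAN/peering addresses yet (state: ${state:-unknown})" >&2
    return 1
  fi
  if [ "${cloud_ip#*/}" != 29 ] || [ "${cust_ip#*/}" != 29 ]; then
    echo "expected /29 link-local peering addresses, got $cloud_ip and $cust_ip" >&2
    return 1
  fi
  if ! same_29 "${cloud_ip%/*}" "${cust_ip%/*}"; then
    echo "peering addresses $cloud_ip and $cust_ip are not distinct hosts of one /29" >&2
    return 1
  fi
  if [ "$onprem_asn" = "$cloud_asn" ]; then
    echo "on-premises ASN must differ from the Cloud Router ASN (the session is eBGP)" >&2
    return 1
  fi

  cat <<EOF
! on-premises side of the session for attachment $(get_field name "$desc")
interface Vlan$vlan
 description VLAN $vlan towards Cloud Router
 ip address ${cust_ip%/*} 255.255.255.248
!
router bgp $onprem_asn
 neighbor ${cloud_ip%/*} remote-as $cloud_asn
 neighbor ${cloud_ip%/*} description Cloud Router ${cloud_ip%/*}
EOF
}

# On-premises ASN 65201 as in the Dedicated example; Cloud Router ASN 16550 as
# required by the Partner example (an assumption for the Dedicated one).
onprem_bgp_config "$ATTACHMENT_DESC" 65201 16550
```

For a Partner attachment the same function applies once the attachment is active; before activation the address fields are absent and the function reports the attachment state instead of emitting a configuration.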

 

 


Talk to our experts now to learn how Sovereign Solutions can help your organization meet its business objectives.

*This content is being provided for informational and educational purposes, and should not be regarded as a specific recommendation for your situation.