Network Security Integration overview

Network Security Integration lets you integrate network security appliance VMs, including VMs running packet inspection and firewall software, into a VPC network without changing routes in the VPC network.

Network Security Integration uses the Generic Network Virtualization Encapsulation (GENEVE) protocol to deliver the original packets, together with metadata, to network security appliance VMs from one or more of your VPC networks, based on firewall rules that you create. For more information, see Understand GENEVE format.
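The appliance side of this exchange is a GENEVE decapsulation: strip the outer header, read any option TLVs (the metadata), and hand the untouched inner packet to the inspection engine. The following is an added example, not Google's code and not the wire layout of Google's own metadata options; it implements the generic RFC 8926 header and option format, with `DEMO_CLASS` a made-up option class and the inner IPv4 packet a constructed sample. It also handles the failure modes an appliance must get right: malformed headers are dropped rather than parsed optimistically, and a critical option the appliance does not understand causes a drop, as the RFC requires.

```python
"""GENEVE (RFC 8926) encapsulation and decapsulation as a producer-side
appliance would perform it. Added example: not Google's code; DEMO_CLASS is
a hypothetical option class, not Google's metadata format."""
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PROTO_ETHERNET = 0x6558  # Transparent Ethernet Bridging: inner payload starts with an Ethernet header
PROTO_IPV4 = 0x0800      # inner payload is a raw IPv4 packet


class GeneveError(ValueError):
    """Malformed GENEVE packet; an appliance should drop it rather than guess."""


@dataclass
class GeneveOption:
    opt_class: int   # 16-bit option class (a namespace for types)
    opt_type: int    # 7-bit type; on the wire the top bit of this byte is the Critical flag
    critical: bool
    data: bytes      # 0..124 bytes, multiple of 4


@dataclass
class GenevePacket:
    vni: int
    protocol: int
    oam: bool
    options: List[GeneveOption]
    payload: bytes   # the original packet, byte for byte


def build_geneve(vni: int, protocol: int, payload: bytes,
                 options: Iterable[GeneveOption] = (), oam: bool = False) -> bytes:
    """Encapsulate payload in a GENEVE header carrying the given options."""
    options = list(options)
    opts = b""
    for o in options:
        if len(o.data) % 4 or len(o.data) > 124:
            raise GeneveError("option data must be 0..124 bytes and a multiple of 4")
        typ = o.opt_type | (0x80 if o.critical else 0)
        opts += struct.pack("!HBB", o.opt_class, typ, len(o.data) // 4) + o.data
    if len(opts) // 4 > 63:
        raise GeneveError("options exceed the 6-bit Opt Len field")
    b0 = len(opts) // 4  # Ver=0 in the top two bits, Opt Len (in 4-byte words) below
    b1 = (0x80 if oam else 0) | (0x40 if any(o.critical for o in options) else 0)
    return struct.pack("!BBHI", b0, b1, protocol, (vni & 0xFFFFFF) << 8) + opts + payload


def parse_geneve(buf: bytes) -> GenevePacket:
    """Strict decode; raises GeneveError on anything RFC 8926 says to drop."""
    if len(buf) < 8:
        raise GeneveError("header truncated")
    b0, b1, protocol, vni_rsvd = struct.unpack("!BBHI", buf[:8])
    if b0 >> 6 != 0:
        raise GeneveError(f"unsupported GENEVE version {b0 >> 6}")
    end = 8 + (b0 & 0x3F) * 4          # options occupy Opt Len * 4 bytes after the fixed header
    if len(buf) < end:
        raise GeneveError("options run past the end of the packet")
    options: List[GeneveOption] = []
    off = 8
    while off < end:
        if end - off < 4:
            raise GeneveError("truncated option header")
        cls, typ, ln = struct.unpack("!HBB", buf[off:off + 4])
        dlen = (ln & 0x1F) * 4         # option length is in 4-byte words, excluding its own header
        off += 4
        if off + dlen > end:
            raise GeneveError("option data longer than Opt Len allows")
        options.append(GeneveOption(cls, typ & 0x7F, bool(typ & 0x80), buf[off:off + dlen]))
        off += dlen
    # The C flag must agree with the options actually present; treat a mismatch as malformed.
    if bool(b1 & 0x40) != any(o.critical for o in options):
        raise GeneveError("C flag does not match the options present")
    return GenevePacket(vni_rsvd >> 8, protocol, bool(b1 & 0x80), options, buf[end:])


def inner_ipv4(pkt: GenevePacket) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, ip_proto) of the inner IPv4 packet, or None if it is not IPv4."""
    data = pkt.payload
    if pkt.protocol == PROTO_ETHERNET:
        if len(data) < 14 or struct.unpack("!H", data[12:14])[0] != PROTO_IPV4:
            return None
        data = data[14:]
    elif pkt.protocol != PROTO_IPV4:
        return None
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    return (socket.inet_ntoa(data[12:16]), socket.inet_ntoa(data[16:20]), data[9])


def appliance_verdict(buf: bytes, known_classes: Iterable[int]) -> str:
    """'drop' for malformed packets or unknown critical options, otherwise 'inspect'."""
    try:
        pkt = parse_geneve(buf)
    except GeneveError:
        return "drop"
    known = set(known_classes)
    if any(o.critical and o.opt_class not in known for o in pkt.options):
        return "drop"  # RFC 8926: an endpoint MUST drop packets with critical options it does not understand
    return "inspect"


# Constructed sample input: a minimal inner IPv4/TCP header (checksum left zero) plus 5 bytes.
INNER_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 5, 0, 0, 64, 6, 0,
                         socket.inet_aton("10.0.1.5"), socket.inet_aton("10.0.2.9")) + b"hello"
DEMO_CLASS = 0x0F0F  # hypothetical option class standing in for the metadata an option might carry
SAMPLE = build_geneve(0x123456, PROTO_IPV4, INNER_IPV4,
                      [GeneveOption(DEMO_CLASS, 0x01, False, b"\x00\x00\x00\x2a")])
UNKNOWN_CRITICAL = build_geneve(0x123456, PROTO_IPV4, INNER_IPV4,
                                [GeneveOption(0x0BAD, 0x02, True, b"\x00" * 4)])

if __name__ == "__main__":
    pkt = parse_geneve(SAMPLE)
    print(f"VNI={pkt.vni:#x} proto={pkt.protocol:#06x} options={len(pkt.options)} inner={inner_ipv4(pkt)}")
    print("sample:", appliance_verdict(SAMPLE, [DEMO_CLASS]))
    print("unknown critical option:", appliance_verdict(UNKNOWN_CRITICAL, [DEMO_CLASS]))
```

Only the inner packet is passed to inspection; the outer GENEVE header and options are stripped first, so appliance rules that match on IP addresses or ports must be written against the inner headers, not the encapsulating UDP flow.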

Types of integrations

Network Security Integration offers two ways to integrate network security appliance VMs:

  • In-band: this option routes packets to network appliance VMs for inspection, and a network appliance VM decides whether to allow or block each packet. With in-band integration, network appliances can block identified threats before the traffic reaches its destination. For more information, see In-band integration overview.

  • Out-of-band: this option routes a copy of the packets to network appliance VMs for analysis, without affecting the original traffic flow, so appliances can observe and alert but not block. For more information, see Out-of-band integration overview.

Service producers and consumers

Network Security Integration uses a producer-consumer model for inspecting and monitoring traffic. In this model, a producer offers packet inspection or analysis services, and a consumer sends its network traffic to the producer to be inspected or analyzed.

Figure 1 shows the high-level deployment architecture of the Network Security Integration services where both the consumer and producer are in the same organization.

Figure 1. High-level deployment architecture of the Network Security Integration services.

In the previous diagram, the producer-consumer model divides the network into two: a service producer network and a service consumer network.

  • A service producer network contains a set of scalable network appliances that inspect traffic.
  • A service consumer network contains Google Cloud VMs. The consumer network uses rules in a global network firewall policy to send traffic to the producer network.

Depending on the configuration, Network Security Integration either intercepts (in-band) or mirrors (out-of-band) the traffic from one or more consumer networks. It then encapsulates the traffic with GENEVE and sends it to the producer's network appliances for inspection.

Service consumer network

  • A consumer VPC network contains Google Cloud workloads that run on virtual machine (VM) instances. Each consumer VPC network references a producer's packet inspection or analysis services through an endpoint group.

  • Each consumer VPC network uses rules in a global network firewall policy to control which traffic is inspected or mirrored. These firewall rules use the apply_security_profile_group action. You can make the rules as specific as your security goals require, matching traffic on multiple attributes such as IP addresses or IP ranges and secure tags; traffic that matches no such rule is never sent to the producer.

Service producer network

  • A producer VPC network contains one or more zonal deployments of network appliances that inspect intercepted consumer traffic or analyze mirrored copies of it. Each zonal deployment consists of an internal passthrough Network Load Balancer whose backend VMs are network appliances that you manage.

  • Zonal deployments are grouped into a single deployment group that is referenced by an endpoint group in each consumer VPC network.
