Protect Internet Facing Applications with Firewalls in Public Cloud – Ingress Traffic Design

Every public cloud is drastically different; their networking and security models are 180 degrees apart from each other. We need a normalizer. That normalizer is #Aviatrix.

Google Cloud (GCP)

The solution described below shows how to implement NLB-based ingress in Google Cloud.

For this design, credit goes to Adam Stipkovits for deploying and verifying in the lab.

Note that in an NLB-based deployment in GCP the original source address is preserved up to the firewall. The firewall then has to NAT the traffic source to its LAN interface IP, so that is where the original source IP is lost.

For HTTP/HTTPS load balancing, an HTTP(S) load balancer with Network Endpoint Groups (NEGs) could be another option, although that does not preserve the source IP address.

Today you cannot put an HTTP(S) load balancer, or any other form of load balancer, into a Spoke, because load balancers in GCP are not tied to a subnet and would deliver traffic directly to the backend services instead of to the Spoke gateways. A third-party appliance, such as F5 or Nginx, could be used to do this in a Spoke network if needed.
