Written by Fawzi Hmouda.
In our conversations with customers, we are often asked about the best way to implement a centralised egress inspection architecture for workloads across multiple regions. Since the launch of GCP Network Connectivity Centre, organisations are moving away from the traditional VPC peering model to adopt the flexible and scalable NCC Hub and Spoke architecture.
Network Connectivity Center is an orchestration framework that enables network connectivity among VPCs that are connected to a central management resource called NCC Hub and it supports two types of spokes:
VPC Spokes provide inter-VPC network connectivity at scale, reducing the operational complexity of managing individual pair-wise VPC Network Peering connections through centralised NCC Hub.
Hybrid Spokes provide connectivity from VPC networks to on-premises networks or to other cloud providers' networks. These external networks can be reached through any type of hybrid spoke. Hybrid spokes consist of:
HA VPN Tunnel
Cloud Interconnect VLAN attachments
Router Appliance
Route exchange with spokes enables scalable any-to-any connectivity between VPC Spokes and hybrid spokes. It does, however, come with two limitations: IPv4 static default routes are not exchanged across VPC spokes, and default routes whose next hop is an internal passthrough Network Load Balancer virtual IP address in another VPC spoke are not supported. As a result, workloads in a VPC Spoke cannot reach the internet through centralised Network Virtual Appliances deployed in the traditional way, behind a load balancer with an exported static default route.
This is where NCC Router Appliances come into play, offering a solution to these challenges by enabling more flexible and robust routing configurations, ensuring that all workloads can maintain necessary connectivity through centralised appliances.
Network Virtual Appliances with NCC Router Appliances
NCC Router Appliances are specialised NCC Spokes that allow the creation of BGP sessions between a GCP Cloud Router and any Network Virtual Appliance that supports BGP, including solutions such as Palo Alto and FortiGate firewalls.
Once the Network Virtual Appliances are installed, interfaces on the GCP Cloud Router are configured to establish Border Gateway Protocol (BGP) peering with the appliances. To ensure redundancy, two interfaces should be created on each Cloud Router, with both interfaces placed in the same subnet as the corresponding appliance interfaces. BGP then handles the dynamic exchange of routes between the Cloud Router and the NVAs.
The Network Virtual Appliances advertise the 0.0.0.0/0 prefix through BGP to the GCP Cloud Router, which installs it as a dynamic route in the VPC routing table. The route's next hop points at the specific Router Appliance instance, shown as Router appliance instance <NVA-Name>, so that all traffic destined for external networks is directed through the NVA.
Network Connectivity Center spokes support the exchange of subnet private IPv4 address ranges and dynamic routes learned by the Router Appliance Spoke VPC through BGP, as in our case. These dynamic routes are then propagated to all workload Spoke VPCs, enabling, for example, a VM in the workload VPC to utilise these routes to reach the internet through the centralised Network Virtual Appliances.
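The GCP side of the setup described above, as an added example that is not code from the original post or from Mantel Group: it creates the hub, registers the two AUS-1 NVAs as a Router Appliance spoke, builds a Cloud Router with two interfaces in the NVA subnet, opens one BGP session per interface-and-appliance pair, attaches a workload VPC spoke, and lists the 0.0.0.0/0 dynamic routes that workload VPC has received. The NVA addresses 10.4.0.2 and 10.4.0.3 are the ones the post uses; every other value (project, hub, VPC, subnet, zone, ASNs, Cloud Router interface IPs, instance names) is an assumed placeholder. The appliance-side BGP configuration, where the NVA advertises 0.0.0.0/0 with its MED, is vendor specific and not shown. The script prints the gcloud commands by default (DRY_RUN=1) and only executes them when run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: gcloud commands for the NCC Router Appliance egress setup in
# one region. All names below are assumed placeholders except the NVA IPs.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 runs it.

PROJECT="${PROJECT:-my-project}"             # assumed
HUB="${HUB:-ncc-hub}"                         # assumed
TRANSIT_VPC="${TRANSIT_VPC:-transit-vpc}"     # VPC hosting the NVAs (assumed)
WORKLOAD_VPC="${WORKLOAD_VPC:-spoke-vpc-1}"   # workload VPC spoke (assumed name)
REGION="${REGION:-australia-southeast1}"
ZONE="${ZONE:-australia-southeast1-a}"        # assumed
SUBNET="${SUBNET:-transit-aus1}"              # subnet containing 10.4.0.0/24 (assumed)
ROUTER="${ROUTER:-cr-aus1}"                   # Cloud Router name (assumed)
GCP_ASN="${GCP_ASN:-65000}"                   # Cloud Router ASN (assumed)
NVA_ASN="${NVA_ASN:-65001}"                   # NVA ASN (assumed)
CR_IP0="${CR_IP0:-10.4.0.10}"                 # Cloud Router interface IPs (assumed)
CR_IP1="${CR_IP1:-10.4.0.11}"
NVA0_NAME="${NVA0_NAME:-nva-aus1-a}"; NVA0_IP="10.4.0.2"   # AUS-1 NVA pair from the post
NVA1_NAME="${NVA1_NAME:-nva-aus1-b}"; NVA1_IP="10.4.0.3"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

instance_uri() {
  printf 'projects/%s/zones/%s/instances/%s' "$PROJECT" "$ZONE" "$1"
}

create_hub() {
  run gcloud network-connectivity hubs create "$HUB" --project="$PROJECT"
}

# Register both NVAs of this region as a single Router Appliance spoke.
create_router_appliance_spoke() {
  run gcloud network-connectivity spokes linked-router-appliances create "ra-spoke-$REGION" \
    --project="$PROJECT" --hub="$HUB" --region="$REGION" \
    --router-appliance="instance=$(instance_uri "$NVA0_NAME"),ip=$NVA0_IP" \
    --router-appliance="instance=$(instance_uri "$NVA1_NAME"),ip=$NVA1_IP"
}

# Cloud Router with two interfaces in the NVA subnet; the second is declared
# redundant to the first so sessions survive the loss of one interface.
create_cloud_router() {
  run gcloud compute routers create "$ROUTER" --project="$PROJECT" \
    --network="$TRANSIT_VPC" --region="$REGION" --asn="$GCP_ASN"
  run gcloud compute routers add-interface "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --interface-name=if0 --ip-address="$CR_IP0" --subnetwork="$SUBNET"
  run gcloud compute routers add-interface "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --interface-name=if1 --ip-address="$CR_IP1" --subnetwork="$SUBNET" --redundant-interface=if0
}

# One BGP peer per (interface, NVA) pair: 2 interfaces x 2 NVAs = 4 sessions.
add_bgp_peer() {  # $1 interface name, $2 NVA instance name, $3 NVA IP
  run gcloud compute routers add-bgp-peer "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --peer-name="$1-$2" --interface="$1" --peer-ip-address="$3" --peer-asn="$NVA_ASN" \
    --instance="$2" --instance-zone="$ZONE"
}

add_all_bgp_peers() {
  for ifc in if0 if1; do
    add_bgp_peer "$ifc" "$NVA0_NAME" "$NVA0_IP"
    add_bgp_peer "$ifc" "$NVA1_NAME" "$NVA1_IP"
  done
}

# Sanity check: number of BGP sessions this configuration produces.
bgp_session_count() {
  ( DRY_RUN=1; add_all_bgp_peers ) | grep -c 'add-bgp-peer'
}

# Attach the workload VPC as a VPC spoke so it receives the dynamic routes.
create_workload_vpc_spoke() {
  run gcloud network-connectivity spokes linked-vpc-network create "$WORKLOAD_VPC" \
    --project="$PROJECT" --hub="$HUB" --vpc-network="$WORKLOAD_VPC" --global
}

# Show the 0.0.0.0/0 dynamic routes present in the workload VPC, with their
# priority and next-hop instance (the Router Appliance instance).
show_default_routes() {
  run gcloud compute routes list --project="$PROJECT" \
    --filter="network:$WORKLOAD_VPC AND destRange=0.0.0.0/0" \
    --format="table(name,priority,nextHopInstance,routeType)"
}

main() {
  create_hub
  create_router_appliance_spoke
  create_cloud_router
  add_all_bgp_peers
  create_workload_vpc_spoke
  show_default_routes
}

main
```

Run the same script a second time with REGION, ZONE, SUBNET, ROUTER, the CR_IP values and the NVA names and IPs set for australia-southeast2 (10.5.0.2 and 10.5.0.3) to build the second pair; the hub and workload spoke commands will then report that those resources already exist. After both regions are up, the route listing should show two 0.0.0.0/0 entries per region with the local region's next hops at the lower priority value.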
The exported dynamic routes in the workload VPC allow resources to use routes with different next hops automatically, without the need for network tags. With global routing enabled in the VPCs, exported routes are installed in every region; a route whose next hop lies in a different region from the Cloud Router that learned it carries an additional inter-region cost. This configuration ensures that traffic prefers routes pointing to next hops within the same region first, because of their lower cost (BGP MED), and only uses next hops in other regions if the NVAs in a given region fail.
Failover occurs automatically, as routes pointing to the primary next hop are withdrawn if a failure happens. For example, if the NVAs in the AUS1 region fail, the routes they advertised, including the default 0.0.0.0/0 route, will be removed, and traffic will seamlessly reroute through cross-regional NVAs. Consequently, VMs in the AUS1 region will use the default route via the AUS2 NVA.
Moreover, there’s no longer a need for Internal Load Balancers (ILBs), as the next hop for the BGP routes is pointed directly to the NVAs. GCP will automatically perform Equal Cost Multi-Path (ECMP) routing to distribute traffic evenly across multiple NVAs within the same region, ensuring efficient and balanced use of network resources.
End to End Testing
For end-to-end testing, the focus is on egress traffic from a VM located in Spoke VPC-1 in the australia-southeast1 region, as shown in the diagram below.
To route the egress traffic from this VM to the internet, two pairs of Network Virtual Appliances (NVAs) are deployed in australia-southeast1 and australia-southeast2, with the following IP addresses:
AUS-1 NVAs: 10.4.0.2 and 10.4.0.3
AUS-2 NVAs: 10.5.0.2 and 10.5.0.3
This setup not only allows for an evaluation of how the VM routes its traffic through the appropriate NVAs to access the internet, but it also enables testing of how GCP’s Equal Cost Multi-Path (ECMP) routing effectively distributes traffic evenly across multiple NVAs within the same region, ensuring efficient and reliable internet egress.
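A small egress check to run from the VM in Spoke VPC-1, added here as an example and not taken from the original post: it requests the VM's apparent public address repeatedly over separate TCP connections and tallies which NVA answered, which shows whether ECMP is spreading flows across both AUS-1 appliances and whether any flow is leaving through AUS-2 while AUS-1 is healthy. It assumes each NVA source-NATs egress traffic behind its own external address and that an IP-echo endpoint is reachable; the endpoint URL and the NAT addresses are placeholders, and the mapping from NAT address to NVA is constructed, since the post gives only the NVAs' internal addresses.

```shell
#!/bin/sh
# Added example: observe ECMP egress distribution from a workload VM.
# ECHO_URL and the NAT addresses below are assumed placeholders.

ECHO_URL="${ECHO_URL:-https://checkip.example.invalid}"   # assumed IP-echo endpoint
SAMPLES="${SAMPLES:-50}"

# Map an observed NAT address to the NVA behind it (constructed mapping).
label_for_ip() {
  case "$1" in
    203.0.113.2) echo "nva-aus1-a (10.4.0.2)" ;;
    203.0.113.3) echo "nva-aus1-b (10.4.0.3)" ;;
    203.0.113.5) echo "nva-aus2-a (10.5.0.2)" ;;
    203.0.113.6) echo "nva-aus2-b (10.5.0.3)" ;;
    *)           echo "unknown ($1)" ;;
  esac
}

# Read one observed address per line on stdin and print "count label" rows,
# most frequent first. One label holding every sample means no ECMP spread;
# AUS-2 labels while AUS-1 is healthy means the regional preference is wrong.
tally_egress() {
  sort | uniq -c | sort -rn | while read -r count ip; do
    printf '%s %s\n' "$count" "$(label_for_ip "$ip")"
  done
}

# Number of distinct egress addresses seen (stdin, one address per line).
distinct_paths() {
  sort -u | grep -c .
}

# Live collection: each curl call is a new connection, so each sample is a
# separate flow that ECMP hashes on its own. --max-time bounds the wait when
# a path is down; a timed-out request is recorded as "timeout".
collect_samples() {
  i=0
  while [ "$i" -lt "$SAMPLES" ]; do
    curl -s --max-time 5 "$ECHO_URL" || printf 'timeout'
    echo
    i=$((i + 1))
  done
}

if [ "${1:-}" = "run" ]; then
  collect_samples | tr -d '\r' | sed '/^$/d' > /tmp/egress-samples.txt
  echo "distinct egress paths: $(distinct_paths < /tmp/egress-samples.txt)"
  tally_egress < /tmp/egress-samples.txt
fi
```

Invoke it as `sh egress-check.sh run` on the VM. With both AUS-1 NVAs healthy the tally should list two AUS-1 labels with roughly equal counts; repeating it while one AUS-1 appliance is withdrawn from BGP should move every sample to the remaining AUS-1 NVA, and withdrawing both should move them to the AUS-2 labels, matching the failover behaviour described above.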
Conclusion
The NCC Hub and Spoke architecture, enhanced by NCC Router Appliances, is more than just a network solution; it’s a strategic approach to modernising your cloud connectivity. By simplifying complex routing configurations and ensuring seamless failover, this architecture empowers your infrastructure to operate with greater efficiency and reliability.
Mantel Group’s deep expertise in GCP networking and cloud architecture shines through in our approach to leveraging NCC Router Appliances. We’ve combined our technical expertise with a clear understanding of enterprise needs to create a solution that not only meets but exceeds connectivity demands.
Ready to elevate your network architecture with NCC? Contact us today to explore how this solution can transform your cloud environment.