Streamline Network Security With the Hub-Spoke Model using a Central Appliance 🌐🔐

Sumit K
Google Cloud - Community
7 min readSep 5, 2023

Before delving into the implementation of a central firewall appliance in this article, let's start by understanding the fundamental concept of the hub and spoke architecture.

The hub and spoke model is a networking architecture where a central hub connects to multiple spoke networks. This type of network design is often used in enterprise environments where there is a need to centralize network management and security.

In GCP, this model involves using VPC (Virtual Private Cloud) networks to create a central hub network that acts as a transit point for data traffic between multiple spoke networks.

Why do we need this design?

There are several reasons:

  • Centralized management and security: All network traffic passes through the central hub network, which allows for centralized firewall rules and traffic monitoring.
  • Scalability: A hub-and-spoke network design is scalable. As the enterprise grows, new spoke networks can be added to the hub network without having to make changes to the central hub network.
  • Cost-effectiveness: A hub-and-spoke network design can be cost-effective.

How does this model work?

A hub-and-spoke network design typically consists of a hub network, spoke networks, and firewalls.

  • Hub network: The hub network is the central network that connects to all of the spoke networks. The hub network typically contains shared resources such as firewalls, load balancers, and DNS servers.
  • Spoke networks: The spoke networks are the individual networks that connect to the hub network. Each spoke network can contain its own set of resources, such as servers, applications, and users.
  • Firewalls: Firewalls are used to control traffic between the hub network and the spoke networks.

Central appliance firewall device in GCP:

Central appliance firewalls provide comprehensive security and control over network traffic, ensuring protection from threats. 🔒 In the Google Cloud Platform (GCP), a central appliance firewall device can be implemented using a variety of methods. One option is to use a third-party firewall appliance deployed on a Compute Engine virtual machine (VM). A central appliance in a network is a virtual device that connects all the other VMs in the network. It also provides security for the network by filtering traffic and preventing unauthorized access.

But the question is: why do most enterprises rely on central appliance firewalls in their networks? 🚀 Let's understand. 📖

Public cloud security architectures vary, but they generally follow a shared responsibility model. Google takes care of the security of the platform and offers an impressive set of tools and services (physical protection, shielding, firewall, IAM, etc.), but once packets hit your network, you are responsible for their security. So you need good visibility into the packets and data moving back and forth between your networks. That's where the central firewall appliance comes into the picture. It is similar to a traditional data center firewall device, but now present in the cloud in the form of a virtual appliance.

Many organizations choose to bring traditional firewall devices into the cloud by adopting virtual appliances. These virtualized, VM-based appliances offer a range of capabilities, such as monitoring, transforming, or blocking traffic, allowing organizations to route their network traffic efficiently. Corporate environments often need to route traffic to the internet, to an on-premises network, to other clouds, or even to other parts of the same cloud environment through such appliances. They act as intermediaries, ensuring that traffic is appropriately monitored, secured, and controlled before reaching its intended destination.

Here are some of the things that a central Appliance device can do:

  • Route traffic: The central device routes traffic between the different devices on the network. This ensures that traffic is sent to the correct destination.
  • Filter traffic: The central device can filter traffic to prevent unauthorized access to the network. This can be done by using firewall rules to block traffic from certain sources or destinations.
  • Provide security: The central device can provide security for the network by using intrusion detection and prevention systems (IDS/IPS) to detect and block malicious traffic.
  • Manage the network: The central device can be used to manage the network by providing a central location for configuring devices and monitoring traffic.

Choose your network design

The network design that you choose depends primarily on the following factors:

  • Centralized or decentralized control: Depending on your organization's preferences, you must choose between centralized and decentralized control of the network.
  • On-premises or hybrid cloud connectivity options: All the network designs provide access from on-premises to cloud environments through Cloud VPN or Cloud Interconnect.
  • Security requirements: Your organization might require traffic between different workloads in Google Cloud to pass through centralized network appliances such as next generation firewalls (NGFW). This constraint influences your Virtual Private Cloud (VPC) network design.
  • Scalability: Some designs might be better for your organization than others, based on the number of workloads that you want to deploy or the resources that they will consume.

Hub-and-spoke topology with centralized appliances:

This network design uses hub-and-spoke topology. A hub VPC network contains a set of appliance VMs such as NGFWs that are connected to the spoke VPC networks that contain the workloads. Traffic between the workloads, on-premises networks, or the internet is routed through appliance VMs for inspection and filtering.

Use this design when the following is true:

  • You require Layer 7 inspection between different workloads or applications.
  • You have a corporate mandate that specifies the security appliance vendor for all traffic.

Avoid this design when the following is true:

  • You don't require Layer 7 inspection for most of your workloads.
  • You want workloads on Google Cloud to not communicate at all with each other.

Stateful L7 firewall between VPC networks

This architecture has multiple VPC networks that are bridged by an L7 next-generation firewall (NGFW) appliance, which functions as a multi-NIC bridge between VPC networks.

An untrusted, outside VPC network is introduced to terminate hybrid interconnects and internet-based connections, which land on the outside leg of the L7 NGFW for inspection. This design has many variations, but the key principle is to filter traffic through the firewall before the traffic reaches trusted VPC networks.

This design requires each VPC network to reside in the project where you insert the VM-based NGFW. Because quotas are enforced at the project level, you must consider the aggregate of all VPC resources.

L7 firewall appliance in a VPC network. Picture credit: Google

Architecting a Customized Stateful L7 or Nextgen Firewall Solution for VPC Network Segmentation and Security in a Hub and Spoke Model:

Google recommends best practices to follow when considering your network design. Every organization has unique requirements based on its business needs, users' presence, geographical location, compliance, and security requirements. As a first step in your VPC network design, identify the decision makers, timelines, and pre-work necessary to ensure that you can address stakeholder requirements. The following architecture is based on the hub and spoke model, using Shared VPCs that can be split per environment, such as production or staging. The architecture in the image is for a multi-tenant application.

Next-gen firewall appliance between VPC networks

Shared VPC is a great option to manage your network centrally: you don't need to go into each project to manage network-related issues. Service projects are the consumers of the Shared VPC for their IP allocation. The host project also has a next-gen firewall appliance to track every packet leaving the VPC or coming towards your network. This also helps to forward traffic to another VPC, such as the internet VPC: if a VM has to reach the internet, the next hop can be the appliance VM's NIC, or, if you have multiple appliances behind an internal load balancer, you can use the ILB's forwarding rule as the next hop in your static routes.
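As an added example (not from the article, and not any vendor's template), here is the hub-side Terraform for the route-through-appliance pattern just described: a multi-NIC appliance VM behind an internal passthrough load balancer, and a static route that sends all Shared VPC egress to that ILB. The network, subnet and image names are placeholders assumed to exist already, as are the region and zone.

```hcl
resource "google_compute_instance" "ngfw" {
  name           = "ngfw-01"
  machine_type   = "n2-standard-4"
  zone           = "us-central1-a"
  can_ip_forward = true   # required: without it GCP drops packets not addressed to the VM
  boot_disk { initialize_params { image = "VENDOR_NGFW_IMAGE" } }  # placeholder image name
  network_interface { subnetwork = "trusted-subnet" }    # nic0 in shared-vpc (trusted side)
  network_interface { subnetwork = "untrusted-subnet" }  # nic1 in the internet VPC
  # no access_config block, so the appliance gets no public IP
}

resource "google_compute_instance_group" "ngfw" {
  name      = "ngfw-ig"
  zone      = "us-central1-a"
  instances = [google_compute_instance.ngfw.self_link]
}

resource "google_compute_health_check" "ngfw" {
  name = "ngfw-hc"
  tcp_health_check { port = 443 }  # placeholder: use the vendor's health-check port
}

resource "google_compute_region_backend_service" "ngfw" {
  name                  = "ngfw-bes"
  region                = "us-central1"
  load_balancing_scheme = "INTERNAL"
  network               = "shared-vpc"   # required for multi-NIC backends: selects nic0
  health_checks         = [google_compute_health_check.ngfw.id]
  backend { group = google_compute_instance_group.ngfw.self_link }
}

resource "google_compute_forwarding_rule" "ngfw" {
  name                  = "ngfw-ilb"
  region                = "us-central1"
  load_balancing_scheme = "INTERNAL"
  network               = "shared-vpc"
  subnetwork            = "trusted-subnet"
  backend_service       = google_compute_region_backend_service.ngfw.id
  ip_protocol           = "TCP"
  all_ports             = true   # a next-hop ILB must accept every port
}

# Default route for the Shared VPC: priority 900 beats the default internet
# gateway route (1000), so no workload can bypass the appliance for egress.
resource "google_compute_route" "egress_via_ngfw" {
  name         = "egress-via-ngfw"
  network      = "shared-vpc"
  dest_range   = "0.0.0.0/0"
  priority     = 900
  next_hop_ilb = google_compute_forwarding_rule.ngfw.id
}
```

Health-check probes come from Google's reserved probe ranges, so a firewall rule admitting them on nic0 is still required before the backend is reported healthy and the route starts forwarding.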

The management VPC is created specifically to manage your firewall appliances: connecting to them, day-to-day operational work, creating policies, patching, etc. There is no direct internet connectivity or public IP attached to any instance or firewall device. The intent is to block direct connectivity and rely on the appliances to forward traffic to the internet VPC, where Cloud NAT provides outbound internet access for the private subnets. The Shared VPC is also connected to an interconnect VPC in a separate project to establish connectivity from the Shared VPC to on-prem and vice versa.

Using Cloud Router and a VLAN attachment, Dedicated Interconnect terminates the hybrid connectivity between Google Cloud and on-premises. An isolated ingress VPC is dedicated to receiving incoming traffic from the internet. This VPC can have a global load balancer to distribute traffic to the firewall appliances. The firewall appliance is multi-NIC and is also connected to the ingress trusted VPC, which is peered with the Shared VPCs in the host projects. This allows ingress traffic to be managed.

Conclusion: The hub-spoke model is a simple and effective way to streamline network security. By centralizing security functions in a single appliance, organizations can improve visibility and control over their network traffic. This can help to reduce the risk of data breaches and other security incidents. Most large organizations use this model in the real world. So, if you are looking for a way to streamline network security, the hub-spoke model is a good option to consider. It is a simple and effective way to improve visibility and control over your network traffic.

That's so much for now :) I hope you like this article. Please share it if helpful and don't forget to follow me :) Please subscribe for upcoming blogs.

Book a call for consulting/assistance: https://topmate.io/sumit_kumar40
