Networking for internet-facing application delivery: Reference architectures
Stay organized with collections
Save and categorize content based on your preferences.
Last reviewed 2025-01-13 UTC
This document is part of a series that describes networking and security
architectures for enterprises that are migrating data center workloads to
Google Cloud.
Google offers a set of products and capabilities that help secure
and scale your most critical internet-facing applications. Figure 1 shows an
architecture that uses Google Cloud services to deploy a web application
with multiple tiers.
Figure 1. Typical multi-tier web application deployed on Google Cloud.
Lift-and-shift architecture
As internet-facing applications move to the cloud, they must be able to scale,
and they must have security controls and visibility that are equivalent to those
controls in the on-premises environment. You can provide these controls by using
network virtual appliances that are available in the marketplace.
Figure 2. Application deployed with an appliance-based external load
balancer.
These virtual appliances provide functionality and visibility that is
consistent with your on-premises environments. When you use a network virtual
appliance, you deploy the software appliance image by using autoscaled managed
instance groups. It's up to you to monitor and manage the health of the VM
instances that run the appliance, and you also maintain software updates for the
appliance.
After you perform your initial shift, you might want to
transition from self-managed network virtual appliances to managed services.
Google Cloud offers a number of managed services to
deliver applications at scale.
Figure 2 shows a network virtual appliance configured as the frontend
of a web tier application. For a list of partner ecosystem solutions, see the
Google Cloud Marketplace
page in the Google Cloud console.
Hybrid services architecture
Google Cloud offers the following approaches to manage
internet-facing applications at scale:
Use Google's global network of anycast DNS name servers that provide
high availability and low latency to translate requests for domain names
into IP addresses.
Use Google's global fleet of external Application Load Balancers to route traffic to an
application that's hosted inside Google Cloud, hosted on-premises, or
hosted on another public cloud. These load balancers scale automatically
with your traffic and ensure that each request is directed to a healthy
backend. By setting up
hybrid connectivity network endpoint groups,
you can bring the benefits of external Application Load Balancer networking
capabilities to services that are running on your existing infrastructure
outside of Google Cloud. The on-premises network or the other public
cloud networks are privately connected to your Google Cloud network
through a VPN tunnel or through Cloud Interconnect.
Use other network edge services such as Cloud CDN to distribute
content, Google Cloud Armor to protect your content, and
Identity-Aware Proxy (IAP) to control access to your services.
Use a Application Load Balancer (HTTP/HTTPS) to route requests based on
their attributes, such as the HTTP uniform resource identifier (URI).
Use a proxy Network Load Balancer to implement TLS offload, TCP proxy, or support for
external load balancing to backends in multiple regions.
Use a passthrough Network Load Balancer to preserve client source IP addresses, avoid the
overhead of proxies, and to support additional protocols like UDP, ESP, and
ICMP.
Protect your service with
Cloud Armor.
This product is an edge DDoS defense and WAF security product that's
available to all services that are accessed through load balancers.
Use
Google-managed SSL certificates.
You can reuse certificates and private keys that you already use for other
Google Cloud products. This eliminates the need to manage separate
certificates.
Enable caching on your application to take advantage of the distributed
application delivery footprint of Cloud CDN.
Use Cloud IDS to detect threats in north-south traffic, as
shown in figure 6.
Figure 6. Cloud IDS configuration to mirror and inspect
all internet and internal traffic.
Zero Trust Distributed Architecture
You can expand Zero Trust Distributed Architecture to include application
delivery from the internet. In this model, the Google external Application Load Balancer provides
global load balancing across GKE clusters that have
Cloud Service Mesh meshes in distinct clusters. For this scenario, you adopt a
composite ingress model. The first-tier load balancer provides cluster
selection, and then a Cloud Service Mesh-managed ingress gateway provides
cluster-specific load balancing and ingress security. An example of this
multi-cluster ingress is the
Cymbal Bank reference architecture
as described in the enterprise application blueprint. For more information about
Cloud Service Mesh edge ingress, see
From edge to mesh: Exposing service mesh applications through GKE Ingress.
Figure 7 shows a configuration in which a external Application Load Balancer directs
traffic from
the internet to the service mesh
through an
ingress gateway.
The gateway is a dedicated proxy in the service mesh.
Figure 7. Application delivery in a zero-trust microservices environment.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-01-13 UTC."],[[["\u003cp\u003eThis document focuses on networking architectures for delivering internet-facing applications in Google Cloud, covering migration from on-premises environments.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Cloud offers managed services like external Application Load Balancers, Cloud CDN, and Cloud Armor to scale and secure internet-facing applications, replacing self-managed network virtual appliances.\u003c/p\u003e\n"],["\u003cp\u003eHybrid services architectures can be implemented, allowing the use of Google's global network for DNS and load balancing while connecting to services hosted on-premises or in other clouds.\u003c/p\u003e\n"],["\u003cp\u003eThe document covers various approaches to load balancing, including HTTP/HTTPS Application Load Balancers, proxy Network Load Balancers, and passthrough Network Load Balancers, each with specific use cases.\u003c/p\u003e\n"],["\u003cp\u003eZero Trust Distributed Architecture is discussed, detailing how external Application Load Balancers can integrate with Cloud Service Mesh for secure, multi-cluster application delivery.\u003c/p\u003e\n"]]],[],null,["# Networking for internet-facing application delivery: Reference architectures\n\nThis document is part of a series that describes networking and security\narchitectures for enterprises that are migrating data center workloads to\nGoogle Cloud.\n\nThe series consists of the following documents:\n\n- [Designing networks for migrating enterprise workloads: Architectural approaches](/architecture/network-architecture)\n- [Networking for secure intra-cloud access: Reference architectures](/architecture/network-secure-intra-cloud-access)\n- Networking for internet-facing application delivery: Reference architectures (this document)\n- [Networking for hybrid and multi-cloud workloads: Reference architectures](/architecture/network-hybrid-multicloud)\n\nGoogle offers a set of products and capabilities that help secure\nand scale your most critical internet-facing applications. Figure 1 shows an\narchitecture that uses Google Cloud services to deploy a web application\nwith multiple tiers.\n\n**Figure 1**. Typical multi-tier web application deployed on Google Cloud.\n| **Note:** You need to consider limitations of using Application Load Balancers. For more information, see the [Limitations](/load-balancing/docs/https#limitations) section in the \"External Application Load Balancer overview\" documentation.\n\nLift-and-shift architecture\n---------------------------\n\nAs internet-facing applications move to the cloud, they must be able to scale,\nand they must have security controls and visibility that are equivalent to those\ncontrols in the on-premises environment. You can provide these controls by using\nnetwork virtual appliances that are available in the marketplace.\n\n**Figure 2**. Application deployed with an appliance-based external load\nbalancer.\n\nThese virtual appliances provide functionality and visibility that is\nconsistent with your on-premises environments. When you use a network virtual\nappliance, you deploy the software appliance image by using autoscaled managed\ninstance groups. It's up to you to monitor and manage the health of the VM\ninstances that run the appliance, and you also maintain software updates for the\nappliance.\n\nAfter you perform your initial shift, you might want to\ntransition from self-managed network virtual appliances to managed services.\nGoogle Cloud offers a number of managed services to\ndeliver applications at scale.\n\nFigure 2 shows a network virtual appliance configured as the frontend\nof a web tier application. For a list of partner ecosystem solutions, see the\n[Google Cloud Marketplace](https://console.cloud.google.com/marketplace/browse?filter=category:networking)\npage in the Google Cloud console.\n\nHybrid services architecture\n----------------------------\n\nGoogle Cloud offers the following approaches to manage\ninternet-facing applications at scale:\n\n- Use Google's global network of anycast DNS name servers that provide high availability and low latency to translate requests for domain names into IP addresses.\n- Use Google's global fleet of external Application Load Balancers to route traffic to an application that's hosted inside Google Cloud, hosted on-premises, or hosted on another public cloud. These load balancers scale automatically with your traffic and ensure that each request is directed to a healthy backend. By setting up [hybrid connectivity network endpoint groups](/load-balancing/docs/negs/hybrid-neg-concepts), you can bring the benefits of external Application Load Balancer networking capabilities to services that are running on your existing infrastructure outside of Google Cloud. The on-premises network or the other public cloud networks are privately connected to your Google Cloud network through a VPN tunnel or through Cloud Interconnect.\n- Use other network edge services such as Cloud CDN to distribute\n content, Google Cloud Armor to protect your content, and\n Identity-Aware Proxy (IAP) to control access to your services.\n\n Figure 3 shows hybrid connectivity that uses external Application Load Balancer.\n\n **Figure 3**. Hybrid connectivity configuration using external Application Load Balancer and\n network edge services.\n\n Figure 4 shows a different connectivity option---using hybrid\n connectivity network endpoint groups.\n\n **Figure 4**. External Application Load Balancer configuration using hybrid\n connectivity network endpoint groups.\n- Use a Application Load Balancer (HTTP/HTTPS) to route requests based on\n their attributes, such as the HTTP uniform resource identifier (URI).\n Use a proxy Network Load Balancer to implement TLS offload, TCP proxy, or support for\n external load balancing to backends in multiple [regions](/docs/geography-and-regions#regions_and_zones).\n Use a passthrough Network Load Balancer to preserve client source IP addresses, avoid the\n overhead of proxies, and to support additional protocols like UDP, ESP, and\n ICMP.\n\n- Protect your service with\n [Cloud Armor](/armor).\n This product is an edge DDoS defense and WAF security product that's\n available to all services that are accessed through load balancers.\n\n- Use\n [Google-managed SSL certificates](/load-balancing/docs/ssl-certificates/google-managed-certs).\n You can reuse certificates and private keys that you already use for other\n Google Cloud products. This eliminates the need to manage separate\n certificates.\n\n- Enable caching on your application to take advantage of the distributed\n application delivery footprint of Cloud CDN.\n\n- Use [Cloud Next Generation Firewall](/vpc/docs/firewalls) to inspect and filter traffic in your VPC networks.\n\n- Use Cloud IDS to detect threats in north-south traffic, as\n shown in figure 6.\n\n **Figure 6**. Cloud IDS configuration to mirror and inspect\n all internet and internal traffic.\n\nZero Trust Distributed Architecture\n-----------------------------------\n\nYou can expand Zero Trust Distributed Architecture to include application\ndelivery from the internet. In this model, the Google external Application Load Balancer provides\nglobal load balancing across GKE clusters that have\nCloud Service Mesh meshes in distinct clusters. For this scenario, you adopt a\ncomposite ingress model. The first-tier load balancer provides cluster\nselection, and then a Cloud Service Mesh-managed ingress gateway provides\ncluster-specific load balancing and ingress security. An example of this\nmulti-cluster ingress is the\n[Cymbal Bank reference architecture](/architecture/blueprints/enterprise-application-blueprint/cymbal-bank)\nas described in the enterprise application blueprint. For more information about\nCloud Service Mesh edge ingress, see\n[From edge to mesh: Exposing service mesh applications through GKE Ingress](/architecture/exposing-service-mesh-apps-through-gke-ingress).\n\nFigure 7 shows a configuration in which a external Application Load Balancer directs\ntraffic from\nthe [internet to the service mesh](/architecture/exposing-service-mesh-apps-through-gke-ingress)\nthrough an\n[ingress gateway](/architecture/exposing-service-mesh-apps-through-gke-ingress).\nThe gateway is a dedicated proxy in the service mesh.\n\n**Figure 7**. Application delivery in a zero-trust microservices environment.\n\nWhat's next\n-----------\n\n- [Networking for secure intra-cloud access: Reference architectures](/architecture/network-secure-intra-cloud-access).\n- [Networking for hybrid and multi-cloud workloads: Reference architectures](/architecture/network-hybrid-multicloud).\n- [Use Cloud Armor, load balancing, and Cloud CDN to deploy programmable global front ends](/architecture/deploy-programmable-gfe-cloud-armor-lb-cdn)\n- [Migration to Google Cloud](/solutions/migration-to-gcp-getting-started) can help you to plan, design, and implement the process of migrating your workloads to Google Cloud.\n- [Landing zone design in Google Cloud](/architecture/landing-zones) has guidance for creating a landing zone network.\n- For more reference architectures, diagrams, and best practices, explore the [Cloud Architecture Center](/architecture)."]]