Also read At Rest Encryption in GCP.

Overview - Network Layer Automatic Encryption

At the network layer, Google Cloud's virtual network infrastructure automatically encrypts VM-to-VM traffic when it crosses a physical boundary not controlled by or on behalf of Google (for example, when it leaves one of Google's data centers). Traffic that stays inside such a boundary is not necessarily encrypted at this layer, which is why the application-layer protections below still matter.

On top of this, at the application layer, Application Layer Transport Security (ALTS) automatically provides authentication, integrity and encryption of remote procedure calls between Google's own services when those calls leave a physical boundary controlled by or on behalf of Google.

Each service that runs in Google’s infrastructure has a service account identity with associated cryptographic credentials that are used to authenticate these communications.

Layer 7 (HTTPS) encryption between User and Google Services

This is AUTOMATIC and REQUIRED for accessing most Google-hosted services (those fronted by a Google Front End, GFE): the public endpoints are TLS only, so a client cannot opt out of encryption on this hop.

Layer 7 (HTTPS) encryption between the Load Balancer and the first hop backend instance

This depends on the LB type. The external HTTPS LB and the SSL Proxy LB terminate the client's TLS connection at the LB. What happens after the LB is up to the deployment team: the hop from the LB to the backend VM is encrypted only if the backend service's protocol is set to HTTPS (or HTTP/2, or SSL for the SSL Proxy LB) and the backends actually serve TLS. Note that by default the LB does not validate the backend's certificate, so a self-signed certificate on the backend is accepted; this gives confidentiality on the hop but not authentication of the backend, and the corresponding health check must also use the TLS protocol or the backends will be marked unhealthy.

Layer 3 encryption between a user VM and Google Cloud

IPsec, in the form of Cloud VPN tunnels (Classic VPN or HA VPN), is what provides network-layer encryption here. Cloud Interconnect links are not encrypted on their own; running HA VPN over the Interconnect attachment is the usual way to add IPsec on top of them.

Layer 7 encryption between a user VM and Google Cloud

For a GFE-hosted service this is automatic: the only endpoint offered to the VM is HTTPS, so calls from the VM to Google APIs are encrypted at layer 7 regardless of what the network in between does.

VM to VM within the same VPC or across Peered VPCs

Default encryption is provided by the network layer described above, i.e. automatically whenever the traffic crosses a physical boundary that Google does not control. It does not depend on whether the two VMs are in the same VPC or in peered VPCs, and it is not a substitute for TLS between your own applications if you need encryption on every hop.

What about PCI Compliance?

PCI DSS requires strong cryptography for cardholder data transmitted over open, public networks, and assessors commonly expect every hop carrying that data to be encrypted. So, for example, an external HTTPS LB or an SSL Proxy LB, which terminates client connections, will leave the last hop (from the load balancer to the backend VM) unencrypted unless the backend service is explicitly configured for HTTPS (or HTTP/2, or SSL for the SSL Proxy LB). That configuration is a routine finding in PCI reviews and is worth auditing across every load balancer in scope.
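As a worked check for the two points above (the LB-to-backend hop, and the PCI concern about it), here is an audit script added to this page; it is not code from the original post or from Google. It assumes the JSON that the `gcloud compute target-https-proxies list --format=json`, `gcloud compute target-ssl-proxies list --format=json`, `gcloud compute url-maps list --format=json` and `gcloud compute backend-services list --format=json` commands emit, and it flags every backend service reachable from an HTTPS or SSL proxy whose backend protocol is not a TLS protocol. The resources embedded below are constructed sample data for the example, not from any real project.

```python
"""Find external HTTPS / SSL Proxy load balancers whose LB-to-backend hop is not TLS.

Added example (not the page's or Google's code). Inputs mirror the shape of
`gcloud compute ... list --format=json` output; the sample resources at the
bottom are constructed for this example.
"""
import json

# Backend-service protocols that keep the LB-to-instance hop encrypted.
TLS_BACKEND_PROTOCOLS = {"HTTPS", "HTTP2", "SSL"}


def _name(url):
    """Return the resource name from a selfLink-style reference."""
    return url.rsplit("/", 1)[-1]


def services_behind_url_map(url_map):
    """Collect every backend service a URL map can route a request to."""
    services = set()
    if "defaultService" in url_map:
        services.add(_name(url_map["defaultService"]))
    for matcher in url_map.get("pathMatchers", []):
        if "defaultService" in matcher:
            services.add(_name(matcher["defaultService"]))
        for rule in matcher.get("pathRules", []):
            if "service" in rule:
                services.add(_name(rule["service"]))
    return services


def find_unencrypted_backend_hops(https_proxies, ssl_proxies, url_maps, backend_services):
    """Return [(proxy_name, backend_service_name, protocol)] for each non-TLS hop."""
    maps_by_name = {m["name"]: m for m in url_maps}
    svc_by_name = {s["name"]: s for s in backend_services}
    findings = []

    # External HTTPS LB: proxy -> URL map -> one or more backend services.
    for proxy in https_proxies:
        url_map = maps_by_name.get(_name(proxy["urlMap"]))
        if url_map is None:
            continue
        for svc_name in sorted(services_behind_url_map(url_map)):
            svc = svc_by_name.get(svc_name)
            if svc is not None and svc.get("protocol") not in TLS_BACKEND_PROTOCOLS:
                findings.append((proxy["name"], svc_name, svc.get("protocol")))

    # SSL Proxy LB: the proxy references a backend service directly (no URL map).
    for proxy in ssl_proxies:
        svc_name = _name(proxy["service"])
        svc = svc_by_name.get(svc_name)
        if svc is not None and svc.get("protocol") not in TLS_BACKEND_PROTOCOLS:
            findings.append((proxy["name"], svc_name, svc.get("protocol")))
    return findings


# Constructed sample data (hypothetical project "example-project").
_BASE = "https://www.googleapis.com/compute/v1/projects/example-project/global"
SAMPLE_HTTPS_PROXIES = json.loads(
    '[{"name": "web-https-proxy", "urlMap": "%s/urlMaps/web-map"}]' % _BASE)
SAMPLE_SSL_PROXIES = json.loads(
    '[{"name": "mq-ssl-proxy", "service": "%s/backendServices/mq-backend"}]' % _BASE)
SAMPLE_URL_MAPS = json.loads('''[
  {"name": "web-map",
   "defaultService": "%(b)s/backendServices/web-backend",
   "pathMatchers": [{"name": "api",
                     "defaultService": "%(b)s/backendServices/api-backend",
                     "pathRules": [{"paths": ["/pay/*"],
                                    "service": "%(b)s/backendServices/payments-backend"}]}]}
]''' % {"b": _BASE})
SAMPLE_BACKEND_SERVICES = json.loads('''[
  {"name": "web-backend",      "protocol": "HTTP"},
  {"name": "api-backend",      "protocol": "HTTP2"},
  {"name": "payments-backend", "protocol": "HTTPS"},
  {"name": "mq-backend",       "protocol": "TCP"}
]''')


def audit_sample():
    """Run the audit over the constructed sample resources."""
    return find_unencrypted_backend_hops(SAMPLE_HTTPS_PROXIES, SAMPLE_SSL_PROXIES,
                                         SAMPLE_URL_MAPS, SAMPLE_BACKEND_SERVICES)


if __name__ == "__main__":
    for proxy, svc, proto in audit_sample():
        print("%s -> %s: backend protocol %s is not TLS" % (proxy, svc, proto))
```

In the sample, `web-backend` (plain HTTP behind the HTTPS proxy) and `mq-backend` (plain TCP behind the SSL proxy) are reported, while the HTTP/2 and HTTPS backends pass. Against a real project, feed the four `gcloud ... --format=json` outputs into `find_unencrypted_backend_hops`; a clean result means every LB-terminated connection is re-encrypted before it reaches a VM, which is the state a PCI assessor will want to see.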

GFEs versus Compute Instances

Most Google APIs and services are hosted on Google Front Ends (GFEs), which terminate TLS and apply the protections described above; however, some services are hosted on Google-managed Compute instances instead, so the GFE-specific statements on this page do not apply to them automatically.

Need an experienced Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.