Transit Gateway equivalent in GCP?
Is there a direct parallel to AWS' transit VPC in GCP?
Network Connectivity Center
Recently, Google launched something called the Network Connectivity Center. It consists of a central hub, which provides centralized connectivity between spokes, and it can be used in exactly the same manner as an AWS Transit Gateway.
Spokes can be one of the following types:
- VPN tunnels
- VLAN attachments
- Router appliance instances that are deployed within Google Cloud
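The hub-and-spoke layout described above, written out as an added Terraform example (this is not code from the original post or from Google): one Network Connectivity Center hub, one spoke of the VPN-tunnel type and one spoke of the router-appliance type. The project id, region, CIDR ranges, ASN numbers and the existing HA VPN tunnel referenced through the `onprem_vpn_tunnel_uri` variable are assumptions; the hub VPC, subnet, appliance VM and the Cloud Router that BGP-peers with the appliance are created here so the appliance spoke is complete.

```terraform
# Added example, not from the original post. Assumed values: project id,
# region, CIDRs, ASNs, and an existing HA VPN tunnel passed in as a variable.
provider "google" {
  project = "example-project" # placeholder project id
  region  = "us-central1"
}

variable "onprem_vpn_tunnel_uri" {
  description = "Self link of an existing HA VPN tunnel to an on-prem site (assumed to exist)"
  type        = string
}

# The central hub. Every spoke attaches here, like attachments on an AWS Transit Gateway.
resource "google_network_connectivity_hub" "transit" {
  name        = "transit-hub"
  description = "Central hub providing site-to-site transit between spokes"
}

# Spoke type 1: a VPN tunnel. site_to_site_data_transfer lets traffic flow
# between this spoke and the other spokes through the hub.
resource "google_network_connectivity_spoke" "onprem_vpn" {
  name     = "spoke-onprem-vpn"
  location = "us-central1"
  hub      = google_network_connectivity_hub.transit.id
  linked_vpn_tunnels {
    uris                       = [var.onprem_vpn_tunnel_uri]
    site_to_site_data_transfer = true
  }
}

# Spoke type 2: a router appliance instance deployed inside Google Cloud.
# It needs a VPC, a subnet, IP forwarding, and a BGP session with a Cloud Router.
resource "google_compute_network" "hub_vpc" {
  name                    = "hub-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "hub_subnet" {
  name          = "hub-subnet"
  ip_cidr_range = "10.10.0.0/24" # constructed range
  region        = "us-central1"
  network       = google_compute_network.hub_vpc.id
}

resource "google_compute_instance" "router_appliance" {
  name           = "router-appliance"
  machine_type   = "e2-medium"
  zone           = "us-central1-a"
  can_ip_forward = true # required: the appliance forwards packets it did not originate
  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" } # placeholder; use the vendor's appliance image
  }
  network_interface {
    subnetwork = google_compute_subnetwork.hub_subnet.id
    network_ip = "10.10.0.10"
  }
}

resource "google_network_connectivity_spoke" "appliance" {
  name     = "spoke-router-appliance"
  location = "us-central1"
  hub      = google_network_connectivity_hub.transit.id
  linked_router_appliance_instances {
    instances {
      virtual_machine = google_compute_instance.router_appliance.self_link
      ip_address      = "10.10.0.10"
    }
    site_to_site_data_transfer = true
  }
}

# Cloud Router that peers with the appliance over BGP so the routes the
# appliance learns are propagated into the hub VPC.
resource "google_compute_router" "hub_router" {
  name    = "hub-router"
  region  = "us-central1"
  network = google_compute_network.hub_vpc.id
  bgp { asn = 64512 } # assumed private ASN for Cloud Router
}

resource "google_compute_router_interface" "appliance_if" {
  name               = "appliance-if"
  router             = google_compute_router.hub_router.name
  region             = "us-central1"
  subnetwork         = google_compute_subnetwork.hub_subnet.self_link
  private_ip_address = "10.10.0.20"
}

resource "google_compute_router_peer" "appliance_peer" {
  name                      = "appliance-peer"
  router                    = google_compute_router.hub_router.name
  region                    = "us-central1"
  interface                 = google_compute_router_interface.appliance_if.name
  peer_ip_address           = "10.10.0.10"
  peer_asn                  = 64513 # assumed private ASN for the appliance
  router_appliance_instance = google_compute_instance.router_appliance.self_link
}
```

Two practical notes on this layout. The hub only exchanges routes between spokes; it is not a policy enforcement point, so VPC firewall rules on each side (and any inspection the appliance itself performs) remain the place where east-west traffic is actually filtered. For production, pair the single appliance and Cloud Router interface with a redundant one, since the appliance VM above is a single point of failure for everything behind that spoke.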
What about Shared VPCs?
At first glance, the shared VPC may seem to serve as a transit gateway equivalent. While that is a design proposed by many, there are several drawbacks to using a shared VPC as a transit gateway. Read this post to understand the Hub Spoke Network Design on GCP using a Shared VPC, and an alternative hub spoke network design.
Why do you even need more than one VPC in GCP (since a VPC in GCP is truly global)?
It is true that a VPC in GCP (unlike in AWS) is a global networking resource. This means that subnets within the same VPC can belong to different regions: you can have your APP subnet in North America and your data subnet in Asia. All routing between subnets is automatic, so you eliminate any REGION-to-REGION routing configuration simply by relying on the default behavior of a GCP VPC.
However, this is also a drawback. All global routing stays within the SINGLE VPC. Typically, a corporate cloud environment needs more granular routing: the data center would consist of a large number of VPCs (e.g. for environment segregation and workload isolation).
Hence, routing needs to apply across multiple VPCs, and a single VPC will not provide that granular routing.
Aviatrix Transit Gateway Option
The Aviatrix transit gateway appliance can also serve to connect multiple VPCs, with better control and better traffic filtering. It can mimic the functionality of an AWS Transit Gateway.
Summary
While the closest direct equivalent of AWS' Transit Gateway in GCP would be the Network Connectivity Center, a shared VPC CAN serve that purpose to some extent. There are risks in coupling production and non-production environments through the shared VPC. Another option is to connect multiple VPCs using the Aviatrix transit gateway appliance.
Also read:
- A reusable hub spoke network design in GCP
- East to West Traffic Filtering on GCP
- Egress Costs with a Transit VPC
- Shared VPC Best Practices
- Hub Spoke versus Shared VPC in GCP
Need an experienced Cloud Security Expert?
Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.