-by Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)

The fundamental Cloud Security concepts were covered in documents 1-7 and can be found here. This document addresses another important aspect of cloud security – the network. As network security is specific to each cloud service provider, this document concentrates on Google Cloud Platform and provides an overview of some of the key security services and resources it provides to cloud architects.

The network infrastructure in Google Cloud Platform contains the following components:

  • Virtual Private Cloud (VPC) – A logical isolated section of the GCP cloud for a specific customer to launch resources.
  • Subnet – A segment of a VPC’s IP address range where you can place groups of isolated resources.
  • Firewall Rule – Allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. Firewall rules are applied at the virtual networking level, so they provide effective protection and traffic control regardless of the operating system used in instances.
  • Internet Gateway – A VPC component that allows communication between instances inside a VPC and the internet.
  • NAT Gateway – A component that allows instances in a private subnet to connect to the internet without allowing connections to be initiated from the internet.

References:

Instructions for creating GCP Firewall Rules:

https://cloud.google.com/vpc/docs/using-firewalls

Best practices for GCP Firewall Rules:

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#firewall-rules

Google Cloud Platform Security Best practices:

https://www.cisecurity.org/blog/new-cis-benchmark-for-google-cloud-computing-platform/

https://nvd.nist.gov/ncp/checklist/870

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/october/securing-google-cloud-platform-ten-best-practices/