When designing a hybrid and multicloud network, various factors influence yourarchitectural choices. As you analyze your hybrid and multicloud networkingdesign, think about the following design considerations. To build a cohesivearchitecture, assess these considerations collectively, not in isolation.

Hybrid and multicloud connectivity refers to the communication connections that link on-premises, Google Cloud, andother cloud environments. Choosing the right connectivity method is essential tothe success of hybrid and multicloud architectures, because these connectionscarry all inter-environment traffic. Any network performance issues, such asbandwidth, latency, packet loss, or jitter, can directly affect the performanceof business applications and services.

For the connectivity between an on-premises environment and Google Cloudor other clouds, Google Cloud offers multipleconnectivity options to select from, including:

Internet-based connectivity using public IP addresses:

Transfer data between Google Cloud and an on-premisesenvironment or another cloud environment over the internet. This optionuses the public external IP addresses of an instance—ideally withapplication layerencryption in transit.

Secure connectivity over APIs with Transport Layer Security(TLS) encryption over the public internet. This option requires theapplication or target APIs to be publicly reachable from the internetand that the application performsthe encryption in transit.

Private secure connectivity over the public internet using eitherCloud VPN or customer-managed VPN gateways. This option includes using a networkvirtual appliance (NVA) including software-defined WAN (SD-WAN) solutionsfrom Google Cloud partners. These solutions are available onGoogle Cloud Marketplace.

Private connectivity over a private transport usingCloud Interconnect(Dedicated Interconnect orPartner Interconnect)that offers a more deterministic performance and has anSLA.If encryption in transit is required at the network connectivity layer, youcan useHA VPN over Cloud Interconnect orMACsec for Cloud Interconnect.

Cross-Cloud Interconnect provides enterprises that use multicloud environments the ability toenable private and secure connectivity across clouds (betweenGoogle Cloud andsupported cloud service providers in certainlocations).This option has line-rate performance withhigh availability options of 99.9% and 99.99%, which ultimately helps to lower total cost ofownership (TCO) without the complexity and cost of managing infrastructure.Also, if encryption in transit is required at the network connectivitylayer for additional security, Cross-Cloud Interconnect supportsMACsec for Cloud Interconnect encryption.

Consider usingNetwork Connectivity Center when it fits your cloud solution architectureuse case.Network Connectivity Center is an orchestration framework that provides networkconnectivity amongspoke resources,like virtual private clouds (VPCs), router appliances, or hybrid connections that areconnected to a central management resource called a hub. A Network Connectivity Centerhub supports either VPC spokes or hybrid spokes. For more information, seeRoute exchange with VPC connectivity.Also, to facilitate route exchange with the Cloud Router instance,Network Connectivity Center enables the integration ofthird-party network virtual appliances.That integration includes third-party SD-WAN routers that aresupported by Google Cloud Network Connectivity Center partners.

With the variety of hybrid and multicloud connectivity options available,selecting the most suitable one requires a thorough evaluation of your businessand technical requirements. These requirements include the following factors:

For more information on selecting a connectivity option to Google Cloud,seeChoosing a Network Connectivity product.For guidance on selecting a network connectivity option that meetsthe needs of your multicloud architecture, seePatterns for connecting other cloud service providers with Google Cloud.

You can use the networking architecture patterns discussed in this guide witheither single or multiple projects where supported. Aproject in Google Cloud contains related services and workloads that have a singleadministrative domain. Projects form the basis for the following processes:

A project can contain one or more VPC networks. Your organization, or thestructure of the applications you use in a project, should determine whether touse a single project or multiple projects. Your organization, or the structureof the applications, should also determine how to use VPCs. For moreinformation, seeDecide a resource hierarchy for your Google Cloud landing zone.

The following factors can influence whether you decide to use a single VPC,multiple VPCs, or ashared VPC with one or multiple projects:

VPC use decisions.

Sometimes, you might need to use more than one VPC (or shared VPCs) tomeet scale requirements without exceeding thelimits of resources for a single VPC.

For more information, seeDeciding whether to create multiple VPC networks.

In a hybrid and multicloud architecture, it's essential that the domain namesystem (DNS) is extended and integrated between environments where communicationis permitted. This action helps to provide seamless communication betweenvarious services and applications. It also maintains private DNS resolutionbetween these environments.

In a hybrid and multicloud architecture with Google Cloud, you can useDNS peering andDNS forwarding capabilities to enable the DNS integration between different environments. Withthese DNS capabilities, you can cover the different use cases that can alignwith different networking communication models. Technically, you can useDNS forwarding zones to query on-premises DNS servers and inboundDNS server policies to allow queries from on-premises environments. You can also useDNS peering to forward DNS requests within Google Cloud environments.

For more information, seeBest practices for Cloud DNS and reference architectures for hybrid DNS with Google Cloud.

To learn about redundancy mechanisms for maintaining Cloud DNSavailability in a hybrid setup, seeIt's not DNS: Ensuring high availability in a hybrid cloud environment.Also watch this demonstration of how to design and set up amulticloud private DNS between AWS and Google Cloud.

Cloud network security is a foundational layer of cloud security. To help manage the risks of thedissolving network perimeter, it enables enterprises to embed securitymonitoring, threat prevention, and network security controls.

A standard on-premises approach to network security is primarily based on adistinct perimeter between the internet edge and the internal network of anorganization. It uses various multi-layered security preventive systems in thenetwork path, like physical firewalls, routers, intrusion detection systems, andothers.

With cloud-based computing, this approach is still applicable in certain usecases. But it's not enough to handle the scale and the distributed and dynamicnature of cloud workloads—such as autoscaling and containerized workloads—byitself. The cloud network security approach helps you minimize risk, meetcompliance requirements, and ensure safe and efficient operations though severalcloud-first capabilities. For more information, seeCloud network security benefits.To secure your network, also look atCloud network security challenges,and generalCloud network security best practices.

Adopting a hybrid cloud architecture calls for a security strategy thatgoes beyond replicating the on-premises approach.Replicating that approach can limit design flexibility. It can also potentiallyexpose the cloud environment to security threats. Instead, you should firstidentify the available cloud-first network security capabilities that meet thesecurity requirements of your company. You might also need to combine thesecapabilities with third-party security solutions from Google Cloudtechnology partners, like network virtual appliances.

To design a consistent architecture across environments in a multicloudarchitecture, it's important to identify the different services and capabilitiesoffered by each cloud provider. We recommend, in all cases, that you use aunified security posture that has visibility across all environments.

To protect your hybrid cloud architecture environments, you should alsoconsider usingdefense-in-depth principles.

Finally, design your cloud solution with network security in mind from thestart. Incorporate all required capabilities as part of your initial design.This initial work will help you avoid the need to make major changes to thedesign to integrate security capabilities later in your design process.

However, cloud security isn't limited to networking security. It must be appliedthroughout the entire application development lifecycle across the entireapplication stack, from development to production and operation. Ideally, youshould use multiple layers of protection (the defense-in-depth approach) andsecurity visibility tools. For more information on how to architect and operatesecure services on Google Cloud, see theSecurity, privacy, and compliance pillar of the Google Cloud Architecture Framework.

To protect your valuable data and infrastructure from a wide range of threats,adopt a comprehensive approach to cloud security.To stay ahead of existing threats, continuously assess and refine your securitystrategy.