Traffic Flows in GCP Network Security Integration

East-West (VM to VM)

  1. A packet leaves VM-1 (on subnet 10.10.5.0/24). The Egress Network Firewall rule intercepts packets to ALL destinations and sends them to the Cloud Firewall Gateway for inspection.

  2. The system intercepts the packet as it leaves the VM. The packet is encapsulated in a GENEVE UDP tunnel and rerouted to the Intercept Endpoint for the VPC.

  3. The Intercept Endpoint Group (IEG) receives the encapsulated packet and transfers it to the Intercept Deployment Group (IDG) in the Producer Project.

  4. The system sends the encapsulated packet to the Intercept Deployment in the matching zone (B).

  5. The Forwarding Rule forwards it to the Internal Load Balancer.

  6. The Cloud Firewall Gateway in zone B receives the encapsulated packet through the eth1 interface. If zone B is unavailable, zone A receives the packet instead. The Cloud Firewall Gateway decapsulates and inspects the packet.

  7. After inspection, the Cloud Firewall Gateway re-encapsulates the packet in a GENEVE UDP tunnel. The packet exits through the eth1 interface and returns to the IDG.

  8. The IEG for the Consumer Project receives the encapsulated packet and forwards it to the VPC-associated Intercept Endpoint.

  9. The packet returns to the original Intercept Endpoint and is decapsulated.

  10. The system places the packet on the network fabric to continue to VM-2 on the same subnet.

North-South (VM to Internet)

  1. A packet leaves VM-1 (on subnet 10.10.5.0/24). The Egress Network Firewall rule intercepts packets to ALL destinations and sends them to the Cloud Firewall Gateway for inspection.

  2. The system intercepts the packet as it leaves the VM. The packet is encapsulated in a GENEVE UDP tunnel and rerouted to the Intercept Endpoint for the VPC.

  3. The Intercept Endpoint Group (IEG) receives the encapsulated packet and transfers it to the Intercept Deployment Group (IDG) in the Producer Project.

  4. The system sends the encapsulated packet to the Intercept Deployment in the matching zone (B).

  5. The Forwarding Rule forwards it to the Internal Load Balancer.

  6. The Cloud Firewall Gateway in zone B receives the encapsulated packet through the eth1 interface. If zone B is unavailable, zone A receives the packet instead. The Cloud Firewall Gateway decapsulates and inspects the packet.

  7. After inspection, the Cloud Firewall Gateway re-encapsulates the packet in a GENEVE UDP tunnel. The packet exits through the eth1 interface and returns to the IDG.

  8. The IEG for the Consumer Project receives the encapsulated packet and forwards it to the VPC-associated Intercept Endpoint.

  9. The packet returns to the original Intercept Endpoint and is decapsulated.

  10. The system places it back on the network fabric to continue to the Internet through the External Load Balancer.
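The GENEVE encapsulation and decapsulation that steps 2, 7 and 9 of both flows rely on, as an added Python example (not code from the original page, from GCP or from the gateway vendor): it wraps a constructed IPv4 packet on the 10.10.5.0/24 subnet in an RFC 8926 GENEVE header and parses it back with bounds checks on the declared option lengths, which is what an inspecting gateway must do before trusting the inner packet. The VNI, option class/type and inner addresses are constructed values; the real intercept path assigns its own.

```python
import struct

ETHERTYPE_IPV4 = 0x0800  # inner payload type used by this constructed sample

def encapsulate(vni: int, inner: bytes, options=(), protocol=ETHERTYPE_IPV4) -> bytes:
    """Prepend a GENEVE header (8-byte base + TLV options) to an inner packet."""
    opts = b""
    for opt_class, opt_type, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opts += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    # byte 0: version (0) and option length in 4-byte words; byte 1: O/C flags (none set)
    base = struct.pack("!BBH", len(opts) // 4, 0, protocol) + struct.pack("!I", vni << 8)
    return base + opts + inner

def decapsulate(frame: bytes):
    """Parse and bounds-check a GENEVE header; return (vni, protocol, options, inner)."""
    if len(frame) < 8:
        raise ValueError("truncated GENEVE base header")
    ver_optlen, _flags, protocol = struct.unpack("!BBH", frame[:4])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (ver_optlen & 0x3F) * 4        # options area is declared in 4-byte words
    if len(frame) < end:
        raise ValueError("declared option length exceeds frame")
    vni = int.from_bytes(frame[4:7], "big")  # 24-bit VNI, byte 7 is reserved
    options, pos = [], 8
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated option header")
        opt_class, opt_type, ln = struct.unpack("!HBB", frame[pos:pos + 4])
        data_len = (ln & 0x1F) * 4           # low 5 bits hold the data length in words
        if pos + 4 + data_len > end:
            raise ValueError("option overruns the options area")
        options.append((opt_class, opt_type, frame[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    return vni, protocol, options, frame[end:]

def round_trip_sample() -> dict:
    """Constructed IPv4 header 10.10.5.10 -> 10.10.5.20 (checksum left zero), arbitrary VNI."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, 6, 0,
                        bytes([10, 10, 5, 10]), bytes([10, 10, 5, 20]))
    frame = encapsulate(0xABCDE, inner, options=[(0x0102, 0x03, b"\x00\x00\x00\x2a")])
    vni, protocol, options, payload = decapsulate(frame)
    return {"vni": vni, "protocol": protocol, "options": options, "payload_len": len(payload),
            "dst": ".".join(map(str, payload[16:20])), "overhead": len(frame) - len(inner)}
```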