Orchestrating Secure Connections: Advanced Network Strategies for Hybrid Clouds

As organizations adopt multi-cloud environments for their scalability and agility, network security is shifting with them. The distributed model offers real advantages, but it dissolves the traditional network perimeter and demands a more sophisticated, distributed approach to network security. Just as a "lift and shift" migration is not a long-term application strategy, lifting the on-premises network architecture and security posture into the cloud is not a long-term network strategy either.

Network Security Challenges in a Multi-Cloud Environment:

Multiple Entry Points for Attackers: Traffic between users and applications is North-South traffic; traffic between workloads and services inside a cloud, or between clouds, is East-West traffic.

With multiple cloud environments, each provider exposes its own North-South entry points, and every one of them must be secured. Because each provider offers a different set of edge controls, policies tend to be inconsistent across providers and are prone to misconfiguration.

Inter-Cloud Connectivity: Establishing a secure and reliable path between cloud environments is a challenge. Traditionally, cloud VPN was the only option; providers now offer several ways to connect almost anywhere to anywhere, including Interconnect, Direct Connect, Cloud WAN and SD-WAN. These options solve the reliability of the path, but security, monitoring, latency troubleshooting and bandwidth planning still have to be addressed. Note in particular that a dedicated or partner Interconnect gives you a private circuit, not an encrypted one; where data must be encrypted in transit, run HA VPN over Cloud Interconnect or enable MACsec on the Interconnect.

Securing Traffic between Cloud Platforms: East-West traffic must be protected as well. The native firewall rules of each cloud platform operate at layer 3 or 4 and control traffic on the 5-tuple (source address, destination address, source port, destination port, protocol). A 5-tuple rule that allows TCP/443 from one tier to another says nothing about what is carried inside that connection, so blocking at layer 7, the application layer, needs additional capabilities: SSL/TLS inspection, deep packet inspection (DPI), stateful inspection, URL filtering, data loss prevention (DLP) and so on.

Centralized Visibility and Control: A unified dashboard for network traffic across a multi-cloud estate is a major gap. Each provider offers mature monitoring tools for its own network, but no common dashboard spans multiple clouds, which makes enforcing consistent security policies even harder.

Best Practices for Robust Multi-Cloud Network Security, Illustrated with Google Cloud Platform:

To secure multi-cloud networks effectively, organizations should follow these practices:

Principle of Least Privilege: Restrict network access for users (principals), Compute Engine instances (devices) and applications (services) to the minimum set of permissions and network paths their roles require. Use Identity and Access Management (IAM) for user and service account permissions, and VPC firewall policies with network tags (or IAM-governed secure tags for network and hierarchical firewall policies) to control connectivity at the instance and application level. Treat the implied deny-all ingress rule as the baseline and add only the documented tier-to-tier paths on top of it; a broad "allow everything from the internal range" rule left over from a migration silently defeats the tag scoping. This limits the blast radius of a security incident.
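The tag-scoped allow-listing described above, together with the 5-tuple evaluation discussed under East-West traffic, can be checked before a policy is deployed with a small model of the evaluation order. The following is an added example, not Google Cloud's own code or API: it models first-match-by-ascending-priority resolution with an implied ingress deny, and audits a rule set for allows that are wider than least privilege requires. The tag names (web, app, db), ports, source ranges and the sample rules are assumptions for illustration.

```python
"""Priority-ordered, tag-scoped firewall policy evaluation with a least-privilege audit.

Added example, not Google Cloud's code or API: an in-memory model of how a VPC
firewall policy resolves a 5-tuple flow (lowest priority number wins, unmatched
ingress hits the implied deny), so the effect of a tag-scoped allow-list can be
checked before deployment. Tags, ports, ranges and sample rules are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int]       # None for protocols without ports
    src_tags: frozenset = frozenset()
    dst_tags: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # lower number is evaluated first
    action: str                   # "allow" or "deny"
    protocol: str = "all"         # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()             # empty means every port
    src_ranges: tuple = ()        # CIDR strings
    src_tags: frozenset = frozenset()
    dst_tags: frozenset = frozenset()   # empty means every instance

    def matches(self, f: Flow) -> bool:
        if self.protocol not in ("all", f.protocol):
            return False
        if self.ports and f.dst_port not in self.ports:
            return False
        if self.dst_tags and not (self.dst_tags & f.dst_tags):
            return False
        if not (self.src_ranges or self.src_tags):
            return True           # no source restriction at all
        in_range = any(ip_address(f.src_ip) in ip_network(r) for r in self.src_ranges)
        return in_range or bool(self.src_tags & f.src_tags)


def evaluate(rules, flow: Flow) -> str:
    """First matching rule in ascending priority decides; otherwise implied deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(flow):
            return rule.action
    return "deny"


def audit(rules) -> list:
    """Flag allow rules broader than a least-privilege policy should contain."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.protocol == "all" or not r.ports:
            findings.append(f"{r.name}: allows every port/protocol")
        if any(ip_network(s).prefixlen == 0 for s in r.src_ranges) and not r.dst_tags:
            findings.append(f"{r.name}: internet-wide source not scoped to a tag")
    return findings


# Constructed least-privilege policy: only the documented tier-to-tier paths.
LEAST_PRIVILEGE = [
    # Front-end proxy / health-check ranges to the web tier only (sample ranges).
    Rule("lb-to-web", 1000, "allow", "tcp", (443,), ("130.211.0.0/22", "35.191.0.0/16"),
         dst_tags=frozenset({"web"})),
    Rule("web-to-app", 1100, "allow", "tcp", (8080,), src_tags=frozenset({"web"}),
         dst_tags=frozenset({"app"})),
    Rule("app-to-db", 1200, "allow", "tcp", (5432,), src_tags=frozenset({"app"}),
         dst_tags=frozenset({"db"})),
]

# A rule that often survives a lift-and-shift: trust the whole 10/8 block.
LEGACY_ALLOW_INTERNAL = Rule("legacy-allow-internal", 2000, "allow",
                             src_ranges=("10.0.0.0/8",))

LB_TO_WEB = Flow("35.191.1.1", "10.0.1.5", "tcp", 443, frozenset(), frozenset({"web"}))
APP_TO_DB = Flow("10.0.2.4", "10.0.3.7", "tcp", 5432, frozenset({"app"}), frozenset({"db"}))
WEB_TO_DB = Flow("10.0.1.5", "10.0.3.7", "tcp", 5432, frozenset({"web"}), frozenset({"db"}))


if __name__ == "__main__":
    print("app->db under least privilege:", evaluate(LEAST_PRIVILEGE, APP_TO_DB))
    print("web->db under least privilege:", evaluate(LEAST_PRIVILEGE, WEB_TO_DB))
    print("web->db with legacy rule:", evaluate(LEAST_PRIVILEGE + [LEGACY_ALLOW_INTERNAL], WEB_TO_DB))
    for finding in audit(LEAST_PRIVILEGE + [LEGACY_ALLOW_INTERNAL]):
        print("audit:", finding)
```

Run stand-alone, the model shows the web tier denied a direct path to the database under the tag-scoped policy, the same flow allowed as soon as the legacy 10/8 rule is present at a lower priority, and the audit naming that rule. The same pattern extends to egress rules and to deny rules placed ahead of broad allows.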

Identity-Centric Security: In Google Cloud, move beyond location-based access control and base network access decisions on verified user and service account identities (Cloud IAM), device posture (through integration with endpoint management solutions), contextual factors such as user location (BeyondCorp Enterprise or Context-Aware Access levels), and application attributes such as service accounts or Workload Identity. The result is a more dynamic and more secure environment than an IP-address allow-list.

Centralized point of entry: The global external Application Load Balancer (referred to below as the Global Load Balancer) acts as a single, resilient entry point for globally distributed applications. Its key capabilities for mitigating the risk of multiple entry points include:

  • Centralized Traffic Management: By directing all incoming traffic through a single IP address (or set of addresses), the Global Load Balancer reduces the attack surface and simplifies security policy enforcement.
  • Integration with Cloud Armor: Integrating directly with Cloud Armor, Google Cloud's Web Application Firewall (WAF) and DDoS protection service, the Global Load Balancer lets you apply consistent security rules and mitigations at the edge, inspecting traffic before it reaches backend services regardless of where they run. This single point of defense protects against a wide range of web-based attacks.
  • Scalable Certificate Management: Supporting millions of SSL/TLS certificates, the Global Load Balancer simplifies managing and deploying encryption across a global footprint, so connections are secured whichever entry point a user reaches.
  • Hybrid Backend Services: The Global Load Balancer can route traffic to hybrid backend services spanning multiple environments: backends in different Google Cloud regions, on-premises infrastructure and other cloud providers. Internet Network Endpoint Groups (NEGs) extend this by letting you address internet-reachable endpoints directly as backends. Centralized control ensures consistent security policies are applied even to traffic destined for these diverse backend locations.

Google Kubernetes Engine (GKE) Gateway provides a powerful way to manage external access to Kubernetes clusters, including clusters in hybrid and multi-cloud scenarios. Its relevance to mitigating multiple entry points includes:

  • Unified Ingress Control: GKE Gateway offers a standardized way to manage ingress traffic to your GKE clusters wherever they run. This provides a consistent control plane for external access and reduces the complexity of managing a separate ingress controller per cluster.
  • Multi-Cloud and Hybrid Connectivity: Through multi-cluster Gateways, services from multiple Kubernetes environments, including on-premises clusters, can be presented behind a unified set of access policies that are managed centrally.
  • Enhanced Security Features: GKE Gateway is not itself a WAF, but Cloud Armor policies can be attached to its backends (via the GCPBackendPolicy resource), it works alongside Kubernetes Network Policies (which govern pod-to-pod traffic rather than ingress), and it can be extended with third-party security solutions. Centralized management of ingress rules helps define and enforce consistent security boundaries for containerized applications regardless of the cloud provider.

East-West Security with Google Cloud: Cloud firewalls have advanced considerably, and Cloud NGFW Enterprise from Google Cloud is a good example.

It provides advanced threat prevention powered by Palo Alto Networks: intrusion prevention (IPS), anti-malware and anti-spyware, command-and-control (C2) blocking, vulnerability protection, real-time threat intelligence, deep packet inspection (DPI) with layer 7 visibility, TLS inspection and decryption, micro-segmentation with IAM-governed tags, and centralized logging and monitoring.

NGFW Enterprise integrates with Google Cloud's Identity and Access Management (IAM) and uses IAM-governed tags as firewall match criteria. Because the tags are attached to instances rather than to addresses, this enables granular micro-segmentation down to individual Compute Engine instances or workloads without maintaining IP allow-lists.

However, in a multi-cloud environment a provider-native NGFW brings its own drawbacks: no centralized control across providers, potential policy gaps between providers, and vendor lock-in concerns.

Centralize Network Security Monitoring and Management with Integrated 3P Visibility:

Establish unified visibility by integrating the network logs and telemetry generated in your Google Cloud environment (VPC Flow Logs, Firewall Rules Logging, Cloud NAT logging and so on) with your third-party (3P) platform, or by using the out-of-band option of Network Security Integration, which mirrors traffic to a partner appliance. This gives a centralized, holistic view of network activity alongside insights from your other cloud and on-premises environments, improving threat detection and analysis.

Implement automated anomaly detection in the integrated 3P solution, using its analytics and machine learning capabilities on the aggregated Google Cloud traffic patterns. Deviations from the learned baseline (a tier talking to a tier it never talked to before, or a database host opening connections to the internet) indicate potential attacks; the solution can raise alerts and drive automated or semi-automated responses, including remediation through Google Cloud APIs.

Ensure continuous configuration monitoring of your Google Cloud network resources (VPC networks, firewall rules, routes, etc.) through the same integrated out-of-band 3P solution. Configure it to detect configuration drift against your security baselines, such as a newly added allow rule from 0.0.0.0/0, generate timely alerts and, where possible, trigger automated remediation workflows through API integrations with Google Cloud.
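The three steps above (aggregate flow telemetry, baseline and detect anomalies, watch configuration for drift) are shown end to end below on constructed data. This is an added example, not the article's or any vendor's code: it reads records in the shape Cloud Logging exports for VPC Flow Logs (a jsonPayload with a connection object and src_instance / dest_instance VM names), learns which tier-to-tier edges are normal during a known-good window, flags flows outside that baseline, and diffs two exports of Compute Engine firewall rules to surface additions that widen exposure. All VM names, addresses, ports and rules are constructed samples, and the tier-from-VM-name convention is an assumption.

```python
"""Baseline east-west flows from VPC Flow Logs and diff firewall snapshots for drift.

Added example, not the article's or any vendor's code. Records follow the
exported VPC Flow Logs shape (jsonPayload.connection, src_instance, dest_instance);
all VM names, addresses, ports and rules are constructed samples.
"""
import json
from collections import Counter


def _record(src_vm, dst_vm, src_ip, dst_ip, dst_port, proto=6):
    """Build one constructed flow-log line in the exported jsonPayload shape."""
    payload = {
        "connection": {"src_ip": src_ip, "src_port": 51234, "dest_ip": dst_ip,
                       "dest_port": dst_port, "protocol": proto},
        "bytes_sent": 4096,
    }
    if src_vm:
        payload["src_instance"] = {"vm_name": src_vm}
    if dst_vm:                       # absent when the peer is outside the VPC
        payload["dest_instance"] = {"vm_name": dst_vm}
    return json.dumps({"jsonPayload": payload})


# Known-good window: web -> app on 8080 and app -> db on 5432.
BASELINE_LINES = [
    _record("web-1", "app-1", "10.0.1.5", "10.0.2.4", 8080),
    _record("web-2", "app-1", "10.0.1.6", "10.0.2.4", 8080),
    _record("app-1", "db-1", "10.0.2.4", "10.0.3.7", 5432),
]

# Later window: the same edges plus two that the baseline never saw.
WINDOW_LINES = [
    _record("web-1", "app-1", "10.0.1.5", "10.0.2.4", 8080),
    _record("app-1", "db-1", "10.0.2.4", "10.0.3.7", 5432),
    _record("web-1", "db-1", "10.0.1.5", "10.0.3.7", 5432),   # web tier reaching the DB
    _record("web-1", "db-1", "10.0.1.5", "10.0.3.7", 5432),
    _record("db-1", None, "10.0.3.7", "203.0.113.5", 443),    # DB tier calling out
]


def tier_of(instance):
    """'web-1' -> 'web' (assumed naming); a missing instance is a peer outside the VPC."""
    if not instance:
        return "external"
    return instance["vm_name"].rsplit("-", 1)[0]


def edge_of(payload):
    c = payload["connection"]
    return (tier_of(payload.get("src_instance")), tier_of(payload.get("dest_instance")),
            c["protocol"], c["dest_port"])


def parse_records(lines):
    return [json.loads(line)["jsonPayload"] for line in lines if line.strip()]


def build_baseline(lines):
    return {edge_of(p) for p in parse_records(lines)}


def detect_anomalies(lines, baseline):
    """Return (edge, count) for every observed edge absent from the baseline."""
    seen = Counter(edge_of(p) for p in parse_records(lines))
    return sorted((e, n) for e, n in seen.items() if e not in baseline)


# Firewall snapshots in the shape of the Compute Engine firewall resource.
FIREWALL_BEFORE = [
    {"name": "allow-app-db", "direction": "INGRESS", "sourceTags": ["app"],
     "targetTags": ["db"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
]
FIREWALL_AFTER = FIREWALL_BEFORE + [
    {"name": "allow-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]


def firewall_drift(before, after):
    """Diff two rule exports by name and content; flag new or changed internet-wide allows."""
    b = {r["name"]: json.dumps(r, sort_keys=True) for r in before}
    a = {r["name"]: json.dumps(r, sort_keys=True) for r in after}
    added = sorted(n for n in a if n not in b)
    removed = sorted(n for n in b if n not in a)
    changed = sorted(n for n in a if n in b and a[n] != b[n])
    risky = sorted(r["name"] for r in after
                   if r["name"] in added + changed
                   and "0.0.0.0/0" in r.get("sourceRanges", []) and r.get("allowed"))
    return {"added": added, "removed": removed, "changed": changed, "risky": risky}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LINES)
    for edge, count in detect_anomalies(WINDOW_LINES, baseline):
        print("anomalous east-west edge:", edge, "x", count)
    print("firewall drift:", firewall_drift(FIREWALL_BEFORE, FIREWALL_AFTER))
```

The baseline is keyed on tier, protocol and destination port rather than on individual addresses, so a scale-out of the web tier does not produce false positives while a web host reaching the database, or the database tier opening an outbound connection, does. In production the baseline window and the observation window would come from a log sink rather than inline lists, and the drift check would run on a scheduled export of the firewall rules.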

Conclusion:

The move to multi-cloud setups brings flexibility and innovation, but it also creates complex network security problems. The traditional network edge is disappearing, leaving a spread-out environment with many points of exposure, and that demands a more advanced and unified security strategy. Businesses struggle with inconsistent security rules across clouds, the difficulty of setting up secure connections between clouds, the need to protect traffic within cloud environments (East-West traffic), and the challenge of getting a single, clear view and centralized control of their scattered networks.

Adopting a robust set of best practices is paramount to navigating this terrain. Enforcing the Principle of Least Privilege through precise access controls and moving to an identity-centric security model are foundational. Centralizing traffic management and defense with a global load balancer and an integrated web application firewall mitigates the risks of multiple entry points. For containerized workloads, GKE Gateway provides unified ingress control across hybrid and multi-cloud Kubernetes deployments.

Advanced threat prevention for internal East-West traffic, for example through a next-generation firewall, is equally important, although centralized management across multiple clouds remains a consideration. Ultimately, comprehensive security requires centralized network monitoring and management, often by integrating out-of-band third-party platforms through Network Security Integration to gain holistic visibility, automated anomaly detection and continuous configuration oversight across the entire multi-cloud and hybrid landscape. By addressing these areas proactively, organizations can harness the power of multi-cloud environments while maintaining a strong and resilient security posture.

About the Author

Harika Rama Tulasi Karatapu is a seasoned Network Solutions Architect with over 13 years of experience in cloud and traditional networking. With a strong technical foundation and a results-driven approach, she specializes in designing and implementing secure, high-performance networking solutions across Google Cloud Platform (GCP) and Amazon Web Services (AWS).

Currently working as a Network/Network Security Specialist, Customer Engineer at Google LLC, she architects cloud-native and hybrid networking solutions for enterprise clients, optimizing cost, performance, and security. She also collaborates with C-suite executives on cloud adoption strategies, leads the Network Architecture for Google Cloud SaaS Accelerator Program, and contributes to Google Cloud for Startups as a technical Mentor.

Prior to Google, Harika worked at Juniper Networks, Amazon Web Services, and Infosys, working on network architecture, troubleshooting, automation, and security. A JNCIE-ENT, JNCIE-DC certified Juniper expert. Harika did her Masters from San Jose State University in Electrical Engineering with Computer Networking as specialization.

Harika can be reached online at hari[email protected], on LinkedIn at https://www.linkedin.com/in/harikakaratapu/ and at our company website.
