Google Cloud: Building Secure Network Infrastructure
Google Cloud Security Labs: Building Secure Network Infrastructure
This comprehensive walkthrough documents an advanced series of Google Cloud security labs that build enterprise-grade network infrastructure with security controls. The progression moves from foundational VPC concepts through complex multi-network architectures, culminating in real-world security implementations.
Each lab demonstrates practical security patterns while emphasising the defense-in-depth approach that characterises modern cloud security architectures.
Lab 1: Build a Secure Google Cloud Network
Network security begins with proper foundation design. This lab establishes the core principles of secure cloud networking by implementing custom VPCs with restrictive access controls and strategic subnet design.
Implementation Strategy
Custom VPC Architecture:
# Create custom VPC with controlled IP addressing
gcloud compute networks create secure-vpc \
--subnet-mode custom \
--bgp-routing-mode regional
# Create private subnet with specific CIDR
gcloud compute networks subnets create private-subnet \
--network secure-vpc \
--range 10.1.0.0/24 \
--region us-central1 \
--enable-private-ip-google-accessRestrictive Firewall Implementation:
# Deny all ingress traffic by default (implicit)
# Allow specific internal communication
gcloud compute firewall-rules create allow-internal \
--network secure-vpc \
--allow tcp:22,tcp:3389,icmp \
--source-ranges 10.1.0.0/24 \
--target-tags internal-servers
# Allow limited external access
gcloud compute firewall-rules create allow-web-traffic \
--network secure-vpc \
--allow tcp:80,tcp:443 \
--source-ranges 0.0.0.0/0 \
--target-tags web-serversSecure Instance Deployment:
# Deploy instances with appropriate security configurations
gcloud compute instances create secure-web-server \
--zone us-central1-a \
--machine-type e2-micro \
--subnet private-subnet \
--no-address \
--tags web-servers \
--image-family debian-11 \
--image-project debian-cloudSecurity Architecture Principles
The implementation demonstrates several critical security concepts:
Network Segmentation: Custom subnets enable logical separation of resources based on function and security requirements, reducing the blast radius of potential security incidents.
Default Deny Posture: Starting with restrictive firewall rules and explicitly allowing required traffic implements the principle of least privilege at the network level.
Private IP Addressing: Eliminating external IP addresses where possible reduces attack surface while maintaining necessary connectivity through controlled pathways.
Lab 2: Securing Virtual Machines using Chrome Enterprise Premium
Modern cloud security extends beyond network controls to include endpoint protection and identity-aware access. This lab implements advanced endpoint security using Chrome Enterprise Premium for context-aware access control.
Implementation Strategy
Context-Aware Access Configuration:
- Configure Access Context Manager with organisational policies
- Define access levels based on device compliance and user identity
- Implement conditional access for VM resources
- Establish monitoring for access violations
OS Login with Multi-Factor Authentication:
# Enable OS Login for centralised SSH key management
gcloud compute project-info add-metadata \
--metadata enable-oslogin=TRUE
# Configure metadata for MFA requirement
gcloud compute instances add-metadata secure-web-server \
--metadata enable-oslogin-2fa=TRUEDevice-Based Access Controls:
- Deploy Chrome Enterprise policies for device compliance
- Configure certificate-based device authentication
- Implement real-time device posture assessment
- Establish automated remediation for non-compliant devices
Security Architecture Principles
Zero Trust Implementation: Every access request is evaluated based on user identity, device state, and contextual factors rather than traditional network-based trust models.
Centralised Policy Management: Chrome Enterprise Premium provides unified policy distribution and enforcement across diverse endpoint environments.
Continuous Verification: Real-time assessment of device compliance and user behavior enables dynamic access decisions that adapt to changing risk conditions.
Lab 3: Multiple VPC Networks
Network isolation through multiple VPCs provides strong security boundaries for different application tiers and business functions. This lab demonstrates secure multi-network architectures with controlled inter-network communication.
Implementation Strategy
Isolated VPC Creation:
# Create production VPC
gcloud compute networks create production-vpc \
--subnet-mode custom
gcloud compute networks subnets create prod-subnet \
--network production-vpc \
--range 10.10.0.0/24 \
--region us-central1
# Create development VPC
gcloud compute networks create development-vpc \
--subnet-mode custom
gcloud compute networks subnets create dev-subnet \
--network development-vpc \
--range 10.20.0.0/24 \
--region us-central1Network Isolation Verification:
# Deploy test instances in each VPC
gcloud compute instances create prod-instance \
--zone us-central1-a \
--subnet prod-subnet \
--tags production
gcloud compute instances create dev-instance \
--zone us-central1-a \
--subnet dev-subnet \
--tags developmentControlled VPC Peering:
# Establish selective peering for required communication
gcloud compute networks peerings create prod-to-dev \
--network production-vpc \
--peer-network development-vpc \
--auto-create-routes
gcloud compute networks peerings create dev-to-prod \
--network development-vpc \
--peer-network production-vpc \
--auto-create-routesSecurity Architecture Principles
Defense in Depth: Multiple network boundaries create layered security that prevents lateral movement even if one boundary is compromised.
Principle of Least Privilege: Default isolation requires explicit configuration for cross-network communication, ensuring only necessary connections are established.
Compliance Segmentation: Separate networks enable different compliance requirements and audit scopes for various business functions.
Lab 4: VPC Networks - Controlling Access
Advanced access control combines network-level restrictions with identity-based policies to create comprehensive security frameworks. This lab implements sophisticated access control patterns using hierarchical firewall rules and IAM integration.
Implementation Strategy
Hierarchical Firewall Rules:
# Create organisation-level security policies
gcloud compute security-policies create global-security-policy \
--description "Organisation-wide security baseline"
# Implement network-level access controls
gcloud compute firewall-rules create deny-all-default \
--network production-vpc \
--action deny \
--rules tcp,udp,icmp \
--source-ranges 0.0.0.0/0 \
--priority 65534
# Allow specific application traffic
gcloud compute firewall-rules create allow-application-tier \
--network production-vpc \
--allow tcp:8080 \
--source-tags frontend \
--target-tags backend \
--priority 1000Service Account Integration:
# Create service accounts with minimal privileges
gcloud iam service-accounts create web-server-sa \
--display-name "Web Server Service Account"
# Assign specific roles for application functions
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member "serviceAccount:web-server-sa@$PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/storage.objectViewer"Network Tag-Based Policies:
# Apply tags for granular policy targeting
gcloud compute instances add-tags web-server-instance \
--tags frontend,web-tier,production \
--zone us-central1-aSecurity Architecture Principles
Identity-Aware Networking: Combining network controls with identity verification ensures that both “what” and “who” are validated for each access request.
Policy Automation: Programmatic policy management reduces human error and ensures consistent security posture across environments.
Audit and Compliance: Comprehensive logging and monitoring of access decisions support compliance requirements and security investigations.
Lab 5: Application Load Balancer with Cloud Armor
Production applications require protection against sophisticated attacks while maintaining high availability. This lab implements comprehensive application security using HTTP(S) load balancers with Cloud Armor protection.
Implementation Strategy
Load Balancer with Backend Services:
# Create managed instance group for scalable backends
gcloud compute instance-templates create web-server-template \
--machine-type e2-micro \
--image-family debian-11 \
--image-project debian-cloud \
--tags web-servers \
--metadata startup-script='#!/bin/bash
apt-get update
apt-get install -y apache2
systemctl start apache2
echo "Secure Web Server $(hostname)" > /var/www/html/index.html'
gcloud compute instance-groups managed create web-server-group \
--base-instance-name web-server \
--template web-server-template \
--size 3 \
--zone us-central1-aCloud Armor Security Policies:
# Create comprehensive security policy
gcloud compute security-policies create web-app-security-policy \
--description "Web application protection policy"
# Block known malicious IP ranges
gcloud compute security-policies rules create 1000 \
--security-policy web-app-security-policy \
--expression "origin.region_code == 'CN'" \
--action "deny-403"
# Rate limiting for DDoS protection
gcloud compute security-policies rules create 2000 \
--security-policy web-app-security-policy \
--expression "true" \
--action "rate-based-ban" \
--rate-limit-threshold-count 100 \
--rate-limit-threshold-interval-sec 60HTTP(S) Load Balancer Configuration:
# Create health check for backend monitoring
gcloud compute health-checks create http web-health-check \
--port 80 \
--request-path / \
--check-interval 30s \
--timeout 10s
# Configure backend service with security policy
gcloud compute backend-services create web-backend-service \
--protocol HTTP \
--health-checks web-health-check \
--security-policy web-app-security-policy \
--global
# Create URL map and target proxy
gcloud compute url-maps create web-url-map \
--default-service web-backend-service
gcloud compute target-http-proxies create web-http-proxy \
--url-map web-url-mapSecurity Architecture Principles
Application-Layer Protection: Cloud Armor provides sophisticated protection against application-layer attacks including SQL injection, cross-site scripting, and custom attack patterns.
Geographic Access Control: IP-based restrictions enable compliance with data sovereignty requirements and reduce attack surface from high-risk regions.
Adaptive Security: Rate limiting and behavioral analysis enable dynamic response to emerging threats without impacting legitimate users.
Lab 6: Create an Internal Load Balancer
Internal applications require secure traffic distribution without external exposure. This lab implements regional internal load balancing for private application architectures.
Implementation Strategy
Internal Load Balancer Setup:
# Create internal backend service
gcloud compute backend-services create internal-web-backend \
--load-balancing-scheme internal \
--protocol TCP \
--region us-central1 \
--health-checks internal-health-check
# Configure internal forwarding rule
gcloud compute forwarding-rules create internal-web-lb \
--load-balancing-scheme internal \
--backend-service internal-web-backend \
--region us-central1 \
--subnet private-subnet \
--ports 80Private Service Access:
# Configure private Google Access for managed services
gcloud compute networks subnets update private-subnet \
--region us-central1 \
--enable-private-ip-google-access
# Create private service connection
gcloud services vpc-peerings connect \
--service servicenetworking.googleapis.com \
--ranges google-managed-services-private-subnet \
--network production-vpcSecurity Architecture Principles
Zero External Exposure: Internal load balancers eliminate external attack surface while maintaining high availability and performance for internal services.
Network-Level Isolation: Traffic never leaves the VPC environment, providing strong security boundaries for sensitive applications.
Regional Resilience: Internal load balancers provide high availability across zones within a region while maintaining network isolation.
Lab 7: Build a Secure Google Cloud Network - Challenge Lab
The challenge lab synthesises all previous concepts into a comprehensive security implementation that mirrors real-world enterprise requirements.
Challenge Architecture Requirements
Multi-Tier Network Design:
- Public-facing web tier with Cloud Armor protection
- Private application tier accessible only from web tier
- Isolated database tier with no external connectivity
- Management network for administrative access
Comprehensive Security Implementation:
# Example challenge solution structure
# Web tier with external load balancer
gcloud compute networks create web-tier-vpc --subnet-mode custom
gcloud compute networks subnets create web-subnet \
--network web-tier-vpc \
--range 10.1.0.0/24 \
--region us-central1
# Application tier with internal load balancer
gcloud compute networks create app-tier-vpc --subnet-mode custom
gcloud compute networks subnets create app-subnet \
--network app-tier-vpc \
--range 10.2.0.0/24 \
--region us-central1
# Database tier with strict isolation
gcloud compute networks create db-tier-vpc --subnet-mode custom
gcloud compute networks subnets create db-subnet \
--network db-tier-vpc \
--range 10.3.0.0/24 \
--region us-central1Advanced Security Controls:
- Hierarchical firewall rules with explicit deny-all defaults
- Cloud Armor policies with custom rules and geographic restrictions
- IAM integration with service accounts and minimal privilege roles
- Network monitoring and alerting for security events
- SSL/TLS termination with managed certificates
Success Criteria Validation
Security Posture Verification:
- External access limited to designated web endpoints
- Inter-tier communication properly restricted and monitored
- No unnecessary external IP addresses assigned
- All firewall rules follow least-privilege principles
- Security policies effectively block malicious traffic
Operational Excellence:
- Health checks properly configured for all tiers
- Load balancing distributes traffic effectively
- Monitoring and alerting operational across all components
- Administrative access properly secured and audited
Enterprise Security Patterns and Best Practices
This comprehensive lab series establishes several critical enterprise security patterns:
Defense in Depth Architecture: Multiple layers of security controls provide resilient protection against diverse attack vectors. Network isolation, application-layer filtering, and identity verification work together to create comprehensive security coverage.
Zero Trust Implementation: Every access request undergoes verification regardless of source location or network segment. This approach eliminates implicit trust based on network location and provides stronger security in distributed environments.
Policy-Driven Security: Automated policy enforcement reduces human error and ensures consistent security posture across environments. Infrastructure-as-code approaches enable version control and audit trails for security configurations.
Continuous Monitoring and Response: Real-time visibility into network traffic, security events, and access patterns enables proactive threat detection and rapid incident response.
Production Implementation Considerations
Scalability Planning: Security controls must scale with application growth without introducing performance bottlenecks or operational complexity.
Compliance Integration: Security implementations should support regulatory requirements including data sovereignty, audit trails, and access controls.
Operational Efficiency: Security tools and processes should integrate with existing operational workflows and provide clear visibility into security posture.
Cost Optimisation: Security implementations should balance protection requirements with cost considerations, leveraging managed services where appropriate.
This comprehensive security lab series provides the foundation for implementing enterprise-grade cloud security architectures that protect against modern threats while supporting business requirements for agility and scalability.