Deploy a VM-Series firewall as an internet gateway.
The VM-Series firewall secures North/South traffic to
and from the internet to protect applications from known and unknown
threats. A Google project can have up to five VPC networks. For
a typical example of an internet gateway, refer to the Google configuration examples.
In public cloud environments, it is common practice to use
a scale-out architecture (see the figure below) rather than larger,
higher-performing VMs. This architecture (sometimes called a sandwich deployment)
avoids a single point of failure and enables you to add or remove
firewalls as needed.
Deploy a VM-Series firewall as a segmentation gateway.
A segmentation gateway secures East/West traffic between
virtual private clouds (VPCs) to ensure data protection compliance
and application access. The following figure shows a firewall securing
both North/South and East/West traffic.

Hybrid IPSec VPN

Deploy a VM-Series firewall as a VPN termination point
between an on-premises data center and a virtual private cloud (VPC),
or place the firewall behind a VPN gateway.
The VM-Series firewall serves as an IPSec VPN termination
point, which enables secure communications to and from applications
hosted on Google Cloud Platform (GCP).
The deployment in the figure below shows a site-to-site VPN from
an on-premises network to a VM-Series firewall deployed on GCP and
an IPSec connection from an on-premises network to a Google Cloud