Supported Deployments on Google Cloud Platform

Review basic topologies supported on Google® Cloud Platform (GCP™).
You can deploy the VM-Series firewall on a Google® Compute Engine instance in a network in your virtual private cloud (VPC). The deployment types are:

Internet Gateway

Deploy a VM-Series firewall as an internet gateway.
The VM-Series firewall secures North/South traffic to and from the internet to protect applications from known and unknown threats. A Google project can have up to five VPC networks. For a typical example of an internet gateway, refer to the Google configuration examples.
In public cloud environments, it is a common practice to use a scale-out architecture (see the figure below) rather than larger, higher performing VMs. This architecture (sometimes called a sandwich deployment) avoids a single point of failure and enables you to add or remove firewalls as needed.
[Figure: scale-out (sandwich) deployment (gce-lb.png)]

Segmentation Gateway

Deploy a VM-Series firewall as a segmentation gateway.
A segmentation gateway secures East/West traffic between virtual private clouds (VPCs) to ensure data protection compliance and application access. The following figure shows a firewall securing both North/South and East/West traffic.
[Figure: firewall securing both North/South and East/West traffic (gce-n-s-e-w.png)]

Hybrid IPSec VPN

Deploy a VM-Series firewall as a VPN termination point between an on-premises data center and a virtual private cloud (VPC), or place the firewall behind a VPN gateway.
The VM-Series firewall serves as an IPSec VPN termination point, which enables secure communications to and from applications hosted on Google Cloud Platform (GCP).
The deployment in the figure below shows a site-to-site VPN from an on-premises network to a VM-Series firewall deployed on GCP and an IPSec connection from an on-premises network to a Google Cloud VPN gateway.
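[Figure: site-to-site VPN to a VM-Series firewall on GCP and IPSec connection to a Google Cloud VPN gateway (gce-vpn-hybrid.png)]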
