Introduction to Hybrid and Multi-Cloud Connectivity
In a modern enterprise, data and applications are rarely confined to a single cloud. A Professional Cloud Architect must design robust, secure, and high-performance links between Google Cloud, on-premises data centers, and other cloud providers (AWS, Azure).
GCP provides several connectivity options, ranging from the public internet (VPN) to private, high-bandwidth physical connections (Interconnect). The choice depends on bandwidth requirements, latency sensitivity, cost, and security needs.
HA VPN is the Cloud VPN solution that lets you securely connect your on-premises network to your VPC network through an IPsec VPN connection, with an SLA of 99.99%. It requires two interfaces on the HA VPN gateway. Reference: https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview
Plain-Language Explanation: Hybrid & Multi-Cloud Connectivity
Connecting different networks is like connecting two cities separated by a mountain range.
Analogy 1 — The Public Highway vs. The Private Railway (VPN vs. Interconnect)
- Cloud VPN is like a public highway. It's free to use (except for tolls/data charges), but you share it with everyone else. It can get congested, and weather (internet instability) can affect your trip. You use an armored car (Encryption) to stay safe.
- Cloud Interconnect is like a private railway line built specifically for your company. No one else uses it. It's fast, consistent, and can carry massive loads. It's more expensive to build and maintain, but it's the only way to move 10,000 tons of freight (Data) daily.
Analogy 2 — The Universal Translator (Cloud Router & BGP)
Cloud Router using BGP (Border Gateway Protocol) is like a universal translator at a trade summit. Your on-prem network speaks "On-Premish" and GCP speaks "Cloudish." Without BGP, you have to manually write down every single route (Static Routing), which is tedious and prone to errors. BGP allows both sides to automatically announce, "Hey, I have these new folders (Subnets) available," ensuring the map is always up to date.
Analogy 3 — The Central Hub (Network Connectivity Center)
Network Connectivity Center (NCC) is like the central hub of a global airline. Instead of having separate, messy flights between every city, all flights come through the hub. NCC simplifies complex global networks by letting you manage VPNs, Interconnects, and SD-WANs in one place.
On the PCA exam, if a scenario requires "99.99% availability" for a hybrid link, you must use HA VPN or Interconnect with a redundant configuration. Reference: https://cloud.google.com/network-connectivity/docs/how-to/choose-product
Setting Up HA VPN Tunnels
HA VPN is the standard for secure, encrypted connectivity over the internet.
- Topology: Requires two tunnels from the GCP side to two different on-prem endpoints (or one endpoint with two IPs).
- Routing: Dynamic routing (BGP) is mandatory for HA VPN.
- SLA: 99.99% availability is only guaranteed if both tunnels are configured correctly.
Dedicated vs. Partner Interconnect
When the internet isn't enough, you use Interconnect.
- Dedicated Interconnect: A physical 10G or 100G link directly between your hardware and Google's edge. Best for massive data transfer.
- Partner Interconnect: Connectivity provided through a third-party service provider (like Equinix or AT&T). Good if you are already in a provider's data center or need less than 10G bandwidth.
PCA scenarios requiring 99.99% SLA on a private link must use Dedicated Interconnect with two circuits in two different Google Edge Availability Domains (EADs) terminated on two different on-premises routers — a single 10G/100G circuit only delivers 99.9%. If the question caps bandwidth below 10G or rules out a colocation footprint, switch to Partner Interconnect with redundant VLAN attachments instead.
Configuring Cloud Router and BGP
Cloud Router enables dynamic exchange of routes between your VPC and external networks.
- ASN (Autonomous System Number): You need a private ASN for your on-prem side (e.g., in the range 64512-65534).
- Keepalive Timers: Determine how quickly a failure is detected.
- Route Advertisements: You can choose to advertise all subnets or only specific ones.
Multi-Cloud Connectivity Patterns
Connecting GCP to AWS or Azure:
- VPN over Internet: Simplest but least predictable.
- Cross-Cloud Interconnect (CCI): Google-managed physical links to other clouds. This is the modern architect's choice for high-performance multi-cloud.
- Third-Party Exchange: Using a provider like Megaport to bridge the clouds.
Network Connectivity Center (NCC)
NCC is a hub-and-spoke model for network management.
- Hub: The central resource in a project.
- Spokes: VPNs, Interconnects, or Router Appliances connected to the hub.
- VPC-to-VPC: NCC can also manage connectivity between different VPCs, even across projects.
Troubleshooting Hybrid Links
- BGP Session Down: Check ASN mismatches, firewall rules (allow TCP 179), and shared secrets.
- Latency Issues: Check for suboptimal routing or physical distance. Use Cloud Monitoring to track tunnel throughput.
- MTU Mismatch: Standard MTU is 1500, but VPNs often need 1460 or 1440 because IPsec encapsulation adds header overhead. A mismatch causes packet fragmentation.
Bandwidth and Latency Optimization
- LACP (Link Aggregation): Combine multiple Dedicated Interconnect circuits for higher bandwidth and redundancy.
- Global Routing: Enable global dynamic routing to allow a single Cloud Router to learn routes from all regions in a VPC.
Encryption Over Interconnect
Interconnect is private but not encrypted by default.
- Solution: Use IPsec VPN over Interconnect (also known as HA VPN over Interconnect) if your industry requires encryption for data in transit over physical lines.
Architects often assume Dedicated Interconnect is encrypted because it is a "private" physical line — it is not. The link is layer-2 isolated but data in transit is cleartext, so PCI-DSS or HIPAA workloads still require HA VPN over Interconnect layered on top. The flip side trap: do not pick Direct Peering to reach VPC workloads — Direct Peering only connects to Google's public services (Workspace, YouTube), never to your VPC subnets.
When a scenario says "connect multiple branch offices, VPNs, and Interconnects together in a global mesh," the expected answer is Network Connectivity Center (NCC) — its hub-and-spoke model lets VPNs, Dedicated/Partner Interconnects, Router Appliances, and VPCs share routes through a single Hub. Pair it with global dynamic routing on the Cloud Router so one router learns routes across all VPC regions instead of building per-region peerings.
Key hybrid-connectivity numbers: HA VPN SLA 99.99% (requires 2 tunnels + BGP), single Interconnect circuit SLA 99.9%, dual-EAD Dedicated Interconnect SLA 99.99%. Private ASN range for on-prem peers is 64512–65534. BGP runs over TCP port 179 (must be allowed by firewall). Standard MTU is 1500, but VPN tunnels typically need 1460 or 1440 to avoid fragmentation.
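The rules in the sections above (two tunnels plus BGP for the HA VPN SLA, dual-EAD circuits on two on-prem routers for 99.99% on Interconnect, a private peer ASN, TCP 179 open, a tunnel MTU that avoids fragmentation, and the Q5-style local/peer parameter match) are easy to state and easy to miss in a review. The following is an added example, not Google tooling: it encodes those rules as a checker you can run over a simplified, constructed description of a design. The dataclasses and every field name are assumptions made for this example, standing in for what a Terraform plan or `gcloud compute ... describe` output would contain.

```python
"""Check a hybrid-connectivity design against the PCA rules collected above.

Added example, not Google's code: the dataclasses are a constructed,
simplified stand-in for a real plan or describe output, and all field
names are assumptions.
"""
from dataclasses import dataclass, field

PRIVATE_ASN_RANGE = (64512, 65534)   # private 16-bit ASN range named in the text
BGP_PORT = 179                       # BGP session port the firewall must allow
VPN_MTUS = {1460, 1440}              # tunnel MTUs that avoid fragmentation


@dataclass
class Tunnel:
    name: str
    gateway_interface: int   # 0 or 1 on the HA VPN gateway
    routing: str             # "bgp" or "static"
    peer_asn: int
    mtu: int = 1460


@dataclass
class Circuit:
    name: str
    ead: str                 # Google Edge Availability Domain
    onprem_router: str


@dataclass
class Design:
    tunnels: list = field(default_factory=list)
    circuits: list = field(default_factory=list)
    onprem_allowed_tcp: set = field(default_factory=set)   # on-prem firewall


def vpn_sla(design):
    """SLA an HA VPN design can claim ('99.99%' or 'none') plus the reasons."""
    problems = []
    tunnels = design.tunnels
    if len(tunnels) < 2:
        problems.append("HA VPN needs two tunnels")
    if len({t.gateway_interface for t in tunnels}) < 2:
        problems.append("tunnels must use both HA VPN gateway interfaces")
    lo, hi = PRIVATE_ASN_RANGE
    for t in tunnels:
        if t.routing != "bgp":
            problems.append(f"{t.name}: BGP is mandatory for HA VPN")
        if not lo <= t.peer_asn <= hi:
            problems.append(f"{t.name}: peer ASN {t.peer_asn} not private")
        if t.mtu not in VPN_MTUS:
            problems.append(f"{t.name}: MTU {t.mtu} will fragment; use 1460/1440")
    if BGP_PORT not in design.onprem_allowed_tcp:
        problems.append("on-prem firewall blocks TCP 179; BGP will stay down")
    return ("99.99%" if not problems else "none"), problems


def interconnect_sla(design):
    """'99.9%' for one circuit; '99.99%' only for dual-EAD, dual-router."""
    circuits = design.circuits
    if not circuits:
        return "none", ["no Interconnect circuits"]
    if len(circuits) == 1:
        return "99.9%", ["single circuit: add one in a second EAD for 99.99%"]
    problems = []
    if len({c.ead for c in circuits}) < 2:
        problems.append("circuits share one EAD")
    if len({c.onprem_router for c in circuits}) < 2:
        problems.append("circuits land on one on-prem router")
    return ("99.99%" if not problems else "99.9%"), problems


def bgp_mismatches(gcp, onprem):
    """Q5 check: each side's local values must equal the other side's peer values."""
    checks = [
        ("ASN", gcp["local_asn"], onprem["peer_asn"]),
        ("ASN", onprem["local_asn"], gcp["peer_asn"]),
        ("BGP IP", gcp["local_ip"], onprem["peer_ip"]),
        ("BGP IP", onprem["local_ip"], gcp["peer_ip"]),
        ("shared secret", gcp["secret"], onprem["secret"]),
    ]
    return [f"{what}: {a!r} != {b!r}" for what, a, b in checks if a != b]


if __name__ == "__main__":
    # Constructed sample design that satisfies every rule above.
    good = Design(
        tunnels=[Tunnel("t0", 0, "bgp", 65001), Tunnel("t1", 1, "bgp", 65001)],
        circuits=[Circuit("c0", "zone1", "rtr-a"), Circuit("c1", "zone2", "rtr-b")],
        onprem_allowed_tcp={179},
    )
    print(vpn_sla(good), interconnect_sla(good))
```

A design that passes `vpn_sla` and `interconnect_sla` with empty problem lists is the shape the exam expects for a 99.99% answer; anything else returns the lower tier together with the reason, which is also the order in which you would troubleshoot a tunnel that never comes up.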
Router Advertisements and Filtering
Control what each side advertises and accepts to prevent "route leaking" or "bridge loops."
- Custom Advertisements: Only send the routes you want the other side to know.
- Inbound Filtering: Only accept the routes you expect from your on-prem router.
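To make the two controls concrete, here is an added example (not Cloud Router's implementation) that simulates custom advertisements on the outbound side and an inbound filter on the on-prem announcements, using Python's standard `ipaddress` module. All prefixes are constructed sample values; the rejection reasons are the failure modes the bullets above describe, including an on-prem router leaking a prefix that overlaps one of your own VPC subnets and an unexpected default route.

```python
"""Simulate Cloud Router custom advertisements and inbound route filtering.

Added example, not Cloud Router's own logic. All prefixes are constructed
sample values for a VPC and an on-prem network.
"""
import ipaddress

# --- Constructed sample environment --------------------------------------
VPC_SUBNETS = ["10.10.0.0/16", "10.20.0.0/16"]
VPC_INTERNAL_ONLY = ["10.20.0.0/16"]        # must never be advertised to on-prem
EXPECTED_ONPREM = ["192.168.0.0/16", "172.16.0.0/12"]
ONPREM_ANNOUNCED = [
    "192.168.0.0/16",   # legitimate
    "172.16.5.0/24",    # legitimate, more specific than the expected aggregate
    "10.10.3.0/24",     # leak: overlaps one of our own VPC subnets
    "0.0.0.0/0",        # default route we did not ask for
]


def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def custom_advertisements(subnets, exclude):
    """Outbound side: advertise VPC subnets except those marked internal-only."""
    excluded = [net(e) for e in exclude]
    return sorted(s for s in subnets
                  if not any(net(s).subnet_of(e) for e in excluded))


def inbound_filter(announced, allowed, local_subnets):
    """Inbound side: accept only prefixes inside an expected on-prem range.

    Returns (accepted, rejected) where rejected maps prefix -> reason.
    """
    accepted, rejected = [], {}
    allowed_nets = [net(a) for a in allowed]
    local_nets = [net(s) for s in local_subnets]
    for prefix in announced:
        n = net(prefix)
        if n.prefixlen == 0:
            rejected[prefix] = "default route not expected from on-prem"
        elif any(n.overlaps(local) for local in local_nets):
            rejected[prefix] = "overlaps a VPC subnet (route leak of our own prefix)"
        elif not any(n.subnet_of(a) for a in allowed_nets):
            rejected[prefix] = "not within an expected on-prem prefix"
        else:
            accepted.append(prefix)
    return accepted, rejected


if __name__ == "__main__":
    print("advertise:", custom_advertisements(VPC_SUBNETS, VPC_INTERNAL_ONLY))
    ok, bad = inbound_filter(ONPREM_ANNOUNCED, EXPECTED_ONPREM, VPC_SUBNETS)
    print("accept:", ok)
    for prefix, reason in bad.items():
        print("reject:", prefix, "->", reason)
```

The overlap check is the one that catches a misconfigured on-prem router announcing a more specific prefix for your own subnet, which would otherwise pull VPC-internal traffic across the link; the default-route check is evaluated first because `0.0.0.0/0` overlaps every network and would otherwise be reported with the wrong reason.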
FAQ — Hybrid and Multi-Cloud Connectivity
Q1. Can I use static routing with HA VPN?
No. HA VPN requires dynamic routing (BGP) to ensure that if one tunnel fails, the traffic automatically reroutes to the other tunnel without manual intervention.
Q2. What is the difference between "Interconnect" and "Peering"?
Interconnect (Dedicated/Partner) is for connecting your network to your GCP VPC. Peering (Direct/Carrier) is for connecting your network to Google's public services (like Workspace or YouTube) without going through a VPC.
Q3. How do I achieve 99.99% availability with Dedicated Interconnect?
You must have at least two circuits connected to two different Google Edge Availability Domains (EADs) and two different on-premises routers.
Q4. Does Cross-Cloud Interconnect require me to have my own data center?
No. Cross-Cloud Interconnect is a cloud-to-cloud connection managed by Google. You don't need physical hardware; you just need a VPC in both clouds.
Q5. What happens if my BGP session stays "Pending"?
Usually, this means the two routers can see each other but cannot agree on the parameters. Verify that the Local ASN, Peer ASN, and BGP IP addresses match exactly on both sides.
Final Architect Tip
For the PCA exam, always remember that Direct Peering is NOT a VPC connectivity solution. If the question asks how to connect your VMs to your on-prem database, the answer will be VPN or Interconnect. If it asks how to get faster access to YouTube for your employees, the answer might be Direct Peering.