
Hybrid Connectivity Security

3,500 words · ≈ 18 min read

Master the security of hybrid cloud connectivity in Google Cloud. Learn to secure HA VPN, Dedicated Interconnect with MACsec, and BGP MD5 authentication.


Introduction to Hybrid Connectivity Security

Connecting an on-premises data center to Google Cloud is a critical path for data. If this connection is compromised, the entire hybrid infrastructure is at risk. A Professional Cloud Security Engineer (PSE) must ensure that hybrid links are encrypted, authenticated, and resilient against both eavesdropping and routing attacks.

The two primary methods for hybrid connectivity are Cloud VPN and Cloud Interconnect.

Plain English Explanation

Analogy 1: Cloud Interconnect vs HA VPN as a Bank Vault Tunnel vs Armored Car

Think of Dedicated Interconnect as a private underground tunnel built directly from your bank vault (on-prem data center) to the Federal Reserve (Google Cloud). No one else uses the tunnel — but it is still just a tunnel, and a corrupt construction worker could theoretically tap into the wall. That is why high-compliance customers add MACsec on top, which is like coating the inside of the tunnel with tamper-evident foil at the Ethernet (Layer 2) level. HA VPN, by contrast, is an armored car driving on the public highway: anyone can see the truck, but the contents are sealed by IPsec encryption with IKEv2 key exchange, and you always send two trucks (two tunnels) for the 99.99% SLA.

Analogy 2: BGP MD5 as a Secret Handshake at the Border

Cloud Router speaks BGP with your on-prem router to swap routing tables — basically saying "I own these subnets, send traffic for them to me." Without authentication, any router that yells loud enough can claim "actually, send all of 10.0.0.0/8 to me" and hijack your traffic. BGP MD5 authentication is a secret handshake: every BGP message is signed with a shared password hash. If the handshake doesn't match, the Cloud Router slams the door. It does not encrypt the data, only the control plane (the routing announcements themselves).

Analogy 3: Partner Interconnect as Renting a Truck from a Moving Company

With Dedicated Interconnect, you own the truck. With Partner Interconnect (Equinix, Megaport, AT&T, etc.), you rent the truck and the driver from a third party. The provider can technically see your Layer 2 frames as they hand them off to Google's edge. The mitigation is to never trust the truck — pack your cargo inside a locked container, which means layering HA VPN (IPsec) on top of Partner Interconnect. Private Google Access then ensures that even when you reach Google APIs over this hybrid link, you stay on private IPs (199.36.153.8/30) instead of leaking out to the public internet.

Securing HA VPN with IPsec and IKEv2

High Availability (HA) VPN is the standard for secure, encrypted tunnels over the public internet.

Security Features:

  • IPsec (Internet Protocol Security): Provides encryption, data integrity, and authentication.
  • IKEv2 (Internet Key Exchange v2): The preferred protocol for key exchange. It is more secure and efficient than IKEv1.
  • Pre-Shared Keys (PSK): Used for mutual authentication between the peer gateway and the Cloud VPN gateway.
  • Traffic Selectors: Define which CIDR ranges are allowed to pass through the tunnel. In HA VPN, these are usually set to 0.0.0.0/0 (any-to-any), with routing handled by BGP.

For a production-grade 99.99% SLA, you must use HA VPN with two interfaces on the Google side and two corresponding tunnels on the peer side.

Cloud Interconnect Security: MACsec (Layer 2)

Dedicated Interconnect provides a direct physical link to Google's network. By default, this traffic is not encrypted because it is on a private circuit. However, for high-compliance industries, MACsec provides Layer 2 encryption.

What is MACsec?

  • Link-Level Encryption: Encrypts all traffic between the on-premises router and the Google Edge router at the Ethernet layer.
  • Integrity: Prevents man-in-the-middle attacks and packet tampering at the physical layer.
  • Pre-shared Keys (CAK): MACsec uses Connectivity Association Keys (CAK) managed via Cloud KMS or stored as Secret Manager secrets.

MACsec (Media Access Control Security) is an IEEE 802.1AE standard that provides security on wired networks at the data link layer (Layer 2).

BGP MD5 Authentication for Route Security

Hybrid connectivity relies on Border Gateway Protocol (BGP) to exchange routes. If an attacker can inject fake routes (BGP hijacking), they can redirect traffic.

  • MD5 Authentication: You configure a shared secret (password) on both the Cloud Router and the on-premises router. Every BGP message is signed with a hash of this secret.
  • If the hashes don't match, the BGP session is rejected.

BGP MD5 protects the control plane, not the data plane. It stops route hijacking on the Cloud Router BGP session but does not encrypt user traffic. For data-plane confidentiality on the same link you still need IPsec (HA VPN over Interconnect) or MACsec on Dedicated Interconnect — never assume MD5 alone is "secure hybrid connectivity."
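BGP MD5 authentication is the TCP MD5 Signature Option of RFC 2385: every TCP segment of the BGP session carries an MD5 digest over the pseudo-header, the fixed TCP header, the segment data and the shared secret, and the receiver drops any segment whose digest does not match. The example below is added here and is not from the note; it computes and verifies that digest for a constructed BGP KEEPALIVE, with made-up peering addresses and secret, and shows that a wrong key or a tampered payload fails verification.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_MD5_OPT_KIND = 19   # TCP option kind for the MD5 signature (RFC 2385)

def bgp_keepalive():
    # BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (RFC 4271)
    return b"\xff" * 16 + struct.pack("!HB", 19, 4)

def tcp_fixed_header(sport, dport, seq, ack, flags, window, doff_words):
    # 20-byte fixed TCP header; checksum and urgent pointer are zero, as the digest requires
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff_words << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header (options excluded, checksum 0), data, key."""
    if len(fixed_header) != 20:
        raise ValueError("fixed_header must be the 20-byte TCP header without options")
    doff_words = fixed_header[12] >> 4
    seg_len = doff_words * 4 + len(payload)   # TCP length incl. options, as in the checksum pseudo-header
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    md5 = hashlib.md5(pseudo)
    md5.update(fixed_header[:16] + b"\x00\x00" + fixed_header[18:])  # checksum field forced to zero
    md5.update(payload)
    md5.update(key)
    return md5.digest()

def tcp_md5_option(digest):
    # Option as carried on the wire: kind 19, length 18, 16-byte digest
    return struct.pack("!BB", TCP_MD5_OPT_KIND, 18) + digest

def verify_segment(src_ip, dst_ip, fixed_header, payload, option, key):
    """Receiver side: recompute with the locally configured key and compare in constant time."""
    if len(option) != 18 or option[0] != TCP_MD5_OPT_KIND:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key)
    return hmac.compare_digest(expected, option[2:])

def demo():
    # Constructed link-local peering addresses and secret; doff 10 words = 20 fixed + 20 option bytes
    src, dst, key = "169.254.0.1", "169.254.0.2", b"constructed-shared-secret"
    hdr = tcp_fixed_header(179, 45000, 1000, 2000, 0x18, 65535, 10)   # PSH|ACK
    payload = bgp_keepalive()
    opt = tcp_md5_option(tcp_md5_digest(src, dst, hdr, payload, key))
    tampered = payload[:-1] + b"\x02"   # message type altered in transit without the key
    return (verify_segment(src, dst, hdr, payload, opt, key),
            verify_segment(src, dst, hdr, payload, opt, b"wrong-secret"),
            verify_segment(src, dst, hdr, tampered, opt, key))
```

Note that the digest is keyed MD5, not an HMAC, and it covers only the control-plane TCP segments; the BGP data itself stays in cleartext, which is why the note pairs it with IPsec or MACsec.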

Site-to-Site VPN Architectures

For companies with multiple branch offices, Site-to-Site VPN allows secure communication between sites through Google Cloud.

  • Hub-and-Spoke: Use a VPC as a "Hub." Branch offices (Spokes) connect to the Hub via VPN.
  • Network Connectivity Center (NCC): A Google service that simplifies managing these complex site-to-site topologies.

Encrypting Interconnect Traffic with IPsec

If you need Layer 3 encryption over a Dedicated Interconnect (perhaps because your routers don't support MACsec), you can run HA VPN over Interconnect.

  • This provides the speed of Interconnect with the end-to-end encryption of IPsec.
  • Architecture: The Interconnect acts as the transport layer for the HA VPN tunnels.

When you enable Private Google Access for on-premises hosts, route private.googleapis.com (199.36.153.8/30) or restricted.googleapis.com (199.36.153.4/30) through the HA VPN / Interconnect link with a custom Cloud Router advertisement. This keeps BigQuery, Cloud Storage, and Pub/Sub API traffic from on-prem inside the encrypted hybrid path instead of egressing to the public internet — and it pairs naturally with VPC Service Controls perimeters.

Monitoring Connectivity Health and Latency

Security includes availability. A link that is "down" is a security failure for a mission-critical system.

  • Cloud Monitoring: Monitor vpn_gateway/sent_bytes_count and interconnect/dropped_packets.
  • BGP Session Status: Alert if the BGP session moves from ESTABLISHED to any other state.
  • Network Intelligence Center: Use the Connectivity Test tool to verify that firewall rules aren't blocking hybrid traffic.

Managing Keys and Certificates for VPN

  • PSK Rotation: Change pre-shared keys periodically. This can cause brief downtime unless coordinated.
  • Certificate-Based Authentication: While Cloud VPN primarily uses PSKs, some specialized architectures (using third-party NVAs) might use certificates managed via Certificate Authority Service (CAS).

Security Considerations for Partner Interconnect

In Partner Interconnect, a third-party provider (like Equinix or AT&T) manages the physical link.

  • Risk: The partner technically has access to your Layer 2 frames.
  • Mitigation: Always use IPsec (VPN) on top of Partner Interconnect if you do not trust the provider's physical security.

Designing for Redundancy and Failover Security

Failover should be automatic but secure.

  • Active-Active: Both tunnels are used. If one fails, traffic shifts to the other.
  • Active-Passive: One tunnel is a backup (using BGP MED or AS-PATH prepending to make it less preferred).
  • Security Trap: Ensure that both the primary and backup links have identical firewall rules. You don't want a failover to a link that has "wide open" security.

A common PSE exam pitfall is choosing "Standard VPN" for a high-availability requirement. Standard VPN is deprecated for many use cases; HA VPN is almost always the correct answer.
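The requirements scattered through this note (a tunnel on each HA VPN gateway interface for the 99.99% SLA, IKEv2, MD5 on every BGP peer, an ESTABLISHED session, identical firewall rules on primary and backup, and a less-preferred MED for the passive tunnel) can be turned into a single audit. This is an added example, not from the note or from Google; the HaVpnTunnel shape is a simplified constructed view, not the Compute API resource, and the sample tunnels and rule names are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HaVpnTunnel:
    # Simplified, constructed view of one HA VPN tunnel plus the Cloud Router BGP peer riding on it
    name: str
    gateway_interface: int          # 0 or 1 on the HA VPN gateway
    ike_version: int                # 1 or 2
    bgp_state: str                  # BGP session status as reported for the peer
    bgp_md5_key_set: bool           # MD5 authentication key configured on the BGP peer
    advertised_route_priority: int  # MED sent to on-prem; lower wins, so the backup gets a higher value
    firewall_rules: frozenset       # names of the firewall rules governing traffic arriving via this tunnel

def audit_ha_vpn(tunnels, mode="active-active"):
    """Return findings for a pair of HA VPN tunnels; an empty list means every check in this note passes."""
    findings = []
    if {t.gateway_interface for t in tunnels} != {0, 1}:
        findings.append("SLA: 99.99% needs a tunnel on each HA VPN gateway interface (0 and 1)")
    for t in tunnels:
        if t.ike_version != 2:
            findings.append(f"{t.name}: IKEv{t.ike_version} in use; IKEv2 is the preferred key exchange")
        if not t.bgp_md5_key_set:
            findings.append(f"{t.name}: BGP peer has no MD5 authentication, routes can be spoofed")
        if t.bgp_state != "ESTABLISHED":
            findings.append(f"{t.name}: BGP session is {t.bgp_state}, not ESTABLISHED; alert")
    if len({t.firewall_rules for t in tunnels}) > 1:
        findings.append("failover trap: primary and backup links have different firewall rules")
    if mode == "active-passive" and len({t.advertised_route_priority for t in tunnels}) < 2:
        findings.append("active-passive: backup needs a higher advertised route priority (MED) than primary")
    return findings

# Constructed sample pairs: GOOD meets the checks, BAD breaks several of them
RULES = frozenset({"allow-onprem-10-8-to-app", "deny-all-ingress"})
GOOD = (
    HaVpnTunnel("vpn-tunnel-if0", 0, 2, "ESTABLISHED", True, 100, RULES),
    HaVpnTunnel("vpn-tunnel-if1", 1, 2, "ESTABLISHED", True, 200, RULES),
)
BAD = (
    HaVpnTunnel("vpn-tunnel-if0", 0, 2, "ESTABLISHED", True, 100, RULES),
    HaVpnTunnel("vpn-tunnel-backup", 0, 1, "ESTABLISHED", False, 100, frozenset({"allow-all-backup"})),
)

if __name__ == "__main__":
    for finding in audit_ha_vpn(BAD, mode="active-passive"):
        print("FINDING:", finding)
```

In practice the inputs would be filled from the tunnel, BGP peer and firewall listings of the project rather than typed by hand.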

PSE Exam Scenarios

Scenario 1: MACsec Requirement

"A bank requires that all data moving over their 10Gbps Dedicated Interconnect be encrypted at the physical layer to prevent tapping. What should the engineer configure?" Answer: Configure MACsec on the Dedicated Interconnect. Store the MACsec keys in Cloud KMS and ensure the on-premises router supports 802.1AE.

Scenario 2: BGP Hijacking Prevention

"A security audit found that the hybrid BGP sessions are vulnerable to spoofing. How can this be mitigated without adding encryption overhead?" Answer: Enable BGP MD5 Authentication on the Cloud Router and the on-premises peer. This authenticates the BGP control plane without encrypting the data plane.

Summary Checklist

  • Differentiate between IPsec (Layer 3) and MACsec (Layer 2).
  • List the requirements for a 99.99% HA VPN SLA.
  • Explain how BGP MD5 protects routing.
  • Describe the benefit of HA VPN over Interconnect.
  • Identify the risks associated with Partner Interconnect.

Hybrid security layer cheat sheet:

  • Layer 2 encryption on private circuit: MACsec on Dedicated Interconnect (CAK in Cloud KMS, IEEE 802.1AE).
  • Layer 3 encryption over public internet: HA VPN with IPsec + IKEv2, two tunnels, 99.99% SLA.
  • Layer 3 encryption over private circuit: HA VPN over Interconnect (when routers lack MACsec, or for Partner Interconnect).
  • Control-plane integrity: BGP MD5 on the Cloud Router peer.
  • Private API egress from on-prem: Private Google Access for on-prem hosts via custom Cloud Router advertisement of 199.36.153.8/30.
