Network Service Tiers overview

Network Service Tiers lets you optimize connectivity between systems on the internet and your Trusted Cloud by S3NS instances. Premium Tier delivers traffic on Google's premium backbone, while Standard Tier uses regular ISP networks.

The following table lists Premium Tier features:

Trusted Cloud Premium Tier
  • Routing: Traffic between the internet and your application travels within the Trusted Cloud network to reach users
  • Security: Traffic is protected on Trusted Cloud's backbone until the last mile
  • Networking features: Supports all Trusted Cloud networking features

Network Service Tiers and Trusted Cloud resources

Trusted Cloud has two types of external IP addresses: global and regional.

| External IP address type | Premium Tier |
|---|---|
| Global external IPv4 and IPv6 addresses: Publicly routable anycast IP addresses. | Supported |
| Regional external IPv4 addresses: Publicly routable IPv4 addresses designated for use by Trusted Cloud resources that fit within a single Trusted Cloud region | Supported |
| Regional external IPv6 addresses: Publicly routable IPv6 addresses designated for use by Trusted Cloud resources that fit within a single Trusted Cloud region | Supported |

Regardless of which tier you use, the network is designed to keep traffic between virtual machine (VM) instances that are in the same or different regions on Google's network, including when a load balancer is on the path. This is true whether the traffic uses publicly or privately routable IP addresses.

The following table describes how Network Service Tiers applies to Trusted Cloud resources and what type of external IP address must be used.

In the table, a indicates that a resource is supported in a network tier, and indicates that it is not supported.

| Trusted Cloud resource | Premium Tier |
|---|---|
| Global external Application Load Balancer; Global external proxy Network Load Balancer; Classic Application Load Balancer; Classic proxy Network Load Balancer | Requires a global external IP address. |
| Regional external Application Load Balancer; Regional external proxy Network Load Balancer; External passthrough Network Load Balancer | Requires a regional external IP address. |
| VM instances, including GKE node VMs | Requires a regional external IP address. |
| Cloud VPN gateways | Requires a regional external IP address. |
| Cloud NAT gateways | Requires a regional external IP address. |

The following table shows how Network Service Tiers applies to Cloud Storage and Cloud CDN.

| Trusted Cloud service | Premium Tier |
|---|---|
| Cloud Storage | By default, access to Cloud Storage buckets is considered Premium Tier, whether or not the bucket is used as a backend for an external Application Load Balancer. |
| Cloud CDN | Cloud CDN is always Premium Tier. |

Traffic routing

This table summarizes how routing works for Premium Tier:

Traffic Premium Tier
Inbound data transfer to Trusted Cloud

Traffic from an internet user enters Google's network through peering or transit networks in a Google point of presence (PoP) that's as close as possible to the internet user.

More specifically, Trusted Cloud advertises next hops for Premium Tier IP addresses to peering and transit networks in PoPs across the entire Google global network. These next hops are advertised with equivalent BGP metrics. This encourages the peering and transit networks to deliver traffic to a PoP that's as close as possible to the internet user.

Outbound data transfer from Trusted Cloud

Outbound traffic is sent to the internet user on the BGP best path, which typically routes traffic to a point of presence (PoP) that's as close as possible to the internet user. Peering or transit networks then provide connectivity between the Google PoP and the internet user.

Peering and transit networks can each advertise multiple next hops with equivalent BGP metrics for a single internet user in many points of presence (PoPs). When BGP best path next hops exist in two or more Google PoPs, the Trusted Cloud resource selects the next hop in the PoP that minimizes network distance within the Google global network.

Depending on the network architecture of the BGP best path peering or transit network, selecting the BGP best path route that minimizes network distance within the Google global network can result in selecting a PoP that's not as close as possible to the internet user. When an internet user exists in a network that peers with the Google global network in multiple locations, Trusted Cloud doesn't guarantee that outbound traffic remains on the Google global network until the outbound traffic is as close as possible to the internet user.
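
The outbound selection rule described above, as an added example in Python (not code from the original page or from Trusted Cloud). It assumes the BGP best-path comparison can be reduced to AS-path length; the PoP names and all distances are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NextHop:
    pop: str          # PoP where a peering/transit network advertises the user's prefix
    as_path_len: int  # assumption: stands in for the full BGP best-path comparison
    backbone_km: int  # constructed: distance from the sending resource to this PoP
    km_to_user: int   # constructed: distance from this PoP to the internet user

def best_path(hops):
    """Keep only the next hops tied for BGP best path."""
    best = min(h.as_path_len for h in hops)
    return [h for h in hops if h.as_path_len == best]

def select_egress(hops):
    """Among best-path next hops, pick the PoP nearest the resource on the backbone."""
    return min(best_path(hops), key=lambda h: h.backbone_km)

def audit(hops):
    """Compare the selected egress PoP with the PoP nearest the internet user."""
    chosen = select_egress(hops)
    nearest = min(hops, key=lambda h: h.km_to_user)
    return {
        "egress_pop": chosen.pop,
        "nearest_pop": nearest.pop,
        "km_outside_backbone": chosen.km_to_user,
        "exits_early": chosen.pop != nearest.pop,
    }

# Constructed case 1: the user's network peers in three PoPs with equal metrics.
MULTI_PEERED = [
    NextHop("pop-frankfurt", 2, 10, 16500),
    NextHop("pop-singapore", 2, 10300, 6300),
    NextHop("pop-sydney", 2, 16500, 20),
]

# Constructed case 2: only the PoP near the user holds the best path.
SINGLE_BEST = [
    NextHop("pop-frankfurt", 4, 10, 16500),
    NextHop("pop-sydney", 2, 16500, 20),
]

if __name__ == "__main__":
    for name, hops in (("multi-peered", MULTI_PEERED), ("single best path", SINGLE_BEST)):
        print(name, audit(hops))
```

In the multi-peered case the tie is broken toward the PoP nearest the sending resource, so most of the path to the user runs on the peering network rather than the backbone.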

Premium Tier

Premium Tier delivers traffic from external systems to Trusted Cloud resources by using Google's low latency, highly reliable global network. This network consists of an extensive private fiber network with over 100 points of presence (PoPs) around the globe. This network is designed to tolerate multiple failures and disruptions while still delivering traffic.

Premium Tier supports both regional external IP addresses and global external IP addresses for VM instances and load balancers. All global external IP addresses must use Premium Tier. Applications that require high performance and availability, such as those that use external Application Load Balancers and external proxy Network Load Balancers, with backends in more than one region, require Premium Tier. Premium Tier is ideal for customers with users in multiple locations worldwide who need the best network performance and reliability.

With Premium Tier, incoming traffic from systems on the internet enters Google's high-performance network at the PoP closest to the sending system. Within Google's network, traffic is routed from that PoP to the VM in your Virtual Private Cloud (VPC) network or closest Cloud Storage bucket. Outbound traffic is sent through Google's network, exiting at the PoP closest to its destination. This routing method minimizes congestion and maximizes performance by reducing the number of hops between end users and the PoPs closest to them.

Premium Tier summary

Premium Tier

Use case
  • Performance optimized
  • Global network
  • Global network services

Network routing
  • Inbound: Traffic across the globe enters Google's global network at a location near your user.
  • Outbound: Your outbound traffic rides Google's high-quality global backbone network to the Google global edge PoP that is geographically closest to your user.

Network services
  • External Application Load Balancer
      • Supports global, regional, and classic modes
      • Terminates TCP as close to the user as possible, worldwide
  • Internal Application Load Balancer: Cross-region or regional
  • External proxy Network Load Balancer
      • Supports global, regional, and classic modes
      • Terminates TCP as close to the user as possible, worldwide
  • Internal proxy Network Load Balancer: Regional
  • External passthrough Network Load Balancer: Regional external passthrough Network Load Balancer is supported in Premium Tier
  • Internal passthrough Network Load Balancer: Regional
  • Cloud CDN: Only Premium Tier
