Network Service Tiers overview
Network Service Tiers lets you optimize connectivity between systems on the internet and your Cloud de Confiance by S3NS instances.
The following table lists Premium Tier features:

| Cloud de Confiance | Premium Tier |
|---|---|
| Routing | Traffic between the internet and your application travels within the Cloud de Confiance network to reach users |
| Security | Traffic is protected on Cloud de Confiance's backbone until the last mile |
| Networking features | Supports all Cloud de Confiance networking features |
Network Service Tiers and Cloud de Confiance resources
Cloud de Confiance has two types of external IP addresses: global and regional.
| External IP address type | Premium Tier |
|---|---|
| Global external IPv4 and IPv6 addresses: publicly routable anycast IP addresses | Supported |
| Regional external IPv4 addresses: publicly routable IPv4 addresses designated for use by Cloud de Confiance resources that fit within a single Cloud de Confiance region | Supported |
| Regional external IPv6 addresses: publicly routable IPv6 addresses designated for use by Cloud de Confiance resources that fit within a single Cloud de Confiance region | Supported |
Regardless of which tier you use, the network is designed to keep traffic between virtual machine (VM) instances that are in the same or different regions on Google's network, including when a load balancer is on the path. This is true whether the traffic uses publicly or privately routable IP addresses.
The following table describes how Network Service Tiers applies to Cloud de Confiance resources and what type of external IP address must be used.
| Cloud de Confiance resource | Premium Tier |
|---|---|
| Regional external Application Load Balancer, regional external proxy Network Load Balancer, external passthrough Network Load Balancer | Requires a regional external IP address. |
| VM instances, including GKE node VMs | Requires a regional external IP address. |
| Cloud VPN gateways | Requires a regional external IP address. |
| Cloud NAT gateways | Requires a regional external IP address. |

| Cloud de Confiance service | Premium Tier |
|---|---|
| Cloud Storage | By default, access to Cloud Storage buckets is considered Premium Tier, whether or not the bucket is used as a backend for an external Application Load Balancer. |
Traffic routing
This table summarizes how routing works for Premium Tier:

| Traffic | Premium Tier |
|---|---|
| Inbound data transfer to Cloud de Confiance | Traffic from an internet user enters Google's network through peering or transit networks in a Google point of presence (PoP) that's as close as possible to the internet user. More specifically, Cloud de Confiance advertises next hops for Premium Tier IP addresses to peering and transit networks in PoPs across the entire Google global network. These next hops are advertised with equivalent BGP metrics. This encourages the peering and transit networks to deliver traffic to a PoP that's as close as possible to the internet user. |
| Outbound data transfer from Cloud de Confiance | Outbound traffic is sent to the internet user on the BGP best path, which typically routes traffic to a point of presence (PoP) that's as close as possible to the internet user. Peering or transit networks then provide connectivity between the Google PoP and the internet user. Peering and transit networks can each advertise multiple next hops with equivalent BGP metrics for a single internet user in many points of presence (PoPs). When BGP best path next hops exist in two or more Google PoPs, the Cloud de Confiance resource selects the next hop in the PoP that minimizes network distance within the Google global network. Depending on the network architecture of the BGP best path peering or transit network, selecting the BGP best path route that minimizes network distance within the Google global network can result in selecting a PoP that's not as close as possible to the internet user. When an internet user exists in a network that peers with the Google global network in multiple locations, Cloud de Confiance doesn't guarantee that outbound traffic remains on the Google global network until the outbound traffic is as close as possible to the internet user. |
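The inbound and outbound rules in the table above differ in who breaks the tie between equivalent BGP next hops, and that difference is what produces the caveat in the outbound row (the exit PoP need not be the one nearest the user). The following is an added illustration, not code from this page or from S3NS or Google: it models the two selection rules in Python on constructed data. The PoP names and both distance metrics are invented for the example, and the model deliberately ignores every BGP attribute other than the "equivalent metrics" the text describes.

```python
"""Toy model of Premium Tier PoP selection as described in the routing table.

Added example; all PoP names and distances are constructed, not measurements.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Pop:
    """A Google point of presence where a peering or transit network hands traffic over."""
    name: str
    distance_to_user: int   # constructed: network distance from this PoP to the internet user, outside Google's network
    backbone_distance: int  # constructed: distance from the Cloud de Confiance resource to this PoP on Google's backbone


# Constructed sample: one internet user whose ISP peers with Google in three PoPs.
SAMPLE_POPS = [
    Pop("pop-a", distance_to_user=1, backbone_distance=5),
    Pop("pop-b", distance_to_user=4, backbone_distance=1),
    Pop("pop-c", distance_to_user=3, backbone_distance=2),
]


def inbound_entry_pop(pops: Iterable[Pop]) -> Pop:
    """Inbound rule: every PoP advertises the Premium Tier prefix with equivalent
    BGP metrics, so the peering network's own best-path selection hands the
    traffic over at the PoP closest to the user. Modelled as min distance_to_user."""
    return min(pops, key=lambda p: p.distance_to_user)


def outbound_exit_pop(pops: Iterable[Pop], best_path_pops: Iterable[str]) -> Optional[Pop]:
    """Outbound rule: the peering network advertises the user's prefix, with
    equivalent BGP metrics, from the PoPs named in best_path_pops. Among those
    candidates the Cloud de Confiance resource chooses the one that minimizes
    distance inside Google's network, regardless of how far it is from the user."""
    advertised = set(best_path_pops)
    candidates = [p for p in pops if p.name in advertised]
    if not candidates:
        return None  # the peer advertises the user's prefix at no PoP at all
    return min(candidates, key=lambda p: p.backbone_distance)


def paths_are_symmetric(pops: Iterable[Pop], best_path_pops: Iterable[str]) -> bool:
    """True when outbound traffic leaves Google's network at the PoP where inbound traffic entered."""
    pops = list(pops)
    exit_pop = outbound_exit_pop(pops, best_path_pops)
    return exit_pop is not None and exit_pop.name == inbound_entry_pop(pops).name


if __name__ == "__main__":
    entry = inbound_entry_pop(SAMPLE_POPS)
    exit_all = outbound_exit_pop(SAMPLE_POPS, ["pop-a", "pop-b", "pop-c"])
    exit_one = outbound_exit_pop(SAMPLE_POPS, ["pop-a"])
    print(f"inbound traffic enters at {entry.name}")
    print(f"outbound exits at {exit_all.name} when the peer advertises the user from all three PoPs")
    print(f"outbound exits at {exit_one.name} when the peer advertises the user only from pop-a")
```

With the constructed data the inbound path enters at pop-a (nearest the user), but when the peer advertises the user's prefix from all three PoPs the outbound path exits at pop-b, the PoP cheapest to reach on the backbone. Only when the peer advertises from a single PoP do the two directions coincide. For a practitioner this is the reason latency or packet-capture observations taken on the inbound side of a Premium Tier address do not necessarily describe the outbound path.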
Premium Tier
Premium Tier delivers traffic from external systems to Cloud de Confiance resources by using Google's low-latency, highly reliable global network. This network consists of an extensive private fiber network with over 200 points of presence (PoPs) around the globe. It is designed to tolerate multiple failures and disruptions while still delivering traffic.
Premium Tier supports both regional external IP addresses and global external IP addresses for VM instances and load balancers. All global external IP addresses must use Premium Tier. Applications that require high performance and availability, such as those that use external Application Load Balancers and external proxy Network Load Balancers, with backends in more than one region, require Premium Tier. Premium Tier is ideal for customers with users in multiple locations worldwide who need the best network performance and reliability.
With Premium Tier, incoming traffic from systems on the internet enters Google's high-performance network at the PoP closest to the sending system. Within Google's network, traffic is routed from that PoP to the VM in your Virtual Private Cloud (VPC) network or closest Cloud Storage bucket. Outbound traffic is sent through Google's network, exiting at the PoP closest to its destination. This routing method minimizes congestion and maximizes performance by reducing the number of hops between end users and the PoPs closest to them.
Premium Tier summary
| Premium Tier | |
|---|---|
| Use case | Performance optimized |
| Network | Google's network |
| Routing | Inbound: Traffic enters Google's network at a location near your user. Outbound: Your outbound traffic rides Google's high-quality backbone network to the Google edge PoP that is geographically closest to your user. |
| Network services | Google's network services |
| Internal Application Load Balancer | Regional |
| External proxy Network Load Balancer | |
| Internal proxy Network Load Balancer | Regional |
| External passthrough Network Load Balancer | Regional external passthrough Network Load Balancer is supported in Premium Tier |
| Internal passthrough Network Load Balancer | Regional |
What's next
- To specify a network tier for your workloads, see Using Network Service Tiers.