Cloud Interconnects for Google Cloud
The Cloud Interconnects behavior maximizes traffic flow through Private Network Interconnects (PNIs) established with Google Cloud Provider (GCP). PNIs are private connections that provide an optimal network path for the traffic sent between the GCP infrastructure and Akamai edge servers.
This behavior enables reduced egress costs at the origin and is supported for origins in Asia, Europe, and North America.
GCP Interconnect may bring egress savings but doesn't guarantee that you receive cloud egress discounts from the Cloud Service Provider.
Before you begin
Before you enable Cloud Interconnects, make sure you add the cloud hostname to your configuration as part of the Origin Server behavior.
By default, Cloud Interconnects enables the Allow All Methods on Parents Server behavior.
About Tiered Distribution
Cloud Interconnects uses the Tiered Distribution behavior for caching. If you previously enabled Tiered Distribution on your configuration, it uses your existing map. Otherwise, it enables Tiered Distribution implicitly and uses the default global map. If you don't want Cloud Interconnects to enable Tiered Distribution or want to use a different Tiered Distribution map, contact your account representative.
About SureRoute and SiteShield
Cloud Interconnects incorporates several features to optimize its use, such as SureRoute and Origin IP Access Control List. It uses origin Access Control List (ACL) to provide you with a small CIDR list that is used by Akamai to access your origin. You can use this CIDR list as an IP ACL that works like SiteShield.
This behavior overrides any SureRoute and SiteShield configurations for the cloud origins it applies to. If you have a property with multiple origins, some of which don't use Cloud Interconnects, then you should retain any SureRoute or SiteShield configurations that apply to those origins. However, if after you adopt Cloud Interconnects, no other such alternate origins remain, you may want to remove the SureRoute and SiteShield behaviors to simplify your configuration. See the following table for the summary of different scenarios.
|GCP-only origins on configuration||Multi-cloud origins on configuration|
|SureRoute||GCP origin ignores pre-existing SureRoute behavior. It uses Cloud Interconnects built-in SureRoute feature.
You can remove SureRoute to simplify your configuration.
|GCP origin uses a built-in SureRoute feature as part of the Cloud Interconnects behavior. Other origins use SureRoute standalone behavior.
Don't remove the SureRoute behavior.
|SiteShield||GCP origin ignores pre-existing SiteShield behavior. It uses Cloud Interconnects built-in SiteShield feature.
You can remove the SiteShield behavior to simplify your configuration.
|GCP origin uses the built-in SiteShield Route feature as part of the Cloud Interconnects behavior. Other origins use SiteShield standalone behavior.
Don't remove the SiteShield behavior.
In addition, if you previously enabled SiteShield, update your firewall ACL.
Follow these steps to enable Cloud Interconnects for your cloud origin.
Add the Cloud Interconnects for Google Cloud behavior to your property.
Enable. Set to On.
Cloud provider. Select your cloud hosting provider.
Cloud locations. Select the appropriate location of your cloud origin server.
Allow Cloud Interconnects IP addresses through your firewall.
Cloud Interconnects provides an ACL based on supernet CIDRs that you can use to restrict traffic to your origin.
There are two ways you can get the list of addresses that you need to allow through your firewall:
Use the list of addresses given in the Origin IP Access Control List guide.
Use the list of addresses given in the Firewall Rules Notification application:
Launch Firewall Rules Notification in Control Center, then go to COMMON SERVICES > Firewall change notifications.
Select the Manage Subscriptions tab.
Click Subscribe Users.
Select Origin IP ACL, then add one or more email addresses for the subscription.
Go to the CIDR Blocks tab to see the CIDRs.
When you update your firewall and acknowledge this change, Cloud Interconnects starts sending traffic through PNIs.
This step is only required if you previously used SiteShield for this origin. Otherwise it may be optional, depending on your use case.
- Test your configuration
Now you can activate your configuration on the staging network to test it against your origin and activate it on the production network when you're ready to go live.
- Remove the SureRoute behavior from your property.
This step is optional and applies only if you previously enabled SureRoute and your configuration contains only GCP origins. You may complete this step to simplify your configuration. See About SureRoute and SiteShield to learn more.
- Remove the SiteShield behavior from your property.
This step is optional and applies only if you previously enabled SiteShield and your configuration contains only GCP origins. You may complete this step to simplify your configuration. See About SureRoute and SiteShield to learn more.
Update your firewall settings every time you get a notification that a new list of Cloud Interconnects addresses is ready. This list almost never changes.
Tips and best practices
Sometimes, enabling this behavior may cause additional midgress traffic. In your Property Manager configuration, apply this behavior only to Google Cloud origins. If a property contains origins other than Google Cloud, then you should add the behavior only to rules that apply only to Google Cloud origins. If you are using Global Traffic Manager (GTM), verify that Google Cloud and non-Google Cloud origins are contained in separate GTM properties and that the property is structured so that the behavior applies to Google Cloud origins only.
Monitor traffic flowing through Interconnects
Access the Cloud Interconnects Traffic report in the Control Center under the Common Services menu, by selecting Reports > Cloud Interconnects Traffic. Alternatively, if you're already in Traffic Reports, you can select the Cloud Interconnects Traffic report from the Report menu at the top of the Traffic Reports page.
To enable reporting, the behavior must be in a parent rule, child rule, or in the same rule as the Origin Server behavior and Content Provider Code so that the relationship between Origin Server hostname and its associated content provider code is identified. This makes it possible for you to use the Cloud Interconnects traffic report filters. Reporting will not be enabled if the behavior relationship is setup through an environment variable.
Updated 7 months ago