Google Cloud is rolling out new network and security features, including a service that provides Layer-7 security.

The new offerings announced at Google Cloud Next also include firewall and web application-protection options aimed at advancing existing cloud connectivity and ensuring the security of cloud-based resources.

“We are fundamentally enhancing our network fabric—which includes 35 regions, 106 zones and 173 network edge locations across 200-plus countries—and making it simpler and easier for organizations to migrate their existing workloads and modernize applications all while securing and making them easier to manage,” said Muninder Sambi, vice president and general manager of networking for Google Cloud.

Private Service Connect (PSC)

On the networking front, Google Cloud has added features to its Private Service Connect offering, which ties together groups, projects, and other organizations over encrypted links. PSC now includes Layer 7-based security, routing, and telemetry to ensure consistent policy control across the service.

It also supports using Cloud Interconnect, Google Cloud’s highly available, low-latency connection service, to link on-prem sites to other PSC endpoints, according to Sambi. PSC integrates with managed data and analytics services from Confluent, Databricks, DataStax, Grafana, and Neo4J.

With PSC, customer-network traffic traverses only Google’s backbone network and isn’t exposed to the public internet, Sambi said. Customers connect to Google Cloud using PSC endpoints with private IP addresses on Google virtual private cloud (VPC) networks.

“Private Service Connect is important because it helps to simplify the networking and security that must accompany migrations of workloads to the cloud. Specifically, PSC provides encrypted connections across VPC networks that are in different groups, teams, projects, or organizations,” said Brad Casemore, Research VP, Datacenter and Multicloud Networks, IDC. “The new PSC enhancements include an L7 PSC, for simplified application-layer policy; PSC over interconnect, which supports on-premises traffic through Cloud Interconnects to PSC endpoints; PSC for hybrid environments (which is what most enterprises have), and additional integrations with partner services.”

Google also previewed a technology it says will let customers more easily network container-based resources. Network Function Analyzer lets customers connect multiple container network functions, apply labels, and steer traffic to them.

“Customers can use this function to steer their applications and add multiple services into a cloud container application framework,” Sambi said. “It’s an important feature for customers whose applications were either born in the cloud or are being rewritten to move them to the cloud. They can use this function to minimize costs, get high performance and get service scaling along with it.”

Network Function Optimizer provides a simpler, high-performance data plane for container-based networking, leveraging eBPF-based eXpress Data Path (XDP), Casemore said. “Google has used eBPF for enhanced data-plane performance on its own infrastructure for a while now, and offering that benefit to enterprise customers adopting cloud-native applications and related network functions makes considerable sense.”

New network management tools

On the network management side, Google has expanded its overarching Network Intelligence Center. The company said the platform’s Network Analyzer, which learns and monitors customer networks to detect misconfigurations and drift in network topology, firewall rules, routes, load balancers, and connectivity to services and applications, is now available.

New features of Network Intelligence Center also include a Performance Dashboard that provides visibility into latency measurements for Google Cloud-to-internet traffic at per-project and global levels. This helps in planning the placement of customers’ Google Cloud resources and overall network architecture, Sambi said.

Another new feature, Network Topology, lets customers identify and monitor their top contributors to egress and optimize their cloud architecture for performance and cost, Sambi said. The platform’s Firewall Insights program now supports IPv6.

Security options

The company previewed a two-tiered Cloud Firewall service: Cloud Firewall Essentials and Cloud Firewall Standard.

Cloud Firewall Standard brings expanded policy objects for firewall rules aimed at simplifying configuration and micro-segmentation.

Cloud Firewall Essentials is the new basic level of firewall capabilities. It features Global and Regional Network Firewall Policies, which have built-in IAM (identity and access management) controls, can be applied across VPCs, and support batch rule updates. New IAM-governed Tags allow for scalable micro-segmentation policies that follow workloads no matter where they are located.

“The idea with the combination of IAM-governed Tags in Cloud Firewall Essentials, the dynamic objects in Cloud Firewall Standard, Address Groups, and our existing hierarchical firewall rules helps customers run a flexible, least-privilege, self-service environment that enforces pinpoint policy with greater simplicity and decreased operational cycles,” Sambi said.

Also in the security realm, Google bolstered its Cloud Armor service, which protects web applications, services, and APIs from DDoS attacks and web-application exploits. Customers can now configure the service’s machine-learning-based Adaptive Protection capability to automatically deploy its proposed rules.

“Google Cloud Armor is actually built on ML-based attack-protection capability where you can automate, deploy and evolve the security rules with a very simplified policy structure,” Sambi said. “We have pre-configured rules and information on vulnerability risks that customers can use to help build ML-based automated responses to threats.”

The battle with AWS, Azure

Google Cloud’s new networking and security features are part of the continuing competition among top cloud providers such as AWS and Microsoft Azure.

“Google Cloud and AWS are both significantly enhancing their cloud networking capabilities, including networking from on-premises environments to the cloud, and networking in the cloud (including service insertion and service chaining),” Casemore said. “Microsoft Azure isn’t standing still, but I’d say it has some ground to make up on the other two. Networking to and in the cloud will only grow in both its range of features and functionality and in its importance to enterprises.”

“As new and existing enterprise workloads move to IaaS clouds, the enterprise data center and its network are becoming distributed,” Casemore said. “Enterprises must modernize their network infrastructure accordingly, not just in cloud (as part of the distributed data center), but also across the WAN, which must also be optimized to meet the needs of cloud workloads.”

“Enterprises will become increasingly familiar with the constructs and benefits of using these globe-girding, increasingly feature-rich cloud networks to support and deliver cloud workloads,” Casemore said.

Other Google Cloud announcements at the Next conference include:

Support for a Live Stream API in its Media CDN offering that brings in and packages content into HTTP Live Streaming and DASH formats for optimized live streaming. For advanced customization, Google Cloud previewed a new feature called Network Actions for Media CDN, a fully managed offering that lets customers deploy their own code directly in the request/response path at the edge. For enterprises that depend on video on demand, Media CDN is now offered on a global scale, Sambi said.

A preview of 200Gbps networking with a new C3 virtual machine family. The new C3 machine series features the Intel Xeon Scalable processor and Google’s custom Intel Infrastructure Processing Unit (IPU), which offloads processing from a core server, improving performance. The C3’s system-on-a-chip design promises better security as well as creating more infrastructure choices, such as native bare-metal servers. Compared with the current-generation C2, C3 VMs with Hyperdisk will deliver 4x higher throughput and 10x higher IOPS (input/output operations per second), Google stated.

A fully managed software supply-chain security service called Software Delivery Shield to address threats like those found in the SolarWinds vulnerability and others. It provides DevOps and security teams with the tools to build secure cloud applications. Those tools cover software development and deployment stages, including continuous integration, continuous delivery, production environments, and policies.
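The tag-based micro-segmentation idea from the Cloud Firewall Essentials section above (policies that follow a workload rather than its address) is easiest to see with a small policy evaluator. The following is an added example written for this page; it is not Google Cloud's code and does not reproduce the real Network Firewall Policy semantics. The workloads, tags (role:web, role:db), addresses, rule priorities and the any-of-set tag matching are all constructed assumptions used only to contrast a tag-keyed rule with an equivalent CIDR-keyed rule when a workload moves.

```python
"""Illustrative model of tag-keyed versus address-keyed firewall rules.

Added example, not Google Cloud code. Models one idea from the article:
a rule that matches on tags bound to a workload keeps applying after the
workload moves to another subnet or region, while an address-keyed rule
silently stops matching (or keeps matching hosts it never meant to).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Workload:
    """A VM or service instance. Tags are hypothetical 'key:value' strings."""
    name: str
    ip: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    priority: int                      # lower number is evaluated first
    action: str                        # "allow" or "deny"
    protocol: str                      # e.g. "tcp"
    port: Optional[int] = None         # None = any port
    src_tags: frozenset = frozenset()  # match if source carries any; empty = any source
    dst_tags: frozenset = frozenset()  # match if destination carries any; empty = any dest
    src_cidrs: tuple = ()              # address-keyed alternative; empty = any source
    dst_cidrs: tuple = ()              # address-keyed alternative; empty = any dest


def _in_any(ip: str, cidrs: tuple) -> bool:
    return any(ip_address(ip) in ip_network(c) for c in cidrs)


def rule_matches(rule: Rule, src: Workload, dst: Workload, protocol: str, port: int) -> bool:
    """Every populated selector on the rule must match; empty selectors match anything."""
    if rule.protocol != protocol:
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.src_tags and not (rule.src_tags & src.tags):
        return False
    if rule.dst_tags and not (rule.dst_tags & dst.tags):
        return False
    if rule.src_cidrs and not _in_any(src.ip, rule.src_cidrs):
        return False
    if rule.dst_cidrs and not _in_any(dst.ip, rule.dst_cidrs):
        return False
    return True


def evaluate(policy, src: Workload, dst: Workload, protocol: str, port: int) -> Tuple[str, Optional[int]]:
    """First matching rule in priority order decides; no match falls to an implicit deny."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule_matches(rule, src, dst, protocol, port):
            return rule.action, rule.priority
    return "deny", None


# Constructed sample inventory (hypothetical names, addresses and tags).
WEB = Workload("web-1", "10.0.1.5", frozenset({"role:web"}))
DB = Workload("db-1", "10.0.9.7", frozenset({"role:db"}))
BASTION = Workload("bastion", "10.0.1.9")  # shares web-1's subnet but carries no tag

# Tag-keyed policy: only workloads tagged role:web may reach role:db on 5432.
TAG_POLICY = (
    Rule(1000, "allow", "tcp", 5432,
         src_tags=frozenset({"role:web"}), dst_tags=frozenset({"role:db"})),
    Rule(65534, "deny", "tcp"),  # explicit catch-all deny for TCP
)

# Address-keyed policy meant to express the same intent via the web subnet.
IP_POLICY = (
    Rule(1000, "allow", "tcp", 5432,
         src_cidrs=("10.0.1.0/24",), dst_cidrs=("10.0.9.7/32",)),
    Rule(65534, "deny", "tcp"),
)


def move_workload(w: Workload, new_ip: str) -> Workload:
    """Re-create the workload at a new address, as after migration to another subnet/region."""
    return Workload(w.name, new_ip, w.tags)


def scenario() -> dict:
    """Verdicts for web-1 -> db-1 before and after web-1 moves out of 10.0.1.0/24,
    plus what each policy says about an untagged host that stayed in the old subnet."""
    moved = move_workload(WEB, "10.0.2.5")
    return {
        "tag_before": evaluate(TAG_POLICY, WEB, DB, "tcp", 5432)[0],
        "tag_after_move": evaluate(TAG_POLICY, moved, DB, "tcp", 5432)[0],
        "ip_before": evaluate(IP_POLICY, WEB, DB, "tcp", 5432)[0],
        "ip_after_move": evaluate(IP_POLICY, moved, DB, "tcp", 5432)[0],
        "tag_untagged_host": evaluate(TAG_POLICY, BASTION, DB, "tcp", 5432)[0],
        "ip_untagged_host": evaluate(IP_POLICY, BASTION, DB, "tcp", 5432)[0],
    }


if __name__ == "__main__":
    for key, verdict in scenario().items():
        print(f"{key:>18}: {verdict}")
```

The two failure modes show up as the verdict pairs: after the move, the tag-keyed policy still allows web-1 while the address-keyed one denies it (an outage that looks like a network fault), and the untagged bastion is denied by the tag-keyed policy but allowed by the subnet rule (a least-privilege gap). Binding tags through IAM, as the article describes, is what keeps the first behaviour from becoming a bypass: a workload owner who cannot attach role:web cannot grant themselves the database path.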