How you can build a FedRAMP High-compliant network with Assured Workloads

Google Cloud recently achieved a major U.S. government compliance milestone with more than 130 services, including 12 additional Cloud Networking services, approved for FedRAMP High authorization — the strictest standard for protecting the most sensitive unclassified data. To help our customers securely deploy a network architecture that aligns with FedRAMP High, we have outlined several of our recommended best practices.

Google Cloud's Assured Workloads enables public sector customers to run regulated FedRAMP High workloads on Google's public cloud infrastructure. By enforcing U.S. data location and personnel access controls, Assured Workloads simplifies the process of maintaining security and compliance while allowing customers to take advantage of the flexibility and innovation of Google Cloud.

The new Cloud Networking additions to Google Cloud’s FedRAMP High authorization include:

1. Cloud Router
2. Cloud NAT
3. Cloud VPN
4. Cloud Interconnect
5. Cloud Load Balancing
6. Cloud Armor
7. Cloud IDS
8. Cloud CDN
9. Traffic Director
10. Network Intelligence Center
11. Network Connectivity Center
12. Network Service Tiers

The full list of Google Cloud services in scope for FedRAMP High is available here.

Configuring Assured Workloads network foundations for FedRAMP High

Customers should start by creating an Assured Workloads folder within their org, and setting the control package to FedRAMP High. This folder provides a boundary within the org to identify regulated data types. By default, any project under this folder will inherit the security and compliance guardrails set at the folder level by Assured Workloads.

The Assured Workload folder will enforce security controls on supported Google Cloud products to adhere to the FedRAMP High control package. These controls include setting an organization policy that restricts resource usage to only supported products, and allows creating or using resources only in allowed locations. It is important to review services in scope for FedRAMP High to assure support for services before using them in your design.

Next, you can create new or migrate existing projects inside the Assured Workload folder to host your resources. You can also create sub-folders if needed.

This diagram shows an example of a landing zone solution for FedRAMP High network boundaries. Please note some of its important features:

1. Multiple VPCs are used to separate Prod from non-Prod environments in a hub and spoke design using VPC Peering. VPCs by design are global, but Assured Workload restrictions will prevent creation of subnets outside supported Assured Workloads locations.
2. If spoke to spoke connectivity is needed we recommend a NCC hub with VPC spoke types to address the lack of transitivity over VPC Peering.
3. Regional Load Balancers protected by Cloud Armor are used to provide external access to web and TCP/UDP workloads hosted in Shared VPC service projects.
4. Private Service Connect endpoints are used to provide private access to GCP managed and third party services.

For more detailed guidance on how to configure the proposed design, check out how to configure networks for FedRAMP and the U.S. Department of Defense in Google Cloud.