Preparing your Network

This is an overview of the network requirements for GGC installations. Detailed configuration information can be found in the GGC Install Guide.

Physical network connectivity

Each machine in the GGC node is connected via either:

  • An ISP managed Ethernet switch or router
  • A Google provided and managed router, with uplinks to your network

Google provides SR or LR optics (as required) for the Google side of the connection only.

Access control

The GGC node must be reachable from any IP on the Internet.

Access Control Lists (ACLs) are not recommended on network equipment serving the GGC node. An IP firewall runs on each machine in the GGC node.

If you use ACLs in your network, the following protocols and ports must be allowed for the entire GGC subnet:

  • Inbound and outbound ICMP
  • Inbound and outbound GRE
  • Inbound and outbound SSH (TCP/22)
  • Inbound and outbound HTTP and HTTPS (TCP/80, TCP/443)
  • Inbound and outbound QUIC (UDP/80, UDP/443)
  • Inbound and outbound BGP (TCP/179)
  • Inbound and outbound DSR (UDP/666)
  • Inbound and outbound Telemetry (TCP/57400)
  • Outbound DNS (UDP/53 and TCP/53)
  • Outbound NTP (TCP/123, UDP/123), with no restriction on source port
  • Outbound TCP/2856 and outbound TCP/2872, with no restriction on source port

Note: Future services may require additional ports.
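
To audit an existing ACL against the list above, the following added example (not part of the GGC documentation) evaluates each required flow with first-match semantics and reports those that are denied, shadowed by an earlier deny, or permitted only for some source ports. The Rule model and the sample ACL are hypothetical, and it assumes the listed ports are matched as destination ports and that the ACL ends in an implicit deny.

```python
from dataclasses import dataclass

BOTH, OUT = ("in", "out"), ("out",)
# (directions, protocol, destination port, needs unrestricted source port)
REQUIRED = [
    (BOTH, "icmp", None, False), (BOTH, "gre", None, False),
    (BOTH, "tcp", 22, False), (BOTH, "tcp", 80, False), (BOTH, "tcp", 443, False),
    (BOTH, "udp", 80, False), (BOTH, "udp", 443, False), (BOTH, "tcp", 179, False),
    (BOTH, "udp", 666, False), (BOTH, "tcp", 57400, False),
    (OUT, "udp", 53, False), (OUT, "tcp", 53, False),
    (OUT, "tcp", 123, True), (OUT, "udp", 123, True),
    (OUT, "tcp", 2856, True), (OUT, "tcp", 2872, True),
]

@dataclass
class Rule:  # hypothetical, vendor-neutral ACL entry
    action: str                # "permit" or "deny"
    direction: str             # "in" or "out", relative to the GGC subnet
    proto: str                 # "icmp", "gre", "tcp", "udp", or "ip" for any
    ports: tuple = (0, 65535)  # destination port range, inclusive
    src_any: bool = True       # False when the entry also pins the source port

def verdict(acl, direction, proto, port, need_src_any):
    """First-match evaluation of one required flow; implicit deny at the end."""
    restricted = False
    for r in acl:
        if r.direction != direction or r.proto not in (proto, "ip"):
            continue
        if port is not None and not r.ports[0] <= port <= r.ports[1]:
            continue
        if r.action == "permit" and (r.src_any or not need_src_any):
            return "ok"
        if r.action == "permit":   # permits only some source ports; keep looking
            restricted = True
            continue
        break                      # a deny entry matched first
    return "source port restricted" if restricted else "denied"

def audit(acl):
    """Map each required (direction, proto, port) not fully permitted to its problem."""
    return {(d, proto, port): v
            for dirs, proto, port, need in REQUIRED for d in dirs
            if (v := verdict(acl, d, proto, port, need)) != "ok"}

# Constructed sample ACL, not taken from any real device
SAMPLE_ACL = [
    Rule("deny", "in", "tcp", (22, 22)),   # shadows the broad permit below
    Rule("permit", "in", "ip"),
    Rule("permit", "out", "icmp"), Rule("permit", "out", "gre"),
    Rule("permit", "out", "tcp", (1, 1023)), Rule("permit", "out", "udp", (53, 666)),
    Rule("permit", "out", "tcp", (2856, 2856), src_any=False),
    Rule("permit", "out", "tcp", (57400, 57400)),
]
```

Calling audit(SAMPLE_ACL) returns three findings: inbound TCP/22 is denied by the first entry, outbound TCP/2856 is permitted only for a pinned source port, and outbound TCP/2872 has no matching permit.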

Proxies and filters

You must not place transparent proxies or filters in the path of communications between the GGC node and Google’s back-end servers, or between the GGC node and users.
