VPC networks, including their associated routes and firewall rules, are global resources. They are not associated with a particular region or zone. The VPC network’s subnets determine regionality. This provides organizations with the unique ability to have cloud resources deployed globally, while maintaining a small VPC network footprint with a centralized route domain and firewall rule set.
You could deploy load-balanced VM-Series firewalls in regions that match your workloads' locations. However, this design previously presented a problem: if two or more custom static routes with the same destination used different internal TCP/UDP load balancers as the next hop, traffic could not be distributed among those load balancers using ECMP.
This limitation can be completely overcome by leveraging Google Cloud's network tags. A network tag on a route makes that route apply only to instances that carry the corresponding tag, which supports a variety of use cases, including:
Prevention of cross-region traffic flows.
Isolation of egress traffic between development environment and production environments.
Creation of “swimming-lanes” to distribute traffic to different sets of load balanced firewalls.
The diagram below is an example of how to use network tags to prevent cross-region traffic flows for outbound internet requests. The trust VPC route table has two default routes: default-east and default-west. Each route has a unique network tag applied to it: vmseries-east and vmseries-west, respectively. Although both routes belong to the VPC route table, each route applies only to compute resources that carry its network tag. For example, the compute resources in the us-east subnets have the vmseries-east tag applied, which ensures that resources residing in us-east use only the us-east VM-Series firewall set. Likewise, compute resources in us-west have the vmseries-west network tag applied to force us-west traffic through the us-west VM-Series firewall set.
The end result is that, with network tags, you do not need to segregate client instances into separate VPC networks, each pointing to its preferred internal TCP/UDP load balancer front-ending a set of VM-Series firewalls. Below is an example architecture that uses network tags to isolate regional subnet traffic flows through a set of firewalls that share the same region.
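As an added illustration (not code from the article, Palo Alto Networks or Google), the Python below models the route selection Google Cloud applies per instance: a tagged route counts only for instances carrying that tag, then the longest prefix wins, then the lowest priority value. The route names and tags come from the article; the ILB names, instance names and the assumption that the auto-created default internet route was left in place are mine, and the audit shows why an untagged instance deserves attention: it falls through to that route and never reaches the firewalls.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    name: str
    dest: str                      # destination range in CIDR notation
    next_hop: str                  # e.g. the forwarding rule of a firewall ILB
    priority: int = 1000           # Google Cloud semantics: lower value wins
    tags: frozenset = frozenset()  # empty: the route applies to every instance

@dataclass(frozen=True)
class Instance:
    name: str
    tags: frozenset = frozenset()  # network tags carried by the instance

def select_routes(routes, instance, dest_ip):
    """Next hop(s) Google Cloud would use from instance towards dest_ip: tag
    match (or untagged route), longest prefix, lowest priority; ties are ECMP."""
    ip = ipaddress.ip_address(dest_ip)
    cands = [r for r in routes if (not r.tags or r.tags & instance.tags)
             and ip in ipaddress.ip_network(r.dest)]
    if not cands:
        return []
    longest = max(ipaddress.ip_network(r.dest).prefixlen for r in cands)
    cands = [r for r in cands if ipaddress.ip_network(r.dest).prefixlen == longest]
    best = min(r.priority for r in cands)
    return [r.next_hop for r in cands if r.priority == best]

def audit(routes, instances, dest_ip="8.8.8.8"):
    """Instances whose internet-bound traffic would miss every VM-Series ILB."""
    paths = {i.name: select_routes(routes, i, dest_ip) for i in instances}
    return {n: p for n, p in paths.items()
            if not any(hop.startswith("ilb-vmseries") for hop in p)}

# Constructed trust-VPC route table: the two tagged default routes from the article
# plus the auto-created default internet route (priority 1000), assumed left in place.
TRUST_ROUTES = [
    Route("default-east", "0.0.0.0/0", "ilb-vmseries-east", 100, frozenset({"vmseries-east"})),
    Route("default-west", "0.0.0.0/0", "ilb-vmseries-west", 100, frozenset({"vmseries-west"})),
    Route("default-route", "0.0.0.0/0", "default-internet-gateway", 1000),
]

# Constructed instances: one tagged per region, plus one that was never tagged.
SAMPLE_INSTANCES = [
    Instance("app-us-east", frozenset({"vmseries-east"})),
    Instance("app-us-west", frozenset({"vmseries-west"})),
    Instance("app-untagged"),
]
```

Running `audit(TRUST_ROUTES, SAMPLE_INSTANCES)` reports only the untagged instance, with the default internet gateway as its next hop; deleting or re-prioritising that untagged default route is what forces such instances through a firewall set.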