GCP Lift-and-Shift - Tryvia Shared VPC Migration
About This Architecture
GCP lift-and-shift migration architecture for Tryvia built on a Shared VPC. Two Cloud VPN HA gateways terminate IPsec tunnels from on-premises VLAN 40 and VLAN 30, and a Cloud Router (BGP ASN 64512) exchanges routes with the production and non-production subnets. The production VPC isolates the application tier (subnet-apps, 10.160.0.0/22, hosting the ANDROMEDA, GPS, PANDORA, and OPTZ workloads) from the data tier (subnet-data, 10.160.4.0/22, hosting SQL Server, PostgreSQL, and MongoDB instances), while a management subnet provides Cloud NAT, DNS, and monitoring. The non-production VPC is isolated by design behind its own Cloud VPN HA gateway, so there is no direct prod-to-nonprod path and the blast radius of a compromise in either environment is contained. The architecture illustrates three hybrid-cloud security practices: redundant gateways for WAN failover, network segmentation by tier and by environment, and centralized IAM and firewall policy enforcement. Fork this diagram to customize subnets, add Cloud Load Balancing for internet-facing apps, or extend it with additional VPCs and peering.
People also ask
How do I design a GCP lift-and-shift migration with hybrid connectivity and production-nonproduction network isolation?
This diagram shows a Shared VPC architecture with dual Cloud VPN HA gateways terminating IPsec tunnels from on-premises VLAN 40 and VLAN 30, routing via Cloud Router (BGP ASN 64512) to isolated production and non-production subnets. Production separates the application tier (subnet-apps), the data tier (subnet-data with SQL Server and PostgreSQL), and management services, while non-production remains isol
- Domain: Cloud GCP
- Audience: GCP cloud architects planning lift-and-shift migrations with Shared VPC and hybrid connectivity
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.