
Firewall configuration – Google Networking Best Practices for Large Deployments User Manual


Networking Best Practices for Large Deployments

Using a centralized DNS server architecture will obscure the user making the request from
Google’s DNS servers, preventing Google from responding with an appropriate IPv4 address.
If DNS queries are routed through a central server to resolve Internet hosts, users may not
connect to the closest Google Apps servers. In extreme cases, this architecture can cause
users in one continent to connect to servers in another, distant continent.

The ideal solution is to place local DNS resolvers close to the users. Then have the remote
DNS resolvers send all DNS traffic through an Internet connection that’s local to the users.
Then, for internal-only addresses, forward the requests to the appropriate internal corporate
DNS server.

Alternatively, you can use a DNS service that supports the edns-client-subnet extension (Draft Proposal 2671), such as Google’s DNS server or OpenDNS.

Note: Clients and DNS servers using the edns-client-subnet extension require more data to be sent with the request, causing the traditional 512-byte limit to be exceeded. It’s common for poorly implemented or configured services between the client and the authoritative DNS server to incorrectly handle the request. For more information, including instructions on how to test your infrastructure, see the DNS-OARC site.
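To make the note concrete, the following is an added example (not code from the Google manual or from any DNS vendor) that builds a DNS query carrying the edns-client-subnet option and parses the EDNS0 OPT record back out, so you can see which bytes make the request larger and how a requestor advertises that it can accept more than 512 bytes in a response. It uses only the Python standard library and works on packets it constructs itself; the option code 8 and the field layouts follow RFC 7871 (ECS) and RFC 6891 (EDNS0), which the page does not name. The query name and the subnets (mail.google.com, 203.0.113.0/24, 2001:db8:abcd:12::/56) are constructed sample inputs.

```python
"""Build and inspect DNS queries carrying the edns-client-subnet (ECS) option.

Added example; not code from the Google manual. Standard library only, runs offline.
Wire layout per RFC 6891 (EDNS0 OPT record) and RFC 7871 (ECS, option code 8).
"""
import ipaddress
import struct
from typing import Optional

DNS_TYPE_OPT = 41            # RR type of the EDNS0 OPT pseudo-record
EDNS_OPT_CLIENT_SUBNET = 8   # IANA EDNS option code for edns-client-subnet
CLASSIC_UDP_LIMIT = 512      # RFC 1035 UDP ceiling that applies when no OPT record is present


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_client_subnet_option(network: str) -> bytes:
    """ECS option: FAMILY(2) SOURCE PREFIX-LENGTH(1) SCOPE PREFIX-LENGTH(1) ADDRESS.
    The address is truncated to the bytes the prefix covers (a /24 costs 3 bytes)."""
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2                 # IANA address family numbers
    body = struct.pack("!HBB", family, net.prefixlen, 0)  # scope prefix is 0 in a query
    body += net.network_address.packed[: (net.prefixlen + 7) // 8]
    return struct.pack("!HH", EDNS_OPT_CLIENT_SUBNET, len(body)) + body


def build_opt_rr(udp_payload_size: int, options: bytes = b"") -> bytes:
    """OPT pseudo-RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
    TTL=extended RCODE/version/flags (zero here), RDLENGTH, then the option list."""
    return b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size, 0, len(options)) + options


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                client_subnet: Optional[str] = None,
                udp_payload_size: Optional[int] = None) -> bytes:
    """Recursive query; classic EDNS-less packet unless a subnet or payload size is given."""
    use_edns = client_subnet is not None or udp_payload_size is not None
    options = build_client_subnet_option(client_subnet) if client_subnet else b""
    additional = build_opt_rr(udp_payload_size or 4096, options) if use_edns else b""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if use_edns else 0)  # RD set
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + additional


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a possibly compressed name; return the offset just after it."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def _decode_client_subnet(data: bytes) -> tuple:
    """Inverse of build_client_subnet_option: pad the truncated address back to full length."""
    family, src_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    full = data[4:] + b"\x00" * ((4 if family == 1 else 16) - len(data[4:]))
    net = ipaddress.ip_network(f"{ipaddress.ip_address(full)}/{src_prefix}", strict=False)
    return str(net), scope_prefix


def parse_edns(pkt: bytes) -> dict:
    """Report the size-negotiation state of a DNS message: TC bit, advertised UDP
    payload size (512 when no OPT record is present) and any ECS option found."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"truncated": bool(flags & 0x0200), "has_opt": False,
            "udp_payload_size": CLASSIC_UDP_LIMIT, "client_subnet": None, "scope_prefix": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4              # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != DNS_TYPE_OPT:
            continue
        info["has_opt"], info["udp_payload_size"] = True, rclass
        pos = 0
        while pos + 4 <= len(rdata):               # walk the {code, length, data} option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == EDNS_OPT_CLIENT_SUBNET:
                info["client_subnet"], info["scope_prefix"] = _decode_client_subnet(rdata[pos + 4:pos + 4 + olen])
            pos += 4 + olen
    return info


if __name__ == "__main__":
    plain = build_query("mail.google.com")                                # constructed sample
    ecs = build_query("mail.google.com", client_subnet="203.0.113.0/24")  # constructed sample
    print(f"plain query: {len(plain)} bytes, with ECS: {len(ecs)} bytes")
    print(parse_edns(plain))
    print(parse_edns(ecs))
```

Run it and the plain query comes out at 33 bytes against 55 for the ECS query: 11 bytes for the OPT record itself and 11 for the option. The parser also reads the TC bit, which is what a resolver sets when a response would not fit the advertised payload size; seeing truncation or no reply at all for queries that carry an OPT record is the symptom of the middleboxes the note warns about.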

Firewall Configuration

With Google Apps and other cloud applications, users reach outside your network for
resources. This shifts HTTP connections from internal resources to external ones.

Because of this change, outbound firewalls that were previously properly sized in your network
might become overwhelmed. Be aware of this possible increased footprint on your outbound
firewall.

The average, peak, and idle connection counts from your benchmarking of proxy server load are a
good estimate of the connection load to expect on your outbound firewall. The only
connections you will not see on your outbound firewall are those that your proxy server does
not allow through. For more information on gathering and using this data, see “Proxy Server
Evaluation and Sizing” on page 16.

Outbound Firewall Rules

To ensure the best possible experience for users of Google Apps, and to provide a low-latency
connection to our systems, we recommend leaving outbound firewall rules as open as
possible on ports 80/443 for TCP/IP traffic.

Inbound Firewall Rules

Google Apps does not initiate connections from Google data centers into your network. All
traffic is initiated by clients inside of your network to Google. The only exception to this is
Google Talk video in certain circumstances. For more information, see “Google Talk Voice and
Video and Google+ Hangouts” on page 21.