Customer Peering with Symantec Web Security Service (WSS)

Article ID: 185969

Products

Web Security Service - WSS Symantec Products

Issue/Introduction

Web Security Service (WSS) data center prefixes are advertised on Google's AS15169. Customers wishing to peer with WSS can do so by peering with Google in any supported public internet exchange (IX). For a full list of IXs where Google participates, please visit https://www.peeringdb.com/net/433.

Please note that Google maintains an extensive global private network that many carriers privately peer with in order to offload Google traffic from their networks for cost savings and efficiency. Because so many carriers already peer with Google, we recommend that customers examine their routes to WSS data centers to see if they are already optimized by carrier-to-Google peering. If your traffic is already being efficiently routed to the Google network, the benefits of peering may be negligible. 

Google maintains a “generally open” public peering policy and all requests are subject to their approval and terms. Google may support or require customers to use other peering methods which may have associated costs. All peering costs are the responsibility of the customer. Submit peering requests to Google at https://peering.google.com/#/options/peering.

Environment

Web Security Service

Resolution

  1. Customers can peer with Symantec WSS via Google in Internet exchanges that Google participates in, using BGP bilateral peering. Google peering is also available in some IX locations via route server.
  2. While peering changes the route path from your premises to WSS, it does not change the logical connection requirements, regardless of how you end up peering.
    1. For example, if you planned to use an IPSec VPN to connect to WSS without peering, you would still use IPSec with peering.
    2. You cannot point your default route at Google/WSS, even when peered: Google only accepts traffic destined for hosts within its networks, so you cannot use Google as a replacement for your upstream ISP/carrier for non-WSS traffic. If your license includes the WSS Cloud Firewall Service, you can effectively route all your internet traffic over the peer, provided it is directed to WSS.
  3. WSS IPs will originate from AS396982, which is located behind Google AS15169. IX peering requests with Google should be to AS15169.
  4. Some IPs behind AS396982 are not part of the WSS service. If you require ingress filtering to restrict received prefixes to only WSS IPs, please contact us to request the list of prefixes we advertise for WSS.
  5. We do not offer private IPs over IX peering links.
  6. Customers must advertise publicly routable IPs over their BGP sessions.
  7. Customer traffic received over peering links will be processed using the same shared cloud infrastructure as traffic received over carrier links. Peering does not provide access to separate infrastructure.
  8. WSS does not support direct connections coming from RFC1918 IP space. Any RFC1918 prefixes advertised to us will be filtered.
  9. Peering requires customer use of BGP with a minimum /24 block of publicly routable IP addresses.
  10. Unless otherwise specified, Google will not join an IX that they are not already participating in, or planning to enter.
  11. Qualified customers peer at their own cost.
  12. You must maintain carrier internet circuits as backups to your peering links.
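
The advertisement rules in items 6, 8 and 9 can be checked before a BGP session is requested. The following is an added example, not Symantec or Google tooling: it checks planned IPv4 prefixes against the /24 minimum and the RFC1918 filter only, not other non-routable space. The prefixes in `PLANNED` are constructed, with the documentation range 203.0.113.0/24 standing in for a customer's real public block.

```python
import ipaddress

# RFC 1918 ranges: the article states these are filtered if advertised.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PREFIX_LEN = 24  # a "minimum /24 block" means a prefix length of 24 or shorter


def check_advertisement(prefix: str) -> list[str]:
    """Return the reasons a planned IPv4 advertisement fails the rules above."""
    try:
        # strict=True rejects entries with host bits set, e.g. 203.0.113.1/24
        net = ipaddress.IPv4Network(prefix, strict=True)
    except ValueError as exc:
        return [f"not a valid IPv4 network: {exc}"]
    problems = []
    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"/{net.prefixlen} is smaller than the required /24 minimum")
    # overlaps() also catches aggregates that contain private space
    for private in RFC1918:
        if net.overlaps(private):
            problems.append(f"overlaps RFC1918 range {private}")
    return problems


def audit(prefixes):
    """Map each planned prefix to its list of problems (empty list = acceptable)."""
    return {p: check_advertisement(p) for p in prefixes}


# Constructed sample input; replace with the prefixes you intend to advertise.
PLANNED = [
    "203.0.113.0/24",    # placeholder for a public /24
    "203.0.113.128/25",  # too specific
    "10.20.0.0/16",      # RFC1918
    "192.168.1.0/28",    # RFC1918 and too specific
    "203.0.113.1/24",    # host bits set
]

if __name__ == "__main__":
    for prefix, problems in audit(PLANNED).items():
        print(f"{prefix:18} {'OK' if not problems else '; '.join(problems)}")
```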