05-12-2021 01:44 PM
We are planning to add Infoblox to our GCP environment. So far I have found some gotchas and wanted to run them past the community to see if anyone else has seen these architecture issues.
First, we are a large organization; to that end, we can easily run into the VPC peering limits really fast. To get around this limitation we use the hub-and-spoke architecture for our networking.
The problem with this design is that I think it would require an Infoblox appliance in every hub to accommodate the spokes. Am I correct in this assumption?
Second, there is a small footnote in the GCP DNS documentation that states DNS traffic cannot be transitive between regions:
- If you are using DNS peering to target a forwarding zone, the target VPC network with the forwarding zone must contain a VM, a VLAN attachment, or a Cloud VPN tunnel located in the same region as the source VM that uses the DNS peering zone. For details about this limitation, see Forwarding queries from VMs in a consumer VPC network to a producer VPC network not working.
I interpret that to mean I would also need an Infoblox appliance for each region we use and each hub connected to that region. At this rate, the number of Infoblox appliances is getting prohibitively expensive and complex.
Has anyone else gone down this path?
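The regional constraint quoted above is easy to lose track of once there are several hubs and many spokes, so here is an added example (not from the original post or from Infoblox/Google) that turns the footnote into a planning check. It models what the footnote actually requires: for a spoke VPC whose DNS peering zone targets a hub VPC's forwarding zone, the hub VPC must contain a VM, a VLAN attachment, or a Cloud VPN tunnel in every region where a querying spoke VM lives. The hub/spoke inventory is constructed for illustration; in practice you would populate it from `gcloud compute instances list`, `gcloud compute interconnects attachments list` and `gcloud compute vpn-tunnels list`, which the script does not call.

```python
"""Regional coverage check for hub-and-spoke Cloud DNS peering.

Constructed example, not code from the original post. It models the Cloud DNS
limitation quoted there: when a spoke VPC's DNS peering zone targets a hub VPC
that holds the forwarding zone, the hub VPC must contain a VM, a VLAN attachment
or a Cloud VPN tunnel in the same region as each querying spoke VM. Queries
from a spoke VM in a region where the hub has none of those are not forwarded.
"""
from dataclasses import dataclass, field

# Resource kinds that satisfy the same-region requirement in the footnote.
QUALIFYING_KINDS = {"vm", "vlan_attachment", "vpn_tunnel"}


@dataclass
class Spoke:
    name: str
    # Regions in which this spoke VPC has VMs that will send DNS queries.
    vm_regions: set[str] = field(default_factory=set)


@dataclass
class Hub:
    name: str
    # region -> kinds of resources the hub VPC has in that region.
    regional_resources: dict[str, set[str]] = field(default_factory=dict)
    spokes: list[Spoke] = field(default_factory=list)


def uncovered_regions(hub: Hub) -> dict[str, list[str]]:
    """Return {region: [spoke names]} for every spoke VM region in which the hub
    VPC has no VM, VLAN attachment or VPN tunnel. Those are the regions whose
    spoke VMs would hit the documented forwarding limitation."""
    gaps: dict[str, list[str]] = {}
    for spoke in hub.spokes:
        for region in spoke.vm_regions:
            present = hub.regional_resources.get(region, set())
            if not (present & QUALIFYING_KINDS):
                gaps.setdefault(region, []).append(spoke.name)
    return {region: sorted(names) for region, names in sorted(gaps.items())}


def required_hub_regions(hubs: list[Hub]) -> dict[str, set[str]]:
    """Planning view: for each hub, the regions in which it needs at least one
    qualifying resource, i.e. the union of its spokes' VM regions."""
    return {h.name: set().union(*(s.vm_regions for s in h.spokes)) for h in hubs}


def total_regional_placements(hubs: list[Hub]) -> int:
    """Number of (hub, region) pairs that need a qualifying resource; a rough
    proxy for the per-hub, per-region footprint the post is worried about."""
    return sum(len(regions) for regions in required_hub_regions(hubs).values())


# Constructed inventory (invented names and regions, for illustration only).
HUBS = [
    Hub(
        name="hub-us",
        regional_resources={
            "us-central1": {"vm"},           # e.g. a DNS appliance VM
            "us-east1": {"vpn_tunnel"},      # a Cloud VPN tunnel also qualifies
        },
        spokes=[
            Spoke("spoke-a", {"us-central1", "us-east1"}),
            Spoke("spoke-b", {"us-central1", "us-west1"}),  # us-west1 uncovered
        ],
    ),
    Hub(
        name="hub-eu",
        regional_resources={
            "europe-west1": {"vlan_attachment"},
            "europe-west4": {"cloud_sql"},   # present, but not a qualifying kind
        },
        spokes=[Spoke("spoke-c", {"europe-west1", "europe-west4"})],
    ),
]


if __name__ == "__main__":
    for hub in HUBS:
        print(f"{hub.name}: uncovered spoke regions = {uncovered_regions(hub)}")
    print("required regions per hub:", required_hub_regions(HUBS))
    print("total (hub, region) placements:", total_regional_placements(HUBS))
```

The check is deliberately about regional presence of any qualifying resource, because that is what the quoted footnote requires; whether that presence is an Infoblox appliance or some other VM, VLAN attachment or VPN tunnel the hub already has is a separate design decision. Running it against a real inventory shows which spoke regions would silently fail forwarding before the peering zones are created.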