Get a Demo
Under Attack?
Icon set with cloud symbols in red, blue, green, and yellow circles connected by lines in a curved layout. upwind is written in the top left corner.

Visualize End-to-End Google Cloud Cross-Account Traffic with Upwind 

<br />
<b>Warning</b>:  Undefined variable $photo in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Trying to access array offset on value of type null in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
Denise Ashur February 20, 2025

We are excited to introduce a major enhancement to the Upwind platform – comprehensive end-to-end traffic visibility across accounts and clusters in Google Cloud.

For organizations that build cloud infrastructure hosted in Google Cloud, viewing cross-account and cross-cluster traffic can be a major challenge. Upwind’s latest release solves this problem, offering end-to-end visibility of resource traffic. 

Google Cloud Infrastructure 

In Google Cloud, infrastructure is often separated into multiple accounts for security and isolation purposes. While this approach helps in segmenting resources across different environments (such as development, staging, and production), it creates challenges when it comes to monitoring traffic that spans multiple accounts. 

Traditionally, monitoring tools like Grafana and Prometheus collect metrics within individual accounts or projects. However, they lack built-in mechanisms to track traffic moving between accounts, leading to blind spots in cross-account communication. Because they aggregate data per account, they struggle to provide a comprehensive view of multi-account traffic, especially when internal or external IP addresses appear without context in monitoring dashboards. As a result, organizations often cannot track end-to-end communication effectively. For example, when an internal request moves between accounts, monitoring systems may only display an unrecognized IP address, obscuring its origin and destination.

Comparing AWS VPC Peering to Google Cloud

While this new capability focuses on Google Cloud, AWS VPC peering serves as a useful comparison to highlight similar cross-account communication challenges.

In AWS, Virtual Private Cloud (VPC) peering allows two VPCs from different accounts to communicate as if they were part of the same network. This enables secure data transfer over private IP addresses without traversing the public internet.

However, VPC peering does not support what’s known as “transitive routing”, meaning traffic can only flow directly between the two peered VPCs. Each VPC remains isolated, requiring explicit traffic management and monitoring configurations. While VPC peering facilitates account-to-account communication, it lacks built-in visibility into traffic flows, making it difficult to track interactions across VPCs and services.

How Upwind Provides End-to-End Visibility for Google Cloud

Upwind’s new feature addresses the limitations of traditional monitoring in multi-account environments by providing users with complete end-to-end visibility of cross-account and cross-cluster traffic within Google Cloud. This conceptually resembles AWS’s VPC peering, where separate accounts are connected to enable seamless communication. However, while VPC peering enables network connectivity, it doesn’t provide detailed visibility into how services communicate across accounts – which Upwind is able to seamlessly show in Google Cloud.

Diagram showing two projects: Project A with LB-A connected to Cluster A containing Pod A, Pod B, and Pod C; Project B with LB-B connected to Cluster B containing Pod X, Pod Y, and Pod Z. An arrow links LB-A to LB-B. Upwind logo at top right.

Connecting Layers 3, 4 and 7 with Kubernetes Context

Upwind achieves this by capturing detailed data from Layers 3, 4, and 7 with our high-performance eBPF sensor. This allows users to track the exact path traffic follows, from the originating service through the load balancer and Kubernetes clusters to the final destination. For instance, Upwind can identify when an application in one Google Cloud account communicates with a service in a cluster within another account.

Diagram of a cloud infrastructure setup. It features clusters: upwind-cluster with components like onlineboutique, microservices, databases, and namespaces like kube-system and default. Connected elements include Google-cloud icons.

With this newest capability, Upwind provides users with traffic flow details and mapping across accounts, ensuring organizations gain comprehensive visibility into their communication across Google Cloud infrastructures.

Use Upwind’s latest capability for:

  • Detailed visibility of traffic flows across Google Cloud Accounts – Understand how data moves across accounts with full network insights, helping to troubleshoot and optimize communication.
  • Improved real-time monitoring of traffic flows – Gain instant awareness of network behavior to detect anomalies, prevent disruptions, and strengthen security.
  • Deep context of connected services, load balancers, and clusters – See the entire traffic path, from origin to destination, providing the necessary intelligence for effective cloud management.
Screenshot of a software program showing a map and an overview panel. The map has navigation options and a sidebar with a list of resources. The overview panel displays a diagram with nodes for different microservices and details about threat analysis.

Upwind’s next-generation cloud security platform provides groundbreaking end-to-end visibility of traffic across accounts and clusters, enabling organizations to quickly identify security risks, optimize cloud performance, and maintain compliance with minimal effort. By eliminating blind spots in network traffic, Upwind empowers security and DevOps teams with actionable insights that drive smarter, faster decision-making – allowing them to proactively detect threats, optimize performance, and ensure compliance with ease.

To learn more, schedule a demo

Contents

Further Reading

KSPM-Agentless-Scanning

Complete KSPM: From Pull Request to Production Runtime

Kubernetes environments move fast. Workloads appear and disappear, container images change continuously, services are exposed, permissions evolve, and development teams deploy updates throughout the day. But most cloud security platforms force practitioners to investigate Kubernetes risk through interfaces designed for the broader cloud, leaving teams to manually filter the noise before they can begin investigating…
Upwind MCP Server

Revolutionizing Security Investigations with the Upwind MCP Server

Frontier AI models combined with a rampant rate of new critical vulnerabilities mean speed and context are everything. When a critical production service starts behaving suspiciously, every second spent jumping between different tools and dashboards is a second lost to a potential attacker. At Upwind, we are excited to introduce a game-changer for security teams:…
Security Feed - Threat

No npm Token Required: Inside the AsyncAPI Supply Chain Attack

Executive Summary Upwind identified a critical supply chain compromise across five npm packages in the @asyncapi scope, published on July 14, 2026 via two separate branch compromises in two GitHub repositories. The attacker never touched an npm token. They abused each project's own CI pipeline through GitHub Actions OIDC to publish the malicious packages. The…