Google has deployed an Andromeda - their own network stack. It solves many networking challenges introduced by virtualization like delivering the highest level of performance, availability, and security requires orchestrating across virtual machines, hypervisors, operating systems, network interface cards, top of rack switches, fabric switches, border routers, and even Google's network peering edges.
Andromeda's goal is to expose the raw performance of the underlying network while simultaneously exposing network function virtualization (NFV). This functionality includes distributed denial of service (DDoS) protection, transparent service load balancing, access control lists, and firewalls. This kind of protection is built-in to everything inside Google's network, your virtual machines running on Google Compute Engine included.
However, you still need to take care of the following:
- O/S regular patching
- Protection using O/S level firewall
- Configure Google Firewall and leave only used ingress ports
- Secure the SSH on your bastion machine
- Apply application patches regulary