Core Networking

Virtual Private Cloud (VPC)

Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters, and serverless workloads.
VPC provides networking for your cloud-based resources and services that is global, scalable, and flexible.

A VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network. VPC networks are logically isolated from each other in Google Cloud.

A VPC network does the following:
Provides connectivity for your virtual machine (VM) instances, including Compute Engine instances, Google Kubernetes Engine (GKE) clusters, and other Google Cloud products built on Compute Engine VMs.
Offers built-in internal passthrough Network Load Balancers and proxy systems for internal Application Load Balancers.
Connects to on-premises networks by using Cloud VPN tunnels and VLAN attachments for Cloud Interconnect.
Distributes traffic from Google Cloud external load balancers to backends.

Networks and subnets


Google Cloud offers two types of VPC networks, determined by their subnet creation mode (the default network described below is not a third type; it is an auto mode network that is created for you):
Auto mode: When you create an auto mode VPC network, one subnet from each region is automatically created within it. These automatically created subnets use a set of predefined IPv4 ranges that fit within the 10.128.0.0/9 CIDR block. As new Google Cloud regions become available, new subnets in those regions are automatically added to auto mode VPC networks by using an IP range from that block. In addition to the automatically created subnets, you can add subnets to auto mode VPC networks in regions that you choose by using IP ranges outside of 10.128.0.0/9. Because every auto mode network draws from the same 10.128.0.0/9 block, two auto mode networks have overlapping subnet ranges and cannot be connected to each other with VPC Network Peering; use custom mode for networks you intend to connect.
Custom mode: When you create a custom mode VPC network, no subnets are automatically created. This type of network provides you with complete control over its subnets and IP ranges. You decide which subnets to create in regions that you choose by using IP ranges that you specify.
Default Network: Unless you choose to disable it, each new project starts with a default network. The default network is an auto mode VPC network with pre-populated IPv4 firewall rules. The default network does not have pre-populated IPv6 firewall rules.
You can convert an auto mode VPC network to a custom mode VPC network. This is a one-way conversion; custom mode VPC networks cannot be changed to auto mode VPC networks.
A network must have at least one subnet before you can use it. Auto mode VPC networks create subnets in each region automatically. Custom mode VPC networks start with no subnets, giving you full control over subnet creation. You can create more than one subnet per region.
When you create a resource in Google Cloud, you choose a network and subnet. For resources other than instance templates, you also select a zone or a region. Selecting a zone implicitly selects its parent region. Because subnets are regional objects, the region that you select for a resource determines the subnets that it can use:
When you create a VM instance, you select a zone for the instance. If you don't select a network for the VM, the default VPC network is used, which has a subnet in every region. If you do select a network for the VM, you must select a network that contains a subnet in the selected zone's parent region.
When you create a managed instance group, you select a zone or region, depending on the group type, and an instance template. The instance template defines which VPC network to use. Therefore, when you create a managed instance group, you must select an instance template with an appropriate configuration; the template must specify a VPC network that has subnets in the selected zone or region. Auto mode VPC networks always have a subnet in every region.
The process of creating a GKE cluster involves selecting a zone or region (depending on the cluster type), a network, and a subnet. You must select a subnet that is available in the selected zone or region.


Firewall rules

Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules let you control which packets are allowed to travel to which destinations. Every VPC network has two implied firewall rules: one blocks all incoming connections and one allows all outgoing connections. The implied rules cannot be deleted, but they have the lowest possible priority (65535), so any rule you create takes precedence over them.
The default network has pre-populated IPv4 firewall rules, including the default-allow-internal rule, which permits communication among instances in the network on all TCP and UDP ports and ICMP. The default network also has default-allow-ssh, default-allow-rdp, and default-allow-icmp rules that accept traffic from any source (0.0.0.0/0); review and tighten or delete these before giving VMs external IP addresses.

Best practices for firewall rules

When designing and evaluating your firewall rules, keep in mind the following best practices:
Implement least-privilege principles. Block all traffic by default and only allow the specific traffic you need. This includes limiting the rule to just the protocols and ports you need.
Use hierarchical firewall policies to block traffic that should never be allowed at an organization or folder level.
For "allow" rules, restrict them to specific VMs by specifying the target tags or target service accounts of the VMs. Prefer service accounts over network tags where you can: changing a VM's tags needs only permission on that instance, whereas attaching a service account requires permission on the service account itself.
If you need to create rules based on IP addresses, try to minimize the number of rules. It's easier to track one rule that allows traffic to a range of 16 VMs than it is to track 16 separate rules.
Turn on Firewall Rules Logging and use Firewall Insights to verify that firewall rules are being used in the intended way. Firewall Rules Logging can incur costs, so you might want to consider using it selectively.
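The following Python is an added example, not code from the Google Cloud documentation, that models how a VPC network picks the winning rule for one packet (lowest priority number first, deny beating allow on a tie, the implied rules at 65535 as the fallback) and then audits a rule set against the best practices above. The rule dicts are constructed to mirror the fields of `gcloud compute firewall-rules list --format=json` output that matter here; the rule names other than the default network's own (allow-web-https, deny-ssh-blocklist) and the IP addresses are hypothetical. Rules keyed on source tags or source service accounts are not modelled.

```python
"""Firewall rule evaluation and a least-privilege audit for Google Cloud VPC rules.

Added example, not from the Google Cloud documentation. Rule dicts mirror the
subset of `gcloud compute firewall-rules list --format=json` fields used here.
"""
import ipaddress

# The two implied rules every VPC network has, at the lowest possible priority.
IMPLIED_RULES = [
    {"name": "implied-deny-ingress", "direction": "INGRESS", "priority": 65535,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

# Constructed sample: the default network's pre-populated rules plus two hypothetical custom ones.
SAMPLE_RULES = [
    {"name": "default-allow-internal", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web-https", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "deny-ssh-blocklist", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["198.51.100.0/24"], "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]


def _spec_matches(spec, proto, port):
    """True if an allowed/denied entry covers this protocol and port."""
    ip_proto = spec["IPProtocol"].lower()
    if ip_proto == "all":
        return True
    if ip_proto != proto:
        return False
    if "ports" not in spec:          # no port list means every port of that protocol
        return True
    for item in spec["ports"]:       # entries are "22" or ranges like "8000-8080"
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, direction, peer_ip, proto, port, target_tags):
    """True if the rule applies to this packet on a VM carrying target_tags."""
    if rule.get("disabled") or rule["direction"] != direction:
        return False
    # A rule with targetTags applies only to VMs carrying one of them; without any
    # target restriction it applies to every VM in the network.
    if rule.get("targetTags") and not set(rule["targetTags"]) & set(target_tags):
        return False
    key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(r) for r in rule.get(key, [])):
        return False
    specs = rule.get("allowed", []) + rule.get("denied", [])
    return any(_spec_matches(s, proto, port) for s in specs)


def evaluate(rules, direction, peer_ip, proto, port, target_tags=()):
    """Return (verdict, rule_name): lowest priority number wins, deny beats allow on a tie."""
    hits = [r for r in list(rules) + IMPLIED_RULES
            if rule_matches(r, direction, peer_ip, proto, port, target_tags)]
    hits.sort(key=lambda r: (r["priority"], 0 if "denied" in r else 1))
    winner = hits[0]                 # the implied rules guarantee at least one hit
    return ("deny" if "denied" in winner else "allow", winner["name"])


def audit(rules):
    """Flag enabled ingress allow rules that are broader than least privilege calls for."""
    findings = []
    for r in rules:
        if r["direction"] != "INGRESS" or "allowed" not in r or r.get("disabled"):
            continue
        reasons = []
        if any(ipaddress.ip_network(s).prefixlen == 0 for s in r.get("sourceRanges", [])):
            reasons.append("source 0.0.0.0/0")
        if not (r.get("targetTags") or r.get("targetServiceAccounts")):
            reasons.append("no target tags or service accounts")
        if any(s["IPProtocol"].lower() == "all"
               or (s["IPProtocol"].lower() in ("tcp", "udp")
                   and (not s.get("ports") or "0-65535" in s["ports"]))
               for s in r["allowed"]):
            reasons.append("all TCP/UDP ports")
        if reasons:
            findings.append((r["name"], reasons))
    return findings


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "INGRESS", "203.0.113.5", "tcp", 22))    # default-allow-ssh wins
    print(evaluate(SAMPLE_RULES, "INGRESS", "198.51.100.7", "tcp", 22))   # deny-ssh-blocklist wins
    for name, reasons in audit(SAMPLE_RULES):
        print(name, "->", "; ".join(reasons))
```

Feed `audit()` the JSON from `gcloud compute firewall-rules list --format=json` to run it against a real project; every finding corresponds to one of the best practices above (open source range, no target restriction, all ports).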


Routes

Routes tell VM instances and the VPC network how to send traffic from an instance to a destination, either inside the network or outside of Google Cloud. Each VPC network comes with system-generated routes: a subnet route for each subnet, which routes traffic among its subnets, and a default route (0.0.0.0/0 to the default internet gateway) that sends traffic from instances that meet the internet access requirements to the internet.
You can create custom static routes to direct some packets to specific destinations, for example to force traffic through a network appliance VM or over a Cloud VPN tunnel. When several routes match a destination, the most specific (longest prefix) route is used; among routes with the same destination, the one with the lowest priority value wins. Subnet routes therefore take precedence for their own ranges.
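As an added example (not code from the Google Cloud documentation), the following Python implements that selection order over a constructed route table shaped like `gcloud compute routes list --format=json` output: longest prefix first, then lowest priority value, with route tags limiting a custom route to tagged VMs. The route names egress-via-fw-appliance and to-onprem, the appliance instance, the VPN tunnel and the tag "inspected" are hypothetical; the subnet ranges are the default network's us-central1 and europe-west1 subnets.

```python
"""Route selection in a Google Cloud VPC network: longest prefix match, then lowest priority value.

Added example, not from the Google Cloud documentation. Route dicts are constructed to
resemble `gcloud compute routes list --format=json` output. When several routes tie on
prefix length and priority, all of them are returned, since the network spreads traffic
across equal-cost routes.
"""
import ipaddress

SAMPLE_ROUTES = [
    # System-generated subnet routes: next hop is the VPC network itself, priority 0.
    {"name": "default-route-subnet-us-central1", "destRange": "10.128.0.0/20",
     "priority": 0, "nextHopNetwork": "default", "tags": []},
    {"name": "default-route-subnet-europe-west1", "destRange": "10.132.0.0/20",
     "priority": 0, "nextHopNetwork": "default", "tags": []},
    # System-generated default route to the internet.
    {"name": "default-route-internet", "destRange": "0.0.0.0/0",
     "priority": 1000, "nextHopGateway": "default-internet-gateway", "tags": []},
    # Hypothetical custom static route: VMs tagged "inspected" send internet-bound
    # traffic to an inspection appliance instead of straight to the internet gateway.
    {"name": "egress-via-fw-appliance", "destRange": "0.0.0.0/0",
     "priority": 900, "nextHopInstance": "fw-appliance", "tags": ["inspected"]},
    # Hypothetical custom static route to an on-premises range over a Cloud VPN tunnel.
    {"name": "to-onprem", "destRange": "192.168.0.0/16",
     "priority": 1000, "nextHopVpnTunnel": "vpn-tunnel-1", "tags": []},
]

NEXT_HOP_KEYS = ("nextHopNetwork", "nextHopGateway", "nextHopInstance",
                 "nextHopVpnTunnel", "nextHopIp", "nextHopIlb")


def select_routes(routes, dst_ip, vm_tags=()):
    """Return the route(s) the VPC network would use for dst_ip from a VM carrying vm_tags."""
    dst = ipaddress.ip_address(dst_ip)
    # A route with tags applies only to VMs that carry one of them.
    applicable = [r for r in routes
                  if dst in ipaddress.ip_network(r["destRange"])
                  and (not r.get("tags") or set(r["tags"]) & set(vm_tags))]
    if not applicable:
        return []
    best_len = max(ipaddress.ip_network(r["destRange"]).prefixlen for r in applicable)
    longest = [r for r in applicable
               if ipaddress.ip_network(r["destRange"]).prefixlen == best_len]
    best_prio = min(r["priority"] for r in longest)     # lower number wins
    return [r for r in longest if r["priority"] == best_prio]


def next_hop(routes, dst_ip, vm_tags=()):
    """Return (next-hop kind, value) for each selected route."""
    hops = []
    for r in select_routes(routes, dst_ip, vm_tags):
        kind = next(k for k in NEXT_HOP_KEYS if k in r)
        hops.append((kind, r[kind]))
    return hops


if __name__ == "__main__":
    print(next_hop(SAMPLE_ROUTES, "10.128.0.9"))                 # subnet route wins
    print(next_hop(SAMPLE_ROUTES, "8.8.8.8"))                    # default internet gateway
    print(next_hop(SAMPLE_ROUTES, "8.8.8.8", ("inspected",)))    # appliance, priority 900 < 1000
    print(next_hop(SAMPLE_ROUTES, "192.168.10.1", ("inspected",)))  # /16 beats /0 regardless of priority
```

The tagged 0.0.0.0/0 route at priority 900 is the common pattern for forcing egress through an inspection appliance; note that it does nothing for traffic to on-premises or subnet ranges, because those more specific routes win on prefix length before priority is even compared.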

Forwarding rules

While routes govern traffic leaving an instance, forwarding rules direct traffic to a Google Cloud resource in a VPC network based on IP address, protocol, and port.
Some forwarding rules direct traffic from outside of Google Cloud to a destination in the network; others direct traffic from inside the network. Destinations for forwarding rules are target instances, load balancer frontends (target pools, target proxies, or backend services, depending on the load balancer type), and Cloud VPN gateways.
A forwarding rule specifies how to route network traffic to the backend services of a load balancer. A forwarding rule includes an IP address, an IP protocol, and one or more ports on which the load balancer accepts traffic. Some Google Cloud load balancers limit you to a predefined set of ports, and others let you specify arbitrary ports.
A forwarding rule and its corresponding IP address represent the frontend configuration of a Google Cloud load balancer.
Depending on the load balancer type, the following is true:
Forwarding rules specify either a TCP, UDP, or other IP protocol.
Forwarding rules and their IP addresses are either internal or external.
Forwarding rules are either global or regional, depending on the load balancer and its Network Service Tier.


Interfaces and IP addresses

VPC networks provide the following configurations for IP addresses and VM network interfaces.

IP addresses

Google Cloud resources, such as Compute Engine VM instances, forwarding rules, and GKE containers, rely on IP addresses to communicate.
Resources such as VM instances and load balancers have IP addresses in Google Cloud. These IP addresses let Google Cloud resources communicate with other resources in Google Cloud, in on-premises networks, or on the public internet.
Google Cloud uses the following labels to describe IP address types: an internal IP address is not publicly routed, and an external IP address is a publicly routed address. You can assign an external IP address to the network interface of a Google Cloud VM; such a VM is reachable from the internet subject only to your firewall rules, so assign external addresses only to VMs that need to be reached directly.

External IP address

External IP addresses are publicly advertised, meaning they are reachable by any host on the internet. External IP addresses must be unique. Resources with external IP addresses can communicate with the public internet.
External IPv4 addresses for resources can be provided by Google, or you can bring your own IP (BYOIP) addresses to Google Cloud. While BYOIP addresses are static external IPv4 addresses and can be used with most resources that support static external IPv4 addresses, there are some exceptions.
External IPv6 addresses are provided by Google.

Internal IP address

Internal IP addresses cannot be reached from the internet and are not publicly routable.
Internal IP addresses are local to a VPC network, a VPC network connected by using VPC Network Peering, or an on-premises network connected to a VPC network by using Cloud VPN, Cloud Interconnect, or a Router appliance. Resources with internal IP addresses communicate with other resources as if they're all on the same private network.
Internal IPv4 addresses can be private IPv4 addresses (for example, RFC 1918 ranges), or they can be privately used public IPv4 addresses.
Internal IPv6 addresses are unique within Google Cloud.


Alias IP ranges

If you have multiple services running on a single VM instance, you can give each service a different internal IP address by using alias IP ranges. The VPC network forwards packets that are destined to a particular service to the corresponding VM.

Multiple network interfaces

You can add multiple network interfaces to a VM instance, where each interface resides in a unique VPC network. Multiple network interfaces enable a network appliance VM to act as a gateway for securing traffic among different VPC networks or to and from the internet.



