11.8.2 VPC and Networking

Note

Google Cloud Virtual Private Cloud (VPC) provides networking functionality for your cloud-based resources and services. VPC networks are global resources that consist of regional subnets, connected by a global wide area network. GCP’s network infrastructure is one of the largest and most advanced in the world, offering high performance, reliability, and security.

VPC Core Concepts

VPC Network

A VPC network is a virtual version of a physical network within Google Cloud. It provides:

• Global scope spanning all GCP regions

• No IP subnet limitations

• Built-in security with firewall rules

• Automatic or custom subnet modes

Subnets

Subnets are regional resources. Each subnet is associated with a region and has a contiguous private IP address range.

Key Characteristics:

• Regional: Subnets exist in a single region

• Expandable: Can expand IP ranges without recreation

• Private Google Access: Access Google services without external IP

• Flow Logs: Monitor network traffic

IP Addressing

• Internal IP: Private IP address for communication within the VPC

• External IP: Public IP address for internet communication

• IP Ranges: RFC 1918 private address spaces

Creating a VPC Network

Auto Mode VPC (Default):

# Create auto-mode VPC (automatically creates subnets in all regions)
gcloud compute networks create my-auto-vpc \
    --subnet-mode=auto \
    --bgp-routing-mode=regional \
    --mtu=1460

# List all networks
gcloud compute networks list

# Describe network
gcloud compute networks describe my-auto-vpc

Auto mode networks automatically create one subnet per region with predefined IP ranges:

• 10.128.0.0/20 in us-west1

• 10.138.0.0/20 in us-central1

• 10.148.0.0/20 in us-east1

• And so on…

Custom Mode VPC (Recommended for Production):

# Create custom-mode VPC
gcloud compute networks create my-custom-vpc \
    --subnet-mode=custom \
    --bgp-routing-mode=global \
    --mtu=1460

# Create custom subnets
gcloud compute networks subnets create my-subnet-us-central1 \
    --network=my-custom-vpc \
    --region=us-central1 \
    --range=10.0.1.0/24 \
    --enable-private-ip-google-access \
    --enable-flow-logs

gcloud compute networks subnets create my-subnet-us-east1 \
    --network=my-custom-vpc \
    --region=us-east1 \
    --range=10.0.2.0/24 \
    --enable-private-ip-google-access \
    --enable-flow-logs

# Create subnet with secondary ranges (for GKE)
gcloud compute networks subnets create gke-subnet \
    --network=my-custom-vpc \
    --region=us-central1 \
    --range=10.0.10.0/24 \
    --secondary-range pods=10.1.0.0/16,services=10.2.0.0/20 \
    --enable-private-ip-google-access

List and Describe Subnets:

# List all subnets
gcloud compute networks subnets list

# List subnets in specific network
gcloud compute networks subnets list --network=my-custom-vpc

# Describe subnet
gcloud compute networks subnets describe my-subnet-us-central1 \
    --region=us-central1

Expand Subnet Range:

# Expand subnet IP range (can only expand, not shrink)
gcloud compute networks subnets expand-ip-range my-subnet-us-central1 \
    --region=us-central1 \
    --prefix-length=23  # Changes from /24 to /23

Firewall Rules

Firewall rules control traffic to and from instances in your VPC.

Firewall Rule Components:

• Priority: 0-65535 (lower number = higher priority)

• Direction: INGRESS (incoming) or EGRESS (outgoing)

• Action: ALLOW or DENY

• Targets: All instances, specific instances, or instances with tags

• Source/Destination: IP ranges, tags, or service accounts

• Protocols and Ports: TCP, UDP, ICMP, etc.

Create Firewall Rules:

# Allow HTTP traffic
gcloud compute firewall-rules create allow-http \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --rules=tcp:80 \
    --source-ranges=0.0.0.0/0 \
    --target-tags=http-server

# Allow HTTPS traffic
gcloud compute firewall-rules create allow-https \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --rules=tcp:443 \
    --source-ranges=0.0.0.0/0 \
    --target-tags=https-server

# Allow SSH from specific IP range
gcloud compute firewall-rules create allow-ssh \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --rules=tcp:22 \
    --source-ranges=203.0.113.0/24 \
    --target-tags=ssh-access

# Allow internal communication between instances
gcloud compute firewall-rules create allow-internal \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --rules=tcp:0-65535,udp:0-65535,icmp \
    --source-ranges=10.0.0.0/8

# Allow health checks from Google load balancers
gcloud compute firewall-rules create allow-health-checks \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --rules=tcp:80,tcp:443 \
    --source-ranges=35.191.0.0/16,130.211.0.0/22 \
    --target-tags=lb-backend

Deny Rules (Higher Priority):

# Deny SSH from everywhere except office IP
gcloud compute firewall-rules create deny-ssh-except-office \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=900 \
    --action=DENY \
    --rules=tcp:22 \
    --source-ranges=0.0.0.0/0 \
    --target-tags=production

Service Account Based Rules:

# Allow traffic from specific service account
gcloud compute firewall-rules create allow-from-sa \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --rules=tcp:3306 \
    --source-service-accounts=webapp@PROJECT_ID.iam.gserviceaccount.com \
    --target-tags=database

List and Manage Firewall Rules:

# List all firewall rules
gcloud compute firewall-rules list

# List rules for specific network
gcloud compute firewall-rules list --filter="network:my-custom-vpc"

# Describe firewall rule
gcloud compute firewall-rules describe allow-http

# Update firewall rule
gcloud compute firewall-rules update allow-http \
    --source-ranges=0.0.0.0/0,10.0.0.0/8

# Delete firewall rule
gcloud compute firewall-rules delete allow-http

Cloud NAT

Cloud NAT (Network Address Translation) allows instances without external IP addresses to access the internet.

Create Cloud Router:

# Cloud Router is required for Cloud NAT
gcloud compute routers create my-router \
    --network=my-custom-vpc \
    --region=us-central1 \
    --asn=65001

Create Cloud NAT:

# Create NAT configuration
gcloud compute routers nats create my-nat \
    --router=my-router \
    --region=us-central1 \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips

# Create NAT with specific IP addresses
gcloud compute addresses create nat-ip-1 --region=us-central1
gcloud compute addresses create nat-ip-2 --region=us-central1

gcloud compute routers nats create my-nat-static \
    --router=my-router \
    --region=us-central1 \
    --nat-all-subnet-ip-ranges \
    --nat-external-ip-pool=nat-ip-1,nat-ip-2

# Enable logging
gcloud compute routers nats update my-nat \
    --router=my-router \
    --region=us-central1 \
    --enable-logging

List and Describe NAT:

# List Cloud NAT configurations
gcloud compute routers nats list --router=my-router --region=us-central1

# Describe NAT configuration
gcloud compute routers nats describe my-nat \
    --router=my-router \
    --region=us-central1

Cloud Load Balancing

GCP offers several types of load balancers:

• Global External Load Balancer: HTTP(S), SSL Proxy, TCP Proxy

• Regional External Load Balancer: Network TCP/UDP, Internal TCP/UDP

• Internal Load Balancer: HTTP(S), TCP/UDP

Create HTTP(S) Load Balancer:

# 1. Create instance group
gcloud compute instance-groups managed create web-backend-group \
    --zone=us-central1-a \
    --template=web-server-template \
    --size=3

# Set named port
gcloud compute instance-groups managed set-named-ports web-backend-group \
    --named-ports=http:80 \
    --zone=us-central1-a

# 2. Create health check
gcloud compute health-checks create http web-health-check \
    --port=80 \
    --request-path=/health \
    --check-interval=10s \
    --timeout=5s \
    --healthy-threshold=2 \
    --unhealthy-threshold=3

# 3. Create backend service
gcloud compute backend-services create web-backend-service \
    --protocol=HTTP \
    --health-checks=web-health-check \
    --global \
    --enable-cdn \
    --connection-draining-timeout=300

# Add instance group to backend
gcloud compute backend-services add-backend web-backend-service \
    --instance-group=web-backend-group \
    --instance-group-zone=us-central1-a \
    --balancing-mode=UTILIZATION \
    --max-utilization=0.8 \
    --global

# 4. Create URL map
gcloud compute url-maps create web-url-map \
    --default-service=web-backend-service

# 5. Create SSL certificate (for HTTPS)
gcloud compute ssl-certificates create web-ssl-cert \
    --domains=www.example.com

# Or use managed certificate
gcloud compute ssl-certificates create web-ssl-cert \
    --domains=www.example.com \
    --global

# 6. Create target HTTPS proxy
gcloud compute target-https-proxies create web-https-proxy \
    --url-map=web-url-map \
    --ssl-certificates=web-ssl-cert

# 7. Create forwarding rule
gcloud compute forwarding-rules create web-https-rule \
    --address=web-lb-ip \
    --global \
    --target-https-proxy=web-https-proxy \
    --ports=443

Create Network Load Balancer:

# Create target pool
gcloud compute target-pools create web-pool \
    --region=us-central1 \
    --health-check=web-health-check

# Add instances to target pool
gcloud compute target-pools add-instances web-pool \
    --instances=web-server-1,web-server-2,web-server-3 \
    --zone=us-central1-a

# Create forwarding rule
gcloud compute forwarding-rules create web-lb-rule \
    --region=us-central1 \
    --ports=80 \
    --target-pool=web-pool

VPC Peering

VPC Network Peering allows private connectivity between two VPC networks.

Create VPC Peering:

# From VPC-A to VPC-B
gcloud compute networks peerings create vpc-a-to-vpc-b \
    --network=vpc-a \
    --peer-project=PROJECT_B_ID \
    --peer-network=vpc-b \
    --auto-create-routes

# From VPC-B to VPC-A (must be done in PROJECT_B)
gcloud compute networks peerings create vpc-b-to-vpc-a \
    --network=vpc-b \
    --peer-project=PROJECT_A_ID \
    --peer-network=vpc-a \
    --auto-create-routes

# List peering connections
gcloud compute networks peerings list

# Describe peering
gcloud compute networks peerings list --network=vpc-a

Cloud VPN

Cloud VPN securely connects your on-premises network to your GCP VPC.

Create HA VPN:

# 1. Create VPN gateway
gcloud compute vpn-gateways create my-ha-vpn-gateway \
    --network=my-custom-vpc \
    --region=us-central1

# 2. Create external VPN gateway (represents on-prem device)
gcloud compute external-vpn-gateways create on-prem-gateway \
    --interfaces=0=ON_PREM_IP_ADDRESS

# 3. Create Cloud Router
gcloud compute routers create vpn-router \
    --region=us-central1 \
    --network=my-custom-vpc \
    --asn=65001

# 4. Create VPN tunnels
gcloud compute vpn-tunnels create tunnel-1 \
    --peer-external-gateway=on-prem-gateway \
    --peer-external-gateway-interface=0 \
    --region=us-central1 \
    --ike-version=2 \
    --shared-secret=SHARED_SECRET \
    --router=vpn-router \
    --vpn-gateway=my-ha-vpn-gateway \
    --interface=0

# 5. Create BGP sessions
gcloud compute routers add-interface vpn-router \
    --interface-name=tunnel-1-int \
    --ip-address=169.254.1.1 \
    --mask-length=30 \
    --vpn-tunnel=tunnel-1 \
    --region=us-central1

gcloud compute routers add-bgp-peer vpn-router \
    --peer-name=bgp-peer-1 \
    --interface=tunnel-1-int \
    --peer-ip-address=169.254.1.2 \
    --peer-asn=65002 \
    --region=us-central1

Private Google Access

Allow instances without external IPs to access Google services.

# Enable Private Google Access on subnet
gcloud compute networks subnets update my-subnet-us-central1 \
    --region=us-central1 \
    --enable-private-ip-google-access

# Verify
gcloud compute networks subnets describe my-subnet-us-central1 \
    --region=us-central1 \
    --format="get(privateIpGoogleAccess)"

Cloud DNS

Create DNS Zone:

# Create public DNS zone
gcloud dns managed-zones create my-zone \
    --dns-name=example.com. \
    --description="My DNS zone"

# Create private DNS zone
gcloud dns managed-zones create my-private-zone \
    --dns-name=internal.example.com. \
    --description="Internal DNS zone" \
    --visibility=private \
    --networks=my-custom-vpc

Add DNS Records:

# Start transaction
gcloud dns record-sets transaction start --zone=my-zone

# Add A record
gcloud dns record-sets transaction add \
    --zone=my-zone \
    --name=www.example.com. \
    --type=A \
    --ttl=300 \
    "203.0.113.10"

# Add CNAME record
gcloud dns record-sets transaction add \
    --zone=my-zone \
    --name=blog.example.com. \
    --type=CNAME \
    --ttl=300 \
    "www.example.com."

# Execute transaction
gcloud dns record-sets transaction execute --zone=my-zone

# List records
gcloud dns record-sets list --zone=my-zone

Network Monitoring

Enable VPC Flow Logs:

# Enable on existing subnet
gcloud compute networks subnets update my-subnet-us-central1 \
    --region=us-central1 \
    --enable-flow-logs \
    --logging-aggregation-interval=interval-5-sec \
    --logging-flow-sampling=0.5 \
    --logging-metadata=include-all

View Flow Logs:

# Query flow logs
gcloud logging read "resource.type=gce_subnetwork" \
    --limit=10 \
    --format=json

Network Intelligence Center:

# Get connectivity test
gcloud network-management connectivity-tests create my-test \
    --source-instance=source-vm \
    --destination-ip-address=10.0.1.10 \
    --protocol=TCP \
    --destination-port=80

Best Practices

1. Network Design:

• Use custom VPC for production workloads

• Plan IP addressing carefully (use RFC 1918 ranges)

• Separate environments into different VPCs

• Use VPC peering or Shared VPC for multi-project architectures

• Implement least-privilege firewall rules

2. Security:

# Use default-deny firewall rules
gcloud compute firewall-rules create deny-all-ingress \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=65534 \
    --action=DENY \
    --rules=all

# Allow only specific traffic
gcloud compute firewall-rules create allow-specific \
    --network=my-custom-vpc \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --rules=tcp:443 \
    --source-ranges=203.0.113.0/24

3. High Availability:

• Use multiple zones for instances and load balancers

• Implement health checks for all backend services

• Use managed instance groups with autoscaling

• Configure connection draining for graceful shutdowns

4. Cost Optimization:

• Use Cloud NAT instead of external IPs

• Implement network tiers (Premium vs Standard)

• Use committed use discounts for VPN and load balancers

• Monitor egress traffic costs

Troubleshooting

Test Connectivity:

# From an instance, test connectivity
gcloud compute ssh my-instance --zone=us-central1-a --command="ping -c 3 8.8.8.8"

# Test internal connectivity
gcloud compute ssh my-instance --zone=us-central1-a --command="ping -c 3 10.0.1.10"

# Test DNS resolution
gcloud compute ssh my-instance --zone=us-central1-a --command="nslookup google.com"

Check Firewall Rules:

# List applicable firewall rules for an instance
gcloud compute instances describe my-instance \
    --zone=us-central1-a \
    --format="get(tags.items)"

# Find firewall rules for specific tags
gcloud compute firewall-rules list \
    --filter="targetTags:http-server"

Packet Mirroring:

# Create packet mirroring policy for troubleshooting
gcloud compute packet-mirrorings create my-mirror \
    --region=us-central1 \
    --network=my-custom-vpc \
    --mirrored-subnets=my-subnet-us-central1 \
    --collector-ilb=my-collector-forwarding-rule

Additional Resources

• VPC Documentation: https://cloud.google.com/vpc/docs

• Firewall Rules Guide: https://cloud.google.com/vpc/docs/firewalls

• Load Balancing Documentation: https://cloud.google.com/load-balancing/docs

• VPC Network Peering: https://cloud.google.com/vpc/docs/vpc-peering

• Cloud VPN Documentation: https://cloud.google.com/network-connectivity/docs/vpn