Chapter 16 of 26

Deploying and Configuring Networking: VPCs, Shared VPC, and Load Balancers

Put your network designs into action by building VPCs, Shared VPCs, and load balancers that front real workloads and enforce connectivity rules.

VPC Fundamentals and Custom Network Design

What is a VPC?

A Virtual Private Cloud (VPC) is a global, logically isolated network in Google Cloud. It spans all regions, and you place resources in regional subnets inside that VPC.

Auto vs Custom VPC

Auto mode VPCs create one subnet per region automatically. Custom mode VPCs require you to define each subnet and CIDR block, giving you full control for production and exam scenarios.

Multi-tier Design

A typical design uses separate subnets for web, app, and database tiers. Each subnet has a non-overlapping IP range and lives in a specific region for better control and security.

Key Constraints

Subnet ranges cannot overlap within a VPC. You can expand a subnet's primary range, but you cannot shrink it. Non-overlapping ranges are also critical for VPC peering and Shared VPC designs, because the peered or shared networks must not collide.

Hands-on: Creating a Custom VPC and Subnets

Network Design Goal

We will build a custom VPC named `prod-vpc` with three subnets for web, app, and database tiers, all in `us-central1` with distinct /24 CIDR ranges.

Console Walkthrough

In VPC networks → Create VPC, choose Custom mode and add three subnets. Each subnet gets a name, region `us-central1`, and a unique IP range like 10.10.10.0/24.

gcloud Commands

Use `gcloud compute networks create prod-vpc --subnet-mode=custom`, then `gcloud compute networks subnets create ...` three times with the chosen ranges.

Exam Tip: Custom Mode

When a question mentions strict IP planning, on-prem connectivity, or multi-project setups, prefer custom mode VPC over auto mode in the answer choices.

Firewall Rules, Routes, and Network Service Tiers

Firewall Rules Basics

Firewall rules are stateful controls at the VPC level. They apply to VM NICs on ingress and egress and can ALLOW or DENY traffic based on IPs, tags, and ports.

Default Firewall Rules

New VPCs often include broad allow rules for internal traffic and SSH/RDP/ICMP. In real environments you typically tighten or replace these rules.

Routes in a VPC

Routes tell packets where to go. System routes cover each subnet and a default route to the internet. Custom routes are added for VPNs or special traffic paths.

Network Service Tiers

Network Service Tiers lets you choose, per resource, how outbound traffic leaves Google's network: Premium Tier keeps traffic on Google's global backbone for as long as possible and is required for global load balancing, while Standard Tier hands traffic to the public internet closer to the source at lower cost.

Design Exercise: Planning Firewall Rules

Use this thought exercise to practice designing firewall rules for a three-tier app in `prod-vpc`.

Scenario

You have:

  • `prod-web-subnet` with web VMs behind an HTTP(S) load balancer.
  • `prod-app-subnet` with internal app VMs.
  • `prod-db-subnet` with a managed Cloud SQL instance using private IP.

Requirements:

  1. Allow users on the internet to access the web tier on HTTP/HTTPS only.
  2. Allow web VMs to call app VMs on TCP port 8080.
  3. Allow app VMs to connect to Cloud SQL on its private IP.
  4. Deny SSH from the internet, but allow SSH from the corporate VPN range `203.0.113.0/24`.

Your task (mentally or in notes):

  1. Decide which traffic is handled by firewall rules vs by the HTTP(S) load balancer.
  2. For each requirement, sketch a firewall rule:
  • Direction (INGRESS/EGRESS)
  • Source/destination ranges or tags
  • Protocol/port
  • Priority (high-level: low, medium, high)
  3. Identify any unnecessary default rules you would remove.

Hints

  • Global external HTTP(S) load balancers terminate client connections at the edge, then use Google Front End (GFE) to connect to your backend VMs. Backend firewalls must allow traffic from the GFE ranges, not directly from the public internet.
  • To isolate tiers, use network tags like `web`, `app`, `admin` and target firewall rules to those tags.

After you think it through, compare to this possible approach:

  • Ingress allow from GFE IP ranges to `web` tag on ports 80/443.
  • Ingress allow from `web` tag to `app` tag on TCP 8080.
  • Ingress allow from `app` tag to Cloud SQL private IP range on TCP 5432 or 3306.
  • Ingress allow SSH from `203.0.113.0/24` to `admin` tag; remove default-allow-ssh.
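To check that approach against the four requirements, here is an added Python example (not from the course) that models how VPC firewall rules are evaluated at a VM NIC: the lowest priority number wins, deny beats allow at equal priority, and the implied ingress deny-all at 65535 catches everything else. The GFE source ranges, the rule names and the sample addresses are assumptions; the Cloud SQL path is egress from the app VMs rather than ingress to a VM, so it is outside this ingress model.

```python
"""Evaluate the exercise's firewall plan against sample ingress flows using
VPC firewall semantics: lowest priority number wins, deny beats allow at
equal priority, and an implied deny-all at 65535 catches the rest.
Added example: GFE ranges, sample IPs and rule names are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

# Documented proxy/health-check source ranges for external HTTP(S) LBs; verify against current docs.
GFE_RANGES = ["130.211.0.0/22", "35.191.0.0/16"]
CORP_VPN = "203.0.113.0/24"   # corporate VPN range from the exercise


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    priority: int          # 0-65535, lower number is evaluated first
    target_tags: Set[str]  # VMs the rule applies to
    ports: Set[int]        # TCP ports
    src_ranges: List[str] = field(default_factory=list)
    src_tags: Set[str] = field(default_factory=set)

    def matches(self, src_ip: str, src_tags: Set[str], dst_tags: Set[str], port: int) -> bool:
        if port not in self.ports or not (self.target_tags & dst_tags):
            return False
        ip = ipaddress.ip_address(src_ip)
        # Source ranges and source tags are a union, as in VPC firewall rules.
        return any(ip in ipaddress.ip_network(r) for r in self.src_ranges) \
            or bool(self.src_tags & src_tags)


def evaluate(rules: List[Rule], src_ip: str, src_tags: Set[str], dst_tags: Set[str], port: int) -> str:
    """Return 'allow' or 'deny' for an ingress flow to a VM NIC carrying dst_tags."""
    hits = [r for r in rules if r.matches(src_ip, src_tags, dst_tags, port)]
    if not hits:
        return "deny"                        # implied ingress deny-all
    best = min(r.priority for r in hits)
    return "deny" if any(r.action == "deny" and r.priority == best for r in hits) else "allow"


# The "possible approach" from the exercise, with default-allow-ssh removed.
# Cloud SQL reachability is egress from the app VMs (implied egress allow-all), so no ingress rule here.
PLAN = [
    Rule("allow-gfe-to-web", "allow", 1000, {"web"}, {80, 443}, src_ranges=GFE_RANGES),
    Rule("allow-web-to-app", "allow", 1000, {"app"}, {8080}, src_tags={"web"}),
    Rule("allow-vpn-ssh", "allow", 1000, {"admin"}, {22}, src_ranges=[CORP_VPN]),
]

if __name__ == "__main__":
    print(evaluate(PLAN, "198.51.100.7", set(), {"web"}, 22))  # SSH from the internet is denied
```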

Shared VPC: Host and Service Projects

Why Shared VPC?

Shared VPC centralizes networking in a host project while letting teams deploy resources in separate service projects, balancing control and autonomy.

Host vs Service Projects

The host project owns VPCs and subnets. Service projects attach VMs and clusters to those subnets, effectively sharing the same IP space.

IAM for Shared VPC

Identity and Access Management (IAM) controls who can manage Shared VPC and who can attach resources, using roles like Shared VPC Admin and Compute Network User.

Key Constraints

One host per Shared VPC, and each service project can attach to only one host. Host projects cannot be downgraded while service projects are attached.

Configuring Shared VPC: Step-by-Step

Scenario Setup

We use a host project `net-host-prod` and two service projects `app-payments` and `app-marketing`, all sharing a central VPC for production.

Enable Shared VPC

In the Console, mark `net-host-prod` as a host project under Shared VPC, or run `gcloud compute shared-vpc enable net-host-prod` from Cloud Shell.

Attach Service Projects

Attach `app-payments` and `app-marketing` as service projects so they can use subnets from the host project’s VPC networks.

Grant Network User Access

Grant Compute Network User on specific subnets to app teams so they can create VMs in their own projects but attach to shared subnets.

HTTP(S) Load Balancing: External and Internal

External HTTP(S) LB

A global, Layer 7 load balancer with a single anycast IP. It terminates HTTPS and routes based on URLs or headers to instance groups or NEGs.

Internal HTTP(S) LB

A regional, internal Layer 7 load balancer with an internal IP. It is used for private service-to-service traffic inside or across peered VPCs.

Core Components

Both use frontends (IP+port), URL maps, backend services, and health checks to distribute traffic only to healthy instances.

Choosing the Right LB

Global public access → external HTTP(S) LB. Private internal-only HTTP between tiers → internal HTTP(S) LB.

Deploying an External HTTP(S) Load Balancer for Instance Groups

LB Deployment Flow

Create a managed instance group, then a health check, backend service, URL map, target proxy, and finally a global forwarding rule with an external IP.

Cloud NAT and External IP Management

External IP Basics

External IPs can be ephemeral or static, regional or global. Use static IPs for stable endpoints and keep the number of externally reachable VMs small.

What Cloud NAT Does

Cloud NAT lets VMs without external IPs make outbound internet connections using shared NAT IPs while remaining unreachable from the public internet.

Cloud NAT Setup

Create a Cloud Router, then a NAT configuration that covers specific subnets and uses either auto-allocated or pre-reserved static external IPs.

Key Exam Patterns

If you see "no external IPs but outbound internet needed", think Cloud NAT. NAT is regional and not required for VMs that already have external addresses.

Quiz: VPCs, Shared VPC, and Load Balancers

Check your understanding of the core concepts before moving on.

You need to let multiple project teams deploy VMs into the same centrally managed VPC and subnets. The security team wants to control firewall rules and routes in one place. What is the BEST Google Cloud feature to use?

  A. VPC Network Peering between all projects
  B. Shared VPC with a host project and multiple service projects
  C. Creating identical custom VPCs with the same CIDR ranges in each project
  D. Using separate auto mode VPCs and Cloud NAT in each project

Answer: B) Shared VPC with a host project and multiple service projects

Shared VPC is designed exactly for this: one host project owns the VPC and subnets, and multiple service projects attach their resources. Peering does not centralize firewall/routing control, and duplicating VPCs or using separate auto mode VPCs does not provide a shared IP space.

Quiz: Cloud NAT and HTTP(S) Load Balancing

Another quick check on outbound access and load balancer choices.

Your internal app servers in `prod-app-subnet` must call external APIs on the internet. Security requires that these VMs do NOT have external IP addresses. Which combination best satisfies this requirement?

  A. Assign ephemeral external IPs to the VMs and restrict outbound traffic with firewall rules
  B. Use an internal HTTP(S) load balancer in front of the VMs
  C. Configure Cloud NAT in the region for the subnet and remove external IPs from the VMs
  D. Use VPC Network Peering to a different project that has VMs with external IPs

Answer: C) Configure Cloud NAT in the region for the subnet and remove external IPs from the VMs

Cloud NAT provides outbound internet access for VMs without external IPs, satisfying both connectivity and security requirements. Internal HTTP(S) LBs are for internal client access, not outbound internet. Giving VMs external IPs violates the constraint; peering does not solve the external IP requirement cleanly.

Flashcards: Key Networking Terms for ACE

Use these cards to reinforce core networking concepts that frequently appear on the Associate Cloud Engineer exam.

Virtual Private Cloud (VPC)
A global, logically isolated virtual network in Google Cloud that spans regions. You create regional subnets inside it to host resources like VMs and GKE nodes.
Custom mode VPC
A VPC where you manually create each subnet and choose its IP range and region. Preferred for production, on-prem connectivity, and precise IP planning.
Shared VPC host project
The project that owns one or more VPC networks and subnets, which are shared with service projects so their resources can attach to the same network.
Shared VPC service project
A project that does not own the shared VPC itself but can attach its resources (VMs, GKE clusters) to subnets in the host project’s VPC.
Firewall rule (Google Cloud)
A stateful rule at the VPC level that allows or denies ingress or egress traffic to VM network interfaces based on IPs, tags, service accounts, protocols, and ports.
External HTTP(S) Load Balancer
A global, Layer 7 load balancer with a single anycast IP that terminates HTTP/HTTPS from the internet and routes traffic to backends like instance groups or NEGs.
Internal HTTP(S) Load Balancer
A regional, internal Layer 7 load balancer that exposes an internal IP address for private HTTP/HTTPS traffic within or across peered VPCs.
Cloud NAT
A managed network address translation service that lets VMs and other resources without external IPs initiate outbound connections to the internet using shared NAT IPs.
Static external IP address
An external IP that you reserve and keep until you release it. It provides a stable address for services such as load balancers or VMs referenced by DNS.
Network Service Tiers (definition)
A Google Cloud feature that lets you choose between Premium Tier (traffic stays on Google's global backbone) and Standard Tier (traffic hands off to the public internet sooner, at lower cost) for outbound traffic, trading performance against cost.

Key Terms

Route
A rule that determines how packets are forwarded from a subnet to destinations, such as other subnets, VPNs, or the internet gateway.
Cloud NAT
A managed network address translation service that provides outbound internet access for resources without external IPs.
Shared VPC
A configuration where a host project shares its VPC networks and subnets with one or more service projects in the same organization.
Host project
The project designated to own the shared VPC networks and subnets in a Shared VPC setup.
Firewall rule
A stateful rule that controls allowed or denied ingress and egress traffic at the VPC level for VM network interfaces.
Custom mode VPC
A VPC where all subnets and IP ranges are created manually, providing fine-grained control for production and hybrid networking.
Service project
A project that uses subnets from a host project’s VPC in a Shared VPC configuration to attach its resources.
Static external IP
An external IP address reserved to a project until released, used for stable endpoints like load balancers or important VMs.
Network Service Tiers
A Google Cloud feature that lets you choose between Premium Tier (traffic stays on Google's global backbone) and Standard Tier (traffic hands off to the public internet sooner, at lower cost) for outbound traffic, trading performance against cost.
Virtual Private Cloud (VPC)
A global, logically isolated virtual network in Google Cloud that spans regions and contains regional subnets for resources.
Managed instance group (MIG)
A group of identical VMs managed as a single entity for scaling, health checking, and rolling updates.
External HTTP(S) Load Balancer
A global Layer 7 load balancer that exposes a public anycast IP and distributes HTTP/HTTPS traffic to backends.
Internal HTTP(S) Load Balancer
A regional Layer 7 load balancer that uses an internal IP to handle HTTP/HTTPS traffic within or across peered VPCs.
Identity and Access Management (IAM)
Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.
