Chapter 8 of 26
Networking Design: VPCs, Subnets, and Network Service Tiers
Lay out robust network topologies with VPCs, subnets, and routing while understanding how Network Service Tiers impact performance and cost.
Big Picture: Networking Design in Google Cloud
Why Networking Design Matters
You will connect your earlier compute and storage planning to the network layer: how resources talk to each other securely and efficiently in Google Cloud.
Core Building Blocks
You will work mainly with VPC networks, subnets, routes, firewall rules, and Network Service Tiers. These are central to security, performance, and cost.
Four Key Design Questions
For any scenario: 1) Where do resources live? 2) How do they talk to each other? 3) How do they talk to internet/on‑prem? 4) What network quality and cost are needed?
Important Properties
VPCs are global, subnets are regional. Routes and firewall rules live at the VPC level and apply to VM NICs in that VPC.
Network Service Tiers
Network Service Tiers is a Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.
Scenario Mindset
Throughout this module, imagine you are the Associate Cloud Engineer designing VPCs, subnets, and connectivity for a small web app and database migration.
VPC Networks: Global Private Networks in Google Cloud
What is a VPC?
A Virtual Private Cloud (VPC) is a virtual version of a physical network inside Google’s infrastructure. It holds your IP ranges, subnets, routes, and firewall rules.
Global but Structured
A VPC is global across all regions, while each subnet is regional with its own CIDR range. The VPC lives in a project but can be shared via Shared VPC.
Auto Mode VPC
Auto mode creates one subnet per region from a predefined range, and new regions get a subnet automatically. That is convenient for quick labs but gives you no precise control over IP ranges.
Custom Mode VPC
Custom mode lets you define all subnets and IP ranges yourself. This is recommended for production and is the default best answer in exam scenarios.
Common Exam Angles
Questions often ask which VPC type to choose for non-overlapping IPs with on‑prem (answer: custom) or what happens when one auto subnet is deleted.
Subnet Design and IP Address Planning
What is a Subnet?
A subnet is a regional slice of your VPC IP space. It has a name, region, primary CIDR range, and optional secondary ranges for alias IPs.
Non-overlapping Requirement
Within a single VPC, subnet IP ranges must not overlap, even if the subnets are in different regions. Names are unique per VPC.
IP Planning Basics
Use RFC 1918 private ranges for internal traffic. Plan CIDR sizes with room to grow and avoid overlap with on‑prem or other VPCs you might peer.
Example Subnet Layout
Example: corp-prod-vpc with prod-web-eu-west1 (10.10.0.0/20), prod-db-eu-west1 (10.10.16.0/20), and prod-shared-us-central1 (10.20.0.0/20).
Internal IPs
VMs get internal IPs from the subnet. These are ephemeral by default, but you can reserve internal static IPs for stable backends like databases.
Worked Example: Designing VPCs and Subnets for a Web App
Scenario Overview
You are migrating a 3‑tier app: web, app, and Cloud SQL DB. Users are in Europe, on‑prem uses 10.0.0.0/16, and you want room for future US expansion.
Step 1: VPC Choice
Create a custom mode VPC called corp-prod-vpc. Since on‑prem is 10.0.0.0/16, choose a different block like 10.20.0.0/16 for this VPC.
Step 2: EU Subnets
In europe-west1, define: prod-web-eu-west1 (10.20.0.0/20), prod-app-eu-west1 (10.20.16.0/20), prod-shared-eu-west1 (10.20.32.0/20).
Step 3: Reserve for US
Reserve 10.20.64.0/18 in your plan for future us-central1 subnets. You do not need to create them yet, just avoid overlap.
Why This Works
This design uses custom mode, avoids overlap with on‑prem, separates tiers for security, and leaves contiguous space for growth.
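To make the constraints in this worked example checkable rather than a matter of eyeballing CIDRs, here is an added example (not part of this course, and not Google's own validation logic) that uses only Python's standard library. It takes the plan above (VPC block 10.20.0.0/16, the three europe-west1 subnets, on‑prem 10.0.0.0/16 and the 10.20.64.0/18 US reservation) and reports any subnet that is not RFC 1918, falls outside the VPC block, overlaps on‑prem, eats into reserved space, or overlaps another subnet in the same VPC. A deliberately broken plan (constructed here, with a subnet in on‑prem space and a US subnet carved out of the web range) shows what violations look like.

```python
"""Validate a custom-mode VPC subnet plan against the rules in the worked example.
Added example using only the standard library; not Google's own checks."""
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The plan from the worked example (corp-prod-vpc, europe-west1 subnets).
PLAN = {
    "prod-web-eu-west1": "10.20.0.0/20",
    "prod-app-eu-west1": "10.20.16.0/20",
    "prod-shared-eu-west1": "10.20.32.0/20",
}
ONPREM = ["10.0.0.0/16"]        # on-prem range the VPC must not overlap
RESERVED_US = ["10.20.64.0/18"]  # kept free for future us-central1 subnets

# Constructed bad plan: a DB subnet inside on-prem space (and outside the VPC block),
# plus a US subnet that overlaps the existing web subnet.
BAD_PLAN = dict(PLAN, **{
    "prod-db-eu-west1": "10.0.16.0/20",
    "prod-web-us-central1": "10.20.8.0/22",
})


def is_rfc1918(net):
    return any(net.subnet_of(block) for block in RFC1918)


def check_plan(vpc_block, subnets, onprem, reserved=()):
    """Return a list of human-readable violations; an empty list means the plan is clean.
    subnets: {name: cidr}. onprem/reserved: CIDRs the subnets must not collide with."""
    vpc = ipaddress.ip_network(vpc_block)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not is_rfc1918(net):
            problems.append(f"{name}: {net} is not an RFC 1918 range")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} lies outside the VPC block {vpc}")
        for other in onprem:
            if net.overlaps(ipaddress.ip_network(other)):
                problems.append(f"{name}: {net} overlaps on-prem {other}")
        for other in reserved:
            if net.overlaps(ipaddress.ip_network(other)):
                problems.append(f"{name}: {net} eats into reserved block {other}")
    # Subnets in one VPC must not overlap each other, even across regions.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} and {b} overlap ({na} vs {nb})")
    return problems


if __name__ == "__main__":
    print("good plan:", check_plan("10.20.0.0/16", PLAN, ONPREM, RESERVED_US))
    for p in check_plan("10.20.0.0/16", BAD_PLAN, ONPREM, RESERVED_US):
        print("bad plan:", p)
```

Run it before creating anything: the clean plan returns an empty list, and the constructed bad plan reports the on‑prem collision, the out-of-block subnet and the web/US overlap, which is exactly the set of mistakes the exam questions in this chapter probe for.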
Routes and How Traffic Flows in a VPC
What Routes Do
Routes decide where packets go when they leave a VM’s NIC: which destination CIDR uses which next hop.
Route Fields
Each route has a destination range, next hop, priority (lower is higher priority), and belongs to a specific VPC network.
Automatic Routes
Google automatically adds a subnet route (next hop local) for each subnet and a default 0.0.0.0/0 route to the default internet gateway for the VPC.
Custom Routes
You add custom routes for VPN/Interconnect to on‑prem, or to direct traffic through specific next hops like Cloud Router.
Routes vs Firewalls
Routes only decide the path; firewall rules must still allow the traffic. With no matching route there is no traffic, even if a firewall rule allows it.
Route Selection
Google chooses the most specific matching destination; if tied, the route with the lowest priority number wins.
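The selection rule above (most specific destination first, lowest priority number on a tie, and no traffic at all when nothing matches) is easy to get wrong in an exam scenario, so here is an added example (not from this course, and not Google's implementation) that models a route table for corp-prod-vpc from the worked example: the system-generated subnet routes, the default internet route, a custom route to on‑prem over a VPN tunnel, and two constructed routes to the same partner prefix with different priorities. Route and tunnel names are assumptions made for the example.

```python
"""Toy model of VPC route selection: longest prefix match, then lowest priority number.
Added example; not Google's implementation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str               # destination CIDR
    next_hop: str
    priority: int = 1000    # lower number wins, but only among routes of equal prefix length


# Constructed route table for corp-prod-vpc (names and tunnels are assumptions).
ROUTES = [
    Route("subnet-web", "10.20.0.0/20", "local"),          # system-generated subnet routes
    Route("subnet-app", "10.20.16.0/20", "local"),
    Route("subnet-shared", "10.20.32.0/20", "local"),
    Route("default-internet", "0.0.0.0/0", "default-internet-gateway"),
    Route("to-onprem-vpn", "10.0.0.0/16", "vpn-tunnel-1"),  # custom static route to on-prem
    # Same prefix twice: the lower priority number must be chosen.
    Route("to-partner-primary", "172.16.0.0/24", "vpn-tunnel-primary", 100),
    Route("to-partner-backup", "172.16.0.0/24", "vpn-tunnel-backup", 200),
]


def select_route(routes, dst_ip):
    """Return the Route a packet to dst_ip would use, or None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.dest)]
    if not candidates:
        return None  # no route at all: the packet is dropped, whatever the firewall says
    # Most specific prefix first; on equal prefix length the lowest priority number wins.
    # (Equal prefix and equal priority would be load-balanced; this toy picks the first.)
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


def next_hop(routes, dst_ip):
    route = select_route(routes, dst_ip)
    return route.next_hop if route else None


def without(routes, name):
    """Route table with one route removed, to show the effect of deleting it."""
    return [r for r in routes if r.name != name]


if __name__ == "__main__":
    for ip in ("10.20.17.5", "10.0.5.9", "203.0.113.5", "172.16.0.7"):
        print(ip, "->", next_hop(ROUTES, ip))
    print("203.0.113.5 with default route deleted ->", next_hop(without(ROUTES, "default-internet"), "203.0.113.5"))
```

The last line is the case the routes-vs-firewalls quick check turns on: once the default route is gone, an internet destination has no next hop at all, and no firewall rule can bring the traffic back.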
Firewall Rules: Controlling Access Within and Across VPCs
Firewall Rule Basics
Firewall rules are stateful, distributed rules at the VPC level that allow or deny traffic to VM network interfaces.
Rule Fields
Each rule has direction (ingress/egress), action (allow/deny), priority, targets, source/destination filters, and protocols/ports.
Default Rules
New VPCs have default rules allowing internal traffic and SSH/RDP/ICMP, plus an implied deny-all-ingress rule and an implied allow-all-egress rule.
Production Hardening
In production you usually delete or tighten defaults, then add least-privilege rules that match your app tiers.
3‑Tier Example
Allow HTTP/HTTPS from internet to web tier; allow only web to app; allow only app to DB; restrict egress to needed external APIs.
Stateful Behavior
Firewall rules are stateful: if ingress allows a connection, the return traffic is automatically allowed without a separate egress rule.
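To see how the rule fields, the priority order, the implied rules and stateful return traffic combine on the 3‑tier example above, here is an added example (not from this course, and not Google's firewall engine) that evaluates constructed flows against a constructed rule set: HTTP/HTTPS from anywhere to the web tier, web to app on 8080, app to DB on 5432, and egress from app/DB limited to the VPC plus one external API range (203.0.113.0/24 stands in for that API; all VM names, IPs and tags are assumptions). Ingress is checked on the receiving VM, egress on the sending VM, the lowest priority number wins among matching rules, and a reply on an established connection is allowed without any egress rule of its own.

```python
"""Toy model of VPC firewall evaluation: priority, implied rules and stateful replies.
Added example; not Google's engine."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    direction: str                 # "INGRESS" or "EGRESS"
    action: str                    # "allow" or "deny"
    priority: int                  # 0-65534; lower number wins
    ports: Optional[set] = None    # None means every port
    target_tags: set = field(default_factory=set)      # VMs the rule applies to (empty: all)
    source_tags: set = field(default_factory=set)      # ingress: sender's network tags
    source_ranges: list = field(default_factory=list)  # ingress: sender CIDRs
    dest_ranges: list = field(default_factory=list)    # egress: destination CIDRs


# Constructed inventory: name -> (IP, network tags). Internet clients are plain IPs.
VMS = {
    "web-1": ("10.20.0.10", {"web"}),
    "app-1": ("10.20.16.10", {"app"}),
    "db-1": ("10.20.32.10", {"db"}),
}

# Constructed rule set for the 3-tier pattern; 203.0.113.0/24 stands in for an external API.
RULES = [
    Rule("allow-web-ingress", "INGRESS", "allow", 1000, {80, 443}, {"web"}, source_ranges=["0.0.0.0/0"]),
    Rule("allow-web-to-app", "INGRESS", "allow", 1000, {8080}, {"app"}, source_tags={"web"}),
    Rule("allow-app-to-db", "INGRESS", "allow", 1000, {5432}, {"db"}, source_tags={"app"}),
    Rule("allow-egress-internal", "EGRESS", "allow", 900, None, {"app", "db"}, dest_ranges=["10.20.0.0/16"]),
    Rule("allow-egress-apis", "EGRESS", "allow", 900, {443}, {"app"}, dest_ranges=["203.0.113.0/24"]),
    Rule("deny-egress-internet", "EGRESS", "deny", 1000, None, {"app", "db"}, dest_ranges=["0.0.0.0/0"]),
]


def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def _matches(rule, direction, vm_tags, peer_ip, peer_tags, port):
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & vm_tags):
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    if direction == "INGRESS":
        if not rule.source_tags and not rule.source_ranges:
            return True  # no source filter at all means 0.0.0.0/0
        return bool(rule.source_tags & peer_tags) or _in_ranges(peer_ip, rule.source_ranges)
    return _in_ranges(peer_ip, rule.dest_ranges or ["0.0.0.0/0"])


def verdict(rules, direction, vm_tags, peer_ip, peer_tags, port):
    """Action of the highest-priority matching rule, else the implied rule
    (deny all ingress, allow all egress, both at priority 65535)."""
    hits = [r for r in rules if _matches(r, direction, vm_tags, peer_ip, peer_tags, port)]
    if hits:
        return min(hits, key=lambda r: r.priority).action
    return "deny" if direction == "INGRESS" else "allow"


def _endpoint(name_or_ip):
    return VMS.get(name_or_ip, (name_or_ip, set()))


class ConnTracker:
    """Remembers flows that passed both checks; replies on them need no extra rule."""

    def __init__(self):
        self.established = set()

    def new_connection(self, rules, src, dst, port):
        src_ip, src_tags = _endpoint(src)
        dst_ip, dst_tags = _endpoint(dst)
        # Egress is evaluated on the sending VM (skipped for non-VM senders such as the internet)
        if src in VMS and verdict(rules, "EGRESS", src_tags, dst_ip, dst_tags, port) == "deny":
            return False
        # and ingress on the receiving VM (skipped for non-VM destinations).
        if dst in VMS and verdict(rules, "INGRESS", dst_tags, src_ip, src_tags, port) == "deny":
            return False
        self.established.add((src_ip, dst_ip, port))
        return True

    def reply_allowed(self, src, dst, port):
        """Stateful behaviour: a reply is allowed exactly when the forward flow was established."""
        return (_endpoint(dst)[0], _endpoint(src)[0], port) in self.established


if __name__ == "__main__":
    ct = ConnTracker()
    print("internet -> web:443   ", ct.new_connection(RULES, "198.51.100.7", "web-1", 443))
    print("internet -> app:8080  ", ct.new_connection(RULES, "198.51.100.7", "app-1", 8080))
    print("app -> db:5432        ", ct.new_connection(RULES, "app-1", "db-1", 5432))
    print("db reply to app       ", ct.reply_allowed("db-1", "app-1", 5432))
    print("db -> app:8080 (new)  ", ct.new_connection(RULES, "db-1", "app-1", 8080))
```

Two results are worth dwelling on: app to DB succeeds even though a deny-all egress rule exists, because the internal allow rule carries a lower priority number; and the DB can answer the app without any egress rule permitting it, yet a fresh DB-initiated connection to the app is refused. That asymmetry is what "stateful" buys you.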
Quick Check: Routes vs Firewall Rules
Test your understanding of how routes and firewall rules interact.
A VM in subnet 10.20.0.0/20 cannot reach the internet. The VPC has the default 0.0.0.0/0 route and the VM has an external IP. Which change is MOST likely to fix this?
- A) Create a custom route with destination 0.0.0.0/0 and next hop local.
- B) Add an egress firewall rule allowing 0.0.0.0/0 on required ports.
- C) Increase the priority number of the default internet route.
- D) Create a new subnet with a larger CIDR range.
Answer: B) Add an egress firewall rule allowing 0.0.0.0/0 on required ports.
The default route already exists and points to the internet gateway, and the VM has an external IP. If traffic is still blocked, the missing piece is usually an egress firewall rule that allows traffic to 0.0.0.0/0 on the needed ports. Routes decide the path; firewall rules decide whether traffic is allowed.
Public vs Private Access: External IPs, Cloud NAT, and Private Google Access
Internal vs External IPs
Internal IPs are private addresses assigned from the subnet's range; external IPs are public and routable on the internet. Traffic to both is controlled by firewall rules.
Simple Public Outbound
You can give VMs external IPs so they reach the internet directly. This is simple but increases attack surface and IP management.
Cloud NAT
With Cloud NAT, VMs have only internal IPs. Outbound internet traffic is NATed through Cloud NAT’s external IPs; inbound from internet is blocked.
Private Google Access
Private Google Access lets VMs without external IPs reach Google APIs (like Cloud Storage) via internal IPs. It is enabled at the subnet level.
Common Exam Scenarios
No external IPs but need OS updates? Choose Cloud NAT. Need to reach Cloud Storage privately? Enable Private Google Access.
Network Service Tiers: Premium vs Standard
Definition
Network Service Tiers is a Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.
Premium Tier
Premium Tier uses Google’s private global backbone, keeping traffic on Google’s network as long as possible for low latency and high reliability.
Standard Tier
Standard Tier offloads traffic to the public internet closer to the VM region, reducing cost but with more latency and variability.
Scope of Tiers
Tiers are configured per external IP. They affect outbound internet traffic, not internal VPC traffic.
Exam Decision Hints
Global users and performance focus? Choose Premium. Cost-sensitive, less latency-critical traffic? Standard can be appropriate.
Cost Estimation
You can compare costs with the Google Cloud pricing calculator, but for the exam you mainly choose tiers conceptually.
Quiz: Choosing a Network Service Tier
Apply your understanding of Premium vs Standard Tier.
Your company runs a latency-sensitive SaaS app with users in North America, Europe, and Asia. Management prioritizes user experience over network egress cost. Which choice best fits?
- A) Use Standard Tier external IPs for all frontends.
- B) Use Premium Tier external IPs for the global frontends.
- C) Use Standard Tier for Europe only and disable external IPs elsewhere.
- D) Use internal IPs only and rely on Private Google Access.
Answer: B) Use Premium Tier external IPs for the global frontends.
The app is latency-sensitive and global; management prioritizes performance over cost. Premium Tier is designed for this, using Google’s global backbone to reduce latency. Standard Tier emphasizes cost savings but can introduce more latency and variability.
Hybrid Connectivity Overview: VPN, Interconnect, and VPC Peering
Hybrid Connectivity Needs
Many designs must connect Google Cloud to on‑prem or other VPCs. You choose between VPN, Interconnect, and VPC Network Peering.
Cloud VPN
Cloud VPN uses encrypted IPsec tunnels over the public internet, suitable for secure, moderate-bandwidth connectivity. HA VPN is recommended.
Cloud Interconnect
Cloud Interconnect provides physical links to Google with higher bandwidth and more predictable latency than VPN, via Dedicated or Partner options.
VPC Network Peering
VPC Network Peering privately connects two VPCs using internal IPs. No overlap allowed, and peering is non-transitive.
Choosing the Right Option
On‑prem to VPC, high throughput: Interconnect. On‑prem to VPC, quick and cheaper: VPN. VPC to VPC in Google Cloud: VPC Network Peering or Shared VPC.
Design Exercise: Putting It All Together
Use this thought exercise to practice end-to-end network design.
Scenario:
You are the Associate Cloud Engineer for a startup building a regional e‑commerce app.
- Users are mostly in `us-central1`.
- App stack: web frontends (GCE), backend API (GKE), PostgreSQL (Cloud SQL).
- Security policy: no external IPs on backend or database; only web tier may be publicly reachable.
- On‑prem network uses 192.168.0.0/16 and must connect via VPN.
- Management wants good performance for customers but is somewhat cost-sensitive.
Your tasks (think and, if you like, jot down answers):
- VPC and subnet plan
  - What CIDR block will you choose for the VPC to avoid overlap?
  - How will you split subnets between web, backend, and shared services?
- Routing and firewall
  - Which default routes will exist, and what custom routes do you need for VPN?
  - What key firewall rules will you create for ingress and egress between tiers?
- Public vs private access
  - Which resources get external IPs? Which use Cloud NAT? Will you enable Private Google Access?
- Network Service Tier
  - For the web frontends’ external IPs, will you choose Premium or Standard Tier, and why given the "regional app, cost-sensitive" context?
After you answer, compare mentally against this checklist:
- Custom mode VPC with non-overlapping CIDR.
- Separate subnets per tier in us-central1.
- Cloud VPN route to 192.168.0.0/16.
- Web tier only with external IPs; backend/DB internal-only with Cloud NAT and Private Google Access.
- Likely Premium Tier if user experience is prioritized, or Standard if cost emphasis dominates.
Key Term Flashcards: VPC Networking and Tiers
- Virtual Private Cloud (VPC): A global, logically isolated virtual network in Google Cloud that contains subnets, routes, and firewall rules for your resources.
- Subnet: A regional segment of a VPC’s IP space with a non-overlapping CIDR range from which internal IPs are assigned to resources.
- Custom Mode VPC: A VPC where you manually create and manage all subnets and IP ranges, giving fine-grained control and avoiding automatic subnet creation.
- Route: A VPC configuration that specifies a destination IP range and a next hop, determining where packets go when leaving a VM’s network interface.
- Firewall Rule: A stateful, VPC-level rule that allows or denies ingress or egress traffic to VM instances based on priority, targets, sources/destinations, and ports.
- Cloud NAT: A managed network address translation service that lets VMs without external IPs access the internet for outbound connections.
- Private Google Access: A subnet-level setting that allows VMs without external IPs to access Google APIs and services using internal IP addresses.
- Network Service Tiers: A Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.
- Premium Tier: The higher-performance network service tier that uses Google’s private global backbone for most of the path, reducing latency and improving reliability.
- Standard Tier: The cost-optimized network service tier that uses the public internet more, offloading traffic from Google’s network closer to the VM’s region.
- Cloud VPN: An encrypted IPsec VPN service that connects your on-premises network to a VPC over the public internet, with options like HA VPN for higher availability.
- VPC Network Peering: A private connection between two VPC networks that allows internal IP communication without VPN, requiring non-overlapping IP ranges and offering non-transitive connectivity.