Chapter 15 of 27
Deploying and Configuring VPC Networks, Shared VPC, and Load Balancing
Networking glue holds your solution together; gain experience creating VPCs, subnets, and Shared VPCs, and fronting services with Google’s load balancers.
VPC Fundamentals in Google Cloud
What is a VPC?
A VPC network is a global, logically isolated virtual network in Google Cloud that spans all regions and hosts resources like VMs and GKE clusters.
Subnets in a VPC
Within a VPC you create regional subnets, each with a CIDR range (for example 10.10.0.0/24). Resources attach to a specific subnet in a specific region.
Auto vs Custom Mode
Auto mode VPCs create one subnet per region automatically. Custom mode VPCs require you to define subnets and IP ranges, giving more control for production.
Key Exam Points
Remember: VPCs are global, subnets are regional, and IP ranges cannot overlap within a VPC. You will build on this with Shared VPC, NAT, and load balancers.
Creating a Custom Mode VPC and Subnets (Console and gcloud)
Scenario: 3-Tier App
You deploy a 3-tier app in us-central1 and europe-west1 with separate web and DB subnets and non-overlapping IP ranges per region.
Console Steps
Create VPC `prod-vpc` in Custom mode, then add regional subnets like `us-web-subnet` (10.10.0.0/24) and `us-db-subnet` (10.10.1.0/24).
gcloud Commands
`gcloud compute networks create prod-vpc --subnet-mode=custom` then `gcloud compute networks subnets create ... --region=... --range=...`.
Exam Angle
Know that region is defined on subnets, not on the VPC, and distinguish auto vs custom subnet modes in both console and gcloud.
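Because a VPC is global while its subnets are regional, the non-overlap rule applies across every region in the plan, not just within one. The following script, added to this chapter and not code from the course or from Google, checks a subnet plan for the 3-tier scenario before anything is created and then emits the matching `gcloud` commands. The plan dictionary, the europe-west1 ranges, the project id `prod-project` and the function names are constructed for the example; the subnet names and us-central1 ranges are the ones used in the text.

```python
"""Validate a custom-mode VPC subnet plan and emit the gcloud commands for it.

Constructed example for the 3-tier scenario: the PLAN dict, the helper
names and the project id `prod-project` are assumptions, not from the page.
"""
import ipaddress

# Constructed plan: region -> {subnet name: primary CIDR}. Ranges in the two
# regions must not overlap each other because the VPC itself is global.
PLAN = {
    "us-central1": {
        "us-web-subnet": "10.10.0.0/24",
        "us-db-subnet": "10.10.1.0/24",
    },
    "europe-west1": {
        "eu-web-subnet": "10.20.0.0/24",
        "eu-db-subnet": "10.20.1.0/24",
    },
}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is usable.

    Checks: the CIDR is written on a network boundary (no host bits set),
    the primary range is no smaller than /29 (the smallest primary IPv4
    range Google Cloud accepts for a subnet), and no two subnets anywhere
    in the VPC overlap.
    """
    problems = []
    nets = []
    for region, subnets in plan.items():
        for name, cidr in subnets.items():
            try:
                net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
            except ValueError as exc:
                problems.append(f"{name} ({region}): {exc}")
                continue
            if net.version == 4 and net.prefixlen > 29:
                problems.append(f"{name} ({region}): {cidr} is smaller than /29")
            nets.append((name, region, net))
    # Pairwise overlap check across the whole VPC, regardless of region.
    for i, (name_a, region_a, net_a) in enumerate(nets):
        for name_b, region_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(
                    f"{name_a} ({region_a}) {net_a} overlaps {name_b} ({region_b}) {net_b}"
                )
    return problems


def gcloud_commands(vpc, project, plan):
    """Render the custom-mode VPC creation command followed by one
    subnet creation command per plan entry (region lives on the subnet)."""
    cmds = [
        f"gcloud compute networks create {vpc} --project={project} --subnet-mode=custom"
    ]
    for region, subnets in plan.items():
        for name, cidr in subnets.items():
            cmds.append(
                f"gcloud compute networks subnets create {name} "
                f"--project={project} --network={vpc} --region={region} --range={cidr}"
            )
    return cmds


if __name__ == "__main__":
    problems = validate_plan(PLAN)
    for problem in problems:
        print("PROBLEM:", problem)
    if not problems:
        print("\n".join(gcloud_commands("prod-vpc", "prod-project", PLAN)))
```

Run it once with a deliberately overlapping range (for example a /25 carved out of an existing /24 in the other region) to see that the check catches cross-region collisions, which the console will also reject but only after you have clicked through the form.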
Firewall Rules and Basic Routing in a VPC
Firewall Basics
Firewall rules are stateful, live at the VPC level, and control ingress or egress traffic with allow or deny actions and priorities.
Key Rule Fields
Each rule defines direction, action, priority, targets (all, tags, or service accounts), source/destination, and protocols/ports.
Example: Allow HTTP
Use a rule like `allow-http-web` on network `prod-vpc` allowing tcp:80 from 0.0.0.0/0 to targets with tag `web`.
Exam Traps
Lower priority numbers take precedence. A deny rule with a lower priority number overrides an allow rule with a higher number even when both match the traffic. Distinguish targeting by network tags from targeting by service accounts.
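To make the priority and targeting semantics concrete, here is a small evaluator, added to this chapter and not code from the course or from Google, that applies a rule set the way the VPC firewall does: rules are tried in ascending priority number, the first match wins (a deny beats an allow at the same number), and the implied rules, deny all ingress and allow all egress at priority 65535, catch everything else. The `Rule` and `Instance` classes, the `deny-http-blocklist` and `allow-ssh-ops` rules, the project id and the service-account name are constructed for the example; only `allow-http-web` on network `prod-vpc` targeting tag `web` comes from the text.

```python
"""Evaluate VPC firewall rules: first match in ascending priority order wins,
with the implied rules (deny ingress, allow egress) as the fallback.

Added example; the classes and every rule except `allow-http-web` are
constructed here and are not taken from the course page.
"""
import ipaddress
from dataclasses import dataclass, field

# Implied rules present in every VPC at the lowest precedence (priority 65535).
IMPLIED = {"INGRESS": ("deny", "implied-deny-ingress"),
           "EGRESS": ("allow", "implied-allow-egress")}


@dataclass
class Rule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow" or "deny"
    ports: list               # e.g. ["tcp:80", "tcp:8000-8080", "icmp", "all"]
    ranges: list              # source ranges (ingress) or destination ranges (egress)
    priority: int = 1000      # default when not specified; lower number wins
    target_tags: set = None   # None on both target fields means "all instances"
    target_service_accounts: set = None


@dataclass
class Instance:
    name: str
    tags: set = field(default_factory=set)
    service_account: str = ""


def _targets(rule, inst):
    """Does the rule apply to this instance (by tag, by service account, or to all)?"""
    if rule.target_tags is None and rule.target_service_accounts is None:
        return True
    if rule.target_tags and rule.target_tags & inst.tags:
        return True
    return bool(rule.target_service_accounts and inst.service_account in rule.target_service_accounts)


def _proto_port(spec, proto, port):
    """Match one 'proto[:ports]' entry against a protocol and port number."""
    if spec == "all":
        return True
    name, _, ports = spec.partition(":")
    if name != proto:
        return False
    if not ports:
        return True  # whole protocol, e.g. "icmp" or "tcp"
    for piece in ports.split(","):
        lo, _, hi = piece.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, inst, direction, peer_ip, proto, port=0):
    """Return (action, rule_name) for a new connection. Replies to an allowed
    connection are permitted automatically because the firewall is stateful."""
    peer = ipaddress.ip_address(peer_ip)
    # Same priority number: deny takes precedence over allow.
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for r in ordered:
        if r.direction != direction or not _targets(r, inst):
            continue
        if not any(peer in ipaddress.ip_network(c) for c in r.ranges):
            continue
        if any(_proto_port(p, proto, port) for p in r.ports):
            return r.action, r.name
    return IMPLIED[direction]


# Rule set for prod-vpc. Only allow-http-web is from the text; the rest is constructed.
RULES = [
    Rule("allow-http-web", "INGRESS", "allow", ["tcp:80"], ["0.0.0.0/0"], target_tags={"web"}),
    # Constructed: a lower number (higher precedence) deny beats the allow above.
    Rule("deny-http-blocklist", "INGRESS", "deny", ["tcp:80"], ["203.0.113.0/24"],
         priority=900, target_tags={"web"}),
    # Constructed: SSH only for instances running the ops service account.
    Rule("allow-ssh-ops", "INGRESS", "allow", ["tcp:22"], ["10.10.0.0/16"],
         target_service_accounts={"ops@prod-project.iam.gserviceaccount.com"}),
]
WEB = Instance("web-1", tags={"web"})
DB = Instance("db-1", tags={"db"}, service_account="ops@prod-project.iam.gserviceaccount.com")
```

Try `evaluate(RULES, WEB, "INGRESS", "203.0.113.9", "tcp", 80)`: the allow rule matches too, but the deny at priority 900 is evaluated first and wins. Swap the two priorities and the same packet is allowed, which is the exam trap in one line.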
Shared VPC: Centralized Networking Across Projects
What is Shared VPC?
Shared VPC lets you host a central VPC in one project and share its subnets with other projects in the same organization.
Host vs Service Projects
The host project owns the VPC and firewall rules. Service projects attach to its subnets and deploy their own resources into that network.
Setup Flow
Enable Shared VPC on the host project, attach service projects, and grant roles like `compute.networkUser` so teams can use shared subnets.
Why Use It?
Shared VPC centralizes networking and security while keeping billing and IAM separate per app team. It is preferred over VPC peering for org-wide networks.
Shared VPC Configuration Walkthrough
Scenario: Central Network
A networking team owns `network-host-project` with VPC `corp-vpc`, shared by `payments-project` and `analytics-project`.
Enabling Shared VPC
In `network-host-project`, enable Shared VPC, then add the two application projects as service projects under the same organization.
Granting Access
Assign `Compute Network Admin` to network engineers and `compute.networkUser` on specific subnets to each app team.
Result for Teams
When teams create VMs in their projects, they can choose shared subnets like `corp-us-subnet`, inheriting host-project firewall and routing.
External HTTP(S) Load Balancing Overview
What is External HTTP(S) LB?
A global, proxy-based, layer 7 load balancer that exposes one anycast IP and routes HTTP/HTTPS traffic to backends worldwide.
Main Components
Frontend (IP and port), URL map, backend services pointing to instance groups or NEGs, and health checks to detect healthy backends.
Integrations
Works with Cloud CDN, Cloud Armor, and GKE Ingress. Supports path and host-based routing and SSL offload at the edge.
Exam Distinctions
External HTTP(S) load balancing is global and operates at layer 7. Network load balancing is regional and operates at layer 4. Clients connect to Google Front Ends (GFEs), not directly to your VMs.
Deploying an External HTTP Load Balancer for a MIG
Scenario: Expose a MIG
You have a managed instance group `web-mig` serving HTTP on port 80 and want a global public entry point.
Configure Backends
Create an HTTP(S) load balancer, add a backend service using `web-mig`, and define an HTTP health check on `/` port 80.
Configure Frontend
Assign an external IPv4 address, protocol HTTP, port 80. Ensure firewall rules allow LB health checks to reach instances.
Result and Exam Angle
Clients use one global IP; traffic is balanced across healthy VMs. Keywords like global and path routing point to HTTP(S) LB.
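The overview above lists the URL map and health checks as components, and the MIG walkthrough relies on both: the URL map decides which backend service a request goes to, and the health check decides which instances in that service may receive it. The model below is added here and is not code from the course or from Google; it implements the two decisions with the documented threshold semantics (an instance becomes healthy after two consecutive successful probes and unhealthy after two consecutive failures, the defaults) and longest-path-wins URL matching. The URL map contents, the `api-backend` and `status-backend` services, the instance names and the round-robin choice among healthy instances are constructed simplifications; the real balancer also weighs backend capacity and client locality.

```python
"""Model the two decisions an external HTTP(S) load balancer makes per request:
which backend service the URL map selects, and which healthy backend gets it.

Added example, not the page's or Google's code. The URL map, backend names
and round-robin selection are constructed simplifications.
"""
from collections import deque


class HealthTracker:
    """Per-backend health using threshold semantics: HEALTHY after `healthy`
    consecutive successful probes, UNHEALTHY after `unhealthy` consecutive
    failures (both default to 2, the Google Cloud health-check defaults)."""

    def __init__(self, healthy=2, unhealthy=2):
        self.healthy_n, self.unhealthy_n = healthy, unhealthy
        self.state = {}    # backend -> "HEALTHY" | "UNHEALTHY"
        self.streak = {}   # backend -> (last probe result, consecutive count)

    def probe(self, backend, ok):
        last, n = self.streak.get(backend, (None, 0))
        n = n + 1 if last == ok else 1
        self.streak[backend] = (ok, n)
        if ok and n >= self.healthy_n:
            self.state[backend] = "HEALTHY"
        elif not ok and n >= self.unhealthy_n:
            self.state[backend] = "UNHEALTHY"
        return self.state.get(backend, "UNHEALTHY")  # never probed == not yet healthy

    def healthy(self, backends):
        return [b for b in backends if self.state.get(b) == "HEALTHY"]


def match_path(path_rules, default, path):
    """Longest matching path rule wins; a trailing '/*' is the only wildcard."""
    best, best_len = default, -1
    for pattern, service in path_rules.items():
        if pattern.endswith("/*"):
            hit = path.startswith(pattern[:-1])   # "/api/*" matches "/api/..."
        else:
            hit = path == pattern                  # exact match otherwise
        if hit and len(pattern) > best_len:
            best, best_len = service, len(pattern)
    return best


def route(url_map, host, path):
    """Host rule -> path matcher -> backend service name."""
    matcher = url_map["hosts"].get(host) or url_map["hosts"]["*"]
    pm = url_map["path_matchers"][matcher]
    return match_path(pm.get("paths", {}), pm["default"], path)


class BackendService:
    def __init__(self, name, backends, health):
        self.name, self.health = name, health
        self._rr = deque(backends)

    def pick(self):
        """Round-robin over currently healthy backends; None if none are healthy."""
        for _ in range(len(self._rr)):
            b = self._rr[0]
            self._rr.rotate(-1)
            if self.health.state.get(b) == "HEALTHY":
                return b
        return None


# Constructed URL map: everything goes to web-backend (web-mig) except /api/*.
URL_MAP = {
    "hosts": {"*": "web-matcher"},
    "path_matchers": {
        "web-matcher": {
            "default": "web-backend",
            "paths": {"/api/*": "api-backend", "/api/health": "status-backend"},
        }
    },
}


def demo():
    """Constructed probe history: two instances healthy, one failing twice."""
    health = HealthTracker()
    web = BackendService("web-backend", ["web-mig-a", "web-mig-b", "web-mig-c"], health)
    for b in ("web-mig-a", "web-mig-b"):
        health.probe(b, True)
        health.probe(b, True)
    health.probe("web-mig-c", True)
    health.probe("web-mig-c", False)
    health.probe("web-mig-c", False)
    return [web.pick() for _ in range(4)]   # web-mig-c never receives traffic
```

If the firewall does not let the health-check probes reach the instances, every probe fails, every backend stays UNHEALTHY and `pick()` returns `None` for the whole group, which is exactly the symptom of the missing rule the walkthrough warns about.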
Internal Load Balancing and Cloud NAT
Internal Load Balancers
Internal TCP/UDP and Internal HTTP(S) load balancers expose a private IP inside your VPC for regional, internal-only services.
Use Cases
Use internal LBs for databases, internal APIs, or microservices that should not be publicly reachable but need high availability.
What is Cloud NAT?
Cloud NAT lets VMs without external IPs make outbound internet connections by translating their traffic through NAT IP addresses.
Secure Pattern
Combine private instances, internal LBs, and Cloud NAT to keep workloads private while still allowing necessary outbound access.
Design Exercise: Secure Web Tier with NAT and Load Balancing
Apply what you have learned by designing a simple architecture.
Scenario:
You are deploying a web application in `us-central1`. Requirements:
- Web VMs must not have external IP addresses.
- Users on the internet should access the app via a single global endpoint.
- VMs must be able to download OS and package updates from the internet.
- Networking should be centrally managed in a host project and shared with an app project.
Your task:
- Decide where to create the VPC and subnets (host vs service project).
- Choose the right load balancer type and describe its backend.
- Explain how users reach the app from the internet.
- Explain how VMs without external IPs get outbound internet access.
- List at least two firewall rules you would configure.
Pause and sketch your design (mentally or on paper) before reading the suggested outline in your notes. Focus on naming the specific Google Cloud features (Shared VPC, external HTTP(S) load balancer, Cloud NAT, firewall rules) and how they connect.
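The exercise pulls together the Shared VPC walkthrough, Cloud NAT and the load balancer sections. As a worked outline, added here and not the course's suggested solution or any Google tooling, the script below holds one candidate design as data, lints it against the four requirements, and renders the `gcloud` commands in the order you would run them. The `DESIGN` dictionary, the subnet range, the router and NAT names, the team group, the management range and the check names are constructed assumptions; `network-host-project`, `payments-project`, `corp-vpc`, `corp-us-subnet` and `web-mig` are the names used earlier in the chapter, and 130.211.0.0/22 and 35.191.0.0/16 are Google's documented source ranges for health checks and the HTTP(S) load balancer proxies.

```python
"""Lint and render the secure web tier design from the exercise.

Added example, not the course's outline. Everything in DESIGN other than
the names reused from the chapter is a constructed assumption.
"""
# Google's documented source ranges for health checks and HTTP(S) LB proxies.
HC_RANGES = ["130.211.0.0/22", "35.191.0.0/16"]

DESIGN = {
    "host_project": "network-host-project",
    "service_project": "payments-project",
    "vpc": "corp-vpc",
    "subnet": {"name": "corp-us-subnet", "region": "us-central1", "range": "10.30.0.0/24"},
    "app_team": "group:payments-team@example.com",     # constructed principal
    "network_user_scope": "subnet",                      # "subnet" or "project"
    "instance_external_ip": False,                       # web VMs get no public IP
    "nat": {"router": "corp-us-router", "name": "corp-us-nat", "region": "us-central1"},
    "lb": {"type": "external-http", "backend": "web-mig", "zone": "us-central1-a", "tag": "web"},
    "firewall": [
        {"name": "allow-lb-health-checks", "sources": HC_RANGES, "rules": "tcp:80", "tag": "web"},
        # Constructed: admin SSH only from an internal management range.
        {"name": "allow-ssh-from-mgmt", "sources": ["10.40.0.0/24"], "rules": "tcp:22", "tag": "web"},
    ],
}


def check(d):
    """Return the requirements this design violates (empty list = all met)."""
    problems = []
    if d["host_project"] == d["service_project"]:
        problems.append("Shared VPC needs distinct host and service projects")
    if d["network_user_scope"] != "subnet":
        problems.append("grant compute.networkUser per subnet, not project-wide")
    if d["instance_external_ip"]:
        problems.append("web VMs must not have external IP addresses")
    if d["nat"]["region"] != d["subnet"]["region"]:
        problems.append("Cloud NAT is regional: NAT region must match the subnet region")
    if d["lb"]["type"] != "external-http":
        problems.append("a single global endpoint needs the external HTTP(S) load balancer")
    hc_ok = any(set(HC_RANGES) <= set(r["sources"]) and r["tag"] == d["lb"]["tag"]
                for r in d["firewall"])
    if not hc_ok:
        problems.append("no ingress rule lets LB health checks reach tag " + d["lb"]["tag"])
    for r in d["firewall"]:
        if "0.0.0.0/0" in r["sources"]:
            problems.append(f"{r['name']}: backends sit behind the proxy LB; no need to open 0.0.0.0/0")
    return problems


def render(d):
    """gcloud commands, host-project networking first, then the service project's LB."""
    h, s, sub, region = d["host_project"], d["service_project"], d["subnet"], d["subnet"]["region"]
    nat, lb = d["nat"], d["lb"]
    c = [
        f"gcloud compute networks create {d['vpc']} --project={h} --subnet-mode=custom",
        f"gcloud compute networks subnets create {sub['name']} --project={h} --network={d['vpc']} "
        f"--region={region} --range={sub['range']}",
        f"gcloud compute shared-vpc enable {h}",
        f"gcloud compute shared-vpc associated-projects add {s} --host-project={h}",
        f"gcloud compute networks subnets add-iam-policy-binding {sub['name']} --project={h} "
        f"--region={region} --member={d['app_team']} --role=roles/compute.networkUser",
        f"gcloud compute routers create {nat['router']} --project={h} --network={d['vpc']} --region={region}",
        f"gcloud compute routers nats create {nat['name']} --project={h} --router={nat['router']} "
        f"--region={region} --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges",
    ]
    for r in d["firewall"]:
        c.append(f"gcloud compute firewall-rules create {r['name']} --project={h} --network={d['vpc']} "
                 f"--direction=INGRESS --action=ALLOW --rules={r['rules']} "
                 f"--source-ranges={','.join(r['sources'])} --target-tags={r['tag']}")
    c += [
        f"gcloud compute health-checks create http web-hc --project={s} --port=80 --request-path=/",
        f"gcloud compute backend-services create web-backend --project={s} --global "
        f"--protocol=HTTP --health-checks=web-hc",
        f"gcloud compute backend-services add-backend web-backend --project={s} --global "
        f"--instance-group={lb['backend']} --instance-group-zone={lb['zone']}",
        f"gcloud compute url-maps create web-map --project={s} --default-service=web-backend",
        f"gcloud compute target-http-proxies create web-proxy --project={s} --url-map=web-map",
        f"gcloud compute forwarding-rules create web-fr --project={s} --global "
        f"--target-http-proxy=web-proxy --ports=80",
    ]
    return c


if __name__ == "__main__":
    problems = check(DESIGN)
    print("\n".join(problems) if problems else "\n".join(render(DESIGN)))
```

The firewall check is the part worth dwelling on: because the external HTTP(S) load balancer proxies traffic, the instances only ever see connections from Google's health-check and proxy ranges, so the web tier never needs an allow rule from 0.0.0.0/0 and the lint flags one as a mistake.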
Quiz 1: VPCs, Shared VPC, and Firewalls
Test your understanding of VPC basics and Shared VPC.
You need multiple application projects to use the same IP space and Cloud VPN connection, while a central networking team manages firewall rules. What is the best approach?
- A) Create separate VPCs in each project and connect them with VPC peering.
- B) Create a VPC in one host project, enable Shared VPC, and attach the application projects as service projects.
- C) Use only auto mode VPCs so subnets are created automatically in all projects.
- D) Create a single project for all apps and give every team Owner access.
Answer: B) Create a VPC in one host project, enable Shared VPC, and attach the application projects as service projects.
Shared VPC is designed for this scenario. You create a host project that owns the VPC and firewall rules, then attach service projects that use its subnets. VPC peering does not centralize firewall management, and the other options conflict with least privilege and typical org structure.
Quiz 2: Load Balancing and Cloud NAT
Check your understanding of load balancer types and NAT.
A team runs web servers on a managed instance group in us-central1. Requirements: global access via one IP, path-based routing, and VMs must not have external IPs but need outbound internet access. Which combination best meets these needs?
- A) External TCP/UDP Network Load Balancer plus Cloud NAT.
- B) Internal TCP/UDP Load Balancer plus Cloud VPN.
- C) External HTTP(S) Load Balancer plus Cloud NAT.
- D) Cloud NAT only, without any load balancer.
Answer: C) External HTTP(S) Load Balancer plus Cloud NAT.
A global, path-based entry point requires an external HTTP(S) load balancer. To allow VMs without external IPs to reach the internet, use Cloud NAT. Network load balancing is regional and layer 4, and internal load balancers are not internet-facing.
Key Networking and Load Balancing Terms
Flip these cards to reinforce core concepts you will see on the Associate Cloud Engineer exam.
- VPC network
- A global, logically isolated virtual network in Google Cloud that spans all regions and contains regional subnets where resources like VMs and GKE clusters are deployed.
- Subnet
- A regional segment of a VPC network with its own IP range in CIDR notation; resources attach to a specific subnet in a specific region.
- Custom mode VPC
- A VPC where you manually create and manage subnets and IP ranges, giving full control over network layout; preferred for production.
- Shared VPC
- A feature that lets you configure a VPC network in a host project and share its subnets with service projects in the same organization for centralized networking.
- Host project (Shared VPC)
- The project that owns the Shared VPC network, its subnets, and firewall rules, and shares them with attached service projects.
- Service project (Shared VPC)
- A project that uses subnets from a host project's Shared VPC to deploy its own resources into the shared network.
- Firewall rule (VPC)
- A stateful rule applied at the VPC level that controls ingress or egress traffic based on direction, action, priority, targets, source/destination, and protocols/ports.
- External HTTP(S) load balancer
- A global, proxy-based layer 7 load balancer that exposes a single anycast IP and routes internet HTTP/HTTPS traffic to backend services such as instance groups or NEGs.
- Internal load balancer
- A regional load balancer (TCP/UDP or HTTP(S)) that uses an internal IP address to distribute traffic among backends within a VPC or connected networks.
- Cloud NAT
- A managed Network Address Translation service that lets instances without external IP addresses make outbound internet connections using shared NAT IPs.
Key Terms
- Auto mode VPC
- A VPC that automatically creates one subnet per region with a pre-defined IP range pattern; convenient for simple setups but less flexible.