Chapter 8 of 27
Designing VPC Networks, Subnets, and Network Service Tiers
Network design decisions determine connectivity, security, and latency; build VPCs and choose service tiers that align with your architecture and budget.
VPCs on Google Cloud: The Networking Foundation
What is a VPC?
A VPC network is a virtual version of a physical network inside Google’s infrastructure. It is global and provides the foundation for connecting your compute and managed services.
Global VPC, Regional Subnets
In Google Cloud, a VPC is global, but its subnets are regional. All subnets in the same VPC can reach each other through the subnet routes that Google Cloud creates automatically.
Auto vs Custom Mode
Auto mode VPCs auto-create one subnet per region with fixed ranges. Custom mode VPCs require you to define subnets and IP ranges yourself and are preferred for production.
Projects and Shared VPC
VPCs live in projects, but Shared VPC lets a central host project own the network while other service projects attach resources for centralized control.
Designing Subnets and IP Address Ranges
Subnet Basics
Subnets are regional segments of your global VPC. Each has a primary IPv4 CIDR range and can have secondary ranges, often used by GKE Pods and Services.
CIDR and Private Ranges
Use RFC1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Express them in CIDR, such as 10.10.0.0/20, to size your subnets.
Planning for Growth
Pick subnet sizes with room to scale. Avoid tiny ranges unless you are sure the subnet will stay small. Leave unused space for future subnets.
Align with App Tiers
Create subnets that map to roles: frontend, app, database. This supports clearer firewall rules and easier troubleshooting across regions.
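The subnet sizing advice above, as an added Python example (not part of the course): it carves a /16 into per-tier /20 subnets, checks that the range is RFC1918 and that the subnets do not overlap, and reports how many /20 blocks remain for growth. The 10.10.0.0/16 range and the tier names are assumptions for illustration.

```python
# Added example (not from the course): carve a private /16 into per-tier
# /20 subnets and validate the plan before creating anything in the VPC.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(net):
    """True if the CIDR sits entirely inside one RFC1918 range."""
    return any(net.subnet_of(block) for block in RFC1918)


def plan_subnets(vpc_cidr, tiers, prefix=20):
    """Assign consecutive /prefix blocks from vpc_cidr to each tier name.
    Returns {tier: IPv4Network}; raises ValueError if the range is not
    RFC1918 or cannot hold one block per tier."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not is_private(vpc):
        raise ValueError(f"{vpc} is not an RFC1918 range")
    candidates = vpc.subnets(new_prefix=prefix)
    plan = {}
    for tier in tiers:
        try:
            plan[tier] = next(candidates)
        except StopIteration:
            raise ValueError(f"{vpc} has no room for a /{prefix} for tier {tier!r}")
    return plan


def check_no_overlap(subnets):
    """Return (tier_a, tier_b) pairs whose ranges overlap; empty means the plan is clean."""
    nets = list(subnets.items())
    return [(a, b) for i, (a, na) in enumerate(nets) for b, nb in nets[i + 1:] if na.overlaps(nb)]


def spare_capacity(vpc_cidr, subnets, prefix=20):
    """How many more /prefix subnets the VPC can still hold after this plan."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = set(subnets.values())
    return sum(1 for s in vpc.subnets(new_prefix=prefix) if s not in used)


if __name__ == "__main__":
    plan = plan_subnets("10.10.0.0/16", ["frontend", "app", "db"])
    for tier, net in plan.items():
        # Google Cloud reserves four addresses in each primary subnet range.
        print(f"{tier:9} {net}  ({net.num_addresses - 4} usable addresses)")
    print("overlaps:", check_no_overlap(plan))
    print("spare /20 blocks:", spare_capacity("10.10.0.0/16", plan))
```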
Routing Inside and Outside Your VPC
Implicit and Default Routes
Subnet routes are created automatically so subnets can talk. A default route to 0.0.0.0/0 sends traffic to the internet gateway if your VPC has one.
Custom Static Routes
You can add routes to send specific CIDRs to a VPN tunnel, Interconnect attachment, or a next-hop instance acting as a virtual appliance.
Route Selection
More specific prefixes win (for example, /24 over /16). For equal prefixes, the route with the lower priority number is chosen.
Routes vs Firewalls
Routes decide where packets go; firewall rules decide whether they are allowed. Both must align for connectivity to work.
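The longest-prefix-then-priority selection described above, as an added Python example (not part of the course): a small route table with a subnet route, a default route and two VPN routes for the same on-prem prefix, so both tie-breakers are exercised. The route names, next hops and priorities are constructed for illustration.

```python
# Added example (not from the course): pick the route Google Cloud would use
# for a destination: the longest prefix wins, then the lowest priority number.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str          # destination CIDR
    next_hop: str      # constructed labels such as "vpn-tunnel-1"
    priority: int = 1000   # lower number = preferred, as in Google Cloud


def select_route(routes, dst_ip):
    """Return the Route that carries traffic to dst_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.dest)]
    if not matches:
        return None
    # Longest prefix first; among equal prefixes the lowest priority number wins.
    return max(matches, key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.priority))


# Constructed route table: a subnet route, the default route to the internet
# gateway, two VPN routes for the same on-prem prefix, and a more specific
# route for one on-prem /24 that goes through a virtual appliance.
ROUTES = [
    Route("subnet-app", "10.10.16.0/20", "subnet", 0),
    Route("default", "0.0.0.0/0", "default-internet-gateway", 1000),
    Route("onprem-vpn-primary", "192.168.0.0/16", "vpn-tunnel-1", 100),
    Route("onprem-vpn-backup", "192.168.0.0/16", "vpn-tunnel-2", 200),
    Route("onprem-dc-appliance", "192.168.10.0/24", "appliance-vm", 500),
]

if __name__ == "__main__":
    for dst in ("10.10.20.5", "192.168.10.7", "192.168.50.1", "8.8.8.8"):
        r = select_route(ROUTES, dst)
        print(f"{dst:14} -> {r.name} via {r.next_hop}")
```

Note that 192.168.10.7 goes to the appliance even though its route has a worse priority number than the VPN routes, because prefix length is compared before priority.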
Firewall Rules: Controlling Traffic in Your VPC
Firewall Rule Basics
VPC firewall rules are stateful and distributed. They control which traffic is allowed or denied to and from VM instances in your VPC.
Key Rule Fields
Every rule has direction, action, targets, source or destination filters, protocols and ports, and a priority. Among the rules that match a packet, the one with the highest priority (lowest priority number) applies.
Typical Allow Rules
Examples: allow SSH from admin IPs to tagged VMs; allow HTTP/HTTPS from anywhere to web servers; allow app tier to reach the database subnet.
Default vs Custom Rules
The default network has permissive rules. In custom VPCs, you explicitly create stricter rules aligned with your app tiers and security posture.
Worked Example: Designing a 3-Tier VPC Topology
Requirements Recap
Public users need HTTPS to frontends. App and DB stay private. Admins SSH from a specific corporate IP range. We design the VPC to enforce this.
Subnets per Tier
Use a custom VPC with 10.10.0.0/16. Create frontend, app, and db subnets in us-central1 using /20 ranges to keep room for scaling.
Tagging and Firewalls
Tag VMs as web, app, and db. Create firewall rules: HTTPS from anywhere to web; the app subnet to the db tier on the database port; SSH from corporate IPs to all tiers.
Public Entry via Load Balancer
Expose only an HTTPS load balancer with a public IP. It forwards traffic to internal IPs of web instances, keeping app and DB non-public.
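The tag-based rule set from this worked example, as an added Python example (not part of the course) that applies the highest-priority-matching-rule logic to sample packets, including the implied deny for ingress and a deny rule that outranks an allow. The app subnet range 10.10.16.0/20, database port 5432, corporate range 198.51.100.0/24 and the two ICMP rules are assumptions for illustration.

```python
# Added example (not from the course): evaluate the 3-tier rule set the way VPC
# firewall rules work: the matching rule with the lowest priority number
# decides; with no match, the implied rules apply (deny ingress, allow egress).
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    direction: str                                 # "INGRESS" or "EGRESS"
    action: str                                    # "allow" or "deny"
    protocol: str                                  # "tcp", "udp", "icmp" or "all"
    ports: set = field(default_factory=set)        # empty = all ports
    sources: list = field(default_factory=list)    # source CIDRs for ingress
    target_tags: set = field(default_factory=set)  # empty = all instances
    priority: int = 1000

    def matches(self, direction, src_ip, tag, proto, port):
        if self.direction != direction or self.protocol not in ("all", proto):
            return False
        if self.ports and port not in self.ports:
            return False
        if self.target_tags and tag not in self.target_tags:
            return False
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(c) for c in self.sources)


def evaluate(rules, direction, src_ip, tag, proto, port=None):
    """Return 'allow' or 'deny' for one packet against a rule set."""
    hits = [r for r in rules if r.matches(direction, src_ip, tag, proto, port)]
    if hits:
        return min(hits, key=lambda r: r.priority).action
    return "deny" if direction == "INGRESS" else "allow"  # implied rules


# Constructed rule set for the worked example (ranges and port are assumptions).
RULES = [
    Rule("allow-https-web", "INGRESS", "allow", "tcp", {443}, ["0.0.0.0/0"], {"web"}),
    Rule("allow-app-to-db", "INGRESS", "allow", "tcp", {5432}, ["10.10.16.0/20"], {"db"}),
    Rule("allow-corp-ssh", "INGRESS", "allow", "tcp", {22}, ["198.51.100.0/24"], {"web", "app", "db"}),
    Rule("allow-internal-icmp", "INGRESS", "allow", "icmp", set(), ["10.10.0.0/16"], set()),
    # Priority 900 beats the 1000 above, so ICMP from the app subnet into db is blocked.
    Rule("deny-icmp-app-to-db", "INGRESS", "deny", "icmp", set(), ["10.10.16.0/20"], {"db"}, 900),
]

if __name__ == "__main__":
    for src, tag, proto, port in [("192.0.2.10", "web", "tcp", 443), ("192.0.2.10", "db", "tcp", 5432),
                                  ("10.10.20.4", "db", "tcp", 5432), ("198.51.100.7", "app", "tcp", 22),
                                  ("192.0.2.10", "app", "tcp", 22), ("10.10.20.4", "db", "icmp", None)]:
        print(f"{src:13} -> {tag:4} {proto}/{port}: {evaluate(RULES, 'INGRESS', src, tag, proto, port)}")
```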
Network Service Tiers: Performance vs Cost
What Network Service Tiers Do
Network Service Tiers affect outbound internet traffic. They trade off performance and cost by choosing how much of Google’s backbone is used.
Premium Tier
Premium keeps traffic on Google’s global backbone longer, exiting near users. It gives lower latency and supports global anycast IPs.
Standard Tier
Standard sends traffic to the public internet earlier, near the resource’s region. It is cheaper but usually has higher, less stable latency.
Choosing a Tier
Pick Premium for latency-sensitive, globally used apps. Pick Standard when minimizing cost matters more than top-tier performance.
Hybrid Connectivity and Peering Options
Why Hybrid Connectivity?
Many organizations connect Google Cloud to on-prem or other clouds. This supports migrations, hybrid apps, and shared identity or data.
Cloud VPN
Cloud VPN uses encrypted IPsec tunnels over the public internet. It is fast to set up and good for moderate bandwidth or backup links.
Cloud Interconnect
Cloud Interconnect provides dedicated or partner physical links for high-bandwidth, low-latency connections between your network and Google.
VPC Peering and Private Services
VPC Network Peering links VPCs privately without public IPs. Private Service Connect lets you reach Google APIs or services using internal IPs.
Design Exercise: Pick Subnets, Firewalls, and Tiers
Imagine you are designing the network for a new analytics dashboard used by employees worldwide. The dashboard runs on managed instance groups behind an HTTP(S) load balancer in `europe-west1`, and it queries BigQuery and Cloud SQL.
Requirements:
- Employees connect from many countries over the internet.
- The app must be responsive (low latency) during business hours.
- Cost matters, but user experience is more important.
- Only HTTPS from the internet; SSH only from your corporate IP range `198.51.100.0/24`.
Think through these questions (mentally or jot down answers):
- Subnets
  - Would you choose auto mode or custom mode for the VPC? Why?
  - Suggest a CIDR for the primary app subnet in `europe-west1`.
- Firewall rules
  - Which tags would you assign to the VM instances?
  - Define an ingress rule for HTTPS access.
  - Define an ingress rule for admin SSH.
- Network Service Tier
  - Given global employees and responsiveness needs, which tier fits best: Premium or Standard?
  - Under what circumstances might you later consider switching tiers?
Compare your design with this checklist:
- Custom VPC, non-overlapping private CIDR like `10.50.0.0/20`.
- Tags like `web` on instances.
- HTTPS allow from `0.0.0.0/0` to `web` on tcp:443.
- SSH allow from `198.51.100.0/24` on tcp:22.
- Premium Tier for better global performance.
Quiz: VPCs, Subnets, and Firewalls
Answer this question to check your understanding of subnet design and firewall behavior.
You create a custom VPC with two subnets: 10.1.0.0/24 in us-central1 and 10.2.0.0/24 in europe-west1. Two VMs, one in each subnet, have no external IPs. You can ping from the us-central1 VM to the europe-west1 VM using internal IPs. Later, you add an ingress firewall rule on the europe-west1 VM’s tag that DENIES all ICMP from 10.1.0.0/24. What happens?
- A) Ping continues to work because implicit routes override firewall rules.
- B) Ping stops working because the new deny rule blocks ICMP from 10.1.0.0/24.
- C) Ping stops working because routes between regions are removed when you add a deny rule.
- D) Ping continues to work because firewall rules are stateless and only affect new connections.
Answer: B) Ping stops working because the new deny rule blocks ICMP from 10.1.0.0/24.
Subnet routes still exist and allow packets between subnets, but firewall rules decide whether traffic is permitted. The explicit deny ICMP rule with matching source and direction takes precedence, so ping from 10.1.0.0/24 to the europe-west1 VM is blocked.
Quiz: Network Service Tiers and Connectivity Options
Check your understanding of Network Service Tiers and hybrid connectivity.
A company runs a latency-sensitive gaming backend in us-central1 with players around the world. They also need a secure, high-bandwidth connection between their main data center and Google Cloud. Which combination is the best fit?
- A) Standard Tier for egress traffic and Cloud VPN for data center connectivity.
- B) Premium Tier for egress traffic and Cloud Interconnect for data center connectivity.
- C) Standard Tier for egress traffic and VPC Network Peering for data center connectivity.
- D) Premium Tier for egress traffic and only Private Service Connect for data center connectivity.
Answer: B) Premium Tier for egress traffic and Cloud Interconnect for data center connectivity.
For latency-sensitive, globally used workloads, Premium Tier is recommended to leverage Google’s backbone. For secure, high-bandwidth, low-latency connectivity to an on-prem data center, Cloud Interconnect is the right choice rather than Cloud VPN or peering.
Key Term Review: VPC Networking and Tiers
Review these terms to reinforce the core concepts from this module.
- VPC network
- A global virtual network in Google Cloud that spans regions and contains regional subnets, routes, and firewall rules for connecting and securing resources.
- Subnet
- A regional IP range (CIDR block) within a VPC used to allocate internal IP addresses to resources like VM instances; can also have secondary ranges for services such as GKE Pods.
- Custom mode VPC
- A VPC where you manually create and manage all subnets and IP ranges, recommended for production to avoid IP conflicts and to control topology.
- Firewall rule priority
- An integer where lower numbers mean higher priority. Among rules that match a packet, the one with the lowest priority number is evaluated first and determines allow or deny.
- Network Service Tiers
- Network Service Tiers is a Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.
- Premium Tier
- The network tier that uses Google’s global backbone as much as possible, offering lower latency, more consistent performance, and support for global anycast IPs.
- Standard Tier
- The network tier that hands traffic to the public internet closer to the resource’s region, usually at lower cost but with higher and less predictable latency.
- Cloud VPN
- An encrypted IPsec VPN connection over the public internet between your on-premises network (or another cloud) and your Google Cloud VPC.
- Cloud Interconnect
- A service that provides dedicated or partner physical connectivity between your network and Google’s network for high-bandwidth, low-latency hybrid connections.
- VPC Network Peering
- A private connectivity option that links two VPC networks so that traffic between them uses internal IPs and Google’s backbone, without public internet exposure and without transitive routing.
Key Terms
- CIDR
- Classless Inter-Domain Routing; a notation (for example, 10.0.0.0/24) that combines an IP address and a prefix length to define an IP network range.
- Firewall rule
- A stateful, distributed rule in a VPC that allows or denies traffic based on direction, targets, source or destination filters, protocols, and ports.