examlab .net The most efficient path to the most valuable certifications.

VPC Networking & Firewalls


Master the fundamentals of Google Cloud Virtual Private Cloud (VPC) for the ACE exam. Learn about subnets, firewalls, routing, and how to connect your resources securely.


Introduction to VPC Networking Basics

The Virtual Private Cloud (VPC) is the networking foundation of your Google Cloud environment. VPC Networking Basics cover how you define the virtual boundaries, IP address ranges, and communication paths for all your cloud resources. Unlike traditional physical networking, a GCP VPC is a global resource that allows you to connect resources across multiple regions without the need for complex VPNs or public internet exposure.

For the Associate Cloud Engineer, understanding VPC Networking Basics is critical for ensuring security and connectivity. You must know how to partition your network into subnets, how to write restrictive firewall rules, and how to enable private communication with Google services. A well-designed VPC is the difference between a secure, performant infrastructure and a chaotic, vulnerable one.

Plain English Explanation

To make VPC Networking Basics easier to visualize, let's use these three analogies.

1. The Modern City Infrastructure (VPC and Subnets)

Imagine you are designing a brand-new city:

  • The VPC is the City Boundary. Everything inside follows your city's rules.
  • Subnets are the Neighborhoods (e.g., Downtown, Suburbs, Industrial Zone).
  • IP Addresses are the House Addresses.

In this city, "Downtown" (Subnet A) might be in the North (Region 1), while "Suburbs" (Subnet B) is in the South (Region 2). Even though they are far apart, they are part of the same city (VPC) and can talk to each other as if they were next door.

2. The High-Security Building (Firewalls)

Think about the security at a government facility:

  • The Building is your VPC.
  • The Guard at the Front Desk is the Ingress Firewall Rule. He checks your ID (Source IP) and your destination (Port) before letting you in.
  • The Security at the Exit is the Egress Firewall Rule. They make sure no one leaves with unauthorized files (Data exfiltration).
  • The Network Tag is like a badge. "Everyone with a Green Badge (Web Server Tag) can enter the cafeteria (Port 80)."

The default posture is "implicit deny" for inbound traffic: nothing gets in unless you specifically invite it with an allow rule. Outbound traffic, by contrast, is implicitly allowed unless you add an egress deny rule.

3. The Postal Routing System (Routes)

Consider how a letter gets from your house to its destination:

  • The Letter is your Data Packet.
  • The Mailman is the Router.
  • The Route Table is his Map.

If the map says "All mail for addresses starting with 10.0.0.x goes to the Downtown Post Office," that's a route. VPC Networking Basics involve defining these "next hops" to ensure your packets don't get lost in the digital wilderness.

VPC Structure: Global but Subdivided

One of the most unique aspects of VPC Networking Basics in GCP is the global scope of the VPC.

Global VPC Scope

A single VPC can span every Google Cloud region in the world. This is different from other cloud providers where a VPC is usually confined to one region.

Regional Subnets

While the VPC is global, the "Subnets" (subnetworks) are regional. You define an IP range for a specific region (e.g., us-central1).

VPC Modes: Auto Mode vs. Custom Mode

  • Auto Mode: Google automatically creates one subnet in every region with a pre-defined IP range. Great for learning but NOT recommended for production.
  • Custom Mode: You manually create subnets only in the regions you need, with the IP ranges you choose. This is the best practice for VPC Networking Basics.

A VPC Network is a virtual version of a physical network, such as a data center network. It provides connectivity for your Compute Engine VM instances, GKE clusters, and other resources. Source ↗

IP Addressing and Ranges

Managing addresses is a core part of VPC Networking Basics.

Internal IP Addresses (RFC 1918)

These are private IPs used for communication inside the VPC. They are usually drawn from standard ranges like 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.

External IP Addresses: Static and Ephemeral

  • Ephemeral: Assigned when the VM starts and released when it stops.
  • Static (Reserved): Assigned to your project and stays with you until you delete it.

Alias IP Ranges for Containers

Alias IP ranges let you assign multiple IP addresses from a subnet to a single VM. This is vital for GKE, where each Pod needs its own routable IP address inside the VPC.

Firewall Rules and Security

Firewalls are the primary defense mechanism in VPC Networking Basics.

Ingress and Egress Rules

  • Ingress: Controls traffic coming INTO your resources.
  • Egress: Controls traffic leaving FROM your resources.

Targets: Tags vs. Service Accounts

  • Network Tags: Apply a rule to any VM that has a specific string label (e.g., http-server).
  • Service Accounts: A more secure way to apply rules, as only authorized VMs can "act as" a service account.

Priority and Default Rules

Rules are evaluated from the lowest priority number (0, evaluated first) to the highest (65535). Every VPC also has two implied rules at the lowest priority that you cannot delete: allow all egress and deny all ingress. The auto-created default network additionally comes with pre-populated rules that allow internal traffic between its instances; anything not explicitly allowed by a higher-priority rule is still denied on ingress.

Firewall rules in Google Cloud are stateful. This means if you allow ingress traffic, the return egress traffic is automatically allowed, regardless of egress rules. Source ↗
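To make the evaluation order concrete, here is a small Python model of how a VPC firewall decides a packet's fate. It is an added example written for this note, not Google's implementation or any code from the page: it simplifies to IPv4 and single "proto:port" entries, and the rule names, tags and address ranges are constructed. It encodes the three behaviours discussed above (lowest priority number wins, a DENY beats an ALLOW at equal priority, and the implied deny-ingress / allow-egress rules apply when nothing matches), scopes rules by network tag or service account, and includes the exam scenario of exposing only tcp:443 to the internet.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One VPC firewall rule (simplified: IPv4 only, single 'proto:port' entries)."""
    name: str
    direction: str                              # "INGRESS" or "EGRESS"
    action: str                                 # "ALLOW" or "DENY"
    priority: int = 1000                        # 0..65535, lower number is evaluated first
    protocol_ports: frozenset = frozenset()     # e.g. {"tcp:443", "icmp"}; empty = all protocols
    ranges: tuple = ("0.0.0.0/0",)              # source ranges (ingress) / destination ranges (egress)
    target_tags: frozenset = frozenset()        # empty targets = rule applies to every instance
    target_service_accounts: frozenset = frozenset()

    def applies_to(self, instance_tags, instance_sa):
        # No targets at all means "all instances in the network".
        if not self.target_tags and not self.target_service_accounts:
            return True
        return bool(self.target_tags & instance_tags) or instance_sa in self.target_service_accounts

    def matches(self, remote_ip, proto_port):
        ip = ipaddress.ip_address(remote_ip)
        if not any(ip in ipaddress.ip_network(r) for r in self.ranges):
            return False
        if not self.protocol_ports:
            return True
        proto = proto_port.split(":")[0]
        return proto_port in self.protocol_ports or proto in self.protocol_ports


def evaluate(rules, direction, remote_ip, proto_port, instance_tags=(), instance_sa=None):
    """Return (action, rule_name) for one packet arriving at / leaving an instance.

    Lowest priority number wins; at equal priority a DENY beats an ALLOW; if no
    rule matches, the implied rules apply (deny all ingress, allow all egress).
    """
    tags = frozenset(instance_tags)
    ordered = sorted((r for r in rules if r.direction == direction),
                     key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    for rule in ordered:
        if rule.applies_to(tags, instance_sa) and rule.matches(remote_ip, proto_port):
            return rule.action, rule.name
    return ("ALLOW", "implied-allow-egress") if direction == "EGRESS" else ("DENY", "implied-deny-ingress")


# Constructed sample rule set (names, tags and ranges are illustrative, not from any real project).
RULES = [
    # Exam scenario: expose only HTTPS to the internet, scoped by a network tag.
    Rule("allow-https", "INGRESS", "ALLOW", 1000, frozenset({"tcp:443"}),
         ("0.0.0.0/0",), frozenset({"https-server"})),
    # Two rules at the same priority for the same port: the DENY wins the tie.
    Rule("allow-ssh", "INGRESS", "ALLOW", 1000, frozenset({"tcp:22"})),
    Rule("deny-ssh-from-internet", "INGRESS", "DENY", 1000, frozenset({"tcp:22"})),
    # Internal traffic allowed at a low priority, like the default network's allow-internal rule.
    Rule("allow-internal", "INGRESS", "ALLOW", 65534, ranges=("10.128.0.0/9",)),
    # Egress lockdown for tagged instances: internal destinations allowed, everything else denied.
    Rule("allow-egress-internal", "EGRESS", "ALLOW", 1000, ranges=("10.128.0.0/9",),
         target_tags=frozenset({"locked-down"})),
    Rule("deny-egress-internet", "EGRESS", "DENY", 2000, target_tags=frozenset({"locked-down"})),
]

if __name__ == "__main__":
    print(evaluate(RULES, "INGRESS", "203.0.113.7", "tcp:443", {"https-server"}))  # ('ALLOW', 'allow-https')
    print(evaluate(RULES, "INGRESS", "203.0.113.7", "tcp:80", {"https-server"}))   # ('DENY', 'implied-deny-ingress')
    print(evaluate(RULES, "EGRESS", "8.8.8.8", "tcp:443", {"locked-down"}))       # ('DENY', 'deny-egress-internet')
```

Two things the model makes visible that the prose only states: an instance without the matching tag never hits the allow-https rule and falls through to the implied deny, and the "locked-down" egress pair only works because the allow rule carries the lower priority number. Statefulness is not modelled; in the real product the reply to an allowed ingress flow is permitted even though the egress rules above would deny it.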

Routing and Traffic Control

Default Routes and Custom Routes

Every VPC comes with a default route for 0.0.0.0/0 whose next hop is the default internet gateway (there is no separate internet gateway object to create, as there is in some other clouds). You can create custom static routes to send traffic through a VPN tunnel or through a specific "gateway VM" that acts as the next hop.

Using Network Tags for Routing

You can apply a route only to specific VMs based on their network tags, which enables advanced configurations such as "Firewall Sandboxes."

Cloud Router and Dynamic Routing (BGP)

Cloud Router uses Border Gateway Protocol (BGP) to automatically exchange routes between your VPC and your on-premises network.

VPC Peering and Connectivity

Sometimes a single VPC is not enough.

Connecting VPCs via Peering

VPC Peering allows two VPCs (even in different projects or organizations) to communicate using internal IP addresses with low latency.

Shared VPC: Centralized Network Management

Allows an organization to designate one project as a "Host Project" containing the VPC, while other "Service Projects" can use the subnets within that VPC. This centralizes network management.

Cloud VPN: Secure Hybrid Connectivity

Connects your on-premises network to your Google Cloud VPC over the public internet using an encrypted IPsec tunnel.

For production workloads the ACE exam expects Custom Mode VPC (created via gcloud compute networks create my-vpc --subnet-mode=custom) combined with Shared VPC, so the Host Project owns the subnets and Service Projects only consume them. Auto Mode is acceptable only for learning because it pre-creates a subnet in every region with fixed /20 ranges that often overlap with future Peering or on-prem CIDRs. Source ↗

VPC Network Peering is not transitive: if VPC-A peers with VPC-B and VPC-B peers with VPC-C, traffic from VPC-A still cannot reach VPC-C. Peering also refuses to establish when subnet CIDR ranges overlap, so plan your 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 allocations before creating the peering; you cannot re-IP a subnet after VMs are deployed. Source ↗

Cloud Load Balancing

Load balancing is an advanced but essential part of GCP networking.

Global vs. Regional Load Balancers

  • Global: HTTP(S), SSL Proxy, and TCP Proxy. They use a single "Anycast" IP address for the whole world.
  • Regional: Internal and External Network Load Balancers.

Choosing the Right LB Type

  • Use HTTP(S) Load Balancing for web traffic and multi-region failover.
  • Use Network Load Balancing for non-HTTP traffic or when you need to preserve the source IP address.

Use Global HTTP(S) Load Balancing to provide your users with the lowest possible latency by terminating SSL at the Google edge location closest to them. Source ↗

Private Access Options

There are several ways to reach Google services without a public IP.

Private Google Access

Allows VMs with only internal IP addresses to reach Google APIs and services (like Cloud Storage or BigQuery).

Private Service Access

A private connection between your VPC and a VPC owned by Google or a third party (often used for Cloud SQL).

Cloud NAT: Egress for Private VMs

Allows VMs without external IPs to reach the internet (e.g., for software updates) without allowing the internet to initiate connections to those VMs.

DNS and Service Discovery

Cloud DNS: Managed Zones and Records

A highly available, low-latency DNS service. You can create public zones for the internet or private zones that only resolve within your VPC.

Internal DNS for VPC Resources

Google automatically creates DNS names for all your VMs (e.g., [INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal).

Network Monitoring and Diagnostics

  • VPC Flow Logs: Record a sample of every "conversation" (flow) in your network. Essential for auditing and security investigations.
  • Connectivity Tests: A tool that simulates a packet journey to see where it might be getting blocked.
  • Network Intelligence Center: Provides a visual map of your network topology and health.

Managing VPCs via gcloud CLI

  • gcloud compute networks create my-vpc --subnet-mode=custom: Creates a new VPC.
  • gcloud compute networks subnets create my-subnet --network=my-vpc --region=us-central1 --range=10.0.1.0/24: Adds a subnet.
  • gcloud compute firewall-rules create allow-http --network=my-vpc --allow=tcp:80 --target-tags=http-server: Adds a firewall rule. Without --network the rule would land in the default network rather than in my-vpc; without --source-ranges an ingress rule defaults to 0.0.0.0/0.

The command 'gcloud compute networks create' is used to initialize a new VPC. Always prefer '--subnet-mode=custom' for production environments. Source ↗

Troubleshooting Network Issues

Firewall Blocking Traffic

The most common networking issue. Use the "Policy Troubleshooter" or check your tags.

Route Conflicts

If you have two routes for the same destination, the one with the most specific prefix (e.g., /24 over /16) wins. If the prefixes are the same, the one with the lower "Priority" wins.
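The route-selection rule stated here (and the default, custom and tag-scoped routes described under "Routing and Traffic Control" above) can be checked with the following Python model. It is an added example written for this note, not code from the page or from Google: route names, next hops and prefixes are constructed, and a subnet route is represented with priority 0 simply to mark it as the fixed, most specific entry. The selection is longest matching prefix first, then the lowest priority number, restricted to routes whose tags (if any) match the sending instance.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                         # destination CIDR
    next_hop: str                     # e.g. "default-internet-gateway", a VPN tunnel, an instance
    priority: int = 1000              # only compared between routes with the same prefix length
    tags: frozenset = frozenset()     # empty = route applies to every instance in the network


def select_route(routes, dst_ip, instance_tags=()):
    """Pick the route a packet from an instance takes: most specific prefix first,
    then lowest priority number. Returns None when nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    tags = frozenset(instance_tags)
    candidates = []
    for route in routes:
        net = ipaddress.ip_network(route.dest)
        if ip in net and (not route.tags or route.tags & tags):
            # Negative prefix length so that a plain ascending sort puts /24 before /16 before /0.
            candidates.append((-net.prefixlen, route.priority, route))
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[:2])
    return candidates[0][2]


# Constructed sample routing table (names and next hops are illustrative).
ROUTES = [
    Route("default-route", "0.0.0.0/0", "default-internet-gateway", 1000),
    Route("subnet-us-central1", "10.0.1.0/24", "local-subnet", 0),      # subnet route: fixed, most specific
    Route("to-onprem-primary", "10.10.0.0/16", "vpn-tunnel-1", 1000),
    Route("to-onprem-backup", "10.10.0.0/16", "vpn-tunnel-2", 2000),    # same prefix, loses on priority
    Route("inspect-egress", "0.0.0.0/0", "nva-instance", 900, frozenset({"inspected"})),  # tag-scoped
]

if __name__ == "__main__":
    for dst, tags in [("10.0.1.20", ()), ("10.10.5.5", ()), ("8.8.8.8", ()), ("8.8.8.8", ("inspected",))]:
        chosen = select_route(ROUTES, dst, tags)
        print(dst, tags, "->", chosen.name, "via", chosen.next_hop)
```

The last sample shows the tag-based routing described earlier: a VM carrying the "inspected" tag sends internet-bound traffic to the inspection instance because the tagged 0.0.0.0/0 route has the lower priority number, while untagged VMs keep using the default internet gateway. Traffic to 10.10.5.5 goes to the primary tunnel for both, because the /16 beats any /0 route regardless of priority.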

Subnet Overlap in Peering

You cannot peer two VPCs if they have overlapping IP address ranges. Planning your address space up front is vital!
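The two peering constraints this note raises, overlapping ranges (here and in the "VPC Peering and Connectivity" section) and non-transitivity, can be checked before you create anything. The following Python snippet is an added example written for this note, not code from the page or from Google; the VPC names, subnets and peering list are constructed, and the 10.128.0.0/9 block is the documented space that auto-mode networks carve into per-region /20 subnets, included so a planned range can be tested against it.

```python
import ipaddress
from itertools import product

# Auto-mode networks take one /20 per region out of this block; planned ranges that overlap it
# will collide with any auto-mode VPC you later peer with.
AUTO_MODE_RANGE = ipaddress.ip_network("10.128.0.0/9")


def overlapping_subnets(vpc_a, vpc_b):
    """Return [(subnet_a, subnet_b), ...] pairs whose CIDRs overlap.
    Peering between the two VPCs cannot be established while this list is non-empty."""
    conflicts = []
    for (name_a, cidr_a), (name_b, cidr_b) in product(vpc_a["subnets"].items(), vpc_b["subnets"].items()):
        if ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b)):
            conflicts.append((name_a, name_b))
    return conflicts


def can_peer(vpc_a, vpc_b):
    return not overlapping_subnets(vpc_a, vpc_b)


def overlaps_auto_mode(cidr):
    """True if a planned range collides with the space auto-mode networks carve up."""
    return ipaddress.ip_network(cidr).overlaps(AUTO_MODE_RANGE)


def reachable_via_peering(peerings, src, dst):
    """Peering is not transitive: only a direct peering between src and dst counts,
    so A->B and B->C never give A->C."""
    return frozenset((src, dst)) in {frozenset(p) for p in peerings}


# Constructed sample topology: vpc-b reuses one of vpc-a's ranges; vpc-d is only reachable from vpc-c.
VPC_A = {"name": "vpc-a", "subnets": {"a-us-central1": "10.0.1.0/24", "a-europe-west1": "10.0.2.0/24"}}
VPC_B = {"name": "vpc-b", "subnets": {"b-us-central1": "10.0.1.0/24"}}
VPC_C = {"name": "vpc-c", "subnets": {"c-us-east1": "10.20.0.0/16"}}
PEERINGS = [("vpc-a", "vpc-c"), ("vpc-c", "vpc-d")]

if __name__ == "__main__":
    print("vpc-a <-> vpc-b conflicts:", overlapping_subnets(VPC_A, VPC_B))   # [('a-us-central1', 'b-us-central1')]
    print("vpc-a can peer vpc-c:", can_peer(VPC_A, VPC_C))                    # True
    print("vpc-a reaches vpc-d:", reachable_via_peering(PEERINGS, "vpc-a", "vpc-d"))  # False
    print("10.130.0.0/20 clashes with auto mode:", overlaps_auto_mode("10.130.0.0/20"))  # True
```

Run the overlap check against every VPC and on-premises range you expect to connect later, not just the one you are peering today; the note's warning that a subnet cannot be re-IPed once VMs are on it is exactly why the check belongs at planning time.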

Common Exam Scenarios for ACE

Restricting Access to a Web Server

"You have a VM running a web server. You want to allow traffic from the internet only on port 443. How?" (Answer: Create an ingress firewall rule with 0.0.0.0/0 as source and tcp:443 as the allowed port).

Connecting Two VPCs in Different Projects

"How do you allow a VM in Project A to talk to a DB in Project B using private IPs?" (Answer: Use VPC Network Peering).

Providing Internet Access to Private VMs

"Your VMs in a private subnet need to download security patches. They have no external IPs. What do you do?" (Answer: Set up a Cloud NAT gateway for that subnet).

FAQ

Q1: Can I change an Auto-mode VPC to a Custom-mode VPC? A1: Yes, you can convert it, but it is a one-way operation. You cannot go back to Auto-mode.

Q2: Is there a limit to how many VPCs I can have? A2: Yes, the default limit is 5 networks per project, but you can request an increase.

Q3: Does VPC Peering cost money? A3: There is no charge for the peering connection itself, but you pay for the data transfer between the peered networks.

Q4: Can I use IPv6 in my VPC? A4: Yes, Google Cloud VPCs support dual-stack (IPv4 and IPv6) subnets.

Q5: What is a "Private Service Connect" (PSC)? A5: PSC allows you to consume services (like those from a 3rd party vendor) as if they were a local IP address in your own VPC, without needing peering.

Summary Checklist for ACE

  • Understand that a VPC is Global while Subnets are Regional.
  • Know how to use Network Tags and Service Accounts in Firewall rules.
  • Be able to explain the difference between Shared VPC and VPC Peering.
  • Know that Cloud NAT is the solution for private VMs needing internet access.
  • Understand that Private Google Access allows private VMs to talk to GCP APIs.
  • Recognize the basic load balancing types and their use cases.
