
Designing Network Resources

3,950 words · ≈ 20 min read

Professional Cloud Architect deep dive into GCP networking: VPC design, Hybrid connectivity (VPN/Interconnect), Load Balancing, and Network Security.


The Global Backbone: Designing the Network

GCP's network is its "secret sauce." Unlike other clouds that rely on the public internet to connect regions, Google owns its global private fiber-optic network. As a Professional Cloud Architect, your job is to leverage this backbone to create secure, low-latency, and highly available connections.

  • VPC (Virtual Private Cloud): Global by nature. Subnets are regional.
  • Hybrid Connectivity: Connecting your on-prem data center to GCP.
  • Load Balancing: Distributing traffic globally or regionally.
  • Service Connectivity: Securely accessing APIs and services.

The "Optimal" network design balances Security (Isolation) and Connectivity (Reachability).

VPC (Virtual Private Cloud): a private, isolated network within Google Cloud. Unlike other clouds, a GCP VPC is a global resource, so resources in different regions can communicate over private IP without crossing the public internet. Reference: https://cloud.google.com/vpc/docs/vpc


Plain-Language Explanation: Network Architecture Design

Designing a cloud network is like designing the infrastructure for a massive, global city.

Analogy 1 — The Private Underground Tunnel (VPC)

Think of a VPC as a private underground tunnel system for your city. You can build rooms (Subnets) in different parts of the city (Regions). Because the tunnels are private and owned by you, you can move people (Data) between rooms in New York and rooms in London safely and quickly, without them ever having to go outside and deal with public street traffic (The Public Internet).

Analogy 2 — The High-Speed Train vs. the Toll Road (Interconnect vs. VPN)

Connecting your old office to the new city is like choosing a commute.

  • HA VPN is like a toll road on the public highway. It's easy to set up and uses the existing roads (The Internet). It's encrypted, but if there's a traffic jam on the highway, your commute gets slow.
  • Cloud Interconnect is like building a private high-speed rail line directly from your office to the city center. It's expensive and takes time to build, but it's incredibly fast, reliable, and never has to deal with highway traffic.

Analogy 3 — The Global Traffic Controller (Load Balancer)

The Global Load Balancer is like a super-intelligent traffic controller standing at the entrance to the city. When a traveler (User) arrives from Asia, the controller doesn't send them to a hotel in New York; they send them to the closest identical hotel in Tokyo. If the Tokyo hotel is full or closed, the controller instantly redirects them to the next closest healthy hotel, and the traveler doesn't even notice the change.

On the PCA exam, if a question mentions "Global failover" and "Single Anycast IP," the answer is always the Global External Application Load Balancer. Reference: https://cloud.google.com/load-balancing/docs/load-balancing-overview


VPC Design: Shared VPC vs. Peering

This is a frequent "Architect decision" on the exam.

  • Shared VPC: Optimal for large organizations. One "Host Project" manages the network (VPCs, subnets, firewalls), and "Service Projects" use those subnets. This centralizes control and simplifies governance.
  • VPC Peering: Viable for connecting two independent networks (e.g., between two different companies). It allows private IP communication but can become complex to manage at scale (no transitive peering).

When PCA scenarios describe a hub-and-spoke topology where many VPCs must talk to each other, VPC Peering does not scale because peering is non-transitive (A↔B and B↔C does not give you A↔C). Pick Shared VPC for single-organization governance, or Network Connectivity Center when you need a true transitive hub across multiple VPCs and hybrid links. Reference: https://cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/overview


Hybrid Connectivity: VPN vs. Interconnect

  • HA VPN: Use for low-to-medium bandwidth (up to 5 Gbps per tunnel) or as a quick-start solution. Must use BGP for dynamic routing to be "Highly Available."
  • Dedicated Interconnect: Use for high bandwidth (10G/100G) and the highest reliability. Requires a physical connection at a Google colocation facility.
  • Partner Interconnect: Use if you need a dedicated link but aren't in a Google facility—you connect through a service provider like Equinix or AT&T.

Hybrid bandwidth ceilings the exam loves to test: HA VPN = up to 5 Gbps per tunnel (BGP required for HA), Dedicated Interconnect = 10 Gbps or 100 Gbps per circuit (Google colo only), Partner Interconnect = 50 Mbps to 50 Gbps via a service provider like Equinix or AT&T. The 99.99% SLA requires two physical Interconnect circuits or two HA VPN gateways in different edge locations.

To achieve a 99.99% SLA for Hybrid Connectivity, you must have two physical connections (Interconnect) or two HA VPN gateways in different regions/edge locations. Reference: https://cloud.google.com/network-connectivity/docs/interconnect/concepts/topology-overview


Load Balancing Selection

  • Global External Application (HTTP/S): For web traffic. Provides Anycast IP, URL maps, and Cloud Armor integration.
  • Regional External Application: For compliance requirements where traffic must stay within a specific region.
  • Proxy Network Load Balancer: For non-HTTP TCP/SSL traffic.
  • Passthrough Network Load Balancer: For high-performance, non-proxied traffic (UDP/TCP).

Private Service Connect (PSC)

The "Optimal" way to connect to services (like Google APIs or a service in another VPC) without using public IPs or VPC Peering. It allows you to expose a service as a private endpoint (IP) inside your own VPC, simplifying the security posture.


Network Security

  • Hierarchical Firewall Policies: Apply rules at the Organization or Folder level, ensuring that "Security Guardrails" are enforced across all projects.
  • Cloud Armor: The GCP WAF. Protects against DDoS and the OWASP Top 10 (SQLi, XSS).
  • Identity-Aware Proxy (IAP): Allows you to access internal apps (like SSH or a Jenkins dashboard) without a VPN, using only identity and context.

On the exam, if a question asks how to securely connect to a VM's internal IP from the internet without a public IP, don't pick "VPN" if "IAP (Identity-Aware Proxy)" is an option. IAP is the modern, Zero-Trust "Optimal" choice. Reference: https://cloud.google.com/iap/docs/concepts-overview


Summary of Optimal vs. Viable Decisions in Networking

Requirement              | Viable Solution (Good)   | Optimal Solution (Architect-level)
-------------------------|--------------------------|-----------------------------------
Multi-project Networking | VPC Peering              | Shared VPC (Centralized control)
Hybrid Connection        | Standard VPN             | HA VPN or Dedicated Interconnect
Global Web Traffic       | Regional Load Balancer   | Global Load Balancer + Cloud CDN
Internal API Access      | Public IP + Firewall     | Private Service Connect (PSC)
External VM Access       | Bastion Host             | IAP (Identity-Aware Proxy)

FAQ — Network Architecture Design

Q1. Is VPC Peering transitive?

No. If VPC A is peered with VPC B, and VPC B is peered with VPC C, A and C cannot communicate. This is why Shared VPC or Network Connectivity Center is preferred for complex hub-and-spoke designs.

Q2. What is the difference between Premium and Standard Network Tiers?

  • Premium (Default): Uses Google's private backbone for as much of the journey as possible. Faster and more reliable.
  • Standard: Hands traffic off to the public internet closer to the source. Cheaper, but lower performance.

Q3. When should I use Cloud Armor?

Always put Cloud Armor in front of any internet-facing application. It's your first line of defense against botnets and web-based attacks.

Q4. Can I have subnets with the same IP range in two different VPCs?

Yes, but you cannot peer them. For any communication between VPCs, IP ranges must not overlap.
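The two peering constraints covered above (the non-transitive hub-and-spoke problem from the VPC Design section and Q1, and the no-overlap rule from Q4) can be checked before a design is submitted. The script below is an added example, not part of the original note or any Google tooling; the VPC names and ranges are constructed, and the overlap check is simplified to the two networks in each peering.

```python
"""Check a multi-VPC design against two VPC Network Peering rules:
peered subnet ranges must not overlap, and peering is not transitive."""
import ipaddress
from collections import deque

# Constructed sample design (not a real project). vpc-d's range sits
# inside vpc-a's, so that peering would be rejected.
VPCS = {
    "vpc-a": ["10.10.0.0/16"],
    "vpc-b": ["10.20.0.0/16"],
    "vpc-c": ["10.30.0.0/16"],
    "vpc-d": ["10.10.128.0/17"],
}
# Hub-and-spoke attempted with peering alone; vpc-b is the intended hub.
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c"), ("vpc-a", "vpc-d")]


def ranges_overlap(vpcs, a, b):
    """True if any subnet range in VPC a overlaps any range in VPC b."""
    return any(
        ipaddress.ip_network(ra).overlaps(ipaddress.ip_network(rb))
        for ra in vpcs[a] for rb in vpcs[b]
    )

def invalid_peerings(vpcs, peerings):
    """Peerings that cannot be established because the ranges overlap."""
    return [p for p in peerings if ranges_overlap(vpcs, *p)]

def can_reach(peerings, src, dst, transitive=False):
    """Private-IP reachability from src to dst over the given links.
    transitive=False models VPC Peering (only direct peers exchange routes,
    so A-B plus B-C gives no A-C path); transitive=True models a hub such
    as Network Connectivity Center that forwards between its spokes."""
    neighbours = {}
    for a, b in peerings:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    if src == dst or dst in neighbours.get(src, set()):
        return True
    if not transitive:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        for nxt in neighbours.get(queue.popleft(), set()):
            if nxt == dst:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False
```

With the sample design, vpc-a reaches vpc-b but not vpc-c under peering semantics, and the vpc-a/vpc-d peering is flagged for overlapping ranges.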

Q5. What is "Cloud NAT"?

It allows VMs without public IPs to access the internet (for updates, etc.) without allowing the internet to initiate a connection back to the VM. It's a critical tool for private-only VPC designs.


Final Architect Tip

"Global by Design." GCP networking is unique because of its global VPC and global load balancer. On the PCA exam, always favor solutions that simplify the network by using these global features. Avoid complex manual routing or bastion hosts unless the scenario explicitly forbids modern alternatives like IAP or Shared VPC.
