
Networking

VPC

General Info
  • VPC networks are global
  • Subnets are regional (can span multiple zones)
VPC Network Types
Type Description
Default
  • Every project
  • 1 subnet per region
  • Default FW rules
Auto Mode
  • Every project
  • 1 subnet per region
  • Regional IP allocation
  • Fixed /20 subnetwork per region (expandable up to /16)
Custom Mode
  • No default subnets created
  • Full control of IP ranges
  • Regional IP allocation

Sharing Networks

Shared VPC

General Info
  • Supported only within the same Org, and not within the same Project
  • Centralised network admin
Roles for delegated administration
  • Organization Admin: nominates Shared VPC Admins (compute.xpnAdmin) for the Org
  • Shared VPC Admin:
    • enables shared VPC for host Project
    • attaches service Projects
    • delegates access to subnets (compute.networkUser)
  • Service Project Admin (network user):
    • has control over service Project resources
    • creates resources in Shared VPC

Peering

General Info
  • Supported across Organizations, and also within the same Project
  • Decentralised network admin
    • Each VPC maintains its FW and routing table
    • Each side of a peering is set independently
    • No subnet IP range overlap across peered VPC networks
    • Transitive peering is not supported
  • Available for Compute Engine, GKE, App Engine Flexible
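
The peering rules above (each side set independently, no subnet overlap, no transitive peering), modelled as an offline audit. This is an added example, not part of the original notes; the network names, CIDRs and peering configurations are constructed, and it checks only the rules listed here.

```python
import ipaddress

# Constructed sample data: network names and CIDRs are hypothetical.
SUBNETS = {
    "vpc-a": ["10.0.0.0/20", "10.1.0.0/20"],
    "vpc-b": ["10.2.0.0/20"],
    "vpc-c": ["10.3.0.0/20"],
    "vpc-d": ["10.4.0.0/20"],
    "vpc-e": ["10.0.8.0/24"],  # sits inside vpc-a's 10.0.0.0/20
}
# One entry per side of a peering: (local network, remote network).
PEERING_CONFIGS = [
    ("vpc-a", "vpc-b"), ("vpc-b", "vpc-a"),
    ("vpc-b", "vpc-c"), ("vpc-c", "vpc-b"),
    ("vpc-a", "vpc-d"),                      # vpc-d never configured its side
    ("vpc-a", "vpc-e"), ("vpc-e", "vpc-a"),  # both sides set, but ranges overlap
]

def active_peerings(configs):
    """A peering counts only when both sides have configured it."""
    sides = set(configs)
    return {frozenset(p) for p in sides if (p[1], p[0]) in sides}

def overlaps(subnets, a, b):
    """Return the overlapping CIDR pairs between networks a and b."""
    return [(x, y) for x in subnets[a] for y in subnets[b]
            if ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))]

def audit(subnets, configs):
    """Split two-sided peerings into valid pairs and overlap rejections."""
    valid, rejected = set(), {}
    for pair in active_peerings(configs):
        a, b = sorted(pair)
        clash = overlaps(subnets, a, b)
        if clash:
            rejected[(a, b)] = clash
        else:
            valid.add((a, b))
    return valid, rejected

def reachable(valid, src):
    """Direct peers only: a peer's peers are not reachable (no transitivity)."""
    return sorted({b if a == src else a for a, b in valid if src in (a, b)})

if __name__ == "__main__":
    valid, rejected = audit(SUBNETS, PEERING_CONFIGS)
    print("valid:", sorted(valid))
    print("rejected:", rejected)
    print("vpc-a reaches:", reachable(valid, "vpc-a"))
```
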

Private Instances

Option Description
Cloud NAT
  • Allows VMs in Private Subnets to reach out to the Internet (egress)
Private Google Access
  • Allows VMs with Internal IPs to reach the Public IPs of Google APIs and Services
  • Enabled on a subnet-by-subnet basis, with traffic through the VPC's default IGW
  • No effect on VMs with Public IPs
Private Google Access for On-Premises Hosts
  • Allows on-premises hosts to reach the Public IPs of Google APIs and Services through a VPN tunnel or Interconnect
Private Services Access
  • Connect to a Google or 3rd-party managed network through VPC Peering