A Virtual Private Cloud (VPC) is a global private isolated virtual network partition that provides managed networking functionality for your Google Cloud Platform (GCP) resources. A Google VPC has the following properties:
- VPC provides a global private communications space.
- VPC supports multi-tenancy deployments via shared VPC (XPN) for your organization. A shared VPC network can be shared by different autonomously administered GCP projects.
- VPC provides private communication between compute resources you create, and you can also enable private communication to Google managed services like Google Cloud Storage, Spanner, big data and analytics, and Machine Learning.
- VPC configuration access can be secured using Identity and Access Management (IAM). VPC ingress and egress traffic connections can be restricted using firewall rules.
- VPC can be extended privately across hybrid environments.
This page describes Virtual Private Cloud (VPC) networks. For information on legacy (non-subnetted) networks, see the Legacy Network Overview.
VPC networks and subnets
A VPC network is a virtual version of the traditional physical networks that exist within and between physical data centers. A VPC network provides connectivity for your Compute Engine virtual machine (VM) instances, Container Engine containers, App Engine Flex services, and other network-related resources.
Each GCP project contains one or more VPC networks. Each VPC network is a global entity spanning all GCP regions. This global VPC network allows VM instances and other resources to communicate with each other via internal, private IP addresses.
Each VPC network is subdivided into subnets, and each subnet is contained within a single region. You can have more than one subnet in a region for a given VPC network. Each subnet has a contiguous private RFC1918 IP space. You create instances, containers, and the like in these subnets. When you create an instance, you must create it in a subnet, and the instance draws its internal IP address from that subnet.
Virtual machine (VM) instances in a VPC network can communicate with instances in all other subnets of the same VPC network, regardless of region, using their RFC1918 private IP addresses. You can isolate portions of the network, even entire subnets, using firewall rules.
Subnets vs. subnetworks
The term "subnet" is a shortening of the term "subnetwork." The two terms are synonymous. In some places in the gcloud command line tool and in the REST API, you will see the term "subnetwork" instead of "subnet," but the two terms mean the same thing.
Types of VPC networks
There are two types of VPC networks: auto mode VPC networks and custom mode VPC networks. The two work very similarly, but an auto mode VPC network starts with a single subnet in each region with the ranges listed in the table. Custom mode VPC networks do not start with any subnets. You must create the subnets manually.
Every project comes with a default network that is automatically created. The default network is an auto mode VPC network. If you need only one subnet in each region and the predefined IP ranges of an auto mode VPC network meet your needs, then you can use the default VPC network or create your own auto mode VPC network. If you need different IP ranges or more than one subnet in a region, create a custom mode VPC network.
If you create an auto mode VPC network and later change your mind about the number and type of subnets you need, you can switch the auto mode VPC network to a custom mode VPC network.
Auto mode VPC network IP ranges
| Region | IP range | Default gateway |
Manually created subnet IP ranges
Manually created subnets can use any valid IP range. Ranges do not have to be contiguous between subnets. For example, some subnets can use ranges from 10.0.0.0/8 while others use ranges from the 192.168.0.0/16 space. Ranges must be unique and non-overlapping within the network. The minimum subnet size that can be used
Reserved IP addresses in every subnet
Each subnet has the following reserved addresses:
- Network address (first address in the CIDR range)
- Default gateway address (second address in the CIDR range)
- Reserved address (second-to-last address in the CIDR range)
- Broadcast address (last address in the CIDR range)
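An added example (not from the original page) that applies the two rules above in Python: it computes the four reserved addresses for a subnet and checks a planned set of subnets for valid, RFC1918, non-overlapping ranges. The subnet names and the third, overlapping subnet in the demo plan are constructed for illustration.

```python
import ipaddress

# RFC1918 private ranges, the space the page says every subnet draws from.
RFC1918 = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reserved_addresses(cidr):
    """The four addresses reserved in every subnet: network (first),
    default gateway (second), reserved (second-to-last), broadcast (last)."""
    net = ipaddress.ip_network(cidr, strict=True)
    first, last = net.network_address, net.broadcast_address
    return {"network": str(first), "gateway": str(first + 1),
            "reserved": str(last - 1), "broadcast": str(last)}

def usable_count(cidr):
    """Addresses instances can actually draw from a subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 4

def check_subnet_plan(subnets):
    """Validate a planned list of (name, cidr) subnets for one VPC network:
    each range must be a valid network address, lie inside RFC1918 space,
    and not overlap any other subnet in the network. Returns the problems
    found; an empty list means the plan is acceptable."""
    problems, seen = [], []
    for name, cidr in subnets:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:  # host bits set, bad prefix length, etc.
            problems.append(f"{name}: invalid range {cidr} ({err})")
            continue
        if net.version != 4:
            problems.append(f"{name}: {cidr} is not IPv4 (VPC networks are IPv4 only)")
            continue
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name}: {cidr} is outside RFC1918 private space")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))
    return problems

if __name__ == "__main__":
    # Constructed plan: the two subnets from the page's example plus a bad one.
    plan = [("subnet1", "10.240.0.0/24"), ("subnet2", "192.168.1.0/24"),
            ("subnet3", "10.240.0.128/25")]
    for name, cidr in plan[:2]:
        print(name, reserved_addresses(cidr), usable_count(cidr), "usable")
    for problem in check_subnet_plan(plan):
        print("PROBLEM:", problem)
```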
VPC network example
The figure below shows a VPC network. A new instance takes its IP address from the given subnet's prefix. Subnet1 is in region 1 and has all of its private IPs allocated from 10.240.0.0/24 (instance IPs such as 10.240.0.3), and Subnet2 in region 2 has all of its private IPs allocated from 192.168.1.0/24 (instance IPs such as 192.168.1.3). You can also see that Subnet3 crosses zones within a region.
VPC networks and projects
Each project starts with a default VPC network that is an auto mode VPC network. There is a quota of five networks per project, including the default network. You can keep the default network and create four more, or delete it and create five of your own.
All networks have automatically created routes to the Internet (default route) and to the IP ranges in the network. The route names are automatically generated and will look different each time. The auto mode VPC networks, including the default network, have routes that look like the following. You can see a default route to the Internet gateway and individual routes for each subnet in the VPC network. The subnet routes let instances send traffic to any other instance or resource in the same VPC network, and the default route lets instances send traffic outside the VPC network. However, traffic can use these routes only if firewall rules permit it.
gcloud compute routes list
NAME                            NETWORK  DEST_RANGE     NEXT_HOP                  PRIORITY
default-route-02a98b9a14f7edc4  default  10.128.0.0/20                            1000
default-route-081fa300345dd52a  default  0.0.0.0/0      default-internet-gateway  1000
default-route-93a38d78c77eac66  default  10.132.0.0/20                            1000
default-route-999664b72dd247e7  default  10.140.0.0/20                            1000
default-route-a1f15d0858cd51e1  default  10.142.0.0/20                            1000
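As an added example that is not part of the original page, the following Python parses that table layout using the header's column offsets (NEXT_HOP is blank for subnet routes, so splitting rows on whitespace would shift columns) and picks out the default Internet route and the per-subnet routes. The sample text is a constructed rendering of the rows shown above.

```python
import re

# Constructed sample of `gcloud compute routes list` output for the default
# network, laid out as gcloud prints it (the rows are the ones shown above).
# NEXT_HOP is blank for subnet routes, which is why naive whitespace splitting
# misassigns columns; the parser below uses the header's column offsets instead.
SAMPLE_ROUTES = """\
NAME                            NETWORK  DEST_RANGE     NEXT_HOP                  PRIORITY
default-route-02a98b9a14f7edc4  default  10.128.0.0/20                            1000
default-route-081fa300345dd52a  default  0.0.0.0/0      default-internet-gateway  1000
default-route-93a38d78c77eac66  default  10.132.0.0/20                            1000
default-route-999664b72dd247e7  default  10.140.0.0/20                            1000
default-route-a1f15d0858cd51e1  default  10.142.0.0/20                            1000
"""

def parse_routes(text):
    """Parse gcloud's fixed-width table into dicts keyed by the header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[1:]
    # Column name and the character offset where that column starts.
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    routes = []
    for row in rows:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            rec[name] = row[start:end].strip()  # blank cell -> ""
        rec["PRIORITY"] = int(rec["PRIORITY"])
        routes.append(rec)
    return routes

def internet_default_routes(routes, network="default"):
    """Routes in `network` that send 0.0.0.0/0 to the Internet gateway."""
    return [r for r in routes if r["NETWORK"] == network
            and r["DEST_RANGE"] == "0.0.0.0/0"
            and r["NEXT_HOP"] == "default-internet-gateway"]

def subnet_routes(routes, network="default"):
    """Per-subnet routes: blank NEXT_HOP means the VPC network's own subnet."""
    return sorted(r["DEST_RANGE"] for r in routes
                  if r["NETWORK"] == network and r["NEXT_HOP"] == ""
                  and r["DEST_RANGE"] != "0.0.0.0/0")

if __name__ == "__main__":
    parsed = parse_routes(SAMPLE_ROUTES)
    print("internet routes:", [r["NAME"] for r in internet_default_routes(parsed)])
    print("subnet routes:", subnet_routes(parsed))
```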
A custom mode VPC network has a default route, plus a route for each subnet that you create.
With these routes, the network knows how to send traffic to the Internet and to all instances you create. However, traffic cannot reach the instances until appropriate firewall rules are in place.
Each network has its own firewall controlling access to and from the instances.
All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it.
The default network has automatically created firewall rules, the default firewall rules. No manually created network has automatically created firewall rules except for a default "allow" rule for outgoing traffic and a default "deny" for incoming traffic. For all networks except the default network, you must create any firewall rules you need.
Quotas and limits
VPC networks only support IPv4 unicast traffic. IPv4 broadcast and IPv4 multicast are not supported. VPC networks do not support IPv6 at all within the network. Global load balancer IPs and traditional App Engine do support IPv6.
A VPC network can have a maximum of 7000 virtual machine instances. This number is not a quota and cannot be increased on the Quotas page. If you attempt to exceed the maximum, GCP returns the following error message:
You cannot create any more instances in the network, as the limit of 7000.0 is reached.
There is no per-subnet maximum, only a maximum for the entire network.
If you need more than 7000 VM instances, you can create additional networks or contact your customer sales engineer.
For a list of resources other than the number of VM instances and their quotas, visit the Quotas page. Many of these quotas can be increased upon request via the Request increase button on that page.
- See Using VPC for instructions on creating and modifying VPC networks.