Overview of Virtual Private Cloud

Google Cloud Platform (GCP) Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Kubernetes Engine clusters, and App Engine Flex instances. VPC provides global, scalable, flexible networking for your cloud-based resources and services.

This page provides a high level overview for a number of VPC concepts and features.

VPC networks

You can think of a VPC network the same way you'd think of a physical network, except that it is virtualized within GCP. A VPC network is a global resource which consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network. VPC networks are logically isolated from each other in GCP.

Figure: VPC network example

All Compute Engine VM instances, Kubernetes Engine clusters, and App Engine Flex instances rely on a VPC network for communication. The network connects the resources to each other and to the Internet.

Read more about VPC networks.

Firewall rules

Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules let you control which packets are allowed to travel to which destinations. Every VPC network has two implied firewall rules: one that blocks all incoming connections and one that allows all outgoing connections. The implied rules have the lowest possible priority (65535) and cannot be removed, but any rule you create with a higher priority (a lower number) overrides them. A network with no rules of your own therefore accepts nothing from outside and lets instances open any outbound connection; if egress needs to be restricted, for example to limit data exfiltration, you must add egress deny rules yourself.

The default network is pre-populated with additional firewall rules at priority 65534. These include default-allow-internal, which permits TCP, UDP, and ICMP traffic among instances in the network, and default-allow-ssh, default-allow-rdp, and default-allow-icmp, which accept SSH (tcp:22), RDP (tcp:3389), and ICMP from any source address (0.0.0.0/0). Review or replace those three rules before placing instances with external IP addresses in the default network.
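To make the evaluation order concrete, here is a small rule evaluator written for this page (it is an added example, not Google's code or API). It encodes the two implied rules, the pre-populated rules of the default network as described above, and a pair of hypothetical hardening rules (allow-ssh-from-corp and deny-ssh-from-anywhere, with the constructed address ranges 198.51.100.0/24 and 203.0.113.7) so you can see which rule wins for a given packet: the lowest priority number matches first, and at equal priority a deny beats an allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Implied rules sit at the lowest possible priority; every user-created rule outranks them.
IMPLIED_PRIORITY = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                      # "INGRESS" or "EGRESS"
    priority: int                       # 0..65535, lower number is evaluated first
    action: str                         # "allow" or "deny"
    ranges: Tuple[str, ...]             # source CIDRs (ingress) or destination CIDRs (egress)
    protocols: Tuple[str, ...]          # "all", "icmp", "tcp", "tcp:22", "udp:0-65535", ...
    target_tags: Tuple[str, ...] = ()   # empty tuple = applies to every instance


@dataclass(frozen=True)
class Packet:
    direction: str
    remote_ip: str                      # source for ingress, destination for egress
    protocol: str                       # "tcp", "udp" or "icmp"
    port: Optional[int] = None
    instance_tags: Tuple[str, ...] = ()


IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", IMPLIED_PRIORITY, "deny", ("0.0.0.0/0",), ("all",)),
    Rule("implied-allow-egress", "EGRESS", IMPLIED_PRIORITY, "allow", ("0.0.0.0/0",), ("all",)),
)

# Rules pre-populated in the "default" network (priority 65534). Three of them
# accept traffic from any source on the Internet.
DEFAULT_NETWORK_RULES = (
    Rule("default-allow-internal", "INGRESS", 65534, "allow", ("10.128.0.0/9",),
         ("tcp:0-65535", "udp:0-65535", "icmp")),
    Rule("default-allow-ssh", "INGRESS", 65534, "allow", ("0.0.0.0/0",), ("tcp:22",)),
    Rule("default-allow-rdp", "INGRESS", 65534, "allow", ("0.0.0.0/0",), ("tcp:3389",)),
    Rule("default-allow-icmp", "INGRESS", 65534, "allow", ("0.0.0.0/0",), ("icmp",)),
)

# Hypothetical hardening rules (constructed for this example): SSH only from a
# corporate range, and an explicit deny for SSH from everywhere else.
HARDENING_RULES = (
    Rule("allow-ssh-from-corp", "INGRESS", 800, "allow", ("198.51.100.0/24",), ("tcp:22",)),
    Rule("deny-ssh-from-anywhere", "INGRESS", 900, "deny", ("0.0.0.0/0",), ("tcp:22",)),
)


def _protocol_matches(spec: str, protocol: str, port: Optional[int]) -> bool:
    if spec == "all":
        return True
    name, _, ports = spec.partition(":")
    if name != protocol:
        return False
    if not ports:                       # bare "tcp"/"udp" means any port; "icmp" has no ports
        return True
    low, _, high = ports.partition("-")
    return port is not None and int(low) <= port <= int(high or low)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(pkt.instance_tags):
        return False
    ip = ipaddress.ip_address(pkt.remote_ip)
    if not any(ip in ipaddress.ip_network(cidr) for cidr in rule.ranges):
        return False
    return any(_protocol_matches(p, pkt.protocol, pkt.port) for p in rule.protocols)


def evaluate(rules, pkt: Packet):
    """Return (action, rule_name) of the winning rule for this packet.

    The implied rules are always appended, so some rule always matches. The
    lowest priority number wins; at equal priority a deny beats an allow.
    """
    candidates = [r for r in tuple(rules) + IMPLIED_RULES if rule_matches(r, pkt)]
    winner = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


if __name__ == "__main__":
    ssh_from_internet = Packet("INGRESS", "203.0.113.7", "tcp", 22)
    print(evaluate(DEFAULT_NETWORK_RULES, ssh_from_internet))                    # default network exposes SSH
    print(evaluate(DEFAULT_NETWORK_RULES + HARDENING_RULES, ssh_from_internet))  # hardened network denies it
```

Running the block shows the point of the caveat above: in the default network an SSH connection from an arbitrary Internet address is accepted by default-allow-ssh, while the same packet is denied once a higher-priority deny exists, and the allow at priority 800 still admits the corporate range. Egress to the Internet falls through to the implied allow because no egress rule was defined.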

Read more about firewall rules.

Routes

Routes tell VM instances and the VPC network how to send traffic from an instance to a destination, either inside the network or outside of GCP. Each VPC network comes with some default routes to route traffic among its subnets and send traffic from eligible instances to the Internet.

You can create custom static routes to direct some packets to specific destinations. For example, you can create a route that sends all outbound traffic to an instance configured as a NAT gateway. A static route can be restricted to instances that carry a given network tag, so the NAT gateway instance itself is left on the default route to the Internet while the tagged instances behind it need no external IP addresses.
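The following route selector is an added example for this page, not Google's code or API. It models a constructed routing table with one subnet route, the system-generated default route, and a hypothetical custom route named via-nat-gateway that steers instances tagged no-external-ip through an instance called nat-gateway. It applies the order in which GCP chooses among matching routes: the most specific destination wins, and among equally specific routes the lowest priority number wins.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                          # destination CIDR
    next_hop: str                      # "subnet", "default-internet-gateway", "instance:<name>", ...
    priority: int = 1000               # lower number wins among equally specific routes
    tags: Tuple[str, ...] = ()         # empty = applies to every instance in the network


# Constructed routing table: a subnet route, the system default route, and a
# hypothetical custom route that only applies to instances tagged "no-external-ip".
ROUTES = (
    Route("subnet-us-central1", "10.128.0.0/20", "subnet"),
    Route("default-route", "0.0.0.0/0", "default-internet-gateway", 1000),
    Route("via-nat-gateway", "0.0.0.0/0", "instance:nat-gateway", 800, tags=("no-external-ip",)),
)


def select_route(routes, dst_ip: str, instance_tags=()) -> Optional[Route]:
    """Pick the route an instance carrying instance_tags uses to reach dst_ip.

    A tagged route is only a candidate for instances that carry one of its tags.
    Among candidates the longest matching prefix wins, then the lowest priority
    number. (Equal prefix and priority would be load-balanced in GCP; here the
    first such route in table order is returned.)
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [
        r for r in routes
        if (not r.tags or set(r.tags) & set(instance_tags))
        and ip in ipaddress.ip_network(r.dest)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


def next_hop_for(routes, dst_ip: str, instance_tags=()) -> Optional[str]:
    route = select_route(routes, dst_ip, instance_tags)
    return None if route is None else route.next_hop


if __name__ == "__main__":
    print(next_hop_for(ROUTES, "8.8.8.8"))                        # untagged VM: internet gateway
    print(next_hop_for(ROUTES, "8.8.8.8", ("no-external-ip",)))   # tagged VM: NAT instance
    print(next_hop_for(ROUTES, "10.128.0.9", ("no-external-ip",)))  # subnet route is more specific
```

Two details the selector makes visible: the NAT instance must not carry the tag itself or it would route its own outbound traffic back to itself, and traffic to another instance in the subnet still takes the subnet route even for tagged instances, because the /20 is more specific than the 0.0.0.0/0 custom route regardless of priority.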

Read more about routes.

Forwarding rules

While routes govern traffic leaving an instance, forwarding rules direct traffic to a GCP resource in a VPC network based on IP address, protocol, and port.

Some forwarding rules direct traffic from outside of GCP to a destination in the network; others direct traffic from inside the network. Destinations for forwarding rules are target instances, load balancer targets (target proxies, target pools, and backend services), and VPN gateways.

Read more about forwarding rules.

Interfaces and IP Addresses

IP addresses

GCP resources, such as Compute Engine VM instances, forwarding rules, Kubernetes Engine containers, and App Engine, rely on IP addresses to communicate.

Read more about IP addresses.

Alias IP ranges

If you have multiple services running on a single VM instance, you can give each service a different internal IP address using Alias IP Ranges. The VPC network forwards packets destined for each configured alias IP to the corresponding VM.

Read more about alias IP ranges.

Multiple Network Interfaces

You can add multiple network interfaces to a VM instance, where each interface resides in a unique VPC network. Multiple network interfaces enable a network appliance VM to act as a gateway for securing traffic among different VPC networks or to and from the Internet.

Read more about multiple network interfaces.

VPC sharing and peering

Shared VPC

You can share a VPC network from one project (called a host project) to other projects in your GCP organization. You can grant access to entire Shared VPC networks or select subnets therein using specific IAM permissions. This allows you to provide centralized control over a common network while maintaining organizational flexibility. Shared VPC is especially useful in large organizations.

Read more about Shared VPC.

VPC Network Peering

VPC Network Peering lets you build SaaS (Software-as-a-Service) ecosystems in GCP, making services available privately across different VPC networks, whether the networks are in the same project, different projects, or projects in different organizations.

With VPC Network Peering, all communication happens using private, RFC 1918 IP addresses. Subject to firewall rules, VM instances in each peered network can communicate with one another without using external IP addresses. Peered networks only share their subnet routes. Network administration for each peered network is unchanged: Network and Security admins for one network do not automatically get those roles for the other network in the peering relationship. If two networks from different projects are peered, project owners, editors, and compute instance admins in one project do not automatically receive those roles in the project that contains the other network.

Read more about VPC Network Peering.

Hybrid Cloud

VPN

Cloud VPN connects your VPC network to your physical, on-premises network or to another cloud provider through an IPsec VPN tunnel carried over the public Internet.

Read more about Cloud VPN.

Interconnect

Cloud Interconnect connects your VPC network to your on-premises network over a high-speed physical connection. The link bypasses the public Internet but does not itself encrypt traffic; if the data needs confidentiality in transit, encrypt it at the application layer (for example with TLS).

Read more about Interconnect.

Load balancing

GCP offers the following load balancing configurations to distribute traffic and workloads across many VMs:

  • Global external load balancing, including HTTP(S) load balancing, SSL Proxy, and TCP Proxy offerings.
  • Regional, external network load balancing
  • Regional internal load balancing

Read more about load balancing.

Special configurations

Private Google Access

When you enable Private Google Access for a subnet, instances in that subnet that have only internal IP addresses can reach Google APIs and services without an external IP address. The setting is per subnet and applies only to Google's services; it does not give the instances a path to the Internet in general.

Read more about Private Google Access.
