Overview of Virtual Private Cloud

Google Cloud Platform (GCP) Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Kubernetes Engine containers and App Engine Flex. VPC provides global, scalable, flexible networking for your cloud-based services.

A VPC consists of the following core and optional functionality.

A VPC network

You can think of a VPC network the same way you'd think of a physical network, except that it is virtualized within GCP. A VPC network consists of virtual local subnet networks in data centers, all connected by a global wide area network. Networks are logically isolated from all other networks in GCP.

All Compute Engine virtual machine (VM) instances, and the VMs running Kubernetes Engine containers and App Engine Flex apps, exist within a VPC network. The VPC network connects VMs in that network to each other and to the Internet.

Read more about VPC networks.

Firewall rules

Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules allow you to control which packets are allowed to travel to which destinations. By default, a VPC network's firewall rules block all incoming connections and allow all outgoing connections.The project default network has certain preconfigured rules to make it easier to get started.

Read more about firewall rules.


Routes tell VM instances and the VPC network how to forward a packet based on the packet's destination IP address. Each VPC network comes with routes that tell the network how to forward packets to every subnet in that network and a Default internet gateway route that tells the network how to send packets out of the network. You can manually create routes to direct some packets to specific destinations. For example, you can create a route that sends all outbound traffic to an instance configured as a NAT gateway.

Read more about routes.

Forwarding rules

While routes govern traffic leaving an instance, forwarding rules can direct traffic that arrives from outside the network as well as traffic from inside the network. You can use forwarding rules to forward traffic based on IP address, protocol, and port. For example, you can use a forwarding rule to direct all TCP traffic destined for a particular IP address to a load balancer resource.

Read more about forwarding rules.

Interfaces and IP Addresses

IP addresses

Many GCP resources, such as Compute Engine virtual machine instances and forwarding rules, Kubernetes Engine containers, and App Engine, rely on IP addresses in their network communications.

Read more about IP addresses.

Alias IP ranges

If you have multiple services running on a single VM, you can give each service a different internal IP address using Alias IP Ranges. The VPC network automatically forwards all packets destined to one of the alias IP addresses to the VM hosting the range.

Read more about alias IP ranges.

Multiple Network Interfaces

If you want to configure a VM instance as a network appliance that acts as a bridge between several VPC networks, you can do so. You can add multiple additional virtual network interfaces to a VM, and each interface must be in a different VPC network.

Read more about multiple network interfaces.

VPC sharing and peering

Shared VPC

You can share a VPC network, or individual subnets, with other GCP projects. This allows you to create a host network, then give departments or functional areas in your organization specific IAM permissions to control specific resources in that network. For example, you may allow networking admins, but no one else, to create load balancers; security admins, but no one else, to create firewall rules; developers permission to create instance that can reach the Internet; and QA engineers to create instances that can reach each other, but not the Internet. Shared VPC is mainly useful to large organizations that need to coordinate across many functional areas.

Read more about shared VPC.

VPC Network Peering

Allows you to build SaaS (Software-as-a-Service) ecosystems in GCP, making services available privately across different VPC networks within and across organizations, allowing workloads to communicate in private RFC1918 space. You can allow your network and another network to reach each other over an internal IP space. VM instances on both networks can reach all instances in the other network without using external IP addresses. Unlike Shared VPC, VPC Network Peering allows traffic to travel across projects only. It does not grant any other kind of access to the peered network or its resources.

Read more about VPC Network Peering.


Allows you to connect your VPC network to your physical, on-premises network or another cloud provider using a secure Virtual Private Network.

Read more about Cloud VPN.


Allows you to connect your VPC network to your physical, on-premises network using a high speed, direct physical connection.

Read more about Interconnect.

Load balancing

Allows you to distribute traffic and workloads across many VMs. GCP offers several different styles of load balancing, depending on the type of traffic (HTTP(S), TCP, SSL, or UDP), the IP protocol (IPv4 and IPv6), and whether the traffic is internal to your VPC network or coming from external users.

Read more about load balancing.

Special configurations

Private Google Access

Allows VM instances in a VPC network subnet to reach Google APIs even if the VMs don't have external IP addresses. You can enable this setting when you create the subnet or modify the setting on existing subnets.

Read more about Private Google Access.

Send feedback about...