Google Cloud Networking Guide: Complete Architecture Reference

Google Cloud Platform offers networking built on the same infrastructure that powers Google Search, YouTube, and Gmail. This guide covers GCP's global VPC model, advanced load balancing, and hybrid connectivity options.

Global VPC Architecture

Unlike AWS and Azure, GCP VPCs are global by default. A single VPC can span all GCP regions without peering or additional configuration:

Key Differences from Other Clouds

• Global scope: VPCs span all regions; subnets are regional (not zonal)
• Auto mode vs. custom mode: Auto mode creates subnets automatically; custom mode gives full control
• Free cross-region communication: VMs in the same VPC communicate freely (egress charges apply)
• Overlapping IP ranges: Not allowed within a VPC or its peered networks

# GCP VPC structure (global)
VPC: production (global)
├── Subnet: us-central1 (10.128.0.0/20)
├── Subnet: us-east1 (10.129.0.0/20)
├── Subnet: europe-west1 (10.130.0.0/20)
└── Subnet: asia-east1 (10.131.0.0/20)

# VMs in any region can communicate via internal IPs

Subnet Design

• Custom mode recommended: Gives you control over IP ranges
• Private Google Access: Enable for private VM access to Google APIs
• Secondary ranges: For container networking (GKE Pod IPs)

Firewall Rules

GCP firewall rules are defined at the VPC level (not attached to instances like AWS security groups):

Firewall Architecture

• Priority: Lower number = higher priority (0-65535)
• Direction: Ingress or egress (separate rules)
• Targets: All instances, tagged instances, or service accounts
• Stateful: Return traffic automatically allowed

Best Practices

• Use network tags to target firewall rules to specific instances
• Use service accounts for identity-based rules (more secure than tags)
• Create a deny-all egress rule and explicitly allow needed destinations

# Terraform: Allow HTTPS from load balancer
resource "google_compute_firewall" "allow-lb-https" {
  name    = "allow-lb-https"
  network = google_compute_network.vpc.name
  
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
  
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]  # GCP LB ranges
  target_tags   = ["https-server"]
}

Cloud Load Balancing

GCP offers a comprehensive load balancing portfolio, all managed by Google's Andromeda SDN:

External Load Balancers

External HTTP(S) Load Balancer (Global)

• Layer 7: Path-based, host-based routing
• Global: Single anycast IP serves all regions
• Features: Cloud CDN, Cloud Armor WAF, managed SSL
• Use for: Global web applications, APIs

External TCP/UDP Load Balancer

• Layer 4: TCP or UDP load balancing
• Regional or global: Choose based on requirements
• Use for: Non-HTTP services, gaming, IoT

Internal Load Balancers

• Internal HTTP(S): Layer 7 for internal traffic
• Internal TCP/UDP: Layer 4 for internal services
• Internal Regional: Regional scope for internal services

Traffic Distribution

• Backend services: Group of backends (managed instance groups, NEGs)
• URL maps: Route traffic based on path, host
• Health checks: TCP, HTTP, HTTPS, HTTP/2, gRPC

Cloud CDN and Edge

Cloud CDN

• Integration: Enable with one click on HTTP(S) Load Balancer
• Edge locations: Google's global edge network
• Cache keys: Customizable to include/exclude headers, query parameters
• Signed URLs: Time-limited access for secure content

Cloud Armor

• DDoS protection: Always-on network and application layer protection
• WAF rules: Pre-configured and custom rules (OWASP Top 10)
• Rate limiting: Protect against volumetric attacks
• Geo-blocking: Restrict by country

Hybrid Connectivity

Cloud VPN

• HA VPN: 99.99% SLA, two tunnels for redundancy
• Classic VPN: Single tunnel, lower SLA
• Routing: Dynamic (BGP) or static routes
• Bandwidth: 3 Gbps per tunnel

Cloud Interconnect

Private connectivity to Google Cloud:

• Dedicated Interconnect: 10 Gbps or 100 Gbps direct connections
• Partner Interconnect: Via service provider (50 Mbps - 50 Gbps)
• Cross-Cloud Interconnect: Direct connection to other clouds (AWS, Azure)

Cloud Router

Cloud Router handles BGP for dynamic routing:

• Advertise routes: Custom routes, subnet routes
• Learn routes: From on-premise via BGP
• Global routing mode: Propagate routes to all regions

For BGP configuration, see BGP best practices.

VPC Connectivity

VPC Network Peering

• Project or org: Peer VPCs across projects or organizations
• Internal IPs: Communication over internal IPs
• Non-transitive: A-B and B-C doesn't mean A-C
• Quota: 25 peering connections per VPC (can be increased)

Shared VPC

• Centralized networking: Host project owns VPC; service projects use subnets
• IAM control: Network admins manage VPC; project teams manage instances
• Best for: Enterprise environments with central network team

Network Connectivity Center

• Hub-and-spoke: Central hub for multi-cloud and hybrid connectivity
• Spokes: VPNs, Interconnects, VPC spokes
• Data transfer: Site-to-cloud and cloud-to-cloud routing

Private Service Access

• Private Google Access: VMs without external IPs can reach Google APIs
• Private Service Connect: Private endpoints for Google services and your own services
• VPC Service Controls: Security perimeter around sensitive services

Network Tiers

GCP offers two network tiers with different performance and cost:

Premium Tier (Default)

• Traffic routed over Google's global backbone
• Lowest latency, highest reliability
• Global load balancing with single anycast IP
• Higher egress cost

Standard Tier

• Traffic routed over public internet
• Higher latency, less consistent
• Regional load balancing only
• Lower egress cost (up to 40% less)

For cost optimization guidance, see our cost optimization framework.

Network Security

• VPC Flow Logs: Capture network traffic metadata
• Packet Mirroring: Copy traffic to analysis tools
• Cloud IDS: Managed intrusion detection
• Firewall Insights: Analyze firewall rule usage

Key Takeaways

• GCP VPCs are global—subnets span regions without peering
• Firewall rules are VPC-level; use tags or service accounts for targeting
• HTTP(S) Load Balancer is global with single anycast IP
• Premium network tier uses Google's backbone for best performance
• Shared VPC centralizes network management across projects