This chapter covers Google Cloud networking fundamentals, focusing on Virtual Private Cloud (VPC), subnets, firewall rules, routing, load balancing, Cloud NAT, and hybrid connectivity. These topics are critical for the GCDL exam, as roughly 15–20% of questions touch network design and connectivity. You will learn how Google's global software-defined network operates, key configuration defaults, and how to design secure, scalable network architectures. Mastering these concepts is essential for planning cloud infrastructure and understanding cost, performance, and security trade-offs.
Jump to a section
Imagine Google Cloud networking as a meticulously designed highway system connecting cities (VPCs) across a country (Google's global network). Each city has its own streets (subnets) and buildings (VM instances) with specific addresses (IP addresses). The highways are private, high-speed, and toll-free—just like Google's global fiber network. When a car (data packet) wants to travel from one building to another across cities, it enters an on-ramp (external VPN or interconnect) or uses a direct highway (VPC peering or Cloud VPN). Traffic rules are enforced by firewalls (firewall rules) at city borders and building entrances. Load balancers act like smart traffic lights that distribute cars evenly across multiple buildings to avoid congestion. Cloud NAT is like a company shuttle service: all employees (private VMs) use a single public entrance (NAT IP) to reach the internet, and responses are routed back to the correct employee based on logs. Google's network uses BGP (Border Gateway Protocol) as the traffic control center, dynamically choosing the best route—avoiding accidents and congestion. This global, software-defined network ensures low latency, high throughput, and automatic failover, making it feel like all cities are adjacent even when thousands of miles apart.
Virtual Private Cloud (VPC) Overview
A Virtual Private Cloud (VPC) is a logically isolated section of Google Cloud where you can launch resources. Unlike traditional on-premises networking where you manage physical routers and switches, Google Cloud's VPC is global and software-defined. A single VPC can span multiple regions and zones without explicit inter-region peering. This is a key differentiator from AWS and Azure, where VPCs are region-specific. GCDL tests your understanding that VPCs are global resources.
Subnets: Regional Building Blocks
Subnets are regional resources that define IP address ranges (CIDR blocks) within a VPC. Each subnet must have a unique IP range (e.g., 10.0.1.0/24) and cannot overlap with other subnets in the same VPC. Subnets can be auto-mode or custom-mode. Auto-mode subnets are created automatically in each region with a /20 range (10.128.0.0/9 overall), while custom-mode gives you full control. GCDL expects you to know that auto-mode subnets use predefined IP ranges and are not recommended for production because they waste IP space and limit customization.
Firewall Rules: Stateful Traffic Filtering
Firewall rules control ingress and egress traffic at the instance level (not subnet level like AWS NACLs). Rules are stateful, meaning if you allow outbound traffic, the return traffic is automatically allowed regardless of inbound rules. This is a critical exam point. Firewall rules are defined by priority (0–65535, lower number = higher priority), direction (INGRESS or EGRESS), action (allow or deny), source/destination IP ranges, protocols, and ports. The implied deny rule (priority 65535) blocks all traffic not explicitly allowed. There is also an implied allow egress rule (priority 65535) that allows all outbound traffic. GCDL tests that firewall rules are applied at the VPC level and can target instances via service accounts or tags.
Routes: Path Selection
Routes tell instances how to send traffic. Every VPC has default routes for each subnet that direct traffic within the subnet. There is also a default route (0.0.0.0/0) that points to the internet gateway. Routes can be static (manually created) or dynamic (learned via Cloud Router and BGP). The most specific route (longest prefix match) wins. GCDL focuses on understanding that VPC routing tables are managed automatically for subnets but need manual configuration for custom destinations (e.g., on-premises networks).
Cloud NAT: Outbound Internet Access for Private Instances
Cloud NAT (Network Address Translation) allows private instances (without external IPs) to access the internet for updates, patches, or API calls. It translates private IPs to a pool of public IPs. Key parameters include:
NAT IP addresses: A set of static external IP addresses assigned to the NAT gateway. You can use auto-assigned or manually reserved IPs.
Minimum ports per VM: Default is 64, but you can adjust based on expected connections.
UDP Idle Timeout: 30 seconds (default).
TCP Established Idle Timeout: 1200 seconds (20 minutes) by default.
TCP Transitory Idle Timeout: 30 seconds.
Cloud NAT is regional and can be configured per subnet. It does not support inbound connections; it is outbound-only. GCDL tests that Cloud NAT is used when private instances need internet access without public IPs.
Load Balancing: Global Traffic Distribution
Google Cloud offers several load balancers:
Global External HTTP(S) Load Balancer: For web traffic, uses anycast IP and routes to the closest healthy backend.
Global External SSL Proxy Load Balancer: For non-HTTP SSL traffic (e.g., secure TCP).
Global External TCP Proxy Load Balancer: For TCP traffic without SSL.
Regional External Network Load Balancer: For UDP or TCP traffic within a region.
Regional Internal Load Balancer: For internal traffic between VMs.
All load balancers are managed, scalable, and support health checks. GCDL emphasizes that global load balancers use Google's global network to route traffic to the nearest region, reducing latency.
Hybrid Connectivity: Connecting On-Premises to Cloud
Google Cloud provides multiple options for hybrid connectivity:
Cloud VPN: Site-to-site VPN using IPsec. Supports dynamic routing (BGP) with Cloud Router. Maximum throughput is ~3 Gbps per tunnel.
Cloud Interconnect: Dedicated or partner connections with bandwidth from 10 Gbps to 100 Gbps (Dedicated) or up to 10 Gbps (Partner). VLAN attachments support multiple VLANs.
Cloud Router: BGP-based router that exchanges routes between VPC and on-premises network. Required for dynamic routing with VPN or Interconnect.
GCDL tests that Cloud Interconnect provides higher bandwidth and more reliable connections than VPN, but at a higher cost. Cloud Router is essential for automatic route exchange.
VPC Peering: Direct Connectivity Between VPCs
VPC peering allows two VPCs to communicate using internal IPs as if they were on the same network. Peering is not transitive—if VPC A peers with B and B peers with C, A cannot communicate with C through B. This is a common exam trap. Peering supports up to 25 Gbps per connection.
Shared VPC: Centralized Network Management
Shared VPC allows an organization to host a common VPC in a host project and share its subnets with other service projects. This is useful for centrally managed network infrastructure. The host project owns the VPC and subnets, while service projects can create instances in those subnets. GCDL tests that Shared VPC simplifies network administration and security policy enforcement.
Private Google Access
Private Google Access allows on-premises or VM instances without external IPs to reach Google APIs and services (e.g., Cloud Storage, BigQuery) using private IPs. It works by routing traffic through a VPC and using the default internet gateway but with destination filtering. This is different from Private Services Access, which provides private connectivity to Google-managed services (e.g., Cloud SQL). GCDL expects you to differentiate these two.
Cloud CDN: Content Delivery Network
Cloud CDN uses Google's global edge cache to deliver content closer to users. It works with the global external HTTP(S) load balancer. Cache hit ratio and time-to-live (TTL) settings are key concepts. GCDL tests that Cloud CDN reduces latency and offloads backend servers.
Networking Tiers: Premium vs. Standard
Google Cloud offers two network service tiers:
Premium Tier: Traffic stays on Google's global network for most of its journey, providing lower latency and higher performance. Default for most services.
Standard Tier: Traffic uses the public internet for part of the journey, reducing cost but increasing latency.
GCDL tests that Premium Tier is recommended for latency-sensitive applications, while Standard Tier can be cost-effective for bulk data transfer.
Firewall Insights and Network Intelligence Center
Firewall Insights provide visibility into firewall rule usage, identifying unused or overly permissive rules. Network Intelligence Center offers topology and performance monitoring. These are operational tools that GCDL may mention as best practices for network optimization.
Packet Mirroring
Packet Mirroring clones traffic from specified instances and sends it to a collector for security monitoring. It works by applying a mirroring policy to a VPC. This is useful for intrusion detection systems (IDS). GCDL tests that Packet Mirroring is used for security analysis, not for load balancing or failover.
Network Service Tiers and Pricing
Pricing for network egress varies by tier. Premium Tier egress to internet is higher than Standard Tier. However, inter-region traffic within Google's network is free for Premium Tier (except for certain destinations). GCDL expects you to understand cost implications of tier choice.
Key Exam Values and Defaults
VPC: global resource
Subnet: regional resource
Auto-mode subnet prefix: /20 per region, overall 10.128.0.0/9
Firewall rule priority range: 0–65535 (lower = higher)
Implicit deny rule priority: 65535
Cloud NAT default TCP established timeout: 1200 seconds
Cloud NAT default UDP timeout: 30 seconds
Cloud VPN max throughput: 3 Gbps per tunnel
Cloud Interconnect Dedicated: 10 Gbps, 100 Gbps
VPC peering max throughput: 25 Gbps
Shared VPC: host project owns VPC, service projects use subnets
Private Google Access: for VMs without external IPs to access Google APIs
Premium Tier: traffic stays on Google network
Standard Tier: uses public internet
Interplay with Other Services
Networking integrates with Compute Engine (VM instances), GKE (Kubernetes clusters), Cloud SQL (private IP), Cloud Load Balancing, Cloud CDN, and Cloud Armor (WAF). GCDL tests how network design affects these services. For example, Private Services Access enables Cloud SQL to use private IPs, and VPC-native clusters in GKE use alias IP ranges.
Design VPC and Subnets
First, determine the IP address plan. Choose a CIDR block for the VPC (e.g., 10.0.0.0/8) and carve out subnets for each region. Use custom-mode VPC for production to avoid wasted IP space. Each subnet must have a unique CIDR (e.g., 10.1.0.0/24 for us-central1). Consider future growth and avoid overlapping with on-premises networks. This step sets the foundation for all networking.
Configure Firewall Rules
Define firewall rules to control traffic. Start with least privilege: allow only necessary ingress traffic (e.g., SSH from bastion host, HTTP from load balancer). Use target tags (e.g., 'web-server') to apply rules to specific instances. Remember that firewall rules are stateful—egress responses are automatically allowed. Set priorities to ensure proper ordering. The implied deny rule blocks all traffic not explicitly allowed.
Set Up Cloud NAT for Private Instances
If instances have no external IPs, create a Cloud NAT gateway in the region. Specify the subnet(s) to be NATted. Choose NAT IP addresses (auto or manual). Adjust port allocation based on expected connections. The gateway translates private IPs to public IPs for outbound traffic. Inbound connections are not supported. Verify by testing internet access from a private instance.
Configure Load Balancing
For HTTP(S) traffic, create a global external HTTP(S) load balancer. Define backend services (instance groups), health checks, and URL maps. The anycast IP routes users to the closest healthy backend. For internal traffic, use a regional internal load balancer. Set session affinity if needed. Test by sending requests and verifying distribution.
Establish Hybrid Connectivity
To connect on-premises, choose between Cloud VPN and Cloud Interconnect based on bandwidth and reliability needs. For VPN, create a Cloud VPN gateway and a peer VPN gateway on-premises. Use Cloud Router with BGP for dynamic routing. For Interconnect, provision a VLAN attachment and configure BGP. Verify connectivity by pinging on-premises resources from a VM.
A multinational e-commerce company uses Google Cloud to host its web application across us-central1 and europe-west1. They use a global external HTTP(S) load balancer to route traffic to the nearest region, reducing latency. The backend consists of managed instance groups in each region. Firewall rules allow HTTP/HTTPS traffic only from the load balancer's IP ranges (130.211.0.0/22 and 35.191.0.0/16). Cloud NAT is configured for private instances that need to fetch updates from the internet. The company uses Cloud Interconnect (10 Gbps) to connect to their on-premises database. Cloud Router exchanges routes via BGP, enabling seamless communication. Misconfiguration of firewall rules (e.g., allowing all traffic from 0.0.0.0/0) would expose instances to the internet, leading to security incidents. Overlapping IP ranges between VPC and on-premises would break connectivity, requiring re-IPing. The network engineer must monitor Cloud NAT port exhaustion—if the number of concurrent connections exceeds available ports, connections fail. They adjust the minimum ports per VM to 128 to handle peak load. Another scenario: a healthcare startup uses Shared VPC to centralize networking. The host project has a VPC with subnets for dev, test, and prod. Service projects deploy instances in these subnets. This ensures consistent firewall and routing policies. However, they must avoid overlapping subnet ranges between environments. A common mistake is creating subnets in different regions with overlapping CIDRs, which is not allowed. They also use Private Google Access to allow VMs without external IPs to access BigQuery APIs, reducing data exfiltration risk. The network engineer configures Private Services Access for Cloud SQL to use private IPs, improving security. They also set up VPC peering between the Shared VPC and a partner's VPC for data exchange. Non-transitive peering is a pitfall—they must establish direct peering with each partner VPC.
GCDL exam objectives related to networking: 2.4 (Design network architectures) and 2.5 (Configure network connectivity services). Key topics: VPC global nature, subnets (auto vs custom), firewall rules (stateful, priority, implied deny), Cloud NAT (outbound only, port exhaustion, timeouts), load balancers (global vs regional, HTTP vs TCP/SSL), hybrid connectivity (VPN vs Interconnect, Cloud Router, BGP), VPC peering (non-transitive), Shared VPC (host/service projects), Private Google Access vs Private Services Access, network tiers (Premium vs Standard).
Common wrong answers: 1. Choosing 'VPCs are regional' – Wrong. Google Cloud VPCs are global. AWS VPCs are regional. Candidates confuse cloud providers. 2. Thinking firewall rules are stateless – Wrong. They are stateful. Candidates assume stateless like AWS NACLs. 3. Believing Cloud NAT allows inbound connections – Wrong. It is outbound-only. Candidates think NAT implies inbound. 4. Assuming VPC peering is transitive – Wrong. Peering is non-transitive. Candidates overgeneralize. 5. Selecting Standard Tier for latency-sensitive apps – Wrong. Premium Tier is for low latency. Candidates pick Standard to save cost.
Specific numbers: Auto-mode subnet prefix /20, firewall priority range 0-65535, Cloud NAT TCP established timeout 1200s, VPN max 3 Gbps, Interconnect 10 or 100 Gbps.
Edge cases: Overlapping subnet CIDRs within a VPC are not allowed. You cannot have two subnets with same CIDR in different regions. Also, you cannot delete a VPC that has resources. Private Google Access works with external IPs? No, it is for instances without external IPs. But it requires default internet gateway route (0.0.0.0/0) to exist. Candidates miss this dependency.
Elimination strategy: Read the scenario carefully. If it mentions 'global' or 'any region', the answer likely involves global resources. If it mentions 'private instances need internet', think Cloud NAT. If it mentions 'on-premises connection', differentiate VPN (low cost, lower bandwidth) vs Interconnect (high cost, high bandwidth). For firewall, remember stateful = return traffic allowed automatically. For peering, remember non-transitive. Use these rules to eliminate distractors.
VPCs are global; subnets are regional.
Auto-mode subnets use predefined /20 ranges (10.128.0.0/9 overall).
Firewall rules are stateful; implied deny at priority 65535.
Cloud NAT is outbound-only; default TCP established timeout 1200s.
Cloud VPN max throughput ~3 Gbps per tunnel; Cloud Interconnect up to 100 Gbps.
VPC peering is non-transitive.
Shared VPC: host project owns VPC; service projects use subnets.
Private Google Access enables access to Google APIs without external IPs.
Premium tier uses Google's global network; Standard uses internet.
Global load balancers use anycast IP; regional load balancers are for internal traffic.
These come up on the exam all the time. Here's how to tell them apart.
Cloud VPN
Uses IPsec VPN tunnels over the internet.
Lower cost, no physical infrastructure.
Maximum throughput ~3 Gbps per tunnel.
Suitable for small to medium bandwidth needs.
Higher latency due to internet routing.
Cloud Interconnect
Uses dedicated or partner connections (no internet).
Higher cost, requires physical cross-connects.
Bandwidth up to 10 Gbps (Partner) or 100 Gbps (Dedicated).
Suitable for high bandwidth and low latency needs.
Lower latency, more reliable, SLA-backed.
Mistake
Google Cloud VPCs are regional like AWS.
Correct
Google Cloud VPCs are global resources that span all regions. Subnets are regional, but the VPC itself is not confined to a single region. This is a key difference from AWS.
Mistake
Firewall rules in Google Cloud are stateless.
Correct
Firewall rules are stateful. If you allow outbound traffic, the corresponding inbound return traffic is automatically permitted regardless of inbound rules. This is opposite to AWS NACLs which are stateless.
Mistake
Cloud NAT allows inbound connections from the internet.
Correct
Cloud NAT is outbound-only. It translates private IPs to public IPs for outbound traffic only. Inbound connections are not supported. For inbound, use load balancers or external IPs.
Mistake
VPC peering is transitive.
Correct
VPC peering is non-transitive. If VPC A is peered with B, and B with C, A cannot communicate with C through B. You must establish direct peering between A and C.
Mistake
Standard network tier is best for low-latency applications.
Correct
Standard tier uses the public internet for part of the path, increasing latency. Premium tier keeps traffic on Google's global network for lower latency. Use Premium for latency-sensitive apps.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Auto-mode VPC automatically creates subnets in each region with a /20 CIDR, using the 10.128.0.0/9 range. Custom-mode VPC lets you manually define subnets with any CIDR. Auto-mode is simpler but wastes IP space and limits customization. Custom-mode is recommended for production. GCDL tests that auto-mode is not ideal for complex designs.
No, Cloud NAT is outbound-only. It allows private instances to initiate connections to the internet, but external hosts cannot initiate connections to instances behind Cloud NAT. For inbound traffic, use a load balancer or assign external IPs to instances.
By default, VPC has an implied allow egress rule (priority 65535) allowing all outbound traffic, and an implied deny ingress rule (priority 65535) blocking all inbound traffic. You must create explicit allow rules for desired ingress traffic. Firewall rules are stateful.
VPC peering connects two separate VPCs (possibly in different projects) allowing direct communication via internal IPs. Shared VPC allows multiple projects to use subnets from a common VPC in a host project. Peering is non-transitive; Shared VPC is transitive within the host project's subnets.
Private Google Access allows VMs without external IPs to access Google APIs (e.g., Cloud Storage). Private Services Access allows VMs to access Google-managed services (e.g., Cloud SQL) via private IPs. Both require a VPC and routes. Private Google Access uses the default internet gateway route; Private Services Access uses VPC peering.
Premium Tier routes traffic over Google's global network for low latency and high performance. Standard Tier uses the public internet for part of the path, reducing cost but increasing latency. Choose Premium for latency-sensitive applications (e.g., gaming, real-time). Standard is suitable for bulk data transfer where cost is more important.
No, subnets in the same VPC must have unique CIDR blocks, even if in different regions. Overlapping CIDRs would cause routing conflicts. Plan IP address space carefully to avoid exhaustion.
You've just covered Networking on Google Cloud — now see how well it sticks with free GCDL practice questions. Full explanations included, no account needed.
Done with this chapter?