Mastering the GCP Network: Beyond the Basics of VPCs

In the world of cloud computing, the network is the circulatory system of your architecture. In Google Cloud Platform (GCP), the Virtual Private Cloud (VPC) offers a unique value proposition that sets it apart from competitors: Global Reach. Unlike traditional networking where a VPC is confined to a single region, a GCP VPC spans the entire globe, allowing resources in different continents to communicate over Google’s private fiber without ever touching the public internet.

However, with great power comes the need for granular control. Understanding how subnets are regional, how routes direct traffic, and how firewall rules protect your assets is fundamental for any Cloud Architect. One of the most common points of confusion for those transitioning from AWS or on-premise is the distinction between Network Tags and Service Accounts when defining firewall targets. While tags are simple and familiar, Service Accounts provide a robust, identity-based security model that scales with your organization.

In this guide, we will break down these core components, explore real-world implementation strategies, and prepare you for the technical rigors of a Google Cloud Professional Architect interview.

Study Guide: VPC Networking Deep-Dive

The Real-World Analogy

Imagine a Global Enterprise Headquarters. The building itself is the VPC. Each floor represents a Region (e.g., US-East, Europe-West). Within each floor, there are specific Departments (Accounting, Engineering)—these are your Subnets. The Security Guards at the doors are your Firewall Rules, and the Signage in the hallways directing people where to go are your Routes.

Detailed Explanation

  • Global VPC: A single VPC can contain subnets in any GCP region worldwide. Traffic between regions stays on Google’s backbone.
  • Regional Subnets: IP ranges are assigned at the regional level. You can expand a subnet’s IP range without deleting resources or causing downtime.
  • Routes: Every VPC starts with a default route (0.0.0.0/0 with next hop default-internet-gateway, priority 1000) and one subnet route per subnet range; subnet routes cannot be removed. Custom static routes send traffic to Cloud VPN tunnels or network virtual appliances (NVAs), and Cloud Router learns dynamic routes over Cloud VPN and Cloud Interconnect. Route selection is longest prefix first, then lowest priority number.
  • Firewall Rules: VPC firewall rules are distributed (enforced at every VM, not at a choke point) and stateful. Two implied rules at the lowest priority deny all ingress and allow all egress, so a VM with no explicit rules accepts nothing and may send anything. Rules match on source or destination IP range, protocol and port, network tag, or service account; they are evaluated by priority (0 is highest) and the first match wins.
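The four components above, wired together in Terraform. This is an added example, not configuration from the original page; the network and subnet names, the 10.0.x.0/24 ranges, and the variable nva_instance_self_link (an NVA VM assumed to already exist) are assumptions. The 35.235.240.0/20 range is Identity-Aware Proxy's documented TCP-forwarding source range.

```hcl
# Added example (not from the original page): one global custom-mode VPC,
# two regional subnets, a baseline firewall, and a tagged static route.

variable "nva_instance_self_link" {
  description = "Self link of an existing network virtual appliance VM (assumed to exist)"
  type        = string
}

# The VPC itself is global; only the subnets below are tied to a region.
resource "google_compute_network" "vpc" {
  name                    = "global-vpc"
  auto_create_subnetworks = false    # custom mode: no automatic /20 per region
  routing_mode            = "GLOBAL" # Cloud Router advertises learned routes to all regions
}

resource "google_compute_subnetwork" "us_east1" {
  name                     = "app-us-east1"
  region                   = "us-east1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.0.1.0/24"
  private_ip_google_access = true # internal-only VMs can still reach Google APIs
}

resource "google_compute_subnetwork" "europe_west1" {
  name                     = "app-europe-west1"
  region                   = "europe-west1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.0.2.0/24"
  private_ip_google_access = true
}

# The implied rules (priority 65535) already deny ingress. This explicit deny
# one step above them changes nothing functionally; it exists to log the drops.
resource "google_compute_firewall" "deny_all_ingress_logged" {
  name          = "deny-all-ingress-logged"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  priority      = 65534
  source_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Admin SSH only through IAP TCP forwarding, so no VM needs an external IP.
resource "google_compute_firewall" "allow_iap_ssh" {
  name          = "allow-iap-ssh"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["35.235.240.0/20"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# The default route (0.0.0.0/0 -> default-internet-gateway) has priority 1000.
# This route at 900 wins for VMs carrying the "nva-egress" tag, steering their
# internet-bound traffic through the appliance for inspection.
resource "google_compute_route" "egress_via_nva" {
  name              = "egress-via-nva"
  network           = google_compute_network.vpc.name
  dest_range        = "0.0.0.0/0"
  priority          = 900
  tags              = ["nva-egress"]
  next_hop_instance = var.nva_instance_self_link
}
```

The tag on the route is the one place where a network tag is still the right tool: routes select instances by tag, not by service account. The same "lower number wins" rule that orders firewall rules orders routes, which is why the NVA route sits at 900 rather than above the default's 1000.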

Comparison: AWS vs. GCP Networking

Feature          | Google Cloud (GCP)                          | Amazon Web Services (AWS)
VPC Scope        | Global                                      | Regional
Subnet Scope     | Regional                                    | Availability Zone (AZ)
Firewall Type    | Distributed, stateful VPC firewall rules    | Security Groups (stateful) & NACLs (stateless)
Internal Routing | Automatic across regions                    | Requires VPC Peering or Transit Gateway

Real-World Scenarios

Scenario 1: Multi-Region High Availability
You deploy a web app in us-central1 and europe-west1. Because the VPC is global, you can use a single Global Load Balancer to route traffic to both regions without complex peering arrangements.

Scenario 2: Secure Database Access
Instead of allowing IP ranges (which change), you run the database on Compute Engine VMs that carry a db-server service account and give the front-end VMs a web-app service account. The firewall rule then reads: allow ingress on TCP 5432 only when the source VM runs as web-app and the target VM runs as db-server. This works for VMs and GKE nodes in your VPC; a managed Cloud SQL instance cannot carry a service account for firewall matching.
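Scenario 2 in Terraform, with the tag-based rule it replaces shown alongside for contrast. This is an added example, not the page's own configuration; the service account IDs, the network and subnet variables, the instance name and image, and the project are assumptions.

```hcl
# Added example (not from the original page). Assumes a VPC and subnet that
# already exist (passed in as variables) and that the caller may attach the
# service accounts to VMs (roles/iam.serviceAccountUser on each account).

variable "network_name"     { type = string } # e.g. "global-vpc" (assumed)
variable "subnet_self_link" { type = string } # subnet the DB VM lives in (assumed)

resource "google_service_account" "web_app" {
  account_id   = "web-app"
  display_name = "Front-end tier identity"
}

resource "google_service_account" "db_server" {
  account_id   = "db-server"
  display_name = "PostgreSQL tier identity"
}

# Weak pattern: matches on string tags. Any principal holding
# compute.instances.setTags can add "db-client" to a VM and inherit access.
# Kept disabled here purely to show what the hardened rule replaces.
resource "google_compute_firewall" "allow_pg_by_tag_weak" {
  name        = "allow-pg-by-tag-weak"
  network     = var.network_name
  direction   = "INGRESS"
  priority    = 1000
  disabled    = true
  source_tags = ["db-client"]
  target_tags = ["db"]
  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}

# Hardened pattern: source and target are VM identities. A rule may use tags
# or service accounts, never both, so this rule has no tag fields at all.
resource "google_compute_firewall" "allow_pg_from_web_app" {
  name                    = "allow-pg-from-web-app"
  network                 = var.network_name
  direction               = "INGRESS"
  priority                = 900
  source_service_accounts = [google_service_account.web_app.email]
  target_service_accounts = [google_service_account.db_server.email]
  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# The database VM runs as db-server, which is what makes it a target of the
# rule above. No access_config block means no external IP.
resource "google_compute_instance" "db" {
  name         = "pg-1"
  machine_type = "e2-medium"
  zone         = "us-east1-b"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }
  network_interface {
    subnetwork = var.subnet_self_link
  }
  service_account {
    email  = google_service_account.db_server.email
    scopes = ["cloud-platform"]
  }
}
```

The check a reviewer should make on the hardened rule: grep the plan for source_tags and target_tags and confirm none remain on rules that guard data tiers. Because the instance's service account is the match key, an attacker who can only edit instance metadata or tags gains nothing; they would need roles/iam.serviceAccountUser on web-app, which is an IAM grant that shows up in Cloud Audit Logs.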

Interview Questions & Answers

  1. Q: Are GCP VPCs regional or global?
    A: VPCs are global; Subnets are regional.
  2. Q: What is the difference between a Network Tag and a Service Account in a firewall rule?
    A: A tag is a free-form string on the VM; anyone holding compute.instances.setTags (included in Compute Instance Admin) can add one and inherit whatever the tag grants. A service account is the VM’s identity; attaching it requires roles/iam.serviceAccountUser on that specific account, so IAM decides who can acquire the access and the grant is audited. A single rule can use tags or service accounts, not both.
  3. Q: Can two VPCs have overlapping IP ranges?
    A: Yes, but you cannot peer them together.
  4. Q: How do you expand a subnet’s CIDR block?
    A: gcloud compute networks subnets expand-ip-range SUBNET --region=REGION --prefix-length=N. It is non-disruptive, but a range can only grow (a shorter prefix), never shrink, and the new range must not overlap another subnet in the VPC or in any peered network.
  5. Q: What is the priority of firewall rules?
    A: 0-65535, where 0 is the highest priority.
  6. Q: Does a VPC have a default firewall?
    A: Every VPC has the two implied rules (deny ingress, allow egress). The auto-created “default” network additionally ships with permissive rules such as “default-allow-internal”, “default-allow-ssh”, “default-allow-rdp” and “default-allow-icmp”, which open SSH, RDP and ICMP to 0.0.0.0/0; a custom VPC has none of these. Best practice is to delete the default network, or at least those rules, and write specific rules.
  7. Q: Can a firewall rule be applied to a specific folder or organization?
    A: Yes, with Hierarchical Firewall Policies attached to an organization or folder. They apply to every VPC beneath the attachment point and are evaluated before project-level rules, so a project owner cannot undo them; a rule can allow, deny, or goto_next to delegate the decision to the next level down.
  8. Q: What is Private Google Access?
    A: A per-subnet setting that lets VMs with only internal IP addresses reach Google APIs and services (Cloud Storage, BigQuery, the Compute API) without an external IP or Cloud NAT.
  9. Q: How does VPC Peering handle transitivity?
    A: It doesn’t. VPC A peered with B, and B with C, does NOT allow A to talk to C.
  10. Q: What is a Shared VPC?
    A: It allows an organization to connect resources from multiple projects to a common VPC network.
Golden Nuggets for Interviews:
  • The “Tags” Trap: If an interviewer asks how to scale security, pivot from Tags to Service Accounts. A tag has no IAM binding of its own; anyone who can edit a VM can add a tag and inherit whatever access the tag grants, and the audit trail shows only a tag edit, not an access grant.
  • Statefulness: If a connection is allowed in, its return traffic is allowed out by connection tracking regardless of egress rules, and the reverse holds for allowed egress.
  • Implied Rules: Every VPC has two implied rules (Allow Egress, Deny Ingress) at the lowest priority (65535). They cannot be deleted, only overridden by explicit rules with a higher priority (lower number).
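Interview question 7 and the priority rules above, in one worked Terraform example: a hierarchical firewall policy attached to a folder that admits SSH only from IAP and denies public SSH/RDP before any project-level rule can allow it. This is an added example, not from the original page; the folder ID variable, the policy name and the rule priorities are assumptions. The 35.235.240.0/20 range is Identity-Aware Proxy's documented TCP-forwarding source range.

```hcl
# Added example (not from the original page). Assumes var.folder_id is the
# numeric ID of an existing folder and the caller holds
# roles/compute.orgFirewallPolicyAdmin on it.

variable "folder_id" {
  description = "Numeric ID of the folder the policy protects (assumed)"
  type        = string
}

resource "google_compute_firewall_policy" "baseline" {
  parent      = "folders/${var.folder_id}"
  short_name  = "folder-baseline"
  description = "Guardrails every VPC under the folder inherits"
}

# Lower number = higher priority, exactly as with VPC firewall rules.
# 1000: admin SSH is allowed only from the IAP TCP-forwarding range.
resource "google_compute_firewall_policy_rule" "allow_iap_ssh" {
  firewall_policy = google_compute_firewall_policy.baseline.name
  priority        = 1000
  direction       = "INGRESS"
  action          = "allow"
  match {
    src_ip_ranges = ["35.235.240.0/20"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22"]
    }
  }
}

# 2000: SSH/RDP from anywhere else is denied and logged. Because this policy is
# evaluated before project rules, a permissive VPC rule cannot override it.
resource "google_compute_firewall_policy_rule" "deny_public_admin_ports" {
  firewall_policy = google_compute_firewall_policy.baseline.name
  priority        = 2000
  direction       = "INGRESS"
  action          = "deny"
  enable_logging  = true
  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22", "3389"]
    }
  }
}

# Traffic that matches neither rule falls through (goto_next) to the next level,
# ending at each project's own VPC rules and, last, the implied rules.
resource "google_compute_firewall_policy_association" "attach" {
  name              = "baseline-to-folder"
  firewall_policy   = google_compute_firewall_policy.baseline.id
  attachment_target = "folders/${var.folder_id}"
}
```

Two caveats worth knowing before you reproduce this: the deny at 2000 also blocks SSH from RFC 1918 sources, which is intentional here (all admin access goes through IAP), and hierarchical rules match on IP ranges and, optionally, secure tags, not on network tags or service accounts, so the identity-based pattern from Scenario 2 still belongs in the project's VPC rules.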

Visual Architecture & Ecosystem

[Diagram: one global VPC network containing Subnet A (10.0.1.0/24) in us-east1 and Subnet B (10.0.2.0/24) in europe-west1, with firewall rules enforced in front of each subnet.]
Service Ecosystem

Connects to GKE (pod and service ranges are alias IP ranges on the node subnet), Cloud SQL (private IP via private services access, a VPC peering to a Google-managed network), and Compute Engine directly. Integrates with Cloud Armor at the load-balancer edge.

Performance & Scaling

There is no VPC-wide bandwidth cap; throughput is bounded per VM by machine type (egress is roughly 2 Gbps per vCPU, capped at 32 Gbps on most standard types, higher on instances with Tier_1 networking). VPC Network Peering is quota-limited to 25 peered networks per VPC by default.

Cost Optimization

Ingress is free; egress is the main cost. Egress to Google services is free, as is traffic between VMs in the same zone over internal IPs. Egress between zones in the same region is charged; egress between regions, and to the internet, costs more.

Decision Matrix: Tags vs. Service Accounts

Network Tags

  • Pros: Simple, easy to script.
  • Cons: No IAM control. Anyone with “Instance Admin” can change tags.
  • Best For: Development, simple non-prod environments.

Service Accounts

  • Pros: Identity-based, IAM protected, highly secure.
  • Cons: Requires understanding of IAM roles.
  • Best For: Production, regulated industries (PCI/HIPAA).

Production Use Case: The 3-Tier App

A production environment uses a Shared VPC. The Host Project owns the network (subnets, firewall rules, VPN); Service Projects (App, DB) are attached to it and receive roles/compute.networkUser on only the subnets they need. Firewall rules use service accounts rather than tags, so an attacker who compromises a VM in the App project and holds instance-edit rights there cannot widen its network access by adding a tag: the only VMs that can reach the database are those running as the web-app identity, and attaching that identity requires an IAM grant, which is audited.
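The 3-tier wiring in Terraform: host project enabled for Shared VPC, two service projects attached, per-subnet networkUser grants, and the identity-based database rule living in the host project while the identities live in the service projects. This is an added example, not from the original page; the project IDs, subnet names, the deployer group, and the two service account emails are assumptions (the accounts are assumed to have been created in the App and DB projects).

```hcl
# Added example (not from the original page). Assumes the three projects exist,
# that global-vpc with subnets app-us-east1 and db-us-east1 exists in the host
# project, and that the caller has roles/compute.xpnAdmin on the organization.

variable "host_project_id" { type = string } # e.g. "net-host-prj" (assumed)
variable "app_project_id"  { type = string } # e.g. "app-prj" (assumed)
variable "db_project_id"   { type = string } # e.g. "db-prj" (assumed)

# Identities created in the service projects; the host project references them by email.
variable "web_app_sa_email"   { type = string } # web-app@app-prj.iam.gserviceaccount.com (assumed)
variable "db_server_sa_email" { type = string } # db-server@db-prj.iam.gserviceaccount.com (assumed)

# Who may launch VMs into each subnet (assumed groups).
variable "app_deployers" { type = string } # "group:app-deployers@example.com"
variable "db_deployers"  { type = string } # "group:db-deployers@example.com"

resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project_id
}

resource "google_compute_shared_vpc_service_project" "app" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.app_project_id
}

resource "google_compute_shared_vpc_service_project" "db" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.db_project_id
}

# networkUser is granted per subnet, not on the whole network, so the App team
# cannot place a VM in the DB subnet even though both consume the same VPC.
resource "google_compute_subnetwork_iam_member" "app_subnet_user" {
  project    = var.host_project_id
  region     = "us-east1"
  subnetwork = "app-us-east1"
  role       = "roles/compute.networkUser"
  member     = var.app_deployers
}

resource "google_compute_subnetwork_iam_member" "db_subnet_user" {
  project    = var.host_project_id
  region     = "us-east1"
  subnetwork = "db-us-east1"
  role       = "roles/compute.networkUser"
  member     = var.db_deployers
}

# The rule belongs to the host project, where service-project admins have no
# write access. It matches on VM identity, so the only way for a VM in the App
# project to reach 5432 is to run as web-app, and only a VM running as db-server
# will accept the connection.
resource "google_compute_firewall" "pg_from_web_tier" {
  project                 = var.host_project_id
  network                 = "global-vpc"
  name                    = "allow-pg-from-web-tier"
  direction               = "INGRESS"
  priority                = 900
  source_service_accounts = [var.web_app_sa_email]
  target_service_accounts = [var.db_server_sa_email]
  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

The separation this buys: a project owner in app-prj can create VMs, edit their tags and metadata, and even create firewall rules in their own project, none of which touches the host project's rule set or the DB subnet. What they cannot do without a host-project or IAM-level grant is attach the web-app account to a new VM (needs serviceAccountUser on it) or place anything in db-us-east1 (needs networkUser there).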
