Google Cloud VPC Basics: ACE Exam Study Guide
A Virtual Private Cloud (VPC) is the foundational networking layer for Google Cloud resources. Unlike traditional networking, a GCP VPC is a global resource, meaning a single VPC can span multiple regions across the world without requiring a complex VPN setup between them.
The Analogy: The Global Office Complex
Imagine you own a global company. Your VPC is your private office building complex. Even though you have “floors” (Subnets) in New York, London, and Tokyo, they are all part of the same building security system and internal phone network. Your Firewall Rules are the security guards at each door, and your Routes are the hallways connecting the rooms.
Detail Elaboration & Core Concepts
To pass the ACE exam, you must understand that GCP networking is software-defined. It follows the principles of Scalability (add subnets as needed), Security (Firewall rules are stateful), and Reliability (Global control plane).
- Subnets are Regional: While the VPC is global, the subnets within it are tied to specific regions (e.g., us-central1).
- Dynamic Routing: Cloud Router uses BGP to exchange routes between your VPC and on-premises networks.
- IP Address Management: VPCs support both IPv4 (internal and external) and IPv6.
Service Comparison: VPC Types
| Feature | Default VPC | Custom Mode VPC | Shared VPC |
|---|---|---|---|
| Subnet Creation | Automatic (one per region) | Manual (full control) | Centralized (Host project) |
| IP Range Control | Pre-defined ranges | User-defined CIDR | Managed by Network Admin |
| Best Use Case | Quick testing/Sandbox | Production (Recommended) | Multi-project organizations |
| Scalability | Limited by default ranges | High | Very High |
Scenario-Based Decision Matrix
If the requirement is… → Use this Service/Feature:
- Connecting two VPCs in different projects → VPC Network Peering
- Centralizing network management for multiple teams → Shared VPC
- Allowing private VMs to access the internet for updates → Cloud NAT
- Restricting traffic between two VM instances → Firewall Rules (using Network Tags)
- Connecting on-prem data centers over a dedicated high-bandwidth link → Cloud Interconnect
Exam Tips: Golden Nuggets
- Regional vs. Global: Remember that VPCs are Global, but Subnets are Regional. This is a common distractor!
- Implied Rules: Every VPC has two implied firewall rules: Allow Egress (all) and Deny Ingress (all). You must create rules to allow incoming traffic.
- Deleting Networks: You cannot delete a VPC until all resources (VMs, Load Balancers) inside it are deleted.
- Auto Mode to Custom: You can switch an Auto Mode VPC to Custom Mode, but you cannot switch a Custom Mode VPC back to Auto Mode.
VPC Architecture Visualized
Internal traffic routes globally between regions by default within the same VPC.
Key GCP Services
- Cloud Router: Regional, dynamic routing (BGP).
- Cloud NAT: Outbound internet for private VMs.
- VPC Peering: Connects two VPCs with low latency.
Common Pitfalls
- Overlapping CIDRs: Prevents VPC Peering.
- Firewall Tags: Typos in tags will break security rules.
- External IPs: Unnecessary use increases cost and attack surface.
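To make the implied rules (Exam Tips) and the tag-typo pitfall concrete, here is an added Python example, not from the original guide, that simulates how GCP evaluates firewall rules for a single packet: the lowest priority number wins, deny beats allow on a tie, and the two implied rules at priority 65535 decide when nothing else matches. The rule set, tags and packets are constructed sample values; the model is simplified to IPv4 and ignores service accounts and hierarchical policies.

```python
import ipaddress
from dataclasses import dataclass, field

IMPLIED_PRIORITY = 65535  # lowest precedence; user rules use 0-65534

@dataclass
class Rule:
    name: str
    direction: str        # "INGRESS" or "EGRESS"
    action: str           # "allow" or "deny"
    priority: int
    ranges: list          # source ranges (ingress) or destination ranges (egress)
    protocol: str = "all" # "tcp", "udp", "icmp" or "all"
    ports: set = field(default_factory=set)        # empty = all ports
    target_tags: set = field(default_factory=set)  # empty = every instance in the VPC

# The two implied rules every VPC carries: allow all egress, deny all ingress.
IMPLIED_RULES = [
    Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY, ["0.0.0.0/0"]),
    Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY, ["0.0.0.0/0"]),
]

def _matches(rule, direction, peer_ip, protocol, port, instance_tags):
    """True if the rule applies to this instance and this packet."""
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False  # a misspelled tag on either side lands here
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.ports and port not in rule.ports:
        return False
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(r) for r in rule.ranges)

def evaluate(rules, direction, peer_ip, protocol, port, instance_tags):
    """Return (action, rule_name) for one packet against user rules + implied rules."""
    candidates = [r for r in list(rules) + IMPLIED_RULES
                  if _matches(r, direction, peer_ip, protocol, port, set(instance_tags))]
    # Lowest priority number first; on an equal priority, deny sorts before allow.
    best = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name

# Constructed sample rule set: one user rule allowing SSH from RFC1918 space to "web" instances.
RULES = [Rule("allow-ssh-web", "INGRESS", "allow", 1000, ["10.0.0.0/8"], "tcp", {22}, {"web"})]

if __name__ == "__main__":
    print(evaluate(RULES, "INGRESS", "10.1.2.3", "tcp", 22, {"web"}))  # allow-ssh-web
    print(evaluate(RULES, "INGRESS", "10.1.2.3", "tcp", 22, {"wbe"}))  # typo: implied deny
    print(evaluate(RULES, "EGRESS", "8.8.8.8", "udp", 53, set()))      # implied allow
```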
Quick Patterns
- Hub-and-Spoke: Centralized security inspection.
- Shared VPC: Host project manages network; Service projects manage VMs.