1. Study Guide: Understanding Routing in VPC
In Google Cloud, a Route is a rule that tells the network where to send packets destined for a specific IP range. While Firewalls act as the “Security Guards” (deciding if a packet can enter), Routes act as the “GPS” (deciding which path the packet takes).
The Postal Service Analogy: Imagine a VPC is a large city. A “Route” is like a road sign at an intersection. If a package is addressed to “The Internet District,” the sign points toward the Main Highway (Internet Gateway). If the package is for “The Database Suburb,” the sign points to a specific local tunnel (Peering or Internal Hop).
Core Concepts & Best Practices
- Reliability: Use Dynamic Routing with Cloud Router and BGP for automatic failover between On-premises and GCP.
- Scalability: Routes are global resources within a VPC, but they point to regional resources. This allows seamless traffic flow across regions.
- Security: Implement “Least Privilege” routing. If a subnet shouldn’t access the internet, ensure there is no route to 0.0.0.0/0 for those instances.
- Operational Excellence: Use Connectivity Tests to troubleshoot why a packet isn’t reaching its destination—it’s often a missing route or a firewall block.
Route Comparison Table
| Route Type | Creation Method | Priority | Best Use Case |
|---|---|---|---|
| Default Route | Automatic (System) | 1000 | Internet access (0.0.0.0/0) via Internet Gateway. |
| Subnet Route | Automatic (System) | 0 (Highest) | Traffic between instances in the same VPC. |
| Static Route | Manual (User) | User Defined | Directing traffic to a specific VM (e.g., a NAT Gateway or Firewall appliance). |
| Dynamic Route | Cloud Router (BGP) | Calculated | Hybrid connectivity via Cloud VPN or Interconnect. |
Decision Matrix: Routing Scenarios
| If the Requirement is… | Then Use… | Key Consideration |
|---|---|---|
| Connect VPC A to VPC B | VPC Network Peering | Peering automatically exchanges subnet routes. |
| Send all traffic through a 3rd party NVA | Static Route (Next hop: Instance) | The NVA instance must have IP Forwarding enabled. |
| Connect to On-Prem with high availability | Cloud Router + Dynamic Routing | BGP handles route propagation and link failures. |
Exam Tips: Golden Nuggets
- Priority Matters: Lower numbers mean higher priority. If two routes match a destination with the same specificity, the one with the lowest priority value wins.
- Next-Hop Types: Know that a next-hop can be an IP address, a VPN tunnel, an Instance, or a Gateway.
- The “Hidden” Route: Every VPC has an implied “Allow All” route for internal subnet traffic (Priority 0). You cannot delete or override this with a manual route of the same priority.
- Firewall vs. Route: Remember that even if a route exists, a firewall rule must also allow the traffic. Routing happens BEFORE firewalling on egress, and AFTER firewalling on ingress.
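The three points that recur above (least-privilege routing with no 0.0.0.0/0 route for private instances, static routes to an NVA that must have IP Forwarding enabled, and priority where the lowest number wins) can be checked against a route table offline. The following is an added example written for this guide, not Google’s code or any gcloud output; the route table, instance names, tags and next-hop strings are constructed sample data, and the selection logic is a simplified model of the documented behaviour (most specific destination first, then lowest priority number, with subnet routes never overridden at equal specificity).

```python
"""Toy model of VPC route selection plus two audit checks.

Added example for the study guide; not Google's implementation.
All routes, instances and tags below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                      # destination CIDR, e.g. "0.0.0.0/0"
    priority: int                  # lower number = higher priority
    next_hop: str                  # "default-internet-gateway", "instance:<name>", "vpn:<name>", ...
    kind: str                      # "subnet", "static" or "dynamic"
    tags: frozenset = frozenset()  # empty = applies to every instance in the VPC


@dataclass(frozen=True)
class Instance:
    name: str
    tags: frozenset
    can_ip_forward: bool = False   # the "IP Forwarding" flag an NVA needs


# Constructed sample route table (assumed values, not from a real project).
ROUTES = [
    Route("subnet-us", "10.10.0.0/20", 0, "local-subnet", "subnet"),
    Route("subnet-eu", "10.20.0.0/20", 0, "local-subnet", "subnet"),
    Route("default-route", "0.0.0.0/0", 1000, "default-internet-gateway", "static"),
    # Tagged static route: only "inspected" instances egress through the NVA.
    Route("egress-via-nva", "0.0.0.0/0", 900, "instance:fw-nva", "static", frozenset({"inspected"})),
    # Dynamic route learned via Cloud Router (BGP) for an on-prem range.
    Route("onprem-bgp", "192.168.0.0/16", 100, "vpn:tunnel-1", "dynamic"),
]

INSTANCES = {
    "web-1": Instance("web-1", frozenset({"inspected"})),
    "db-1": Instance("db-1", frozenset({"private"})),
    # Deliberately misconfigured: the NVA has IP forwarding switched off.
    "fw-nva": Instance("fw-nva", frozenset({"nva"}), can_ip_forward=False),
}


def applicable_routes(routes, inst):
    """Untagged routes apply to everyone; tagged routes only to matching instances."""
    return [r for r in routes if not r.tags or r.tags & inst.tags]


def select_route(routes, inst, dst_ip):
    """Pick the route a packet from `inst` to `dst_ip` would follow.

    Order: longest prefix match, then subnet routes before others,
    then the lowest priority number.
    """
    dst = ip_address(dst_ip)
    cands = [r for r in applicable_routes(routes, inst) if dst in ip_network(r.dest)]
    if not cands:
        return None
    cands.sort(key=lambda r: (-ip_network(r.dest).prefixlen,
                              0 if r.kind == "subnet" else 1,
                              r.priority))
    return cands[0]


def has_internet_route(routes, inst):
    """Least-privilege check: would a packet to a public IP leave via the internet gateway?"""
    r = select_route(routes, inst, "8.8.8.8")   # any public address works as a probe
    return r is not None and r.next_hop == "default-internet-gateway"


def nva_forwarding_problems(routes, instances):
    """Names of routes whose next-hop instance is missing or lacks IP forwarding."""
    bad = []
    for r in routes:
        if r.next_hop.startswith("instance:"):
            hop = instances.get(r.next_hop.split(":", 1)[1])
            if hop is None or not hop.can_ip_forward:
                bad.append(r.name)
    return bad


if __name__ == "__main__":
    for name, inst in INSTANCES.items():
        for dst in ("10.20.1.5", "192.168.5.5", "8.8.8.8"):
            chosen = select_route(ROUTES, inst, dst)
            print(f"{name:7} -> {dst:13} via {chosen.name if chosen else 'NO ROUTE'}")
        print(f"{name:7} internet egress via gateway: {has_internet_route(ROUTES, inst)}")
    print("NVA routes without IP forwarding:", nva_forwarding_problems(ROUTES, INSTANCES))
```

Running it shows that `web-1` reaches public addresses through `egress-via-nva` because priority 900 beats the default route’s 1000, while `db-1` still has a path to the internet gateway, which is the least-privilege finding the best-practices section warns about; the forwarding check flags `egress-via-nva` because its next-hop instance has IP Forwarding disabled.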
2. Infographic: The GCP Routing Architecture
Key GCP Services
- VPC Network: Container for routes.
- Cloud Router: Exchanges BGP routes.
- Cloud VPN: Secure tunnel destination.
Common Pitfalls
- Overlapping IP ranges in Peering.
- Forgetting to enable IP Forwarding on NVAs.
- Assuming routes bypass firewalls.
Architecture Patterns
- Hub & Spoke: Centralized routing.
- Shared VPC: Centralized network admin.
- Direct Internet: Default IGW route.