Executive Summary: Google Cloud VPC networking provides the foundation for secure, scalable, and globally distributed cloud architectures. This comprehensive guide explores VPC’s enterprise capabilities, from global VPC design and shared VPC architectures to Private Google Access, Cloud NAT, and zero-trust network security. After designing network architectures for enterprises across all major cloud providers, I’ve found GCP’s global VPC model uniquely simplifies multi-region deployments while providing robust security controls. Organizations should leverage VPC’s global reach, hierarchical firewall policies, and Private Service Connect while implementing proper network segmentation and monitoring from the start.
VPC Architecture: Global Networks and Regional Subnets
GCP’s VPC model differs fundamentally from other cloud providers—VPCs are global resources spanning all regions automatically. This eliminates the need for VPC peering between regions that’s required in AWS and Azure. A single VPC can contain subnets in any region, with traffic between regions flowing over Google’s private backbone network rather than the public internet. This architecture simplifies multi-region deployments and provides consistent, low-latency connectivity.
Subnets are regional resources with IP ranges that cannot overlap within a VPC. Each subnet can use custom or auto-mode IP ranges. Auto-mode VPCs automatically create subnets in each region with predefined ranges—convenient for development but limiting for production. Custom-mode VPCs provide full control over subnet placement and IP allocation, essential for enterprises with existing IP address management requirements.
Shared VPC enables centralized network management across multiple projects. A host project owns the VPC, while service projects attach workloads to shared subnets. This pattern separates network administration from application deployment, enabling network teams to manage connectivity, firewall rules, and IP allocation while application teams focus on their workloads. Shared VPC is the recommended architecture for enterprise GCP deployments.
Security Architecture: Firewalls and Zero Trust
GCP provides multiple layers of firewall controls. VPC firewall rules apply to individual VPCs with allow or deny actions based on IP ranges, protocols, ports, and service accounts. Hierarchical firewall policies apply rules at the organization or folder level, enforcing consistent security policies across all VPCs. This hierarchy enables security teams to enforce baseline rules (block known malicious IPs, require encryption) while allowing project teams to add application-specific rules.
Network tags and service accounts provide identity-based firewall rules rather than IP-based rules. Tag-based rules apply to VMs with matching tags, enabling dynamic security groups that follow workloads as they scale. Service account-based rules provide even stronger identity guarantees—rules apply based on the authenticated identity of the workload, not just network location. This is essential for zero-trust architectures where network location doesn’t imply trust.
Private Google Access enables VMs without external IPs to access Google APIs and services through internal IP addresses. This keeps traffic on Google’s network and eliminates the need for NAT gateways for API access. Private Service Connect extends this model to your own services, enabling private connectivity to services in other VPCs or external providers without exposing them to the public internet.
Production Terraform Configuration
Here’s a comprehensive Terraform configuration for enterprise VPC networking with Shared VPC, Cloud NAT, and hierarchical firewall policies:
# GCP VPC Enterprise Configuration
terraform {
required_version = ">= 1.5.0"
required_providers {
google = { source = "hashicorp/google", version = "~> 5.0" }
}
}
variable "org_id" { type = string }
variable "host_project_id" { type = string }
variable "service_project_ids" { type = list(string) }
# Enable Shared VPC on host project
resource "google_compute_shared_vpc_host_project" "host" {
project = var.host_project_id
}
# Attach service projects
resource "google_compute_shared_vpc_service_project" "service" {
for_each = toset(var.service_project_ids)
host_project = google_compute_shared_vpc_host_project.host.project
service_project = each.value
}
# Global VPC
resource "google_compute_network" "vpc" {
project = var.host_project_id
name = "enterprise-vpc"
auto_create_subnetworks = false
routing_mode = "GLOBAL"
mtu = 1460
}
# Regional subnets
resource "google_compute_subnetwork" "subnets" {
for_each = {
"us-central1" = "10.0.0.0/20"
"us-east1" = "10.1.0.0/20"
"europe-west1" = "10.2.0.0/20"
}
project = var.host_project_id
name = "subnet-${each.key}"
ip_cidr_range = each.value
region = each.key
network = google_compute_network.vpc.id
private_ip_google_access = true
secondary_ip_range {
range_name = "pods"
ip_cidr_range = cidrsubnet(each.value, 4, 8)
}
secondary_ip_range {
range_name = "services"
ip_cidr_range = cidrsubnet(each.value, 8, 128)
}
log_config {
aggregation_interval = "INTERVAL_5_SEC"
flow_sampling = 0.5
metadata = "INCLUDE_ALL_METADATA"
}
}
# Cloud Router for NAT
resource "google_compute_router" "router" {
for_each = google_compute_subnetwork.subnets
project = var.host_project_id
name = "router-${each.key}"
region = each.key
network = google_compute_network.vpc.id
bgp {
asn = 64514
}
}
# Cloud NAT for outbound connectivity
resource "google_compute_router_nat" "nat" {
for_each = google_compute_router.router
project = var.host_project_id
name = "nat-${each.key}"
router = each.value.name
region = each.key
nat_ip_allocate_option = "AUTO_ONLY"
source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
log_config {
enable = true
filter = "ERRORS_ONLY"
}
}
# Hierarchical firewall policy
resource "google_compute_firewall_policy" "org_policy" {
short_name = "org-security-policy"
parent = "organizations/${var.org_id}"
}
resource "google_compute_firewall_policy_rule" "deny_known_bad" {
firewall_policy = google_compute_firewall_policy.org_policy.id
priority = 1000
action = "deny"
direction = "INGRESS"
match {
src_ip_ranges = ["192.0.2.0/24"] # Example blocked range
layer4_configs {
ip_protocol = "all"
}
}
}
resource "google_compute_firewall_policy_rule" "allow_iap" {
firewall_policy = google_compute_firewall_policy.org_policy.id
priority = 2000
action = "allow"
direction = "INGRESS"
match {
src_ip_ranges = ["35.235.240.0/20"] # IAP range
layer4_configs {
ip_protocol = "tcp"
ports = ["22", "3389"]
}
}
}
# VPC firewall rules
resource "google_compute_firewall" "allow_internal" {
project = var.host_project_id
name = "allow-internal"
network = google_compute_network.vpc.name
allow {
protocol = "icmp"
}
allow {
protocol = "tcp"
ports = ["0-65535"]
}
allow {
protocol = "udp"
ports = ["0-65535"]
}
source_ranges = ["10.0.0.0/8"]
priority = 1000
}
resource "google_compute_firewall" "allow_health_checks" {
project = var.host_project_id
name = "allow-health-checks"
network = google_compute_network.vpc.name
allow {
protocol = "tcp"
}
source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
target_tags = ["allow-health-check"]
priority = 1000
}
# Private Service Connect endpoint
resource "google_compute_global_address" "psc_address" {
project = var.host_project_id
name = "psc-googleapis"
purpose = "PRIVATE_SERVICE_CONNECT"
address_type = "INTERNAL"
network = google_compute_network.vpc.id
address = "10.255.255.254"
}
resource "google_compute_global_forwarding_rule" "psc_endpoint" {
project = var.host_project_id
name = "psc-googleapis-endpoint"
target = "all-apis"
network = google_compute_network.vpc.id
ip_address = google_compute_global_address.psc_address.id
load_balancing_scheme = ""
}Python SDK for VPC Operations
This Python implementation demonstrates enterprise patterns for VPC management including firewall rule automation and network monitoring:
"""VPC Network Manager - Enterprise Python Implementation"""
from dataclasses import dataclass
from typing import List, Dict, Optional
from google.cloud import compute_v1
import logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
@dataclass
class FirewallRule:
name: str
direction: str
action: str
priority: int
source_ranges: List[str]
target_tags: List[str]
allowed_ports: Dict[str, List[str]]
@dataclass
class SubnetInfo:
name: str
region: str
ip_range: str
private_google_access: bool
secondary_ranges: Dict[str, str]
class VPCNetworkManager:
"""Enterprise VPC management with firewall automation."""
def __init__(self, project_id: str):
self.project_id = project_id
self.networks_client = compute_v1.NetworksClient()
self.subnets_client = compute_v1.SubnetworksClient()
self.firewalls_client = compute_v1.FirewallsClient()
def list_networks(self) -> List[str]:
"""List all VPC networks in project."""
request = compute_v1.ListNetworksRequest(project=self.project_id)
networks = self.networks_client.list(request=request)
return [n.name for n in networks]
def get_subnet_info(self, network_name: str) -> List[SubnetInfo]:
"""Get all subnets for a network."""
subnets = []
request = compute_v1.AggregatedListSubnetworksRequest(
project=self.project_id
)
for region, response in self.subnets_client.aggregated_list(request=request):
if response.subnetworks:
for subnet in response.subnetworks:
if subnet.network.endswith(f"/{network_name}"):
secondary = {
r.range_name: r.ip_cidr_range
for r in subnet.secondary_ip_ranges
}
subnets.append(SubnetInfo(
name=subnet.name,
region=subnet.region.split("/")[-1],
ip_range=subnet.ip_cidr_range,
private_google_access=subnet.private_ip_google_access,
secondary_ranges=secondary
))
return subnets
def create_firewall_rule(self, network: str, rule: FirewallRule) -> bool:
"""Create or update firewall rule."""
firewall = compute_v1.Firewall(
name=rule.name,
network=f"projects/{self.project_id}/global/networks/{network}",
direction=rule.direction,
priority=rule.priority,
source_ranges=rule.source_ranges,
target_tags=rule.target_tags
)
# Build allowed rules
allowed = []
for protocol, ports in rule.allowed_ports.items():
allowed.append(compute_v1.Allowed(
I_p_protocol=protocol,
ports=ports
))
firewall.allowed = allowed
try:
operation = self.firewalls_client.insert(
project=self.project_id,
firewall_resource=firewall
)
operation.result()
logger.info(f"Created firewall rule: {rule.name}")
return True
except Exception as e:
logger.error(f"Failed to create firewall rule: {e}")
return False
def audit_firewall_rules(self, network: str) -> List[Dict]:
"""Audit firewall rules for security issues."""
issues = []
request = compute_v1.ListFirewallsRequest(project=self.project_id)
for fw in self.firewalls_client.list(request=request):
if not fw.network.endswith(f"/{network}"):
continue
# Check for overly permissive rules
if "0.0.0.0/0" in (fw.source_ranges or []):
for allowed in fw.allowed:
if allowed.ports and "0-65535" in allowed.ports:
issues.append({
"rule": fw.name,
"severity": "HIGH",
"issue": "Allows all ports from any source",
"recommendation": "Restrict source ranges and ports"
})
elif allowed.I_p_protocol == "all":
issues.append({
"rule": fw.name,
"severity": "HIGH",
"issue": "Allows all protocols from any source",
"recommendation": "Specify allowed protocols"
})
# Check for disabled logging
if not fw.log_config or not fw.log_config.enable:
issues.append({
"rule": fw.name,
"severity": "MEDIUM",
"issue": "Firewall logging disabled",
"recommendation": "Enable logging for audit trail"
})
return issues
def enable_private_google_access(self, region: str, subnet: str) -> bool:
"""Enable Private Google Access on subnet."""
try:
current = self.subnets_client.get(
project=self.project_id,
region=region,
subnetwork=subnet
)
if current.private_ip_google_access:
logger.info(f"Private Google Access already enabled on {subnet}")
return True
current.private_ip_google_access = True
operation = self.subnets_client.patch(
project=self.project_id,
region=region,
subnetwork=subnet,
subnetwork_resource=current
)
operation.result()
logger.info(f"Enabled Private Google Access on {subnet}")
return True
except Exception as e:
logger.error(f"Failed to enable Private Google Access: {e}")
return FalseCost Optimization and Monitoring
VPC networking costs include egress charges, Cloud NAT processing, and VPN/Interconnect fees. Egress to the internet varies by destination and volume—use Premium Tier for lowest latency or Standard Tier for cost savings on less latency-sensitive traffic. Inter-region egress within GCP is charged but significantly cheaper than internet egress. Design architectures to minimize cross-region traffic for cost-sensitive workloads.
Cloud NAT charges per VM and per GB processed. For high-egress workloads, consider dedicated NAT gateways with reserved IPs rather than auto-allocated IPs. VPC Flow Logs provide visibility into network traffic but incur logging and storage costs—use sampling (0.5 or lower) for cost-effective monitoring while maintaining visibility into traffic patterns.
Network Intelligence Center provides comprehensive network monitoring and troubleshooting. Connectivity Tests validate network paths without sending actual traffic—essential for verifying firewall rules before deployment. Performance Dashboard shows latency and packet loss across your network, helping identify performance issues before they impact applications.
Key Takeaways and Best Practices
GCP’s global VPC model simplifies multi-region architectures while providing enterprise-grade security controls. Use Shared VPC for centralized network management across projects, enabling separation of network and application administration. Implement hierarchical firewall policies for organization-wide security baselines, with VPC-level rules for application-specific requirements.
Enable Private Google Access on all subnets to keep API traffic on Google’s network. Use service account-based firewall rules for zero-trust security rather than relying solely on network location. The Terraform and Python examples provided here establish patterns for production-ready VPC deployments that scale from single projects to enterprise-wide network architectures.
Discover more from Code, Cloud & Context
Subscribe to get the latest posts sent to your email.