Chief Characteristics

  • Networks are organised under a Virtual Private Cloud (VPC) object
  • A GCP VPC Network:
    • Is Global in scope
    • Is not an IP subnet in the traditional sense but a more general container, as in "the core network" or "the data centre network"
    • Consists of one or more regional sub-networks
    • Operates in one of 2 subnet modes, auto or custom; the "default" network that comes with every project is an auto-mode network with pre-populated firewall rules:
      • default: auto-mode network with 1 non-overlapping subnet per region, plus default firewall rules allowing all traffic between instances in the network and SSH, ICMP and RDP ingress from anywhere; egress is unrestricted
      • auto:
        • 1 non-overlapping /20 subnet per region, carved from 10.128.0.0/9 => up to 2^11 = 2048 /20 regional subnets
        • subnets can be expanded up to /16 => at most 2^7 = 128 /16 regional subnets; each auto-mode /20 sits in its own /16, so expanding one region never collides with another
        • As new regions come online, a subnet is automatically added to the network from this range
      • custom:
        • No automatic subnets
        • Number and range of each subnet decided by the administrator, normally allocated from RFC 1918 address space
        • Subnets within a network must not overlap
  • auto-mode networks can be converted to custom-mode but not vice-versa
  • By default a project can have up to 5 networks but this quota can be increased
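
The following is an added Python example, not part of these notes, that puts the subnet-mode arithmetic above into code: it derives the auto-mode capacities (2048 /20s, 128 /16s) from the 10.128.0.0/9 block, shows that an auto-mode /20 can grow to /16 without colliding with a neighbouring region, and checks a custom-mode plan for the two mistakes an administrator actually makes (overlapping ranges and ranges outside RFC 1918). The four regional /20s are taken from Google's published auto-mode table; the custom plan in the usage section is constructed.

```python
"""Subnet-mode arithmetic and a custom-mode plan checker for GCP VPC networks.

Added example (not from the original notes). Encoded facts: auto-mode subnets
are /20s carved from 10.128.0.0/9 and may be expanded to /16; custom-mode
subnets are chosen by the administrator and must not overlap.
"""
import ipaddress

AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")
RFC1918 = tuple(ipaddress.ip_network(c)
                for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# A few of Google's documented auto-mode assignments (region -> initial /20).
AUTO_MODE_SAMPLE = {
    "us-central1": "10.128.0.0/20",
    "europe-west1": "10.132.0.0/20",
    "us-west1": "10.138.0.0/20",
    "asia-east1": "10.140.0.0/20",
}


def auto_mode_capacity(prefixlen):
    """How many non-overlapping /prefixlen subnets fit in 10.128.0.0/9."""
    return 2 ** (prefixlen - AUTO_MODE_BLOCK.prefixlen)


def expand_subnet(cidr, new_prefixlen, others):
    """Grow a subnet to a shorter prefix (e.g. /20 -> /16).

    Returns the enlarged network, or None if it would overlap any of the
    other subnets in the network (which GCP would reject).
    """
    grown = ipaddress.ip_network(cidr).supernet(new_prefix=new_prefixlen)
    for other in others:
        if other != cidr and grown.overlaps(ipaddress.ip_network(other)):
            return None
    return grown


def validate_custom_plan(plan):
    """Check a custom-mode plan {region: [cidr, ...]}.

    Returns a list of human-readable problems; an empty list means the plan
    is acceptable: every range is on a network boundary, inside RFC 1918
    space, and disjoint from every other range in the network.
    """
    problems, seen = [], []
    for region, cidrs in plan.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if str(net) != cidr:
                problems.append(f"{region}: {cidr} is not on a network boundary (did you mean {net}?)")
            if not any(net.subnet_of(block) for block in RFC1918):
                problems.append(f"{region}: {net} is outside RFC 1918 space")
            for other_region, other in seen:
                if net.overlaps(other):
                    problems.append(f"{region}: {net} overlaps {other} in {other_region}")
            seen.append((region, net))
    return problems


if __name__ == "__main__":
    print(auto_mode_capacity(20), auto_mode_capacity(16))          # 2048 128
    # Every auto-mode /20 can become a /16 without touching another region.
    for region, cidr in AUTO_MODE_SAMPLE.items():
        print(region, expand_subnet(cidr, 16, AUTO_MODE_SAMPLE.values()))
    # Constructed custom-mode plan with one overlap and one public range.
    plan = {"us-east1": ["10.0.0.0/24", "10.0.1.0/24"],
            "europe-west1": ["10.0.1.128/25", "192.0.2.0/24"]}
    for problem in validate_custom_plan(plan):
        print(problem)
```

Run it as a script to see the two planning errors reported; `validate_custom_plan` is what you would wire into a pre-deployment check before `gcloud compute networks subnets create`.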

Traffic Flow

  • Workloads connected to subnets within the same VPC-Network can communicate over their Internal IPs, regardless of region
  • Workloads connected to subnets in different VPC Networks communicate over their external IPs via the public-facing Google edge routers (the traffic stays on Google's backbone rather than traversing the Internet), unless the networks are joined with VPC Network Peering or Shared VPC, in which case internal IPs can be used
  • Customer sites can therefore connect to an entire VPC through a single VPN, because once connected, traffic inside the VPC is routed over the GCP private network only
  • Because subnets are regional they can cross zones i.e. workloads on a given subnet can be placed in any zone in that region

IP Addressing

  • Up to 2 IPs per VM: Internal and External
  • Internal IPs
    • Assigned by DHCP
    • Automatically added to network-scoped DNS
  • External IPs
    • Optional
    • Not visible to the VM itself, i.e. an instance only sees its internal IP address (the external address is translated by the VPC network)
    • Can be assigned from a pool (ephemeral) or reserved (static)
    • Unused external IPs, i.e. static addresses not attached to a VM or forwarding rule, are charged at a higher rate
    • Accessible from the Internet
    • DNS records can be published to an external public nameserver or an instance of Cloud DNS
  • IP Alias Ranges
    • Assign an additional internal IP range to a VM's primary network interface, alongside its primary internal IP
    • The alias range can be taken from a subnet's primary or secondary CIDR range
    • Containers running on a VM may use the alias range, for example (one alias IP per pod)
    • VPC routes towards the alias range are configured automatically by GCP
IP Alias (figure)

DNS Resolution

  • VM Hostname = Instance Name (name of the VM)
  • The metadata server (169.254.169.254) reachable from every instance acts as the internal DNS resolver and forwards queries it cannot answer to Google's public DNS servers
  • Mapping of Internal to External IPs is maintained by the VPC-Network
  • Internal FQDN:
    • Resolves to the internal IP: because that address is assigned by DHCP, the internal IP of an instance can change if it is deleted and re-created
    • Internal FQDN format: <hostname>.<zone>.c.<project-id>.internal
    • The FQDN does not change if the instance is re-created, so reference instances by name rather than by address
  • External IPs can have public DNS records assigned (not done automatically)
  • Zones can be hosted on an existing public DNS server or the GCP service: Cloud DNS
  • Cloud DNS is a managed DNS service hosted on GCP
  • Runs on Google's global network and provides a 100% uptime SLA
  • Scales to millions of DNS records updated from a UI, CLI or API

Routes

  • All networks have routes that permit traffic between subnets
  • A default route is used to direct traffic outside of the network
  • The default network has pre-configured firewall rules, including default-allow-internal, which permits all TCP, UDP and ICMP traffic between instances in the network (source range 10.128.0.0/9), as shown below
Default allow-all firewall rule (figure)
  • Whenever a subnet is added, a subnet route towards its range is automatically created in the VPC network's routing table, so you can think of the network as a router with one connected interface per subnet
  • Routes only make a path possible; a manually configured route must be accompanied by a suitable firewall rule or the traffic is still dropped
  • A manually configured route applies to all instances (VMs) in a network when no network tag is specified
  • If a tag is specified in the route, it applies only to VMs carrying that tag

Firewall Rules

  • A stateful distributed firewall is applied across all instances in a VPC network; it is enforced at each VM's network interface rather than at a choke point, so it also governs traffic between instances in the same subnet
  • Implied rules (priority 65535, the lowest possible, so any user-defined rule overrides them):
    • deny-all ingress
    • permit-all egress
  • Firewall rule fields:
    • Name: 63 characters max, starting with a lowercase letter; can include numbers and hyphens but must not end with a hyphen
    • Logs: enable or disable logging for the rule; be aware that large volumes of logs increase Stackdriver costs
    • Network: the VPC Network to which this rule applies
    • Priority: default = 1000; rules with a lower number have higher priority
    • Action on match: Allow or Deny
    • Targets: all instances in the network, specified target tags, or a specified service account
    • Source filter: IP ranges, source tags, or service account
    • Destination filter: IP ranges only
    • Protocols and ports: allow all, specific TCP and UDP ports, or other protocols e.g. icmp
    • Enforcement: enable or disable the rule

Firewall rule structure
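
The rule fields and evaluation order above are easiest to reason about in code. The following is an added Python model, not part of these notes or of any Google tooling: it encodes the rule fields from the table (plus a direction, which every GCP rule has but the table omits), the implied rules at priority 65535, the pre-populated rules of the default network as GCP creates them, and the documented evaluation order (lowest priority number first, first match decides, deny wins over allow at equal priority). The bastion range 10.128.0.0/20 and the hardening rules are constructed assumptions.

```python
"""Toy evaluator for GCP VPC firewall rules (added example, not from the notes).

Models: priority order, deny-beats-allow at equal priority, target tags,
source ranges / source tags, disabled rules, and the implied rules that
every network carries at priority 65535.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                # "INGRESS" or "EGRESS"
    action: str                   # "allow" or "deny"
    priority: int = 1000          # lower number = evaluated first
    ranges: tuple = ()            # source ranges (ingress) or destination ranges (egress)
    protocols: tuple = ("all",)   # "all", "icmp", "tcp:22", "udp:0-65535", "tcp:80,443"
    target_tags: tuple = ()       # empty = all instances in the network
    source_tags: tuple = ()       # ingress only: matched against the sender's tags
    disabled: bool = False        # Enforcement: disabled rules are skipped


# Implied rules present in every VPC network (lowest possible priority).
IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ("0.0.0.0/0",)),
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, ("0.0.0.0/0",)),
)

# Pre-populated rules of the "default" network, as created by GCP.
DEFAULT_NETWORK_RULES = (
    Rule("default-allow-internal", "INGRESS", "allow", 65534, ("10.128.0.0/9",),
         ("tcp:0-65535", "udp:0-65535", "icmp")),
    Rule("default-allow-ssh", "INGRESS", "allow", 65534, ("0.0.0.0/0",), ("tcp:22",)),
    Rule("default-allow-rdp", "INGRESS", "allow", 65534, ("0.0.0.0/0",), ("tcp:3389",)),
    Rule("default-allow-icmp", "INGRESS", "allow", 65534, ("0.0.0.0/0",), ("icmp",)),
)


def _protocol_matches(spec, proto, port):
    """Does one 'protocols and ports' entry cover this protocol/port?"""
    if spec == "all":
        return True
    name, _, ports = spec.partition(":")
    if name != proto:
        return False
    if not ports:                 # bare protocol such as "icmp" or "tcp"
        return True
    if port is None:
        return False
    for part in ports.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, direction, peer_ip, proto, port=None,
             instance_tags=(), peer_tags=()):
    """Return (action, rule_name) for one packet seen by one instance.

    direction: "INGRESS" (peer is the source) or "EGRESS" (peer is the destination)
    instance_tags: network tags of the protected instance (matched against Targets)
    peer_tags: network tags of the sending instance (matched against Source tags)
    """
    peer = ipaddress.ip_address(peer_ip)
    # Lowest priority number first; at equal priority a deny rule beats an allow.
    ordered = sorted(tuple(rules) + IMPLIED_RULES,
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if rule.disabled or rule.direction != direction:
            continue
        if rule.target_tags and not set(rule.target_tags) & set(instance_tags):
            continue
        by_range = any(peer in ipaddress.ip_network(c) for c in rule.ranges)
        by_tag = direction == "INGRESS" and bool(set(rule.source_tags) & set(peer_tags))
        unrestricted = not rule.ranges and not rule.source_tags  # GCP treats this as 0.0.0.0/0
        if not (by_range or by_tag or unrestricted):
            continue
        if not any(_protocol_matches(p, proto, port) for p in rule.protocols):
            continue
        return rule.action, rule.name
    raise AssertionError("unreachable: the implied rules match every packet")


# Hardening (constructed): a higher-priority pair narrows the default network's
# SSH-from-anywhere rule to an assumed bastion subnet, 10.128.0.0/20.
HARDENED_RULES = DEFAULT_NETWORK_RULES + (
    Rule("allow-ssh-from-bastion", "INGRESS", "allow", 900, ("10.128.0.0/20",), ("tcp:22",)),
    Rule("deny-ssh-from-internet", "INGRESS", "deny", 901, ("0.0.0.0/0",), ("tcp:22",)),
)

if __name__ == "__main__":
    # 203.0.113.7 is a TEST-NET-3 documentation address standing in for "the Internet".
    print(evaluate(DEFAULT_NETWORK_RULES, "INGRESS", "203.0.113.7", "tcp", 22))  # ('allow', 'default-allow-ssh')
    print(evaluate(HARDENED_RULES, "INGRESS", "203.0.113.7", "tcp", 22))         # ('deny', 'deny-ssh-from-internet')
    print(evaluate(HARDENED_RULES, "INGRESS", "10.128.0.9", "tcp", 22))          # ('allow', 'allow-ssh-from-bastion')
```

The hardened set shows the practical point of the priority field: because the default rules sit at 65534, any rule you add at the default priority of 1000 already wins, and you do not have to delete `default-allow-ssh` to neutralise it.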

Default Firewall Rules (figure)

Pricing

  • Ingress traffic is not charged unless it is processed by a chargeable GCP resource, e.g. a load balancer
  • Responses to requests are seen as Egress traffic and therefore charged
  • Egress traffic within a zone over Internal IPs is not charged i.e. traffic between VMs in the same zone over internal IPs
  • Egress traffic towards GCP services such as Drive, Maps, YouTube etc. is not charged
  • Egress traffic between zones over External IPs is chargeable
  • External IPs are charged
    • Unused Static IPs charged at a higher rate than others
    • Static IPs charged higher than ephemeral
    • Lower charge for ephemeral IPs attached to preemptible VMs
  • Up to date pricing information:
  • See also, pricing calculator to estimate costs: