VPC & Networking
Build networks on GCP with global VPCs, subnets, firewall rules, and load balancing.
Theory
A distinctive GCP feature: VPCs are global, not regional. One VPC spans all regions, and its subnets are regional. This simplifies multi-region architectures compared to clouds where you peer per-region networks.
Core pieces:
- VPC + subnets — global network, regional subnets (each a CIDR range)
- Firewall rules — VPC-level, stateful, allow/deny by tags/service accounts
- Cloud Router + Cloud NAT — outbound internet for private instances
- Cloud Load Balancing — including a global HTTP(S) load balancer with one anycast IP worldwide
Real-World Example
gcloud compute networks create app-vpc --subnet-mode=custom
gcloud compute networks subnets create web \
--network=app-vpc --region=europe-west1 --range=10.0.1.0/24
# Allow HTTPS to instances tagged "web"
gcloud compute firewall-rules create allow-https \
--network=app-vpc --allow=tcp:443 --target-tags=webHands-On Exercise
- Explain why a GCP VPC being global simplifies multi-region design.
- Create a custom-mode VPC with one regional subnet.
- Write a firewall rule (in words) allowing HTTPS only to web-tagged instances.
- Describe what Cloud NAT provides for private instances.
Cheat Sheet▾
| Component | Detail |
|---|---|
| VPC | Global network |
| Subnet | Regional CIDR range |
| Firewall rules | VPC-level, stateful, tag-based |
| Cloud NAT | Outbound for private VMs |
| Cloud Load Balancing | Incl. global HTTP(S) LB |
| Network tags | Target for firewall rules |
Common Interview Questions▾
How is a GCP VPC different from AWS/Azure networks?
GCP VPCs are global — a single VPC spans all regions, with regional subnets — whereas AWS/Azure networks are regional and must be peered across regions.
How do GCP firewall rules typically target workloads?
By network tags or service accounts rather than just IP ranges, so the policy follows the workload’s identity regardless of its address.
Official Documentation
📝 My notes on this topic
Auto-saves as you type