VPC Networks

A Virtual Private Cloud (VPC) network is the foundational networking construct in Google Cloud Platform. Every GCP project starts with a default VPC, and nearly every resource you deploy — Compute Engine instances, GKE clusters, Cloud SQL databases — lives inside a VPC. Understanding VPC networks is the first step toward designing secure, scalable architectures on GCP.


What Is a VPC Network?

A VPC network is a global, software-defined network that spans all GCP regions automatically. Unlike AWS or Azure, where a virtual network is regional, a GCP VPC is a global resource. This means a single VPC can contain subnets in different regions without any additional peering or gateway configuration.

Key characteristics of a GCP VPC:

  • Global scope — a VPC spans all available GCP regions. You do not need to create separate VPCs per region.
  • Project-scoped — a VPC belongs to a single GCP project (unless shared via Shared VPC or VPC Peering).
  • Isolated by default — resources in one VPC cannot communicate with resources in another VPC unless you explicitly configure peering, VPN, or Shared VPC.
  • No charge — there is no cost for creating a VPC itself, though egress traffic, load balancers, and other networking resources incur charges.

VPC Modes: Auto Mode vs Custom Mode

When you create a VPC you choose between two modes:

Auto Mode VPC

An auto mode VPC automatically creates one subnet in every GCP region. Each subnet uses a predefined CIDR range from the 10.128.0.0/9 block. When Google adds a new region, a new subnet is automatically added to auto mode VPCs.

| Characteristic | Detail |
|---|---|
| Subnet creation | Automatic — one per region |
| CIDR range | From 10.128.0.0/9 (e.g. 10.128.0.0/20 for us-central1) |
| Best for | Quick prototyping and development |
| Limitation | You cannot control the CIDR ranges |

Custom Mode VPC

A custom mode VPC starts with no subnets. You create subnets manually and choose the CIDR ranges. This gives you full control over IP addressing and is the recommended approach for production workloads.

| Characteristic | Detail |
|---|---|
| Subnet creation | Manual — you decide which regions and ranges |
| CIDR range | Any valid private range you choose |
| Best for | Production environments with planned IP schemes |
| Advantage | Full control over addressing, no wasted IP space |

Best practice: Always use custom mode VPCs for production. Auto mode VPCs waste IP space and can cause overlapping ranges when you need to peer with other networks.
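To make the overlap risk concrete, here is an added example that is not part of the lesson or of Google's tooling: a small Python check that compares planned subnet ranges across VPCs and flags custom mode subnets that sit inside the 10.128.0.0/9 auto mode block. The VPC names and all ranges except the quoted us-central1 subnet are constructed.

```python
# Added example for this lesson (not from the lesson or from Google): check planned
# subnet ranges for collisions before peering VPCs. Standard library only.
from ipaddress import IPv4Network, ip_network
from itertools import combinations

# Auto mode VPCs carve every regional subnet out of this block (per the lesson).
AUTO_MODE_BLOCK = IPv4Network("10.128.0.0/9")

# Constructed subnet plans. 'shared-auto' is an auto mode VPC whose us-central1
# range is the one the lesson quotes; all other names and ranges are invented.
PLANS = {
    "prod-custom": {"mode": "custom", "subnets": {
        "prod-us-central1": "10.10.0.0/20",
        "prod-europe-west1": "10.20.0.0/20"}},
    "analytics-custom": {"mode": "custom", "subnets": {
        "analytics-us-central1": "10.128.4.0/22",  # inside the auto mode block
        "analytics-europe-west1": "10.20.8.0/21"}},  # overlaps prod-europe-west1
    "shared-auto": {"mode": "auto", "subnets": {
        "default-us-central1": "10.128.0.0/20",
        "default-europe-west1": "10.132.0.0/20"}},
}

def find_overlaps(plans):
    """Return (vpc_a, subnet_a, vpc_b, subnet_b) for each pair of subnets in
    different VPCs whose ranges overlap; two such VPCs cannot be peered."""
    entries = [(vpc, name, ip_network(cidr))
               for vpc, spec in plans.items()
               for name, cidr in spec["subnets"].items()]
    return [(va, na, vb, nb)
            for (va, na, ca), (vb, nb, cb) in combinations(entries, 2)
            if va != vb and ca.overlaps(cb)]

def auto_mode_collisions(plans):
    """Return custom mode subnets inside 10.128.0.0/9: they will collide with
    any auto mode VPC peered later, even if nothing overlaps today."""
    return [(vpc, name)
            for vpc, spec in plans.items() if spec["mode"] == "custom"
            for name, cidr in spec["subnets"].items()
            if ip_network(cidr).overlaps(AUTO_MODE_BLOCK)]

if __name__ == "__main__":
    for hit in find_overlaps(PLANS):
        print("overlap:", *hit)
    for hit in auto_mode_collisions(PLANS):
        print("inside auto mode block:", *hit)
```

Run it against your own address plan before requesting peering; the second check is worth keeping even when no auto mode VPC exists yet, since any project's default network can become a peer later.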


Creating a VPC

Google Cloud Console

  1. Navigate to VPC networks in the Networking section.
  2. Click Create VPC network.
  3. Enter a name and select Custom as the subnet creation mode.
  4. Add subnets specifying region and CIDR range.
  5. Configure firewall rules or use the defaults.
  6. Click Create.

gcloud CLI

gcloud compute networks create my-vpc \
  --subnet-mode=custom \
  --bgp-routing-mode=regional

Terraform

resource "google_compute_network" "my_vpc" {
  name                    = "my-vpc"
  auto_create_subnetworks = false
  routing_mode            = "REGIONAL"
}

Routing

Every VPC has a built-in routing table. GCP automatically creates system-generated routes:

  • Subnet routes — created automatically for every subnet CIDR, enabling intra-VPC communication.
  • Default internet route — 0.0.0.0/0 via the default internet gateway, allowing outbound internet access.

You can also create custom static routes or use Cloud Router for dynamic routing with BGP.

BGP Routing Mode

A VPC can operate in two BGP routing modes:

  • Regional — Cloud Routers only learn routes for their region.
  • Global — Cloud Routers learn routes across all regions in the VPC.

Firewall Rules

VPC firewall rules control ingress and egress traffic to and from instances. By default, implied rules deny all ingress and allow all egress. Rules are enforced at the instance level: each rule applies to the instances selected by network tag or service account (or to every instance in the network) and matches traffic by source or destination IP range.


The Default Network

Every new GCP project comes with a default VPC in auto mode. It includes permissive firewall rules such as allowing SSH (port 22) and ICMP from all sources. For production projects, you should delete the default network and create a custom VPC with tighter security controls.


Summary

A GCP VPC network is a global, software-defined network that provides the connectivity backbone for all your cloud resources. Choose custom mode for production, plan your CIDR ranges carefully, and delete the default network in every project. With a well-designed VPC you get isolation, security, and seamless cross-region communication without the overhead of multi-region peering.