Google Virtual Private Cloud
Google Virtual Private Cloud (VPC) provides virtual networking for your GCP resources. Configure subnets, firewall rules, and routing to control communication between resources and manage the boundary with the public internet.
Architecture Diagram
You've deployed resources to the cloud, but without network boundaries your database could be exposed to the internet, or services could be unexpectedly blocked from talking to each other. You need the same network design you would do on-premises, without the physical hardware.
On-premises, adding network capacity meant submitting a purchase order for switches and routers — a process that often took weeks before hardware arrived. Provisioning a new subnet required physically cabling a switch into the right rack, configuring VLANs, and manually updating firewall rules on dedicated appliances. Every change went through change-advisory boards because mistakes in physical infrastructure were hard to roll back. When cloud computing made it possible to spin up hundreds of VMs in seconds, this physical model couldn't keep pace. You can't wait three weeks for a switch when an autoscaler needs a new subnet in minutes. Software-defined networking abstracted the physical layer: VPC provides the same isolation, routing, and access control that hardware used to deliver, but as configuration you can create, modify, and tear down through an API call.
A VPC divides its address space into subnets and controls traffic with firewall rules. Google Cloud VPCs are global: a single VPC can contain subnets in multiple regions, although each subnet itself is regional. Firewall rules are defined on the VPC and evaluated per VM (scoped with network tags or service accounts), and every VPC carries two implied rules, allow all egress and deny all ingress, so nothing reaches a VM until you explicitly allow it. Enabling Private Google Access on a subnet lets VMs without external IP addresses reach Google APIs such as Cloud Storage or BigQuery, with the traffic staying on Google's network rather than traversing the public internet, which reduces both latency and attack surface.
AWS VPCs are regional, whereas Google VPCs are global: a single VPC can hold subnets in every region, which simplifies multi-region deployments. When you need network isolation, create separate VPCs; when isolated VPCs need to communicate, connect them with VPC Network Peering. Peering is not transitive, so two VPCs that are each peered with a third cannot reach each other through it unless they are peered directly.
Essential for production network isolation, for exposing databases on private IPs only, and for hybrid connectivity with on-premises infrastructure. For a quick test that only exposes a public API, the default VPC is enough, but note that it ships with auto-mode subnets and permissive pre-created firewall rules (default-allow-ssh and default-allow-rdp accept TCP 22 and 3389 from 0.0.0.0/0), so it is not a place for production workloads.
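To make the firewall-rule evaluation described above concrete, here is an added example (not Google's code and not part of the original page) that models how VPC firewall rules decide a packet: direction, lowest priority number wins, deny beats allow at equal priority, the two implied rules at priority 65535, and target/source tags. It evaluates the same packets against the four rules Google pre-creates in the default network and against a hardened custom VPC. The hardened rule names, network tags (`app`, `db`, `ssh-via-iap`), VM addresses and the sample packets are constructed for illustration; the IAP TCP-forwarding range 35.235.240.0/20 and the default-network rules are Google's documented values.

```python
"""Model of GCP VPC firewall-rule evaluation (added example, not Google's code).

Semantics reproduced here, as documented for VPC firewall rules:
  * every rule is INGRESS or EGRESS and either allows or denies;
  * the matching rule with the lowest priority number wins (0 is highest);
  * at equal priority, deny takes precedence over allow;
  * every VPC carries two implied rules at priority 65535:
    allow all egress, deny all ingress;
  * source ranges and source tags on an ingress rule are OR-ed; target tags
    restrict which VMs a rule applies to (no target tags = every VM).
Rule sets, IPs and tags below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                        # "INGRESS" | "EGRESS"
    action: str                           # "allow" | "deny"
    priority: int = 1000
    protocols: frozenset = frozenset({"all"})
    ports: frozenset = frozenset()        # empty = all ports
    ranges: tuple = ()                    # source (ingress) / destination (egress) CIDRs
    source_tags: frozenset = frozenset()  # ingress only
    target_tags: frozenset = frozenset()  # empty = applies to every VM in the VPC


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int
    peer_ip: str                          # source IP (ingress) / destination IP (egress)
    peer_tags: frozenset = frozenset()    # network tags of the sending VM, if in this VPC
    vm_tags: frozenset = frozenset()      # network tags of the VM being evaluated


IMPLIED_RULES = (
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, ranges=("0.0.0.0/0",)),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ranges=("0.0.0.0/0",)),
)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule applies to this packet on this VM."""
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not rule.target_tags & pkt.vm_tags:
        return False
    if "all" not in rule.protocols and pkt.protocol not in rule.protocols:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    in_range = any(ip_address(pkt.peer_ip) in ip_network(r) for r in rule.ranges)
    by_tag = pkt.direction == "INGRESS" and bool(rule.source_tags & pkt.peer_tags)
    return in_range or by_tag


def evaluate(rules, pkt: Packet):
    """Return (action, rule_name) for the rule that decides this packet."""
    hits = [r for r in (*rules, *IMPLIED_RULES) if matches(r, pkt)]
    # lowest priority number first; at equal priority a deny sorts before an allow
    hits.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return hits[0].action, hits[0].name


# The four rules Google pre-creates in the "default" network (priority 65534).
DEFAULT_NETWORK = (
    Rule("default-allow-internal", "INGRESS", "allow", 65534,
         frozenset({"tcp", "udp", "icmp"}), ranges=("10.128.0.0/9",)),
    Rule("default-allow-ssh", "INGRESS", "allow", 65534,
         frozenset({"tcp"}), frozenset({22}), ("0.0.0.0/0",)),
    Rule("default-allow-rdp", "INGRESS", "allow", 65534,
         frozenset({"tcp"}), frozenset({3389}), ("0.0.0.0/0",)),
    Rule("default-allow-icmp", "INGRESS", "allow", 65534,
         frozenset({"icmp"}), ranges=("0.0.0.0/0",)),
)

# A hardened custom-mode VPC (this example's own design): no blanket internal
# rule, SSH only via IAP TCP forwarding (35.235.240.0/20) to VMs tagged
# "ssh-via-iap", and the database reachable only from VMs tagged "app".
# Everything else falls through to the implied deny-ingress rule.
HARDENED = (
    Rule("allow-iap-ssh", "INGRESS", "allow", 1000, frozenset({"tcp"}),
         frozenset({22}), ("35.235.240.0/20",), target_tags=frozenset({"ssh-via-iap"})),
    Rule("allow-app-to-db", "INGRESS", "allow", 1000, frozenset({"tcp"}),
         frozenset({5432}), source_tags=frozenset({"app"}), target_tags=frozenset({"db"})),
)

# Constructed sample packets, all evaluated on the database VM (tag "db").
INTERNET_TO_SSH = Packet("INGRESS", "tcp", 22, "203.0.113.7", vm_tags=frozenset({"db"}))
INTERNET_TO_DB = Packet("INGRESS", "tcp", 5432, "203.0.113.7", vm_tags=frozenset({"db"}))
APP_TO_DB = Packet("INGRESS", "tcp", 5432, "10.10.1.5", frozenset({"app"}), frozenset({"db"}))
WEB_TO_DB = Packet("INGRESS", "tcp", 5432, "10.10.2.9", frozenset({"web"}), frozenset({"db"}))
IAP_SSH = Packet("INGRESS", "tcp", 22, "35.235.240.10",
                 vm_tags=frozenset({"db", "ssh-via-iap"}))

if __name__ == "__main__":
    for label, pkt in [("internet->ssh", INTERNET_TO_SSH), ("internet->db", INTERNET_TO_DB),
                       ("app->db", APP_TO_DB), ("web->db", WEB_TO_DB), ("iap->ssh", IAP_SSH)]:
        print(f"{label:14} default={evaluate(DEFAULT_NETWORK, pkt)}  "
              f"hardened={evaluate(HARDENED, pkt)}")
```

The contrast to notice: on the default network `internet->ssh` is allowed by `default-allow-ssh`, while in the hardened VPC the same packet falls through to `implied-deny-ingress`; and `web->db` is denied even though both VMs sit in the same VPC, because the only rule opening 5432 is scoped to source tag `app`. A common mistake this model also exposes is adding an explicit `deny` from `0.0.0.0/0` at a higher priority than a tag-based allow: `0.0.0.0/0` matches internal sources too, so the deny wins and the internal allow is dead.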