GCP networking differs meaningfully from AWS and Azure. The most important distinction: GCP VPCs are global by default. A single VPC spans all regions, and subnets are regional constructs within that global VPC.
VPC (Virtual Private Cloud)
A VPC provides isolated private networking for your GCP resources. Key properties:
- Global scope: A VPC spans all Google Cloud regions. Resources in different regions can communicate privately without extra peering configuration.
- Shared VPC: A VPC can be shared across multiple projects (an organisation-level pattern for centralised networking).
- VPC Peering: Connect two VPCs privately, even across projects or organisations. Traffic stays on Google's network.
Subnets
Subnets are regional. You create a subnet in a region and assign it a CIDR IP range. VMs launched in that region can be placed in the subnet's address space.
- Each subnet is in exactly one region
- Subnets can span multiple zones within a region
- GCP supports subnet expansion — you can grow a subnet's CIDR range without downtime
Firewall Rules
GCP firewall rules are stateful (return traffic is automatically allowed) and applied at the instance level using network tags or service account targeting — not at the subnet level like AWS security groups or NACLs.
Key concepts:
- Rules apply to ingress (inbound) or egress (outbound) traffic
- Priority: lower number = higher priority (0–65535). Default rules have priority 65535.
- Target by network tag, service account, or all instances in the VPC
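To make the priority and targeting rules above concrete, here is an added Python model of how a GCP VPC evaluates its firewall rules against the first packet of a new connection (example code written for these notes, not Google's implementation). The rule set, addresses and network tags are constructed for illustration; the two implied rules at priority 65535 are the ones the page describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    priority: int           # 0-65535; a lower number wins
    direction: str          # "INGRESS" or "EGRESS"
    action: str             # "allow" or "deny"
    protocol: str           # "tcp", "udp", "icmp" or "all"
    ports: frozenset        # empty = every port
    ranges: tuple           # remote CIDRs: sources for INGRESS, destinations for EGRESS
    target_tags: frozenset  # empty = every instance in the VPC

# Implied rules present in every VPC: allow all egress, deny all ingress, both at 65535.
IMPLIED = (
    Rule("implied-allow-egress", 65535, "EGRESS", "allow", "all", frozenset(), ("0.0.0.0/0",), frozenset()),
    Rule("implied-deny-ingress", 65535, "INGRESS", "deny", "all", frozenset(), ("0.0.0.0/0",), frozenset()),
)

# Constructed sample rule set: SSH only from a corporate range to tagged admin hosts,
# an explicit lower-priority deny for SSH from anywhere else, and HTTPS to web hosts.
RULES = (
    Rule("allow-ssh-corp", 1000, "INGRESS", "allow", "tcp", frozenset({22}), ("203.0.113.0/24",), frozenset({"ssh-admin"})),
    Rule("deny-ssh-any", 2000, "INGRESS", "deny", "tcp", frozenset({22}), ("0.0.0.0/0",), frozenset()),
    Rule("allow-https-web", 1000, "INGRESS", "allow", "tcp", frozenset({443}), ("0.0.0.0/0",), frozenset({"web"})),
)

def evaluate(rules, direction, remote_ip, protocol, port, instance_tags):
    """Return (action, rule_name) for a new connection to/from an instance.
    Return traffic of an allowed connection is never evaluated: rules are stateful."""
    tags = frozenset(instance_tags)
    addr = ip_address(remote_ip)
    matches = []
    for r in tuple(rules) + IMPLIED:
        if r.direction != direction or (r.target_tags and not r.target_tags & tags):
            continue  # wrong direction, or the rule targets other instances
        if r.protocol not in ("all", protocol) or (r.ports and port not in r.ports):
            continue  # protocol or port does not match
        if any(addr in ip_network(c) for c in r.ranges):
            matches.append(r)
    # Lowest priority number wins; on an exact tie GCP lets a deny override an allow.
    best = min(matches, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name
```

Because the implied rules match every packet, `matches` is never empty; an instance without the `ssh-admin` tag falls through to `deny-ssh-any` even when the source is the corporate range.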
Cloud Load Balancing
GCP's load balancing is software-defined and globally distributed. Types:
| Type | Scope | Use Case |
|---|---|---|
| Global External HTTP(S) | Global | Web apps, APIs — L7 with URL routing, SSL offload, CDN |
| Global External TCP/SSL Proxy | Global | Non-HTTP TCP apps — terminates and proxies connections |
| Regional External TCP/UDP | Regional | L4 load balancing, pass-through |
| Internal HTTP(S) | Regional | Internal microservices, Envoy-based L7 |
| Internal TCP/UDP | Regional | Internal L4, pass-through |
GCP's global HTTP(S) Load Balancer is a single anycast IP that routes to the nearest healthy backend globally — no per-region load balancers needed.
Cloud DNS
Cloud DNS is a highly available, scalable authoritative DNS service. It supports public and private DNS zones, DNSSEC, and integrates with other GCP services.
Cloud NAT
Cloud NAT (Network Address Translation) allows VM instances without external IP addresses to make outbound internet connections. It does not accept unsolicited inbound connections from the internet, so instances get outbound access without exposing a public IP and without running a NAT gateway VM.
Cloud NAT is regional and works per VPC router. It's fully managed and scales automatically.
Hybrid Connectivity
| Option | Bandwidth | Best For |
|---|---|---|
| Cloud VPN | Up to 3 Gbps per tunnel | Encrypted IPsec to on-premises, lower cost |
| Cloud Interconnect (Dedicated) | 10–100 Gbps | Direct physical connection, highest throughput |
| Partner Interconnect | 50 Mbps–50 Gbps | Interconnect via a service provider |
| Cross-Cloud Interconnect | 10–100 Gbps | GCP to AWS/Azure direct connection |