Google Cloud Platform (GCP)
CHAPTER 06

Virtual Private Cloud (VPC) Networking

Updated: May 15, 2026
25 min read

1. Introduction

If you deploy a Web Server and a Database, they need to communicate. If you send that communication over the public internet, hackers will intercept it in seconds. In GCP, resources communicate securely through a Virtual Private Cloud (VPC). A VPC is a secure, isolated, private network dedicated entirely to your project. It is the virtual equivalent of laying down ethernet cables between your servers. In this chapter, we will master Subnets, Internal IP routing, and Firewall rules.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define a Virtual Private Cloud (VPC) network.
  • Understand the global nature of GCP VPCs vs. regional Subnets.
  • Differentiate between Default and Custom mode VPCs.
  • Differentiate between Internal (Private) and External (Public) IP addresses.
  • Author precise Firewall Rules using Network Tags.

3. Beginner-Friendly Explanation

Imagine a massive corporate office building (The VPC).
  • The Building (VPC): It is highly secure. You need a badge to get in.
  • The Floors (Subnets): The building has different floors. Floor 1 is in London. Floor 2 is in Tokyo.
  • The Desks (Internal IPs): Every employee on every floor has a desk phone with a 4-digit extension. An employee in London can dial 1234 and instantly reach an employee in Tokyo. This call never leaves the building. It is totally secure.
  • The Public Switchboard (External IP): If someone *outside* the building wants to call the CEO, they have to dial a public 1-800 number.
  • The Security Guards (Firewalls): Guards stand in the hallways checking badges. "Only employees from the Web Server department are allowed to walk into the Database department."

4. Global VPCs and Regional Subnets

A massive advantage of GCP over AWS is that a GCP VPC is Global. You create ONE network for your entire company. Inside that global network, you create Subnets in specific regions (e.g., subnet-london, subnet-tokyo). Because the VPC is global, a Virtual Machine in London can talk to a Virtual Machine in Tokyo using a completely secure, internal IP address! They do not need to traverse the public internet.

5. Default vs. Custom VPCs

When you create a GCP Project, Google automatically creates a network named default. It has a subnet pre-created in every single region globally, and extremely permissive firewall rules.
  • Beginners: Use the default network.
  • Professionals: Delete the default network immediately. In a production environment, you *always* create a Custom VPC so you have absolute control over the IP ranges and security boundaries.

6. Firewall Rules and Network Tags

By default, a VPC blocks ALL incoming (Ingress) traffic from the internet. You open holes in the firewall by creating Rules. Instead of applying a rule to a specific IP address (which can change), GCP uses Network Tags.
  1. You create a Firewall Rule: "Allow port 80 (HTTP) to any VM with the tag web-server".
  2. You create 50 Virtual Machines and simply type web-server in their tag box.
  3. The firewall automatically protects them all!

7. Mini Project: Create a Custom VPC Network

Let's build a secure, private network from scratch.

Step-by-Step Tutorial:

  1. In the GCP Console, navigate to VPC network > VPC networks.
  2. Click Create VPC Network.
  3. Name: my-custom-vpc
  4. Subnet creation mode: Choose Custom.
  5. New subnet:
  • Name: subnet-us-central
  • Region: us-central1
  • IPv4 range: 10.0.1.0/24 (This provides 256 internal IP addresses)
  • Click Done.
  6. Click Create. (Wait 1 minute for the network to build).
  7. Now, we need a Firewall rule. Navigate to VPC network > Firewall.
  8. Click Create Firewall Rule.
  • Name: allow-custom-ssh
  • Network: Select my-custom-vpc
  • Target tags: type allow-ssh
  • Source IPv4 ranges: 0.0.0.0/0 (This means ANY IP on the internet)
  • Protocols and ports: Check tcp and type 22 (The port for SSH).
  9. Click Create.
  10. If you create a VM now, put it in my-custom-vpc, and give it the tag allow-ssh, you will be able to log into it securely!

8. Real-World Scenarios

A bank deploys a 3-tier architecture: Frontend, Backend API, and Database. They place all 3 tiers in a Custom VPC. Only the Frontend VMs are given External Public IPs. The Backend and Database VMs have NO public IPs whatsoever; they cannot be reached directly from the internet at all. The Cloud Engineer creates a Firewall Rule stating: "The Database VMs will only accept traffic coming from VMs possessing the backend-api network tag." This creates an impenetrable security perimeter.
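The tag-based rules from sections 6 and 7 and the bank's backend-api rule above can be checked against a small model of how GCP decides on an incoming packet: the implied deny-all-ingress rule that every VPC carries, allow rules that pick their targets by Network Tag, sources matched either by IPv4 range or by source tag, and lowest-number-wins priority. The Python below is an added example written for this chapter, not code from GCP or from the chapter's author; it assumes a database port of 5432, constructed VM names, tags and addresses, and a constructed admin range 198.51.100.0/24 for a narrowed SSH rule (the tutorial's 0.0.0.0/0 source opens port 22 to every address on the internet, so hardened_ssh_rule shows the same rule restricted to one range). Egress rules, hierarchical policies and service accounts as targets are deliberately not modelled.

```python
"""Toy model of how a GCP VPC firewall decides on an ingress packet.

Added example, not GCP's own code: implied deny-all-ingress, allow rules
matched to VMs by target tag, sources matched by IPv4 range or source tag,
and lowest-number-wins priority. Names, IPs and the DB port are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    protocol: str                         # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()        # empty = all ports
    target_tags: frozenset = frozenset()  # empty = every VM in the network
    source_ranges: tuple = ()             # CIDR strings
    source_tags: frozenset = frozenset()
    priority: int = 1000                  # 0-65535, lower number wins


@dataclass(frozen=True)
class Vm:
    name: str
    internal_ip: str
    tags: frozenset = frozenset()


# GCP adds this to every VPC: deny all ingress at the lowest priority.
IMPLIED_DENY_INGRESS = Rule("implied-deny-ingress", "deny", "all", priority=65535)


def rule_matches(rule, dest_vm, src_ip, src_vm, protocol, port):
    """True if the rule applies to a packet from src_ip arriving at dest_vm."""
    if rule.target_tags and not (rule.target_tags & dest_vm.tags):
        return False
    if rule.protocol not in ("all", protocol):
        return False
    if rule.ports and port not in rule.ports:
        return False
    # Source filter: a listed range OR a listed source tag is enough.
    # A rule with neither applies to every source (the implied rule).
    if not rule.source_ranges and not rule.source_tags:
        return True
    if any(ip_address(src_ip) in ip_network(r) for r in rule.source_ranges):
        return True
    return src_vm is not None and bool(rule.source_tags & src_vm.tags)


def evaluate_ingress(rules, dest_vm, src_ip, protocol, port, src_vm=None):
    """Return 'allow' or 'deny': the matching rule with the lowest priority
    number wins; the implied deny rule always matches as the last resort."""
    matching = [r for r in list(rules) + [IMPLIED_DENY_INGRESS]
                if rule_matches(r, dest_vm, src_ip, src_vm, protocol, port)]
    return min(matching, key=lambda r: r.priority).action


# Section 7's rule: SSH to any VM tagged allow-ssh, from anywhere on the internet.
ALLOW_CUSTOM_SSH = Rule("allow-custom-ssh", "allow", "tcp", frozenset({22}),
                        target_tags=frozenset({"allow-ssh"}),
                        source_ranges=("0.0.0.0/0",))

# Section 8's rule: database VMs accept the DB port (5432 assumed) only from
# VMs carrying the backend-api tag, never from an IP range.
ALLOW_DB_FROM_BACKEND = Rule("allow-db-from-backend", "allow", "tcp", frozenset({5432}),
                             target_tags=frozenset({"database"}),
                             source_tags=frozenset({"backend-api"}))

RULES = [ALLOW_CUSTOM_SSH, ALLOW_DB_FROM_BACKEND]

# Constructed VMs in subnet 10.0.1.0/24 and a constructed external client.
WEB = Vm("web-1", "10.0.1.10", frozenset({"allow-ssh", "frontend"}))
API = Vm("api-1", "10.0.1.20", frozenset({"backend-api"}))
DB = Vm("db-1", "10.0.1.30", frozenset({"database"}))
INTERNET_CLIENT = "203.0.113.5"


def hardened_ssh_rule(admin_cidr):
    """The same SSH rule with its source narrowed from 0.0.0.0/0 to one
    admin range, so port 22 is no longer open to the whole internet."""
    return Rule("allow-custom-ssh", "allow", "tcp", frozenset({22}),
                target_tags=frozenset({"allow-ssh"}), source_ranges=(admin_cidr,))


def demo():
    """Decisions for the packets the chapter talks about."""
    return {
        "ssh_to_tagged_vm": evaluate_ingress(RULES, WEB, INTERNET_CLIENT, "tcp", 22),
        "ssh_to_untagged_vm": evaluate_ingress(RULES, DB, INTERNET_CLIENT, "tcp", 22),
        "db_from_internet": evaluate_ingress(RULES, DB, INTERNET_CLIENT, "tcp", 5432),
        "db_from_backend": evaluate_ingress(RULES, DB, API.internal_ip, "tcp", 5432, src_vm=API),
        "db_from_frontend": evaluate_ingress(RULES, DB, WEB.internal_ip, "tcp", 5432, src_vm=WEB),
    }
```

Calling demo() shows the two points the chapter makes: the tag, not the IP, decides who may be reached (the untagged database VM refuses SSH even though the rule allows it "from anywhere"), and the database answers only the VM that carries backend-api, so even the frontend VM in the same subnet is denied. Swapping ALLOW_CUSTOM_SSH for hardened_ssh_rule("198.51.100.0/24") keeps SSH working from that range and denies it from every other address.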

9. Best Practices

  • Cloud NAT: If your Database VMs have no External Public IP, how do they download software updates from the internet? You configure Cloud NAT (Network Address Translation). Cloud NAT allows private VMs to reach *out* to the internet to download updates, but strictly blocks the internet from reaching *in*.

10. Common Mistakes

  • Overlapping IP Ranges: If your company is trying to connect your GCP VPC to your on-premise corporate office via a VPN, the IP ranges cannot overlap! If your corporate office uses 10.0.0.0/16, and you accidentally create your GCP Subnet with 10.0.0.0/24, the routing will completely fail. Always plan your IP CIDR blocks carefully.
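The overlap mistake above is cheap to catch before a subnet is ever created. The Python below is an added example, not GCP tooling or the chapter's own code: it uses the standard ipaddress module to refuse a proposed range that overlaps anything already in use (the on-premises network reachable over VPN, or subnets already in the VPC) and reports how many addresses a range really leaves for VMs, since GCP reserves four addresses in every IPv4 subnet (network, gateway, second-to-last, broadcast). The in-use ranges are constructed; note that section 7's 10.0.1.0/24 would clash just as badly as 10.0.0.0/24 if an office using 10.0.0.0/16 were later connected.

```python
"""Pre-flight checks for a proposed GCP subnet range.

Added example, not GCP's own tooling. Rejects a range that overlaps anything
already in use and reports usable addresses. All ranges are constructed.
"""
from ipaddress import ip_network

# Every GCP IPv4 subnet reserves four addresses: the network address, the
# gateway (second address), the second-to-last address and the broadcast.
GCP_RESERVED_PER_SUBNET = 4


def find_overlaps(proposed, existing):
    """Existing ranges that overlap the proposed one; an empty list means it is safe."""
    new = ip_network(proposed)  # strict by default: host bits set -> ValueError
    return [r for r in existing if ip_network(r).overlaps(new)]


def usable_vm_addresses(cidr):
    """Addresses in the range minus the four that GCP reserves."""
    return ip_network(cidr).num_addresses - GCP_RESERVED_PER_SUBNET


def plan_subnet(proposed, existing):
    """Decide whether `proposed` can be created next to the `existing` ranges.
    A malformed range such as 10.0.1.5/24 is rejected as well."""
    try:
        clashes = find_overlaps(proposed, existing)
    except ValueError as err:
        return {"ok": False, "error": str(err)}
    if clashes:
        return {"ok": False, "conflicts": clashes}
    return {"ok": True, "usable_addresses": usable_vm_addresses(proposed)}


# Constructed address plan: the corporate office uses 10.0.0.0/16 over VPN
# and the VPC already has one subnet.
IN_USE = ["10.0.0.0/16", "10.8.0.0/24"]

# Section 10's mistake: 10.0.0.0/24 sits inside the office's 10.0.0.0/16.
BAD_PLAN = plan_subnet("10.0.0.0/24", IN_USE)
# A range outside every existing block: 256 addresses, 252 usable by VMs.
GOOD_PLAN = plan_subnet("10.1.0.0/24", IN_USE)
```

BAD_PLAN comes back with the conflicting office range listed, GOOD_PLAN with 252 usable addresses. Keeping IN_USE in version control alongside the subnet definitions turns the "plan your CIDR blocks carefully" advice into a check that runs on every change.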

11. Exercises

  1. What is the architectural benefit of GCP VPCs being global rather than regional?
  2. Explain the purpose of a Network Tag in GCP Firewall configuration.

12. FAQs

Q: Do I pay for the VPC network itself? A: No, creating the VPC structure (Subnets, Firewalls, Routes) is completely free. You only pay for the resources you put *inside* the VPC (like VMs) and the actual data (Network Egress) that flows out of it.

13. Interview Questions

  • Q: Contrast the Default VPC mode with the Custom VPC mode. Why is relying on the Default VPC considered a critical security anti-pattern in an enterprise production environment?
  • Q: Describe the architectural flow of isolating a backend database. How do you utilize Subnets, Firewall Rules, Network Tags, and the absence of External IPs to create a zero-trust network perimeter?

14. Summary

In Chapter 6, we secured our infrastructure's foundation. We replaced the chaotic public internet with a highly secure, private Virtual Private Cloud (VPC). We rejected the pre-configured Default network to architect a Custom VPC, explicitly defining our own Subnet IP ranges. Finally, we mastered the mechanics of GCP Firewalls, utilizing dynamic Network Tags to selectively permit traffic, ensuring our servers remain impenetrable to unauthorized access.

15. Next Chapter Recommendation

Our servers are secure, but what if one crashes? Or what if 10,000 users visit our site simultaneously? We need to distribute the load. Proceed to Chapter 7: Load Balancing and High Availability.
