Intermediate: Lesson 5 of 12

Networking

Design global VPCs, subnets, firewall rules, load balancers, and DNS for scalable, secure applications.

Simple Explanation (ELI5)

GCP VPC (Virtual Private Cloud) is your private network in the cloud. You create subnets (like office departments) and attach VMs. Firewall rules control traffic (like network access lists). Load balancers distribute traffic across multiple servers. Cloud DNS manages domain names. Together, they let you build complex, resilient network architectures.

Why VPC?

Technical Explanation

1. VPC & Subnets

A VPC is a global resource. Subnets are regional and contain IP ranges. VMs in a subnet can communicate directly (same project, same VPC).

```bash
# Create a VPC
gcloud compute networks create my-vpc --subnet-mode=custom

# Create a subnet in us-central1
gcloud compute networks subnets create us-subnet \
  --network=my-vpc \
  --region=us-central1 \
  --range=10.0.0.0/24

# Create a subnet in europe-west1
gcloud compute networks subnets create eu-subnet \
  --network=my-vpc \
  --region=europe-west1 \
  --range=10.1.0.0/24

# Create a VM in the subnet
gcloud compute instances create my-vm \
  --zone=us-central1-a \
  --subnet=us-subnet \
  --machine-type=n1-standard-1
```

2. Firewall Rules

Firewall rules control inbound and outbound traffic. They are defined at the VPC network level and enforced on every VM in that network. A rule has: direction (ingress/egress), action (allow/deny), source/destination ranges, protocol and port, and a priority (lower number wins).

```bash
# Allow SSH from anywhere (0.0.0.0/0 exposes port 22 to the whole internet;
# narrow --source-ranges to a bastion or IAP range in production)
gcloud compute firewall-rules create allow-ssh \
  --network=my-vpc \
  --allow=tcp:22 \
  --source-ranges=0.0.0.0/0

# Allow HTTP/HTTPS
gcloud compute firewall-rules create allow-http-https \
  --network=my-vpc \
  --allow=tcp:80,tcp:443 \
  --source-ranges=0.0.0.0/0

# Deny all egress to a specific IP (--rules is required together with --action;
# priority 900 takes precedence over the implied allow-egress rule at 65535)
gcloud compute firewall-rules create deny-egress \
  --network=my-vpc \
  --direction=EGRESS \
  --action=DENY \
  --rules=all \
  --destination-ranges=203.0.113.0/32 \
  --priority=900
```
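As an added example (not part of the lesson), a small POSIX shell audit that flags ingress rules open to 0.0.0.0/0 on management ports, run over a constructed CSV with the fields name,direction,sourceRanges,allowed; the rule names and ranges are sample data, and 35.235.240.0/20 is the IAP TCP-forwarding range.

```shell
# Constructed sample rules (name,direction,sourceRanges,allowed); "allowed" joins
# protocol:port entries with ';'. Not real gcloud output, just the same fields.
RULES='allow-ssh,INGRESS,0.0.0.0/0,tcp:22
allow-http-https,INGRESS,0.0.0.0/0,tcp:80;tcp:443
allow-rdp,INGRESS,0.0.0.0/0,tcp:3389
allow-ssh-iap,INGRESS,35.235.240.0/20,tcp:22
allow-ssh-office,INGRESS,198.51.100.0/24,tcp:22
deny-egress,EGRESS,,all'

# Print the name of every ingress rule that exposes SSH, RDP, all TCP or all
# protocols to the whole internet. Port ranges such as tcp:20-25 are not
# expanded here (kept simple on purpose).
audit_rules() {
  while IFS=, read -r name direction src allowed; do
    [ -z "$name" ] && continue
    [ "$direction" = "INGRESS" ] || continue
    [ "$src" = "0.0.0.0/0" ] || continue
    case ";$allowed;" in
      *";tcp:22;"*|*";tcp:3389;"*|*";tcp;"*|*";all;"*) echo "$name" ;;
    esac
  done <<EOF
$1
EOF
}

# Prints allow-ssh and allow-rdp, one per line.
audit_rules "$RULES"
```

To run it against a real project, feed it the same four fields exported from `gcloud compute firewall-rules list` in CSV form.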

3. Load Balancers

Load balancers are global (HTTP/HTTPS, TCP/UDP) or regional (internal) and distribute traffic to backend instances or services.

```bash
# Health check used by the backend service below
gcloud compute health-checks create http my-health-check --port=80

# Reserve the global IP address the forwarding rule will use
gcloud compute addresses create my-ip --global

# Create a global HTTP load balancer
gcloud compute backend-services create my-backend \
  --protocol=HTTP \
  --global \
  --health-checks=my-health-check

# Attach an instance group as a backend (group name is a placeholder)
gcloud compute backend-services add-backend my-backend \
  --global \
  --instance-group=MY-INSTANCE-GROUP \
  --instance-group-zone=us-central1-a

gcloud compute url-maps create my-loadbalancer \
  --default-service=my-backend

gcloud compute target-http-proxies create my-proxy \
  --url-map=my-loadbalancer

gcloud compute forwarding-rules create my-forwarding-rule \
  --global \
  --target-http-proxy=my-proxy \
  --address=my-ip \
  --ports=80
```

4. Cloud DNS

Managed DNS service. Create zones and manage DNS records.

```bash
# Create a DNS zone
gcloud dns managed-zones create my-zone \
  --dns-name=example.com. \
  --description="My DNS zone"

# Add A record pointing to load balancer
gcloud dns record-sets transaction start --zone=my-zone
gcloud dns record-sets transaction add 35.201.123.45 \
  --name=example.com. \
  --ttl=300 \
  --type=A \
  --zone=my-zone
gcloud dns record-sets transaction execute --zone=my-zone
```

Network Architecture Best Practices

Interview Questions

Beginner

What is a VPC?

Virtual Private Cloud is your isolated network space in GCP. Subnets within a VPC can communicate. VPCs are global; subnets are regional.

What is the difference between an ingress and egress firewall rule?

Ingress controls inbound traffic (to your VMs). Egress controls outbound traffic (from your VMs). By default, all ingress is denied and all egress is allowed.

What is a load balancer?

A load balancer distributes incoming traffic across multiple backend instances. It improves availability (failover, so there is no single point of failure) and performance (load is spread across backends).

What is Cloud DNS?

Managed DNS service. Create zones for your domain and manage DNS records (A, CNAME, MX, etc.). DNS queries route to Google's globally distributed name servers.

Can VMs in different subnets communicate?

Yes, if in the same VPC. Subnets in the same VPC are directly routable. Firewall rules still apply.

Intermediate

What is the default route created when you make a VPC?

A default route to the internet gateway (0.0.0.0/0). All traffic from VMs goes through this unless a more specific route matches: the longest matching prefix wins, and between routes with the same prefix the lower priority number wins.
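As an added example (not from the lesson), a POSIX shell model of that route selection over a constructed route table for the VPC built above: the two subnet routes are the ones GCP creates automatically, default-route is the implied internet route, and egress-via-proxy is a hypothetical custom 0.0.0.0/0 route with priority 900.

```shell
# Convert a dotted-quad IPv4 address to an integer (helper for prefix matching).
ip2int() {
  echo "$1" | awk -F. '{ print $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Constructed route table: "name destination priority next_hop".
ROUTES='subnet-us 10.0.0.0/24 0 subnet-us-subnet
subnet-eu 10.1.0.0/24 0 subnet-eu-subnet
default-route 0.0.0.0/0 1000 default-internet-gateway
egress-via-proxy 0.0.0.0/0 900 instance-proxy-vm'

# Print the name of the route GCP would pick for a destination IP:
# longest matching prefix first, then the lowest priority number.
select_route() {
  dst=$(ip2int "$1")
  best=none; best_len=-1; best_pri=65536
  while read -r name cidr pri hop; do
    [ -z "$name" ] && continue
    net=${cidr%/*}; len=${cidr#*/}
    # /0 matches everything; otherwise build the netmask from the prefix length
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] || continue
    if [ "$len" -gt "$best_len" ] || { [ "$len" -eq "$best_len" ] && [ "$pri" -lt "$best_pri" ]; }; then
      best=$name; best_len=$len; best_pri=$pri
    fi
  done <<EOF
$ROUTES
EOF
  echo "$best"
}

select_route 10.1.0.5   # subnet-eu: most specific prefix wins
select_route 8.8.8.8    # egress-via-proxy: same /0 prefix, priority 900 beats 1000
```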

How do you prevent a VM from accessing the internet?

Remove the internet gateway route or use Cloud NAT. Also, assign no public IP to the VM. Without a public IP and only private IPs, VMs cannot initiate outbound internet traffic.

What is Cloud NAT?

Network Address Translation. VMs without public IPs can access the internet through a NAT gateway. Outbound traffic is NAT'd; inbound unsolicited traffic is blocked.

Real-world Scenarios

Scenario 1: Multi-tier Application

Web tier in public subnet (with public IPs), app tier in private subnet (no public IPs), database tier isolated. Load balancer distributes traffic to web tier. Firewall rules restrict app-to-database to port 5432 only.

Scenario 2: Hybrid Cloud

On-premises network connects to GCP via Cloud Interconnect (dedicated, expensive) or VPN (cheaper but variable latency). VMs in GCP can reach on-premises resources as if local.

Summary

VPC, subnets, firewalls, load balancers, and DNS form the foundation of GCP networking. A well-designed network isolates resources, enforces access control, distributes load, and handles global traffic. Always start with network design before provisioning compute.