A Virtual Private Cloud (VPC) network is the foundational networking construct in Google Cloud Platform. Every GCP project starts with a default VPC, and nearly every resource you deploy — Compute Engine instances, GKE clusters, Cloud SQL databases — lives inside a VPC. Understanding VPC networks is the first step toward designing secure, scalable architectures on GCP.
A VPC network is a global, software-defined network that spans all GCP regions automatically. Unlike AWS or Azure, where a virtual network is regional, a GCP VPC is a global resource. This means a single VPC can contain subnets in different regions without any additional peering or gateway configuration.
Key characteristics of a GCP VPC:
When you create a VPC you choose between two subnet modes, auto mode and custom mode:
An auto mode VPC automatically creates one subnet in every GCP region. Each subnet uses a predefined CIDR range from the 10.128.0.0/9 block, and the same ranges are used by every auto mode network in every project. When Google adds a new region, a new subnet is automatically added to every auto mode VPC. An auto mode network can be converted to custom mode later, but the change is one way: a custom mode network cannot be converted back.
| Characteristic | Detail |
|---|---|
| Subnet creation | Automatic — one per region |
| CIDR range | From 10.128.0.0/9 (e.g. 10.128.0.0/20 for us-central1) |
| Best for | Quick prototyping and development |
| Limitation | You cannot choose the CIDR ranges; every auto mode network draws from the same 10.128.0.0/9 block, so two auto mode networks always overlap |
A custom mode VPC starts with no subnets. You create subnets manually and choose the CIDR ranges. This gives you full control over IP addressing and is the recommended approach for production workloads.
| Characteristic | Detail |
|---|---|
| Subnet creation | Manual — you decide which regions and ranges |
| CIDR range | Any valid range you choose, typically from RFC 1918 space |
| Best for | Production environments with planned IP schemes |
| Advantage | Full control over addressing, no wasted IP space |
Best practice: always use custom mode VPCs for production. An auto mode VPC allocates a subnet in every region whether you use it or not, and because every auto mode network uses the same 10.128.0.0/9 ranges, two of them can never be peered or connected over VPN or Interconnect without overlapping addresses. Planning your own ranges up front is what keeps later peering and hybrid connectivity possible.
Creating a custom mode VPC with gcloud:

```bash
# --subnet-mode=custom: no subnets are created for you; add them per region afterwards.
# --bgp-routing-mode=regional: Cloud Routers only advertise/apply routes in their own region.
gcloud compute networks create my-vpc \
  --subnet-mode=custom \
  --bgp-routing-mode=regional
```

The same network declared in Terraform; `auto_create_subnetworks = false` is what makes it custom mode:

```hcl
resource "google_compute_network" "my_vpc" {
  name                    = "my-vpc"
  auto_create_subnetworks = false      # custom mode: subnets are declared separately
  routing_mode            = "REGIONAL" # dynamic routing mode, same as --bgp-routing-mode
}
```
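Before creating the subnets of a custom mode VPC it is worth checking the address plan as a whole. The following added example (not code from the lesson) validates a region-to-CIDR plan: every range must be a proper network, no two ranges may overlap, and none may fall inside the auto mode block 10.128.0.0/9, so that the VPC can still be peered with an auto mode network later. It then emits the `gcloud compute networks subnets create` commands for a clean plan. The region names, ranges and the `my-vpc` network name are constructed for illustration.

```python
"""Sanity-check a custom mode subnet plan before creating the subnets.

Added example for this lesson, not part of the original page. The region
names, CIDRs and the my-vpc network name are constructed for illustration.
"""
import ipaddress

# The block auto mode networks carve their subnets from, per the lesson.
AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")


def check_subnet_plan(plan, reserved=(AUTO_MODE_BLOCK,)):
    """Validate a {region: cidr} plan for a custom mode VPC.

    Returns a list of problem strings (empty means the plan is clean):
    - a range that is not a valid network (host bits set, bad syntax);
    - two subnets in the plan that overlap (GCP rejects this within a VPC);
    - a subnet that overlaps a reserved block; by default the auto mode
      block, so the VPC can still be peered with an auto mode network later.
    """
    problems = []
    nets = {}
    for region, cidr in plan.items():
        try:
            nets[region] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{region}: {cidr} is not a valid network ({exc})")
    regions = sorted(nets)
    for i, a in enumerate(regions):
        for b in regions[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
        for block in reserved:
            if nets[a].overlaps(block):
                problems.append(f"{a} {nets[a]} overlaps reserved block {block}")
    return problems


def subnet_commands(network, plan):
    """Return the gcloud commands that create the planned subnets (strings, not executed)."""
    return [
        f"gcloud compute networks subnets create {network}-{region} "
        f"--network={network} --region={region} --range={cidr} "
        f"--enable-private-ip-google-access --enable-flow-logs"
        for region, cidr in sorted(plan.items())
    ]


# Constructed plans: one clean, one with every kind of mistake.
GOOD_PLAN = {"us-central1": "10.10.0.0/20", "europe-west1": "10.10.16.0/20"}
BAD_PLAN = {
    "us-central1": "10.128.0.0/20",   # inside the auto mode block
    "us-east1": "10.10.0.0/16",       # swallows europe-west1's range
    "europe-west1": "10.10.16.0/20",
    "asia-east1": "10.20.0.1/24",     # host bits set
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        problems = check_subnet_plan(plan)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
    print("\n".join(subnet_commands("my-vpc", GOOD_PLAN)))
```

The generated commands also turn on Private Google Access and VPC Flow Logs for each subnet, two settings most production subnets should have from day one; drop those flags if your plan differs.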
Every VPC has a built-in routing table. GCP creates system-generated routes for you:

- A subnet route for each subnet's primary (and secondary) range, so instances in the same VPC reach each other over internal IPs regardless of region.
- A default route, 0.0.0.0/0 with next hop default-internet-gateway at priority 1000, which allows outbound internet access from instances that have an external IP or sit behind Cloud NAT.

Deleting the default route removes direct internet egress from the whole VPC (Cloud NAT depends on it too). You can also create custom static routes or use Cloud Router for dynamic routing with BGP. When several routes match a destination, the most specific prefix wins; among routes of equal specificity the lowest priority number wins, and exact ties are load-balanced.
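To make the selection order concrete, here is an added example (not code from the lesson) that models a VPC routing table with the system routes plus two custom ones and picks the route a packet would take: longest prefix first, then lowest priority number. It also shows what happens when the default route is removed. The subnet ranges, route names and next hops are constructed.

```python
"""Simulate VPC route selection: longest prefix match, then lowest priority number.

Added example for this lesson, not part of the original page; the routing
table below is constructed and the next-hop labels are illustrative.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str             # destination range
    next_hop: str         # e.g. "default-internet-gateway", "subnet", "instance/nat-gw"
    priority: int = 1000  # GCP default priority; lower number wins

    @property
    def network(self):
        return ipaddress.ip_network(self.dest)


# Constructed routing table: the system routes every VPC gets, plus two custom routes.
ROUTES = [
    Route("subnet-us-central1", "10.10.0.0/20", "subnet"),
    Route("subnet-europe-west1", "10.10.16.0/20", "subnet"),
    Route("default-route", "0.0.0.0/0", "default-internet-gateway", 1000),
    # Custom static route steering all egress through a NAT/inspection VM. Both
    # /0 routes are equally specific, so only the lower priority number (900)
    # makes it win over the system default route.
    Route("egress-via-nat", "0.0.0.0/0", "instance/nat-gw", 900),
    # Custom route towards an on-prem range over a VPN tunnel.
    Route("to-onprem", "192.168.0.0/16", "vpn-tunnel/onprem", 1000),
]


def select_route(dest_ip, routes=ROUTES):
    """Return the route a VPC would use for dest_ip, or None if nothing matches.

    Most specific (longest prefix) destination first; among equally specific
    routes the lowest priority number wins. Exact ties are ECMP in GCP; here
    the first one defined is returned.
    """
    addr = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    best_prefix = max(r.network.prefixlen for r in candidates)
    most_specific = [r for r in candidates if r.network.prefixlen == best_prefix]
    return min(most_specific, key=lambda r: r.priority)


def without(routes, *names):
    """Routing table with the named routes removed, e.g. after deleting the default route."""
    return [r for r in routes if r.name not in names]


if __name__ == "__main__":
    for ip in ("10.10.3.7", "8.8.8.8", "192.168.5.5"):
        r = select_route(ip)
        print(f"{ip:>14} -> {r.name} via {r.next_hop}")
    locked_down = without(ROUTES, "default-route", "egress-via-nat")
    print("8.8.8.8 with no /0 route ->", select_route("8.8.8.8", locked_down))
```

Note that a custom 0.0.0.0/0 route at the default priority of 1000 would tie with the system default route rather than replace it; either lower its priority number, as above, or delete the default route.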
A VPC's dynamic routing mode (the --bgp-routing-mode / routing_mode setting above) determines what the Cloud Routers in the network learn and advertise over BGP:

- regional (the default): a Cloud Router advertises only the subnets in its own region, and routes it learns apply only to that region.
- global: Cloud Routers advertise subnets from all regions, and learned routes apply to the whole VPC.
VPC firewall rules control ingress and egress traffic at each instance's network interface, not at a perimeter device, so they also govern traffic between two instances in the same subnet. Every VPC carries two implied rules at the lowest priority (65535): deny all ingress and allow all egress. They cannot be deleted, only outranked. A rule you add has a priority from 0 to 65535 (lower number wins; at equal priority a deny beats an allow), a direction, an action, a protocol and port filter, a set of targets (all instances, network tags or service accounts) and a set of sources for ingress or destinations for egress, given as IP ranges, tags or service accounts.
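The ordering rules are easy to get wrong, so here is an added example (not code from the lesson) that evaluates a small constructed rule set the way GCP does: it collects the rules that apply to a connection, picks the lowest priority number, lets a deny win a tie, and falls back to the implied rules. Only IP-range sources and destinations are modelled; source tags and service accounts are left out.

```python
"""Evaluate VPC firewall rules the way GCP orders them: lowest priority number
first, deny beats allow on a tie, implied rules at 65535 as the fallback.

Added example for this lesson, not part of the original page; the rule set,
tags and IP ranges are constructed. Source tags and service accounts are not
modelled, only source/destination IP ranges.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    direction: str                   # "INGRESS" or "EGRESS"
    action: str                      # "allow" or "deny"
    priority: int = 1000             # 0..65535, lower number evaluated first
    ranges: list = field(default_factory=lambda: ["0.0.0.0/0"])     # sources (ingress) / destinations (egress)
    target_tags: list = field(default_factory=list)                # empty = all instances in the VPC
    protocols: dict = field(default_factory=lambda: {"all": None})  # proto -> port list, None = any port


# Implied rules every VPC has; they cannot be deleted, only outranked.
IMPLIED = [
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535),
    Rule("implied-allow-egress", "EGRESS", "allow", 65535),
]


def _matches(rule, direction, tags, peer_ip, proto, port):
    """Does this rule apply to the connection at all?"""
    if rule.direction != direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(tags):
        return False
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in ipaddress.ip_network(r) for r in rule.ranges):
        return False
    if "all" in rule.protocols:
        return True
    if proto not in rule.protocols:
        return False
    ports = rule.protocols[proto]
    return ports is None or port in ports


def evaluate(rules, direction, tags, peer_ip, proto, port):
    """Return (action, rule_name) for one connection to/from an instance with these tags.

    peer_ip is the source address for INGRESS and the destination for EGRESS.
    """
    applicable = [r for r in rules + IMPLIED if _matches(r, direction, tags, peer_ip, proto, port)]
    # Lowest priority number wins; at equal priority a deny beats an allow.
    best = min(applicable, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name


# Constructed rule set: SSH only from a corporate range to bastions, SSH denied
# everywhere else, any TCP open to the world on web servers, egress to one
# blocked range refused.
RULES = [
    Rule("allow-ssh-from-corp", "INGRESS", "allow", 900, ["203.0.113.0/24"], ["bastion"], {"tcp": [22]}),
    Rule("deny-ssh-everywhere", "INGRESS", "deny", 1000, ["0.0.0.0/0"], [], {"tcp": [22]}),
    Rule("allow-any-tcp-web", "INGRESS", "allow", 1000, ["0.0.0.0/0"], ["web"], {"tcp": None}),
    Rule("deny-egress-blocked-range", "EGRESS", "deny", 1000, ["198.51.100.0/24"], [], {"all": None}),
]

if __name__ == "__main__":
    checks = [
        ("INGRESS", ["bastion"], "203.0.113.10", "tcp", 22),
        ("INGRESS", ["bastion"], "198.51.100.7", "tcp", 22),
        ("INGRESS", ["web"], "8.8.8.8", "tcp", 22),    # tie at 1000: deny wins
        ("INGRESS", ["web"], "8.8.8.8", "tcp", 8080),
        ("INGRESS", ["web"], "8.8.8.8", "udp", 53),
        ("EGRESS", ["web"], "1.1.1.1", "udp", 53),
        ("EGRESS", ["web"], "198.51.100.5", "tcp", 443),
    ]
    for c in checks:
        print(c, "->", evaluate(RULES, *c))
```

The third check is the one to remember: `allow-any-tcp-web` and `deny-ssh-everywhere` both sit at priority 1000 and both match SSH to a web server, and the deny wins the tie. Lowering the allow rule to 999 would silently reopen port 22 on every web server.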
Every new GCP project comes with a default VPC in auto mode together with a set of permissive pre-populated firewall rules: default-allow-ssh (TCP 22), default-allow-rdp (TCP 3389) and default-allow-icmp all accept traffic from 0.0.0.0/0, and default-allow-internal permits any traffic between instances across the network's 10.128.0.0/9 range. For production projects, delete the default network and create a custom VPC with tighter controls, or better, stop it from being created in the first place with the organization policy constraint constraints/compute.skipDefaultNetworkCreation.
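Finding those rules in projects you did not create yourself is a routine audit task. The added example below (not code from the lesson) reads firewall rules in the JSON shape that `gcloud compute firewall-rules list --format=json` produces, flags enabled ingress rules that allow TCP 22 or 3389 (or every protocol) from 0.0.0.0/0 or ::/0, and emits the delete commands. The sample rules, the `example-project` name and the `prod-vpc` network are constructed.

```python
"""Flag firewall rules that expose admin ports to the whole internet.

Added example for this lesson, not part of the original page. The input mimics
the JSON that `gcloud compute firewall-rules list --format=json` prints, but the
rules, project name and network names below are constructed.
"""
import json

ADMIN_PORTS = (22, 3389)   # SSH and RDP, the ports the default-allow-* rules open
ANYWHERE = {"0.0.0.0/0", "::/0"}
NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/"

SAMPLE_JSON = json.dumps([
    {"name": "default-allow-ssh", "network": NET + "default", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "network": NET + "default", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-icmp", "network": NET + "default", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "default-allow-internal", "network": NET + "default", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "allow-https", "network": NET + "prod-vpc", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-everything-temp", "network": NET + "prod-vpc", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["::/0", "0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-ssh-disabled", "network": NET + "prod-vpc", "direction": "INGRESS", "priority": 1000,
     "disabled": True, "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
])


def _covers(port_specs, port):
    """True if a gcloud port list ("22", "20-25", ...) includes port; no list means every port."""
    if not port_specs:
        return True
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def find_exposed_admin_ports(rules_json):
    """Return sorted (rule_name, network_name, port) tuples for enabled ingress rules
    that allow an admin port from anywhere on the internet."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not set(rule.get("sourceRanges", [])) & ANYWHERE:
            continue
        network = rule["network"].rsplit("/", 1)[-1]
        for entry in rule.get("allowed", []):
            if entry["IPProtocol"] not in ("tcp", "all"):
                continue
            for port in ADMIN_PORTS:
                if _covers(entry.get("ports"), port):
                    findings.append((rule["name"], network, port))
    return sorted(findings)


def remediation_commands(findings):
    """One gcloud delete per offending rule (the default network itself is then
    deleted separately, as the lesson recommends)."""
    return [f"gcloud compute firewall-rules delete {name} --quiet"
            for name in sorted({name for name, _, _ in findings})]


if __name__ == "__main__":
    found = find_exposed_admin_ports(SAMPLE_JSON)
    for name, network, port in found:
        print(f"{network}/{name} allows TCP {port} from the internet")
    print("\n".join(remediation_commands(found)))
```

The disabled rule is skipped on purpose (a disabled rule exposes nothing), and default-allow-internal is not flagged because its source is the network's own range, but it still deserves a look: it allows every port between every instance in the VPC.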
A GCP VPC network is a global, software-defined network that provides the connectivity backbone for all your cloud resources. Choose custom mode for production, plan your CIDR ranges carefully, and delete the default network in every project. With a well-designed VPC you get isolation, security, and seamless cross-region communication without the overhead of multi-region peering.