What is Networking in GCP?
Are you new to networking in Google Cloud Platform (GCP)? Do you want to learn how to navigate the complex world of Virtual Private Clouds (VPCs), VPNs, DNS, IP addressing, and firewalls? Look no further! In this article, we’ll break down each of these concepts and show you how they fit together to create a secure and efficient network.

What is Networking?
Networking is like sending a package from your house to a friend’s house. You get the package, hop on a bike, and head to their home on paved roads. The package is like data, the houses are like clients, and the road is like the network that allows the data to move from one client to the next.
Understanding VPCs
A VPC is a private subsection of GCP that you control, where you can place GCP resources like Compute Engine VMs and databases. You have full control over who has access to the resources in your VPC. According to Google, VPCs provide networking functionality to Compute Engine virtual machine instances, Google Kubernetes Engine, and the App Engine flexible environment.
VPC networks
You can think of a VPC network the same way you’d think of a physical network, except that it is virtualized within Google Cloud. A VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network. VPC networks are logically isolated from each other in Google Cloud.

What are VPNs?
Cloud VPN securely connects your peer network to your VPC network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway and decrypted by the other VPN gateway, protecting your data as it travels over the internet.
You can also connect two VPC networks together by connecting two Cloud VPN instances. You cannot use Cloud VPN to route traffic to the public internet; it is designed for secure communication between private networks.
Types of Cloud VPN
Google Cloud offers two types of Cloud VPN gateways:
- HA VPN
- Classic VPN
HA VPN
HA VPN is a high-availability (HA) Cloud VPN solution that lets you securely connect your on-premises network to your VPC network through an IPsec VPN connection. Based on the topology and configuration, HA VPN can provide an SLA of 99.99% or 99.9% service availability.
When you create an HA VPN gateway, Google Cloud automatically chooses two external IP addresses, one for each of its interfaces. Each IP address is automatically chosen from a unique address pool to support high availability. Each of the HA VPN gateway interfaces supports multiple tunnels. You can also create multiple HA VPN gateways. When you delete the HA VPN gateway, Google Cloud releases the IP addresses for reuse. You can configure an HA VPN gateway with only one active interface and one external IP address; however, this configuration does not provide an availability SLA.
Classic VPN
All Cloud VPN gateways created before the introduction of HA VPN are considered Classic VPN gateways. For information about how to move from Classic VPN to HA VPN, see Move from Classic VPN to HA VPN.
In contrast to HA VPN, Classic VPN gateways have a single interface, a single external IP address, and support tunnels that use static routing (policy-based or route-based). You can also configure dynamic routing (BGP) for Classic VPN, but only for tunnels that connect to third-party VPN gateway software running on Google Cloud VM instances.
Classic VPN gateways provide an SLA of 99.9% service availability.
Classic VPN gateways don’t support IPv6.
DNS Explained

DNS (Domain Name Server) is a hierarchical distributed database that lets you store IP addresses and other data and look them up by name. Cloud DNS lets you publish your zones and records in DNS without managing your own DNS servers and software. Cloud DNS offers both public zones and private managed DNS zones.
A public zone is visible to the public internet, while a private zone is visible only from one or more Virtual Private Cloud (VPC) networks that you specify. For detailed information about zones, see DNS zones overview.
Cloud DNS supports Identity and Access Management (IAM) permissions at the project level and individual DNS zone level. For information about how to set individual resource IAM permissions, see Create a zone with specific IAM permissions.
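The public/private zone split above is easiest to see in a small model of how a resolver picks a zone. The following is an added example written for this article, not Cloud DNS code: the zones, VPC network names and record values are constructed, and the documentation addresses (203.0.113.x) stand in for real public IPs. It shows that a private zone attached to a VPC answers queries from that VPC only, so the same name can resolve to a private address inside "prod-vpc" and to a public address everywhere else (split horizon).

```python
"""Added model of Cloud DNS public vs private zone visibility (not from the article)."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    dns_name: str                                  # zone apex with trailing dot, e.g. "example.com."
    visibility: str                                # "public" or "private"
    networks: list = field(default_factory=list)   # VPC networks a private zone is attached to
    records: dict = field(default_factory=dict)    # fqdn -> list of A-record values


def visible_zones(zones, from_network):
    """Public zones are visible from everywhere; a private zone only from the VPCs it is attached to."""
    out = []
    for z in zones:
        if z.visibility == "public":
            out.append(z)
        elif from_network is not None and from_network in z.networks:
            out.append(z)
    return out


def resolve(zones, name, from_network=None):
    """Answer `name` as a resolver in `from_network` (None = public internet) would see it.

    The zone whose apex is the longest suffix of the name is authoritative. When a
    private zone visible to the querying VPC has the same apex as a public zone,
    the private zone wins, which is the split-horizon behaviour of Cloud DNS.
    """
    candidates = [z for z in visible_zones(zones, from_network)
                  if name == z.dns_name or name.endswith("." + z.dns_name)]
    if not candidates:
        return None
    best = max(candidates, key=lambda z: (len(z.dns_name), z.visibility == "private"))
    return best.records.get(name)


# Constructed sample zones: a public zone and a private zone with the same apex.
ZONES = [
    Zone("example.com.", "public",
         records={"www.example.com.": ["203.0.113.10"]}),
    Zone("example.com.", "private", networks=["prod-vpc"],
         records={"www.example.com.": ["10.128.0.5"], "db.example.com.": ["10.128.0.20"]}),
]

if __name__ == "__main__":
    for net in (None, "prod-vpc", "dev-vpc"):
        print(f"{net or 'internet':9s} www -> {resolve(ZONES, 'www.example.com.', net)}"
              f"  db -> {resolve(ZONES, 'db.example.com.', net)}")
```

Note that "db.example.com." has no public record at all, so from the internet or from a VPC that the private zone is not attached to it does not resolve; only resolvers inside "prod-vpc" can see it.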
IP Addressing and CIDR Blocks
When you create a VPC, you define the IP address ranges it can use, which you specify as CIDR blocks (Classless Inter-Domain Routing). An IP address identifies a resource on a network, and there are two types: public and private. Public IP addresses are reachable from the internet, while private IP addresses identify resources only within a local network.
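A short worked example of the CIDR arithmetic behind subnet planning, added for this article and not taken from Google's tooling. It uses Python's standard `ipaddress` module to classify an address as private (RFC 1918), link-local or public, to count the addresses a VM can actually use in a subnet (Google Cloud reserves four per primary range: the network address, the default gateway, the second-to-last address and the broadcast address, and the smallest primary range is a /29), and to catch overlapping ranges, which a single VPC network does not permit. The sample ranges are constructed.

```python
"""Added illustration of CIDR arithmetic for VPC subnet planning (not from the article)."""
import ipaddress

# RFC 1918 private ranges, plus the link-local range that contains the metadata server.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(address: str) -> str:
    """Label an IPv4 address as private, link-local, or public (routable on the internet)."""
    addr = ipaddress.ip_address(address)
    if addr in LINK_LOCAL:
        return "link-local"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def usable_hosts(cidr: str) -> int:
    """Addresses a VM can take in a GCP subnet primary range.

    Google Cloud reserves four addresses per primary range (network, default
    gateway, second-to-last, broadcast); the smallest allowed range is /29.
    """
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if net.prefixlen > 29:
        raise ValueError(f"{cidr}: GCP subnets must be /29 or larger")
    return net.num_addresses - 4


def find_overlaps(cidrs):
    """Return each pair of ranges that overlap; subnets in one VPC network must not."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


if __name__ == "__main__":
    # Constructed planning input: three candidate subnets for one VPC.
    plan = ["10.128.0.0/20", "10.128.8.0/22", "10.130.0.0/20"]
    for c in plan:
        print(f"{c:16s} usable hosts: {usable_hosts(c)}")
    print("overlaps:", find_overlaps(plan))
    for ip in ("10.128.0.5", "169.254.169.254", "34.120.0.1"):
        print(f"{ip:16s} {classify(ip)}")
```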
Firewalls: The Barrier Between Your Network and the Internet

A firewall is essentially the barrier that sits between a private internal network and the public internet. Its main purpose is to allow non-threatening traffic in and keep dangerous traffic out. VPC firewall rules apply to a given project and network, letting you allow or deny connections to or from your virtual machine instances based on a configuration you specify.
VPC firewall rules let you allow or deny connections to or from virtual machine (VM) instances in your VPC network. Enabled VPC firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started up.
Every VPC network functions as a distributed firewall. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. You can think of the VPC firewall rules as existing not only between your instances and other networks, but also between individual instances within the same network.
Firewall rules in Google Cloud

When you create a VPC firewall rule, you specify a VPC network and a set of components that define what the rule does. The components enable you to target certain types of traffic, based on the traffic’s protocol, destination ports, sources, and destinations. For more information, see firewall rule components.
You create or modify VPC firewall rules by using the Google Cloud console, the Google Cloud CLI, or the REST API. When you create or modify a firewall rule, you can specify the instances to which it is intended to apply by using the target parameter of the rule. For firewall rule examples, see Other configuration examples.
In addition to firewall rules that you create, Google Cloud has other rules that can affect incoming (ingress) or outgoing (egress) connections:
- Google Cloud blocks or limits certain traffic. For more information, see Blocked and limited traffic.
- Google Cloud always allows communication between a VM instance and its corresponding metadata server at 169.254.169.254. For more information, see always allowed traffic.
- Every network has two implied firewall rules that permit outgoing connections and block incoming connections. Firewall rules that you create can override these implied rules.
- The default network is pre-populated with firewall rules that you can delete or modify.
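To make the rule components, the implied rules and the always-allowed metadata traffic concrete, here is an added model of how Google Cloud evaluates VPC firewall rules for a single connection. It is example code written for this article, not Google's implementation: the rule set is constructed, and the source addresses use the RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24). It encodes the behaviour described above: the matching rule with the lowest priority number wins, deny beats allow on a tie, target tags limit which instances a rule applies to, unmatched traffic falls through to the implied allow-egress / deny-ingress rules at priority 65535, and traffic to the metadata server is allowed regardless of the rules.

```python
"""Added model of VPC firewall rule evaluation (not the article's or Google's code)."""
from dataclasses import dataclass, field
import ipaddress

METADATA_SERVER = ipaddress.ip_address("169.254.169.254")
IMPLIED_PRIORITY = 65535   # the two implied rules sit at the lowest possible priority


@dataclass
class Rule:
    name: str
    direction: str           # "INGRESS" or "EGRESS"
    action: str              # "allow" or "deny"
    priority: int            # 0..65535; a lower number is evaluated first
    ranges: list             # source ranges for ingress, destination ranges for egress
    protocols: list          # e.g. ["tcp:22", "tcp:80-443", "udp:53", "all"]
    target_tags: list = field(default_factory=list)   # empty means every instance in the network


def _proto_matches(spec, proto, port):
    """Match one protocol/port specification against a packet's protocol and port."""
    if spec == "all":
        return True
    name, _, ports = spec.partition(":")
    if name != proto:
        return False
    if not ports:            # "tcp" with no port list means every port
        return True
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _range_matches(ranges, addr):
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def evaluate(rules, direction, remote_ip, proto, port, instance_tags=()):
    """Return (action, rule_name) for one connection to or from an instance."""
    remote = ipaddress.ip_address(remote_ip)
    # Traffic between an instance and its metadata server is always allowed;
    # no user-defined rule can block it.
    if remote == METADATA_SERVER:
        return ("allow", "always-allowed-metadata")
    candidates = []
    for r in rules:
        if r.direction != direction:
            continue
        if r.target_tags and not set(r.target_tags) & set(instance_tags):
            continue                                  # rule targets other instances
        if not _range_matches(r.ranges, remote):
            continue
        if not any(_proto_matches(s, proto, port) for s in r.protocols):
            continue
        candidates.append(r)
    if candidates:
        # Lowest priority number wins; if an allow and a deny share a priority, deny wins.
        best = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
        return (best.action, best.name)
    # Nothing matched: the implied rules apply (priority IMPLIED_PRIORITY).
    if direction == "EGRESS":
        return ("allow", "implied-allow-egress")
    return ("deny", "implied-deny-ingress")


# Constructed sample rule set for one VPC network.
RULES = [
    Rule("allow-ssh-from-corp", "INGRESS", "allow", 1000, ["203.0.113.0/24"], ["tcp:22"], ["web"]),
    Rule("deny-ssh-everyone",   "INGRESS", "deny",  2000, ["0.0.0.0/0"],      ["tcp:22"]),
    Rule("allow-https",         "INGRESS", "allow", 1000, ["0.0.0.0/0"],      ["tcp:443"], ["web"]),
    Rule("deny-all-egress",     "EGRESS",  "deny",  1000, ["0.0.0.0/0"],      ["all"]),
]

if __name__ == "__main__":
    checks = [
        ("INGRESS", "203.0.113.10", "tcp", 22, ("web",)),   # corp SSH to a web VM
        ("INGRESS", "198.51.100.7", "tcp", 22, ("web",)),   # SSH from elsewhere
        ("INGRESS", "203.0.113.10", "tcp", 22, ("db",)),    # corp SSH to an untagged-for-ssh VM
        ("INGRESS", "198.51.100.7", "tcp", 80, ("web",)),   # no rule: implied deny
        ("EGRESS",  "8.8.8.8",      "udp", 53, ()),         # blocked by deny-all-egress
        ("EGRESS",  "169.254.169.254", "tcp", 80, ()),      # metadata server: always allowed
    ]
    for c in checks:
        print(c, "->", evaluate(RULES, *c))
```

The ordering of `RULES` does not matter: only priority, direction, targets and match components decide the outcome, which is why two rules with overlapping matches should not be given the same priority unless the deny-wins tie-break is the intended result.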
In this article, we’ve covered the basics of networking in GCP, including VPCs, VPNs, DNS, IP addressing, and firewalls. We’ve also built a picture of how these concepts fit together to create a secure and efficient network. With this knowledge, you’ll be well on your way to creating your own network in GCP.