Skip to content

VPC

An important thing to remember is that VPCs are global, but your subnets are not.

Your VPCs can span multiple regions. Your subnets are locked to a single region.

Also, remember that you can use Shared VPC to create a common set of resources for everyone in the same company.

Key features

VPC network

VPC can automatically set up your virtual topology, configuring prefix ranges for your subnets and network policies, or you can configure your own. You can also expand CIDR ranges without downtime.

VPC flow logs

Flow logs capture information about the IP traffic going to and from network interfaces on Compute Engine.

VPC flow logs help with network monitoring, forensics, real-time security analysis, and expense optimization.

Google Cloud flow logs are updated every five seconds, providing immediate visibility.

VPC Peering

Configure private communication across the same or different organizations without bandwidth bottlenecks or single points of failure.

Shared VPC

You can Configure a VPC network to be shared across several projects in your organization.

Connectivity routes and firewalls associated are managed centrally.

Your developers have their own projects with separate billing and quotas, while they simply connect to a shared private network where they can communicate.

Bring your own IPs πŸ“²

Bring your own IP addresses to Google’s network across all regions to minimize downtime during migration and reduce your networking infrastructure cost.

After you bring your own IPs, Google Cloud will advertise them globally to all peers. Your prefixes can be broken into blocks as small as 16 addresses (/28), creating more flexibility with your resources.

Private Service Connect πŸ”

Private Service Connect is a capability of Google Cloud networking that allows consumers to access managed services privately from inside their VPC network. Similarly, it allows managed service producers to host these services in their own separate VPC networks and offer a private connection to their consumers.

For example, when you use Private Service Connect to access Cloud SQL, you are the service consumer, and Google is the service producer.

TLDR

With Private Service Connect, consumers can use their own internal IP addresses to access services without leaving their VPC networks. Traffic remains entirely within Google Cloud. Private Service Connect provides service-oriented access between consumers and producers with granular control over how services are accessed.

Private Endpoint Connection πŸ”Œ

Private Service Connect lets you send traffic to endpoints that forward the traffic to published services in another VPC network.

The below diagram shows a Private Service Connect endpoint that targets a published service that is running in a separate VPC network and organization. Private Service Connect endpoints and published services let two independent companies communicate with each other by using internal IP addresses.

Private Google Access πŸ•΅οΈ

VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the external IP addresses of Google APIs and services. The source IP address of the packet can be the primary internal IP address of the network interface or an address in an alias IP range that is assigned to the interface. If you disable Private Google Access, the VM instances can no longer reach Google APIs and services; they can only send traffic within the VPC network.

Implementation of Private Google Access

The VPC network has been configured to meet the DNS, routing, and firewall network requirements for Google APIs and services. Private Google Access has been enabled on subnet-a, but not on subnet-b.

  • VM A1 can access Google APIs and services, including Cloud Storage, because its network interface is located in subnet-a, which has Private Google Access enabled. Private Google Access applies to the instance because it only has an internal IP address.

  • VM B1 cannot access Google APIs and services because it only has an internal IP address and Private Google Access is disabled for subnet-b.

  • VM A2 and VM B2 can both access Google APIs and services, including Cloud Storage, because they each have external IP addresses. Private Google Access has no effect on whether or not these instances can access Google APIs and services because both have external IP addresses.


Was this page helpful?
-->