
GCP - Networking

Google Cloud's networking offerings are one of its biggest differentiators. They are built on the same private, global fiber network that powers Google's own services like Search, YouTube, and Gmail. This gives them unique capabilities in performance, security, and ease of use.

The Foundation: The Global Virtual Private Cloud (VPC)

This is the absolute core of Google's networking and the #1 concept to understand.

Analogy: Think of the Google Cloud VPC not as a single, regional office building (like in other clouds), but as your own private, global corporate network.

  • Global by Default: Unlike other clouds where a VPC is tied to a single region, a Google Cloud VPC is a global resource. You create it once, and it can have subnets in any Google Cloud region around the world.
  • Private Backbone: When a VM in your London subnet talks to a VM in your Tokyo subnet, that traffic travels over Google's private, encrypted fiber network, not the public internet. This is faster, more reliable, and more secure by default.
  • Subnets are Regional: Within your global VPC, you create regional subnets. A subnet is a range of private IP addresses (e.g., 10.1.2.0/24) located in a specific region (e.g., us-central1). Your resources, like VMs, will live inside these subnets.

Key takeaway: The global VPC simplifies networking immensely. You don't need to manually peer or connect different regional networks; they are all part of the same private network from day one.

GCE VPC network names look like this:

//compute.googleapis.com/projects/{project}/global/networks/{network}

Category 1: Controlling and Securing Your VPC

These are the tools you use to manage traffic flow and secure your "private global network."

1. VPC Firewall Rules

  • What it is: A stateful, software-defined firewall that controls traffic to and from your VM instances.
  • How it works: You create "allow" or "deny" rules based on IP addresses, protocols, ports, and (most powerfully) network tags or service accounts. For example, you can create a rule that says "Allow traffic on port 443 from any VM with the frontend-webserver tag to any VM with the backend-api tag."
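The rule above only makes sense once you know how Google evaluates a set of rules on a VM: every matching rule is collected, the one with the lowest priority number wins, a deny beats an allow at equal priority, and two implied rules (allow all egress, deny all ingress, both at priority 65535) sit underneath everything you define. The following is an added example, not Google's code or the page's own; it models that evaluation for the first packet of a connection, with constructed tags, addresses and rules. The constructed rule set deliberately includes an SSH allow at priority 1000 that is shadowed by a broad deny at 900, the kind of precedence mistake worth catching in review.

```python
"""Model of GCP VPC firewall evaluation (added example; not Google's code).

Rules are evaluated per VM: the matching rule with the lowest priority
number wins, a deny beats an allow at equal priority, and two implied
rules (allow all egress, deny all ingress at priority 65535) sit under
every user-defined rule. Tags, addresses and rules below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    direction: str                 # "INGRESS" or "EGRESS"
    action: str                    # "allow" or "deny"
    priority: int = 1000           # 0..65535; lower number = higher precedence
    # {"tcp": [(443, 443)], "icmp": []}; empty dict = all protocols
    protocols: dict = field(default_factory=dict)
    src_ranges: list = field(default_factory=list)   # ingress: source CIDRs
    src_tags: list = field(default_factory=list)     # ingress: source VM tags
    dst_ranges: list = field(default_factory=list)   # egress: destination CIDRs
    target_tags: list = field(default_factory=list)  # empty = applies to all VMs


@dataclass
class Packet:
    """First packet of a new connection, as seen by the VM being evaluated."""
    direction: str
    src_ip: str
    dst_ip: str
    protocol: str
    port: Optional[int] = None
    src_tags: frozenset = frozenset()     # network tags of the sending VM
    target_tags: frozenset = frozenset()  # network tags of the evaluated VM


IMPLIED_RULES = [
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, dst_ranges=["0.0.0.0/0"]),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, src_ranges=["0.0.0.0/0"]),
]


def _in_ranges(ip: str, ranges: list) -> bool:
    return any(ip_address(ip) in ip_network(r) for r in ranges)


def _protocol_matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.protocols:
        return True
    if pkt.protocol not in rule.protocols:
        return False
    ports = rule.protocols[pkt.protocol]
    if not ports:                      # protocol listed without ports = all ports
        return True
    return pkt.port is not None and any(lo <= pkt.port <= hi for lo, hi in ports)


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & pkt.target_tags:
        return False
    if not _protocol_matches(rule, pkt):
        return False
    if rule.direction == "INGRESS":
        by_range = bool(rule.src_ranges) and _in_ranges(pkt.src_ip, rule.src_ranges)
        by_tag = bool(set(rule.src_tags) & pkt.src_tags)
        return by_range or by_tag
    # Egress with no destination list behaves like 0.0.0.0/0.
    return not rule.dst_ranges or _in_ranges(pkt.dst_ip, rule.dst_ranges)


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, winning_rule_name) for the packet."""
    matches = [r for r in list(rules) + IMPLIED_RULES if _rule_matches(r, pkt)]
    matches.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = matches[0]                 # an implied rule always matches IPv4 traffic
    return winner.action, winner.name


# Constructed rule set: the page's frontend -> backend example plus an SSH
# allow at priority 1000 that loses to a broad deny at priority 900.
SAMPLE_RULES = [
    Rule("allow-frontend-to-backend-443", "INGRESS", "allow", 1000,
         protocols={"tcp": [(443, 443)]},
         src_tags=["frontend-webserver"], target_tags=["backend-api"]),
    Rule("allow-ssh-from-corp", "INGRESS", "allow", 1000,
         protocols={"tcp": [(22, 22)]}, src_ranges=["203.0.113.0/24"]),
    Rule("deny-ssh-from-anywhere", "INGRESS", "deny", 900,
         protocols={"tcp": [(22, 22)]}, src_ranges=["0.0.0.0/0"]),
]


def demo() -> dict:
    frontend, backend = frozenset({"frontend-webserver"}), frozenset({"backend-api"})
    return {
        "frontend_to_backend_443": evaluate(SAMPLE_RULES, Packet(
            "INGRESS", "10.1.2.5", "10.1.3.9", "tcp", 443, frontend, backend)),
        "frontend_to_backend_8080": evaluate(SAMPLE_RULES, Packet(
            "INGRESS", "10.1.2.5", "10.1.3.9", "tcp", 8080, frontend, backend)),
        "corp_ssh_to_backend": evaluate(SAMPLE_RULES, Packet(
            "INGRESS", "203.0.113.7", "10.1.3.9", "tcp", 22, target_tags=backend)),
        "backend_egress_dns": evaluate(SAMPLE_RULES, Packet(
            "EGRESS", "10.1.3.9", "8.8.8.8", "udp", 53, target_tags=backend)),
    }


if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case:26s} -> {action:5s} ({rule})")
```

Running it shows the 443 request allowed by the tag-based rule, the 8080 request falling through to the implied ingress deny, the corporate SSH attempt denied because the priority-900 deny outranks the priority-1000 allow, and outbound DNS allowed by the implied egress rule. Return traffic for an allowed connection is accepted by the stateful firewall and is not modelled here.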

2. Private Service Connect

  • What it is: A way to privately and securely consume services (either Google's services or your own) from your VPC without ever exposing traffic to the public internet.
  • Analogy: It's like having a secure, private pneumatic tube that connects your office directly to the bank's vault, bypassing the public street entirely.
  • Use Case: You can access Google Cloud Storage or BigQuery from your private VMs as if they were services running inside your own VPC, using a private IP address.

3. Cloud NAT (Network Address Translation)

  • What it is: Allows VMs with no public IP addresses to access the internet for outbound tasks like downloading patches or calling external APIs.
  • How it works: It provides a managed, shared outbound IP address for a group of private VMs, but does not allow any unsolicited inbound connections from the internet.
  • Use Case: A critical security practice. Use it for any VM that needs to talk to the internet but should not be reachable from the internet.

Category 2: Connecting to Your VPC from the Outside World

These services get traffic from your users or your other networks into your VPC.

1. Cloud Load Balancing

  • What it is: A suite of fully managed, high-performance load balancers to distribute traffic to your applications.
  • Key Differentiator: Google's Global External HTTPS Load Balancer is a standout product. It provides a single, global Anycast IP address. When a user in Europe and a user in Asia both access your application via this single IP, Google's network automatically routes them to the healthy backend VMs in the region closest to them, ensuring the lowest latency.
  • Types:
    • Global External: For public, internet-facing HTTP/S traffic.
    • Regional External: For other types of public traffic (TCP/UDP).
    • Internal: For balancing traffic inside your VPC between different tiers of your application.

2. Cloud DNS

  • What it is: A managed, authoritative Domain Name System (DNS) service that runs on Google's global infrastructure.
  • Use Case: You use it to host your public DNS zones (like example.com) to resolve your domain name to your load balancer's IP address. You can also create private DNS zones for service discovery within your VPC.

3. Cloud Interconnect & Cloud VPN

  • What they are: These are the two primary ways to create a hybrid network, connecting your on-premises data center to your GCP VPC.
  • Cloud VPN: Creates a secure, encrypted IPsec VPN tunnel over the public internet. It's fast to set up and cost-effective.
  • Cloud Interconnect: Provides a dedicated, private physical connection between your data center and Google's network. It offers much higher bandwidth, lower latency, and greater reliability than a VPN, but is more expensive and takes longer to provision.

Category 3: Content Delivery and Performance

1. Cloud CDN (Content Delivery Network)

  • What it is: A global network of edge caches that stores copies of your website's static content (images, videos, CSS) closer to your users.
  • How it works: It integrates seamlessly with the Global External HTTPS Load Balancer. When a user requests an image, it's served from a Google edge location near them (e.g., in their city) instead of having to travel all the way back to your origin server in a specific region. This dramatically speeds up your website's load time.

Summary: Why is Google's Networking Different?

| Feature | What It Means | Benefit |
|---|---|---|
| Global VPC | One network, multiple regions. | Simplicity. No need to peer regional networks. |
| Private Backbone | East-West traffic stays on Google's network. | Performance & Security. Lower latency, and traffic is not exposed to the public internet. |
| Global Anycast IP | One IP address for your global load balancer. | Performance & Simplicity. Users are automatically routed to the closest backend. |
| Software-Defined | Networking is managed via APIs. | Automation & Flexibility. You can configure and automate your entire network with code. |

By leveraging this powerful, software-defined global network, you can build applications that are more secure, more performant, and simpler to manage than with traditional, region-constrained networking models.

Cloud Interconnect

Google Cloud Interconnect is a suite of services provided by Google Cloud that establishes a direct, private, and high-bandwidth connection between your on-premises network (or another cloud provider's network) and Google's network. Unlike connections over the public internet, Cloud Interconnect offers enhanced performance, lower latency, increased reliability, and improved security for data transfer.

Think of it as a dedicated, private highway for your data to travel between your infrastructure and Google Cloud, bypassing the unpredictable nature of the public internet.

Key Benefits

  • Enhanced Performance & Reduced Latency: By bypassing the public internet, traffic takes fewer hops, leading to significantly faster data transfer speeds and lower latency. This is crucial for applications requiring real-time processing, such as financial transactions, online gaming, video conferencing, and high-performance computing (HPC).
  • Increased Security: Cloud Interconnect provides private, dedicated pathways for data transfer, minimizing exposure to potential cyber threats and reducing the risk of data breaches compared to public internet connections. Optional encryption like MACsec for Cloud Interconnect and HA VPN over Cloud Interconnect can further secure traffic.
  • High Availability: These connections are designed for reliability, ensuring consistent and dependable data transfer.
  • Cost Efficiency: While there might be initial setup costs, Cloud Interconnect can lead to long-term savings by reducing egress fees associated with data transfers from Google Cloud.
  • Scalability and Flexibility: You can scale your connection capacity to meet your specific requirements, with bandwidth options ranging from 50 Mbps up to 100 Gbps, allowing businesses to adapt to evolving needs.
  • Direct IP Address Access: Your Virtual Private Cloud (VPC) network's internal IP addresses are directly accessible from your on-premises network, eliminating the need for NAT or VPN tunnels to reach internal resources.

Types of Cloud Interconnect

Google Cloud offers different types of Cloud Interconnect to cater to various organizational needs and technical requirements:

  1. Dedicated Interconnect: Provides a direct physical connection between your on-premises network and Google's network at a Google Cloud colocation facility. This offers the highest level of performance, security, and control. It typically involves a minimum commitment of 10 Gbps and can scale to 100 Gbps.
  2. Partner Interconnect: Connects your on-premises network to Google Cloud through a supported service provider. This is a more flexible option, with bandwidth options starting as low as 50 Mbps and scaling up to 10 Gbps. It's suitable for organizations that don't need a full 10 Gbps connection or cannot meet Google's colocation facility requirements.
  3. Cross-Cloud Interconnect: Establishes a direct physical connection between Google's network and the network of another cloud service provider. This allows for high-performance and secure connectivity between different cloud environments.

Common Use Cases

Cloud Interconnect is vital for managing data effectively and securely, particularly in industries like finance, healthcare, and e-commerce.

  • Hybrid Cloud Environments: Seamlessly integrates on-premises infrastructure with Google Cloud services, enabling efficient data transfer and communication for various business needs.
  • Disaster Recovery: Facilitates the transfer of vital data and workloads from on-premises systems to Google Cloud, ensuring data resilience and business continuity.
  • High-Performance Computing (HPC): Provides the high-bandwidth and low-latency connections required for demanding HPC applications.
  • Large-scale Data Migration: Enables efficient and rapid transfer of large datasets to Cloud Storage, BigQuery, and other Google Cloud services.
  • Real-time Analytics and Machine Learning: Supports low-latency access to on-premises data sources for services like AI Platform and Vertex AI, enabling hybrid AI/ML workflows.
  • Database Replication: Facilitates efficient data replication patterns between on-premises databases and Google Cloud's managed database services.
  • SaaS Providers: Critical for delivering low-latency access to cloud assets for customers, especially for real-time communication tools.

Equivalent

  • AWS Equivalent: AWS Direct Connect
  • Azure Equivalent: Azure ExpressRoute

Secure Web Proxy

Secure Web Proxy is a managed service that enables Google customers to secure egress web traffic with a focus on workload egress specifically.

What is a Shared VPC

Shared VPC in Google Cloud Platform (GCP) is a networking architecture that allows an organization's multiple projects to share a common Virtual Private Cloud (VPC) network from a single host project. This setup enables resources across these projects, called service projects, to communicate securely and efficiently using internal IP addresses while maintaining centralized control over network configurations, firewall rules, and IP address management from the host project.

  • Host Project: The project that contains the shared VPC network and owns the central networking resources.
  • Service Projects: Multiple projects that attach to the host project's Shared VPC network and use its subnets for their resources.

FAQ

  • Is a subnet regional? Yes, each subnet is a regional resource, meaning it is contained within a single GCP region.
  • Is subnet zonal? No, GCP subnets are not zonal; they are regional resources, meaning a subnet's IP address range spans across the entire region where it's defined.
  • Are subnets auto generated? In auto-mode VPC networks, subnets are automatically created in every region. In custom-mode VPC networks, however, you must manually create all subnets and have complete control over their creation and IP ranges.
  • Only one IPv4 range per subnet? Each subnet can have one primary IPv4 range and multiple (up to 30) secondary IPv4 ranges.
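The subnet facts above (regional subnets inside one global VPC, one primary range plus up to 30 secondary ranges) and the network resource-name format shown earlier on this page are the kind of thing a custom-mode VPC plan should be checked against before anything is created, because overlapping ranges across regions are the most common way a "one global network" design goes wrong. The following is an added example, not Google's code or the page's own: it parses Compute full resource names and validates a constructed subnet plan. The network name form is the one on the page; the regional subnetwork form (`.../regions/{region}/subnetworks/{subnet}`) is assumed here to follow the same pattern. It also applies two constraints the page does not state, which the example takes as given: Google reserves four addresses in every primary IPv4 range (network, gateway, second-to-last, broadcast), and the smallest primary range is a /29.

```python
"""Subnet planning checks for a global GCP VPC (added example; not Google's code).

Parses Compute full resource names and validates a constructed plan of
regional subnets: every primary and secondary IPv4 range must be a
proper network address, no two ranges in the VPC may overlap, a subnet
may carry at most 30 secondary ranges, and the smallest primary range is
a /29. Google reserves four addresses (network, gateway, second-to-last,
broadcast) in each primary range; usable_hosts() accounts for that."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_network

# The network form is given on the page; the regional subnetwork form is an
# assumption that it follows the same pattern.
NETWORK_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/(?P<project>[^/]+)"
    r"/global/networks/(?P<network>[^/]+)$")
SUBNETWORK_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/(?P<project>[^/]+)"
    r"/regions/(?P<region>[^/]+)/subnetworks/(?P<subnetwork>[^/]+)$")


def parse_resource_name(name: str) -> dict:
    for kind, pattern in (("network", NETWORK_RE), ("subnetwork", SUBNETWORK_RE)):
        m = pattern.match(name)
        if m:
            return {"kind": kind, **m.groupdict()}
    raise ValueError(f"not a Compute network/subnetwork resource name: {name}")


@dataclass
class Subnet:
    name: str
    region: str
    primary: str
    secondary: list = field(default_factory=list)


MAX_SECONDARY_RANGES = 30
RESERVED_ADDRESSES = 4      # network, gateway, second-to-last, broadcast
MIN_PRIMARY_PREFIX = 29     # smallest allowed primary IPv4 range


def usable_hosts(primary: str) -> int:
    return ip_network(primary).num_addresses - RESERVED_ADDRESSES


def validate_plan(subnets: list) -> list:
    """Return human-readable problems; an empty list means the plan is clean."""
    problems, seen = [], []
    for s in subnets:
        if len(s.secondary) > MAX_SECONDARY_RANGES:
            problems.append(f"{s.name}: {len(s.secondary)} secondary ranges "
                            f"(max {MAX_SECONDARY_RANGES})")
        labelled = [(f"{s.name}/primary", s.primary)]
        labelled += [(f"{s.name}/secondary[{i}]", c) for i, c in enumerate(s.secondary)]
        for label, cidr in labelled:
            try:
                net = ip_network(cidr)          # strict: rejects host bits set
            except ValueError as exc:
                problems.append(f"{label}: {exc}")
                continue
            if label.endswith("/primary") and net.prefixlen > MIN_PRIMARY_PREFIX:
                problems.append(f"{label}: {net} is smaller than the "
                                f"/{MIN_PRIMARY_PREFIX} minimum")
            # Ranges are checked against every range already seen in the VPC,
            # including the same subnet's own primary.
            for other_label, other in seen:
                if net.overlaps(other):
                    problems.append(f"{label}: {net} overlaps {other_label} {other}")
            seen.append((label, net))
    return problems


# Constructed plan: two regions in one VPC, the Tokyo subnet carrying a
# secondary range of the kind GKE uses for pod IPs.
GOOD_PLAN = [
    Subnet("london-app", "europe-west2", "10.1.2.0/24"),
    Subnet("tokyo-app", "asia-northeast1", "10.2.0.0/20", secondary=["10.100.0.0/16"]),
]
# Same plan plus a third subnet whose range collides with London's.
BAD_PLAN = GOOD_PLAN + [Subnet("iowa-app", "us-central1", "10.1.2.128/25")]

if __name__ == "__main__":
    print(parse_resource_name(
        "//compute.googleapis.com/projects/my-proj/global/networks/prod-vpc"))
    print("usable hosts in 10.1.2.0/24:", usable_hosts("10.1.2.0/24"))
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(plan) or "ok")
```

The overlap check is deliberately VPC-wide rather than per region: because the VPC is global, a London range and an Iowa range that collide are just as broken as two colliding ranges in one region, and the four reserved addresses are why a /24 yields 252 usable hosts rather than 254.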