GCP VPC Design: Custom VPCs, Subnets, and IP Allocation
A production-focused guide to GCP VPC Design: Custom VPCs, Subnets, and IP Allocation on Google Cloud Platform..
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
- ✓Google Cloud SDK (gcloud) installed and configured, a GCP project with billing enabled, basic understanding of networking concepts (CIDR, subnets, firewalls), familiarity with IPv6 addressing (for IPv6 sections), and experience with bash or Terraform for infrastructure as code.
GCP VPC Design: Custom VPCs, Subnets, and IP Allocation is like having a specialized tool that handles vpc design so you don't have to build and manage it yourself โ it just works out of the box with Google Cloud's infrastructure.
| Chrome | Firefox | Safari | Edge |
|---|---|---|---|
| ✓ | ✓ | ✓ | ✓ |
You just deployed a new microservice, and suddenly half your production traffic is timing out. The root cause? Your VPC subnet ran out of IP addresses, forcing GCP to auto-allocate from a range that overlaps with your on-premises VPN. That's the cost of ignoring VPC design. Most teams treat VPCs as an afterthoughtโclick 'default' and move on. But in GCP, a VPC is a global resource, and subnets are regional. Get the CIDR blocks wrong, and you're rebuilding from scratch. This article walks you through designing custom VPCs that survive production: from IP allocation strategies to hybrid connectivity, with real-world failure modes you'll face at scale.
Why Default VPCs Are a Trap
GCP creates a default VPC in every project with auto-mode subnets in each region. This sounds convenient, but it's a ticking time bomb. Auto-mode uses a /20 per region, which is fine for prototypes but disastrous for production. You can't control IP ranges, so you'll inevitably collide with on-premises networks or peered VPCs. Worse, you can't delete the default VPC without breaking existing resources. The first step in any production deployment is to create a custom VPC with manually planned CIDR blocks. This gives you full control over IP allocation, routing, and firewall rules. Don't let convenience cost you a production outage.
IP Allocation Strategy: CIDR Planning for Growth
IP allocation is the foundation of VPC design. Start by reserving a large CIDR block for your entire VPCโtypically a /16 or /8 depending on scale. Then carve out subnets per region and tier. For example, use 10.0.0.0/16 for the whole VPC, then assign 10.0.1.0/24 for us-central1 web tier, 10.0.2.0/24 for us-central1 app tier, and so on. Always leave room for expansion: never allocate more than 50% of your block upfront. Use RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and avoid overlapping with on-premises or other cloud networks. Document your plan in a central IPAM tool.
Regional vs. Global VPC: Choosing the Right Scope
GCP VPCs are global, meaning a single VPC spans all regions. This is a superpower: you can have subnets in us-central1, europe-west1, and asia-east1 all within the same VPC. Global VPCs simplify routing and firewall management because resources can communicate across regions using internal IPs. However, global VPCs also mean a misconfiguration can affect all regions. For most production workloads, a single global VPC per environment (prod, staging, dev) is the right choice. Avoid creating separate VPCs per regionโthat's a legacy mindset from on-premises networking.
Subnet Design: Tiers, Regions, and High Availability
Subnets are the atomic unit of network segmentation. Design them around tiers (web, app, db) and regions. Each tier should have its own subnet to enforce firewall rules and routing policies. For high availability, create subnets in at least two regions. For example, us-central1 and us-east1 each have web, app, and db subnets. Use consistent naming: {env}-{region}-{tier}. This makes firewall rules and monitoring easier. Each subnet should have a /24 or larger to accommodate growth. For GKE, use secondary ranges for pods and services to avoid IP exhaustion.
Private Google Access: Enabling Internal API Calls
Private Google Access allows VM instances without external IPs to reach Google APIs and services (Cloud Storage, BigQuery, etc.) through Google's internal network. This is critical for security: you don't want your database servers talking to the internet. Enable it per subnet. Without it, your private instances will fail to pull container images or write logs. Always enable it on subnets that host backend services. It's a checkbox in the console or a flag in gcloud. Don't forget itโit's a common cause of 'works on my machine' failures.
Firewall Rules: Least Privilege at Scale
Firewall rules in GCP are stateful and evaluated in order of priority (lower number = higher priority). Default rules allow all internal traffic and deny all ingress from outside. For production, you need to lock down inter-tier traffic. For example, only allow web tier to talk to app tier on port 8080, and app tier to db tier on port 3306. Use service accounts and tags to group instances. Avoid using source IP ranges for dynamic workloadsโuse tags instead. Always log denied traffic to detect misconfigurations. Remember: firewall rules are global, so a rule applies to all regions unless you specify source and destination tags.
VPC Peering: Connecting VPCs Across Projects
VPC peering allows you to connect two VPCs so they can communicate using internal IPs. This is useful for multi-project architectures (e.g., shared services VPC with monitoring tools). Peering is not transitive: if VPC A is peered with VPC B, and VPC B with VPC C, A cannot talk to C. Plan your peering topology as a hub-and-spoke model. Use a shared VPC for most cases instead of multiple peerings. Also, beware of overlapping IP rangesโpeering fails if CIDRs overlap. Always check for conflicts before creating a peering.
Cloud NAT: Outbound Connectivity for Private Instances
Private instances (no external IP) need Cloud NAT to access the internet for updates, package downloads, or external APIs. Cloud NAT is a regional managed service that provides outbound NAT. You configure it per region and associate it with a Cloud Router. Without Cloud NAT, private instances can't reach the internet. This is a common oversight when migrating from on-premises. Cloud NAT also supports static IP addresses for whitelisting. Always enable logging to debug connectivity issues.
Hybrid Connectivity: VPN and Interconnect
Connecting on-premises networks to GCP requires either Cloud VPN (IPsec) or Dedicated Interconnect. Cloud VPN is simpler but limited to 3 Gbps per tunnel. Use it for low-bandwidth or test environments. For production, use Dedicated Interconnect for 10 Gbps or higher with SLA. Both require a Cloud Router for dynamic routing (BGP). Always use BGP over static routes to handle failover automatically. Plan your IP ranges to avoid overlap with on-premises. Test failover regularlyโwe've seen VPN tunnels drop without triggering alerts.
Shared VPC: Centralized Network Management
Shared VPC allows you to host a VPC in a central project (host project) and share its subnets with other projects (service projects). This is the recommended pattern for multi-team organizations. The host project owns the network resources (VPC, subnets, firewall rules), while service projects deploy their workloads into those subnets. This centralizes control and avoids IP fragmentation. However, it requires careful IAM: grant compute.networkUser role to service project teams. Also, be aware that Shared VPC is not transitiveโyou can't share a shared VPC further.
Monitoring and Logging: VPC Flow Logs and Firewall Insights
You can't fix what you can't see. Enable VPC Flow Logs on subnets to capture metadata about IP traffic. This helps with troubleshooting, capacity planning, and security analysis. Flow Logs are sampled (default 1 per 10 packets) and cost money, so enable them selectively on critical subnets. Also, enable Firewall Insights to see which firewall rules are being hit and identify unused rules. Set up alerts for denied traffic spikesโthey often indicate misconfigurations or attacks. Use Cloud Logging to export logs to BigQuery for long-term analysis.
IPv6 Support in VPC: Dual-Stack and IPv6-Only Subnets
GCP VPCs support IPv4-only (single-stack), dual-stack (IPv4 + IPv6), and IPv6-only subnets. Internal IPv6 addresses (ULAs from fd20::/20) are private and not internet-routable. External IPv6 addresses (GUAs) are publicly routable and available only in Premium Tier. When you enable IPv6 on a subnet, a /64 range is assigned. The first and last /96 of internal /64 ranges are reserved for system use. For dual-stack subnets, VM interfaces get both IPv4 and IPv6 /96 addresses. Production insight: plan your IPv6 allocation upfront. The VPC network gets a /48 ULA range, and each subnet gets a /64 from that. You can provide a custom /48 ULA to avoid conflicts with on-premises networks. We migrated a legacy app to IPv6-only subnets and discovered that some monitoring tools didn't support IPv6. Always test application compatibility before migrating.
Packet Mirroring: Deep Traffic Inspection
Packet Mirroring clones traffic from a mirrored source (VM instance or tag) and forwards it to a collector destination (internal load balancer or another VM). This is used for intrusion detection systems, application performance monitoring, and compliance logging. It captures all traffic (ingress and egress) on the source's network interfaces, including metadata. Packet Mirroring is a regional resourceโsource and collector must be in the same region. Important: Packet Mirroring doubles the traffic cost for the mirrored VMs because mirrored traffic is billed separately. Production insight: use Packet Mirroring selectively on sensitive workloads (e.g., database servers), not on all VMs. We saw a client mirroring all traffic in a 500-VM fleet, doubling their network bill. Focus on high-value targets and use sampling.
VPC Service Controls: Prevent Data Exfiltration
VPC Service Controls (VPC SC) define a security perimeter around Google Cloud services like Cloud Storage, BigQuery, and Cloud Bigtable. Within the perimeter, data can flow freely. Outside the perimeter, data exfiltration is blocked. You can configure perimeters per project or across multiple projects. VPC SC also allows you to define ingress and egress rules for specific identities or VPCs. This is critical for compliance frameworks that require data residency and exfiltration prevention. Production insight: VPC SC can break legitimate cross-service integrations. For example, a Cloud Function in a non-perimeter project can't access a Cloud Storage bucket in a perimeter project unless you configure an egress rule. We had a client enable VPC SC and immediately break their CI/CD pipeline because the CI service account was outside the perimeter. Test in a staging environment first.
Common Pitfalls and How to Avoid Them
Even experienced teams make mistakes. Here are the top pitfalls: (1) IP overlap with on-premises or peered VPCsโalways document and use an IPAM tool. (2) Forgetting to enable Private Google Access on subnetsโadd it to your subnet creation script. (3) Using default VPC in productionโjust don't. (4) Overly permissive firewall rulesโuse tags and least privilege. (5) Not planning for GKE secondary rangesโyou'll have to recreate the cluster. (6) Ignoring Cloud NAT for private instances. (7) Assuming VPC peering is transitive. Avoid these by using Infrastructure as Code (Terraform) and peer reviews for network changes.
| File | Command / Code | Purpose |
|---|---|---|
| create-custom-vpc.sh | gcloud compute networks create prod-vpc \ | Why Default VPCs Are a Trap |
| create-subnets.sh | gcloud compute networks subnets create prod-us-central1-web \ | IP Allocation Strategy |
| list-subnets.sh | gcloud compute networks subnets list --network=prod-vpc | Regional vs. Global VPC |
| create-ha-subnets.sh | for region in us-central1 us-east1; do | Subnet Design |
| enable-private-google-access.sh | gcloud compute networks subnets update prod-us-central1-web \ | Private Google Access |
| create-firewall-rules.sh | gcloud compute firewall-rules create allow-web-to-app \ | Firewall Rules |
| create-vpc-peering.sh | gcloud compute networks peerings create prod-to-shared \ | VPC Peering |
| create-cloud-nat.sh | gcloud compute routers create nat-router \ | Cloud NAT |
| create-vpn-tunnel.sh | gcloud compute vpn-tunnels create onprem-tunnel \ | Hybrid Connectivity |
| enable-shared-vpc.sh | gcloud compute shared-vpc enable shared-host-project | Shared VPC |
| enable-flow-logs.sh | gcloud compute networks subnets update prod-us-central1-web \ | Monitoring and Logging |
| create-ipv6-subnet.sh | gcloud compute networks subnets create prod-us-central1-ipv6 \ | IPv6 Support in VPC |
| packet-mirroring.sh | gcloud compute packet-mirrorings create prod-db-mirror \ | Packet Mirroring |
| vpc-sc-perimeter.sh | gcloud access-context-manager perimeters create prod-perimeter \ | VPC Service Controls |
| vpc.tf | resource "google_compute_network" "vpc" { | Common Pitfalls and How to Avoid Them |
Key takeaways
Common mistakes to avoid
3 patternsIgnoring gcp vpc design best practices
Over-provisioning without rightsizing analysis
Skipping IAM least-privilege principles
Interview Questions on This Topic
What is GCP VPC Design: Custom VPCs, Subnets, and IP Allocation and when would you use it in production?
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
That's Google Cloud. Mark it forged?
6 min read · try the examples if you haven't