A Virtual Private Cloud (VPC) network is a virtual version of a physical network, implemented inside of Google's production network, using Andromeda. A VPC network provides the following:

Projects can contain multiple VPC networks. Unless you create an organizational policy that prohibits it, new projects start with a default network (an auto mode VPC network) that has one subnetwork (subnet) in each region.

Networks and subnets

The terms subnet and subnetwork are synonymous. They are used interchangeably in the Google Cloud console. A subnet is not the same thing as a (VPC) network. Networks and subnets are different types of resources in Google Cloud. For more information, see Subnets.

Specifications

VPC networks have the following properties:
Organization policy constraints
For more information about constraints, see Organization policy constraints.

Subnet creation mode

Google Cloud offers two types of VPC networks, determined by their subnet creation mode:

You can switch a VPC network from auto mode to custom mode. This is a one-way conversion; custom mode VPC networks cannot be changed to auto mode VPC networks. To help you decide which type of network meets your needs, see the considerations for auto mode VPC networks.

Default network

Unless you choose to disable it, each new project starts with a default network. The default network is an auto mode VPC network with pre-populated IPv4 firewall rules. The default network does not have pre-populated IPv6 firewall rules.

Considerations for auto mode VPC networks

Auto mode VPC networks are easy to set up and use, and they are well suited for use cases with these attributes:
However, custom mode VPC networks are more flexible and are better suited to production. The following attributes highlight use cases where custom mode VPC networks are recommended or required:
IPv4 subnet ranges

Each subnet has a primary IPv4 address range. The primary internal addresses for the following resources come from the subnet's primary range: VM instances, internal load balancers, and internal protocol forwarding. You can optionally add secondary IP address ranges to a subnet, which are only used by alias IP ranges. However, you can configure alias IP ranges for instances from the primary or secondary range of a subnet. Each primary or secondary IPv4 range for all subnets in a VPC network must be a unique valid CIDR block. Refer to the per-network limits for the number of secondary IP ranges you can define.

Your IPv4 subnets don't need to form a predefined contiguous CIDR block, but you can do that if desired. For example, auto mode VPC networks do create subnets that fit within a predefined auto mode IP range. When you create a subnet in a custom mode VPC network, you choose what IPv4 range to use. For more information, see valid ranges, prohibited subnet ranges, and working with subnets.

There are four unusable IP addresses in every primary IPv4 subnet range. For more information, see reserved IP addresses in a subnet.

Auto mode VPC networks are created with one subnet per region at creation time and automatically receive new subnets in new regions. The subnets have IPv4 ranges only, and all subnet ranges fit inside the

IPv6 subnet ranges

When you create a dual-stack subnet in a custom mode VPC network, you choose whether the subnet is configured with an internal IPv6 subnet range or an external IPv6 subnet range.

For more information about IPv6 subnet ranges, see Subnets.

Networks that support dual-stack subnets

You can create dual-stack subnets in a custom mode VPC network. Dual-stack subnets are not supported on auto mode VPC networks, including the default network. Dual-stack subnets are not supported on legacy networks. If you have an auto mode VPC network that you would like to add dual-stack subnets to, you can do the following:
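The two constraints above (every primary and secondary IPv4 range in a VPC network must be a unique, non-overlapping CIDR block, and four addresses of each primary range are unusable) can be checked before a subnet plan is applied. The following is an added example, not code from the Google Cloud documentation; the subnet names and ranges are constructed, and the check covers both the primary and secondary ranges of every subnet.

```python
import ipaddress

# Google Cloud reserves four addresses in every primary IPv4 subnet range
# (network address, default gateway, second-to-last address, broadcast).
RESERVED_PER_PRIMARY_RANGE = 4


def usable_addresses(primary_range):
    """Instance-assignable addresses left in a primary IPv4 subnet range."""
    net = ipaddress.IPv4Network(primary_range, strict=True)
    return net.num_addresses - RESERVED_PER_PRIMARY_RANGE


def validate_subnet_plan(subnets):
    """Check a custom mode VPC subnet plan for invalid or colliding ranges.

    `subnets` maps a subnet name to a dict with a 'primary' CIDR and an
    optional list of 'secondary' CIDRs (used only by alias IP ranges).
    Returns a list of problems; an empty list means every range in the
    network is a valid, unique, non-overlapping CIDR block.
    """
    problems = []
    seen = []  # (network, label) for every primary and secondary range so far
    for name, spec in subnets.items():
        ranges = [(spec["primary"], f"{name} primary")]
        ranges += [(r, f"{name} secondary") for r in spec.get("secondary", [])]
        for cidr, label in ranges:
            try:
                # strict=True rejects ranges with host bits set (10.0.0.1/24).
                net = ipaddress.IPv4Network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{label}: {cidr} is not a valid CIDR block ({exc})")
                continue
            for other, other_label in seen:
                if net == other:
                    problems.append(f"{label}: {cidr} duplicates {other_label}")
                elif net.overlaps(other):
                    problems.append(f"{label}: {cidr} overlaps {other_label} ({other})")
            seen.append((net, label))
    return problems


# Constructed sample plan: three subnets in two regions; subnet-3's
# secondary range collides with subnet-1's secondary range.
SAMPLE_PLAN = {
    "subnet-1": {"primary": "10.240.0.0/24", "secondary": ["10.1.0.0/16"]},
    "subnet-2": {"primary": "192.168.1.0/24"},
    "subnet-3": {"primary": "10.2.0.0/16", "secondary": ["10.1.128.0/17"]},
}

if __name__ == "__main__":
    for problem in validate_subnet_plan(SAMPLE_PLAN):
        print(problem)
    print(usable_addresses("10.240.0.0/24"))  # 252
```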
Routes and firewall rules

Routes

Routes define paths for packets leaving instances (egress traffic). For details about Google Cloud route types, see Routes.

Dynamic routing mode

Each VPC network has an associated dynamic routing mode that controls the behavior of all of its Cloud Routers. Cloud Routers manage BGP sessions for Google Cloud connectivity products. For a description of dynamic routing mode options, see Effects of dynamic routing mode in the Cloud Router documentation.

Route advertisements and internal IP addresses

The following IP addresses are advertised within a VPC network:
If you connect VPC networks using VPC Network Peering, subnet ranges using private IPv4 addresses are always exchanged. You can control whether subnet ranges using privately used public IPv4 addresses are exchanged. Global internal IPv4 addresses are never exchanged using peering. For additional details, see the VPC Network Peering documentation. When you connect a VPC network to another network, such as an on-premises network, using a Google Cloud connectivity product like Cloud VPN, Cloud Interconnect, or Router appliance:
Firewall rules

Both hierarchical firewall policies and VPC firewall rules apply to packets sent to and from VM instances (and resources that depend on VMs, such as Google Kubernetes Engine nodes). Both types of firewalls control traffic even if it is between VMs in the same VPC network. To monitor which firewall rule allowed or denied a particular connection, see Firewall Rules Logging.

Communications and access

Communication within the network

The system-generated subnet routes define the paths for sending traffic among instances within the network by using internal IP addresses. For one instance to be able to communicate with another, appropriate firewall rules must also be configured, because every network has an implied deny firewall rule for ingress traffic. Except for the default network, you must explicitly create higher priority ingress firewall rules to allow instances to communicate with one another. The default network includes several firewall rules in addition to the implied ones, including the

Rules that come with the default network are also presented as options for you to apply to new auto mode VPC networks that you create by using the Google Cloud console.

Internet access requirements

The following criteria must be satisfied for an instance to have outgoing internet access:
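The interaction between the implied deny-ingress rule and the higher priority rules you create is easiest to see by evaluating sample packets against a small rule set. This is an added example, not code from the Google Cloud documentation; it models VPC firewall rule semantics (priority 0 to 65535 with the lowest number winning, the implied allow-egress and deny-ingress rules at 65535, and deny taking precedence over allow at equal priority) over constructed rules and addresses, and omits hierarchical firewall policies.

```python
import ipaddress
from dataclasses import dataclass

# VPC firewall model: priority 0-65535, lower number wins; the implied
# allow-all-egress and deny-all-ingress rules sit at 65535 and can only be
# overridden by explicit higher-priority rules, never removed.
LOWEST_PRIORITY = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "INGRESS" or "EGRESS"
    action: str           # "allow" or "deny"
    priority: int
    peers: tuple          # source ranges for ingress, destination ranges for egress
    protocols: frozenset  # e.g. {"tcp"}; {"all"} matches every protocol
    ports: frozenset      # empty = every port


IMPLIED_RULES = (
    Rule("implied-allow-egress", "EGRESS", "allow", LOWEST_PRIORITY, ("0.0.0.0/0",), frozenset({"all"}), frozenset()),
    Rule("implied-deny-ingress", "INGRESS", "deny", LOWEST_PRIORITY, ("0.0.0.0/0",), frozenset({"all"}), frozenset()),
)


def matches(rule, direction, peer_ip, protocol, port):
    peer = ipaddress.ip_address(peer_ip)
    return (rule.direction == direction
            and any(peer in ipaddress.ip_network(r) for r in rule.peers)
            and ("all" in rule.protocols or protocol in rule.protocols)
            and (not rule.ports or port in rule.ports))


def evaluate(rules, direction, peer_ip, protocol, port):
    """Return (action, rule name) of the rule that decides one packet.

    The matching rule with the lowest priority number applies; at equal
    priority a deny rule takes precedence over an allow rule. The implied
    rules always match, so every packet gets a decision.
    """
    candidates = [r for r in tuple(rules) + IMPLIED_RULES if matches(r, direction, peer_ip, protocol, port)]
    winner = min(candidates, key=lambda r: (r.priority, r.action != "deny"))
    return winner.action, winner.name


# Constructed rule set for a custom mode network (no default-network rules):
# SSH from one administrative range, internal traffic between subnets, and
# an equal-priority deny that carves a single host out of the SSH allow.
RULES = [
    Rule("allow-ssh-admin", "INGRESS", "allow", 1000, ("203.0.113.0/24",), frozenset({"tcp"}), frozenset({22})),
    Rule("deny-ssh-one-host", "INGRESS", "deny", 1000, ("203.0.113.7/32",), frozenset({"tcp"}), frozenset({22})),
    Rule("allow-internal", "INGRESS", "allow", 65534, ("10.0.0.0/8",), frozenset({"tcp", "udp", "icmp"}), frozenset()),
]

if __name__ == "__main__":
    print(evaluate(RULES, "INGRESS", "203.0.113.9", "tcp", 22))    # ('allow', 'allow-ssh-admin')
    print(evaluate(RULES, "INGRESS", "203.0.113.7", "tcp", 22))    # ('deny', 'deny-ssh-one-host')
    print(evaluate(RULES, "INGRESS", "198.51.100.4", "tcp", 443))  # ('deny', 'implied-deny-ingress')
    print(evaluate(RULES, "EGRESS", "198.51.100.4", "tcp", 443))   # ('allow', 'implied-allow-egress')
```

Without the two explicit ingress rules, every inbound packet in this model ends at implied-deny-ingress, which is the behaviour a new custom mode network has before you add rules.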
Communications and access for App EngineVPC firewall rules apply to resources running in the VPC network, such as Compute Engine VMs. For App Engine instances, firewall rules work as follows:
For more information about how to control access to App Engine instances, see App security.

Traceroute to external IP addresses

For internal reasons, Google Cloud increases the TTL counter of packets that traverse next hops in Google's network. Tools like

The number of hidden hops varies based on the instance's Network Service Tiers, region, and other factors. If there are only a few hops, it's possible for all of them to be hidden. Missing hops from a

There is no workaround for this behavior. You must take it into account if you configure third-party monitoring that connects to an external IP address associated with a VM.

Egress throughput limits

Network throughput information is available on the Network bandwidth page in the Compute Engine documentation.

Packet size

You can find information about packet size in Maximum transmission unit.

VPC network example

The following example illustrates a custom mode VPC network with three subnets in two regions:

Figure: VPC network example
Maximum transmission unit

For more information about the maximum transmission unit (MTU) setting for a VPC network and its connected VMs, see Maximum transmission unit. For information about changing the MTU of a VPC network, or migrating VMs between VPC networks with different MTU settings, see Change the MTU setting of a VPC network.

Network performance

Latency

The measured inter-region latency for Google Cloud networks can be found in our live dashboard. The dashboard shows Google Cloud's median inter-region latency and throughput performance metrics and the methodology to reproduce these results using PerfKit Benchmarker.

Google Cloud typically measures round-trip latencies less than 55 μs at the 50th percentile and tail latencies less than 80 μs at the 99th percentile between c2-standard-4 VM instances in the same zone.

Google Cloud typically measures round-trip latencies less than 45 μs at the 50th percentile and tail latencies less than 60 μs at the 99th percentile between c2-standard-4 VM instances in the same low-latency network ("compact" placement policy). Compact placement policy lowers the network latency by ensuring that the VMs are located physically within the same low-latency network.

Methodology: Intra-zone latency is monitored via a blackbox prober that constantly runs the netperf TCP_RR benchmark between a pair of c2-type VMs in every zone where c2 instances are available. It collects P50 and P99 results for setups with and without compact placement policy. The TCP_RR benchmark measures request/response performance by measuring the transaction rate. If your applications require the best possible latency, c2 instances are recommended.

Packet loss

Google Cloud tracks cross-region packet loss by regularly measuring round-trip loss between all regions. We target the global average of those measurements to be lower than 0.01%.

Methodology: A blackbox VM-to-VM prober monitors the packet loss for every zone pair using pings and aggregates the results into one global loss metric. This metric is tracked with a one-day window.

What's next