Google Cloud

GCP VPC Design Patterns: Shared VPC, Peering, Cloud NAT, and Cloud Armor

2026-05-24
NicheeLab Editorial Team

GCP VPC has a unique architecture where a single VPC is a global resource spanning every region. This article covers the core VPC design patterns, Shared VPC / Peering, Firewall / Cloud Armor, Cloud NAT, how to choose a load balancer, and using Flow Logs.

Characteristics of GCP VPC

  • Global resource: A single VPC spans every region (the biggest difference from AWS / Azure)
  • Subnets are regional: VPCs are global, but subnets are regional
  • Auto-mode vs Custom-mode: Auto-mode auto-provisions subnets in every region (not recommended for production); Custom-mode defines them explicitly
  • Routing is global: Cross-region subnet-to-subnet traffic works automatically
  • BGP-learned routes: Cloud Router provides dynamic routing

Major Design Patterns

1. Single VPC (small scale)

  • One project + one VPC; simple
  • Use cases: personal projects, PoCs, small SaaS

2. Shared VPC (medium to large; recommended)

  • Host project = network administration
  • Service projects = application teams
  • Combines central network governance with business-unit independence
  • Use cases: enterprises, multi-team setups

3. Hub & Spoke (NCC-based)

  • Central hub VPC plus multiple spoke VPCs
  • Managed centrally with Network Connectivity Center
  • Use cases: multi-region WAN, multi-cloud integration

4. VPC Peering (cross-organization)

  • Directly connect two independent VPCs
  • Non-transitive (A↔B and B↔C does not give you A↔C; that needs a separate peering)
  • Use cases: cross-organization integration, SaaS provider ↔ customer

Firewall

VPC Firewall Rules

  • Stateful, with Allow / Deny actions
  • Priority (0-65535; lower wins)
  • Source / Target can be specified by network tag or service account
  • Direction: Ingress / Egress

Hierarchical Firewall Policy

  • Defined at the organization or folder level
  • Evaluated before project-level firewall rules
  • Use cases: baseline rules such as denying SSH from the internet across every project

Cloud NAT

  • Lets VMs with only private IPs reach the internet (egress only)
  • Fully managed, highly available, regional scope
  • Port allocation: Static (fixed) or Dynamic (scales with usage)
  • No public IP needed on VMs, which improves security and reduces IP cost

Cloud Armor (WAF + DDoS)

  • OWASP Top 10 preset rules (XSS, SQLi, LFI, and more)
  • Rate limiting (per IP / per client)
  • Geo-based blocking (country / region)
  • Adaptive Protection (ML-based DDoS detection with automatic mitigation)
  • Threat Intelligence (malicious IPs and botnets)
  • reCAPTCHA Enterprise integration
  • Three tiers: Standard / Plus / Enterprise

The 7 Load Balancer Types

TypeLayerScopeUse case
Global External HTTPS LBL7GlobalGlobal web apps
Regional External HTTPS LBL7RegionalRegion-bound requirements, PCI
Internal HTTPS LBL7Regional / Cross-regionInternal microservices
Global External Proxy Network LB (TCP/SSL)L4GlobalNon-HTTPS global workloads
External Passthrough Network LBL4RegionalUDP, legacy workloads
Internal Passthrough Network LBL4RegionalInternal L4
Cross-region Internal HTTPS LBL7Cross-regionHighly available internal services

VPC Flow Logs

  • Logs 5-tuple (src/dst IP+port, protocol) plus action and byte counts
  • Configurable sampling rate (to optimize CPU and cost)
  • Use cases: troubleshooting, security analysis, cost allocation
  • Exporting to BigQuery and visualizing with Looker / Looker Studio is the standard approach

Common Exam Traps

  • VPC is global, subnet is regional: The biggest difference from AWS
  • VPC Peering is non-transitive: If you need a full mesh, consider NCC
  • Cloud NAT is outbound only: For inbound, use a Load Balancer or IAP
  • Hierarchical Firewall outranks IAM order: An org-level Deny cannot be overridden
  • Auto-mode VPC is not recommended for production: Risk of subnet overlap across all regions

How does GCP VPC differ from AWS / Azure VPC?

GCP VPC is a global resource (one VPC spans every region in the world), while AWS / Azure VPCs are regional. Only subnets are region-bound. Not needing cross-region VPC Peering is a key GCP advantage.

What is Shared VPC?

A design where a host project centrally manages the VPC and assigns it to multiple service projects. It cleanly separates responsibilities: a central team owns networking while business unit teams own applications.

Should I use VPC Peering or Shared VPC?

Use Shared VPC when you want central governance inside an organization, and VPC Peering between independent organizations or projects. Note that VPC Peering is non-transitive (A↔B and B↔C does not give you A↔C).

What is a Hierarchical Firewall Policy?

Firewall rules enforced at the organization or folder level. Project-level rules cannot override them, so you can apply baseline controls (e.g., deny SSH from the internet) uniformly.

What is Cloud NAT for?

It lets VMs with only private IPs initiate outbound traffic to the internet (egress only). You avoid assigning public IPs to VMs, which improves security.

Is Cloud Armor a WAF?

Yes. It offers OWASP Top 10 protections, rate limiting, geo-based blocking, Adaptive Protection (ML-based DDoS defense), Threat Intelligence integration, and more.

Global vs Regional load balancer?

Global uses a single Anycast IP and routes worldwide traffic to the nearest backend (HTTPS / TCP / SSL Proxy), while Regional distributes within a region. Use Global for worldwide apps and Regional for region-bound requirements like PCI.

What are VPC Flow Logs used for?

They log VPC flows (5-tuple + action). They are essential for troubleshooting, security analysis, and traffic statistics. Exporting to BigQuery and visualizing with Looker is the standard pattern.

Related articles: Networking

GCP Professional Cloud Network Engineer (PCNE) 完全ガイド|VPC・Interconnect・Load Balancing

Google Cloud Professional Cloud Network Engineer の試験範囲、VPC / Cloud Interconnect / Cloud Load Balancing / Cloud Armor、AWS ANS・Azure AZ-700 比較を詳解。

GCP Professional Cloud Developer (PCD) 完全ガイド|Cloud Run・GKE・CI/CD・APM

Google Cloud Professional Cloud Developer の試験範囲、Cloud Run / GKE / Cloud Build / Cloud Trace、AWS DVA / Azure AZ-204 比較、学習ロードマップを徹底解説。

Cloud Logging 完全ガイド|ログクエリ・Log Router・Audit Logs・保持期間 (GCP)

Google Cloud Cloud Logging の全機能解説。Logging Query Language (LQL)、Log-based Metric、Log Router (Sink)、Audit Logs、Log Bucket、料金、CloudWatch Logs / Azure Monitor 比較を網羅。

Cloud Scheduler + Cloud Functions/Run で定期バッチ自動化チュートリアル (GCP)

Google Cloud Scheduler と Cloud Functions / Cloud Run Job で定期バッチ自動化。cron 形式、OIDC 認証、リトライ、Dead Letter、Workflows 連携、Cloud Run Job 並列実行を 2026 年最新版で解説。

Google Cloud is a trademark of Google LLC. For the latest information, see the official VPC documentation.

Check what you learned with practice questions

Practice with certification-focused question sets

Visit the GCP Exam Prep Hub
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Google Cloud

Google Cloud Certification Roadmap (2026)

Choose your GCP certification path — Foundational, Associate...

Google Cloud

CDL Cloud Digital Leader: Complete Exam Guide (2026)

Pass the Cloud Digital Leader exam — cloud business value, G...

Google Cloud

GAIL Generative AI Leader: Complete Exam Guide (2026)

Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...

Google Cloud

Vertex AI Fundamentals for GCP Certs (2026)

Vertex AI basics every cert candidate needs — Workbench, Pip...

Google Cloud

Associate Cloud Engineer (ACE): Complete Guide (2026)

Pass the Associate Cloud Engineer exam — Console, gcloud, pr...

Browse all Google Cloud articles (103)
© 2026 NicheeLab All rights reserved.