How to design a VPC and firewall rules on Google Cloud
Build a custom-mode Google Cloud VPC with regional subnets, tag-based stateful firewall rules, and Cloud NAT for private workloads, then validate connectivity.
On Google Cloud a VPC is a global resource; subnets are regional. Custom-mode VPCs let you define exactly which subnets and ranges exist, the right choice for production. Firewall rules are stateful and apply to instances by network tag or service account. Cloud NAT provides outbound internet for instances without public IPs.
Prerequisites
- A Google Cloud project, the
gcloudCLI, and Terraform.
Steps
1. Create the VPC
resource "google_compute_network" "main" {
name = "app-vpc"
auto_create_subnetworks = false
}
Disabling auto subnets gives you full control.
2. Add subnets
resource "google_compute_subnetwork" "app" {
name = "app-subnet"
network = google_compute_network.main.id
region = "us-central1"
ip_cidr_range = "10.10.0.0/20"
private_ip_google_access = true
}
Private Google Access lets instances reach Google APIs without public IPs.
3. Write firewall rules
Google Cloud denies ingress by default. Allow only what is needed:
resource "google_compute_firewall" "allow_http" {
network = google_compute_network.main.name
direction = "INGRESS"
allow { protocol = "tcp"; ports = ["443"] }
target_tags = ["web"]
source_ranges = ["0.0.0.0/0"]
}
4. Use network tags
Apply the web tag to instances that should accept the rule. Tags decouple rules from individual machines.
5. Add Cloud NAT
Create a Cloud Router and a Cloud NAT so private instances get outbound internet without public IPs, the GCP equivalent of a NAT gateway.
6. Validate connectivity
Launch an instance with no external IP, tag it web, and confirm it can reach the internet outbound via NAT and accept HTTPS via the firewall rule.
Verification
Use the Connectivity Tests tool in the console to confirm allowed and denied paths. SSH to a private instance through Identity-Aware Proxy and run curl https://example.com to confirm NAT egress works. Confirm no rule allows unintended ingress.
Next Steps
Add hierarchical firewall policies at the org level, enable VPC Flow Logs, and use Private Service Connect for managed services instead of public endpoints.
Prerequisites
- Google Cloud project
- gcloud CLI installed
- Terraform installed
Steps
- 1Create the VPC
- 2Add subnets
- 3Write firewall rules
- 4Use network tags
- 5Add Cloud NAT
- 6Validate connectivity