Skip to main content

How to design a VPC and firewall rules on Google Cloud

Build a custom-mode Google Cloud VPC with regional subnets, tag-based stateful firewall rules, and Cloud NAT for private workloads, then validate connectivity.

Difficulty
Intermediate
Duration
50 minutes
Steps
6

On Google Cloud a VPC is a global resource; subnets are regional. Custom-mode VPCs let you define exactly which subnets and ranges exist, the right choice for production. Firewall rules are stateful and apply to instances by network tag or service account. Cloud NAT provides outbound internet for instances without public IPs.

Prerequisites

  • A Google Cloud project, the gcloud CLI, and Terraform.

Steps

1. Create the VPC

resource "google_compute_network" "main" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

Disabling auto subnets gives you full control.

2. Add subnets

resource "google_compute_subnetwork" "app" {
  name          = "app-subnet"
  network       = google_compute_network.main.id
  region        = "us-central1"
  ip_cidr_range = "10.10.0.0/20"
  private_ip_google_access = true
}

Private Google Access lets instances reach Google APIs without public IPs.

3. Write firewall rules

Google Cloud denies ingress by default. Allow only what is needed:

resource "google_compute_firewall" "allow_http" {
  network       = google_compute_network.main.name
  direction     = "INGRESS"
  allow { protocol = "tcp"; ports = ["443"] }
  target_tags   = ["web"]
  source_ranges = ["0.0.0.0/0"]
}

4. Use network tags

Apply the web tag to instances that should accept the rule. Tags decouple rules from individual machines.

5. Add Cloud NAT

Create a Cloud Router and a Cloud NAT so private instances get outbound internet without public IPs, the GCP equivalent of a NAT gateway.

6. Validate connectivity

Launch an instance with no external IP, tag it web, and confirm it can reach the internet outbound via NAT and accept HTTPS via the firewall rule.

Verification

Use the Connectivity Tests tool in the console to confirm allowed and denied paths. SSH to a private instance through Identity-Aware Proxy and run curl https://example.com to confirm NAT egress works. Confirm no rule allows unintended ingress.

Next Steps

Add hierarchical firewall policies at the org level, enable VPC Flow Logs, and use Private Service Connect for managed services instead of public endpoints.

Prerequisites

  • Google Cloud project
  • gcloud CLI installed
  • Terraform installed

Steps

  • 1
    Create the VPC
  • 2
    Add subnets
  • 3
    Write firewall rules
  • 4
    Use network tags
  • 5
    Add Cloud NAT
  • 6
    Validate connectivity