Network Topology overview
Network Topology is a visualization tool that shows the topology of your network infrastructure:
- Infrastructure view: Shows Virtual Private Cloud (VPC) networks, hybrid connectivity to and from your on-premises networks, connectivity to Google-managed services, and the associated metrics.
- GKE Enterprise view (for GKE Enterprise enabled projects): Shows the infrastructure of your Google Kubernetes Engine (GKE) deployments: clusters, namespaces, workloads, pods, and their associated metrics.
You can also view metrics and details of network traffic to other Shared VPC networks and inter-region traffic. Network Topology combines configuration information with real-time operational data in a single view. This view makes it easier to understand networking relationships between various workloads on Google Cloud and their current state, such as the traffic paths and throughput between virtual machine (VM) instances.
Network Topology lays out information in a graph format, where the nodes and lines represent entities and connections in your network.
How it works
Network Topology collects real-time telemetry and configuration data from Google's infrastructure to visualize your resources. It captures elements such as configuration information, metrics, and logs to infer relationships between resources in a project or in multiple projects. After collecting each element, Network Topology combines them to generate a graph that represents your deployment.
Benefits
Using Network Topology provides the following benefits:
- You can view the topology of your deployments. No additional configurations or agents are required to use Network Topology.
- You can use Network Topology graphs to understand your Google Cloud infrastructure. You don't need to view multiple logs or use third-party tools.
- You can use Network Topology to help you analyze the performance of your network. You can drill down and view various metrics that can help you identify unexpected patterns.
- You can use filters to help you highlight and focus on specific resources, especially when you need to diagnose and troubleshoot issues.
- You can view cross-project metrics for network traffic sent across Shared VPC or VPC Network Peering boundaries within the same organization.
- You can view insights for entities with high egress metric values for further analysis and troubleshooting.
Considerations
Important: If there are many projects and the topology graph is too large to be displayed in a browser, a truncated graph is displayed. Some connections and nodes might be missing from the displayed graph. You can remove some projects or resources from this metrics scope. Or, to reduce the graph's size, show data only for the current project. Note that the metrics are not sampled or truncated. A message appears below the graph saying that the graph is too large.
Network Topology captures six weeks of history.
Network Topology visualizes entities and connections only if they have communicated (sent or received traffic) during the selected time period. A connection between entities exists if base entities in their respective hierarchies are in communication. For example, Network Topology connects regions us-east4 and europe-west1 if at least one VM instance in each region communicates with the other. Although other resources might exist, Network Topology doesn't show them if they didn't receive or send traffic.
For more information, see Data collection and freshness.
Resources and traffic
A Network Topology graph shows your resources and traffic as entities and connections. Network Topology aggregates related resources into hierarchical entities, where each resource type has its own hierarchy. The following sections describe the resources (entities) and traffic paths (connections) that Network Topology can graph.
Entities
A base entity is the lowest level of a particular hierarchy and represents a resource that can directly communicate with other resources over a network, such as a VM instance or a GKE pod for Google Kubernetes Engine (GKE) Enterprise edition projects.
When you have multiple networks and many base entities, displaying everything in a flat view can be overwhelming. To address this issue, Network Topology aggregates base entities into hierarchical entities that you can expand or collapse. When you first view a Network Topology graph, it aggregates all of the base entities into their top-level hierarchy.
For example, Network Topology aggregates the entities as follows:
- VM instances into their instance group, then aggregates instance groups into a Google Cloud zone
- GKE pods into their GKE workloads, then aggregates GKE workloads into GKE namespaces, and then the GKE namespaces into a GKE cluster. This is available only for GKE Enterprise enabled projects.
Network Topology represents a base or hierarchical entity as a circular node in a graph. Each base entity possesses its own hierarchy. For example, load balancers have a different hierarchy than VM instances.
Note: When you drill down into a hierarchy, Network Topology might skip a level. If a particular hierarchy contains only one entity, Network Topology skips that level until it reaches a level that contains multiple entities or base entities. For an example, see the Auditing network performance use case.
The following table shows the base entities and their aggregation hierarchies. In a graph, Network Topology represents each base entity by using an icon shown in the table.
| Base entity | Icon | Description | Aggregation hierarchy (top to bottom) |
|---|---|---|---|
| VM instance | | A Compute Engine VM instance | region > network > subnet > zone > instance group > instance |
| VM instance group | | The collection of VM instances that you can manage as a single entity. | region > network > subnet > zone > instance group > |
| Classic Application Load Balancer, External passthrough Network Load Balancer, External proxy Network Load Balancer | | The base entity for external load balancer components, such as the forwarding rule and backend service. | external load balancing > load balancer |
| Internal load balancer | | The base entity for internal load balancer components, such as the forwarding rule and backend service. | internal load balancing > load balancer |
| Cloud NAT gateway | | A NAT gateway | region > network > NATs > NAT gateway |
| VPC Network Peering | | A VPC peering endpoint that is shown when you don't have permissions to view the peer network. If you do, Network Topology shows the resources of the peer network. | peer networks > network |
| Country | | Network Topology shows the country where external clients are located. These clients are outside of Google Cloud. They are typically hosts that communicate with resources in your network over external IP addresses. | business region* > country# |
| Cloud Interconnect | | Network Topology shows the Dedicated Interconnect or Partner Interconnect connections. For more information, see the Cloud Interconnect overview. | interconnect |
| VLAN attachments | | Network Topology shows the VLAN attachments to Dedicated Interconnect or Partner Interconnect connections. | interconnect > interconnect attachments |
| Cloud VPN gateway | | Network Topology shows the Cloud VPN gateway connections. For more information, see the Cloud VPN overview. | gateway > |
| Cloud VPN | | Network Topology shows the Cloud VPN connections. | gateway > vpn tunnel |
| On-premises | | Network Topology shows the on-premises networks. An on-premises network can refer to any remote network that is outside the Google Cloud domain. | on-premises |
| Router appliance instances | | Network Topology shows the Router appliance instances. | |
| Google-managed services | | Network Topology shows the Google-managed service instance. | Google services > Google service |
*A business region can be one of the following entities: Americas for North and South America, APAC for Asia and Oceania, and EMEA for Europe, the Middle East, and Africa.
#Google uses the external IP addresses to categorize the origin of the external client. However, the IP address might not indicate the actual location of the client. For example, if you deliver content through Cloud CDN, the IP address observed by Network Topology might not be the actual address of the external client.
The following table shows the base entities and their aggregation hierarchies in the GKE Enterprise view, which is available only for GKE Enterprise projects. In a graph, Network Topology represents each base entity by using an icon shown in the table.
| Base entity | Icon | Description | Aggregation hierarchy (top to bottom) |
|---|---|---|---|
| GKE Pod | | The base entity for GKE entities such as clusters, workloads, and namespaces. | region > network > subnet > zone > GKE cluster > GKE namespace > GKE workload > GKE pod |
| GKE Workload | | A GKE workload | region > network > subnet > zone > GKE cluster > GKE namespace > GKE workload |
| GKE namespace | | A GKE namespace | region > network > subnet > zone > GKE cluster > GKE namespace |
| GKE cluster | | A GKE cluster | region > network > subnet > zone > GKE cluster |
Connections
Network Topology represents traffic between entities as lines, such as traffic between VM instances. Network Topology connects entities if at least one side of the connection is sending traffic.
Network Topology shows connections at various levels of a hierarchy as long as their base entities are in communication. For example, Network Topology shows a connection between two regions if at least one VM instance in each region is communicating with the other.
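The roll-up described above can be modeled as follows. This is an added example, not Google's code: the inventory, flow records, and function names are constructed, and dropping traffic that stays inside one aggregated node is an assumption about how a line between two nodes is drawn.

```python
from collections import defaultdict

# VM instance hierarchy, top to bottom, as listed in the page's table.
VM_HIERARCHY = ("region", "network", "subnet", "zone", "instance_group", "instance")


def _vm(region, network, subnet, zone, group, name):
    return dict(zip(VM_HIERARCHY, (region, network, subnet, zone, group, name)))


# Constructed inventory. vm-idle exists but sends and receives nothing.
ENTITIES = {
    "vm-a": _vm("us-east4", "prod", "sub-e", "us-east4-a", "ig-web", "vm-a"),
    "vm-b": _vm("us-east4", "prod", "sub-e", "us-east4-b", "ig-api", "vm-b"),
    "vm-c": _vm("europe-west1", "prod", "sub-w", "europe-west1-b", "ig-db", "vm-c"),
    "vm-idle": _vm("asia-east1", "prod", "sub-a", "asia-east1-a", "ig-batch", "vm-idle"),
}

# Constructed flows for one hourly snapshot: (source, destination, bytes).
FLOWS = [
    ("vm-a", "vm-c", 1200),
    ("vm-c", "vm-a", 300),
    ("vm-a", "vm-b", 50),
]


def node_at(entity, level):
    """Name of the aggregated node that contains `entity` at `level`."""
    depth = VM_HIERARCHY.index(level) + 1
    return "/".join(ENTITIES[entity][key] for key in VM_HIERARCHY[:depth])


def connections_at(level, flows=FLOWS):
    """Lines between aggregated nodes: present if any base entities talked."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        a, b = node_at(src, level), node_at(dst, level)
        if a != b:  # assumption: traffic inside one node draws no line
            # Bytes are summed only for illustration; the page's overlaid
            # metrics are hourly averages.
            totals[tuple(sorted((a, b)))] += nbytes
    return dict(totals)


def nodes_at(level, flows=FLOWS):
    """Nodes shown at `level`: only those whose base entities had traffic."""
    return {node_at(e, level) for src, dst, _ in flows for e in (src, dst)}


if __name__ == "__main__":
    for level in ("region", "zone", "instance"):
        print(level, sorted(nodes_at(level)), connections_at(level))
```

An idle or silent resource such as `vm-idle` never appears at any level, so the graph cannot be used as an asset inventory.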
Network Topology supports TCP, UDP, ICMP, ICMPV6, ESP, and GRE traffic for certain traffic paths. The following list describes the paths that Network Topology visualizes between entities:
- Traffic in a VPC network such as traffic between VM instances and internal load balancers that are in the same network.
- Traffic across peered VPC networks such as traffic between VM instances and internal load balancers that are in peer VPC networks.
- Traffic between Google Cloud and the internet such as traffic between clients on the internet and entities (for example, VM instances or external Application Load Balancers that have external IP addresses).
- Traffic to and from Cloud VPN gateways, Cloud Interconnect connections, and router appliance instances.
The following list describes the paths that Network Topology visualizes between entities in the GKE Enterprise view, available only for GKE Enterprise projects:
- Traffic within a GKE cluster such as the traffic between pairs of GKE pods on different GKE nodes. Network Topology doesn't show metrics for the traffic between the GKE nodes within a cluster.
- Traffic between two pods within the same GKE node if intranode visibility is enabled.
- Traffic between GKE clusters and external IP addresses such as service flows. These connections might flow through load balancers.
Google-managed services
Network Topology also visualizes traffic to and from Google-managed services. Google Cloud users can use Network Topology to audit their networking configuration and troubleshoot networking issues related to the different Google services in use.
Network Topology supports direct access of VMs to Google-managed services by using a default route with a next hop as the default-internet-gateway or Private Google Access. It does not support the following access methods to Google-managed services:
- External traffic from the internet
- Direct Google access from the VMs
- Private Google Access from on-premises hosts
Network Topology doesn't show traffic to or from some of the Google-managed services such as App Engine Memcache, Filestore, Memorystore, Cloud SQL, and partner and marketplace solutions.
IP address considerations
For traffic between VM instances in Google Cloud that communicate using external IP addresses, Network Topology does not display a single connection directly between the VMs. Instead, Network Topology displays the traffic as if it were to and from an external location by using two connections: one connection between the first VM and the country of the second VM, and another connection between the second VM and the country of the first VM.
Network interface considerations
Network Topology only visualizes traffic to or from the first network interface (nic0) of a VM.
For VMs that use internal IP addresses to communicate, Network Topology only displays a connection if both VMs are communicating by using their first network interface (nic0-to-nic0).
For VMs that use external IP addresses to communicate, Network Topology normally displays two connections as described in IP address considerations. However, if only one of the VMs is using nic0, Network Topology only displays a connection for that VM. For example, if one VM is communicating through nic0 and the other VM is communicating through nic1, Network Topology only displays a connection between the nic0 VM and a country.
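The IP address and network interface rules above decide which VM-to-VM flows an analyst can actually see in the graph. The following added example (not Google's code) encodes those rules so that partly shown and hidden flows can be listed; the `Endpoint` and `Flow` types, the `country:` label, and all sample values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    vm: str
    nic: str      # interface carrying the flow: "nic0", "nic1", ...
    country: str  # country the VM's external IP is categorized under (constructed)


@dataclass(frozen=True)
class Flow:
    a: Endpoint
    b: Endpoint
    addressing: str  # "internal" or "external" IP addresses


def displayed_connections(flow):
    """Graph lines that the page's rules produce for one VM-to-VM flow."""
    a_nic0 = flow.a.nic == "nic0"
    b_nic0 = flow.b.nic == "nic0"
    if flow.addressing == "internal":
        # Shown only when both sides use their first interface.
        return [(flow.a.vm, flow.b.vm)] if a_nic0 and b_nic0 else []
    if flow.addressing == "external":
        # Never a direct VM-to-VM line: each nic0 VM is linked to the
        # country of its peer instead. With no nic0 side, nothing is shown.
        lines = []
        if a_nic0:
            lines.append((flow.a.vm, "country:" + flow.b.country))
        if b_nic0:
            lines.append((flow.b.vm, "country:" + flow.a.country))
        return lines
    raise ValueError(f"unknown addressing: {flow.addressing!r}")


def coverage(flow):
    """Classify a flow as "full", "partial" or "hidden" in the graph."""
    expected = 1 if flow.addressing == "internal" else 2
    shown = len(displayed_connections(flow))
    if shown == 0:
        return "hidden"
    return "full" if shown == expected else "partial"


# Constructed sample endpoints and flows.
VM_A0 = Endpoint("vm-a", "nic0", "US")
VM_B0 = Endpoint("vm-b", "nic0", "US")
VM_B1 = Endpoint("vm-b", "nic1", "US")
VM_C0 = Endpoint("vm-c", "nic0", "BE")
VM_C1 = Endpoint("vm-c", "nic1", "BE")

SAMPLE = {
    "internal nic0-nic0": Flow(VM_A0, VM_B0, "internal"),
    "internal nic0-nic1": Flow(VM_A0, VM_B1, "internal"),
    "external nic0-nic0": Flow(VM_A0, VM_C0, "external"),
    "external nic0-nic1": Flow(VM_A0, VM_C1, "external"),
    "external nic1-nic1": Flow(VM_B1, VM_C1, "external"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE.items():
        print(f"{name:20} {coverage(flow):8} {displayed_connections(flow)}")
```

Flows classified as hidden or partial need another data source, such as VPC Flow Logs, if they matter to an investigation.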
Metrics for entities
Network Topology shows the average traffic within the selected hour. You can also view average packet loss for the hour and median latency (RTT) for many entity types.
Metrics for the selected hour on the timeline include the following:
- Average hourly throughput available for most entities
- Average hourly packet loss available for traffic within Google Cloud regions and zones
- Hourly median latency (RTT) available for many entity types
In the GKE Enterprise view available for GKE Enterprise projects, the metrics for the selected hour on the timeline also include the following:
- Average hourly throughput available for most entities
- Median latency available for traffic within Google Cloud regions and zones with GKE clusters
- Network verdict metrics displaying the GKE workloads with the most dropped and most forwarded traffic flows for the selected cluster
You can also download the table of outliers in a CSV format for the High egress and Network verdict traffic insights.
Insights for entities with high metric values
In addition to the average hourly metrics, Network Topology also shows the ranking of VMs or instance groups that generate the highest egress. Network Topology provides dedicated views that rank resources where you can start your troubleshooting and analysis.
In the Infrastructure view, the insights for metrics for the selected hour on the timeline include the following:
- High egress instances: aggregated hourly values for various types of egress
- High egress instance groups: aggregated hourly values for various types of egress
In the GKE Enterprise view available for GKE Enterprise projects, the insights for metrics for the selected hour on the timeline include the following:
- High egress GKE workloads: aggregated hourly values for various types of egress for GKE workloads, in the GKE Enterprise view
Filter the traffic based on the traffic types
You can further filter the traffic based on the following traffic types:
- All egress traffic for an entity
- Cross-zonal egress traffic: useful for analyzing billable traffic
- Egress to internet: used for analyzing billable traffic and for analyzing the traffic that reaches external endpoints
- Hybrid egress: used to analyze the volume of traffic to on-premises, including Cloud Interconnect, Cloud VPN, and Router appliance connections
In the GKE Enterprise view, you can further filter the traffic based on the following traffic types:
- All measured egress traffic from the selected entity
- Cross-zonal egress traffic: useful for analyzing billable traffic between Google Cloud zones
Multiple projects
Network Topology visualizes resources in your project, or you can use Cloud Monitoring, which can visualize metrics for multiple Google Cloud projects. When you configure Cloud Monitoring to have access to the metrics for multiple projects, Network Topology can show network traffic that crosses multiple projects.
For example, assume that you have two VM instances in two different projects. vm-a is in project-a, and vm-b is in project-b. Both VM instances communicate with each other and are in a Shared VPC network. If you only have visibility into project-b, Network Topology shows vm-b but nothing to indicate that it communicated with vm-a. However, if you configure Cloud Monitoring to view metrics for both projects, Network Topology shows vm-a, vm-b, and their communication.
Cloud Monitoring is especially useful for Shared VPC and VPC Network Peering scenarios, where resources or networks can be in different projects. For more information, see View metrics for multiple Cloud projects.
Project aggregation
When you view multiple projects in a Network Topology graph, you can aggregate Google Cloud entities by project and then by their standard hierarchies. This option lets you view resources by project. Entities outside of Google Cloud, such as external clients, aren't included in project aggregation.
As an example, if you aggregate by project and then expand a project, the graph shows a region entity for each region that contains a VM instance. If you don't use project aggregation, the graph shows all of the entities as if they were in the same project. To enable project aggregation, see Aggregate entities by project.
Change project scope
To view multiple projects in Network Topology, configure a metrics scope and add monitored projects to it.
When you add projects to a metrics scope, then this metrics scope lets you monitor the data for the scoping project and the monitored projects. From this metrics scope, you can access the combined metrics of the scoping project and the monitored projects. For more information, see View metrics for multiple projects.
To make use of an existing metrics scope and monitor multiple Google Cloud projects in a single view, select the scoping project using the Google Cloud console project picker or the Change Scope button. You can also select a single monitoring project using these options.
Data collection and freshness
Network Topology captures six weeks of history.
The Network Topology history is divided into hourly snapshots, which start at the beginning of an hour. For each hourly snapshot, the graph shows base entities and their communication that occurred during that hour. For example, if two instances communicated with each other and then were deleted during the hour, they would appear for that hour even though they no longer exist.
The visualization of entities and their connections includes overlaid metrics on the connections where applicable. Network Topology also displays separate time series charts that show metrics such as the traffic throughput between communicating entities or the CPU utilization of VM instances. The time series charts don't have the same hourly constraints as the visualized entities, connections, and overlaid metrics.
For more information about viewing metrics, see Monitor your networking configuration with Network Topology.
Present snapshot
When you view the present time, the Network Topology graph shows an hourly snapshot from the previous hour. Each time that you load a graph, Network Topology shows the latest available snapshot.
For more details about each component and its data during the present segment, see the following table.
| For this component | Data comes from this time period | And is available at this time | Example |
|---|---|---|---|
| Entities and connections | The previous hour | Immediately after each hour¹ | If the current time is 01:19 PM, the graph visualizes entities that communicated from 12:00 PM to 01:00 PM, but the graph can change. At 01:20 PM the graph is fixed and won't change. |
| Overlaid metric values | The previous hour² | As entities and connections become available | If the current time is 10:37 AM and the selected metric is Traffic, the overlaid values are an average from 09:55 AM to 10:00 AM. |
| Time series charts | Real-time, with historical data from a timeframe that you specify. The default timeframe shows minute-by-minute metric values from the past hour. The available timeframes range from 1 hour to 6 weeks³. | At most 7 minutes after an activity | If the current time is 10:37 AM and you open the time series charts for a VM, you see minute-by-minute metric values for the hour from 09:37 AM to 10:37 AM. |
¹ The graph can change up to 20 minutes after the end of an hour.
² The traffic and packet loss metrics use the average of the selected hour, while latency uses the median.
³ The aggregation interval, or how often the data is sampled, depends on the timeframe. For example, the 1 hour timeframe has an aggregation interval of 1 minute, while the 1 day timeframe has an aggregation interval of 1 hour.
Past snapshots
For details about each component and its data when viewing past snapshots, see the following table.
| For this component | Data comes from this time period | Example |
|---|---|---|
| Entities and connections | An hour that you select from the past | 11:00 AM to 12:00 PM from the previous day |
| Overlaid metric values | The selected hour¹ | If you select the segment that runs from 11:00 AM to 12:00 PM on the previous day and the selected metric is Traffic, the overlaid values are an average from 11:55 AM to 12:00 PM. |
| Time series charts | Real-time, with historical data from a timeframe that you specify. The default timeframe shows minute-by-minute metric values from the past hour. The available timeframes range from 1 hour to 6 weeks². | If you set the timeframe of the time series chart to 1 day, the chart shows metric values from the current time to 24 hours ago using a 5-minute aggregation interval. |
¹ The traffic and packet loss metrics use the average of the last one hour, while latency uses the median.
² The aggregation interval, or how often the data is sampled, depends on the timeframe. For example, the 1 hour timeframe has an aggregation interval of 1 minute, while the 1 day timeframe has an aggregation interval of 1 hour.
What's next
- View graph interface elements
- Monitor your networking configuration with Network Topology
- Troubleshoot Network Topology
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.