Virtual Private Cloud (VPC) overview

Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters, and serverless workloads.

VPC provides networking for your cloud-based resources and services that is global, scalable, and flexible.

This page provides a high-level overview of VPC concepts and features.

VPC networks

You can think of a VPC network the same way you'd think of a physical network, except that it is virtualized within Google Cloud. A VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network. VPC networks are logically isolated from each other in Google Cloud.

VPC network example.

A VPC network does the following:

For more information, see VPC networks.

Firewall rules

Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules let you control which packets are allowed to travel to which destinations. Every VPC network has two implied firewall rules that block all incoming connections and allow all outgoing connections.

The default network has additional firewall rules, including the default-allow-internal rule, which permit communication among instances in the network.

For more information, see VPC firewall rules.

Routes

Routes tell VM instances and the VPC network how to send traffic from an instance to a destination, either inside the network or outside of Google Cloud. Each VPC network comes with some system-generated routes to route traffic among its subnets and send traffic from eligible instances to the internet.

You can create custom static routes to direct some packets to specific destinations.

For more information, see Routes.

Forwarding rules

While routes govern traffic leaving an instance, forwarding rules direct traffic to a Google Cloud resource in a VPC network based on IP address, protocol, and port.

Some forwarding rules direct traffic from outside of Google Cloud to a destination in the network; others direct traffic from inside the network. Destinations for forwarding rules are target instances, load balancer targets (backend services, target proxies, and target pools), and Classic VPN gateways.

For more information, see Forwarding rules overview.

Interfaces and IP addresses

VPC networks provide the following configurations for IP addresses and VM network interfaces.

IP addresses

Google Cloud resources, such as Compute Engine VM instances, forwarding rules, and GKE containers, rely on IP addresses to communicate.

For more information, see IP addresses.

Alias IP ranges

If you have multiple services running on a single VM instance, you can give each service a different internal IP address by using alias IP ranges. The VPC network forwards packets that are destined to a particular service to the corresponding VM.

For more information, see Alias IP ranges.

Multiple network interfaces

You can add multiple network interfaces to a VM instance, where each interface resides in a unique VPC network. Multiple network interfaces enable a network appliance VM to act as a gateway for securing traffic among different VPC networks or to and from the internet.

For more information, see Multiple network interfaces.

VPC sharing and peering

Google Cloud provides the following configurations for sharing VPC networks across projects and connecting VPC networks to each other.

Shared VPC

You can share a VPC network from one project (called a host project) to other projects in your Google Cloud organization. You can grant access to entire Shared VPC networks or select subnets therein by using specific IAM permissions. This lets you provide centralized control over a common network while maintaining organizational flexibility. Shared VPC is especially useful in large organizations.

For more information, see Shared VPC.

VPC Network Peering

VPC Network Peering lets you build software as a service (SaaS) ecosystems in Google Cloud, making services available privately across different VPC networks, whether the networks are in the same project, different projects, or projects in different organizations.

With VPC Network Peering, all communication happens by using internal IP addresses. Subject to firewall rules, VM instances in each peered network can communicate with one another without using external IP addresses.

Peered networks automatically exchange subnet routes for private IP address ranges. VPC Network Peering lets you configure whether the following types of routes are exchanged:

  • Subnet routes for privately re-used public IP ranges
  • Custom static and dynamic routes

Network administration for each peered network is unchanged: IAM policies are never exchanged by VPC Network Peering. For example, Network and Security Admins for one VPC network do not automatically get those roles for the peered network.

For more information, see VPC Network Peering.

Hybrid cloud

Google Cloud provides the following configurations that let you connect your VPC networks to on-premises networks and networks from other cloud providers.

Cloud VPN

Cloud VPN lets you connect your VPC network to your physical, on-premises network or another cloud provider by using a secure virtual private network.

For more information, see Cloud VPN.

Cloud Interconnect

Cloud Interconnect lets you connect your VPC network to your on-premises network by using a high speed physical connection.

For more information, see Cloud Interconnect.

Hybrid Subnets

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Hybrid Subnets helps you migrate workloads to Google Cloud without needing to change any IP addresses. A hybrid subnet is a single logical subnet that combines a segment of an on-premises network with a subnet in a VPC network.

For more information, see Hybrid Subnets.

Cloud Load Balancing

Google Cloud offers several load balancing configurations to distribute traffic and workloads across many backend types.

For more information, see Cloud Load Balancing overview.

Private access to services

You can use Private Service Connect, Private Google Access, and private services access to let VMs that don't have an external IP address communicate with supported services.

For more information, see Private access options for services.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.