Build a Google Cloud VPC from scratch: create a custom network with subnets, control traffic with firewall rules, reserve a static external IP, and give private VMs outbound internet with Cloud NAT.
A VPC (Virtual Private Cloud) is your private network. Why GCP is different: a VPC is global. Its subnets live in regions, but the network spans every region, so resources in different regions talk to each other over internal IPs with no peering or VPN in between. Every VM network interface attaches to a subnet of exactly one VPC.
Create a custom-mode VPC (you define the subnets yourself)
gcloud compute networks create my-vpc \
  --subnet-mode custom

A subnet is an IP range that lives in one region (e.g. 10.0.1.0/24 is 256 addresses; Google reserves the first two and the last two of every subnet, so 252 are usable by VMs). Why custom mode: you choose the ranges deliberately, keep them from overlapping with on-prem or peered networks, and add one subnet per region you actually use. VMs get their private IP from the subnet of the region they launch in.
Add a subnet in us-central1
gcloud compute networks subnets create central-subnet \
  --network my-vpc \
  --region us-central1 \
  --range 10.0.1.0/24

List your subnets
gcloud compute networks subnets list --network my-vpc

A firewall rule allows or denies traffic to VMs, matched by target tags or service accounts. Why tags: you label a VM "web" and write a rule "allow 443 to anything tagged web," so policy follows the role, not the IP. Every VPC carries two implied rules: deny all ingress and allow all egress. A custom-mode network also ships with none of the default-allow rules that the auto-created "default" network has, so nothing reaches your VMs until you open it. A rule with no target tags or service accounts applies to every VM in the network, so always set a target.
Allow HTTPS from anywhere to VMs tagged "web"
gcloud compute firewall-rules create allow-https \
  --network my-vpc --direction INGRESS \
  --action ALLOW --rules tcp:443 \
  --source-ranges 0.0.0.0/0 --target-tags web

Allow SSH only from one office IP, never open 22 to the world
gcloud compute firewall-rules create allow-ssh \
  --network my-vpc --action ALLOW --rules tcp:22 \
  --source-ranges 203.0.113.25/32 --target-tags web

(If you have no fixed office IP, allow 35.235.240.0/20, the range Identity-Aware Proxy TCP forwarding connects from, and SSH through IAP instead of from the public internet.)

An ephemeral external IP is released when a VM stops and a different one is assigned when it starts again. A reserved static IP is one you own and can keep or move between VMs. Why: so DNS records and third-party allow-lists keep working across restarts and rebuilds. Note: a reserved IP that is not attached to anything is still billed, so release addresses you no longer use.
Reserve a regional static external IP
gcloud compute addresses create web-ip --region us-central1

See the address you got
gcloud compute addresses describe web-ip --region us-central1 \
  --format "value(address)"

Attach it by name with the --address flag when you create a VM in the same region. VMs with no external IP at all cannot reach the internet. Cloud NAT (which rides on a Cloud Router) gives them outbound-only access: they can open connections out, but nothing on the internet can open a connection to them. Why: keep your VMs private while still letting them fetch packages and call external APIs. Cloud NAT is regional and only serves VMs that have no external IP; a VM that has one bypasses NAT and talks directly, so check that your "private" VMs really have none.
Cloud NAT needs a Cloud Router in the region
gcloud compute routers create my-router \
  --network my-vpc --region us-central1

Create the NAT, covering all subnet ranges, auto-allocating IPs
gcloud compute routers nats create my-nat \
  --router my-router --region us-central1 \
  --nat-all-subnet-ip-ranges \
  --auto-allocate-nat-external-ips

Auto-allocated NAT addresses can change, so they cannot be put on a partner's allow-list. If you need a fixed egress IP, reserve static addresses in the region and hand them to the NAT with --nat-external-ip-pool instead of auto-allocation.
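Once the network is built, the thing worth checking is that what exists still matches the intent above: no admin port open to 0.0.0.0/0, every rule scoped by a target tag or service account, and no VM quietly carrying an external IP that lets it bypass Cloud NAT. The following Python script is an added example, not part of this page or of any Google tool. It reads the JSON that `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` produce; the embedded sample records are constructed to mirror the page's two rules plus one deliberate mistake, and the script names and field handling are the author's own assumptions about that output format.

```python
"""Audit gcloud JSON output for the mistakes this page warns about.

Added example, not Google tooling. Typical use:
  gcloud compute firewall-rules list --format=json > rules.json
  gcloud compute instances list --format=json > instances.json
  python3 vpc_audit.py rules.json instances.json
With no arguments it runs on the constructed sample records below.
"""
import ipaddress
import json
import sys

# Admin ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def _expand_ports(allowed):
    """Turn a rule's 'allowed' list into (protocol, port) pairs.

    gcloud writes ports as "22" or "20-22"; an entry with no 'ports' key
    means every port of that protocol, represented here as port None.
    """
    pairs = set()
    for entry in allowed:
        proto = entry.get("IPProtocol", "all")
        ports = entry.get("ports")
        if not ports:
            pairs.add((proto, None))
            continue
        for spec in ports:
            lo, _, hi = spec.partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                pairs.add((proto, port))
    return pairs


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (any prefix of length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_firewall(rules):
    """Return (rule name, finding) pairs for enabled INGRESS allow rules."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "allowed" not in rule:  # deny rules are not the risk here
            continue
        name = rule["name"]
        world = any(_is_world(c) for c in rule.get("sourceRanges", []))
        if world:
            for proto, port in sorted(_expand_ports(rule["allowed"]), key=str):
                if proto not in ("tcp", "all"):
                    continue
                if port is None:
                    findings.append((name, "world-open-all-%s" % proto))
                elif port in ADMIN_PORTS:
                    findings.append((name, "world-open-" + ADMIN_PORTS[port]))
        # No target tags or service accounts: the rule hits every VM in the VPC.
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append((name, "applies-to-every-vm"))
    return findings


def external_ips(instances):
    """(instance name, external IP) for every NIC that has one.

    In a NAT-only design this list should be empty: a VM with an external IP
    bypasses Cloud NAT and is reachable from outside, subject only to firewall rules.
    """
    return [
        (inst["name"], cfg["natIP"])
        for inst in instances
        for nic in inst.get("networkInterfaces", [])
        for cfg in nic.get("accessConfigs", [])
        if cfg.get("natIP")
    ]


# Constructed sample records in the shape gcloud emits (not real output).
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "targetTags": ["web"]},
 {"name": "allow-ssh", "direction": "INGRESS", "sourceRanges": ["203.0.113.25/32"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["web"]},
 {"name": "oops-ssh-world", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["20-22"]}]}
]""")
SAMPLE_INSTANCES = json.loads("""[
 {"name": "web-1", "networkInterfaces": [{"networkIP": "10.0.1.2",
   "accessConfigs": [{"name": "External NAT", "natIP": "198.51.100.7"}]}]},
 {"name": "worker-1", "networkInterfaces": [{"networkIP": "10.0.1.3"}]}
]""")


def main(argv):
    rules = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_RULES
    instances = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE_INSTANCES
    for name, finding in audit_firewall(rules):
        print("FIREWALL  %-20s %s" % (name, finding))
    for name, ip in external_ips(instances):
        print("EXTERNAL  %-20s %s" % (name, ip))


if __name__ == "__main__":
    main(sys.argv)
```

On the sample data the script flags `oops-ssh-world` twice (port 22 open to the world via the 20-22 range, and no target so it applies to every VM) and reports `web-1` as carrying an external IP; the two rules copied from the page produce no findings. Run it against real project output after each change to the network, or from CI, so a rule opened "temporarily" does not survive unnoticed.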