VPC — Virtual Private Cloud

A VPC is a software-defined global network of subnets. Each subnet is regional and defined by a CIDR block (e.g. 10.0.0.0/20). Subnets can be auto-mode (one per region, pre-assigned) or custom-mode (you define each range). For any non-trivial project, use custom-mode to control IP allocation.

Firewall rules operate at the VPC level with priority, direction (ingress/egress), action (allow/deny), source/target filters (CIDR, tag, service account), and protocols/ports. Implied rules: deny all ingress, allow all egress. Rules apply to all instances in the VPC unless filtered.

Private connectivity options: (a) VPC peering — two VPCs in different projects connected privately, non-transitive; (b) Shared VPC — one 'host' project holds the VPC, multiple 'service' projects share its subnets, useful for multi-tenant orgs; (c) Private Service Connect / Private Service Access — publish a service (like Cloud SQL) inside the consumer's VPC without exposing a public IP.

Serverless VPC Access: Cloud Run / Cloud Functions are outside customer VPCs by default. A Serverless VPC Connector (a pool of managed instances with IPs in your subnet) bridges them, enabling private calls to Cloud SQL, Memorystore, or on-prem resources via VPN/Interconnect.

Cloud NAT: allows private VMs (no public IP) to reach the internet for outbound calls (npm install, package updates) while remaining unreachable from outside. Strongly recommended over public IPs on compute instances.

Hybrid connectivity: Cloud VPN (IPsec) for low-throughput secure tunnels; Cloud Interconnect (Partner or Dedicated) for high-bandwidth/low-latency links to on-prem. Both terminate on a Cloud Router that exchanges BGP routes with your VPC.