Introduction
A virtual private cloud (VPC) is an isolated, private section of a public cloud. A VPC customer can do everything a conventional private cloud allows, such as running code, storing data and hosting websites, but the private cloud is hosted remotely by a public cloud provider. (Not all private clouds are hosted this way.) A VPC combines the data isolation of private cloud computing with the scalability and convenience of public cloud computing.
Need for VPC
In Google Cloud, a VPC network provides networking for Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters and the App Engine flexible environment. VPC offers global, scalable and flexible networking for your cloud-based resources and services.
Many cloud providers offer a VPC product, including Amazon and Azure, but this page focuses on the VPC provided by Google Cloud.

Think of a public cloud as a busy restaurant and a VPC as a reserved table in it. A table marked "Reserved" can only be used by the party that booked it, even when the restaurant is full of other patrons.
In the same way, a public cloud is shared by many customers drawing on the same pool of computing resources, while a VPC reserves a portion of those resources for just one customer.
How can we isolate a VPC in a public cloud?

A VPC isolates its computing resources from the other resources in the public cloud.
The main techniques for separating a VPC from the rest of the public cloud are:
Subnets: A subnet is a range of IP addresses reserved within a network so that nobody else can use them, which effectively sets aside a portion of the network for private use. In a VPC these are internal addresses: unlike public IP addresses, they are not reachable from the public Internet.
VLAN: A local area network (LAN) is a group of devices that are connected to each other without going through the Internet. A virtual LAN (VLAN) is a LAN created in software. Like a subnet, a VLAN divides a network, but the division happens at a different layer of the OSI model (layer 2 instead of layer 3).
VPN: A virtual private network (VPN) overlays a private network on a public one using encryption. VPN traffic travels through routers, switches and other publicly reachable Internet infrastructure, but it is encrypted, so the intermediate hops cannot read it.
A VPC has its own subnet and VLAN that only the VPC customer can reach. That is the "Reserved" sign on the table: it stops other users of the public cloud from reaching the computing resources inside the VPC. When the customer connects to the VPC over a VPN, the data entering and leaving the VPC is likewise unreadable to other users of the public cloud and of the Internet in between. Note that traffic the customer exposes through external (public) IP addresses is outside that protection and has to be controlled with firewall rules instead.
Advantages of VPC

Scalability: Because a VPC is hosted by a public cloud provider, customers can add computing resources on demand.
Easy hybrid cloud deployment: Connecting a VPC to a public cloud or to on-premises infrastructure through a VPN is relatively straightforward.
Better performance: Websites and applications hosted in the cloud often perform better than those hosted on on-site servers.
Greater security: Public cloud providers that offer VPCs usually have more resources for patching and maintaining the infrastructure than a small or mid-market organisation does. The benefit is smaller for large corporations, or for any business that must meet very strict data security requirements.
Network features

VPC firewall rules
VPC firewall rules let you allow or deny connections to or from your virtual machine (VM) instances, based on a configuration that you define. Enabled VPC firewall rules are always enforced and protect your instances regardless of their configuration or operating system, even if they have not started up.
Each VPC network acts as a distributed firewall. Firewall rules are defined at the network level, but connections are allowed or denied per instance. VPC firewall rules therefore govern traffic not only between your instances and other networks, but also between individual instances inside the same network.
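The following Python script is an added illustration, not code from Google's documentation or from any real network. It simulates how a VPC network picks the rule that decides one flow for one instance: rules are defined once at network level, scoped to instances by target tags, ranked by priority number (lower wins), a deny beats an allow at equal priority, and the two implied rules every network has catch whatever no explicit rule matched. The rule set is constructed for the example; the 203.0.113.0/24 and 198.51.100.0/24 peer addresses are RFC 5737 documentation ranges, 10.128.0.0/9 mirrors the default network's allow-internal rule, and 35.235.240.0/20 is the range Google documents for Identity-Aware Proxy TCP forwarding.

```python
"""Simulation of VPC firewall rule selection for one instance and one flow.
Added example: the rule set below is constructed, not a real network's configuration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow" or "deny"
    priority: int = 1000            # 0-65535; the lower the number, the higher the precedence
    protocols: tuple = ("all",)     # "all", "icmp", "tcp" (any port), "tcp:22", "tcp:8000-8080"
    ranges: tuple = ("0.0.0.0/0",)  # source ranges for INGRESS, destination ranges for EGRESS
    target_tags: tuple = ()         # empty: the rule applies to every instance in the network


# Every VPC network carries these two implied rules at the lowest precedence.
IMPLIED_RULES = (
    Rule("implied-allow-egress", "EGRESS", "allow", 65535),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535),
)

# Constructed rule set for the example. 35.235.240.0/20 is the range Google
# documents for Identity-Aware Proxy TCP forwarding; 10.128.0.0/9 mirrors the
# default network's allow-internal rule.
RULES = (
    Rule("allow-ssh-from-iap", "INGRESS", "allow", 1000, ("tcp:22",),
         ("35.235.240.0/20",), ("ssh",)),
    Rule("allow-internal", "INGRESS", "allow", 65534, ("tcp", "udp", "icmp"),
         ("10.128.0.0/9",)),
    # Instances tagged "no-internet" may only talk to the internal range.
    Rule("allow-egress-internal", "EGRESS", "allow", 900, ("all",),
         ("10.128.0.0/9",), ("no-internet",)),
    Rule("deny-egress-all", "EGRESS", "deny", 1000, ("all",),
         ("0.0.0.0/0",), ("no-internet",)),
    # Two rules at the same priority for the same flow: the deny wins the tie.
    Rule("allow-http", "INGRESS", "allow", 500, ("tcp:80",)),
    Rule("deny-http", "INGRESS", "deny", 500, ("tcp:80",)),
)


def _protocol_matches(spec, proto, port):
    """True if a spec such as "tcp:22" or "udp:53-54" covers proto/port."""
    if spec == "all":
        return True
    name, _, ports = spec.partition(":")
    if name != proto:
        return False
    if not ports:
        return True                     # bare protocol name matches every port
    low, _, high = ports.partition("-")
    return int(low) <= port <= int(high or low)


def rule_applies(rule, direction, peer_ip, proto, port, instance_tags):
    """True if the rule is in scope for this instance and matches this flow."""
    if rule.direction != direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(instance_tags):
        return False
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(r) for r in rule.ranges):
        return False
    return any(_protocol_matches(spec, proto, port) for spec in rule.protocols)


def evaluate(rules, direction, peer_ip, proto, port, instance_tags=()):
    """Return (action, rule_name) for the rule that decides the flow.

    The lowest priority number wins; at equal priority a deny rule beats an
    allow rule; the implied rules catch anything no explicit rule matched."""
    candidates = [r for r in (*rules, *IMPLIED_RULES)
                  if rule_applies(r, direction, peer_ip, proto, port, instance_tags)]
    winner = min(candidates, key=lambda r: (r.priority, r.action != "deny"))
    return winner.action, winner.name


if __name__ == "__main__":
    # Peer addresses come from the RFC 5737 documentation ranges (constructed).
    flows = [
        ("INGRESS", "203.0.113.5", "tcp", 22, ("ssh",)),     # SSH straight from the internet
        ("INGRESS", "35.235.240.10", "tcp", 22, ("ssh",)),   # SSH via IAP to a tagged instance
        ("INGRESS", "35.235.240.10", "tcp", 22, ("web",)),   # same source, instance lacks the tag
        ("INGRESS", "10.128.0.7", "udp", 53, ()),            # internal DNS query
        ("EGRESS", "198.51.100.7", "tcp", 443, ("no-internet",)),
        ("EGRESS", "198.51.100.7", "tcp", 443, ()),
        ("INGRESS", "203.0.113.5", "tcp", 80, ()),           # priority tie
    ]
    for flow in flows:
        print(flow, "->", evaluate(RULES, *flow))
```

Two things the simulation makes visible that the prose only states: SSH from the open internet is dropped by the implied deny even though an SSH rule exists, because that rule only targets instances tagged `ssh` and only from the IAP range; and an egress deny at priority 1000 is bypassed for the internal range only because a more specific allow sits at a lower priority number.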
VPC Firewall policies
Firewall policies, whose management is controlled by Identity and Access Management (IAM) roles, let you group firewall rules so that you can update them all at once. Like VPC firewall rules, these policies contain rules that explicitly allow or deny connections.
Different types of firewall policies
Hierarchical firewall policies
Hierarchical firewall policies let you establish and enforce a consistent firewall policy across your organisation. They can be attached to the organisation as a whole or to individual folders.
Network firewall policies
Network firewall policies group all of their firewall rules into a single policy object, so that every rule can be updated in one batch. A network firewall policy is associated with a VPC network.
Regional firewall policies
Regional firewall policies contain rules that apply only to workloads located in the region for which the policy is defined. A regional firewall policy is also associated with a VPC network.
IP addresses
In Google Cloud, resources such as VM instances and load balancers have IP addresses. These addresses let Google Cloud resources communicate with other Google Cloud resources, with on-premises networks and with the public internet.
Google Cloud uses the following labels to categorise IP addresses. An internal IP address is not publicly routable; an external IP address is. A Google Cloud VM's network interface can be assigned an external IP address in addition to its internal one.
External IP address
- External IP addresses are publicly routable, so any host on the internet can reach them, and resources that have an external IP address can reach the public internet.
- External IPv4 addresses can be assigned by Google or brought to Google by you (bring your own IP, BYOIP). BYOIP addresses are static external IPv4 addresses and can be used with most resources that accept static external addresses, with some exceptions.
- External IPv6 addresses are provided by Google. See IPv6 subnet ranges for details.
Internal IP address
- Internal IP addresses are not publicly routable and cannot be reached from the internet.
- An internal IPv4 address can be either a private IPv4 address or a privately used public IPv4 address. See Valid IPv4 ranges for the list of ranges that may be used internally.
- Internal IPv6 addresses are unique within Google Cloud. See IPv6 subnet ranges for details.
Private IP address
- Private IP addresses are not routable on the internet.
- See the Private IP address ranges entries in the table of valid internal IPv4 address ranges for the list of private IPv4 ranges.
- Unique local addresses (ULAs) are the private IPv6 addresses. Internal IPv6 subnet ranges use ULAs.
Public IP address
- Public IP addresses are routable on the internet. In Google Cloud, external IPv4 and IPv6 addresses are always public IP addresses.
- You can also use public IPv4 addresses as internal addresses when configuring the primary or secondary IPv4 range of a subnet in your VPC network. These are known as privately used public IP addresses.
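The distinction the labels above draw is easy to get wrong in a review: "internal" is a statement about where an address sits in the VPC (inside one of its subnet ranges), not about whether it comes from RFC 1918 space. The Python below is an added example, not Google's code, that classifies a range with the vocabulary used above and then decides the role of an address relative to a given set of subnet ranges. The subnet ranges and addresses are constructed; the list of reserved IPv4 blocks is a simplification for the example (well-known IETF special-purpose blocks), not the authoritative Valid IPv4 ranges table referred to above.

```python
"""Classifies address ranges (private, public, privately used public, ULA) and
decides whether an address is internal to a given VPC. Added example, not
Google's code; the reserved-range list is a simplification."""
import ipaddress

# RFC 1918 private IPv4 ranges, the RFC 4193 unique local block and IPv6 global unicast.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_V6 = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")

# Special-purpose IPv4 blocks that are neither private nor usable as a subnet
# range. Assumed for the example; the authoritative list is the "Valid IPv4
# ranges" table referred to above.
RESERVED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def classify(cidr):
    """Return "private", "public", "reserved", "ULA" or "global unicast IPv6"."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        if any(net.subnet_of(p) for p in PRIVATE_V4):
            return "private"
        if any(net.overlaps(r) for r in RESERVED_V4):
            return "reserved"
        return "public"
    if net.subnet_of(ULA_V6):
        return "ULA"
    if net.subnet_of(GLOBAL_UNICAST_V6):
        return "global unicast IPv6"
    return "reserved"


def subnet_range_kind(cidr):
    """Describe a candidate subnet range, or raise if it cannot be used internally."""
    kind = classify(cidr)
    if kind == "private":
        return "private IPv4 range"
    if kind == "public":
        return "privately used public IPv4 range"
    if kind == "ULA":
        return "internal IPv6 range"
    raise ValueError(f"{cidr} cannot be used as an internal range ({kind})")


def role_in_vpc(address, subnet_ranges):
    """"internal" means the address falls inside one of the VPC's subnet ranges,
    whatever address space it comes from; "external" means publicly routable
    and outside the VPC."""
    ip = ipaddress.ip_address(address)
    for s in subnet_ranges:
        net = ipaddress.ip_network(s, strict=False)
        if net.version == ip.version and ip in net:
            return "internal"
    kind = classify(f"{ip}/{ip.max_prefixlen}")
    if kind in ("public", "global unicast IPv6"):
        return "external"
    return f"{kind}, outside this VPC"


if __name__ == "__main__":
    # Constructed VPC: one RFC 1918 subnet, one privately used public subnet, one ULA subnet.
    subnets = ["10.0.0.0/24", "11.0.0.0/24", "fd12:3456:789a::/64"]
    for s in subnets:
        print(s, "->", subnet_range_kind(s))
    for a in ("10.0.0.9", "11.0.0.5", "11.0.1.5", "10.0.1.9", "fd12:3456:789a::1"):
        print(a, "->", role_in_vpc(a, subnets))
```

The interesting case is 11.0.0.5 versus 11.0.1.5: both are public address space, but only the first is internal, because only 11.0.0.0/24 is a subnet range of this VPC. A practitioner reading a firewall rule with source range 11.0.0.0/24 therefore cannot tell from the range alone whether it names internal peers or internet hosts; the subnet configuration decides.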
Routes
A route in a VPC network consists of a single destination prefix in CIDR format and a single next hop. When an instance in a VPC network sends a packet whose destination address falls within a route's destination range, Google Cloud forwards the packet to that route's next hop.
Routes in Google cloud
Every VPC network uses a scalable, distributed virtual routing mechanism; no physical routing hardware is assigned to the network. The routing table is defined at the VPC network level, but some routes can be applied selectively, to only those instances that carry a matching network tag.
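When several routes contain a packet's destination, the network picks the most specific destination prefix first and, among routes with the same destination, the one with the lowest priority value; routes that still tie share the traffic. The Python below is an added example, not Google's code, that applies that selection to a constructed route table: a subnet route, the default route to the internet gateway, primary and backup static routes to an on-premises range, an equal-cost pair for one data centre, and a tag-scoped default route that sends only tagged instances through a NAT instance. The next-hop names, the 192.168.0.0/16 on-premises range and the tags are assumptions for the example; 10.128.0.0/20 is the default network's us-central1 range.

```python
"""Route selection for a VPC network: most specific destination first, then the
lowest priority value, with remaining ties spread across next hops. Added
example; the route table below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str             # the single CIDR destination prefix
    next_hop: str         # where matching packets go
    priority: int = 1000  # 0-65535; lower value wins among routes with the same destination
    tags: tuple = ()      # empty: every instance; otherwise only instances with a matching tag


# Constructed table for the example (next-hop names are placeholders).
ROUTES = (
    Route("subnet-route", "10.128.0.0/20", "vpc-network"),
    Route("default-route", "0.0.0.0/0", "default-internet-gateway", 1000),
    Route("onprem-primary", "192.168.0.0/16", "vpn-tunnel/tun-a", 100),
    Route("onprem-backup", "192.168.0.0/16", "vpn-tunnel/tun-b", 200),
    Route("dc2-ecmp-a", "192.168.50.0/24", "vpn-tunnel/tun-a", 100),
    Route("dc2-ecmp-b", "192.168.50.0/24", "vpn-tunnel/tun-b", 100),
    # Applies only to instances tagged "no-public-ip": their internet-bound
    # traffic goes through a NAT instance instead of the internet gateway.
    Route("egress-via-nat", "0.0.0.0/0", "instance/nat-gw", 900, ("no-public-ip",)),
)


def applicable_routes(routes, dst_ip, instance_tags=()):
    """Routes whose destination contains dst_ip and whose tags, if any, match the instance."""
    ip = ipaddress.ip_address(dst_ip)
    found = []
    for r in routes:
        net = ipaddress.ip_network(r.dest)
        if net.version != ip.version or ip not in net:
            continue
        if r.tags and not set(r.tags) & set(instance_tags):
            continue
        found.append((net.prefixlen, r))
    return found


def select_next_hops(routes, dst_ip, instance_tags=()):
    """Return the sorted next hops a packet to dst_ip may take. More than one
    means equal-cost routes share the traffic; none means the packet is dropped."""
    cands = applicable_routes(routes, dst_ip, instance_tags)
    if not cands:
        return []
    longest = max(plen for plen, _ in cands)      # most specific destination wins
    same_dest = [r for plen, r in cands if plen == longest]
    best = min(r.priority for r in same_dest)     # then the lowest priority value
    return sorted(r.next_hop for r in same_dest if r.priority == best)


if __name__ == "__main__":
    # 8.8.8.8 is Google Public DNS, used here simply as an internet destination.
    for dst, tags in [("10.128.0.5", ()), ("192.168.1.1", ()), ("192.168.50.4", ()),
                      ("8.8.8.8", ()), ("8.8.8.8", ("no-public-ip",)), ("2001:db8::1", ())]:
        print(dst, tags, "->", select_next_hops(ROUTES, dst, tags))
```

The tag-scoped route is the security-relevant part: a 0.0.0.0/0 route at priority 900 silently overrides the default route for every instance carrying the tag, so a tag an attacker can attach to an instance (or a tag applied too broadly) changes where that instance's internet traffic goes. The same mechanism is what lets you force selected instances through an inspection or NAT path.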