To create a new VPC in Google Cloud Console, go to the VPC networks menu and select Create VPC network (shown in Figures 9.2 and 9.3). You can also add further subnets to an existing VPC by editing an existing subnet.
Figure 9.2 – Creating a VPC network in Google Cloud Console
It is important to note that subnets can be created either during the initial creation of a VPC network or at any point thereafter.
To connect to workloads in my-first-subnet or other subnets in my-vpc-network, firewall rules that allow this communication must exist. To create a firewall rule called ssh-rdp-ping that allows all users (from the default source range, 0.0.0.0/0) to access all instances in my-vpc-network on TCP ports 22 (SSH) and 3389 (RDP) and to send a ping (ICMP), the following command could be used:
gcloud compute firewall-rules create ssh-rdp-ping --network my-vpc-network --allow tcp:22,tcp:3389,icmp
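Because the rule above admits SSH and RDP from the default source range 0.0.0.0/0, a practitioner usually wants a quick way to spot such rules across a project. The following script is an added example, not code from the book: it post-processes the JSON that `gcloud compute firewall-rules list --format=json` emits (the Firewall resource fields name, network, direction, sourceRanges, allowed and disabled) and reports enabled ingress rules that open an admin port to a /0 source range. The records it scans are constructed here to mirror the ssh-rdp-ping rule, not captured from a real project, and the project name in the network URL is a placeholder.

```python
"""Audit VPC firewall rules for admin ports opened to the whole internet.

Added example: the records below are constructed to mirror the ssh-rdp-ping
rule from the text (abridged Firewall resources as printed by
`gcloud compute firewall-rules list --format=json`).
"""
import ipaddress
import json

# Admin ports worth flagging when reachable from any source address.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Placeholder project name; only the trailing network name is used.
NETWORK_URL = ("https://www.googleapis.com/compute/v1/projects/example-project"
               "/global/networks/my-vpc-network")

# Constructed sample records (not real gcloud output).
SAMPLE_RULES_JSON = json.dumps([
    {   # the rule created in the text: SSH, RDP and ICMP from 0.0.0.0/0
        "name": "ssh-rdp-ping", "network": NETWORK_URL, "direction": "INGRESS",
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}, {"IPProtocol": "icmp"}],
        "disabled": False,
    },
    {   # same ports, but only from my-first-subnet: not flagged
        "name": "ssh-rdp-from-first-subnet", "network": NETWORK_URL, "direction": "INGRESS",
        "sourceRanges": ["10.0.0.0/24"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}],
        "disabled": False,
    },
    {   # wide open but disabled: not flagged while it stays disabled
        "name": "all-tcp-disabled", "network": NETWORK_URL, "direction": "INGRESS",
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}],
        "disabled": True,
    },
])


def port_in_specs(port_specs, port):
    """True if a list such as ["22", "3000-4000"] covers port; no list means every port."""
    if not port_specs:
        return True
    for spec in port_specs:
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def is_world_range(cidr):
    """A /0 source range (0.0.0.0/0 or ::/0) means any address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_rules(rules, admin_ports=ADMIN_PORTS):
    """Return (rule name, network name, sorted exposed ports) for every enabled
    ingress rule that allows an admin port from a /0 source range."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(is_world_range(r) for r in rule.get("sourceRanges", [])):
            continue
        exposed = set()
        for entry in rule.get("allowed", []):
            proto = entry.get("IPProtocol", "").lower()
            if proto not in ("tcp", "all"):
                continue
            for port, label in admin_ports.items():
                if proto == "all" or port_in_specs(entry.get("ports"), port):
                    exposed.add(f"{label}/{port}")
        if exposed:
            network = rule.get("network", "").rsplit("/", 1)[-1]
            findings.append((rule["name"], network, sorted(exposed)))
    return findings


def audit_sample():
    """Run the audit over the constructed sample records."""
    return find_exposed_rules(json.loads(SAMPLE_RULES_JSON))


if __name__ == "__main__":
    for name, network, ports in audit_sample():
        print(f"{network}/{name}: {', '.join(ports)} reachable from 0.0.0.0/0; "
              f"narrow it with --source-ranges on 'gcloud compute firewall-rules update'")
```

Run against real output by piping `gcloud compute firewall-rules list --format=json` into `json.load` instead of the constructed list; the remediation is to replace 0.0.0.0/0 with the bastion or office ranges via `--source-ranges`, which both `create` and `update` accept.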
In the preceding example, my-first-subnet was created in my-vpc-network with an assigned IP address range in CIDR notation (10.0.0.0/24). The mode where you manually assign IP address ranges to subnets is called Custom mode. Alternatively, Automatic mode could be used.
Figure 9.3 – Automatic subnet creation mode in VPC
Here are the differences between these modes:
- Automatic mode: This is where subnets are pre-populated for every region in a VPC network. There is a dedicated CIDR of 10.128.0.0/9 that is used for this purpose. Every region has a /20 subnet, which allows up to 4,094 addresses to be created, excluding network, gateway, second-to-last, and broadcast addresses. In the preceding screenshot, you can see that 10.160.0.0/20 will be used by a subnet in the asia-south1 region. When a new region is created, additional subnets are automatically added to a VPC in auto mode. Using auto mode doesn’t prevent you from adding more subnets manually later. A VPC network configured with auto mode can transition to custom mode, but this action can’t be reversed.
- Custom mode: This is where no subnets are automatically created. You control which regions you want subnets to be created in and what their IP ranges and mask length will be. The smallest range that can be configured is /29. With custom mode, you are responsible for planning the ranges so that there is no CIDR overlap. Custom mode can’t be switched to auto mode. Also, you can expand a custom mode subnet, but a shrink operation is not allowed. The 10.0.0.0/24 subnet, my-first-subnet, from our example, can be expanded to /23 with the following command:
$ gcloud compute networks subnets expand-ip-range my-first-subnet --region=europe-central2 --prefix-length=23
The IP range of subnetwork [my-first-subnet] will be expanded from 10.0.0.0/24 to 10.0.0.0/23. This operation may take several minutes to complete and cannot be undone.
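Since custom mode leaves range planning to you, and an expansion cannot be undone, it helps to validate a plan offline before running the commands. The script below is an added example, not code from the book: it applies the custom mode rules from the text (no CIDR overlap, nothing smaller than /29, expansion only, and the 10.128.0.0/9 block kept clear because auto mode pre-allocates it) to a plan held in a dictionary, simulates the expand-ip-range step, and renders the corresponding gcloud commands. Only my-first-subnet, my-vpc-network, europe-central2 and 10.0.0.0/24 come from the text; the other subnet names, regions and ranges are constructed.

```python
"""Validate custom mode subnet ranges before running gcloud.

Added example, not from the book: subnet names and ranges other than
my-first-subnet / 10.0.0.0/24 in europe-central2 are constructed.
"""
import ipaddress

AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")  # pre-allocated to auto mode subnets
SMALLEST_PREFIX = 29  # the smallest subnet custom mode lets you configure

# Constructed plan: (region, CIDR) per subnet name.
SAMPLE_PLAN = {
    "my-first-subnet": ("europe-central2", "10.0.0.0/24"),
    "eu-second-subnet": ("europe-west1", "10.0.2.0/24"),
    "us-subnet": ("us-central1", "10.1.0.0/20"),
}
# Constructed plan with one of each mistake the validator catches.
BAD_PLAN = {
    "my-first-subnet": ("europe-central2", "10.0.0.0/24"),
    "overlapping": ("europe-west1", "10.0.0.128/25"),  # sits inside my-first-subnet
    "too-small": ("us-central1", "10.2.0.0/30"),        # below the /29 minimum
    "auto-range": ("asia-south1", "10.130.0.0/20"),    # inside the auto mode block
}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, nets = [], {}
    for name, (_region, cidr) in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            problems.append(f"{name}: {cidr} is not on a network boundary; use {net}")
        if net.prefixlen > SMALLEST_PREFIX:
            problems.append(f"{name}: /{net.prefixlen} is smaller than the /{SMALLEST_PREFIX} minimum")
        if net.overlaps(AUTO_MODE_BLOCK):
            problems.append(f"{name}: {net} falls inside {AUTO_MODE_BLOCK}, reserved for auto mode")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def plan_expansion(plan, name, new_prefix):
    """Return the CIDR that expand-ip-range would produce, or raise ValueError.
    Only a shorter prefix (an expansion) is allowed, and the wider range must
    not collide with any other subnet in the plan."""
    _region, cidr = plan[name]
    old = ipaddress.ip_network(cidr)
    if new_prefix >= old.prefixlen:
        raise ValueError(f"{name}: /{new_prefix} is not an expansion of {old}; shrinking is not allowed")
    new = old.supernet(new_prefix=new_prefix)
    for other, (_r, other_cidr) in plan.items():
        if other != name and new.overlaps(ipaddress.ip_network(other_cidr)):
            raise ValueError(f"{name}: expanding to {new} would overlap {other} ({other_cidr})")
    return str(new)


def create_commands(plan, network="my-vpc-network"):
    """gcloud commands that create each subnet of a validated plan."""
    return [
        f"gcloud compute networks subnets create {name} --network={network} "
        f"--region={region} --range={cidr}"
        for name, (region, cidr) in plan.items()
    ]


def expand_command(plan, name, new_prefix):
    """gcloud command for a validated expansion, in the form shown in the text."""
    region, _cidr = plan[name]
    plan_expansion(plan, name, new_prefix)  # raises if the expansion is not allowed
    return (f"gcloud compute networks subnets expand-ip-range {name} "
            f"--region={region} --prefix-length={new_prefix}")


if __name__ == "__main__":
    for problem in validate_plan(BAD_PLAN):
        print("problem:", problem)
    for cmd in create_commands(SAMPLE_PLAN):
        print(cmd)
    print(expand_command(SAMPLE_PLAN, "my-first-subnet", 23))
```

Expanding my-first-subnet to /23 passes because 10.0.0.0/23 stops short of the constructed 10.0.2.0/24 neighbour, while /22 would swallow it and is rejected before any command is printed; the same check refuses a /25, since that would be a shrink.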
In the following example, there are two VPCs – global-vpc, with three subnets deployed in three regions across the globe, and regional, with two subnets deployed in one region only. VPC is a global service, but with custom mode, you can choose the regions in which subnets are created:
Figure 9.4 – Custom mode subnets in VPC
When managing a VPC, it is crucial to understand which roles are required to create networking resources and which roles allow you to assign resources to workloads. For example, the predefined IAM Compute Network Admin role provides full control over all network resources except firewall rules and SSL certificates. On the other hand, the Compute Security Admin role can only manage firewall rules and SSL certificates. The Compute Network User role allows you to assign subnets from a Shared VPC to local workloads.