
GCP Networking: Working with multiple VPC networks

 

🚀 Creating Custom VPC Networks, Firewall Rules, and Multi‑NIC VM in Google Cloud





In this lab, we’ll walk through building custom VPC networks, adding firewall rules, creating VM instances, and finally deploying a VM with multiple network interfaces. This demonstrates how Google Cloud networking isolates traffic and how multi‑homed VMs can bridge networks.


1️⃣ Create Custom VPC Networks

Management Network

gcloud compute networks create managementnet --subnet-mode=custom

gcloud compute networks subnets create managementsubnet-us \
    --network=managementnet \
    --region=us-central1 \
    --range=10.130.0.0/20

Private Network

gcloud compute networks create privatenet --subnet-mode=custom

gcloud compute networks subnets create privatesubnet-us \
    --network=privatenet \
    --region=us-central1 \
    --range=172.16.0.0/24

gcloud compute networks subnets create privatesubnet-notus \
    --network=privatenet \
    --region=asia-south1 \
    --range=172.20.0.0/20

Verify:

gcloud compute networks list
gcloud compute networks subnets list --sort-by=NETWORK

2️⃣ Create Firewall Rules

Allow SSH, RDP, and ICMP ingress traffic:

gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp \
    --direction=INGRESS --priority=1000 --network=managementnet \
    --action=ALLOW --rules=icmp,tcp:22,tcp:3389 --source-ranges=0.0.0.0/0

gcloud compute firewall-rules create privatenet-allow-icmp-ssh-rdp \
    --direction=INGRESS --priority=1000 --network=privatenet \
    --action=ALLOW --rules=icmp,tcp:22,tcp:3389 --source-ranges=0.0.0.0/0

Check rules:

gcloud compute firewall-rules list --sort-by=NETWORK
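The two rules above open SSH and RDP to 0.0.0.0/0, which is acceptable for a throwaway lab but is exactly what a reviewer flags in a real project. The audit script below is an added example, not part of the lab: it reads the output of `gcloud compute firewall-rules list --format=json` and reports enabled ingress rules that allow tcp:22 or tcp:3389 from the whole internet. The embedded sample is constructed to mirror this lab's managementnet rule beside a tightened privatenet rule (assumed name `privatenet-allow-ssh-iap`) whose `--source-ranges` is limited to Google's IAP TCP-forwarding range.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`:
# the lab's world-open managementnet rule beside a tightened privatenet rule whose
# source range is Google's IAP TCP-forwarding range (35.235.240.0/20).
SAMPLE_RULES_JSON = json.dumps([
    {"name": "managementnet-allow-icmp-ssh-rdp", "direction": "INGRESS",
     "priority": 1000, "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "icmp"},
                 {"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
    {"name": "privatenet-allow-ssh-iap", "direction": "INGRESS",
     "priority": 1000, "disabled": False, "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}

def _port_spans(entry):
    """TCP port ranges an 'allowed' entry opens; no 'ports' key means every port."""
    if "ports" not in entry:
        return [(0, 65535)]
    spans = []
    for spec in entry["ports"]:  # "22" or "0-65535"
        lo, _, hi = spec.partition("-")
        spans.append((int(lo), int(hi or lo)))
    return spans

def _is_any_source(cidr):
    """0.0.0.0/0 or ::/0, i.e. the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_admin_rules(rules_json, admin_ports=ADMIN_PORTS):
    """Sorted (rule_name, port, service) for enabled INGRESS rules that allow
    an admin port over TCP from any source address."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(_is_any_source(r) for r in rule.get("sourceRanges", [])):
            continue
        for entry in rule.get("allowed", []):
            if entry["IPProtocol"] not in ("tcp", "all"):
                continue
            for lo, hi in _port_spans(entry):
                for port, service in admin_ports.items():
                    if lo <= port <= hi:
                        findings.append((rule["name"], port, service))
    return sorted(findings)
```

Run `exposed_admin_rules()` on the saved JSON of your own project; on the sample it reports only the managementnet rule, for both port 22 and port 3389.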

3️⃣ Create VM Instances

Management VM

gcloud compute instances create managementnet-us-vm \
    --zone=us-central1-a \
    --machine-type=e2-medium \
    --subnet=managementsubnet-us

Private VM

gcloud compute instances create privatenet-us-vm \
    --zone=us-central1-a \
    --machine-type=e2-medium \
    --subnet=privatesubnet-us

Verify:

gcloud compute instances list --sort-by=ZONE

4️⃣ Create Multi‑NIC VM (vm-appliance)

Attach to three networks: privatenet, managementnet, and mynetwork.

gcloud compute instances create vm-appliance \
    --zone=us-central1-a \
    --machine-type=e2-standard-4 \
    --network-interface=subnet=privatesubnet-us \
    --network-interface=subnet=managementsubnet-us \
    --network-interface=subnet=mynetwork

5️⃣ Explore Network Interfaces

SSH into the VM:

gcloud compute ssh vm-appliance --zone=us-central1-a
sudo ifconfig

Sample output:

ens4: inet 172.16.0.3  (privatesubnet-us)
ens5: inet 10.130.0.3  (managementsubnet-us)
ens6: inet 10.128.0.3  (mynetwork)
lo:   inet 127.0.0.1   (loopback)

6️⃣ Connectivity Validation

From inside vm-appliance:

# Works
ping -c 3 privatenet-us-vm
ping -c 3 <INTERNAL_IP_of_managementnet-us-vm>
ping -c 3 <INTERNAL_IP_of_mynet-us-vm>

# Fails (no route)
ping -c 3 <INTERNAL_IP_of_mynet-notus-vm>

Check routing table:

ip route

Default route is via ens4 (privatenet). Direct routes exist for managementnet and mynetwork. No route for mynet-notus-vm.


🔑 Key Takeaways

  • Custom VPCs give full control over subnet creation.
  • Firewall rules define ingress traffic (SSH, RDP, ICMP).
  • Internal IP connectivity works only within the same VPC.
  • Multi‑NIC VM (vm-appliance) can connect to multiple VPCs simultaneously.
  • Routing behavior explains why mynet-notus-vm fails without policy routing or peering.




Raw code and terminal output

# Create the managementnet VPC
gcloud compute networks create managementnet \
    --subnet-mode=custom

# Create the managementsubnet-us subnet in the lab region. The region must match
# the zone used later for managementnet-us-vm (us-central1-a here), so use us-central1
gcloud compute networks subnets create managementsubnet-us \
    --network=managementnet \
    --region=us-central1 \
    --range=10.130.0.0/20


gcloud compute networks create privatenet --subnet-mode=custom

gcloud compute networks subnets create privatesubnet-us --network=privatenet --region=us-central1 --range=172.16.0.0/24

gcloud compute networks subnets create privatesubnet-notus --network=privatenet --region=asia-south1 --range=172.20.0.0/20

gcloud compute networks list



NXTGN@DESKTOP-E7NBI4Q MINGW64 ~
$ gcloud compute networks list
NAME           SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE  GATEWAY_IPV4  INTERNAL_IPV6_RANGE
default        AUTO         REGIONAL
managementnet  CUSTOM       REGIONAL
mynetwork      AUTO         REGIONAL
privatenet     CUSTOM       REGIONAL



gcloud compute networks subnets list --sort-by=NETWORK

NXTGN@DESKTOP-E7NBI4Q MINGW64 ~
$ gcloud compute networks subnets list --sort-by=NETWORK
NAME                 REGION                NETWORK        RANGE          STACK_TYPE  IPV6_ACCESS_TYPE  INTERNAL_IPV6_PREFIX  EXTERNAL_IPV6_PREFIX  UTILIZATION_DETAILS
default              us-central1           default        10.128.0.0/20  IPV4_ONLY
default              europe-west1          default        10.132.0.0/20  IPV4_ONLY
default              us-west1              default        10.138.0.0/20  IPV4_ONLY
default              asia-east1            default        10.140.0.0/20  IPV4_ONLY
default              us-east1              default        10.142.0.0/20  IPV4_ONLY
default              asia-southeast1       default        10.148.0.0/20  IPV4_ONLY
default              us-east4              default        10.150.0.0/20  IPV4_ONLY
default              australia-southeast1  default        10.152.0.0/20  IPV4_ONLY
default              europe-west3          default        10.156.0.0/20  IPV4_ONLY
default              asia-south1           default        10.160.0.0/20  IPV4_ONLY
default              europe-west4          default        10.164.0.0/20  IPV4_ONLY
default              us-west3              default        10.180.0.0/20  IPV4_ONLY
default              us-west4              default        10.182.0.0/20  IPV4_ONLY
default              europe-central2       default        10.186.0.0/20  IPV4_ONLY
default              southamerica-west1    default        10.194.0.0/20  IPV4_ONLY
default              us-east5              default        10.202.0.0/20  IPV4_ONLY
default              me-west1              default        10.208.0.0/20  IPV4_ONLY
default              europe-west12         default        10.210.0.0/20  IPV4_ONLY
default              me-central1           default        10.212.0.0/20  IPV4_ONLY
default              europe-west10         default        10.214.0.0/20  IPV4_ONLY
default              africa-south1         default        10.218.0.0/20  IPV4_ONLY
default              northamerica-south1   default        10.224.0.0/20  IPV4_ONLY
default              europe-north2         default        10.226.0.0/20  IPV4_ONLY
default              asia-southeast3       default        10.232.0.0/20  IPV4_ONLY
managementsubnet-us  us-central1           managementnet  10.130.0.0/20  IPV4_ONLY
mynetwork            us-central1           mynetwork      10.128.0.0/20  IPV4_ONLY
mynetwork            europe-west1          mynetwork      10.132.0.0/20  IPV4_ONLY
mynetwork            us-west1              mynetwork      10.138.0.0/20  IPV4_ONLY
mynetwork            asia-east1            mynetwork      10.140.0.0/20  IPV4_ONLY
mynetwork            us-east1              mynetwork      10.142.0.0/20  IPV4_ONLY
mynetwork            asia-southeast1       mynetwork      10.148.0.0/20  IPV4_ONLY
mynetwork            us-east4              mynetwork      10.150.0.0/20  IPV4_ONLY
mynetwork            australia-southeast1  mynetwork      10.152.0.0/20  IPV4_ONLY
mynetwork            europe-west3          mynetwork      10.156.0.0/20  IPV4_ONLY
mynetwork            asia-south1           mynetwork      10.160.0.0/20  IPV4_ONLY
mynetwork            europe-west4          mynetwork      10.164.0.0/20  IPV4_ONLY
mynetwork            us-west3              mynetwork      10.180.0.0/20  IPV4_ONLY
mynetwork            us-west4              mynetwork      10.182.0.0/20  IPV4_ONLY
mynetwork            europe-central2       mynetwork      10.186.0.0/20  IPV4_ONLY
mynetwork            southamerica-west1    mynetwork      10.194.0.0/20  IPV4_ONLY
mynetwork            us-east5              mynetwork      10.202.0.0/20  IPV4_ONLY
mynetwork            me-west1              mynetwork      10.208.0.0/20  IPV4_ONLY
mynetwork            europe-west12         mynetwork      10.210.0.0/20  IPV4_ONLY
mynetwork            me-central1           mynetwork      10.212.0.0/20  IPV4_ONLY
mynetwork            europe-west10         mynetwork      10.214.0.0/20  IPV4_ONLY
mynetwork            africa-south1         mynetwork      10.218.0.0/20  IPV4_ONLY
mynetwork            northamerica-south1   mynetwork      10.224.0.0/20  IPV4_ONLY
mynetwork            europe-north2         mynetwork      10.226.0.0/20  IPV4_ONLY
mynetwork            asia-southeast3       mynetwork      10.232.0.0/20  IPV4_ONLY
privatesubnet-us     us-central1           privatenet     172.16.0.0/24  IPV4_ONLY
privatesubnet-notus  asia-south1           privatenet     172.20.0.0/20  IPV4_


Create the firewall rules
gcloud compute firewall-rules create managementnet-allow-icmp-ssh-rdp \
    --direction=INGRESS \
    --priority=1000 \
    --network=managementnet \
    --action=ALLOW \
    --rules=icmp,tcp:22,tcp:3389 \
    --source-ranges=0.0.0.0/0

gcloud compute firewall-rules create privatenet-allow-icmp-ssh-rdp --direction=INGRESS --priority=1000 --network=privatenet --action=ALLOW --rules=icmp,tcp:22,tcp:3389 --source-ranges=0.0.0.0/0

$ gcloud compute firewall-rules list --sort-by=NETWORK
NAME                              NETWORK        DIRECTION  PRIORITY  ALLOW                         DENY  DISABLED
default-allow-icmp                default        INGRESS    65534     icmp                                False
default-allow-internal            default        INGRESS    65534     tcp:0-65535,udp:0-65535,icmp        False
default-allow-rdp                 default        INGRESS    65534     tcp:3389                            False
default-allow-ssh                 default        INGRESS    65534     tcp:22                              False
managementnet-allow-icmp-ssh-rdp  managementnet  INGRESS    1000      icmp,tcp:22,tcp:3389                False
mynetwork-allow-icmp              mynetwork      INGRESS    1000      icmp                                False
mynetwork-allow-rdp               mynetwork      INGRESS    1000      tcp:3389                            False
mynetwork-allow-ssh               mynetwork      INGRESS    1000      tcp:22                              False
privatenet-allow-icmp-ssh-rdp     privatenet     INGRESS    1000      icmp,tcp:22,tcp:3389                False

To show all fields of the firewall, please show in JSON format: --format=json
To show all fields in table format, please see the examples in --help.


Task 2. Create VM instances

gcloud compute instances create managementnet-us-vm \
    --zone=us-central1-a \
    --machine-type=e2-medium \
    --subnet=managementsubnet-us

gcloud compute instances create privatenet-us-vm \
    --zone=us-central1-a \
    --machine-type=e2-medium \
    --subnet=privatesubnet-us

NXTGN@DESKTOP-E7NBI4Q MINGW64 ~
$ gcloud compute instances list --sort-by=ZONE
NAME                 ZONE           MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP      STATUS
mynet-notus-vm       asia-south1-b  e2-medium                  10.160.0.2   34.14.177.165    RUNNING
managementnet-us-vm  us-central1-a  e2-medium                  10.130.0.2   34.133.237.33    RUNNING
mynet-us-vm          us-central1-a  e2-medium                  10.128.0.2   104.198.182.133  RUNNING
privatenet-us-vm     us-central1-a  e2-medium                  172.16.0.2   34.122.226.9     RUNNING


Lab notes: connectivity tests from mynet-us-vm
Note: You can ping the external IP address of all VM instances, even though they are in either a different zone or VPC network. This confirms that public access to those instances is only controlled by the ICMP firewall rules that you established earlier.

Note: You can ping the internal IP address of mynet-notus-vm because it is on the same VPC network as the source of the ping (mynet-us-vm), even though both VM instances are in separate zones, regions, and continents!

To test connectivity to managementnet-us-vm's internal IP, run the following command, replacing managementnet-us-vm's internal IP:
ping -c 3 <Enter managementnet-us-vm's internal IP here>
Note: This should not work, as indicated by a 100% packet loss!
To test connectivity to privatenet-us-vm's internal IP, run the following command, replacing privatenet-us-vm's internal IP:
ping -c 3 <Enter privatenet-us-vm's internal IP here>
Note: This should not work either, as indicated by a 100% packet loss! You cannot ping the internal IP address of managementnet-us-vm and privatenet-us-vm because they are in separate VPC networks from the source of the ping (mynet-us-vm), even though they are all in the same zone.
VPC networks are isolated private networking domains by default: no internal IP address communication is allowed between networks unless you set up a mechanism such as VPC peering or VPN.


Create a VM instance with multiple network interfaces
gcloud compute instances create vm-appliance \
    --zone=us-central1-a \
    --machine-type=e2-standard-4 \
    --network-interface=subnet=privatesubnet-us \
    --network-interface=subnet=managementsubnet-us \
    --network-interface=subnet=mynetwork



## 🔹 Network Interfaces on `vm-appliance`
From your `sudo ifconfig` output:

- **ens4 → privatesubnet-us**
  - IP: `172.16.0.3`
  - Primary NIC (nic0), attached to `privatenet`.
  - Owns the **default route** → traffic to non-local subnets leaves via this interface.

- **ens5 → managementsubnet-us**
  - IP: `10.130.0.3`
  - Secondary NIC (nic1), attached to `managementnet`.
  - Directly connected to `10.130.0.0/20`.

- **ens6 → mynetwork**
  - IP: `10.128.0.3`
  - Secondary NIC (nic2), attached to `mynetwork`.
  - Directly connected to `10.128.0.0/20`.

- **lo → loopback**
  - IP: `127.0.0.1`
  - Standard local loopback interface.

---

## 🔹 Connectivity Validation
From inside `vm-appliance`:

```bash
# Works (same subnet via ens4)
ping -c 3 <INTERNAL_IP_of_privatenet-us-vm>
ping -c 3 privatenet-us-vm   # DNS resolves to nic0

# Works (direct route via ens5)
ping -c 3 <INTERNAL_IP_of_managementnet-us-vm>

# Works (direct route via ens6)
ping -c 3 <INTERNAL_IP_of_mynet-us-vm>

# Fails (no guest route for mynet-notus-vm's subnet; packets leave via default ens4 into privatenet)
ping -c 3 <INTERNAL_IP_of_mynet-notus-vm>
```

✅ Success: `privatenet-us-vm`, `managementnet-us-vm`, `mynet-us-vm`  
❌ Failure: `mynet-notus-vm` (because its subnet 10.132.0.0/20 isn’t in the routing table)

---

## 🔹 Routing Table Check
Run:
```bash
ip route
```

Expected entries:
- Default route → `172.16.0.1` via `ens4`  
- Direct routes for `10.130.0.0/20` (ens5) and `10.128.0.0/20` (ens6)  
- No route for `10.132.0.0/20` (mynet-notus-vm), so traffic leaves via default → fails.
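To make the behaviour behind both the connectivity validation in step 6 and this routing-table check concrete, here is a small Python model, added here and not part of the lab. It performs the guest's longest-prefix route lookup over the routes listed above, then checks whether the VPC behind the chosen NIC actually contains the destination subnet, which is why a packet to mynet-notus-vm (10.160.0.2 in mynetwork's asia-south1 subnet 10.160.0.0/20, per the instance and subnet listings earlier on the page) is lost via ens4. The VPC subnet lists are a subset of the page's `subnets list` output, and `ROUTES_WITH_POLICY` is an assumed policy route showing what steering that subnet out of ens6 would change.

```python
import ipaddress

# Guest routes as the lab's `ip route` on vm-appliance describes them (modelled as
# prefix -> exit interface; the default route leaves via nic0 / ens4).
GUEST_ROUTES = {
    "default": "ens4",
    "172.16.0.0/24": "ens4",   # privatesubnet-us
    "10.130.0.0/20": "ens5",   # managementsubnet-us
    "10.128.0.0/20": "ens6",   # mynetwork, us-central1
}
# Which VPC each NIC is attached to, and a subset of that VPC's subnets taken from
# the `gcloud compute networks subnets list` output earlier on the page.
NIC_VPC = {"ens4": "privatenet", "ens5": "managementnet", "ens6": "mynetwork"}
VPC_SUBNETS = {
    "privatenet":    ["172.16.0.0/24", "172.20.0.0/20"],
    "managementnet": ["10.130.0.0/20"],
    "mynetwork":     ["10.128.0.0/20", "10.160.0.0/20"],  # us-central1, asia-south1
}

def select_route(dst, routes=GUEST_ROUTES):
    """Longest-prefix match as the Linux guest does it; returns the exit NIC."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes.items():
        if prefix == "default":
            continue
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else routes["default"]

def reachable(dst, routes=GUEST_ROUTES):
    """(exit_nic, delivered). A VPC's system routes cover only its own subnets,
    so a packet that leaves through a NIC on the wrong VPC is dropped even
    though another NIC of the same VM sits on the right one."""
    nic = select_route(dst, routes)
    ip = ipaddress.ip_address(dst)
    in_vpc = any(ip in ipaddress.ip_network(s) for s in VPC_SUBNETS[NIC_VPC[nic]])
    return nic, in_vpc

# Assumed fix: a policy route sending mynetwork's asia-south1 subnet out of ens6,
# the kind of route an `ip route add` or policy-routing setup would install.
ROUTES_WITH_POLICY = {**GUEST_ROUTES, "10.160.0.0/20": "ens6"}

if __name__ == "__main__":
    targets = {"privatenet-us-vm": "172.16.0.2", "managementnet-us-vm": "10.130.0.2",
               "mynet-us-vm": "10.128.0.2", "mynet-notus-vm": "10.160.0.2"}
    for name, ip in targets.items():
        print(name, reachable(ip), "with policy route:", reachable(ip, ROUTES_WITH_POLICY))
```

The model also shows that privatesubnet-notus (172.20.0.0/20) is reachable through the default route, because it belongs to the same VPC as ens4.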

---

## 🔹 Key Takeaways
- **vm-appliance** is multi-homed: connected to three VPC networks simultaneously.  
- Each NIC has its own IP and subnet route.  
- Internal connectivity works only for directly attached subnets.  
- External IP connectivity works for all VMs (controlled by firewall rules).  
- `mynet-notus-vm` fails internally because its subnet isn’t in the routing table — you’d need **policy routing** or **VPC peering** to fix that.

