terraform-gcp-vpc-network

Enterprise VPC Networking on Google Cloud

Google Cloud Platform Terraform Module

Executive Summary

This Terraform module creates and manages a complete VPC networking stack on Google Cloud Platform. It provisions custom VPC networks with configurable routing mode and MTU, subnets with secondary IP ranges (for GKE pods/services), Private Google Access, VPC Flow Logs, Cloud NAT with Cloud Router for outbound internet access, firewall rules with allow/deny and target tags or service accounts, Shared VPC host/service project configuration, private DNS zones, and VPC Access Connectors for serverless services. The module serves as the foundational networking layer for all other GCP infrastructure.

Overview

7 resource types: VPC, Subnets, Router, NAT, Firewall, DNS, Shared VPC, VPC Connector

2 routing modes: REGIONAL and GLOBAL

15 input variables: network, subnets, firewall, NAT, DNS, Shared VPC, tags

17 outputs: network, subnet, router, NAT, firewall and DNS IDs and self links

Architecture Diagram

Custom VPC Network (routing mode + MTU)
  |
  +-- Subnet 1 (primary CIDR) ... Subnet N (primary CIDR)  <-->  Secondary ranges (GKE pods/services)
  |
  +-- Private Google Access (per subnet)  |  VPC Flow Logs (5 s intervals)  |  VPC Connector (serverless access)
  |
  +-- Cloud Router (BGP ASN 64514)  -->  Cloud NAT (auto IP + port config)
  |
  +-- Firewall allow (protocol + ports) / Firewall deny (priority rules)  <-->  Target tags / service accounts
  |
  +-- Shared VPC host (service projects)  <-->  Private DNS (managed zones)

Component Breakdown

VPC Network (google_compute_network)

Custom-mode VPC with configurable auto-create subnetworks (default: false), routing mode (REGIONAL/GLOBAL, validated), MTU (1300-8896, validated), and optional deletion of the default 0.0.0.0/0 routes created with the network. With those routes gone no instance has an internet path until a route is added explicitly, which is also what lets the network enforce egress through Cloud NAT for tagged instances only.

Subnets (google_compute_subnetwork)

Created via for_each from a list of subnet objects. Each supports primary CIDR range, secondary IP ranges for GKE pods/services, Private Google Access per subnet, and VPC Flow Logs with 5-second intervals and 50% sampling.

Cloud NAT (google_compute_router_nat)

Cloud Router (BGP ASN 64514, a private ASN) paired with a Cloud NAT gateway. Configurable: IP allocation (AUTO_ONLY by default, which hands out ephemeral addresses; reserve static addresses and use MANUAL_ONLY when a third party must allowlist your egress IPs), source subnet ranges, min/max ports per VM, idle timeouts (UDP, ICMP, TCP established/transitory/time-wait), endpoint-independent mapping, and log config. Cloud NAT translates only traffic that follows a route whose next hop is the default internet gateway, so that route must exist even when the default routes are deleted.
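The network, subnet, router and NAT resources described above, written out as an added example with the security-relevant settings made explicit. This is illustrative code, not the module's own source: resource names, the region and the CIDRs are placeholders, and the project ID is assumed to come from the provider block.

```hcl
# Added example, not the module's own source. The project ID is assumed to
# come from the provider block; names, region and CIDRs are placeholders.

variable "routing_mode" {
  type    = string
  default = "GLOBAL"
  validation {
    condition     = contains(["REGIONAL", "GLOBAL"], var.routing_mode)
    error_message = "routing_mode must be REGIONAL or GLOBAL."
  }
}

variable "mtu" {
  type    = number
  default = 1460
  validation {
    condition     = var.mtu >= 1300 && var.mtu <= 8896
    error_message = "mtu must be between 1300 and 8896."
  }
}

resource "google_compute_network" "vpc" {
  name                            = "prod-vpc"
  auto_create_subnetworks         = false
  routing_mode                    = var.routing_mode
  mtu                             = var.mtu
  # Drop the 0.0.0.0/0 route GCP adds by default; nothing can reach the
  # internet until a route is added deliberately (see nat_egress below).
  delete_default_routes_on_create = true
}

resource "google_compute_subnetwork" "gke" {
  name                     = "gke-subnet"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true # Google APIs reachable without external IPs

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }

  log_config { # VPC Flow Logs: 5 s aggregation, 50 % sampling, all metadata
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Cloud NAT only translates traffic that follows a route whose next hop is
# the default internet gateway, so with the default route deleted one must
# be re-added. Scoping it to a tag leaves untagged instances with no egress.
resource "google_compute_route" "nat_egress" {
  name             = "nat-egress"
  network          = google_compute_network.vpc.name
  dest_range       = "0.0.0.0/0"
  next_hop_gateway = "default-internet-gateway"
  priority         = 1000
  tags             = ["nat-egress"]
}

resource "google_compute_router" "router" {
  name    = "prod-router"
  region  = "us-central1"
  network = google_compute_network.vpc.id
  bgp {
    asn = 64514 # private ASN; relevant once VPN/Interconnect peers attach
  }
}

resource "google_compute_router_nat" "nat" {
  name                               = "prod-nat"
  router                             = google_compute_router.router.name
  region                             = google_compute_router.router.region
  # AUTO_ONLY addresses are ephemeral; use MANUAL_ONLY plus reserved
  # addresses in nat_ips when a third party must allowlist your egress IPs.
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  min_ports_per_vm                   = 64
  tcp_established_idle_timeout_sec   = 1200
  tcp_transitory_idle_timeout_sec    = 30

  subnetwork {
    name                    = google_compute_subnetwork.gke.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"] # primary + pod/service ranges
  }

  log_config { # ERRORS_ONLY surfaces port exhaustion without logging every flow
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

The tag on the re-added route is the enforcement point: an instance without the `nat-egress` tag has no 0.0.0.0/0 route at all, so it cannot reach the internet even if a firewall rule would allow it. Flow logs and NAT error logs together give you both the per-connection record and the signal that a NAT gateway has run out of ports.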

Firewall Rules (google_compute_firewall)

Dynamic firewall rules with allow/deny blocks, direction (INGRESS/EGRESS), priority, source/destination ranges, target tags, and target service accounts. Supports multiple protocol/port combinations per rule. A rule targets either tags or service accounts, not both; prefer service accounts, since a network tag can be changed by anyone allowed to edit the instance while its service account identity is fixed at creation. The VPC's implied rules still allow all egress unless an explicit low-priority deny rule is added.
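An egress-deny-by-default posture built from the rule shapes described above, as an added example rather than code from the module. It assumes a network resource named google_compute_network.vpc already exists; the service account e-mail and the web ports are placeholders, and the load-balancer and private.googleapis.com ranges are Google's published values.

```hcl
# Added example, not the module's own source. Assumes google_compute_network.vpc
# exists; the service account address and ports are placeholders.

# Implied rules are allow-all egress and deny-all ingress. Replace the egress
# half with an explicit deny at the lowest priority, so every outbound flow
# must be permitted by a rule with a lower (higher-precedence) number.
resource "google_compute_firewall" "deny_all_egress" {
  name               = "deny-all-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 65000
  destination_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }

  log_config { # every denied flow becomes a log entry you can alert on
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Private Google Access with the private.googleapis.com VIP (199.36.153.8/30);
# only effective when DNS maps *.googleapis.com to that name.
resource "google_compute_firewall" "allow_private_googleapis" {
  name               = "allow-private-googleapis"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["199.36.153.8/30"]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Ingress keyed on the workload's service account rather than a network tag.
# A rule may target tags or service accounts but never both; tags can be
# rewritten by anyone holding compute.instances.setTags, the service account
# cannot be changed on a running instance.
resource "google_compute_firewall" "allow_lb_to_web" {
  name                    = "allow-lb-to-web"
  network                 = google_compute_network.vpc.name
  direction               = "INGRESS"
  priority                = 1000
  source_ranges           = ["35.191.0.0/16", "130.211.0.0/22"] # Google LB / health checks
  target_service_accounts = ["web@my-project-id.iam.gserviceaccount.com"]

  allow {
    protocol = "tcp"
    ports    = ["443", "8443"]
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Priority 65000 sits just above the implied rules (65535), so the explicit deny wins over the implied allow-egress but still loses to every normal rule in the 0-64999 range. Check the result with `gcloud compute firewall-rules list --filter="network=prod-vpc" --sort-by=priority` and confirm that nothing between the deny and the allows is broader than you expect.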

Shared VPC

Optional Shared VPC host project enablement via google_compute_shared_vpc_host_project with service project attachment via google_compute_shared_vpc_service_project.

Private DNS & VPC Connectors

Private DNS managed zones associated with the VPC for internal name resolution. VPC Access Connectors auto-created for subnets with secondary ranges, enabling serverless VPC access.
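The Shared VPC, private DNS and serverless connector pieces from this breakdown, as an added example that is not the module's code. It assumes google_compute_network.vpc and google_compute_subnetwork.gke exist in the host project; project IDs, the zone name, the workload service account and the connector CIDR are placeholders.

```hcl
# Added example, not the module's own source. Assumes google_compute_network.vpc
# and google_compute_subnetwork.gke exist in the host project; project IDs,
# zone name, service account and CIDR are placeholders.

resource "google_compute_shared_vpc_host_project" "host" {
  project = "host-project-id"
}

resource "google_compute_shared_vpc_service_project" "app" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = "app-project-id"
}

# Delegate per subnet rather than project-wide: the service project's
# workload identity may only place resources in this one subnet.
resource "google_compute_subnetwork_iam_member" "app_network_user" {
  project    = google_compute_shared_vpc_host_project.host.project
  region     = google_compute_subnetwork.gke.region
  subnetwork = google_compute_subnetwork.gke.name
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:app-workload@app-project-id.iam.gserviceaccount.com"
}

# Private zone: records resolve only from the networks listed here.
resource "google_dns_managed_zone" "internal" {
  name       = "internal-zone"
  dns_name   = "internal.example."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.vpc.id
    }
  }
}

# Steer Google API traffic to the private.googleapis.com VIP so Private
# Google Access never resolves to a public Google front end.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.vpc.id
    }
  }
}

resource "google_dns_record_set" "private_googleapis_a" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "private.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
}

resource "google_dns_record_set" "googleapis_wildcard" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["private.googleapis.com."]
}

# Serverless VPC Access connector; the /28 must be unused anywhere in the VPC.
# Cloud Run / Functions traffic through it is subject to the VPC firewall.
resource "google_vpc_access_connector" "serverless" {
  name          = "serverless-connector"
  region        = "us-central1"
  network       = google_compute_network.vpc.name
  ip_cidr_range = "10.8.0.0/28"
  min_instances = 2
  max_instances = 3
}
```

Granting `roles/compute.networkUser` on the subnet instead of on the host project is the least-privilege form of Shared VPC delegation: a compromised service project can only attach to the subnets it was explicitly given.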

Data Flow

Internet  <-->  Cloud NAT  <-->  VPC Network
                                    |
                     Firewall rules filter  -->  Subnets (primary CIDRs)  -->  VM / GKE / Serverless
                                    |
                     Private Google Access  -->  Google APIs  <-->  Private DNS resolution
                                    |
                     Shared VPC host  -->  Service projects  -->  Shared subnets

Security Controls

Control | Implementation | Details
Network segmentation | Custom subnets with explicit CIDRs | auto_create_subnetworks = false; every range is allocated deliberately
Firewall rules | Allow/deny with priority ordering | Targeted by network tags or service accounts (one or the other per rule); implied rules still allow all egress unless a low-priority deny is added
Private access | Private Google Access per subnet | Google APIs reachable from instances without external IPs
Flow logging | VPC Flow Logs | 5-second aggregation, 50% sampling, all metadata
NAT security | Cloud NAT for outbound only | Unsolicited inbound is never translated; ports per VM and idle timeouts are configurable; AUTO_ONLY addresses are ephemeral
Default route control | Optional default route deletion | Removes the 0.0.0.0/0 routes at creation; outbound then needs an explicit route, and Cloud NAT itself depends on a route to the default internet gateway
MTU validation | Range validation 1300-8896 | Terraform validation block
Routing mode validation | REGIONAL or GLOBAL only | Terraform validation block

Industry Adaptation

GKE Clusters

Subnets with secondary ranges for pods/services. Cloud NAT for node egress. Private Google Access for container pulls.

Multi-Project Org

Shared VPC host with service project attachment. Centralized network management with delegated access.

Serverless Apps

VPC Access Connectors auto-created for subnets. Cloud Functions/Run connect to VPC resources securely.

Hybrid Cloud

Global routing mode for cross-region connectivity. Private DNS zones for on-prem integration. Firewall rules for VPN traffic.

Production Readiness Checklist

Configuration Reference

Variable | Type | Default | Description
project_id | string | required | GCP project ID
network_name | string | required | VPC network name
routing_mode | string | GLOBAL | REGIONAL or GLOBAL (validated)
mtu | number | 1460 | MTU 1300-8896 (validated)
subnets | list(object) | [] | Subnet configs with secondary ranges
firewall_rules | list(object) | [] | Firewall allow/deny rules
enable_cloud_nat | bool | true | Enable Cloud NAT
cloud_nat_config | object | {} | NAT IP, ports, timeouts, logging
enable_shared_vpc_host | bool | false | Enable Shared VPC host
private_dns_zones | list(object) | [] | Private DNS managed zones

Deployment

terraform init
terraform plan -out=tfplan
terraform apply tfplan

# Verify network
gcloud compute networks describe $(terraform output -raw network_name) \
  --project=YOUR_PROJECT_ID

# List subnets
gcloud compute networks subnets list \
  --network=$(terraform output -raw network_name) \
  --project=YOUR_PROJECT_ID

Links

VPC Documentation | Cloud NAT Documentation | Terraform Registry | GitHub Repository | Shared VPC