VPC firewall & private access
SA-targeted rules, hierarchical policies, no public IPs.
GCP networking gives you identity-aware firewalling and org-level firewall guardrails that go beyond simple IP rules. The goal, as everywhere, is default-closed: nothing reachable until you open the smallest necessary path.
Firewall rules by identity, guardrails by hierarchy
VPC firewall rules are stateful and can target instances by network tag or, better, by service account — and SA-based targeting is harder to abuse, because adding a network tag needs less privilege than changing an instance’s identity. Above per-VPC rules, hierarchical firewall policies let the org or a folder enforce rules that every project inherits and cannot override, such as denying SSH/RDP from the internet everywhere. Put internet-facing load balancers in front and keep workloads on internal IPs.
# Allow Postgres to the DB tier ONLY from the app tier's service account.gcloud compute firewall-rules create allow-app-to-db \--network=prod-vpc --direction=INGRESS --action=ALLOW --rules=tcp:5432 \--source-service-accounts=app@payments-prod.iam.gserviceaccount.com \--target-service-accounts=db@payments-prod.iam.gserviceaccount.com# Org-level hierarchical policy: deny inbound RDP from anywhere, everywhere.gcloud compute firewall-policies rules create 1000 \--firewall-policy=org-baseline --direction=INGRESS --action=deny \--layer4-configs=tcp:3389 --src-ip-ranges=0.0.0.0/0
Private access and controlled egress
Give VMs no external IPs and use Private Google Access so they still reach Google APIs over internal paths, Private Service Connect to reach managed and partner services privately, and Cloud NAT for controlled outbound without exposing instances to inbound. Shared VPC then lets a central network team own the security-critical topology while service projects merely attach — separating network administration from the teams deploying workloads.