VPC Networking for AI (Intermediate)

Virtual Private Cloud (VPC) networking provides the isolated, secure network foundation for AI workloads on GCP. This lesson covers VPC design, subnet configuration, Private Google Access, firewall rules, and VPC Service Controls for data exfiltration prevention.

VPC Design for AI Projects

Create a custom-mode VPC with purpose-specific subnets:

Bash
# Create custom VPC
gcloud compute networks create vpc-ai-platform \
  --subnet-mode=custom

# Training subnet with large CIDR for GPU clusters
gcloud compute networks subnets create subnet-training \
  --network=vpc-ai-platform \
  --region=us-central1 \
  --range=10.0.0.0/20 \
  --enable-private-ip-google-access

# Inference subnet
gcloud compute networks subnets create subnet-inference \
  --network=vpc-ai-platform \
  --region=us-central1 \
  --range=10.0.16.0/24 \
  --enable-private-ip-google-access

Private Google Access

Enable Private Google Access on subnets so GPU VMs without external IPs can reach Google APIs (Cloud Storage, Vertex AI, Container Registry and Artifact Registry):

  • VMs with only internal IPs can access *.googleapis.com
  • Training data stays on Google's network instead of crossing the public internet
  • No Cloud NAT gateway needed for API access

Private Google Access is a per-subnet setting (the --enable-private-ip-google-access flag above). It applies only to VMs that have no external IP, and it needs a route to the default internet gateway for the Google API address ranges (the default 0.0.0.0/0 route satisfies this) plus an egress firewall rule that permits the traffic (the implied allow-egress rule covers it unless you have added a deny). It does not limit which projects a VM can talk to: a VM with Private Google Access can still write to any bucket its service account is authorized for, which is why VPC Service Controls is covered below.
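
The following script is an added example, not part of the lesson: it audits an exported subnet plan the way a reviewer would before the GPU clusters land, checking that ranges fit the VPC's address plan, that none overlap, and that Private Google Access is on. The input shape is the JSON printed by `gcloud compute networks subnets list --network=vpc-ai-platform --format=json` (trimmed to the fields used); the sample data is constructed inline, and the 10.0.0.0/16 supernet and the subnet-notebooks entry are assumptions for illustration.

```python
"""Audit a subnet plan exported from gcloud (added example, not lesson code)."""
import ipaddress
import json

# Constructed sample: the lesson's two subnets plus a hypothetical
# subnet-notebooks that both overlaps the training range and lacks
# Private Google Access.
SUBNETS_JSON = """
[
  {"name": "subnet-training",  "region": "us-central1",
   "ipCidrRange": "10.0.0.0/20",  "privateIpGoogleAccess": true},
  {"name": "subnet-inference", "region": "us-central1",
   "ipCidrRange": "10.0.16.0/24", "privateIpGoogleAccess": true},
  {"name": "subnet-notebooks", "region": "us-central1",
   "ipCidrRange": "10.0.8.0/22",  "privateIpGoogleAccess": false}
]
"""

# Assumed address plan for the whole VPC; every subnet must sit inside it.
PLANNED_SUPERNET = "10.0.0.0/16"
# GCP reserves four addresses in each primary range (network, gateway,
# second-to-last, broadcast); they are never assigned to VMs.
GCP_RESERVED_PER_SUBNET = 4


def usable_hosts(cidr: str) -> int:
    """Number of addresses a subnet can actually hand out to VMs."""
    return ipaddress.ip_network(cidr).num_addresses - GCP_RESERVED_PER_SUBNET


def audit_subnets(subnets_json: str, supernet: str = PLANNED_SUPERNET) -> list:
    """Return human-readable findings; an empty list means the plan is clean."""
    plan = ipaddress.ip_network(supernet)
    subnets = json.loads(subnets_json)
    nets = [(s["name"], ipaddress.ip_network(s["ipCidrRange"])) for s in subnets]
    findings = []
    for s, (name, net) in zip(subnets, nets):
        if not net.subnet_of(plan):
            findings.append(f"{name}: {net} lies outside the planned range {plan}")
        if not s.get("privateIpGoogleAccess", False):
            findings.append(f"{name}: Private Google Access is off; internal-only "
                            "VMs in this subnet cannot reach *.googleapis.com")
    # Overlap check: GCP rejects overlapping primary ranges inside one VPC,
    # but a plan drawn up on paper, or spread across peered VPCs, can collide.
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return findings


if __name__ == "__main__":
    for s in json.loads(SUBNETS_JSON):
        print(f"{s['name']:<17} {s['ipCidrRange']:<14} usable VMs: {usable_hosts(s['ipCidrRange'])}")
    for finding in audit_subnets(SUBNETS_JSON):
        print("FINDING:", finding)
```

Run it against real output by piping the gcloud JSON into `audit_subnets`; the capacity figure matters for training subnets because each GPU node, plus any alias ranges for GKE pods, consumes addresses from the same primary range.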

Firewall Rules

Bash
# Allow internal communication for distributed training
gcloud compute firewall-rules create allow-internal-training \
  --network=vpc-ai-platform \
  --allow=tcp,udp,icmp \
  --source-ranges=10.0.0.0/20 \
  --target-tags=training-node

# Allow SSH via IAP for secure access
gcloud compute firewall-rules create allow-iap-ssh \
  --network=vpc-ai-platform \
  --allow=tcp:22 \
  --source-ranges=35.235.240.0/20 \
  --target-tags=allow-ssh
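
The audit below is an added example and not code from the lesson. It reads the JSON that `gcloud compute firewall-rules list --filter='network:vpc-ai-platform' --format=json` prints (trimmed to the fields used here) and flags the mistakes that undo the two rules above: SSH or RDP reachable from anywhere instead of only from Google's IAP TCP-forwarding range, ingress from arbitrary internet ranges, and rules with no target tag or service account, which apply to every VM in the network. The 10.0.0.0/16 address plan and the rules other than the two from the lesson are constructed assumptions.

```python
"""Audit ingress firewall rules on the AI VPC (added example, not lesson code)."""
import ipaddress
import json

# Source ranges that are expected to reach VMs from outside the VPC:
# IAP TCP forwarding and the Google load-balancer health checkers.
IAP_TCP_FORWARDING = ipaddress.ip_network("35.235.240.0/20")
GOOGLE_HEALTH_CHECKS = [ipaddress.ip_network("130.211.0.0/22"),
                        ipaddress.ip_network("35.191.0.0/16")]
TRUSTED_EXTERNAL = [IAP_TCP_FORWARDING, *GOOGLE_HEALTH_CHECKS]
# Assumed address plan of vpc-ai-platform.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/16")]
ADMIN_PORTS = ("22", "3389")

# Constructed sample: the lesson's two rules plus hypothetical rules that an
# audit should flag (or skip, in the disabled case).
RULES_JSON = """
[
  {"name": "allow-internal-training", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["10.0.0.0/20"], "targetTags": ["training-node"],
   "allowed": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}, {"IPProtocol": "icmp"}]},
  {"name": "allow-iap-ssh", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["35.235.240.0/20"], "targetTags": ["allow-ssh"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-lb-health-checks", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "targetTags": ["inference-node"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-jupyter-office", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["203.0.113.0/24"], "targetTags": ["training-node"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["8888-8890"]}]},
  {"name": "legacy-rdp", "direction": "INGRESS", "priority": 1000, "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["windows"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}
]
"""


def port_open(ports, wanted: str) -> bool:
    """True if `wanted` falls in a gcloud ports list; entries are single
    ports or 'lo-hi' ranges, and no list at all means every port."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= int(wanted) <= int(hi or lo):
            return True
    return False


def is_trusted_source(net) -> bool:
    """Inside the VPC plan, or one of Google's own IAP/health-check ranges."""
    return any(net.version == r.version and net.subnet_of(r)
               for r in INTERNAL_RANGES + TRUSTED_EXTERNAL)


def audit_firewall(rules_json: str) -> list:
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue  # egress and disabled rules are out of scope here
        name = rule["name"]
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append(f"{name}: no target tag or service account, so it "
                            "applies to every VM in the network")
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src)
            if is_trusted_source(net):
                continue
            for entry in rule.get("allowed", []):
                proto, ports = entry["IPProtocol"], entry.get("ports", [])
                shown = f"{proto}:{','.join(ports) if ports else 'all'}"
                if proto in ("tcp", "all") and any(port_open(ports, p) for p in ADMIN_PORTS):
                    findings.append(f"{name}: admin port {shown} reachable from {src}; "
                                    "use IAP TCP forwarding (35.235.240.0/20) instead")
                else:
                    findings.append(f"{name}: {shown} reachable from {src}, outside "
                                    "the VPC and Google's IAP/health-check ranges")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(RULES_JSON):
        print("FINDING:", finding)
```

The audit deliberately treats a source range wider than the VPC plan (for example 10.0.0.0/8 on a VPC that only uses 10.0.0.0/16) as external, since peered or on-premises networks in that space would otherwise get silent access to the training nodes.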

VPC Service Controls

Create a service perimeter to prevent data exfiltration from AI projects:

  • Restrict which projects can access Cloud Storage buckets containing training data
  • Prevent copying data to unauthorized projects
  • Control access to Vertex AI, BigQuery, and other data services
  • Define access levels based on identity, device, and network

Best Practice: Use VPC Service Controls together with Private Google Access for an isolated AI environment. The perimeter restricts calls to the listed services so that they can only reach resources inside it, which blocks the usual exfiltration path of copying training data to a bucket in an attacker-controlled project; Private Google Access keeps those API calls on Google's network. For the isolation to hold, the VMs must have no external IPs and no Cloud NAT or other internet egress, and *.googleapis.com in the VPC's Cloud DNS should resolve to restricted.googleapis.com (199.36.153.4/30), which only serves APIs that support VPC Service Controls. Otherwise an API the perimeter does not cover, or a direct internet connection, remains a way out.
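
The check below is an added example, not lesson code, for verifying that a perimeter actually covers the AI projects and services it is meant to. It reads the JSON from `gcloud access-context-manager perimeters describe NAME --policy=POLICY --format=json` (only the fields used here), reports projects and services missing from the perimeter, and builds the `gcloud ... perimeters update` command that closes the gap using the real `--add-resources` and `--add-restricted-services` flags. The policy number, project numbers, perimeter name and sample perimeter status are constructed placeholders.

```python
"""Check a VPC Service Controls perimeter for gaps (added example, not lesson code)."""
import json

POLICY_ID = "123456789012"      # assumed access policy number
PERIMETER = "ai_platform"       # assumed perimeter name
# Projects that hold training data, notebooks or models (assumed numbers;
# perimeters reference projects by number, not ID).
AI_PROJECT_NUMBERS = ["111111111111", "222222222222"]
# Services the lesson says must be inside the perimeter.
REQUIRED_SERVICES = ["storage.googleapis.com", "aiplatform.googleapis.com",
                     "bigquery.googleapis.com"]

# Constructed sample: the perimeter covers one project, restricts two services,
# has no access level and leaves VPC accessible services unrestricted.
PERIMETER_JSON = """
{
  "name": "accessPolicies/123456789012/servicePerimeters/ai_platform",
  "title": "ai_platform",
  "perimeterType": "PERIMETER_TYPE_REGULAR",
  "status": {
    "resources": ["projects/111111111111"],
    "restrictedServices": ["storage.googleapis.com", "aiplatform.googleapis.com"],
    "accessLevels": [],
    "vpcAccessibleServices": {"enableRestriction": false, "allowedServices": []}
  }
}
"""


def check_perimeter(perimeter_json: str, projects=AI_PROJECT_NUMBERS,
                    services=REQUIRED_SERVICES):
    """Return (missing_projects, missing_services, warnings)."""
    perimeter = json.loads(perimeter_json)
    status = perimeter.get("status", {})
    inside = set(status.get("resources", []))
    restricted = set(status.get("restrictedServices", []))
    missing_projects = [p for p in projects if f"projects/{p}" not in inside]
    missing_services = [s for s in services if s not in restricted]
    warnings = []
    if perimeter.get("perimeterType") == "PERIMETER_TYPE_BRIDGE":
        warnings.append("bridge perimeters only connect regular perimeters; "
                        "they restrict nothing on their own")
    if not status.get("vpcAccessibleServices", {}).get("enableRestriction"):
        warnings.append("VPC accessible services not enabled: VMs inside the perimeter "
                        "can still call any API the perimeter does not restrict")
    if not status.get("accessLevels"):
        warnings.append("no access levels: requests from outside the perimeter, such as "
                        "the console from an admin laptop, are denied; add an access "
                        "level if that is not the intent")
    return missing_projects, missing_services, warnings


def remediation_command(missing_projects, missing_services,
                        policy=POLICY_ID, perimeter=PERIMETER) -> str:
    """gcloud update that adds the missing projects and services; '' if none."""
    parts = [f"gcloud access-context-manager perimeters update {perimeter}",
             f"--policy={policy}"]
    if missing_projects:
        parts.append("--add-resources=" + ",".join(f"projects/{p}" for p in missing_projects))
    if missing_services:
        parts.append("--add-restricted-services=" + ",".join(missing_services))
    if len(parts) == 2:
        return ""
    return " \\\n  ".join(parts)


if __name__ == "__main__":
    missing_projects, missing_services, warnings = check_perimeter(PERIMETER_JSON)
    print("missing projects:", missing_projects)
    print("missing services:", missing_services)
    for w in warnings:
        print("WARNING:", w)
    print(remediation_command(missing_projects, missing_services))
```

Apply the generated command with `perimeters dry-run update` first and review the audit logs for denied calls before enforcing; a service added to the restricted list cuts off every caller outside the perimeter, including pipelines in projects you forgot to include.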