Welcome to the fourth lesson of GCP Security and Networking Fundamentals! In the previous lesson, you learned how to create Virtual Private Cloud (VPC) networks and subnets in Google Cloud, building isolated network environments for your resources. Creating a subnet does not by itself make the resources in it reachable from the public internet: that takes a route to the internet gateway, an external IP address on the resource, and firewall rules that permit the traffic. In this lesson, you'll learn how to enable internet connectivity for your GCP VPC networks by configuring routes that direct traffic to the internet and by assigning external IP addresses to your resources. You'll also see how to use firewall rules to control access, ensuring your network remains secure while allowing only the connectivity you need. By the end of this lesson, you'll understand how GCP resources connect to the internet and how to manage public and private network segments within your VPC.
Unlike some other cloud providers, Google Cloud does not require you to explicitly create or attach an internet gateway resource to your VPC. Instead, every GCP VPC network has a built-in, highly available, and managed internet gateway that is always present. Internet connectivity in GCP is controlled by the presence of specific routes in your VPC's global routing table. These routes determine whether traffic destined for the public internet (i.e., addresses outside your VPC's IP ranges) is forwarded to the internet gateway. The key to enabling internet access is to ensure that your VPC has a route with a destination of 0.0.0.0/0 (all IPv4 addresses) that targets the default-internet-gateway. This, combined with assigning external IP addresses to your resources and configuring firewall rules, allows your VMs and other services to communicate with the internet securely.
In Google Cloud, each VPC network has a single, global routing table that applies to all subnets within the network, regardless of region. Routing decisions are therefore made at the VPC level, not per subnet: every subnet uses this table, and you cannot associate different route tables with individual subnets. GCP populates the table with system-generated routes: a subnet route for each subnet's IP range, added automatically as subnets are created, and a default route (destination 0.0.0.0/0, next hop default-internet-gateway, priority 1000) created together with every new VPC network, whether it uses auto or custom subnet mode. That default route is what gives a network internet access. It can be deleted to keep a network private, and if it has been deleted (or you want a differently scoped one) you add a 0.0.0.0/0 route to the gateway yourself. You can add, remove, or modify custom routes in the VPC's routing table to control how traffic flows to and from your resources; subnet routes only disappear when their subnet is deleted.
Each route also has a priority, which GCP uses to choose between routes when more than one matches a destination. Priorities range from 0 to 65535, and lower numbers mean higher priority. Specificity comes first: the route with the longest matching prefix wins regardless of priority, and only among routes of equal specificity does the lower priority value win. For most custom internet routes, a priority of 1000 (the same value the system-generated default route uses) is a sensible default and usually does not need to be changed. You would typically change it only when you want one route to take precedence over another matching route, for example a second 0.0.0.0/0 route at priority 900 that steers traffic through a network appliance instead of the gateway.
To enable internet connectivity for your VPC, you need to ensure there is a route that directs outbound traffic not matched by a more specific route (destination 0.0.0.0/0) to the internet gateway. In GCP, this is done by creating a route with the next hop set to default-internet-gateway. You can manage routes using the Google API Python client (googleapiclient.discovery) or via the gcloud CLI. Below is an example of how to create a custom route using Python:
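The following is an added example written for this edit, not the lesson's own listing: it builds the Route resource as a plain dict (so the body can be inspected or tested without a project), inserts it with the Compute Engine discovery client, and waits for the global operation to finish. The project and network names are placeholders; the `google-api-python-client` package and Application Default Credentials are assumed for the live call.

```python
# Added example (not the lesson's own code): create a 0.0.0.0/0 route whose next
# hop is the always-present default-internet-gateway using the discovery client.
# "my-project" and "lesson-vpc" are placeholders.


def internet_route_body(project, network, route_name="internet-route", priority=1000):
    """Build the Route resource body without calling the API.

    `network` may be a bare name or a full self link. The next hop is the
    project's built-in gateway, which never has to be created.
    """
    if not 0 <= priority <= 65535:
        raise ValueError("route priority must be between 0 and 65535")
    network_url = network if "/" in network else f"projects/{project}/global/networks/{network}"
    return {
        "name": route_name,
        "network": network_url,
        "destRange": "0.0.0.0/0",   # every IPv4 destination not matched by a more specific route
        "nextHopGateway": f"projects/{project}/global/gateways/default-internet-gateway",
        "priority": priority,       # 1000 is the usual default; lower wins among equally specific routes
        "description": "Default route to the internet",
    }


def wait_for_global_operation(compute, project, operation):
    """Block until a global operation completes and surface any error it carries."""
    result = compute.globalOperations().wait(project=project, operation=operation["name"]).execute()
    if result.get("error"):
        raise RuntimeError(f"operation {operation['name']} failed: {result['error']}")
    return result


def add_internet_route(compute, project, network, route_name="internet-route", priority=1000):
    """Insert the route and return the created Route resource as the API reports it."""
    body = internet_route_body(project, network, route_name, priority)
    operation = compute.routes().insert(project=project, body=body).execute()
    wait_for_global_operation(compute, project, operation)
    return compute.routes().get(project=project, route=route_name).execute()


if __name__ == "__main__":
    # Requires `pip install google-api-python-client` and Application Default Credentials.
    from googleapiclient import discovery

    compute = discovery.build("compute", "v1")
    route = add_internet_route(compute, "my-project", "lesson-vpc")  # placeholder names
    print(route["name"], route["destRange"], "->", route["nextHopGateway"])
```

A freshly created VPC normally already has a system-generated route like this, so in practice you call `add_internet_route` after that default route has been deleted, or when you want a second 0.0.0.0/0 route with a different priority.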
This function creates a route in the specified VPC network that sends all outbound traffic to the internet. The nextHopGateway field must reference the default-internet-gateway, which is a special, always-available resource in GCP.
We'll use the add_internet_route function from the previous section throughout this lesson. The most important fields in the route are:
- destRange: '0.0.0.0/0' means the route applies to all IPv4 destinations not matched by a more specific route
- nextHopGateway points traffic to GCP's built-in internet gateway (default-internet-gateway)
- priority: 1000 sets the route's precedence if another route with the same destination specificity also matches
In most beginner and standard setups, you can leave the priority at 1000. You would only lower or raise it if you intentionally need this route to win or lose against another equally specific route.
This route applies to every subnet in the VPC, because routes belong to the network rather than to a subnet, so any instance in the network can send traffic to the internet once the other requirements (external IP, firewall rules) are met. Note that the route only carries traffic from instances that have an external IP address; instances with only internal addresses need Cloud NAT for outbound internet access (or Private Google Access if they only need to reach Google APIs).
For a VM or other resource in a GCP subnet to be reachable from the internet, the following conditions must be met:
- Internet Route Exists: The VPC network must have a route with destination 0.0.0.0/0 and next hop set to the default-internet-gateway.
- External IP Address: The VM instance (or other resource) must have an external (public) IP address assigned. This can be done at creation time or by assigning a static external IP later.
- Firewall Rules Allow Traffic: The VPC's firewall rules must allow ingress from the internet to the required ports (for example TCP 22 for SSH, TCP 80/443 for web servers). Every VPC network has an implied deny-all ingress rule and an implied allow-all egress rule, both at the lowest priority (65535); the default network additionally ships with pre-populated rules such as default-allow-ssh and default-allow-internal, but a custom network has none, so nothing reaches your VMs until you explicitly allow it. When you do, scope sourceRanges to the addresses that actually need access rather than 0.0.0.0/0, especially for administrative ports like SSH and RDP.
If any one of these conditions is unmet, the resource is not reachable from the public internet; a correct route on its own is not enough.
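To make the three prerequisites concrete, here is an added example (not from the lesson) that evaluates them for a VM against resource dicts shaped like the Compute API's `instances.get`, `routes.list` and `firewalls.list` responses. The sample resources are constructed for the example and all names and addresses are placeholders. The firewall part applies GCP's ingress semantics: the lowest priority number wins, deny beats allow at equal priority, and with no matching rule the implied deny-all ingress rule applies.

```python
import ipaddress

# Constructed sample resources (placeholder project, names and addresses), shaped
# like the Compute API's instances, routes and firewalls responses.
NET = "https://www.googleapis.com/compute/v1/projects/demo/global/networks/lesson-vpc"
GATEWAY = "https://www.googleapis.com/compute/v1/projects/demo/global/gateways/default-internet-gateway"
SAMPLE_ROUTES = [
    {"name": "default-route-internet", "network": NET, "destRange": "0.0.0.0/0",
     "priority": 1000, "nextHopGateway": GATEWAY},
]
SAMPLE_FIREWALLS = [
    {"name": "allow-http-web", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-ssh-office", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "deny-ssh-world", "network": NET, "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
WEB_VM = {"name": "web-1", "tags": {"items": ["web"]},
          "networkInterfaces": [{"network": NET, "networkIP": "10.10.0.2",
                                 "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "34.0.0.10"}]}]}
PRIVATE_VM = {"name": "db-1", "networkInterfaces": [{"network": NET, "networkIP": "10.10.0.3"}]}


def _in_network(url, network):
    return url.rsplit("/", 1)[-1] == network


def has_internet_route(routes, network):
    """True if the network has a 0.0.0.0/0 route whose next hop is the built-in gateway."""
    return any(_in_network(r["network"], network) and r.get("destRange") == "0.0.0.0/0"
               and r.get("nextHopGateway", "").endswith("/default-internet-gateway") for r in routes)


def external_ip(instance):
    """The instance's external (NAT) address, or None if it only has an internal IP."""
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                return cfg["natIP"]
    return None


def _port_listed(port_specs, port):
    for spec in port_specs:                 # "22" or "8000-8080"
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _ingress_rule_matches(rule, network, src_ip, proto, port, tags):
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if not _in_network(rule["network"], network):
        return False
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(cidr) for cidr in rule.get("sourceRanges", [])):
        return False                        # rules keyed only on sourceTags never match an internet client
    if rule.get("targetTags") and not set(rule["targetTags"]) & set(tags):
        return False                        # no targetTags means the rule applies to every instance
    for spec in rule.get("allowed", []) + rule.get("denied", []):
        if spec["IPProtocol"] in ("all", proto) and (not spec.get("ports") or _port_listed(spec["ports"], port)):
            return True
    return False


def ingress_allowed(firewalls, network, src_ip, proto, port, tags):
    """Lowest priority number wins; at a tie, deny beats allow; no match means the
    implied deny-all ingress rule (priority 65535) applies."""
    matching = [r for r in firewalls if _ingress_rule_matches(r, network, src_ip, proto, port, tags)]
    if not matching:
        return False
    best = min(r.get("priority", 1000) for r in matching)
    return not any("denied" in r for r in matching if r.get("priority", 1000) == best)


def reachability_problems(instance, routes, firewalls, src_ip, proto="tcp", port=22):
    """List the unmet prerequisites for src_ip reaching the instance; empty means reachable."""
    network = instance["networkInterfaces"][0]["network"].rsplit("/", 1)[-1]
    tags = instance.get("tags", {}).get("items", [])
    problems = []
    if not has_internet_route(routes, network):
        problems.append(f"no 0.0.0.0/0 route to default-internet-gateway in {network}")
    if external_ip(instance) is None:
        problems.append("no external IP address on the instance")
    if not ingress_allowed(firewalls, network, src_ip, proto, port, tags):
        problems.append(f"firewall denies ingress {proto}/{port} from {src_ip}")
    return problems


if __name__ == "__main__":
    checks = ((WEB_VM, "198.51.100.7", 80), (WEB_VM, "203.0.113.9", 22), (PRIVATE_VM, "198.51.100.7", 80))
    for vm, ip, port in checks:
        print(vm["name"], port, reachability_problems(vm, SAMPLE_ROUTES, SAMPLE_FIREWALLS, ip, port=port) or "reachable")
```

Note how the sample plays out: web-1 is reachable on port 80 from anywhere, but SSH from the office range is still refused because the priority-900 deny rule outranks the priority-1000 allow, and db-1 fails on two counts at once (no external IP, and no rule targets an untagged instance).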
To verify your VPC's routing configuration, you can list all routes in the network and inspect their properties. Here's how to do this using the discovery client:
This function retrieves all routes in the project and filters them to show only those associated with your VPC network. You can use this information to confirm that the internet route is present and to audit other custom or default routes.
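The block below is an added example written for this edit, not the lesson's own listing. It lists a project's routes with the discovery client (following page tokens), keeps the ones on a given network, and checks for a working internet route. It goes one step beyond the text by also resolving which route GCP would apply to a destination using the rule from the priority section (longest prefix first, then lowest priority value), which is what tells you whether a second 0.0.0.0/0 route is quietly shadowing the gateway route. The route list is constructed to look like `routes().list()` output; project, network and route names are placeholders.

```python
import ipaddress

# Constructed sample, shaped like the items of a routes().list() response
# (placeholder project and names). lesson-vpc has two 0.0.0.0/0 routes so the
# priority tie-break is visible; the other-vpc route must be ignored.
BASE = "https://www.googleapis.com/compute/v1/projects/demo"
SAMPLE_ROUTES = [
    {"name": "default-route-subnet", "network": f"{BASE}/global/networks/lesson-vpc",
     "destRange": "10.10.0.0/24", "priority": 0, "nextHopNetwork": f"{BASE}/global/networks/lesson-vpc"},
    {"name": "default-route-internet", "network": f"{BASE}/global/networks/lesson-vpc",
     "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": f"{BASE}/global/gateways/default-internet-gateway"},
    {"name": "egress-via-appliance", "network": f"{BASE}/global/networks/lesson-vpc",
     "destRange": "0.0.0.0/0", "priority": 900,
     "nextHopInstance": f"{BASE}/zones/us-central1-a/instances/fw-appliance"},
    {"name": "default-route-other", "network": f"{BASE}/global/networks/other-vpc",
     "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": f"{BASE}/global/gateways/default-internet-gateway"},
]


def list_routes(compute, project):
    """Fetch every route in the project with the discovery client, following page tokens."""
    routes, request = [], compute.routes().list(project=project)
    while request is not None:
        response = request.execute()
        routes.extend(response.get("items", []))
        request = compute.routes().list_next(previous_request=request, previous_response=response)
    return routes


def routes_in_network(routes, network):
    """Routes attached to the named VPC (the network field is a self link)."""
    return [r for r in routes if r["network"].rsplit("/", 1)[-1] == network]


def internet_routes(routes, network):
    """Only 0.0.0.0/0 routes whose next hop is the built-in gateway count; a default
    route to an instance, VPN tunnel or ILB is a different thing."""
    return [r for r in routes_in_network(routes, network)
            if r.get("destRange") == "0.0.0.0/0"
            and r.get("nextHopGateway", "").endswith("/default-internet-gateway")]


def select_route(routes, network, dest_ip):
    """The route GCP applies to dest_ip: longest prefix first, then lowest priority value."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes_in_network(routes, network)
                  if addr in ipaddress.ip_network(r["destRange"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r["destRange"]).prefixlen,
                                          -r.get("priority", 1000)))


def audit_internet_access(routes, network, probe_ip="8.8.8.8"):
    """'missing' (no gateway route), 'ok', or 'shadowed by <route>' when a more
    specific or higher-priority route captures internet-bound traffic instead."""
    gateway_routes = internet_routes(routes, network)
    if not gateway_routes:
        return "missing"
    chosen = select_route(routes, network, probe_ip)
    return "ok" if chosen in gateway_routes else f"shadowed by {chosen['name']}"


if __name__ == "__main__":
    for dest in ("10.10.0.7", "8.8.8.8"):
        print(dest, "->", select_route(SAMPLE_ROUTES, "lesson-vpc", dest)["name"])
    print("internet access:", audit_internet_access(SAMPLE_ROUTES, "lesson-vpc"))
    # Against a real project (needs google-api-python-client and Application Default Credentials):
    # from googleapiclient import discovery
    # print(audit_internet_access(list_routes(discovery.build("compute", "v1"), "my-project"), "lesson-vpc"))
```

On the sample data the audit reports the gateway route as shadowed: the priority-900 route to the appliance wins the tie for 8.8.8.8, which may be exactly what you intended, but it is the kind of thing a plain "is there a 0.0.0.0/0 route?" check would not tell you.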
Let's walk through the complete process of enabling internet connectivity for a GCP VPC network and subnet using the discovery client:
This script demonstrates the creation of a VPC network and subnet, the addition of an internet route, and the inspection of the resulting routing configuration. To make a VM publicly accessible, you would also create a VM instance in the subnet, assign it an external IP, and set up appropriate firewall rules.
To avoid unnecessary charges and keep your GCP environment tidy, you should delete resources when you're done experimenting. The order of deletion matters due to dependencies:
Delete the route first, then the subnet, then the network: a network that still has subnets or custom routes attached cannot be deleted. Any VM instances using the subnet must be deleted before the subnet, and firewall rules that reference the network before the network. Attempting to delete resources out of order results in a dependency error (resourceInUseByAnotherResource) from the API.
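Because the walk-through script and the cleanup script are two halves of one procedure, here is one added example (not the lesson's own scripts) covering both: it creates a custom-mode VPC, one subnet and, only if the network lacks one, a 0.0.0.0/0 route to default-internet-gateway; lists the resulting routes; and then tears everything down in dependency order. Project, region and CIDR values are placeholders. The `_Recorder` class is a stand-in for the discovery client that records each call instead of making it, so the call sequence can be exercised without a Google Cloud project; the real client is used in the `__main__` block.

```python
# Added walk-through (not the lesson's own script). Placeholders: "my-project",
# "us-central1", 10.10.0.0/24. Requires google-api-python-client and Application
# Default Credentials for the live run; the dry run below needs neither.


def wait(compute, project, op):
    """Block on a global or regional operation and raise if it reports an error."""
    if op.get("region"):                                  # regional ops carry a region URL
        region = op["region"].rsplit("/", 1)[-1]
        done = compute.regionOperations().wait(project=project, region=region, operation=op["name"]).execute()
    else:
        done = compute.globalOperations().wait(project=project, operation=op["name"]).execute()
    if done.get("error"):
        raise RuntimeError(done["error"])
    return done


def is_internet_route(route, network):
    return (route["network"].endswith("/" + network) and route.get("destRange") == "0.0.0.0/0"
            and route.get("nextHopGateway", "").endswith("/default-internet-gateway"))


def create_lesson_network(compute, project, region, network="lesson-vpc", subnet="lesson-subnet",
                          cidr="10.10.0.0/24", route="lesson-internet-route"):
    """Create network -> subnet -> (route, if missing). Returns teardown handles plus the route table."""
    network_url = f"projects/{project}/global/networks/{network}"
    wait(compute, project, compute.networks().insert(
        project=project, body={"name": network, "autoCreateSubnetworks": False}).execute())
    wait(compute, project, compute.subnetworks().insert(project=project, region=region, body={
        "name": subnet, "network": network_url, "ipCidrRange": cidr, "privateIpGoogleAccess": True}).execute())
    routes = compute.routes().list(project=project).execute().get("items", [])
    created_route = None
    if not any(is_internet_route(r, network) for r in routes):   # a new VPC normally already has one
        wait(compute, project, compute.routes().insert(project=project, body={
            "name": route, "network": network_url, "destRange": "0.0.0.0/0", "priority": 1000,
            "nextHopGateway": f"projects/{project}/global/gateways/default-internet-gateway"}).execute())
        created_route = route
        routes = compute.routes().list(project=project).execute().get("items", [])
    return {"network": network, "subnet": subnet, "route": created_route,
            "routes": [r for r in routes if r["network"].endswith("/" + network)]}


def destroy_lesson_network(compute, project, region, handles):
    """Teardown order: route, then subnet, then network. Instances in the subnet and
    firewall rules on the network would have to be removed first as well."""
    if handles["route"]:
        wait(compute, project, compute.routes().delete(project=project, route=handles["route"]).execute())
    wait(compute, project, compute.subnetworks().delete(
        project=project, region=region, subnetwork=handles["subnet"]).execute())
    wait(compute, project, compute.networks().delete(project=project, network=handles["network"]).execute())


class _Recorder:
    """Offline stand-in for the discovery client: logs 'resource.method' per executed call."""
    def __init__(self, log, path=()):
        self.log, self.path = log, path

    def __getattr__(self, name):
        return lambda **kwargs: _Recorder(self.log, self.path + (name,))

    def execute(self):
        self.log.append(".".join(self.path))
        return {"name": "op-fake", "status": "DONE"}   # no "region", "items" or "error" keys


def dry_run(project="demo-project", region="us-central1"):
    """Run both phases against the recorder and return the ordered call log."""
    log = []
    handles = create_lesson_network(_Recorder(log), project, region)
    destroy_lesson_network(_Recorder(log), project, region, handles)
    return log


if __name__ == "__main__":
    from googleapiclient import discovery
    compute = discovery.build("compute", "v1")
    handles = create_lesson_network(compute, "my-project", "us-central1")   # placeholders
    for r in handles["routes"]:
        print(r["name"], r["destRange"], r.get("nextHopGateway") or r.get("nextHopNetwork"))
    destroy_lesson_network(compute, "my-project", "us-central1", handles)
```

Two design points: the route is only inserted when the network has no gateway route (a new VPC is created with one), and `create_lesson_network` records which route it actually created so that teardown never tries to delete a system-generated route or one it did not make.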
In this lesson, you learned how to enable internet connectivity for your GCP VPC networks by creating routes to the default internet gateway, assigning external IP addresses, and configuring firewall rules. You saw how GCP's global routing table model simplifies network management and how to inspect and manage routes using Python and the Google API client. In upcoming exercises, you'll practice building multi-subnet architectures with both public and private segments, configuring different connectivity patterns, and troubleshooting common networking issues in Google Cloud. Through hands-on experimentation, you'll gain the skills needed to design secure and robust GCP network topologies for real-world applications.
