Since several design choices on an organizational level can’t be easily reversed later on in the process, make Virtual Private Cloud network design an early part of designing your organizational setup in Google Cloud.
Keep the design of your VPC network topology simple to help ensure a manageable, reliable, and well-understood architecture.

We recommend that enterprises use VPC networks in custom mode to better integrate into existing IP address management schemes and to provide explicit control over which cloud regions are included in the VPC.

For organizations with multiple teams, Shared VPC provides an effective tool to extend the architectural simplicity of a single VPC network across multiple working groups.

Make your naming conventions simple, intuitive, and consistent. This ensures that administrators and end users understand the purpose of each resource, where it’s located, and how it’s differentiated from other resources.

In the context of network security, you can use connectivity tests to verify that traffic you intend to prevent between two endpoints is, in fact, blocked. By defining a test between two endpoints and evaluating the results, you can validate that traffic would be blocked and exactly why it’s blocked (e.g. a specific VPC firewall rule).

With Private Service Connect (PSC) for Google APIs, you can create private endpoints for accessing Google services using your own IP addressing scheme. The private endpoints are accessible from within your VPC and through hybrid connectivity that terminates in your VPC.

When possible, manage traffic with Google Cloud native firewall rules as this will help manage L3 traffic within your VPCs. Also, try to ensure your firewalls are not too broad. You can use hierarchical firewall policies to apply common firewall rules across your VPC networks.

Additionally, as your deployments mature, employ service account-based access controls. This ensures only authorized resources can access appropriate resources in your network. If you’re using network tags to control network traffic, use Forseti Security to automate configuration monitoring.

Google Cloud Marketplace features a large ecosystem of third-party solutions that will help you deploy security capabilities to monitor VPC traffic effectively.

Limit access to the internet to only those resources that need access. Resources with only a private, internal IP address can still access many Google APIs and services through Private Google Access.

After you draft your VPC architecture, a good practice is to review VPC limits to ensure it meets your scaling requirements, especially to accommodate peak traffic resource usage.

​​As you decouple your workloads, consider isolating workloads using different VPCs. This allows you to address various considerations across the other Google Cloud Architecture Framework pillars.

Evaluate Google Cloud's native capabilities to control and monitor traffic as these products are meant to help scale your networking capabilities. Using a third-party appliance may limit your scaling capabilities due to VM-based management overhead.

Verify if your vendor provides support for Google Cloud. Google Cloud Marketplace features a large ecosystem of appliance vendors, including how-to guides, tutorials, and best practices.

Refer to the Google Cloud documentation on centralized network appliances to understand best practices for designing your VPC communication.

The next step after deciding to implement multiple VPC networks is connecting those VPC networks. VPC networks are isolated tenant spaces within Google's Andromeda SDN (software-defined networking), and there are several ways that they can communicate with each other. A full comparison of the available options are provided here.

Based on your bandwidth, latency, and SLA requirements, choose the best connection option.

Use Network Telemetry to enhance visibility into your cloud network.

Identify traffic and access patterns that may impose security or operational risks to your organization in near real time. Network Telemetry provides both network and security operations with in-depth, responsive logs for Google Cloud networking services.