Google Cloud VPC Flow Logs Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking

1. Introduction

VPC Flow Logs is a Google Cloud Networking feature that records network flow metadata for traffic going to and from resources in your Virtual Private Cloud (VPC) network. These logs help you understand who is talking to whom, over which ports and protocols, how much traffic is flowing, and whether connections are allowed or denied.

In simple terms: VPC Flow Logs captures a sampled, time-aggregated record of network connections for resources attached to a subnet. You can then search, alert, and analyze this data using Cloud Logging and downstream tools like BigQuery.

Technically, VPC Flow Logs generates structured log entries (flow records) for network traffic observed on VM network interfaces in a subnet. Flow records are sampled (you choose a sampling rate) and aggregated (you choose an aggregation interval). The logs are delivered to Cloud Logging, where you can retain them, query them, and route them using the Log Router to BigQuery, Cloud Storage, Pub/Sub, or external destinations.

The problem it solves is visibility: without flow logs, teams often struggle to answer questions like: – “Which source IP is scanning my workloads?” – “Why can’t service A reach service B?” – “Which subnets generate the most egress?” – “Which destinations are my workloads calling over the network?”

VPC Flow Logs gives you a practical and scalable starting point for network troubleshooting, security investigations, and cost governance in Google Cloud.

2. What is VPC Flow Logs?

Official purpose (what it is for):
VPC Flow Logs provides network telemetry by recording metadata about IP traffic flows for Google Cloud VPC networks. It is designed to help with network monitoring, forensics, troubleshooting, and security analysis. Official documentation: https://cloud.google.com/vpc/docs/using-flow-logs

Core capabilities: – Capture network flow metadata for traffic associated with a subnet. – Control sampling rate to balance visibility and cost. – Control aggregation interval to balance granularity and volume. – Include different levels of metadata (for example, to enrich records for investigations). – Use Cloud Logging for querying and for exporting flow logs to analytics systems.

Major components: – VPC network / Subnet: VPC Flow Logs is enabled and configured at the subnet level. – Flow log configuration: sampling, aggregation interval, and metadata settings. – Cloud Logging: the default destination where flow log entries appear. – Log Router (sinks): routes logs to BigQuery, Cloud Storage, Pub/Sub, or other supported destinations. – Downstream analytics: BigQuery, SIEM, dashboards, anomaly detection, alerting, and long-term retention.

Service type: – It’s not a standalone “service” you deploy; it’s a Networking feature of Google Cloud VPC integrated with Cloud Logging.

Scope (how it is applied): – Configuration scope: enabled per subnet. – Log routing scope: Cloud Logging routing is configured per project (with options for centralized logging across projects via sinks and aggregated logging patterns). – Data scope: logs represent flows involving network interfaces attached to the subnet (exact coverage depends on workload type and Google Cloud’s supported resources—verify coverage for your specific product like GKE, Cloud Run, etc., in official docs).

How it fits into the Google Cloud ecosystem: – Google Cloud Networking: complements firewall rules, Cloud NAT, load balancers, VPN/Interconnect, and network design patterns. – Cloud Logging: you query flow logs, create log-based metrics, and manage retention. – Security operations: supports threat detection and investigation workflows when exported to BigQuery or a SIEM. – FinOps / cost governance: helps identify unexpected egress, chatty services, and misrouted traffic.

Service name status (renamed/deprecated?):
As of the latest official documentation, “VPC Flow Logs” remains the current product/feature name in Google Cloud and is actively supported. Always validate any newly introduced log fields or format changes in the official docs because log schemas can evolve over time.

3. Why use VPC Flow Logs?

Business reasons

Reduce downtime and incident duration: faster root cause analysis for connectivity issues can reduce business impact.
Support compliance and audits: network-level evidence of traffic patterns helps satisfy security and governance requirements (where logging is mandated).
Control cloud spend: visibility into network paths and egress destinations can reveal misconfigurations and unexpected traffic patterns that drive costs.

Technical reasons

Network visibility without packet capture: you get metadata about flows without running tcpdump everywhere.
Supports analytics at scale: Cloud Logging + BigQuery can handle large volumes with strong query capabilities.
Works well with infrastructure-as-code (IaC): subnet flow logs can be managed consistently across environments.

Operational reasons

Troubleshoot firewall and routing issues: confirm whether traffic is observed, its direction, protocol/port, and volume.
Baseline network behavior: establish normal patterns for services, subnets, and environments.
Build alerts: create log-based metrics and alerts around unexpected ports, denied flows, or suspicious destinations.

Security/compliance reasons

Detect scanning and lateral movement indicators: identify unusual east-west traffic or repeated denied attempts.
Support incident investigations: identify which hosts communicated during an event window.
Improve accountability: logs provide evidence trails (note: logs are sampled and aggregated, so they are not a complete forensic packet record).

Scalability/performance reasons

Sampling and aggregation are built-in controls: you can tune visibility vs. cost/volume.
Centralized analysis: route logs to a central project/dataset for cross-project investigations.

When teams should choose it

Choose VPC Flow Logs when you need: – Network communication visibility between services/subnets/projects. – A scalable logging pipeline using Cloud Logging and BigQuery. – Practical troubleshooting without deploying agents everywhere.

When teams should not choose it

Avoid relying on VPC Flow Logs as your only tool when you need: – Full packet contents (payload inspection): use Packet Mirroring or host-based captures where appropriate. – Complete, unsampled capture of every connection: VPC Flow Logs is typically sampled and aggregated. – Immediate real-time enforcement: it’s an observability tool, not a policy enforcement system.

4. Where is VPC Flow Logs used?

Industries

Finance and insurance: audit trails, segmentation validation, incident response.
Healthcare: monitoring communications between regulated workloads (with appropriate access controls).
SaaS and technology: microservice connectivity troubleshooting and performance baselining.
Retail and e-commerce: detecting unexpected outbound calls, validating architecture changes during peak events.
Public sector: governance and visibility requirements across large networks and multiple projects.

Team types

Network engineers and cloud networking teams
SRE and platform engineering teams
DevOps teams managing connectivity across services
Security engineering and SOC teams
FinOps/cost governance teams

Workloads

Compute Engine VM-based applications
GKE node traffic and east-west patterns (coverage depends on configuration and how traffic is routed; verify in docs for your cluster mode and dataplane)
Multi-tier apps across multiple subnets
Hybrid connectivity via Cloud VPN / Cloud Interconnect (visibility depends on traffic path; verify specifics in official docs)

Architectures

Shared VPC with centralized security/logging
Multi-project environments with centralized observability
Hub-and-spoke network topologies
Segmented environments (prod/dev/test) with consistent telemetry baselines

Real-world deployment contexts

Production: usually enabled selectively (critical subnets, high-risk segments), exported to BigQuery/SIEM with tuned sampling to control costs.
Dev/test: often enabled temporarily at higher sampling to accelerate troubleshooting, then reduced or disabled.

5. Top Use Cases and Scenarios

Below are realistic scenarios where VPC Flow Logs is commonly used.

1) Investigate “service cannot connect” incidents

Problem: Service A times out calling Service B.
Why VPC Flow Logs fits: confirms whether traffic is leaving A, reaching B’s subnet, and whether responses are seen.
Example: A VM in subnet-app cannot reach a VM in subnet-db on TCP/5432. Flow logs reveal only SYN packets are seen and responses are missing, narrowing the issue to firewall or routing.

2) Validate firewall segmentation (least privilege)

Problem: Teams create firewall rules but don’t know if segmentation works as expected.
Why it fits: observe allowed/denied flows across subnet boundaries.
Example: After tightening firewall rules, use flow logs to confirm no unexpected ports are used between app and admin networks.

3) Detect and triage port scanning attempts

Problem: Suspicious sources attempt many ports.
Why it fits: flow records show repeated denied attempts and target port ranges.
Example: A VM shows repeated denied connections to TCP/22 across multiple instances; SOC investigates potential compromise or misconfiguration.

4) Identify unexpected outbound (egress) destinations

Problem: A workload begins sending traffic to unknown IPs/domains.
Why it fits: flow logs show destination IPs and traffic volumes.
Example: A compromised VM starts calling a command-and-control IP. Flow logs highlight high-frequency outbound flows.

5) Reduce network egress costs through visibility

Problem: Network egress costs are higher than expected.
Why it fits: you can attribute egress volume by subnet/workload and destination patterns (with enrichment).
Example: A data pipeline accidentally egresses to the internet rather than using Private Service Connect or internal endpoints. Flow logs help identify misrouted paths.

6) Audit lateral movement pathways after an incident

Problem: Need to understand what a suspected compromised host talked to.
Why it fits: provides network communication history (subject to sampling/retention).
Example: During incident response, export flow logs to BigQuery and query all flows involving an instance IP for the incident window.

7) Baseline normal traffic for anomaly detection

Problem: No baseline of “normal” east-west traffic exists.
Why it fits: you can build BigQuery models or dashboards on top of flow logs.
Example: A microservice normally talks to 3 backends; flow logs show it suddenly contacts 30 destinations, triggering investigation.

8) Capacity planning and “chatty service” identification

Problem: Services create excessive internal traffic, stressing NAT gateways or backends.
Why it fits: byte/packet counts by flow help identify high-volume pairs.
Example: A service misconfiguration causes repeated retries; flow logs show high packet counts and repeated short-lived connections.

9) Change validation after network redesign

Problem: After adding new subnets/peering/VPN, you need to ensure traffic uses intended paths.
Why it fits: flow logs validate connectivity and traffic direction at subnet boundaries.
Example: After introducing Shared VPC, verify that workloads in service projects communicate only with approved shared services.

10) Enrich SIEM detection and correlation

Problem: SIEM needs network telemetry to correlate with identity and host logs.
Why it fits: export to BigQuery or stream via Pub/Sub to a SIEM pipeline.
Example: Correlate suspicious authentication events with subsequent outbound connections from the same host IP.

11) Monitor denied traffic to critical subnets

Problem: Need to know what’s being blocked (and from where) to tune policy and detect attacks.
Why it fits: provides denied flow metadata (when logged).
Example: A restricted admin subnet sees repeated denied attempts from a dev subnet; investigate policy violations.

12) Troubleshoot DNS or dependency resolution patterns (indirectly)

Problem: Applications fail because dependencies are unreachable, often triggered by DNS changes.
Why it fits: while it doesn’t log DNS query payloads, it can show traffic patterns to DNS servers or dependency endpoints.
Example: A service suddenly contacts a different IP range for the same dependency; flow logs help confirm the change.

6. Core Features

This section summarizes important current capabilities. For exact field lists and configuration flags, always validate against official docs: https://cloud.google.com/vpc/docs/using-flow-logs

Feature 1: Subnet-level enablement and configuration

What it does: enables flow logging on a specific subnet and applies sampling/aggregation/metadata settings.
Why it matters: lets you target critical network segments without logging everything.
Practical benefit: reduce noise and cost by enabling logs only where needed (prod subnets, sensitive segments).
Caveats: if you forget to enable logs on a subnet, you will not see flows for resources attached to it.

Feature 2: Traffic sampling (flow sampling rate)

What it does: logs only a fraction of flows based on a configured sampling rate.
Why it matters: reduces log volume and cost.
Practical benefit: you can start at a moderate sampling level and adjust based on incident needs.
Caveats: sampling means you might miss short-lived or low-volume flows; do not treat as a perfect record of all traffic.

Feature 3: Time aggregation interval

What it does: aggregates observed flow data into time buckets before logging (granularity control).
Why it matters: affects how many log entries are generated and how precisely you can time events.
Practical benefit: shorter intervals provide finer detail; longer intervals reduce log volume.
Caveats: aggregation can blur short spikes; choose based on investigation needs.

Feature 4: Metadata inclusion / enrichment options

What it does: includes additional metadata fields in log entries (for example, resource identifiers).
Why it matters: enriched logs are easier to join with asset inventories and incident records.
Practical benefit: improved investigations and BigQuery queries without needing extra lookups.
Caveats: more metadata can increase log size, which can increase Cloud Logging ingestion costs.

Feature 5: Default integration with Cloud Logging

What it does: flow logs appear as log entries in Cloud Logging.
Why it matters: you can search immediately, apply retention, and route logs.
Practical benefit: consistent operational workflow with the rest of Google Cloud logs.
Caveats: Cloud Logging costs and quotas apply.

Feature 6: Log Router export (sinks) to analytics destinations

What it does: routes flow logs to supported destinations such as BigQuery, Cloud Storage, Pub/Sub, and third-party integrations.
Why it matters: enables long-term storage and advanced analytics beyond basic log search.
Practical benefit: BigQuery queries for threat hunting; Cloud Storage for archival; Pub/Sub for streaming pipelines.
Caveats: downstream services have their own costs, IAM, and operational requirements.

Feature 7: Log-based metrics and alerting (via Cloud Logging)

What it does: create metrics derived from logs to drive dashboards/alerts.
Why it matters: converts raw flow logs into actionable operational signals.
Practical benefit: alert on unusual denied flows, unexpected ports, or spikes in egress bytes.
Caveats: metric design matters; poor filters can create noisy alerts.

Feature 8: Works with centralized logging patterns

What it does: supports exporting logs to a central project/dataset for multi-project analysis.
Why it matters: enterprises often need consistent visibility across many projects.
Practical benefit: one BigQuery dataset for organization-wide network telemetry (with proper access controls).
Caveats: ensure governance and least-privilege access; flow logs may contain sensitive internal IP data.

7. Architecture and How It Works

High-level architecture

You enable VPC Flow Logs on a subnet.
Google Cloud observes traffic to/from network interfaces in that subnet and produces flow records.
Flow records are sampled and aggregated based on your configuration.
The resulting log entries are written into Cloud Logging under the VPC flow logs log stream.
Optionally, you configure Log Router sinks to export these logs to: – BigQuery (analytics / threat hunting) – Cloud Storage (archive) – Pub/Sub (stream processing) – Other supported destinations (verify in Cloud Logging routing docs)

Request/data/control flow

Control plane: you configure the subnet logging settings (sampling, aggregation, metadata).
Data plane: traffic flows between workloads; VPC Flow Logs observes metadata for those flows.
Telemetry pipeline: log entries are delivered to Cloud Logging; from there, log routing exports them elsewhere.

Integrations with related services

Cloud Logging: search, retention, log-based metrics, routing.
BigQuery: large-scale querying, joins with asset inventories, dashboards.
Pub/Sub + Dataflow: streaming analytics and custom enrichment pipelines.
Cloud Storage: archival and cold storage for compliance.
Cloud Monitoring: alerting often uses metrics derived from logs (log-based metrics) rather than raw logs.

Dependency services

VPC networking and subnetworks (Compute Engine networking).
Cloud Logging (for storage, indexing, querying, routing).
Optional: BigQuery/Cloud Storage/Pub/Sub for exports.

Security/authentication model

Access to logs is controlled via IAM in Cloud Logging (e.g., Logging Viewer).
Exports use sink writer identities (service accounts) that must be granted access to the destination (e.g., BigQuery dataset permissions).
Sensitive data handling depends on who can read logs and exports.

Networking model

VPC Flow Logs observes network flows associated with a subnet. It is not a firewall and does not change routing.
You typically combine it with:
VPC firewall rules and firewall logging (separate feature)
Cloud NAT logs (for NAT visibility)
Load balancer logs (application-facing traffic)

Monitoring/logging/governance considerations

Log volume can be large. Define:
Which subnets are in scope
Sampling/aggregation defaults by environment (prod vs dev)
Retention policies in Cloud Logging and downstream storage
Centralized export design and access controls

Simple architecture diagram

flowchart LR
  A[VMs / workloads in a subnet] --> B[VPC network traffic]
  B --> C[VPC Flow Logs<br/>(sampling + aggregation)]
  C --> D[Cloud Logging]
  D --> E[Logs Explorer / Alerts]
  D --> F[Log Router Sink]
  F --> G[BigQuery]
  F --> H[Cloud Storage]
  F --> I[Pub/Sub]

Production-style architecture diagram (centralized analytics)

flowchart TB
  subgraph Org[Google Cloud Organization]
    subgraph NetProject[Network Host Project (Shared VPC)]
      S1[Prod Subnet A<br/>Flow Logs enabled]
      S2[Prod Subnet B<br/>Flow Logs enabled]
      WL1[Compute/GKE workloads]
      WL1 --> S1
      WL1 --> S2
    end

    subgraph AppProjects[Service Projects]
      P1[Project: Payments]
      P2[Project: Analytics]
    end

    subgraph LoggingProject[Central Logging Project]
      CL[Cloud Logging<br/>Log Buckets & Retention]
      LR[Log Router<br/>Aggregated sinks]
      BQ[(BigQuery Dataset<br/>vpc_flow_logs)]
      CS[(Cloud Storage Archive)]
    end

    subgraph SecOps[Security Operations]
      SOC[SIEM / Threat Hunting]
      Dash[Dashboards / Looker Studio]
    end
  end

  S1 --> CL
  S2 --> CL
  CL --> LR
  LR --> BQ
  LR --> CS
  BQ --> SOC
  BQ --> Dash

8. Prerequisites

Account / project requirements

A Google Cloud project with billing enabled.
Permissions to create and manage VPC networks, subnets, VM instances, and logs.

IAM permissions (common minimums)

Exact least-privilege varies by environment, but for this tutorial you typically need: – To create networks/subnets and enable flow logs: – roles/compute.networkAdmin (or a custom role including compute.subnetworks.create and compute.subnetworks.update) – To create VM instances: – roles/compute.instanceAdmin.v1 (and possibly roles/iam.serviceAccountUser to attach service accounts) – To view logs: – roles/logging.viewer – To create log sinks: – roles/logging.configWriter – If exporting to BigQuery: – BigQuery dataset create permissions (e.g., roles/bigquery.admin for labs; in production prefer narrower roles)

If you use IAP-based SSH in the lab, you may also need: – roles/iap.tunnelResourceAccessor for the user initiating SSH

Billing requirements

Cloud Logging ingestion/retention beyond free allotments may incur cost.
Compute Engine VM usage may incur cost (free tier may apply depending on region and eligible machine types—verify current free tier details).

CLI / tools

Cloud Shell (recommended) includes:
gcloud
bq
Or install the Google Cloud CLI: https://cloud.google.com/sdk/docs/install

Region availability

VPC and Cloud Logging are global services, but subnets and VM instances are regional/zonal.
Choose a region close to you and consistent with your organization’s policies.

Quotas / limits

Cloud Logging quotas and billing apply (log ingestion volume, API usage).
Compute Engine quotas apply (VMs, CPUs, etc.).
BigQuery quotas apply if exporting and running queries.

Always check: – Cloud Logging quotas: https://cloud.google.com/logging/quotas – Compute Engine quotas: https://cloud.google.com/compute/quotas

Prerequisite services/APIs

Enable these APIs in your project: – Compute Engine API (compute.googleapis.com) – Cloud Logging API (logging.googleapis.com) is typically available by default, but verify if restricted by policy – BigQuery API (bigquery.googleapis.com) only if you export to BigQuery

9. Pricing / Cost

VPC Flow Logs itself is a feature, but the logs it generates create billable usage in Cloud Logging and any export destination.

Pricing dimensions (what you pay for)

Cloud Logging ingestion (log volume): – You are billed based on the volume of log data ingested beyond any free allotment. – Flow logs can be high-volume depending on traffic, sampling rate, aggregation interval, and metadata.
Cloud Logging retention: – Retention beyond included/default periods can incur cost depending on bucket configuration and retention settings. – Verify current retention pricing and default retention behavior in Cloud Logging docs.
Log Router exports: – Exporting logs is supported, but you pay for the destination service:
- BigQuery: storage + query costs (and streaming ingestion behavior if applicable to Log Router exports—verify current export mechanics).
- Cloud Storage: storage and operations.
- Pub/Sub: message volume and delivery.
Network and egress implications: – Exporting logs across regions or to external destinations can incur network egress costs depending on architecture. – If you move log data out of Google Cloud (e.g., to a third-party SIEM), egress charges may apply.

Free tier / free allotment

Cloud Logging typically provides a free allotment of log ingestion per project per month, but the amount and rules can change. Do not assume your flow logs are “free.”
Verify current Cloud Logging pricing here: – Official pricing page: https://cloud.google.com/logging/pricing – Pricing calculator: https://cloud.google.com/products/calculator

Primary cost drivers for VPC Flow Logs

Total traffic volume in the subnet(s)
Sampling rate (higher sampling → more logs)
Aggregation interval (shorter interval → more entries)
Metadata level (more metadata → larger entries)
Number of subnets enabled (blast radius of telemetry)
Retention period in Cloud Logging and/or BigQuery storage duration
Query patterns in BigQuery (frequent large scans can be expensive)

Hidden or indirect costs to plan for

BigQuery query costs during threat hunting (large time ranges).
Storage costs for long retention (especially if you keep raw logs for months).
Operational overhead: building dashboards, managing IAM, reviewing alerts.
SIEM licensing/ingestion costs if exporting outside Google Cloud.

How to optimize cost (practical guidance)

Enable flow logs only on subnets that matter (prod, sensitive, boundary networks).
Start with moderate sampling and adjust:
Increase temporarily during an incident.
Reduce for steady-state operations.
Use longer aggregation intervals in steady state to reduce volume.
Be selective with metadata inclusion; only include what you actually use.
Export to BigQuery only if you need advanced analytics; otherwise use Cloud Logging queries and log-based metrics.
Use partitioned tables (where applicable) and time-bounded queries in BigQuery.
Apply lifecycle policies in Cloud Storage if archiving.
Use log sinks with filters to export only the subset you need (for example, only prod subnets).

Example low-cost starter estimate (qualitative)

A small lab setup with: – Flow logs enabled on one subnet – Low traffic – Moderate sampling – Short retention in Cloud Logging will typically generate modest log volume; costs usually remain low, but the actual bill depends on your traffic and configuration. Use the Cloud Billing reports and Logging usage metrics to validate.

Example production cost considerations

For production environments with: – Many subnets enabled – High east-west traffic – High sampling and rich metadata – Long retention and BigQuery exports you should expect meaningful Cloud Logging ingestion and BigQuery storage/query costs. Plan budgets and enforce guardrails (sampling defaults, sink filters, retention policies).

10. Step-by-Step Hands-On Tutorial

Objective

Enable VPC Flow Logs on a subnet in Google Cloud, generate real network traffic between two VM instances, view flow logs in Cloud Logging, and (optionally) export them to BigQuery for querying.

Lab Overview

You will: 1. Create a custom VPC and subnet with VPC Flow Logs enabled. 2. Create two small VM instances in the subnet. 3. Generate traffic (ICMP and HTTP) between the VMs. 4. Verify flow logs in Cloud Logging. 5. (Optional) Export flow logs to BigQuery and run a basic query. 6. Clean up resources to avoid ongoing costs.

Step 1: Set variables and enable required APIs

Use Cloud Shell (recommended).

PROJECT_ID="$(gcloud config get-value project)"
REGION="us-central1"
ZONE="us-central1-a"

gcloud services enable compute.googleapis.com logging.googleapis.com

Expected outcome: APIs enable successfully (may take a minute).
Verify:

gcloud services list --enabled --filter="name:compute.googleapis.com OR name:logging.googleapis.com"

Step 2: Create a VPC network and subnet with VPC Flow Logs enabled

Create a custom mode VPC:

gcloud compute networks create vpc-flowlab --subnet-mode=custom

Create a subnet and enable flow logs with a reasonable lab configuration.

Note: gcloud flags and allowed values can evolve. If a flag fails, use gcloud compute networks subnets create --help and verify against official docs.

gcloud compute networks subnets create flow-subnet \
  --network=vpc-flowlab \
  --region="$REGION" \
  --range=10.10.0.0/24 \
  --enable-flow-logs \
  --logging-aggregation-interval=INTERVAL_5_SEC \
  --logging-flow-sampling=0.5 \
  --logging-metadata=INCLUDE_ALL_METADATA

Expected outcome: subnet is created and flow logs are enabled.

Verify subnet settings:

gcloud compute networks subnets describe flow-subnet --region="$REGION" \
  --format="yaml(name,region,enableFlowLogs,logConfig)"

Step 3: Create firewall rules for internal traffic and SSH (IAP-based)

Allow internal traffic inside the subnet (ICMP and TCP/8080 for the web server test):

gcloud compute firewall-rules create allow-internal-icmp-8080 \
  --network=vpc-flowlab \
  --direction=INGRESS \
  --priority=1000 \
  --action=ALLOW \
  --rules=tcp:8080,icmp \
  --source-ranges=10.10.0.0/24

For SSH access without public IPs, use IAP tunneling. Create a firewall rule allowing IAP to reach TCP/22:

gcloud compute firewall-rules create allow-iap-ssh \
  --network=vpc-flowlab \
  --direction=INGRESS \
  --priority=1000 \
  --action=ALLOW \
  --rules=tcp:22 \
  --source-ranges=35.235.240.0/20 \
  --target-tags=iap-ssh

Expected outcome: firewall rules created.

Verify:

gcloud compute firewall-rules list --filter="network:vpc-flowlab" --format="table(name, direction, allowed, sourceRanges, targetTags)"

Step 4: Create two VM instances without external IPs

Create vm-a and vm-b in the same subnet. Use small machine types to keep costs low (verify eligible free tier in your region if you rely on it).

gcloud compute instances create vm-a \
  --zone="$ZONE" \
  --machine-type=e2-micro \
  --subnet=flow-subnet \
  --no-address \
  --tags=iap-ssh

gcloud compute instances create vm-b \
  --zone="$ZONE" \
  --machine-type=e2-micro \
  --subnet=flow-subnet \
  --no-address \
  --tags=iap-ssh

Expected outcome: two VMs are created with only internal IPs.

Verify internal IPs:

gcloud compute instances list --filter="name=(vm-a vm-b)" --format="table(name, zone, networkInterfaces[0].networkIP, networkInterfaces[0].accessConfigs)"

Step 5: Generate traffic between the VMs

Get vm-a internal IP:

VM_A_IP="$(gcloud compute instances describe vm-a --zone="$ZONE" --format='value(networkInterfaces[0].networkIP)')"
echo "vm-a internal IP: $VM_A_IP"

5a) Start a simple HTTP server on vm-a

SSH into vm-a via IAP and start a server on port 8080:

gcloud compute ssh vm-a --zone="$ZONE" --tunnel-through-iap --command \
  "nohup python3 -m http.server 8080 >/tmp/http.log 2>&1 & sleep 1; ss -lntp | grep 8080 || true"

Expected outcome: port 8080 is listening on vm-a.

5b) From vm-b, ping and curl vm-a

gcloud compute ssh vm-b --zone="$ZONE" --tunnel-through-iap --command \
  "ping -c 3 $VM_A_IP; curl -sS --max-time 3 http://$VM_A_IP:8080 | head"

Expected outcome: ping succeeds and curl returns HTML directory listing (or similar output).

Step 6: View VPC Flow Logs in Cloud Logging

Flow logs can take a few minutes to appear. First, confirm you’re filtering the correct log stream.

In Cloud Shell, run:

gcloud logging read \
  "logName=\"projects/${PROJECT_ID}/logs/compute.googleapis.com%2Fvpc_flows\"" \
  --freshness=30m \
  --limit=10 \
  --format="table(timestamp, resource.labels.subnetwork_name, jsonPayload.src_instance.vm_name, jsonPayload.dest_instance.vm_name, jsonPayload.connection.src_ip, jsonPayload.connection.dest_ip, jsonPayload.connection.protocol, jsonPayload.connection.src_port, jsonPayload.connection.dest_port, jsonPayload.bytes_sent, jsonPayload.packets_sent)"

Expected outcome: you see log entries for flows between vm-b and vm-a (and possibly other background traffic).
If the table format fails due to field name differences, output JSON to inspect the exact schema:

gcloud logging read \
  "logName=\"projects/${PROJECT_ID}/logs/compute.googleapis.com%2Fvpc_flows\"" \
  --freshness=30m \
  --limit=2 \
  --format=json

Console verification option (often easier): 1. Go to Logs Explorer: https://console.cloud.google.com/logs 2. Use this query: logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" resource.type="gce_subnetwork" resource.labels.subnetwork_name="flow-subnet" 3. Set time range to “Last 30 minutes”.

Step 7 (Optional): Export VPC Flow Logs to BigQuery

This step demonstrates how teams typically analyze flow logs at scale.

7a) Enable BigQuery API and create a dataset

gcloud services enable bigquery.googleapis.com

bq --location=US mk -d "${PROJECT_ID}:vpc_flow_logs"

Expected outcome: dataset exists.

7b) Create a Log Router sink to BigQuery

Create a sink that routes only VPC flow logs:

gcloud logging sinks create vpc-flows-to-bq \
  bigquery.googleapis.com/projects/${PROJECT_ID}/datasets/vpc_flow_logs \
  --log-filter="logName=\"projects/${PROJECT_ID}/logs/compute.googleapis.com%2Fvpc_flows\"" \
  --use-partitioned-tables

Expected outcome: sink is created.

Get the sink writer identity (a service account managed for the sink):

SINK_WRITER="$(gcloud logging sinks describe vpc-flows-to-bq --format='value(writerIdentity)')"
echo "$SINK_WRITER"

7c) Grant the sink permission to write to the dataset

BigQuery dataset permissions are managed at the dataset level.

Console method (recommended for accuracy): 1. Go to BigQuery: https://console.cloud.google.com/bigquery 2. Find dataset vpc_flow_logs 3. Click Sharing → Permissions (or Manage permissions, UI varies) 4. Add principal = the sink writer identity you printed (e.g., serviceAccount:...) 5. Grant role: BigQuery Data Editor on the dataset (or a least-privilege equivalent that allows table creation and data write; verify in your org)

Expected outcome: sink can create/write tables.

7d) Wait for data and query it

Generate a bit more traffic (repeat Step 5b), wait 2–5 minutes, then check for tables:

bq ls "${PROJECT_ID}:vpc_flow_logs"

If you see a table related to VPC flow logs, run a query (table names vary; pick the correct one you see in your dataset UI). Example query pattern:

# Replace TABLE_NAME with the actual table name shown in your dataset.
TABLE_NAME="compute_googleapis_com_vpc_flows"

bq query --use_legacy_sql=false "
SELECT
  timestamp,
  jsonPayload.connection.src_ip AS src_ip,
  jsonPayload.connection.dest_ip AS dest_ip,
  jsonPayload.connection.dest_port AS dest_port,
  jsonPayload.bytes_sent AS bytes_sent
FROM \`${PROJECT_ID}.vpc_flow_logs.${TABLE_NAME}\`
WHERE timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 1 HOUR)
ORDER BY timestamp DESC
LIMIT 50
"

Expected outcome: you see flow records in query output.

If your export schema differs (e.g., fields are not under jsonPayload), inspect the table schema in BigQuery and adjust the query accordingly. Google Cloud can evolve exported log schemas—always verify field paths.

Validation

Use the checklist below to confirm the lab is successful:

Subnet shows flow logs enabled: bash gcloud compute networks subnets describe flow-subnet --region="$REGION" \ --format="get(enableFlowLogs)" Should output True.
You generated traffic: – ping succeeded – curl returned content from vm-a
Cloud Logging contains VPC flow logs: bash gcloud logging read \ "logName=\"projects/${PROJECT_ID}/logs/compute.googleapis.com%2Fvpc_flows\" AND resource.labels.subnetwork_name=\"flow-subnet\"" \ --freshness=1h --limit=5 --format=json Should return entries.
Optional BigQuery export works: – dataset exists – sink exists – table exists and query returns rows

Troubleshooting

Common issues and fixes:

No flow logs appear – Wait 5–10 minutes; flow logs are not always instantaneous. – Confirm you enabled flow logs on the correct subnet and that VMs are attached to that subnet. – Verify your Logs Explorer filter uses the correct logName. – Ensure you generated traffic (ping/curl). – Check IAM: you need roles/logging.viewer to read logs.
gcloud compute ssh --tunnel-through-iap fails – Ensure you created the allow-iap-ssh firewall rule for 35.235.240.0/20 and applied --tags=iap-ssh to the instances. – Ensure your user has roles/iap.tunnelResourceAccessor. – Verify the instance has access to required OS Login settings if enforced in your org.
BigQuery sink exports but no tables appear – Confirm dataset permissions granted to the sink writer identity. – Confirm sink filter matches the log stream exactly. – Generate more traffic and wait a few minutes.
Field names don’t match the example – Output JSON from Cloud Logging and inspect actual keys. – Use BigQuery schema view and adjust queries accordingly. – Always verify log schema in official docs.

Cleanup

To avoid ongoing charges, delete resources created in this lab.

# Delete VMs
gcloud compute instances delete vm-a vm-b --zone="$ZONE" --quiet

# Delete firewall rules
gcloud compute firewall-rules delete allow-internal-icmp-8080 allow-iap-ssh --quiet

# Delete subnet and VPC
gcloud compute networks subnets delete flow-subnet --region="$REGION" --quiet
gcloud compute networks delete vpc-flowlab --quiet

If you created the BigQuery export:

# Delete the logging sink
gcloud logging sinks delete vpc-flows-to-bq --quiet

# Delete the BigQuery dataset (deletes tables inside)
bq rm -r -f -d "${PROJECT_ID}:vpc_flow_logs"

Cloud Logging entries may remain according to your project’s retention settings.

11. Best Practices

Architecture best practices

Enable flow logs strategically: start with boundary subnets (ingress/egress), sensitive segments, and production subnets.
Use a centralized logging/analytics pattern: export flow logs to a central project/dataset where security and SRE teams can query consistently.
Combine with other telemetry: VPC Flow Logs + firewall rule logging + load balancer logs + Cloud NAT logs often provides a more complete story than any single signal.

IAM/security best practices

Restrict who can read flow logs: internal IPs and communication patterns are sensitive.
Use least privilege for sinks: grant sink writer identities only dataset-level permissions they need.
Separate duties: network admins configure flow logs; security/ops teams consume analytics with read-only access.

Cost best practices

Tune sampling and aggregation: define environment defaults:
Prod: moderate sampling, moderate aggregation
Dev/test: higher sampling temporarily for troubleshooting
Filter exports: export only the logs you truly need to BigQuery/SIEM.
Set retention intentionally: keep high-detail logs for a short period; archive longer-term if required.

Performance best practices

Avoid over-logging: enabling full sampling + short aggregation on many high-traffic subnets can create significant log volume and operational overhead.
Prefer BigQuery for long-range analytics: Cloud Logging is great for search; BigQuery is better for large-scale joins and long time windows.

Reliability best practices

Treat flow logs as best-effort telemetry: do not build mission-critical logic assuming every flow is logged.
Test in staging: validate sampling/aggregation values and export pipelines before deploying org-wide.

Operations best practices

Create standard queries and dashboards: common filters for denied flows, top talkers, unusual ports.
Use log-based metrics for alerting: focus on high-signal conditions to avoid alert fatigue.
Document ownership: who changes sampling, who owns BigQuery datasets, who manages retention.

Governance/tagging/naming best practices

Use consistent naming for:
Subnets: prod-app-uscentral1, prod-db-uscentral1
Sinks: sink-vpcflows-prod-to-bq
Datasets: net_telemetry_vpcflows
Label resources (where supported) to support chargeback and ownership mapping.
Use org policies where appropriate to standardize logging posture (verify org policy capabilities relevant to logging and networking in your environment).

12. Security Considerations

Identity and access model

Cloud Logging access is controlled by IAM. Anyone with permission to read logs can see flow metadata.
Log Router sinks use a dedicated writer identity (service account). You must grant it access to the destination.
In enterprises, consider:
Centralizing logs into a dedicated project with tightly controlled IAM.
Granting analysts access via groups and predefined roles.

Encryption

Logs in Google Cloud are encrypted at rest by default (Google-managed encryption).
If you require customer-managed encryption keys (CMEK), verify whether your chosen log storage/export destination supports it and how to configure it (for example, BigQuery and Cloud Storage support CMEK under specific configurations—verify current capabilities and limitations).

Network exposure

VPC Flow Logs does not expose workloads directly, but the logs can reveal:
Internal IP ranges
Service communication patterns
Potentially sensitive destinations Treat flow logs as sensitive operational/security data.

Secrets handling

Flow logs are not intended to capture payloads, so application secrets should not appear in them.
However, flow metadata can still be sensitive (e.g., identifying a database port or a restricted subnet).

Audit/logging

Use Cloud Audit Logs to track changes to subnet configurations and sink creation.
In regulated environments, keep:
Change management records for flow log configuration
Retention and access reviews for log datasets

Compliance considerations

Retention requirements vary (PCI, HIPAA, SOC 2, ISO). Ensure:
Retention meets policy
Access is restricted and reviewed
Data residency needs are considered (region of BigQuery dataset / storage bucket)

Common security mistakes

Enabling flow logs everywhere with broad read access (unnecessary exposure).
Exporting to BigQuery without dataset-level IAM hygiene.
Keeping logs too long without a reason (increases exposure and cost).
Assuming flow logs are complete enough to serve as the only evidence source.

Secure deployment recommendations

Start with a centralized logging project and least privilege access.
Export only required subsets to SIEM; keep raw flow logs access restricted.
Use dataset/table partitioning and time-bounded queries for both cost and operational safety.
Document and test incident response queries ahead of time.

13. Limitations and Gotchas

The exact details can vary by product evolution; always confirm in official docs. Key practical limitations include:

Sampling means incomplete visibility: you might not see every short-lived or low-volume connection.
Aggregation reduces timing precision: flows are summarized over intervals; exact per-packet timing is not available.
Not a packet capture tool: no payload, no full headers beyond flow metadata fields.
Log volume can grow quickly: high-traffic subnets + high sampling + short aggregation can create very large ingestion.
Schema evolution: log fields can change over time; build queries defensively and validate schema periodically.
Export pipeline complexity: BigQuery sink permissions are a frequent stumbling block (dataset-level IAM).
Not all “network events” are flows: some failures happen before a flow is established (DNS issues, application errors, or routing misconfigurations outside observed scope).
Multiple telemetry sources may be required: load balancer traffic behavior, NAT translations, and firewall evaluations may require their own logging features for complete context.
Quotas and rate limits: Cloud Logging quotas can impact very high-volume exports; monitor logging usage and quotas.

14. Comparison with Alternatives

VPC Flow Logs is one tool in a larger network observability toolkit.

Comparison table

Option	Best For	Strengths	Weaknesses	When to Choose
Google Cloud VPC Flow Logs	Network flow visibility in VPC subnets	Native, scalable, integrates with Cloud Logging/BigQuery, tunable sampling	Sampled/aggregated, no payload, can be high-volume	Default choice for subnet-level network telemetry in Google Cloud
Firewall Rules Logging (Google Cloud)	Understanding firewall allow/deny decisions	Directly ties to firewall actions, great for policy validation	Not a full picture of all traffic volume; different scope than flow logs	When debugging/validating firewall policy outcomes
Cloud NAT Logging (Google Cloud)	Visibility into NAT translations and egress	Helps trace outbound connections through NAT	Not a substitute for subnet-level flow visibility	When troubleshooting egress/NAT behavior or attribution
Load Balancer logging (Google Cloud)	HTTP(S)/TCP proxy behavior and client requests	Application-facing visibility and request logs	Not a replacement for east-west flow visibility	When troubleshooting client traffic and LB behavior
Packet Mirroring (Google Cloud)	Deep packet inspection / payload analysis	Full packet capture capabilities (via collector tools)	Higher complexity, storage/processing heavy, privacy concerns	When you need payload-level forensics/IDS-like analysis
AWS VPC Flow Logs	Similar capability in AWS	Mature flow logging ecosystem	Different schema/tooling; not applicable to Google Cloud	Choose when operating in AWS environments
Azure NSG Flow Logs	Similar capability in Azure	Integrates with Azure networking and monitoring	Different schema/tooling; not applicable to Google Cloud	Choose when operating in Azure environments
Self-managed NetFlow/sFlow/host logging	Custom or on-prem/hybrid environments	Full control, can integrate with existing tools	Operational burden, scaling complexity, inconsistent coverage	When you must standardize across multi-cloud/on-prem with custom pipelines

15. Real-World Example

Enterprise example: Centralized threat hunting for a Shared VPC organization

Problem: A large enterprise runs hundreds of projects using Shared VPC. Security needs to detect lateral movement and unexpected egress, and SRE needs faster network troubleshooting across teams.
Proposed architecture:
Enable VPC Flow Logs on production and sensitive subnets in the Shared VPC host project(s).
Route flow logs to a central logging project using Cloud Logging sinks.
Export to BigQuery in a centralized dataset with strict IAM (security analysts, SRE read-only groups).
Build standardized BigQuery views and scheduled queries for:
- top talkers by subnet
- denied flow spikes
- unusual ports
- outbound to suspicious IP ranges (fed by threat intel lists)
Why VPC Flow Logs was chosen:
Native Google Cloud Networking integration.
Works across many projects with centralized export patterns.
Sampling/aggregation controls keep costs manageable.
Expected outcomes:
Faster incident response (one place to query flows).
Reduced mean time to resolution (MTTR) for connectivity tickets.
Improved policy compliance validation and evidence trails.

Startup / small-team example: Debugging microservice connectivity and controlling egress

Problem: A startup runs a small set of services on Compute Engine and sees intermittent timeouts plus unexplained egress spend.
Proposed architecture:
Enable VPC Flow Logs only on the primary production subnet.
Keep a short retention in Cloud Logging for quick investigations.
Export only production flow logs to a small BigQuery dataset.
Use a few saved queries:
- “Denied flows last 1 hour”
- “Top egress destinations by bytes”
- “Traffic to database port over time”
Why VPC Flow Logs was chosen:
Minimal operational setup (no agents).
BigQuery enables quick ad-hoc queries when issues occur.
Expected outcomes:
Identify misconfigured dependencies and chatty services quickly.
Find unexpected outbound destinations driving egress.
Maintain low operational overhead with targeted logging.

16. FAQ

Is VPC Flow Logs a separate Google Cloud product I need to deploy?
No. VPC Flow Logs is a feature of Google Cloud VPC. You enable it on subnets, and logs appear in Cloud Logging.
Where do VPC Flow Logs show up?
In Cloud Logging, typically under a log name like compute.googleapis.com/vpc_flows.
Is every packet logged?
No. VPC Flow Logs records flow metadata, usually sampled and aggregated.
Can I set sampling to 100%?
Sampling configuration supports higher rates, but exact allowed values and behavior should be verified in official docs and tested in your environment. Even with high sampling, treat logs as telemetry, not perfect capture.
How long does it take for flow logs to appear?
It can take minutes. Expect some delay between generating traffic and seeing log entries.
Can I enable VPC Flow Logs for only one environment (prod) and not dev?
Yes. Because it is configured per subnet, you can enable it only where required.
Do flow logs include application payload data?
No. They include metadata such as IPs, ports, protocol, byte/packet counts, and timestamps.
How do I analyze flow logs at scale?
Export to BigQuery using a Log Router sink and query over time ranges, join with CMDB/asset inventory, and build dashboards.
Why don’t I see logs for certain traffic?
Common reasons: flow logs not enabled on the correct subnet, sampling missed the flow, aggregation/time window issues, traffic doesn’t traverse the expected network interface, or log filters are incorrect. Verify coverage in official docs for your workload type.
Do VPC Flow Logs help debug firewall rule issues?
They help you see observed flows and metadata, but for direct firewall action logging you may also want Firewall Rules Logging.
Are there privacy concerns with VPC Flow Logs?
Yes. Internal IPs, communication patterns, and service behavior can be sensitive. Apply strict IAM controls and retention policies.
Can I export VPC Flow Logs to Cloud Storage instead of BigQuery?
Yes. Cloud Logging sinks can route logs to Cloud Storage. This is often used for low-cost archival (with tradeoffs in queryability).
How do I reduce VPC Flow Logs cost?
Reduce sampling, increase aggregation interval, limit metadata, enable only on key subnets, and export only what you need.
Can I build alerts on flow logs?
Yes. Use Cloud Logging queries + log-based metrics + Cloud Monitoring alerting.
What is the difference between VPC Flow Logs and Packet Mirroring?
VPC Flow Logs records metadata about flows. Packet Mirroring provides packet-level visibility suitable for deep inspection tools, with higher complexity and cost.
Do flow logs work across projects with Shared VPC?
Yes, but you must design log access and exports carefully. Centralized logging patterns are common.
What’s the best retention strategy?
Keep short retention in Cloud Logging for fast investigations, export selected logs to BigQuery for analytics, and optionally archive to Cloud Storage if compliance requires long retention.

17. Top Online Resources to Learn VPC Flow Logs

Resource Type	Name	Why It Is Useful
Official documentation	VPC Flow Logs overview and usage	Primary reference for configuration, behavior, and limitations: https://cloud.google.com/vpc/docs/using-flow-logs
Official documentation	Cloud Logging documentation	Understand log storage, querying, retention, and routing: https://cloud.google.com/logging/docs
Official documentation	Log Router overview	Learn how to route/export flow logs to BigQuery/Storage/PubSub: https://cloud.google.com/logging/docs/routing/overview
Official tutorial/docs	Configure and manage log sinks	Step-by-step sink configuration and permissions: https://cloud.google.com/logging/docs/export/configure_export_v2
Official pricing	Cloud Logging pricing	Flow logs cost is primarily logging ingestion/retention: https://cloud.google.com/logging/pricing
Official tool	Google Cloud Pricing Calculator	Model Logging, BigQuery, and Storage costs: https://cloud.google.com/products/calculator
CLI reference	`gcloud compute networks subnets` reference	Verify current flags for enabling flow logs: https://cloud.google.com/sdk/gcloud/reference/compute/networks/subnets
Official quotas	Cloud Logging quotas	Plan high-volume telemetry and avoid throttling: https://cloud.google.com/logging/quotas
Official learning	Google Cloud Skills Boost	Hands-on labs often include Logging/networking analysis (search within): https://www.cloudskillsboost.google/
Video (official channel)	Google Cloud Tech (YouTube)	Look for Logging and Networking observability videos: https://www.youtube.com/@googlecloudtech

18. Training and Certification Providers

Institute	Suitable Audience	Likely Learning Focus	Mode	Website URL
DevOpsSchool.com	DevOps engineers, SREs, cloud engineers	Google Cloud operations, logging, networking fundamentals, practical labs	check website	https://www.devopsschool.com/
ScmGalaxy.com	Beginners to intermediate DevOps learners	DevOps tooling, CI/CD, cloud basics, operational practices	check website	https://www.scmgalaxy.com/
CLoudOpsNow.in	Cloud operations teams	CloudOps practices, monitoring/logging, incident response workflows	check website	https://www.cloudopsnow.in/
SreSchool.com	SREs, platform engineers	Reliability engineering, observability, production operations	check website	https://www.sreschool.com/
AiOpsSchool.com	Operations and platform teams exploring AIOps	AIOps concepts, monitoring analytics, automation approaches	check website	https://www.aiopsschool.com/

19. Top Trainers

Platform/Site	Likely Specialization	Suitable Audience	Website URL
RajeshKumar.xyz	DevOps/cloud training content and guidance (verify specific offerings)	Engineers seeking structured coaching	https://www.rajeshkumar.xyz/
devopstrainer.in	DevOps training services (verify course list)	Beginners to intermediate DevOps practitioners	https://www.devopstrainer.in/
devopsfreelancer.com	Freelance DevOps consulting/training platform (verify services)	Teams needing short-term, hands-on enablement	https://www.devopsfreelancer.com/
devopssupport.in	DevOps support and training resources (verify offerings)	Ops teams needing practical troubleshooting skills	https://www.devopssupport.in/

20. Top Consulting Companies

Company Name	Likely Service Area	Where They May Help	Consulting Use Case Examples	Website URL
cotocus.com	Cloud/DevOps consulting (verify exact portfolio)	Architecture reviews, observability setup, cloud operations improvements	Centralized logging design, cost optimization for logging, network telemetry rollout	https://www.cotocus.com/
DevOpsSchool.com	DevOps and cloud consulting/training	Cloud migrations, DevOps platform setup, operational excellence	Implementing logging pipelines, creating runbooks for network troubleshooting, building monitoring/alerting patterns	https://www.devopsschool.com/
DEVOPSCONSULTING.IN	DevOps consulting services (verify specific capabilities)	DevOps transformation, tooling, cloud operations	Setting up log routing to BigQuery, standardizing IAM for observability data, building dashboards for network flows	https://www.devopsconsulting.in/

21. Career and Learning Roadmap

What to learn before VPC Flow Logs

Google Cloud VPC fundamentals:
VPCs, subnets, routes, firewall rules
Private vs public IPs, NAT basics
Cloud Logging fundamentals:
Logs Explorer queries
Log buckets, retention, exclusions
Log Router sinks
Basic Linux networking:
TCP/UDP, ports, ICMP
Tools like curl, ping, ss, netstat

What to learn after VPC Flow Logs

BigQuery for log analytics:
Partitioning, clustering (where applicable)
Cost-aware querying
Security operations on Google Cloud:
Incident response playbooks
Integration patterns with SIEM tooling
Broader Google Cloud Networking observability:
Firewall Rules Logging
Cloud NAT logging
Load balancer logging
Packet Mirroring (for deeper inspection use cases)

Job roles that use it

Cloud network engineer
Site Reliability Engineer (SRE)
DevOps engineer / platform engineer
Security engineer / SOC analyst (for cloud telemetry)
Cloud solutions architect

Certification path (Google Cloud)

Google Cloud certifications evolve. A practical path often includes: – Associate Cloud Engineer (broad foundation) – Professional Cloud Network Engineer (network specialization) – Professional Cloud Security Engineer (security specialization)

Verify current certification details in official Google Cloud certification pages: https://cloud.google.com/learn/certification

Project ideas for practice

Build a “top talkers” dashboard in BigQuery from VPC Flow Logs.
Create log-based metrics for denied flows and alert when they spike.
Implement centralized logging: export flow logs from multiple projects into a single BigQuery dataset.
Run a controlled “attack simulation” in a lab (port scan within allowed boundaries) and detect it using flow logs.
Compare traffic patterns before and after a firewall policy change.

22. Glossary

VPC (Virtual Private Cloud): A logically isolated network in Google Cloud where you run resources with IP addressing, routing, and firewall policies.
Subnet (subnetwork): A regional IP range within a VPC where VM interfaces are attached.
Flow (network flow): A set of packets sharing common properties (often a 5-tuple) over a period of time.
5-tuple: Source IP, destination IP, source port, destination port, protocol.
Sampling rate: The fraction of flows captured and logged (used to control volume and cost).
Aggregation interval: The time window over which flow observations are summarized into a log entry.
Cloud Logging: Google Cloud service for collecting, storing, querying, and routing logs.
Log Router: Cloud Logging component that routes logs to destinations using sinks and filters.
Log sink: A configuration that exports selected logs to a destination like BigQuery, Cloud Storage, or Pub/Sub.
BigQuery: Google Cloud’s data warehouse used for large-scale querying and analytics.
Pub/Sub: Messaging service used for streaming data pipelines.
Cloud Storage: Object storage for archiving and durable storage.
Shared VPC: A Google Cloud design where a host project provides networking to service projects.
IAM (Identity and Access Management): Google Cloud’s authorization system controlling who can do what on which resources.
IAP (Identity-Aware Proxy): A secure access method to reach internal VMs without public IPs, commonly used for SSH via tunneling.
Telemetry: Observability data (logs/metrics/traces) used to monitor and understand systems.

23. Summary

VPC Flow Logs is a Google Cloud Networking feature that records sampled, time-aggregated network flow metadata for traffic associated with subnets in your VPC. It matters because it provides practical visibility for troubleshooting connectivity, validating segmentation, investigating incidents, and understanding traffic patterns that affect both security posture and cost.

In Google Cloud, VPC Flow Logs fits naturally into an observability architecture using Cloud Logging for search and retention, and Log Router exports to BigQuery for scalable analytics. The most important cost and security points are: – Costs are primarily driven by Cloud Logging ingestion/retention and downstream analytics destinations. – Logs can contain sensitive network metadata, so apply least-privilege IAM and thoughtful retention.

Use VPC Flow Logs when you need subnet-level network visibility without packet capture, especially in production troubleshooting and security investigations. Next, deepen your skills by exporting to BigQuery, building cost-aware queries, and combining flow logs with firewall, NAT, and load balancer logging for a more complete networking observability strategy.

rajeshkumar

Category