GCP VPC Subnet Planning
Google Cloud reserves 4 IP addresses in every subnet. That is fewer than AWS and Azure (both reserve 5), but the reservation pattern is unique: GCP reserves the second-to-last address in addition to the usual network, gateway, and broadcast addresses.
GCP Reserved IPs
For any subnet, GCP reserves:
| Address | Purpose |
|---|---|
| Network + 0 | Network address |
| Network + 1 | Default gateway |
| Second-to-last | Reserved by GCP |
| Last address | Broadcast address |
Example: In a 10.128.0.0/24 subnet:
- 10.128.0.0 is the network address
- 10.128.0.1 is the default gateway
- 10.128.0.254 is reserved by GCP
- 10.128.0.255 is the broadcast address
- Usable range: 10.128.0.2 through 10.128.0.253 = 252 hosts
Note the unusual last usable address. In plain IPv4 subnetting, and in AWS and Azure, the last usable address in a /24 is .254. In GCP it is .253, because .254 is reserved.
Minimum Subnet Size
The smallest subnet GCP allows is /29 (8 addresses, 4 usable). You cannot create a /30, /31, or /32 subnet in GCP.
VPC Network Modes
GCP VPCs have two modes:
Auto mode VPC: GCP creates one /20 subnet per region automatically, using ranges from 10.128.0.0/9. Quick to start but inflexible.
Custom mode VPC: You define every subnet manually, choosing any RFC 1918 range. This is the recommended approach for production because you control the address plan.
You can convert an auto mode VPC to custom mode (one-way, irreversible). The existing auto-created subnets remain, and you can add or remove subnets freely.
Recommended VPC Layout
A common production GCP architecture uses a custom mode VPC with /24 subnets per region:
VPC: custom mode (no single VPC CIDR in GCP)
+----- us-central1
| +--- 10.0.1.0/24 Web tier (252 hosts)
| +--- 10.0.2.0/24 App tier (252 hosts)
| +--- 10.0.3.0/24 Data tier (252 hosts)
+----- europe-west1
| +--- 10.1.1.0/24 Web tier (252 hosts)
| +--- 10.1.2.0/24 App tier (252 hosts)
| +--- 10.1.3.0/24 Data tier (252 hosts)
+----- GKE secondary ranges (alias IP)
+--- 10.10.0.0/16 Pods (65,532 pod IPs)
+--- 10.11.0.0/20 Services (4,092 service IPs)
Key difference from AWS/Azure: GCP VPCs are global. A single VPC spans all regions, and subnets are regional (not zonal). You do not need to duplicate subnets across availability zones within a region.
GKE and Secondary Ranges
Google Kubernetes Engine (GKE) uses alias IP ranges (secondary ranges) for pod and service IPs. These secondary ranges do not consume primary subnet addresses.
| Range | Purpose | Recommended Size |
|---|---|---|
| Primary | Node IPs | /24 (252 nodes max) |
| Secondary 1 | Pod IPs | /16 to /14 (depends on max pods) |
| Secondary 2 | Service IPs | /20 (4,092 services) |
Pod IP calculation: By default, GKE allocates a /24 per node for pods (110 pods max per node), so budget 256 pod IPs per node. A 50-node cluster needs 50 x 256 = 12,800 pod IPs, which a /20 (4,096 addresses) cannot supply; a /16 provides 256 such /24 blocks and a /14 provides 1,024, which is why the table above recommends /16 to /14. Use the GKE IP calculator in the GCP console to plan this accurately.
For smaller clusters, a /20 pod range supports about 16 nodes with default settings.
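As an added example (not code from the original page), a small Python planner that applies the rules described above: it rejects subnets smaller than /29, reports the reserved and usable addresses of a primary range, converts a secondary pod range into node capacity using the default /24 per node, and checks the two overlap mistakes listed under Common Mistakes. The 10.128.0.0/9 auto-mode range and the 4-address reservation come from the page; the function names are assumptions of mine.

```python
import ipaddress

GCP_RESERVED = 4          # network, gateway, second-to-last, broadcast
GCP_MIN_PREFIX = 29       # longest prefix GCP accepts for a subnet
AUTO_MODE_RANGE = ipaddress.ip_network("10.128.0.0/9")  # auto mode subnets are carved from here


def gcp_subnet(cidr):
    """Reserved and usable addresses of a GCP primary subnet range."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > GCP_MIN_PREFIX:
        raise ValueError(f"{cidr}: GCP subnets must be /{GCP_MIN_PREFIX} or larger")
    n = net.num_addresses
    return {
        "network": str(net[0]),
        "gateway": str(net[1]),
        "reserved": str(net[n - 2]),      # second-to-last: the GCP-specific reservation
        "broadcast": str(net[n - 1]),
        "first_usable": str(net[2]),
        "last_usable": str(net[n - 3]),   # one lower than the usual .254 in a /24
        "usable": n - GCP_RESERVED,
    }


def gke_node_capacity(pod_cidr, per_node_prefix=24):
    """Nodes a secondary pod range supports when each node receives one /24 (110 pods)."""
    pods = ipaddress.ip_network(pod_cidr)
    if pods.prefixlen > per_node_prefix:
        return 0
    return 2 ** (per_node_prefix - pods.prefixlen)


def overlaps_auto_mode(cidr):
    """True if a range collides with the fixed auto-mode space (peering / on-prem risk)."""
    return ipaddress.ip_network(cidr).overlaps(AUTO_MODE_RANGE)


def peering_conflicts(vpc_a, vpc_b):
    """Pairs of overlapping ranges between two VPCs; VPC peering requires none."""
    a = [ipaddress.ip_network(c) for c in vpc_a]
    b = [ipaddress.ip_network(c) for c in vpc_b]
    return [(str(x), str(y)) for x in a for y in b if x.overlaps(y)]


if __name__ == "__main__":
    # Constructed sample input matching the page's worked /24 example.
    print(gcp_subnet("10.128.0.0/24"))
    print(gke_node_capacity("10.10.0.0/16"), "nodes from a /16 pod range")
```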
Sizing Tips
| Scenario | Recommended CIDR | Usable (GCP) |
|---|---|---|
| Small utility subnet | /29 | 4 |
| Standard workload | /24 | 252 |
| GKE node subnet | /24 | 252 |
| Large workload | /20 | 4,092 |
| GKE pod range (secondary) | /16 or /14 | 65,532 or 262,140 |
Shared VPC
For organizations with multiple projects, GCP offers Shared VPC:
- A host project owns the VPC and subnets.
- Service projects attach to subnets in the host project.
- IAM controls which projects can use which subnets.
- All networking (firewall rules, routes, VPN) is managed centrally.
This is roughly analogous to AWS Transit Gateway or Azure hub-and-spoke, but built into GCP’s IAM model.
Common Mistakes
- Using auto mode VPC in production. The auto-created /20 subnets use fixed ranges from 10.128.0.0/9. If you peer VPCs or connect to on-premises, these may overlap. Always use custom mode.
- Forgetting the second-to-last reservation. GCP’s 4th reserved IP is the second-to-last address, not a DNS server like AWS/Azure.
- Undersizing GKE secondary ranges. Pod IP exhaustion is a common outage cause. Overallocate pod ranges; unused space costs nothing.
- Overlapping ranges across peered VPCs. VPC peering requires non-overlapping primary and secondary ranges.
Tools
Use our subnet calculator with Google Cloud mode to see correct host counts with 4 reserved IPs. The VLSM planner can plan multi-region subnet layouts with correct GCP sizing.