How To Build A Secure GCP Stack Using A Custom VPC, VM With Private Access, Managed Cloud SQL PostgreSQL, And BigQuery

|

Google Cloud Platform (GCP) provides a robust set of tools to build scalable, secure, and reliable cloud infrastructure. This article details how to build a secure GCP stack using a custom Virtual Private Cloud (VPC), a Compute Engine VM with private access, Cloud SQL for PostgreSQL, and BigQuery. We will cover best practices, step-by-step instructions, and code examples to help you implement a secure setup.

Designing the Secure GCP Architecture

The architecture will include:

  1. Custom VPC with segregated subnets to isolate workloads.
  2. Compute Engine VM with no external IP, connected to the VPC.
  3. Cloud SQL PostgreSQL instance using private IP to avoid public exposure.
  4. BigQuery datasets accessed securely from the VM.
  5. IAM roles and service accounts to enforce least privilege access.

This design eliminates public endpoints, reduces attack surface, and enforces secure communications through private IP and IAM authentication.

Creating a Custom VPC

A custom VPC allows full control over subnets, IP ranges, and firewall rules.

Create the VPC

gcloud compute networks create secure-vpc \

–subnet-mode=custom

Create a Subnet

gcloud compute networks subnets create secure-subnet \

–network=secure-vpc \

–region=us-central1 \

–range=10.10.0.0/24

Configure Firewall Rules

  • Allow only SSH access from specific IPs (or use IAP for tunneling).
  • Deny all other inbound traffic by default.
gcloud compute firewall-rules create allow-ssh-iap \
–network=secure-vpc \
–allow=tcp:22 \
–source-ranges=35.235.240.0/20 \
–target-tags=secure-vm

This allows SSH only through Identity-Aware Proxy (IAP), avoiding direct internet exposure.

Deploying a Private VM (No External IP)

Create a Service Account for the VM

gcloud iam service-accounts create secure-vm-sa \

–description=“Service account for secure VM” \

–display-name=“Secure VM Service Account”

Create the VM with Private Access

gcloud compute instances create secure-vm \

–zone=us-central1-a \

–machine-type=e2-medium \

–subnet=secure-subnet \

–no-address \

–tags=secure-vm \

–service-account=secure-vm-sa@<PROJECT_ID>.iam.gserviceaccount.com \

–scopes=https://www.googleapis.com/auth/cloud-platform

The --no-address flag ensures no public IP is assigned. Access the VM through gcloud IAP tunneling:

gcloud compute ssh secure-vm –zone=us-central1-a –tunnel-through-iap

Configuring Cloud SQL for PostgreSQL with Private IP

Enable the Service Networking API

gcloud services enable servicenetworking.googleapis.com

Allocate an IP range for private service access

gcloud compute addresses create google-managed-services-secure-vpc \

–global \

–purpose=VPC_PEERING \

–prefix-length=24 \

–network=secure-vpc

Establish VPC Peering

gcloud services vpc-peerings connect \

–service=servicenetworking.googleapis.com \

–network=secure-vpc \

–ranges=google-managed-services-secure-vpc

Create the Cloud SQL Instance with Private IP

gcloud sql instances create secure-postgres \

–database-version=POSTGRES_14 \

–cpu=2 –memory=7680MB \

–region=us-central1 \

–network=secure-vpc \

–no-assign-ip

Create a Database and User

gcloud sql databases create appdb –instance=secure-postgres

gcloud sql users create appuser –instance=secure-postgres –password=<PASSWORD>

Your VM can now connect to the database using the private IP address assigned to the instance.

Accessing BigQuery Securely from the VM

BigQuery does not require private IP configuration since it is a serverless service, but you must control access with IAM roles.

Grant BigQuery Permissions to the VM Service Account

gcloud projects add-iam-policy-binding <PROJECT_ID> \

–member=“serviceAccount:secure-vm-sa@<PROJECT_ID>.iam.gserviceaccount.com” \

–role=“roles/bigquery.dataViewer”

Use the BigQuery CLI or Python Client From the VM:

gcloud auth application-default login # Only if testing interactively

bq query –use_legacy_sql=false ‘SELECT CURRENT_DATE()’

Python Example:

from google.cloud import bigquery
client = bigquery.Client()
query = “SELECT name, COUNT(*) as name_count FROM `bigquery-public-data.usa_names.usa_1910_2013` GROUP BY name ORDER BY name_count DESC LIMIT 5”
for row in client.query(query):
print(f”{row.name}: {row.name_count})

Because the VM uses the secure service account, no credentials need to be stored on disk.

Best Practices for Security

  1. Use IAM least privilege: Grant only necessary roles to service accounts.
  2. Disable public IPs: For all Compute Engine and Cloud SQL instances.
  3. Enforce SSL/TLS connections: Even when using private IPs.
  4. Audit with Cloud Logging: Monitor VM and database access logs.
  5. Use Secret Manager: Store and manage database passwords or sensitive tokens.
  6. Apply OS patching and Shielded VMs: Regularly update your VM image.

Conclusion

Building a secure GCP stack with a custom VPC, private VM, Cloud SQL PostgreSQL, and BigQuery involves careful planning and a defense-in-depth approach. By eliminating public IPs, using private service networking, and enforcing IAM-based access, you significantly reduce the attack surface while maintaining operational efficiency.

The process begins with creating a custom VPC to control your networking environment, then deploying a Compute Engine VM without an external IP to ensure internal-only access. A Cloud SQL PostgreSQL instance with private IP securely handles transactional data, while BigQuery allows you to analyze datasets without compromising security. Together, these components form a scalable and secure cloud architecture that aligns with industry best practices.

Following these steps not only improves security posture but also prepares your infrastructure for compliance audits and future scalability. With well-implemented IAM roles, firewall rules, and encrypted communications, your GCP environment becomes both resilient and auditable—ready for production workloads and sensitive data handling.