Default vs Custom VPC Networks in GCP
When you create a new GCP project, Google automatically adds a VPC called default. It comes with subnets in every region and firewall rules that allow SSH, RDP, and ICMP from any IP address on the internet. That gets a VM running in minutes, but it is not a safe or scalable starting point for real work. Understanding the difference between the default network, auto mode VPCs, and custom mode VPCs is one of the first decisions you make as a GCP engineer. For almost every production workload, the answer is the same: build a custom mode VPC and treat the default network as something to remove, not something to rely on.
Simple explanation
The default network is a pre-built auto mode VPC that Google creates in every new GCP project without you asking for it. It arrives complete with subnets in every region and four firewall rules that allow common management traffic from anywhere on the internet. It exists so that new users can launch a VM and SSH into it immediately, without understanding networking first.
Auto mode is a VPC configuration where GCP creates one subnet per region automatically when the network is created. You do not choose IP ranges. Google assigns them from the 10.128.0.0/9 block, using a fixed mapping of one /20 subnet per region. The default network is an auto mode network, but you can also create your own auto mode VPCs.
Custom mode is a VPC configuration where GCP creates no subnets at all. You define each subnet yourself: which region it covers, what IP range it uses, and what it is called. Nothing exists until you create it.
The default network exists because convenience matters when learning. Many teams delete or avoid it in practice because its firewall rules allow SSH (port 22) and RDP (port 3389) from 0.0.0.0/0, meaning any VM with an external IP is reachable on those ports by anyone on the internet. Beyond the security concern, the fixed IP ranges make the default network incompatible with VPC peering and awkward to work around as infrastructure grows.
Think of the default network like checking into a hotel room: you can move in immediately and everything works, but the door code is shared with every other guest on the floor (SSH and RDP are open to the internet), and you cannot change the layout. A custom mode VPC is more like taking on an empty flat and fitting it yourself. More effort before you can move in, but the locks are yours, the floor plan is yours, and nothing was left behind by the previous occupant.
How it works
When Google activates a new project, it automatically creates a VPC called default using —subnet-mode=auto. GCP then creates one /20 subnet in each available region, carved out of the 10.128.0.0/9 address block. Alongside the subnets, four firewall rules are attached to the network:
default-allow-internal: allows all traffic between VMs in the same networkdefault-allow-ssh: allows TCP port 22 from all source IPs (0.0.0.0/0)default-allow-rdp: allows TCP port 3389 from all source IPsdefault-allow-icmp: allows ICMP (ping) from all source IPs
The default-allow-ssh and default-allow-rdp rules allow connections from any IP address. Any VM with an external IP placed in the default network is reachable on SSH and RDP by anyone on the internet. This is not an acceptable baseline for production.
How auto mode assigns subnets: Auto mode uses a fixed mapping between regions and IP ranges. Every auto mode VPC in the world uses the same assignments. For example, us-central1 always gets 10.128.0.0/20 and europe-west1 always gets 10.132.0.0/20. This is predictable, which is exactly the problem. Two auto mode VPCs will always have identical, overlapping subnets. VPC peering requires non-overlapping CIDRs, so two auto mode VPCs can never be peered.
# List subnets in an auto mode network (one entry per region)
gcloud compute networks subnets list \
--network=default \
--sort-by=regionHow custom mode handles subnets: A custom mode VPC starts completely empty. No subnets are created until you define them. Each subnet requires a name, a region, and a CIDR range that you choose. You create subnets only in the regions you need, using IP ranges that fit your broader address plan. For guidance on planning those ranges correctly, see Subnets in GCP.
# Create a custom mode VPC
gcloud compute networks create production-vpc \
--subnet-mode=custom
# Add a subnet in a specific region with your chosen CIDR
gcloud compute networks subnets create prod-subnet-uc1 \
--network=production-vpc \
--region=us-central1 \
--range=10.0.1.0/24
# Add another subnet in a different region
gcloud compute networks subnets create prod-subnet-ew1 \
--network=production-vpc \
--region=europe-west1 \
--range=10.0.2.0/24Firewall behaviour: A custom mode VPC you create yourself has no firewall rules. The implicit GCP behaviour is deny all ingress and allow all egress. No VM in a new custom VPC can receive inbound connections until you explicitly allow them. That is a much safer starting point than inheriting the open rules attached to the default network. For a complete guide to building firewall rules, see Firewall Rules Explained.
Why IP planning matters from the start: Subnet CIDR ranges cannot be changed or shrunk once created. If you pick a range that overlaps with another VPC or an on-premises network, you will face a conflict with no clean solution other than migrating to a new subnet. The right time to plan your address space is before you create a single subnet. Resources connected to the network through routes also depend on the underlying CIDR structure, so changes later ripple outward. See Routes in GCP for how routing ties into subnet design.
Comparing network types
The three network types serve different purposes. The table below shows the key differences across the attributes that matter most in practice.
| Default network | Auto mode VPC | Custom mode VPC | |
|---|---|---|---|
| Created by | GCP automatically | You | You |
| Subnets | One per region, auto-assigned | One per region, auto-assigned | None until you define them |
| IP range control | None | None | Full control |
| IP ranges | Fixed (10.128.0.0/9 block) | Fixed (10.128.0.0/9 block) | You choose |
| Default firewall rules | SSH, RDP, ICMP open to 0.0.0.0/0 | None | None |
| VPC peering | Cannot peer with other auto mode VPCs | Cannot peer with other auto mode VPCs | Yes, if CIDRs do not overlap |
| Hybrid connectivity | Awkward due to fixed ranges | Awkward due to fixed ranges | Straightforward with planned ranges |
| Production suitability | No | Generally no | Yes |
| Operational flexibility | Low | Low | High |
The rule of thumb: use a custom mode VPC for any project where you care about security, cost control, or future connectivity. That covers virtually every production workload.
When to use each network type
Building anything that matters? Use custom mode. The extra five minutes of setup now saves hours of CIDR migration work later. If you are just experimenting and will delete the project afterwards, the default network is fine.
Default network: Acceptable for quick personal experiments, tutorial walkthroughs, and throwaway sandboxes where you do not care about security or IP planning. If you are learning GCP for the first time and just want to launch a VM and SSH into it, the default network will work. It should not survive longer than the session that needed it.
Auto mode VPC (one you create yourself): Occasionally reasonable for isolated development environments or proof-of-concept projects where you are certain peering will never be needed. Creating your own auto mode VPC avoids inheriting the permissive firewall rules from the default network, which is an improvement. However, the same IP range limitations apply. If there is any chance the environment grows, connects to another VPC, or eventually needs hybrid connectivity, start with custom mode instead.
Custom mode VPC: The right choice for any workload you care about: production services, staging environments, multi-team infrastructure, and anything that might eventually connect to other VPCs through VPC peering or Shared VPC, or to on-premises systems through hybrid connectivity.
What most production teams do: Build a custom mode VPC with a deliberate address plan, create explicit and minimal firewall rules, and remove the default network from the project at setup time. Many organisations enforce the compute.skipDefaultNetworkCreation organisation policy at the folder or organisation level so that new projects start clean, without a default network to accidentally use.
Should new projects keep or remove the default network? If you are setting up a project for real work, delete the default network. Its open firewall rules create risk even if you do not intend to use it. An engineer on your team may accidentally attach a VM to the default network rather than your custom VPC, inheriting those rules without realising it. Preventing the issue at source through an organisation policy is more reliable than relying on everyone to remember. The Network Security Best Practices guide covers this alongside other org-level controls.
Default vs custom: what the choice really means
The practical difference between default and custom mode is not just convenience versus control. It is about what problems you encounter in six months when your infrastructure grows.
A default or auto mode network ties you to a fixed IP space. Every subnet occupies a predictable range from 10.128.0.0/9. That makes the network easy to start with, but it causes real problems later. When you want to connect two environments through VPC peering, the connection will fail because the ranges overlap. When you want to connect to an on-premises network, you may find that your cloud IP ranges collide with what the corporate network already uses. These are not edge cases. They are common situations that teams hit when they start with auto mode and grow beyond a single environment.
A custom mode network starts blank. You decide which regions get subnets, which IP ranges those subnets use, and which firewall rules exist. That blank slate takes more planning upfront, but the planning pays off. Ranges can be chosen to avoid conflicts before the conflicts happen. You can implement least-privilege access from day one: no inbound traffic until you explicitly allow it, using specific ports and sources rather than 0.0.0.0/0.
Auto mode assigns us-central1 the range 10.128.0.0/20 in every project, everywhere, every time. If you ever try to peer two environments that both used auto mode, the peering will be rejected because the CIDRs are identical. This is not a rare edge case. It is one of the most common reasons teams end up rebuilding their networking from scratch after growing past a single project.
The default network also sits in your project silently if you do not delete it. That matters because it is easy for a misconfigured resource to end up attached to it. Cloud SQL instances, GKE nodes, and Compute Engine VMs can all end up on the default network if someone selects it by accident or if tooling defaults to it. Once a VM is on the default network, it inherits all four permissive firewall rules. That exposure may go unnoticed for a long time. Understanding private vs public IP addresses in GCP helps you assess which resources are externally reachable and through which network they are exposed.
Default mode is convenient. Custom mode scales. The choice is mostly about whether you are optimising for getting started quickly or for building something that can grow without being rebuilt.
Removing the default network
If your project has the default network and you want to enforce clean networking, delete it. Before deleting, check that no resources are attached. VMs, Cloud SQL instances, and other services may be using default subnets, and the deletion will fail if any are.
# Check what is using the default network
gcloud compute instances list --filter="networkInterfaces[].network:default"
# Delete the default network (only works once no resources are attached)
gcloud compute networks delete defaultFor organisations managing many projects, the better approach is to prevent the default network from being created at all. Apply the compute.skipDefaultNetworkCreation constraint at the organisation or folder level and every new project will start without a default network.
# Apply organisation policy to prevent default network creation
gcloud resource-manager org-policies set-policy \
--organization=ORG_ID \
policy.jsonThe policy JSON sets compute.skipDefaultNetworkCreation to enforced. This is a standard control in security-conscious organisations and should be applied before any project is created, not after. See Organisation Policies for how to structure and apply constraints across your project hierarchy.
Common mistakes
- Deploying production workloads to the default network. The default network allows SSH and RDP from any IP address. Any VM with an external IP is immediately reachable on those ports by anyone on the internet. Always create a custom VPC with explicit, minimal firewall rules. See Firewall Rules Explained for the correct approach.
- Forgetting the default network still exists in the project. Even if you create a custom mode VPC and use it for everything, the default network remains in the project until you delete it. A VM accidentally attached to the default network inherits its permissive rules. Either delete the default network at project setup or enforce the
compute.skipDefaultNetworkCreationpolicy through Organisation Policies. - Trying to peer two auto mode VPCs. Auto mode VPCs use identical IP ranges. Peering fails because the ranges overlap. If you discover this after resources are already deployed, migrating to custom mode subnets is disruptive. Plan your network type before deploying anything. See VPC Peering for CIDR requirements and peering setup.
- Failing to plan CIDR ranges before creating subnets. Subnet ranges cannot be shrunk once created, and overlapping ranges within the same VPC are not allowed. If you use broad or poorly chosen ranges early on, adding subnets or peering with other networks later becomes difficult. Review Subnets in GCP before creating your first subnet.
- Deleting the default network without checking attached resources. If any VMs, Cloud SQL instances, or GKE clusters are attached to the default network, the deletion will fail or leave resources without connectivity. Run the instance filter command first, check for other attached resources, and migrate or remove them before deleting the network.
Summary
- The default network is an auto mode VPC created automatically in every new GCP project
- It includes SSH, RDP, and ICMP firewall rules open to the entire internet, which is not acceptable for production
- Auto mode VPCs create one subnet per region from a fixed IP block; two auto mode VPCs can never be peered because their ranges overlap
- Custom mode VPCs start empty; you define every subnet, region, and IP range, giving you full control
- Custom mode is the correct choice for any workload you care about
- Delete the default network or enforce
compute.skipDefaultNetworkCreationvia organisation policy to prevent it being created in new projects - Plan IP ranges before creating subnets as overlaps are difficult to fix without migrating resources
- The VPC is the foundation all other networking builds on; see VPC Networks Explained for the full networking model
Frequently asked questions
What is the default network in GCP?
The default network is an auto-mode VPC that GCP creates automatically in every new project. It has one subnet per region with pre-defined IP ranges and comes with four firewall rules that allow SSH, RDP, and ICMP traffic from any source IP address (0.0.0.0/0). It is convenient for learning but should not be used for production workloads.
What is the difference between auto mode and custom mode VPC?
An auto-mode VPC automatically creates one subnet in every GCP region using pre-defined IP ranges from the 10.128.0.0/9 block. A custom-mode VPC creates no subnets at all. You define each subnet, its region, and its IP range. Custom mode gives you full control over addressing and is recommended for any production workload.
Should I delete the default VPC in Google Cloud?
Yes, for any project you use for real work. The default network has permissive firewall rules open to the internet, and any VM accidentally attached to it inherits those rules. You can delete it via the console or gcloud once no resources are attached. For organisations managing many projects, enforce the compute.skipDefaultNetworkCreation organisation policy to prevent the default network from being created in new projects at all.
Can two auto mode VPCs be peered?
No. Auto mode VPCs all use the same pre-defined IP ranges from 10.128.0.0/9, so their subnets overlap by design. VPC peering requires non-overlapping CIDR ranges. You cannot peer two auto mode VPCs, which is one of the main reasons custom mode is recommended for any environment where peering or hybrid connectivity may be needed.
Does a custom mode VPC have firewall rules by default?
No. A custom mode VPC you create yourself starts with no firewall rules. The implicit GCP behaviour is deny all ingress and allow all egress. No inbound connections are permitted until you explicitly add allow rules. This is a safer baseline than the default network, which comes pre-loaded with rules opening SSH and RDP to the entire internet.