GCP Network Architecture
This page describes the network infrastructure that Fractal Cloud deploys when you initialize a GCP environment. The architecture follows the Google Cloud Foundation Toolkit and Landing Zone Blueprint recommendations for enterprise deployments.
Overview
Fractal Cloud deploys a Shared VPC model using a single host VPC network with VPC Access Connectors for serverless-to-VPC connectivity and Service Networking Peering for private access to Google-managed services. Operational environments attach to the host network as service projects rather than getting their own peered VPCs. All network address ranges are allocated dynamically by the built-in IPAM system.
┌──────────────────────────────────────────────────────┐
│ Management Project (Shared VPC Host) │
│ │
│ Host Network │
│ ├── Compute subnet + secondary ranges (GKE) │
│ ├── Per-env spoke subnets (one set per ops env) │
│ ├── VPC Access Connector (Cloud Run ↔ VPC) │
│ └── Service Networking Peering (managed services) │
└──────────────────┬───────────────────────────────────┘
│
Shared VPC attachment
│
┌──────────────┼──────────────┐
│ │ │
▼ ▼ ▼
Spoke A Spoke B Spoke C
Service Service Service
Project Project Project
(Ops Env A) (Ops Env B) (Ops Env C)
Host Network
The Host Network is a custom-mode VPC that serves as the foundation for all networking in the management environment. It includes:
- Primary subnet with Private IP Google Access and Flow Logs enabled
- Secondary IP ranges for GKE pods and services (sized appropriately by IPAM)
- VPC Access Connector bridging Cloud Run services to VPC resources
- Service Networking Peering for private connectivity to Google-managed services (Cloud SQL)
What Runs Here
- Fractal Cloud Agent — Cloud Run service connected to the VPC via VPC Access Connector
- Custom Workload Agent — Cloud Run service for application-level deployments
- Cloud SQL (PostgreSQL) — agent state database with private IP only
- Artifact Registry — agent container images
Private Connectivity
- VPC Access Connector enables Cloud Run services to reach VPC resources (Cloud SQL, internal services) over private IPs
- Service Networking Peering provides private access to Google-managed services without public internet traversal
- Private IP Google Access allows subnet resources to reach Google APIs over Google's internal backbone
Operational Environment Spokes
When an Operational Environment is created:
- A new GCP Project is created under the Management Environment's folder hierarchy and attached to the management project's Shared VPC as a service project
- IPAM allocates a CIDR block from the management environment's address space
- Env-scoped subnets are created directly in the host network — a
{env}-primarysubnet carrying the GKE{env}-k8s-servicesand{env}-k8s-podssecondary ranges, plus a{env}-service-peeringsubnet. In the Shared VPC model there is no separate spoke VPC; the operational project consumes subnets owned by the host network. - Service accounts allow the Cloud Agents to manage resources in the operational project
Live Systems using Molecule-level Blueprints deploy into the env-scoped host subnets automatically. Live Systems with explicit VPC components are created as standalone infrastructure outside the Shared VPC topology.
Resource Hierarchy
Fractal Cloud uses GCP Resource Hierarchy with cascading Organization Policies:
Organization
└── Platform Folder
└── Fractal Cloud Management Folder
└── Landing Zones Folder
└── Environment Folder
├── Management Project
├── Operational Project A
└── Operational Project B
Security
- No inbound access required — agents initiate all communication outbound over HTTPS
- Private-first connectivity — Cloud SQL has no public IP; all inter-service traffic uses private IPs
- Flow Logs enabled on subnets for security analysis and compliance auditing
- Project isolation — each operational environment runs in its own GCP project