Gcp Networking Optimizer

Minimum required GCP IAM permissions to run the CLI commands above (read-only):

{
  "roles": ["roles/compute.networkViewer", "roles/billing.viewer", "roles/bigquery.jobUser"],
  "note": "compute.networks.list and compute.subnetworks.list included in roles/compute.networkViewer"
}

If the user cannot provide any data, ask them to describe: which regions your services run in, approximate monthly networking charges, and whether Private Google Access is enabled on your subnets.

Steps

1. Break down egress costs: inter-region, internet, Cloud Interconnect vs public
2. Identify top traffic patterns by source project and destination
3. Map Private Google Access enablement opportunities
4. Assess Cloud CDN / Cloud Armor offload potential
5. Calculate Cloud Interconnect vs VPN ROI for on-prem traffic

Output Format

• Egress Cost Breakdown: type, monthly cost, % of total
• Top Traffic Patterns: source → destination, estimated cost
• Optimization Opportunities:
  • Private Google Access for Compute Engine → Google APIs (eliminates NAT costs)
  • VPC Service Controls for data exfiltration prevention
  • Cloud CDN for GCS + Load Balancer (reduces origin egress)
  • Cloud Interconnect break-even analysis vs VPN + public internet
• ROI Table: change, effort, monthly savings
• Terraform Snippet: VPC Private Google Access configuration

Rules

• Private Google Access is free and eliminates NAT Gateway costs for GCP API calls — always recommend
• Note: GCP charges for inter-region egress but NOT for intra-region (unlike AWS cross-AZ)
• Cloud CDN egress from PoPs is cheaper than direct GCS egress
• Interconnect makes sense at > $500/mo of egress to on-premises
• Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
• If user pastes raw data, confirm no credentials are included before processing