When you create a private cluster, you must specify a /28 RFC 1918 address range to be used by the cluster master. The range you specify for the cluster master must not overlap with any subnetwork in your VPC network. After you create the cluster, you cannot change the cluster master's address range.
To create a private cluster using an automatically-generated subnet, run the following command:
gcloud container clusters create private-cluster-0 \ --create-subnetwork name=my-subnet-0 \ --enable-master-authorized-networks \ --enable-private-nodes \ --master-ipv4-cidr 172.16.0.0/28 \ --no-enable-basic-auth \ --no-issue-client-certificate
--enable-master-authorized-networks specifies that access to the public endpoint is restricted to IP address ranges that you authorize.
--create-subnetwork name=my-subnet-0 causes GKE to automatically create a subnet named my-subnet-0.
--enable-ip-alias makes the cluster VPC-native.
--enable-private-nodes indicates that the cluster's nodes do not have external IP addresses.
--master-ipv4-cidr 172.16.0.0/28 specifies an RFC 1918 range for the master. This setting is permanent for this cluster.
For more info check this out https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters