Creating VLAN attachments

VLAN attachments (also known as interconnectAttachments) determine which Virtual Private Cloud (VPC) networks can reach your on-premises network through a Dedicated Interconnect connection. You can create VLAN attachments over connections that have passed all tests and are ready to use.

Billing for VLAN attachments starts when you create them and stops when you delete them.

If you need to create a VLAN attachment for a connection in another Google Cloud project, see Using Dedicated Interconnect connections in other projects.

For VLAN attachments for Partner Interconnect, see Creating VLAN attachments for Partner Interconnect.

For definitions of terms used on this page, see Cloud Interconnect key terms.

To help you solve common issues that you might encounter when using Dedicated Interconnect, see Troubleshooting.

Associating VLAN attachments with a Cloud Router

For Dedicated Interconnect, the VLAN attachment allocates a VLAN on an Interconnect connection and associates that VLAN with the specified Cloud Router. It is possible to associate multiple, different VLAN attachments to the same Cloud Router.

When you create the VLAN attachment, specify a Cloud Router that's in the region that contains the subnets that you want to reach. The VLAN attachment automatically allocates a VLAN ID and BGP peering IP addresses. Use that information to configure your on-premises router and establish a BGP session with your Cloud Router.

Optionally, you can manually specify the IP address range for the BGP session. The BGP IP address range that you specify must be unique among all Cloud Routers in all regions of a VPC network.

Utilizing multiple VLAN attachments

Each VLAN attachment supports a maximum bandwidth of 50 Gbps in increments described on the Pricing page, and a maximum packet rate as documented in Cloud Interconnect limits. This is true even if the attachment is configured on an Interconnect connection that has a greater bandwidth capacity than the attachment.

To fully utilize the bandwidth of a connection, you might need to create multiple VLAN attachments.

To utilize multiple VLAN attachments simultaneously for egress traffic in a VPC network, create them in the same region. Then configure your on-premises router to advertise routes with the same MED. The custom dynamic routes, learned through BGP sessions on one or more Cloud Routers that manage the VLAN attachments, are applied to your VPC network with a route priority corresponding to the MED.

When multiple available routes have the same priority, Google Cloud distributes traffic among them by using a five-tuple hash for affinity, implementing an equal-cost multipath (ECMP) routing design. For more information, see Applicability and order in the VPC documentation.

Creating VLAN attachments

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following Identity and Access Management (IAM) roles.

Permissions

compute.interconnectAttachments.create
compute.interconnectAttachments.get
compute.routers.create
compute.routers.get
compute.routers.update

Roles

roles/owner
roles/editor
roles/compute.networkAdmin

Console

In the Google Cloud Console, go to the Cloud Interconnect VLAN attachments tab.

Go to VLAN attachments
Click Add VLAN attachment.
Select Dedicated Interconnect, and then click Continue.
Select In this project to create attachments in your project. For other projects, see Using Dedicated Interconnect connections in other projects.
Select an existing Interconnect connection in your project, and then click Continue.
Select Add VLAN attachment, and then specify the following details:
- Name: A name for the attachment. This name is displayed in the Cloud Console and is used by the gcloud command-line tool to reference the attachment, such as my-attachment.
- Router: A Cloud Router to associate with this attachment. The Cloud Router must be in the VPC network that you want to connect to. If you don't have an existing Cloud Router, select Create new router. For the BGP AS number, use any private ASN (64512-65535 or 4200000000-4294967294) or 16550.
To specify a VLAN ID, a specific IP address range for the BGP session, the VLAN attachment's capacity, or the MTU, click VLAN ID, BGP IPs, capacity, MTU.
- To specify a VLAN ID, in the VLAN ID section, select Customize.
  
  By default, Google automatically generates a VLAN ID. You can specify a VLAN ID in the range 2-4093. You cannot specify a VLAN ID that is already in use on the Interconnect connection. If your VLAN ID is in use, you are asked to choose another one.
  
  If you don't enter a VLAN ID, an unused, random VLAN ID is automatically selected for the VLAN attachment.
- To specify an IP address range for the BGP session, in the Allocate BGP IP address section, select Manually.
  
  The BGP IP address range that you specify must be unique among all Cloud Routers in all regions of a VPC network.
  
  IP addresses used for the BGP session between a Cloud Router and your on-premises router are allocated from the link-local IP address space (169.254.0.0/16). By default, Google selects unused IP addresses from the link-local IP address space.
  
  To restrict the IP range that Google selects from, you can specify up to 16 IP prefixes from the link-local IP address space. All prefixes must reside within 169.254.0.0/16 and must be a /29 or shorter, for example, /28 or /27. An unused /29 is automatically selected from your specified range of prefixes. The address allocation request fails if all possible /29 prefixes are in use by Google Cloud.
  
  If you don't supply a range of prefixes, Google Cloud picks a /29 CIDR from 169.254.0.0/16 that is not already used by any BGP session in your VPC network. If you supply one or more prefixes, Google Cloud picks an unused /29 CIDR from the supplied prefixes.
  
  After the /29 is selected, Google Cloud assigns the Cloud Router one address and your on-premises router another address. The rest of the address space in the /29 is reserved for Google's use.
- To specify the maximum bandwidth, in the Capacity field, select a value. If you don't select a value, Cloud Interconnect uses 10 Gbps.
  
  If you have multiple VLAN attachments on an Interconnect connection, the capacity setting helps you control how much bandwidth each attachment can use. The maximum bandwidth is approximate, so it's possible for VLAN attachments to use more bandwidth than the selected capacity.
- To specify the maximum transmission unit (MTU) for the attachment, select a value from the field.
  
  To make use of the 1500-byte MTU, the VPC network using the attachment must have an MTU set to 1500. In addition, the on-premises VMs and routers must have an MTU set to 1500. If your network has the default MTU of 1460, leave the field at 1440.
If you want to connect multiple VPC networks (for example, to build redundancy), click + Add VLAN attachment to attach additional VLANs to your Interconnect connection. Choose a different Cloud Router for each VLAN attachment. For more information, see the Redundancy section in the overview.
When you have created all needed VLAN attachments, click Create. The attachment takes a few moments to create.

The Configure Cloud Routers page shows each VLAN attachment and its configuration status.
For each VLAN attachment, to create a BGP session to exchange BGP routes between your Cloud Router network and your on-premises router, click Configure, and then enter the following information:
- Name: A name for the BGP session.
- Peer ASN: The public or private ASN of your on-premises router.
- Advertised route priority (optional): The base value that Cloud Router uses to calculate route metrics. All routes advertised for this session use this base value. For more information, see Advertised prefixes and priorities.
- Custom route advertisements (optional): This enables you to choose which routes Cloud Router advertises to your on-premises router through the Border Gateway Protocol (BGP). For configuration steps, see the overview for custom route advertisements.
- Bidirectional forwarding detection (BFD) for Cloud Router (optional): This detects forwarding path outages such as link down events, allowing for more resilient hybrid networks. For instructions about how to update a BGP session to use BFD, see Configuring BFD.
  Important: BFD can only be enabled on provisioned VLAN attachments that use Dataplane version 2. You can view the dataplaneVersion for a VLAN attachment by viewing the attachment details in one of the following ways:
  - In the Cloud Console for Dedicated Interconnect or Partner Interconnect.
  - In the output of the gcloud describe command for Dedicated Interconnect or Partner Interconnect.
  The dataplaneVersion field appears only in the output for the VLAN attachment types of PARTNER and DEDICATED. The field is not present for PARTNER_PROVIDER. For more information, contact your customer account team.
Click Save and continue.
After you add BGP sessions for all your VLAN attachments, click Save configuration. The BGP sessions that you configured are inactive until you configure BGP on your on-premises router.

gcloud

Before you create a VLAN attachment, you must have an existing Cloud Router in the network and region that you want to reach from your on-premises network. If you don't have an existing Cloud Router, create one. The Cloud Router must have a BGP ASN of 16550, or you can use any private ASN (64512-65535 or 4200000000-4294967294).

Create an interconnectAttachment, specifying the names of your Interconnect connection and Cloud Router. The attachment allocates a VLAN on your connection that connects to the Cloud Router.

The following example creates an attachment for the Interconnect connection my-interconnect that connects to the Cloud Router my-router, which is in the region us-central1.
```
gcloud compute interconnects attachments dedicated create my-attachment \
    --region us-central1 \
    --router my-router \
    --interconnect my-interconnect
```
For the BGP peering IP addresses, Google allocates unused IP addresses from the link-local IP address space (169.254.0.0/16). To constrain the range of IP addresses that Google can select from, you can use the --candidate-subnets flag, as shown in the following example.

The BGP IP address range that you specify must be unique among all Cloud Routers in all regions of a VPC network.
```
gcloud compute interconnects attachments dedicated create my-attachment \
    --router my-router \
    --interconnect my-interconnect \
    --candidate-subnets 169.254.0.0/29,169.254.10.0/24 \
    --region us-central1
```
You can specify a range of up to 16 IP prefixes from the link-local IP address space. All prefixes must reside within 169.254.0.0/16 and must be a /29 or shorter, for example, /28 or /27. An unused /29 is automatically selected from your specified range of prefixes. The address allocation request fails if all possible /29 prefixes are in use by Google Cloud.

To specify a VLAN ID, use the --vlan flag, as shown in the following example:
```
gcloud compute interconnects attachments dedicated create my-attachment \
    --router my-router \
    --interconnect my-interconnect \
    --vlan 5 \
    --region us-central1
```
By default, Google automatically generates a VLAN ID. You can specify a VLAN ID in the range 2-4093. You cannot specify a VLAN ID that is already in use on the Interconnect connection. If your VLAN ID is in use, you are asked to choose another one.

If you don't enter a VLAN ID, an unused, random VLAN ID is automatically selected for the VLAN attachment.

To specify the attachment's maximum bandwidth, use the --bandwidth flag, as shown in the following example. If you have multiple VLAN attachments on an Interconnect connection, the capacity setting helps you control how much bandwidth each attachment can use. The maximum bandwidth is approximate, so it's possible for VLAN attachments to use more bandwidth than the selected capacity.
```
gcloud compute interconnects attachments dedicated create my-attachment \
    --router my-router \
    --interconnect my-interconnect \
    --bandwidth 500M \
    --region us-central1
```
If you don't specify a capacity, Cloud Interconnect uses the default of 10 Gbps. For more information, see the gcloud compute interconnects attachments dedicated create reference.

The default MTU of an attachment is 1440 bytes. You can also specify an attachment MTU of 1500 bytes. To specify an MTU of 1500 bytes for the attachment, use the --mtu flag, as shown in the following example:
```
gcloud compute interconnects attachments dedicated create my-attachment \
    --router my-router \
    --interconnect my-interconnect \
    --mtu 1500 \
    --region us-central1
```
To make use of the 1500-byte MTU, the VPC network using the attachment and the on-premises systems and routers must all have an MTU set to 1500.
Describe the attachment to retrieve the resources that it allocated, such as the VLAN ID and BGP peering IP addresses, as shown in the following example. Use these values to configure your Cloud Router and your on-premises router.
```
gcloud compute interconnects attachments describe my-attachment \
    --region us-central1
```
Output:
```
cloudRouterIpAddress: 169.254.180.81/29
creationTimestamp: '2017-05-22T10:31:40.829-07:00'
customerRouterIpAddress: 169.254.180.82/29
id: '2973197662755397267'
interconnect: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/myinterconnect
kind: compute#interconnectAttachment
name: my-attachment
operationalStatus: ACTIVE
privateInterconnectInfo:
  tag8021q: 1000
region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1
router: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/routers/my-router
```
- The VLAN tag (1000) identifies traffic that goes across this attachment. You need this value to configure a tagged VLAN subinterface on your on-premises router.
- The Cloud Router IP address (169.254.180.81/29) is a link-local IP address. Assign this address to a Cloud Router interface. You use this same address for the BGP neighbor on your on-premises router.
- The customer router IP address (169.254.180.82/29) is a link-local IP address. On the Cloud Router, configure a BGP peer with this address over the interface that has the Cloud Router address assigned to it. You assign this address to the VLAN subinterface on your on-premises router.

On your Cloud Router, add an interface that connects to the VLAN attachment. For the IP address, use the Cloud Router IP address that your attachment allocated.

gcloud compute routers add-interface my-router \
    --region us-central1 \
    --ip-address 169.254.180.81 \
    --mask-length 29 \
    --interface-name my-router-i1 \
    --interconnect-attachment my-attachment

Add a BGP peer to the interface. For the peer IP address, use the customer router IP address that your attachment allocated. For the peer ASN value, use the same number that you configure on your on-premises router.

To specify a base priority value, use the --advertised-route-priority flag. Cloud Router uses this value to calculate route metrics for all routes that it advertises for this session. For more information, see Advertised prefixes and priorities in the Cloud Router documentation.

You can also use the --advertisement-mode, --advertisement-groups, and --advertisement-ranges flags to specify custom route advertisements. For more information, see Route advertisements in the Cloud Router documentation.
```
gcloud compute routers add-bgp-peer my-router \
   --interface my-router-i1 \
   --region us-central1 \
   --peer-name bgp-for-my-interconnect \
   --peer-ip-address 169.254.180.82 \
   --peer-asn 65201
```

Optional: Custom route advertisements enable you to choose which routes Cloud Router advertises to your on-premises router through the Border Gateway Protocol (BGP). For configuration steps, see the overview for custom route advertisements.

Optional: Bidirectional Forwarding Detection (BFD) for Cloud Router detects forwarding path outages such as link down events, allowing for more resilient hybrid networks. To update your BGP session to use BFD, see Configuring BFD.

If you're building redundancy with a duplicate Interconnect connection, repeat these steps for the second connection, and specify the same Cloud Router. For more information, see Redundancy and SLA.

Restricting Dedicated Interconnect usage

By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For more information, see Restricting Cloud Interconnect usage.

Test connections

Configure on-premises routers