Creating VLAN Attachments

VLAN attachments (also known as InterconnectAttachments) determine which Virtual Private Cloud networks can reach your on-premises network through an interconnect. You can create VLAN attachments over Cloud Interconnect connections that have passed all tests and that are ready to use.

Billing for VLAN attachments starts as soon as you create them and stops as soon as you delete them.

For Partner Interconnect VLAN attachments, see Creating VLAN Attachments in the Partner Interconnect how-to guide.

VLAN attachments and Cloud Router

For Dedicated Interconnect, the VLAN attachment allocates a VLAN on an interconnect and associates that VLAN with the specified Cloud Router. It is possible to associate multiple, different VLAN attachments to the same Cloud Router.

When you create the VLAN attachment, specify a Cloud Router that's in the region containing the subnets that you want to reach. The VLAN attachment automatically allocates a VLAN ID and BGP peering IP addresses. Use that information to configure your on-premises router and establish a BGP session with Cloud Router.

Optionally, you can manually specify the IP address range for the BGP session. The BGP IP address range that you specify must be unique among all Cloud Routers in all regions of a VPC network.

Multiple VLAN attachments

Each interconnect attachment (VLAN) supports a maximum bandwidth of 50 Gbps in increments described on the Pricing page and a maximum packet rate as documented in the Cloud Interconnect limits. This is true even if the attachment is configured on an Cloud Interconnect connection that has a greater bandwidth capacity than the attachment. To fully utilize the bandwidth of an Cloud Interconnect connection, you might need to create multiple interconnect attachments (VLANs).

To utilize multiple VLAN attachments simultaneously for egress traffic in a VPC network, create them in the same region, and configure your on-premises router to advertise routes with the same MED. The custom dynamic routes learned through BGP sessions on Cloud Router(s) managing the VLAN attachments are applied to your VPC network with a route priority corresponding to the MED. When multiple available routes have the same priority, Google Cloud distributes traffic among them using a five-tuple hash for affinity, implementing an ECMP routing design. See applicability and order in the Routes Overview for additional information.

Creating VLAN attachments

Permissions required for this task

To perform this task, you must have been granted the following permissions OR the following IAM roles.

Permissions

compute.interconnectAttachments.create
compute.interconnectAttachments.get
compute.routers.create
compute.routers.get
compute.routers.update

Roles

roles/owner
roles/editor
roles/compute.networkAdmin

Console

Go to the Cloud Interconnect VLAN attachments tab in the Google Cloud Console.
Go to VLAN attachments tab
Select Add VLAN attachment.
Select Dedicated Interconnect to create Dedicated VLAN attachments, and then select Continue.
Select In this project to create attachments for Dedicated Interconnects in your project. For using Dedicated Interconnects in other projects, see Using Interconnect connections in other projects.
Select an existing interconnect in your project, and then select Continue.
Click Add VLAN attachment to attach a new VLAN to your interconnect.
- Name — A name for the attachment. This name is displayed in the console and used by the gcloud command-line tool to reference the attachment, such as my-attachment.
- Cloud Router — A Cloud Router to associate with this attachment. The Cloud Router must be in the Virtual Private Cloud network that you want to connect to. If you don't have an existing Cloud Router, select Create new router. Use any private ASN (16550, 64512-65535, or 4200000000-4294967294) for the BGP AS number.
To specify a VLAN ID, a specific IP address range for the BGP session, or the VLAN attachment's capacity, click VLAN ID, BGP IPs, capacity.
- To specify a VLAN ID, select Customize in the VLAN ID section.
  
  By default, Google automatically generates a VLAN ID. You can specify a VLAN ID in the range 2 - 4094. You cannot specify a VLAN ID that is already in use on the interconnect. If your VLAN ID is in use, you are asked to choose another one.
  
  If you don't enter a VLAN ID, an unused, random VLAN ID is automatically selected for the VLAN attachment.
- To specify an IP address range for the BGP session, select Manually in the Allocate BGP IP address section.
  
  The BGP IP address range that you specify must be unique among all Cloud Routers in all regions of a VPC network.
  
  IP addresses used for the BGP session between Cloud Router and your on-premises router are allocated from the link-local IP address space (169.254.0.0/16). By default, Google selects unused IP addresses from the link-local IP address space.
  
  To restrict the IP range from which Google selects from, you can specify up to 16 IP prefixes from the link-local IP address space.
  
  All prefixes must reside within 169.254.0.0/16 and must be a /29 or shorter. For example, /28, /27, and so on. An unused /29 is automatically selected from your specified range of prefixes. The address allocation request fails if all possible /29 prefixes are in use by Google Cloud.
  
  If you don't supply a range of prefixes, Google Cloud picks a /29 CIDR from 169.254.0.0/16, not already used by any BGP session in your VPC network. If you supply one or more prefixes, Google Cloud picks an unused /29 CIDR from the supplied prefixes.
  
  Once the /29 is selected, Google Cloud assigns the Cloud Router one address and assigns your on-premises device another address. The rest of the address space in the /29 is reserved for Google's use.
- To specify the maximum bandwidth, select a value from the Capacity field. If you don't select a value, Cloud Interconnect uses 10 Gbps.
  
  If you have multiple VLAN attachments on an interconnect, the capacity setting helps you control how much bandwidth each attachment can use. The maximum bandwidth is approximate, so it's possible for VLAN attachments to use more bandwidth than the selected capacity.
If you want to connect multiple VPC networks (for example, to build redundancy), click + Add VLAN Attachment to attach additional VLANs to your interconnect. Choose a different Cloud Router for each VLAN attachment. For more information, see the Redundancy section in the Overview page.
When you have created all needed VLAN attachments, click Create. The attachment takes a few moments to create.

The Configure Cloud Routers screen shows each VLAN attachment and its configuration status.
For each VLAN attachment, click Configure to create a BGP session to exchange BGP routes between your Cloud Router network and your on-premises router. Enter the following information:
- Name — A name for the BGP session.
- Peer ASN — The public or private ASN of your on-premises router.
- Advertised route priority — (Optional) The base value Cloud Router uses to calculate route metrics. All routes advertised for this session will use this base value. For more information, see Route metrics.
Click Save and Continue.
After you've added BGP sessions for all of your VLAN attachments, click Save Configuration. The BGP sessions you configured are inactive until you configure BGP on your on-premises router.

gcloud

You must have an existing Cloud Router in the network and region that you want to reach from your on-premises network. If you don't, create one before you create a VLAN attachment. When you create the Cloud Router, use any private ASN (16550, 64512-65535, or 4200000000-4294967294) for the BGP AS number.

Create an InterconnectAttachment, specifying the names of your interconnect and Cloud Router. The attachment allocates a VLAN on your interconnect that connects to the Cloud Router.

The following example creates an attachment for the my-interconnect interconnect that connects to the my-router Cloud Router, which is in the us-central1 region.
```
gcloud compute interconnects attachments dedicated create my-attachment \
  --region us-central1 \
  --router my-router \
  --interconnect my-interconnect
```
For the BGP peering IP addresses, Google allocates unused IP addresses from the link-local IP address space (169.254.0.0/16). You can use the --candidate-subnets flag to constrain the range of IP addresses that Google can select from, as shown in the following example.

The BGP IP address range that you specify must be unique among all Cloud Routers in all regions of a VPC network.
```
gcloud compute interconnects attachments dedicated create my-attachment \
  --router my-router \
  --interconnect my-interconnect \
  --candidate-subnets 169.254.0.0/29,169.254.10.0/24 \
  --region us-central1 
```
You can specify a range of up to 16 IP prefixes from the link-local IP address space. All prefixes must reside within 169.254.0.0/16 and must be a /29 or shorter. For example, /28, /27, and so on. An unused /29 is automatically selected from your specified range of prefixes. The address allocation request fails if all possible /29 prefixes are in use by Google Cloud.

To specify a VLAN ID, use the --vlan flag, as shown in the following example:
```
gcloud compute interconnects attachments dedicated create my-attachment \
  --router my-router \
  --interconnect my-interconnect \
  --vlan 5 \
  --region us-central1 
```
By default, Google automatically generates a VLAN ID. You can specify a VLAN ID from the range 2 - 4094. You cannot specify a VLAN ID that is already in use on the interconnect. If your VLAN ID is in use, you are asked to choose another one.

If you don't enter a VLAN ID, an unused, random VLAN ID is automatically selected for the VLAN attachment.

To specify the attachment's maximum bandwidth, use the --bandwidth flag, as shown in the following example. If you have multiple VLAN attachments on an interconnect, the capacity helps you control how much bandwidth each attachment can use. The maximum bandwidth is approximate, so it's possible for VLAN attachments to use more bandwidth than the selected capacity.
```
gcloud compute interconnects attachments dedicated create my-attachment \
  --router my-router \
  --interconnect my-interconnect \
  --bandwidth 500M \
  --region us-central1 
```
If you don't specify a capacity, Cloud Interconnect uses the default of 10 Gbps. For more information, see the gcloud command line reference.
Describe the attachment to retrieve the resources that it allocated, such as the VLAN ID and BGP peering addresses, as shown in the following example. Use these values to configure your Cloud Router and your on-premises router.
```
gcloud compute interconnects attachments describe my-attachment \
  --region us-central1
```
```
cloudRouterIpAddress: 169.254.180.81/29
creationTimestamp: '2017-05-22T10:31:40.829-07:00'
customerRouterIpAddress: 169.254.180.82/29
id: '2973197662755397267'
interconnect: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/myinterconnect
kind: compute#interconnectAttachment
name: my-attachment
operationalStatus: ACTIVE
privateInterconnectInfo:
  tag8021q: 1000
region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1
router: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/routers/my-router
```
- The VLAN tag (1000) identifies traffic that will go across this attachment. You'll need this value to configure a tagged VLAN subinterface on your on-premises router.
- The Cloud Router IP address (169.254.180.81/29) is a link local IP address. Assign this address to a Cloud Router interface. You'll use this same address for the BGP neighbor on your on-premises router.
- The customer router IP address (169.254.180.82/29) is a link local IP address. On the Cloud Router, configure a BGP peer with this address over the interface that has the Cloud Router address assigned to it. You'll assign this address to the VLAN subinterface on your on-premises router.

On your Cloud Router, add an interface that connects to the VLAN attachment. For the IP address, use the Cloud Router IP address that was allocated by your attachment.

gcloud compute routers add-interface my-router \
  --region us-central1 \
  --ip-address 169.254.180.81 \
  --mask-length 29 \
  --interface-name my-router-i1 \
  --interconnect-attachment my-attachment

Add a BGP peer to the interface. For the peer IP address, use the customer router IP address that was allocated by your attachment. For the peer ASN value, use the same number that you will configure on your on-premises router.

To specify a base priority value, use the --advertised-route-priority flag. Cloud Router uses this value to calculate route metrics for all routes it advertises for this session. For more information, see Route metrics in the Cloud Router documentation.

You can also use the --advertisement-mode, --advertisement-groups, and --advertisement-ranges flags to specify custom route advertisements. For more information, see Route advertisements in the Cloud Router documentation.
```
gcloud compute routers add-bgp-peer my-router \
  --interface my-router-i1 \
  --region us-central1 \
  --peer-name bgp-for-my-interconnect \
  --peer-ip-address 169.254.180.82 \
  --peer-asn 65201
```

If you're building redundancy with a duplicate interconnect, repeat these steps for the second interconnect, and specify a different Cloud Router. For more information, see the Redundancy section in the Overview page.

Restricting Dedicated Interconnect usage

By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For more information, see Restricting Cloud Interconnect usage.

What's next

On your on-premises router, configure a VLAN subinterface and a BGP peer by using the values allocated by your VLAN attachment. For more information, see Configuring On-premises Router.