Create and manage VPC networks

This page describes how to create, modify, and delete Virtual Private Cloud (VPC) networks and subnetworks. This page assumes that you are familiar with the characteristics of VPC networks as described in VPC networks. Networks and subnets are different resources in Google Cloud.

If you plan to enable IPv6 ranges on subnets, see IPv6 subnet ranges.

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how VPC performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Try VPC free

Create networks

You can choose to create an auto mode or custom mode VPC network. Each new network that you create must have a unique name within the same project.

Create an auto mode VPC network

When you create an auto mode VPC network, one subnet is created in each Google Cloud region. As new regions become available, new subnets in those regions are automatically added to the auto mode VPC network. IPv4 ranges for the automatically created subnets come from a predetermined set of ranges. All auto mode VPC networks use the same set of IPv4 ranges.

Subnets with IPv6 ranges are not supported on auto mode VPC networks. Create a custom mode VPC network if you want to create dual-stack subnets.

To create an auto mode VPC network, follow these steps.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. Enter a Name for the network.

  4. Choose Automatic for the Subnet creation mode.

  5. In the Firewall rules section, select zero or more predefined firewall rules. The rules address common use cases for connectivity to instances.

    Whether or not you select pre-defined rules, you can create your own firewall rules after you create the network.

    Each predefined rule name starts with the name of the VPC network that you are creating, NETWORK. In the IPv4 firewall rules tab, the predefined ingress firewall rule named NETWORK-allow-custom is editable. By default it specifies the source range 10.128.0.0/9, which contains current and future IPv4 ranges for subnets in an auto mode network. The right side of the row that contains the rule, click Edit to select subnets, add additional IPv4 ranges, and specify protocols and ports.

  6. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  7. Maximum transmission unit (MTU): Choose whether the network has an MTU of 1460 (default), 1500, or 8896. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

  8. Click Create.

gcloud

Use the networks create command.

gcloud compute networks create NETWORK \
    --subnet-mode=auto \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \
    --mtu=MTU

Replace the following:

  • NETWORK: a name for the VPC network.
  • DYNAMIC_ROUTING_MODE: controls the behavior of Cloud Routers in the network. Can be either global or regional. The default is regional. For more information, see dynamic routing mode.
  • MTU: the maximum transmission unit (MTU), which is the largest packet size of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

Terraform

Use the google_compute_network Terraform resource.

MTU is the maximum transmission unit, or largest packet size, of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

resource "google_compute_network" "vpc_network" {
  project                 = var.project_id # Replace this with your project ID in quotes
  name                    = "my-auto-mode-network"
  auto_create_subnetworks = true
  mtu                     = 1460
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

API

Make a POST request to the networks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": true,
  "name": "auto-network1",
  "mtu": MTU
}

Replace the following:

  • PROJECT_ID: the ID of the project where the VPC network is created.
  • MTU: the maximum transmission unit (MTU), which is the largest packet size of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

To specify the dynamic routing mode of the VPC network, include the routingConfig field:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "routingConfig": {
    "routingMode": "DYNAMIC_ROUTING_MODE"
  },
  "autoCreateSubnetworks": true,
  "name": "NETWORK",
  "mtu": MTU
}

Replace the following:

  • PROJECT_ID: the ID of the project where the VPC network is created.
  • NETWORK: a name for the VPC network.
  • DYNAMIC_ROUTING_MODE: controls the behavior of Cloud Routers in the network. Can be either GLOBAL or REGIONAL. The default is REGIONAL. For more information, see dynamic routing mode.
  • MTU: the maximum transmission unit (MTU), which is the largest packet size of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

Create a custom mode VPC network with only IPv4 subnets

For custom mode VPC networks, create a network, then create the subnets that you want within a region. You do not have to specify subnets for all regions right away, or even at all, but you cannot create instances in a region that has no subnet defined. Finally, define the firewall rules for your network.

To create a custom mode VPC network with only IPv4 subnets, follow these steps.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. Enter a Name for the network.

  4. Choose Custom for the Subnet creation mode.

  5. In the New subnet section, specify the following configuration parameters for a subnet:

    1. Provide a Name for the subnet.
    2. Select a Region.
    3. Enter an IP address range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    4. To define a secondary range for the subnet, click Create secondary IP range.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    5. Private Google Access: Choose whether to enable Private Google Access for the subnet when you create it or later by editing it.

    6. Flow logs: Choose whether to enable VPC flow logs for the subnet when you create it or later by editing it.

    7. Click Done.

  6. To add more subnets, click Add subnet and repeat the previous steps. You can also add more subnets to the network after you have created the network.

  7. In the Firewall rules section, select zero or more predefined firewall rules in the IPv4 firewall rules. The rules address common use cases for connectivity to instances.

    If you don't select any predefined rules, you can create your own firewall rules after you create the network.

    Each predefined rule name starts with the name of the VPC network that you are creating, NETWORK. In the IPv4 firewall rules tab, the predefined ingress firewall rule named NETWORK-allow-custom is editable. On the right side of the row that contains the rule, click Edit to select subnets, add additional IPv4 ranges, and specify protocols and ports.

    The NETWORK-allow-custom firewall rule is not automatically updated if you later add additional subnets. If you need firewall rules for the new subnets, you must update the firewall configuration to add the rules.

  8. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  9. Maximum transmission unit (MTU): Choose whether the network has an MTU of 1460 (default), 1500, or 8896. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

  10. Click Create.

gcloud

Use the networks create command.

gcloud compute networks create NETWORK \
    --subnet-mode=custom \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \
    --mtu=MTU

Replace the following:

  • NETWORK: a name for the VPC network.
  • DYNAMIC_ROUTING_MODE: controls the behavior of Cloud Routers in the network. Can be either global or regional. The default is regional. For more information, see dynamic routing mode.
  • MTU: the maximum transmission unit (MTU), which is the largest packet size of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

Next, add subnets to your network.

Terraform

Use the google_compute_network Terraform resource.

MTU is the maximum transmission unit, or largest packet size, of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

resource "google_compute_network" "vpc_network" {
  project                 = var.project_id # Replace this with your project ID in quotes
  name                    = "my-custom-mode-network"
  auto_create_subnetworks = false
  mtu                     = 1460
}

Next, add subnets to your network.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

API

Make a POST request to the networks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": false,
  "name": "NETWORK",
  "mtu": MTU,
  "routingConfig": {
    "routingMode": "DYNAMIC_ROUTING_MODE"
  }
}

Replace the following:

  • PROJECT_ID: the ID of the project where the VPC network is created.
  • NETWORK: a name for the VPC network.
  • DYNAMIC_ROUTING_MODE: controls the behavior of Cloud Routers in the network. Can be either GLOBAL or REGIONAL. The default is REGIONAL. For more information, see dynamic routing mode.
  • MTU: the maximum transmission unit (MTU), which is the largest packet size of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

Next, add subnets to your network.

Create a custom mode VPC network with a dual-stack subnet

You can create subnets when you create the network, or you can add them later.

A subnet can have one of the following configurations for its primary IP address ranges:

  • Single-stack: Internal IPv4 range only
  • Dual-stack: Internal IPv4 range and internal IPv6 range
  • Dual-stack: Internal IPv4 range and external IPv6 range

Each subnet in a VPC network can have a different configuration; you do not need to configure them all as dual-stack, for example.

To configure subnets with internal IPv6 ranges, enable a VPC network ULA internal IPv6 range. Internal IPv6 subnet ranges are allocated from this range.

To create a custom mode VPC network with a dual-stack subnet, follow these steps.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. Enter a Name for the network.

  4. If you want to configure internal IPv6 address ranges on subnets in this network, complete these steps:

    1. For VPC network ULA internal IPv6 range, select Enabled.
    2. For Allocate internal IPv6 range, select Automatically or Manually.

      If you select Manually, enter a /48 range from within the fd20::/20 range. If the range is in use, you are prompted to provide a different range.

  5. For Subnet creation mode, choose Custom.

  6. In the New subnet section, specify the following configuration parameters for a subnet:

    1. Provide a Name for the subnet.
    2. Select a Region.
    3. To create a dual-stack subnet, for IP stack type, select IPv4 and IPv6 (dual-stack).
    4. Enter an IPv4 range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    5. Select an IPv6 access type: External or Internal.

    6. Click Done.

  7. To add more subnets, click Add subnet and repeat the previous steps.

    Each subnet in a VPC network can have different stack type and IPv6 access type configurations. You do not need to configure all subnets in a given network as dual-stack subnets.

    You can also add more single-stack or dual stack subnets to the network after you create the network.

  8. In the Firewall rules section, select zero or more predefined firewall rules in the IPv4 firewall rules and IPv6 firewall rules tabs. The rules address common use cases for connectivity to instances.

    If you don't select any predefined rules, you can create your own firewall rules after you create the network.

    Each predefined rule name starts with the name of the VPC network that you are creating, NETWORK. In both the IPv4 firewall rules tab and the IPv6 firewall rules tab, there is an editable predefined ingress firewall rule; the IPv4 rule is named NETWORK-allow-custom and the IPv6 rule is named NETWORK-allow-ipv6-custom. On the right side of the row that contains the rule, click Edit to select subnets, add additional IP ranges, and specify protocols and ports.

    The NETWORK-allow-custom and NETWORK-allow-ipv6-custom firewall rule are not automatically updated if you later add additional subnets. If you need firewall rules for the new subnets, you must update the firewall configuration to add the rules.

  9. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  10. Maximum transmission unit (MTU): Choose whether the network has an MTU of 1460 (default), 1500, or 8896. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

  11. Click Create.

gcloud

Use the networks create command. After you have created the network, you can add IPv4 only subnets and dual-stack subnets to it.

If you want to configure internal IPv6 ranges on any subnets in this network, use the --enable-ula-internal-ipv6 flag. This option assigns a /48 ULA prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want to select the /48 IPv6 range that is assigned, use the --internal-ipv6-range flag to specify a range.

You can omit both flags if you want to configure only external IPv6 on subnets in this VPC network.

gcloud compute networks create NETWORK \
    --subnet-mode=custom \
    [ --enable-ula-internal-ipv6 [ --internal-ipv6-range=ULA_IPV6_RANGE ]] \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \
    --mtu=MTU

Replace the following:

  • NETWORK: a name for the VPC network.

  • ULA_IPV6_RANGE: a /48 prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you don't use the --internal-ipv6-range flag, Google selects a /48 prefix for the network.

  • DYNAMIC_ROUTING_MODE: controls the behavior of Cloud Routers in the network. Can be either global or regional. The default is regional. For more information, see dynamic routing mode.

  • MTU: the maximum transmission unit (MTU), which is the largest packet size of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

API

Make a POST request to the networks.insert method. After you have created the network, you can add IPv4 only subnets and dual-stack subnets to it.

If you want to configure internal IPv6 ranges on any subnets in this network, set enableUlaInternalIpv6 to true. This option assigns a /48 range from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want to select which /48 IPv6 range that is assigned, also use the internalIpv6Range field to specify a range.

You can omit both fields if you want to configure only external IPv6 on subnets in this VPC network.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": false,
  "name": "NETWORK",
  "mtu": MTU,
  "enableUlaInternalIpv6": true,
  "internalIpv6Range": "ULA_IPV6_RANGE",
  "routingConfig": {
    "routingMode": "DYNAMIC_ROUTING_MODE"
  }
}

Replace the following:

  • PROJECT_ID: the ID of the project where the VPC network is created.
  • NETWORK: a name for the VPC network.
  • MTU: the maximum transmission unit (MTU), which is the largest packet size of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.
  • ULA_IPV6_RANGE: a /48 prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you don't provide a value for internalIpv6Range, Google selects a /48 prefix for the network.
  • DYNAMIC_ROUTING_MODE: controls the behavior of Cloud Routers in the network. Can be either GLOBAL or REGIONAL. The default is REGIONAL. For more information, see dynamic routing mode.

About firewall rules

After you create a network, create firewall rules to allow or deny traffic between resources in the network, such as communication between VM instances. You also use firewall rules to control what traffic leaves or enters the VPC network to or from the internet.

View networks

View the VPC and legacy networks in your project. For VPC networks, you can view information about their subnets and their subnet creation mode.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

    The console lists all of your VPC and legacy networks.

  2. Select a VPC network to view its details, such as its peering connections and subnets.

gcloud

  1. To list the networks in your project, use the networks list command.

    gcloud compute networks list
    

    The command lists all of your VPC and legacy networks. Legacy networks show a subnet creation mode of LEGACY, while VPC networks show either AUTO or CUSTOM.

    NAME             SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE     GATEWAY_IPV4
    custom-network   CUSTOM       REGIONAL
    default          AUTO         REGIONAL
    legacy-network1  LEGACY       REGIONAL          10.240.0.0/16  10.240.0.1
    
  2. To describe a network and view its details, such as peering connections and subnets, use the networks describe command.

    gcloud compute networks describe NETWORK
    

    Replace NETWORK with the name of the network.

API

  1. To list all networks in your project, make a GET request to the networks.list method.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
    

    Replace PROJECT_ID with the ID of the project that contains the VPC networks to list.

  2. To describe a network and view its details, make a GET request to the networks.get method.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK
    

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the VPC network.
    • NETWORK: the name of the VPC network to describe.

Work with subnets

You must follow these rules when creating or editing a subnet:

  • Within a project, a subnet cannot have the same name as a VPC network unless it is a member of that network. Within a project, subnets in the same region must have unique names. For example, a network named production can have multiple subnets also named production as long as each of those subnets is in a unique region.

  • You cannot change the name or region of a subnet after you create it. However, you can delete a subnet and replace it as long as no resources are using it.

  • Each subnet must have a primary IPv4 range and optionally one or more secondary IPv4 ranges for alias IP. The per network limits describe the maximum number of secondary ranges that you can define for each subnet. Primary and secondary IPv4 ranges must be a valid range.

    • Within a VPC network, all primary and secondary IPv4 ranges must be unique, but they do not need to be contiguous. For example, the primary range of a subnet can be 10.0.0.0/24, while the primary range of another subnet in the same network can be 192.168.0.0/16.

    • After you create a subnet, the primary IPv4 range for the subnet can be expanded but not replaced or shrunk.

    • You can remove and replace a subnet's secondary IPv4 address range only if no instances are using that range.

    • The minimum primary or secondary range size is eight IPv4 addresses. In other words, the longest subnet mask that you can use is /29.

    • The shortest subnet mask that you can use is /4. However, for most /4 IP address ranges, additional validations prevent you from creating a subnet that is this large. For example, a subnet range cannot overlap with a private IPv4 range or other reserved range. To minimize the chance of choosing an invalid subnet range, we recommend that you limit your maximum subnet size to /8.

      For information about valid ranges, see Valid IPv4 ranges.

  • Primary and secondary ranges for subnets cannot overlap with any allocated range, any primary or secondary range of another subnet in the same network, or any IPv4 ranges of subnets in peered networks.

  • Google Cloud creates corresponding subnet routes for both primary and secondary IP ranges. Subnet routes, and therefore subnet IP ranges, must have the most specific IP ranges by definition.

    • Primary and secondary ranges can't conflict with on-premises IP ranges if you have connected your VPC network to another network with Cloud VPN, Dedicated Interconnect, or Partner Interconnect.

    • IPv4 ranges for all subnets must be unique among VPC networks that are connected to one another by VPC Network Peering.

    • Subnet IPv4 ranges cannot conflict with destinations for static routes.

    • Avoid using IPv4 addresses from the 10.128.0.0/9 block for a subnet's primary or secondary IPv4 ranges. Automatically created subnets in auto mode VPC networks use IPv4 addresses from this block. If you use IP addresses in the 10.128.0.0/9 block, you will not be able to connect your network to an auto mode VPC network using VPC Peering or with Cloud VPN tunnels.

List subnets

You can see all the subnets that exist for a project.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. To view subnets, do one of the following:

    • Click the name of a network, and then click the Subnets tab on the VPC network details page.

      This view lets you add new subnets and modify other configurations for a single selected network.

    • Click the Subnets in current project tab and select one or more networks from the VPC networks list.

      This view lets you list the subnets in more than one network.

gcloud

You can list all subnets in all networks in your project, or you can show only the subnets for a particular network or region. The following examples demonstrate how to use the subnets list command.

  • To list all subnets in all VPC networks, use the following command:

    gcloud compute networks subnets list
    
  • To list all subnets in a particular VPC network, use the following command:

    gcloud compute networks subnets list \
       --network=NETWORK
    

    Replace NETWORK with the name of the network.

  • To list all subnets in a particular region, use the following command:

    gcloud compute networks subnets list \
       --filter="region:( REGION … )"
    

    Replace REGION with the name of the region.

API

To list all subnets in your project, make a GET request to the subnetworks.aggregatedList method.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/subnetworks

Replace PROJECT_ID with the ID of the project that contains the subnets to list.

Describe a subnet

You can view the details of an existing subnet—such as its primary IPv4 ranges, secondary IP ranges, IPv6 ranges, and region—by following the steps in this section.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.

  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.

gcloud

  1. List subnets to determine the names and regions of existing subnets in your project.

  2. Use the subnets describe command.

    gcloud compute networks subnets describe SUBNET \
        --region=REGION
    

    Replace the following:

    • SUBNET: the subnet to describe
    • REGION: the region of the subnet to describe

API

  1. To list subnets in a particular region and find a subnet's name, make a GET request to the subnetworks.list method.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
    

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the subnets to list.
    • REGION: the name of the Google Cloud region that contains the subnets to list.
  2. Make a GET request to the subnetworks.get method.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
    

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the subnet to describe.
    • REGION: the name of the Google Cloud region that contains the subnet to describe.
    • SUBNET: the name of the subnet to describe.

Add an IPv4 only subnet

When you create a subnet, you set a name, a region, and at least a primary IPv4 address range according to the subnet rules. To create an IPv4-only subnet, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Add subnet. In the panel that appears:

    1. Provide a Name.
    2. Select a Region.
    3. Enter an IP address range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    4. To define a secondary range for the subnet, click Create secondary IP range.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    5. Private Google access: You can enable Private Google Access for the subnet when you create it or later by editing it.

    6. Flow logs: You can enable VPC flow logs for the subnet when you create it or later by editing it.

    7. Click Add.

gcloud

Use the subnets create command.

gcloud compute networks subnets create SUBNET \
    --network=NETWORK \
    --range=PRIMARY_RANGE \
    --region=REGION

Replace the following:

  • SUBNET: a name for the new subnet.
  • NETWORK: the name of the VPC network that contains the new subnet.
  • PRIMARY_RANGE: the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges.
  • REGION: the Google Cloud region in which the new subnet is created.

You can modify the preceding command with the following optional flags:

  • --secondary-range=SECONDARY_RANGE_NAME=SECONDARY_RANGE: Replace SECONDARY_RANGE_NAME with a name for the secondary range. Replace SECONDARY_RANGE with a secondary range in CIDR notation. The per network limits describe the maximum number of secondary ranges that you can define for each subnet.
  • --enable-flow-logs: Enables VPC Flow Logs in the subnet at creation time.
  • --enable-private-ip-google-access: Enables Private Google Access in the subnet at creation time.
  • --purpose: Enables you to specify the purpose of the subnet.
  • --role: Enables you to specify a role (active or backup) for a proxy-only subnet.

Next, create firewall rules.

Terraform

Use a Terraform module.

MTU is the maximum transmission unit, or largest packet size, of the network. MTU can be set to any value from 1300 to 8896. The default is 1460. Before setting the MTU to a value higher than 1460, review Maximum transmission unit.

module "test-vpc-module" {
  source       = "terraform-google-modules/network/google"
  version      = "~> 9.0"
  project_id   = var.project_id # Replace this with your project ID in quotes
  network_name = "my-custom-mode-network"
  mtu          = 1460

  subnets = [
    {
      subnet_name   = "subnet-01"
      subnet_ip     = "10.10.10.0/24"
      subnet_region = "us-west1"
    },
    {
      subnet_name           = "subnet-02"
      subnet_ip             = "10.10.20.0/24"
      subnet_region         = "us-west1"
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
    {
      subnet_name               = "subnet-03"
      subnet_ip                 = "10.10.30.0/24"
      subnet_region             = "us-west1"
      subnet_flow_logs          = "true"
      subnet_flow_logs_interval = "INTERVAL_10_MIN"
      subnet_flow_logs_sampling = 0.7
      subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
      subnet_flow_logs_filter   = "false"
    }
  ]
}

Next, create firewall rules.

API

Make a POST request to the subnetworks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
  "ipCidrRange": "IP_RANGE",
  "network": "NETWORK_URL",
  "name": "SUBNET"
}

Replace the following:

  • PROJECT_ID: the ID of the project that contains the VPC network to modify.
  • REGION: the name of the Google Cloud region where the subnet is added.
  • IP_RANGE: the primary IPv4 address range for the subnet. For more information, see IPv4 subnet ranges.
  • NETWORK_URL: the URL of the VPC network where you're adding the subnet.
  • SUBNET: a name for the subnet.

Next, create firewall rules.

Add a dual-stack subnet

Dual-stack subnets have both IPv4 and IPv6 address ranges.

You can create a subnet with external or internal IPv6 addresses enabled. Configuring an IPv6 range on a subnet does not configure IPv6 on VMs that you connect to that subnet. For more information about configuring IPv6 on VMs, see configure IPv6 addresses on VMs.

To create a dual-stack subnet, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Add subnet. In the panel that appears:

    1. Provide a Name.
    2. Select a Region.
    3. For IP stack type, select IPv4 and IPv6 (dual-stack).
    4. Enter an IPv4 range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    5. Select an IPv6 access type: Internal or External.

      If you want to set the access type to Internal, but the Internal option is not available, check that an internal IPv6 range is assigned on the network.

    6. Click Add.

gcloud

Use the subnets create command.

gcloud compute networks subnets create SUBNET \
    --network=NETWORK \
    --range=PRIMARY_IPv4_RANGE \
    --stack-type=IPV4_IPV6 \
    --ipv6-access-type=IPv6_ACCESS_TYPE \
    --region=REGION

Replace the following:

  • SUBNET: a name for the new subnet.
  • NETWORK: the name of the VPC network that will contain the new subnet.
  • PRIMARY_IPv4_RANGE: the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges.
  • IPv6_ACCESS_TYPE: the IPv6 access type. It can be EXTERNAL or INTERNAL.
  • REGION: the Google Cloud region in which the new subnet will be created.

API

Make a POST request to the subnetworks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
  "ipCidrRange": "IP_RANGE",
  "network": "NETWORK_URL",
  "name": "SUBNET"
  "stackType": IPV4_IPV6,
  "ipv6AccessType": IPv6_ACCESS_TYPE
}

Replace the following:

  • PROJECT_ID: the ID of the project that contains the VPC network to modify.
  • REGION: the name of the Google Cloud region where the subnet is added.
  • IP_RANGE: the primary IPv4 address range for the subnet. For more information, see IPv4 subnet ranges.
  • NETWORK_URL: the URL of the VPC network where you're adding the subnet.
  • SUBNET: a name for the subnet.
  • IPv6_ACCESS_TYPE: the IPv6 access type. It can be EXTERNAL or INTERNAL.

Change a subnet's stack type to dual-stack

Dual-stack subnets have both IPv4 and IPv6 subnet ranges. You can add either an internal or an external IPv6 subnet range to an existing IPv4 only subnet in a custom mode VPC network. For more information, see IPv6 subnet ranges.

Adding an IPv6 subnet range to a subnet does not configure IPv6 on connected VMs. For information about configuring VMs, see configure IPv6 on VMs.

To change a subnet's stack type to dual-stack, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of a network to view the VPC network details page.

  3. In the Subnets tab, click the name of the subnet that you want to modify.

  4. In the Subnet details page, click Edit.

  5. For IP stack type, select IPv4 and IPv6 (dual-stack).

  6. Select an IPv6 access type: Internal or External.

    If you want to set the access type to Internal, but the Internal option is not available, check that an internal IPv6 range is assigned for the network.

  7. Click Save.

gcloud

Use the subnets update command.

gcloud compute networks subnets update SUBNET \
    --stack-type=IPV4_IPV6 \
    --ipv6-access-type=IPv6_ACCESS_TYPE \
    --region=REGION

Replace the following:

  • SUBNET: the name of the subnet.
  • REGION: the region of the subnet.
  • IPv6_ACCESS_TYPE: the IPv6 access type of the subnet. It can be EXTERNAL or INTERNAL.

API

Make a PATCH request to the subnetworks.patch method.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
{
  "stackType": IPV4_IPV6,
  "ipv6AccessType": IPv6_ACCESS_TYPE
}

Replace the following:

  • PROJECT_ID: the ID of the project that contains the VPC network to modify.
  • REGION: the subnet's region.
  • SUBNET: the name of the subnet.
  • IPv6_ACCESS_TYPE: the IPv6 access type. It can be EXTERNAL or INTERNAL.

Change subnet stack type to IPv4 only

You can change a subnet's stack type from IPv4 and IPv6 (dual-stack) to IPv4 only (single-stack) if the IPv6 access type is external.

If you make this change, you cannot create new dual-stack VMs that are connected to that subnet. However, existing dual-stack VMs are not affected. If you need to change a VM's stack type to be IPv4 only, see Change the stack type of a VM.

This change is supported in Google Cloud CLI and the API only.

Changing the stack type from IPv4 and IPv6 (dual-stack) to IPv4 only (single-stack) is not supported if the IPv6 access type is internal.

To change a subnet's stack type to IPv4 only, do the following.

gcloud

Use the subnets update command.

gcloud compute networks subnets update SUBNET \
    --stack-type=IPV4_ONLY \
    --region=REGION

Replace the following:

  • SUBNET: the name of the subnet.
  • REGION: the subnet's Google Cloud region

API

Make a PATCH request to the subnetworks.patch method.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
{
  "stackType": IPV4_ONLY,
}

Replace the following:

  • PROJECT_ID: the ID of the project that contains the VPC network to modify.
  • REGION: the subnet's Google Cloud region.
  • SUBNET: the name of the subnet.

Delete a subnet

Use the following directions to delete a manually created subnet. Before you can delete a subnet, you must delete all resources that use it. For example, you need to delete VMs, reserved internal IP addresses, internal forwarding rules, and Cloud NAT gateways that use the subnet.

To delete a subnet, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.

  2. To view a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.

  3. Click Delete subnet.

  4. In the message that appears, click Delete to confirm.

gcloud

Use the subnets delete command.

gcloud compute networks subnets delete SUBNET \
    --region=REGION

Replace the following:

  • SUBNET: the name of the subnet to delete.
  • REGION: the region of the subnet to delete.

API

Make a DELETE request to the subnetworks.delete method.

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET

Replace the following:

  • PROJECT_ID: the ID of the project that contains the subnet to delete.
  • REGION: the name of the Google Cloud region that contains the subnet to delete.
  • SUBNET: the name of the subnet to delete.

Expand a primary IPv4 range

You can expand the primary IPv4 range of an existing subnet by modifying its subnet mask, setting the prefix length to a smaller number. The proposed new primary IPv4 range of the subnet must follow the subnet rules.

When expanding the IPv4 range of an automatically created subnet in an auto mode VPC network (or in a custom mode VPC network that was previously an auto mode VPC network), the broadest prefix (subnet mask) you can use is /16. Any prefix broader than /16 would conflict with the primary IPv4 ranges of the other automatically created subnets.

You can't expand subnets that are used exclusively for load balancer proxies. For more information, see Proxy-only subnets for load balancers.

Expanding the primary IPv4 range of a subnet can take several minutes to complete. During expansion, traffic within the subnet is not interrupted.

If you expand the primary IPv4 range of a subnet, you might need to modify other configurations that are assuming this IP address range.

To expand a subnet's primary IPv4 range, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.

  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.

  3. Click Edit.

  4. Enter a new, broader CIDR block in the IP address range field.

    For valid ranges, see IPv4 subnet ranges.

  5. Click Save.

gcloud

Use the subnets expand-ip-range command.

gcloud compute networks subnets expand-ip-range SUBNET \
  --region=REGION \
  --prefix-length=PREFIX_LENGTH

Replace the following:

  • SUBNET: the name of the subnet.
  • REGION: the region in which the subnet is located.
  • PREFIX_LENGTH: a subnet mask size in bits. If the primary IPv4 range is 10.1.2.0/24, you can supply 20 to reduce the subnet mask to 20 bits, which changes the primary IPv4 range to 10.1.2.0/20. For valid ranges, see IPv4 subnet ranges.

API

Make a POST request to the subnetworks.expandIpCidrRange method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET/expandIpCidrRange
{
  "ipCidrRange": "IP_RANGE"
}

Replace the following:

  • PROJECT_ID: the ID of the project that contains the subnet to modify.
  • REGION: the name of the Google Cloud region that contains the subnet to modify.
  • SUBNET: the name of the subnet to modify.
  • IP_RANGE: the expanded IPv4 address range for the subnet. For valid ranges, see IPv4 subnet ranges.

Edit secondary IPv4 ranges

You can add secondary IPv4 ranges to subnets, or you can remove any secondary IPv4 range as long as no resources are using IP addresses in it.

gcloud

To add a new secondary IPv4 range to a subnet, use the subnets update command.

gcloud compute networks subnets update SUBNET \
  --region=REGION \
  --add-secondary-ranges=SECONDARY_RANGE_NAME=SECONDARY_RANGE

Replace the following:

  • SUBNET: the name of the subnet.
  • REGION: the region in which the subnet is located.
  • SECONDARY_RANGE_NAME: a name for the secondary range.
  • SECONDARY_RANGE: the secondary IPv4 range in CIDR notation. For valid ranges, see IPv4 subnet ranges.

To remove a secondary IPv4 range from a subnet, use the subnets update command.

gcloud compute networks subnets update SUBNET \
  --region=REGION \
  --remove-secondary-ranges=SECONDARY_RANGE_NAME

Replace the following:

  • SUBNET: the name of the subnet.
  • REGION: the region in which the subnet is located.
  • SECONDARY_RANGE_NAME: the name of the secondary range to remove.

API

To modify secondary IPv4 address ranges for an existing subnet, make a PATCH request to the subnetworks.patch method.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
{
  "secondaryIpRanges": [
  {
    "rangeName": "SECONDARY_RANGE_NAME",
    "ipCidrRange": "IP_RANGE"
  },
  {
    "rangeName": "SECONDARY_RANGE_NAME",
    "ipCidrRange": "IP_RANGE"
  }],
  "fingerprint": "SUBNETWORK_FINGERPRINT"
}

Replace the following:

  • PROJECT_ID: the ID of the project that contains the subnet to modify.
  • REGION: the name of the Google Cloud region that contains the subnet to modify.
  • SUBNET: the name of the subnet to modify.
  • SECONDARY_RANGE_NAME: a name for the secondary IPv4 address range.
  • IP_RANGE: the expanded IPv4 address range for the subnet. For valid ranges, see IPv4 subnet ranges.
  • SUBNET_FINGERPRINT: the fingerprint ID for the existing subnet, which is provided when you describe a subnet.

Modify networks

Convert an auto mode VPC network to custom mode

You can convert an auto mode VPC network to a custom mode VPC network using this procedure. Review the considerations for auto mode VPC networks for background information about reasons why you might want to do this.

Converting an auto mode VPC network to a custom mode VPC network preserves all of its automatically created subnets and any subnets you have added. Subnet names and IP ranges are not changed.

After you convert an auto mode VPC network to custom mode, you must review all API calls and gcloud CLI commands that implicitly reference any subnet that was automatically created while the network was in auto mode. API calls and commands will need to be modified so that they reference the subnet explicitly. For gcloud CLI commands that have a subnet specification flag (--subnet), that flag is required to reference subnets in a custom mode VPC network.

To convert an auto mode VPC network to a custom mode VPC network, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Edit.

  4. In the Subnet creation mode section, choose Custom.

  5. Click Save.

gcloud

Use the networks update command.

gcloud compute networks update NETWORK \
    --switch-to-custom-subnet-mode

Replace NETWORK with the name of the network to update.

API

Make a POST request to the networks.switchToCustomMode method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK/switchToCustomMode

Replace the following:

  • PROJECT_ID: the ID of the project that contains the VPC network to convert.
  • NETWORK: the name of the VPC network to convert.

Assign an internal IPv6 range to a network

If you want to configure internal IPv6 addresses on a subnet, you must first enable internal IPv6 addresses on the VPC network. When you enable internal IPv6, a /48 unique local address (ULA) range is assigned to the network.

After you've enabled an internal IPv6 range for your VPC network, you can add dual-stack subnets or convert an IPv4 subnet to a dual-stack subnet.

To assign an internal IPv6 range to a network, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Edit.

  4. For VPC network ULA internal IPv6 range, select Enabled

  5. Optional: You can provide the prefix to use for the internal IPv6 range.

    1. For Allocate ULA internal IPv6 range, click Manually.
    2. Enter a /48 range from within the fd20::/20 range.

      If the range is in use, you are prompted to enter a different range.

  6. Click Save.

gcloud

Use the networks update command.

The --enable-ula-internal-ipv6 flag assigns a /48 prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want to select the /48 IPv6 range that is assigned, use the --internal-ipv6-range flag to specify a range.

gcloud compute networks update NAME \
    --enable-ula-internal-ipv6 \
    [ --internal-ipv6-range=ULA_IPV6_RANGE ]

Replace the following:

  • NAME: the name of the VPC network.
  • ULA_IPV6_RANGE: the range of IPv6 addresses to which you need to allocate a ULA prefix.

API

Make a PATCH request to the networks.insert method.

Setting enableUlaInternalIpv6 to true assigns a /48 range from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want to select which /48 IPv6 range is assigned, also use the internalIpv6Range field to specify a range.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networksa/NETWORK
{
  "enableUlaInternalIpv6": true,
  "internalIpv6Range": "ULA_IPV6_RANGE",
}

Replace the following:

  • PROJECT_ID: the ID of the project where the VPC network is created.
  • NETWORK: a name for the VPC network.
  • ULA_IPV6_RANGE: a /48 prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you don't provide a value for internalIpv6Range, Google selects a /48 prefix for the network.

Change the dynamic routing mode

Each VPC network has an associated dynamic routing mode that controls the behavior of Cloud Routers in the network. Refer to the dynamic routing mode section in VPC networks to understand how each mode affects how Cloud Routers share routes and apply learned routes.

To change a VPC network's dynamic routing mode, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Edit.

  4. In the Dynamic routing mode section, choose either Global or Regional.

  5. Click Save.

gcloud

Use the networks update command.

gcloud compute networks update NETWORK \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE

Replace the following:

  • NETWORK: the name of the VPC network to update.
  • DYNAMIC_ROUTING_MODE: controls the behavior of Cloud Routers in the network. Can be either global or regional. The default is regional. For more information, see dynamic routing mode.

API

Make a PATCH request to the subnetworks.patch method.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK
{
  "routingConfig": {
    "routingMode": "ROUTING_MODE"
  }
}

Replace the following:

  • PROJECT_ID: the ID of the project that contains the VPC network to modify.
  • NETWORK: the name of the VPC network to modify.
  • ROUTING_MODE: controls the behavior of Cloud Routers in the network. Can be either GLOBAL or REGIONAL. The default is REGIONAL. For more information, see dynamic routing mode.

Change the MTU of a network

For information about changing the MTU of a VPC network, see Change the MTU setting of a VPC network.

Delete a network

If a network is not being used, you can delete it. Before you can delete a network, you must delete all resources in all of its subnets, and all resources that reference the network. Resources that reference the network include Cloud VPN gateways, Cloud Routers, Serverless VPC Access connectors and their connected services, firewall rules, and custom static routes.

To delete a VPC network, do the following.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Delete VPC network.

  4. In the message that appears, click Delete to confirm.

gcloud

Use the networks delete command.

gcloud compute networks delete NETWORK

Replace NETWORK with the name of the network to delete.

API

Make a DELETE request to the networks.delete method.

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK

Replace the following:

  • PROJECT_ID: the ID of the project that contains the VPC network to delete.
  • NETWORK: the name of the VPC network to delete.

Monitor your VPC network

You can enable logging of network flows to and from VMs. See Using VPC Flow Logs for instructions.

You can enable logging for firewall rules to see which rules allowed or blocked which traffic. See Using Firewall Rules Logging for instructions.

Migrate VMs

You can migrate your virtual machine (VM) instances from one network to another within a given project. For instructions, see Migrating a VM between networks.

Troubleshooting

Error: Constraint constraints/compute.requireVpcFlowLogs violated

This error occurs if both of these conditions apply:

  • An organization policy constraint has been set that requires that VPC Flow Logs is configured.

  • You create a subnet, or update the VPC Flow Logs configuration of an existing subnet, and the configuration does not meet the requirements of the policy.

For more information about this constraint and its effects on subnet creation and updates, see Organization policy constraints for VPC Flow Logs.

Resource not found error

When deleting a VPC network, you might see a message that is similar to the following: The resource "aet-uscentral1-subnet--1-egrfw" was not found.

For information about this error and its solution, see Resource not found error in the VPC firewall rules documentation.

What's next

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how VPC performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Try VPC free