Create a hybrid subnet

Hybrid Subnets helps you migrate workloads from an on-premises subnet to a Virtual Private Cloud (VPC) subnet without needing to change any IP addresses. This document describes the steps to create a hybrid subnet, migrate workloads to the Google Cloud part of a hybrid subnet, and test connectivity in a hybrid subnet.

Before you begin

Required roles

To get the permissions that you need to create a hybrid subnet, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on your project. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Configure hybrid subnet routing

To configure hybrid subnet routing, do one of the following:

  • Create a new subnet that has hybrid subnet routing enabled.
  • Enable hybrid subnet routing for an existing subnet.

Create a new subnet with hybrid subnet routing enabled

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of the VPC network where you want to create a hybrid subnet.

  3. Click the Subnets tab.

  4. Click Add subnet. In the panel that appears:

    1. Provide a Name.
    2. Select a Region.
    3. In the Purpose section, select None.
    4. In the Stack type section, select IPv4 (single-stack).
    5. In the IPv4 range field, enter the IPv4 address range of the segment of your on-premises network that you want to use for the hybrid subnet.
    6. In the Private Google Access section, select Off.
    7. In the Hybrid subnet section, select On.
    8. Click Add.

Enable hybrid subnet routing for an existing subnet

You can enable hybrid subnet routing for an existing subnet whose primary IPv4 address range matches the range of the segment of the on-premises network that you want to use for the hybrid subnet.

To enable hybrid subnet routing for an existing subnet, enable CIDR routes overlap for that subnet. This modifies the VPC network routing behavior to allow overlap between the subnet's IP address range and those of custom dynamic routes.

For more information about CIDR routes overlap, see the allowSubnetCidrRoutesOverlap field in the Compute Engine API reference.

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of the VPC network that contains the subnet that you want to update.

  3. Click the Subnets tab.

  4. Click the subnet that you want to update.

  5. Click Edit.

  6. In the Hybrid subnet section, select On.

  7. Click Save.

gcloud

Use the gcloud beta compute networks subnets update command.

gcloud beta compute networks subnets update SUBNET \
    --region=REGION \
    --allow-cidr-routes-overlap

Replace the following:

  • SUBNET: the name of the subnet.
  • REGION: the region of the subnet.

API

  1. Find the fingerprint ID of your subnet.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the ID of your project
    • REGION: the region of your subnet
    • SUBNET_NAME: the name of your subnet

    HTTP method and URL:

    GET https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME

    You should receive a JSON response similar to the following:

    {
      "kind": "compute#subnetwork",
      "id": "5514771331600183201",
      "creationTimestamp": "2022-09-16T12:41:02.010-07:00",
      "name": "subnet-name",
      "network": "https://www.googleapis.com/compute/v1/projects/project-name/global/networks/network-name",
      "ipCidrRange": "10.6.0.0/16",
      "gatewayAddress": "10.6.0.1",
      "region": "https://www.googleapis.com/compute/v1/projects/project-name/regions/us-central1",
      "selfLink": "https://www.googleapis.com/compute/v1/projects/project-name/regions/us-central1/subnetworks/subnet-name",
      "privateIpGoogleAccess": true,
      "fingerprint": "YiItidAFRsA5",
      "allowSubnetCidrRoutesOverlap": false,
      "enableFlowLogs": true,
      "privateIpv6GoogleAccess": "DISABLE_GOOGLE_ACCESS",
      "purpose": "PRIVATE",
      "stackType": "IPV4_ONLY"
    }
    

  2. Enable hybrid subnet routing.

    Before using any of the request data, replace SUBNET_FINGERPRINT with the fingerprint ID of your subnet that you found in the previous request—for example, YiItidAFRsA5.

    HTTP method and URL:

    PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME

    Request JSON body:

    {
      "allowSubnetCidrRoutesOverlap": true,
      "fingerprint": "SUBNET_FINGERPRINT"
    }
    

    You should receive a JSON response similar to the following:

    {
      "kind": "compute#operation",
      "id": "5973660558170953708",
      "name": "operation-1680288003494-5f8368991917a-59bf1c92-1897c7c6",
      "operationType": "compute.subnetworks.patch",
      "targetLink": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1/subnetworks/subnet-name",
      "targetId": "5514771331600183201",
      "status": "RUNNING",
      "user": "user@gmail.com",
      "progress": 0,
      "insertTime": "2023-03-31T11:40:03.882-07:00",
      "startTime": "2023-03-31T11:40:03.893-07:00",
      "selfLink": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1/operations/operation-1680288003494-5f8368991917a-59bf1c92-1897c7c6",
      "region": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1"
    }
    

  3. To verify that allowSubnetCidrRoutesOverlap is enabled for your subnet, make another GET request and ensure that the response includes the following:

    • "allowSubnetCidrRoutesOverlap": true

Configure route advertisement

Configure the Border Gateway Protocol (BGP) session for your hybrid connectivity product—VPN tunnel, VLAN attachment, or router appliance virtual machine (VM) instance—to advertise only custom IPv4 and IPv6 prefixes.

Test on-premises connectivity from your VPC network

To test connectivity between your hybrid subnet and the overlapping IP address range of your on-premises network, you can do the following:

  1. Create a test VM in your VPC network's hybrid subnet.
  2. Note the primary internal IPv4 address of the test VM.
  3. Update the custom route advertisement of the Cloud Router's BGP session to include a /32 custom route advertisement for the primary internal IPv4 address of your test VM.
  4. Use SSH to connect to the VM.
  5. At the operating system prompt, use ICMP to ping the IP address of an on-premises system in the hybrid subnet.

If the ping test fails, ensure that Google Cloud firewall rules and the on-premises firewall permit ICMP within the IP address ranges of the hybrid subnet.

Move workloads and update routing

Each time you migrate a workload or group of workloads, complete the following steps together.

Migrate workloads

Migrate workloads and VMs from your on-premises network to your VPC network by using your preferred method. For migrating VMs to Compute Engine, we recommend using Migrate to Virtual Machines.

For information about migration options, see Hybrid Subnets and Migrate to Virtual Machines.

Update custom route advertisement

As you migrate VMs to Google Cloud, update the custom route advertisement of your Cloud Router's BGP session to include the primary internal IPv4 address of each migrated VM. Add individual IP addresses by using a /32 custom route advertisement.

For contiguous IP address blocks, consolidate addresses into as few custom advertisements as possible. The advertisements must remain more specific (have longer subnet masks) than the hybrid subnet's IP address range.
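The two rules above (collapse migrated addresses into as few advertisements as possible, and keep every advertisement more specific than the hybrid subnet's range), together with the precondition from "Enable hybrid subnet routing for an existing subnet" (the subnet's primary IPv4 range must match the on-premises segment), checked in Python. This is an added example, not Google's code: SAMPLE_SUBNET is a constructed fragment in the shape of the GET response shown earlier, and the function names are assumptions.

```python
import ipaddress
import json

# Constructed fragment of a subnetworks GET response (illustrative values only).
SAMPLE_SUBNET = json.loads("""{
  "ipCidrRange": "10.6.0.0/16",
  "allowSubnetCidrRoutesOverlap": true,
  "stackType": "IPV4_ONLY",
  "purpose": "PRIVATE"
}""")


def check_hybrid_subnet(subnet, onprem_segment):
    """Return the problems that would stop this subnet acting as a hybrid subnet."""
    problems = []
    if ipaddress.ip_network(subnet["ipCidrRange"]) != ipaddress.ip_network(onprem_segment):
        problems.append("primary IPv4 range does not match the on-premises segment")
    if not subnet.get("allowSubnetCidrRoutesOverlap", False):
        problems.append("allowSubnetCidrRoutesOverlap is not enabled")
    if subnet.get("stackType") != "IPV4_ONLY":
        problems.append("stack type is not IPv4 (single-stack)")
    return problems


def consolidate_advertisements(hybrid_range, migrated_ips):
    """Collapse migrated VM addresses into the fewest custom advertisements.

    Every resulting prefix must lie inside the hybrid subnet and be more specific
    than it; otherwise it could not override the subnet route for on-premises traffic.
    """
    subnet = ipaddress.ip_network(hybrid_range)
    hosts = []
    for ip in migrated_ips:
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            raise ValueError(f"{ip} is outside the hybrid subnet {hybrid_range}")
        hosts.append(ipaddress.ip_network(f"{addr}/32"))
    # collapse_addresses merges adjacent /32s into supernets until no merge is possible.
    ranges = list(ipaddress.collapse_addresses(hosts))
    for r in ranges:
        if r.prefixlen <= subnet.prefixlen:
            raise ValueError(f"advertisement {r} is not more specific than {subnet}")
    return [str(r) for r in ranges]
```

The returned prefixes are what you add to the Cloud Router BGP session's custom route advertisement; the checker is meant to run against the real GET response before you patch the subnet.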

Test connectivity to a migrated VM from your on-premises network

To test connectivity to a VM that you migrated to Google Cloud, you can do the following:

  1. Ensure that you updated the custom route advertisements for the BGP sessions that manage hybrid connectivity. The route advertisements must include the primary internal IPv4 address of the migrated VM.
  2. Send an ICMP ping from an on-premises system to the IP address of the migrated VM.

What's next