Create and modify Virtual Private Cloud (VPC) networks

This page describes how to create, modify, and delete VPC networks. This page assumes that you are familiar with the characteristics of VPC networks as described in the VPC network overview. Networks and subnets are different resources in Google Cloud.

If you plan to enable IPv6 ranges on subnets, see IPv6 subnet ranges.

Create networks

You can choose to create an auto mode or custom mode VPC network. Each new network that you create must have a unique name within the same project.

Create an auto mode VPC network

When you create an auto mode VPC network, one subnet is created in each Google Cloud region. As new regions become available, new subnets in those regions are automatically added to the auto mode VPC network. IPv4 ranges for the automatically created subnets come from a predetermined set of ranges. All auto mode VPC networks use the same set of IPv4 ranges.

Subnets with IPv6 ranges are not supported on auto mode VPC networks. Create a custom mode VPC network if you want to create dual-stack subnets.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click Create VPC network.
  3. Enter a Name for the network.
  4. Choose Automatic for the Subnet creation mode.
  5. In the Firewall rules section, select zero or more predefined firewall rules. The rules address common use cases for connectivity to instances. Before you select a rule, review its source ranges, protocols, and ports; predefined rules are ordinary firewall rules that you can edit or delete after the network is created.

    Whether or not you select predefined rules, you can create your own firewall rules after you create the network.

    Each predefined rule name starts with the name of the VPC network that you are creating, NETWORK. In the IPv4 firewall rules tab, the predefined ingress firewall rule named NETWORK-allow-custom is editable. By default it specifies the source range 10.128.0.0/9, which contains current and future IPv4 ranges for subnets in an auto mode network. On the right side of the row that contains the rule, click Edit to select subnets, add additional IPv4 ranges, and specify protocols and ports.

  6. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  7. Maximum transmission unit (MTU): Choose whether the network has an MTU of 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

  8. Click Create.

gcloud

gcloud compute networks create NETWORK \
    --subnet-mode=auto \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \
    --mtu=MTU

Replace the placeholders with valid values:

  • NETWORK is a name for the VPC network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.
  • MTU is the maximum transmission unit of the network. MTU can either be 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

API

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": true,
  "name": "NETWORK",
  "mtu": MTU
}

Replace the following:

  • PROJECT_ID is the ID of the project where the VPC network is created.
  • NETWORK is a name for the VPC network.
  • MTU is the maximum transmission unit of the network. MTU can either be 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

To specify the dynamic routing mode of the VPC network, use the routingConfig field:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "routingConfig": {
    "routingMode": "DYNAMIC_ROUTING_MODE"
  },
  "autoCreateSubnetworks": true,
  "name": "NETWORK",
  "mtu": MTU
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the VPC network is created.
  • NETWORK is a name for the VPC network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the route advertisement behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.
  • MTU is the maximum transmission unit of the network. MTU can either be 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

For more information, refer to the networks.insert method.

Terraform

You can create an auto mode VPC network by using a Terraform resource.

MTU is the maximum transmission unit of the network. You can retain the default 1460 setting or replace it with 1500. Before setting the MTU to 1500, review the maximum transmission unit overview.

resource "google_compute_network" "vpc_network" {
  project                 = var.project_id # Replace this with your project ID in quotes
  name                    = "my-auto-mode-network"
  auto_create_subnetworks = true
  mtu                     = 1460
}

Create a custom mode VPC network with only IPv4 subnets

For custom mode VPC networks, create a network, then create the subnets that you want within a region. You do not have to specify subnets for all regions right away, or even at all, but you cannot create instances in a region that has no subnet defined. Finally, define the firewall rules for your network.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click Create VPC network.
  3. Enter a Name for the network.
  4. Choose Custom for the Subnet creation mode.
  5. In the New subnet section, specify the following configuration parameters for a subnet:

    1. Provide a Name for the subnet.
    2. Select a Region.
    3. Enter an IP address range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    4. To define a secondary range for the subnet, click Create secondary IP range.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    5. Private Google Access: Choose whether to enable Private Google Access for the subnet when you create it or later by editing it.

    6. Flow logs: Choose whether to enable VPC flow logs for the subnet when you create it or later by editing it.

    7. Click Done.

  6. To add more subnets, click Add subnet and repeat the previous steps. You can also add more subnets to the network after you have created the network.

  7. In the Firewall rules section, select zero or more predefined firewall rules in the IPv4 firewall rules. The rules address common use cases for connectivity to instances.

    If you don't select any predefined rules, you can create your own firewall rules after you create the network.

    Each predefined rule name starts with the name of the VPC network that you are creating, NETWORK. In the IPv4 firewall rules tab, the predefined ingress firewall rule named NETWORK-allow-custom is editable. On the right side of the row that contains the rule, click Edit to select subnets, add additional IPv4 ranges, and specify protocols and ports.

    The NETWORK-allow-custom firewall rule is not automatically updated if you later add additional subnets. If you need firewall rules for the new subnets, you must update the firewall configuration to add the rules.

  8. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  9. Maximum transmission unit (MTU): Choose whether the network has an MTU of 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

  10. Click Create.

gcloud

gcloud compute networks create NETWORK \
    --subnet-mode=custom \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \
    --mtu=MTU

Replace the placeholders with valid values:

  • NETWORK is a name for the VPC network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the route advertisement behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.
  • MTU is the maximum transmission unit of the network. MTU can either be 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

Next, add subnets to your network.

API

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": false,
  "name": "NETWORK",
  "mtu": MTU,
  "routingConfig": {
    "routingMode": "DYNAMIC_ROUTING_MODE"
  }
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the VPC network is created.
  • NETWORK is a name for the VPC network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the route advertisement behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.
  • MTU is the maximum transmission unit of the network. MTU can either be 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

For more information, refer to the networks.insert method.

Next, add subnets to your network.

Terraform

You can create a custom mode VPC network by using a Terraform resource.

MTU is the maximum transmission unit of the network. You can retain the default 1460 setting or replace it with 1500. Before setting the MTU to 1500, review the maximum transmission unit overview.

resource "google_compute_network" "vpc_network" {
  project                 = var.project_id # Replace this with your project ID in quotes
  name                    = "my-custom-mode-network"
  auto_create_subnetworks = false
  mtu                     = 1460
}

Next, add subnets to your network.

Create a custom mode VPC network with a dual-stack subnet

You can create subnets when you create the network, or you can add them later.

A subnet can have one of the following configurations for its primary IP address ranges:

  • Single-stack: Internal IPv4 range only
  • Dual-stack: Internal IPv4 range and internal IPv6 range
  • Dual-stack: Internal IPv4 range and external IPv6 range

Each subnet in a VPC can have different configurations; you do not need to configure them all as dual-stack, for example.

To configure subnets with internal IPv6 ranges, enable a VPC network ULA internal IPv6 range. Internal IPv6 subnet ranges are allocated from this range.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click Create VPC network.
  3. Enter a Name for the network.
  4. If you want to configure internal IPv6 address ranges on subnets in this network, complete these steps:

    1. For VPC network ULA internal IPv6 range, select Enabled.
    2. For Allocate internal IPv6 range, select Automatically or Manually.

      If you select Manually, enter a /48 range from within the fd20::/20 range. If the range is in use, you are prompted to provide a different range.

  5. For Subnet creation mode, choose Custom.

  6. In the New subnet section, specify the following configuration parameters for a subnet:

    1. Provide a Name for the subnet.
    2. Select a Region.
    3. To create a dual-stack subnet, for IP stack type, select IPv4 and IPv6 (dual-stack).
    4. Enter an IPv4 range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    5. Select an IPv6 access type: External or Internal.

    6. Click Done.

  7. To add more subnets, click Add subnet and repeat the previous steps.

    Each subnet in a VPC network can have different stack type and IPv6 access type configurations. You do not need to configure all subnets in a given network as dual-stack subnets.

    You can also add more single-stack or dual stack subnets to the network after you create the network.

  8. In the Firewall rules section, select zero or more predefined firewall rules in the IPv4 firewall rules and IPv6 firewall rules tabs. The rules address common use cases for connectivity to instances.

    If you don't select any predefined rules, you can create your own firewall rules after you create the network.

    Each predefined rule name starts with the name of the VPC network that you are creating, NETWORK. In both the IPv4 firewall rules tab and the IPv6 firewall rules tab, there is an editable predefined ingress firewall rule; the IPv4 rule is named NETWORK-allow-custom and the IPv6 rule is named NETWORK-allow-ipv6-custom. On the right side of the row that contains the rule, click Edit to select subnets, add additional IP ranges, and specify protocols and ports.

    The NETWORK-allow-custom and NETWORK-allow-ipv6-custom firewall rules are not automatically updated if you later add subnets. If the new subnets need firewall rules, you must update the firewall configuration to add them.

  9. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  10. Maximum transmission unit (MTU): Choose whether the network has an MTU of 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

  11. Click Create.

gcloud

Create a new custom mode VPC network. After you have created your network, you can add IPv4 only subnets and dual-stack subnets to it.

If you want to configure internal IPv6 ranges on any subnets in this network, use the --enable-ula-internal-ipv6 flag. This option assigns a /48 ULA prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want to select the /48 IPv6 range that is assigned, use the --internal-ipv6-range flag to specify a range.

You can omit both flags if you want to configure only external IPv6 on subnets in this VPC network.

gcloud compute networks create NETWORK \
    --subnet-mode=custom \
    [ --enable-ula-internal-ipv6 [ --internal-ipv6-range=ULA_IPV6_RANGE ]] \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \
    --mtu=MTU

Replace the placeholders with valid values:

  • NETWORK: a name for the VPC network.

  • ULA_IPV6_RANGE: a /48 prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you don't use the --internal-ipv6-range flag, Google selects a /48 prefix for the network.

  • DYNAMIC_ROUTING_MODE: can be either global or regional to control the route advertisement behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.

  • MTU: the maximum transmission unit of the network. MTU can either be 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.

API

Create a new custom mode VPC network. After you have created the network, you can add IPv4 only subnets and dual-stack subnets to it.

If you want to configure internal IPv6 ranges on any subnets in this network, set enableUlaInternalIpv6 to true. This option assigns a /48 range from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want to select which /48 IPv6 range that is assigned, also use the internalIpv6Range field to specify a range.

You can omit both fields if you want to configure only external IPv6 on subnets in this VPC network.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": false,
  "name": "NETWORK",
  "mtu": MTU,
  "enableUlaInternalIpv6": true,
  "internalIpv6Range": "ULA_IPV6_RANGE",
  "routingConfig": {
    "routingMode": "DYNAMIC_ROUTING_MODE"
  }
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the VPC network is created.
  • NETWORK is a name for the VPC network.
  • MTU is the maximum transmission unit of the network. MTU can either be 1460 (default) or 1500. Review the maximum transmission unit overview before setting the MTU to 1500.
  • ULA_IPV6_RANGE: a /48 prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you don't provide a value for internalIpv6Range, Google selects a /48 prefix for the network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the route advertisement behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.

For more information, refer to the networks.insert method.

About firewall rules

After you create a network, create firewall rules to allow or deny traffic between resources in the network, such as communication between VM instances. You also use firewall rules to control what traffic leaves or enters the VPC network to or from the internet. Every VPC network also has two implied rules that you cannot delete: one that allows all egress traffic and one that denies all ingress traffic. Both have the lowest possible priority (65535), so any rule that you create takes precedence over them. Until you create an ingress allow rule, nothing can reach your instances; until you create an egress deny rule, instances can reach any destination.
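As an added example (not code from the Google Cloud documentation or from gcloud), the following Python script runs two checks on firewall rules that already exist in a network, using dictionaries in the shape of the firewall and subnetwork resources that the API and `gcloud ... --format=json` return (`sourceRanges`, `allowed`, `denied`, `direction`, `disabled`, `ipCidrRange`, `secondaryIpRanges`). It reports subnet ranges that a NETWORK-allow-custom style rule does not cover, which is the situation the console steps above warn about when subnets are added after the network, and it lists enabled ingress allow rules reachable from any internet address. The subnets, rules, and function names below are constructed for illustration.

```python
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def uncovered_subnet_ranges(subnets, rule):
    """Return (subnet name, range) pairs for every primary or secondary subnet
    range that is not fully contained in one of the rule's sourceRanges.

    Run it against NETWORK-allow-custom (or NETWORK-allow-ipv6-custom) after
    adding subnets, because those rules are not updated automatically."""
    sources = _networks(rule.get("sourceRanges", []))
    uncovered = []
    for s in subnets:
        cidrs = [s["ipCidrRange"]]
        cidrs += [r["ipCidrRange"] for r in s.get("secondaryIpRanges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            # subnet_of() only compares networks of the same IP version.
            if not any(net.version == src.version and net.subnet_of(src) for src in sources):
                uncovered.append((s["name"], cidr))
    return uncovered


def internet_exposed_rules(rules):
    """Return (rule name, ["proto:ports", ...]) for enabled INGRESS allow rules
    whose sourceRanges contain 0.0.0.0/0 or ::/0, i.e. rules reachable from the internet."""
    exposed = []
    for r in rules:
        if r.get("disabled") or r.get("direction", "INGRESS") != "INGRESS":
            continue
        if "allowed" not in r:
            continue  # deny rules do not expose anything
        if any(src in (ANY_V4, ANY_V6) for src in _networks(r.get("sourceRanges", []))):
            what = [f"{a['IPProtocol']}:{','.join(a.get('ports', ['all']))}" for a in r["allowed"]]
            exposed.append((r["name"], what))
    return exposed


# Constructed sample: subnet-02 was added after the network (and its allow-custom
# rule) was created, so the rule's source ranges do not include it.
SUBNETS = [
    {"name": "subnet-01", "ipCidrRange": "10.10.10.0/24",
     "secondaryIpRanges": [{"rangeName": "pods", "ipCidrRange": "10.20.0.0/16"}]},
    {"name": "subnet-02", "ipCidrRange": "192.168.5.0/24"},
]
RULES = [
    {"name": "net1-allow-custom", "direction": "INGRESS",
     "sourceRanges": ["10.10.10.0/24", "10.20.0.0/16"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "net1-allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "net1-deny-rdp-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "net1-old-rdp", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]

if __name__ == "__main__":
    custom = next(r for r in RULES if r["name"].endswith("-allow-custom"))
    print("not covered by allow-custom:", uncovered_subnet_ranges(SUBNETS, custom))
    print("open to the internet:", internet_exposed_rules(RULES))
```

On the sample data the first check reports subnet-02's primary range and the second check reports only the enabled SSH rule; the disabled RDP rule and the deny rule are skipped. To run it against a real project, replace the constructed lists with the JSON output of `gcloud compute networks subnets list --network=NETWORK --format=json` and `gcloud compute firewall-rules list --format=json`.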

View networks

View the VPC and legacy networks in your project. For VPC networks, you can view information about their subnets and their subnet creation mode.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks

    The console lists all of your VPC and legacy networks.

  2. Select a VPC network to view its details, such as its peering connections and subnets.

gcloud

  1. List the networks in your project, as shown in the following example.

    gcloud compute networks list
    

    The command lists all of your VPC and legacy networks. Legacy networks show a subnet creation mode of LEGACY, while VPC networks show either AUTO or CUSTOM.

    NAME             SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE     GATEWAY_IPV4
    custom-network   CUSTOM       REGIONAL
    default          AUTO         REGIONAL
    legacy-network1  LEGACY       REGIONAL          10.240.0.0/16  10.240.0.1
    
  2. Describe a network to view its details, such as its peering connections and subnets.

    gcloud compute networks describe NETWORK
    

API

  1. List all networks in your project.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
    

    Replace PROJECT_ID with the ID of the project that contains the VPC networks to list.

    For more information, refer to the networks.list method.

  2. Describe a network to view its details.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK
    

    Replace the placeholders with valid values:

    • PROJECT_ID is the ID of the project that contains the VPC network.
    • NETWORK is the name of the VPC network to describe.

    For more information, refer to the networks.get method.

Work with subnets

You must follow these rules when creating or editing a subnet:

  • Within a project, a subnet cannot have the same name as a VPC network unless it is a member of that network. Within a project, subnets in the same region must have unique names. For example, a network named production can have multiple subnets also named production as long as each of those subnets is in a unique region.

  • You cannot change the name or region of a subnet after you have created it. However, you can delete a subnet and replace it, as long as no resources are using it.

  • Each subnet must have a primary IPv4 range, and, optionally, one or more secondary IPv4 ranges for alias IP. The per network limits describe the maximum number of secondary ranges that you can define for each subnet. Primary and secondary IPv4 ranges must be a valid range.

    • Within a VPC network, all primary and secondary IPv4 ranges must be unique, but they do not need to be contiguous. For example, the primary range of a subnet can be 10.0.0.0/24 while the primary range of another subnet in the same network can be 192.168.0.0/16.

    • The primary IPv4 range for the subnet can be expanded, but not replaced or shrunk, after the subnet has been created.

    • You can remove and replace a subnet's secondary IPv4 address range only if no instances are using that range.

    • The minimum primary or secondary range size is eight IPv4 addresses. In other words, the longest subnet mask you can use is /29.

  • Primary and secondary ranges for subnets cannot overlap with any allocated range, any primary or secondary range of another subnet in the same network, or any IPv4 ranges of subnets in peered networks.

  • Google Cloud creates corresponding subnet routes for both primary and secondary IP ranges. Subnet routes, and therefore subnet IP ranges, must have the most specific IP ranges by definition.

    • Primary and secondary ranges can't conflict with on-premises IP ranges if you have connected your VPC network to another network with Cloud VPN, Dedicated Interconnect, or Partner Interconnect.

    • IPv4 ranges for all subnets must be unique among VPC networks that are connected to one another by VPC Network Peering.

    • Subnet IPv4 ranges cannot conflict with destinations for static routes.

    • Avoid using IPv4 addresses from the 10.128.0.0/9 block for a subnet's primary or secondary IPv4 ranges. Automatically created subnets in auto mode VPC networks use IPv4 addresses from this block. If you use IP addresses in the 10.128.0.0/9 block, you will not be able to connect your network to an auto mode VPC network using VPC Peering or with Cloud VPN tunnels.

List subnets

You can see all the subnets that exist for a project.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
    Subnets in all VPC networks are shown.
  2. Click the name of a network then click the Subnets tab on the VPC network details page to view subnets for just that network, instead of for all networks.

gcloud

You can list all subnets in all networks in your project, or you can show only the subnets for a particular network or region. The following list shows example commands.

  • Use this command to list all subnets in all VPC networks, in all regions:

    gcloud compute networks subnets list
    
  • Use this command to list all subnets in a particular VPC network, replacing NETWORK with the name of the network:

    gcloud compute networks subnets list \
       --network=NETWORK
    
  • Use this command to list all subnets in a particular region, replacing REGION with a region name:

    gcloud compute networks subnets list \
       --filter="region:( REGION … )"
    

API

List all subnets in your project.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/subnetworks

Replace PROJECT_ID with the ID of the project that contains the subnets to list.

For more information, refer to the subnetworks.aggregatedList method.

Describe a subnet

You can view details of an existing subnet, such as its primary IPv4 ranges, any secondary IP ranges, any IPv6 ranges, and its region, by following the steps in this section.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.
  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.

gcloud

  1. List subnets to determine the names and regions of existing subnets in your project.

  2. Describe the subnet, replacing SUBNET with its name and REGION with its region.

    gcloud compute networks subnets describe SUBNET \
        --region=REGION
    

API

  1. List subnets in a particular region to find the subnet's name.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
    

    Replace the placeholders with valid values:

    • PROJECT_ID is the ID of the project that contains the subnets to list.
    • REGION is the name of the Google Cloud region that contains the subnets to list.

    For more information, refer to the subnetworks.list method.

  2. Describe the subnet to view its details.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
    

    Replace the placeholders with valid values:

    • PROJECT_ID is the ID of the project that contains the subnet to describe.
    • REGION is the name of the Google Cloud region that contains the subnet to describe.
    • SUBNET is the name of the subnet to describe.

    For more information, refer to the subnetworks.get method.

Add an IPv4 only subnet

When you create a subnet, you set a name, a region, and at least a primary IPv4 address range according to the subnet rules.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Add subnet. In the panel that appears:

    1. Provide a Name.
    2. Select a Region.
    3. Enter an IP address range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    4. To define a secondary range for the subnet, click Create secondary IP range.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    5. Private Google access: You can enable Private Google Access for the subnet when you create it or later by editing it.

    6. Flow logs: You can enable VPC flow logs for the subnet when you create it or later by editing it.

    7. Click Add.

gcloud

gcloud compute networks subnets create SUBNET \
    --network=NETWORK \
    --range=PRIMARY_RANGE \
    --region=REGION

Replace the placeholders with valid values:

  • SUBNET is a name for the new subnet.
  • NETWORK is the name of the VPC network that will contain the new subnet.
  • PRIMARY_RANGE is the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges.
  • REGION is the Google Cloud region in which the new subnet will be created.

You can modify the previous command with the following optional flags:

  • --secondary-range=SECONDARY_RANGE_NAME=SECONDARY_RANGE: Replace SECONDARY_RANGE_NAME with a name for the secondary range and SECONDARY_RANGE with a secondary range in CIDR notation. The per network limits describe the maximum number of secondary ranges that you can define for each subnet.
  • --enable-flow-logs: Enables VPC Flow Logs in the subnet at creation time.
  • --enable-private-ip-google-access: Enables Private Google Access in the subnet at creation time.
  • --purpose: Enables you to create a proxy-only subnet for Internal HTTP(S) Load Balancing.
  • --role: For Internal HTTP(S) Load Balancing only, enables you to specify a role (active or backup) for a proxy-only subnet.

Next, create firewall rules.

API

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
  "ipCidrRange": "IP_RANGE",
  "network": "NETWORK_URL",
  "name": "SUBNET"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to modify.
  • REGION is the name of the Google Cloud region where the subnet is added.
  • IP_RANGE is the primary IPv4 address range for the subnet. For more information, see IPv4 subnet ranges.
  • NETWORK_URL is the URL of the VPC network where you're adding the subnet.
  • SUBNET is a name for the subnet.

For more information, refer to the subnetworks.insert method.

Next, create firewall rules.

Terraform

You can create a custom mode VPC network and subnets by using a Terraform module.

MTU is the maximum transmission unit of the network. You can retain the default 1460 setting or replace it with 1500. Before setting the MTU to 1500, review the maximum transmission unit overview.

module "test-vpc-module" {
  source       = "terraform-google-modules/network/google"
  version      = "~> 4.0.1"
  project_id   = var.project_id # Replace this with your project ID in quotes
  network_name = "my-custom-mode-network"
  mtu          = 1460

  subnets = [
    {
      subnet_name   = "subnet-01"
      subnet_ip     = "10.10.10.0/24"
      subnet_region = "us-west1"
    },
    {
      subnet_name           = "subnet-02"
      subnet_ip             = "10.10.20.0/24"
      subnet_region         = "us-west1"
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
    {
      subnet_name               = "subnet-03"
      subnet_ip                 = "10.10.30.0/24"
      subnet_region             = "us-west1"
      subnet_flow_logs          = "true"
      subnet_flow_logs_interval = "INTERVAL_10_MIN"
      subnet_flow_logs_sampling = 0.7
      subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
      subnet_flow_logs_filter   = "false"
    }
  ]
}

Next, create firewall rules.

Add a dual-stack subnet

Dual-stack subnets have both IPv4 and IPv6 address ranges.

You can create a subnet with external or internal IPv6 addresses enabled. Configuring an IPv6 range on a subnet does not configure IPv6 on VMs that you connect to that subnet. For more information about configuring IPv6 on VMs, see configure IPv6 addresses on VMs.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Add subnet. In the panel that appears:

    1. Provide a Name.
    2. Select a Region.
    3. For IP stack type, select IPv4 and IPv6 (dual-stack).
    4. Enter an IPv4 range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    5. Select an IPv6 access type: Internal or External.

      If you want to set the access type to Internal, but the Internal option is not available, check that an internal IPv6 range is assigned on the network.

    6. Click Add.

gcloud

gcloud compute networks subnets create SUBNET \
    --network=NETWORK \
    --range=PRIMARY_IPv4_RANGE \
    --stack-type=IPV4_IPV6 \
    --ipv6-access-type=IPv6_ACCESS_TYPE \
    --region=REGION

Replace the placeholders with valid values:

  • SUBNET is a name for the new subnet.
  • NETWORK is the name of the VPC network that will contain the new subnet.
  • PRIMARY_IPv4_RANGE is the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges.
  • IPv6_ACCESS_TYPE is the IPv6 access type. It can be EXTERNAL or INTERNAL.
  • REGION is the Google Cloud region in which the new subnet will be created.

API

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
  "ipCidrRange": "IP_RANGE",
  "network": "NETWORK_URL",
  "name": "SUBNET",
  "stackType": "IPV4_IPV6",
  "ipv6AccessType": "IPv6_ACCESS_TYPE"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to modify.
  • REGION is the name of the Google Cloud region where the subnet is added.
  • IP_RANGE is the primary IPv4 address range for the subnet. For more information, see IPv4 subnet ranges.
  • NETWORK_URL is the URL of the VPC network where you're adding the subnet.
  • SUBNET is a name for the subnet.
  • IPv6_ACCESS_TYPE is the IPv6 access type. It can be EXTERNAL or INTERNAL.

For more information, refer to the subnetworks.insert method.

Change a subnet's stack type to dual-stack

Dual-stack subnets have both IPv4 and IPv6 subnet ranges. You can add either an internal or an external IPv6 subnet range to an existing IPv4 only subnet in a custom mode VPC network. For more information, see IPv6 subnet ranges.

Adding an IPv6 subnet range to a subnet does not configure IPv6 on connected VMs. For information about configuring VMs, see configure IPv6 on VMs.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click the name of a network to view the VPC network details page.
  3. In the Subnets tab, click the name of the subnet that you want to modify.
  4. In the Subnet details page, click Edit.
  5. For IP stack type, select IPv4 and IPv6 (dual-stack).
  6. Select an IPv6 access type: Internal or External.

    If you want to set the access type to Internal, but the Internal option is not available, check that an internal IPv6 range is assigned for the network.

  7. Click Save.

gcloud

gcloud compute networks subnets update SUBNET \
    --stack-type=IPV4_IPV6 \
    --ipv6-access-type=IPv6_ACCESS_TYPE \
    --region=REGION

Replace the placeholders with valid values:

  • SUBNET is the name of the subnet.
  • REGION is the Google Cloud region in which the subnet will be updated.
  • IPv6_ACCESS_TYPE is the IPv6 access type of the subnet. It can be EXTERNAL or INTERNAL.

API

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
{
  "stackType": "IPV4_IPV6",
  "ipv6AccessType": "IPv6_ACCESS_TYPE"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to modify.
  • REGION is the name of the Google Cloud region that contains the subnet.
  • SUBNET is the name of the subnet to modify.
  • IPv6_ACCESS_TYPE is the IPv6 access type. It can be EXTERNAL or INTERNAL.

Change subnet stack type to IPv4 only

You can change a subnet's stack type from IPv4 and IPv6 (dual-stack) to IPv4 only (single-stack) if the IPv6 access type is external.

If you make this change, you cannot create new dual-stack VMs that are connected to that subnet. However, existing dual-stack VMs are not affected. If you need to change a VM's stack type to be IPv4 only, see Change the stack type of a VM.

This change is supported in Google Cloud CLI and the API only.

Changing the stack type from IPv4 and IPv6 (dual-stack) to IPv4 only (single-stack) is not supported if the IPv6 access type is internal.

gcloud

gcloud compute networks subnets update SUBNET \
    --stack-type=IPV4_ONLY \
    --region=REGION

Replace the placeholders with valid values:

  • SUBNET is the name of the subnet.
  • REGION is the Google Cloud region in which the subnet will be updated.

API

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
{
  "stackType": "IPV4_ONLY"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to modify.
  • REGION is the name of the Google Cloud region that contains the subnet.
  • SUBNET is the name of the subnet.

Delete a subnet

Use the following directions to delete a manually created subnet. Before you can delete a subnet, you must delete all resources that use it. For example, you need to delete VMs, reserved internal IP addresses, internal forwarding rules, and Cloud NAT gateways that use the subnet.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks

    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.

  2. To view a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.

  3. Click Delete subnet.

  4. In the message that appears, click Delete to confirm.

gcloud

gcloud compute networks subnets delete SUBNET \
    --region=REGION

Replace the placeholders with valid values:

  • SUBNET is the name of the subnet to delete.
  • REGION is the region where the subnet exists.

API

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the subnet to delete.
  • REGION is the name of the Google Cloud region that contains the subnet to delete.
  • SUBNET is the name of the subnet to delete.

For more information, refer to the subnetworks.delete method.

Expand a primary IPv4 range

You can expand the primary IPv4 range of an existing subnet by modifying its subnet mask, setting the prefix length to a smaller number. The proposed new primary IPv4 range of the subnet must follow the subnet rules.

When expanding the IPv4 range of an automatically created subnet in an auto mode VPC network (or in a custom mode VPC network that was previously an auto mode VPC network), the broadest prefix (subnet mask) you can use is /16. Any prefix broader than /16 would conflict with the primary IPv4 ranges of the other automatically created subnets.

You can't expand subnets that are used exclusively for load balancer proxies. For more information, see Proxy-only subnets for load balancers.

Expanding the primary IPv4 range of a subnet can take several minutes to complete. During expansion, traffic within the subnet is not interrupted.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.
  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.
  3. Click Edit.
  4. Enter a new, broader CIDR block in the IP address range field.

    For valid ranges, see IPv4 subnet ranges.

  5. Click Save.

gcloud

gcloud compute networks subnets expand-ip-range SUBNET \
  --region=REGION \
  --prefix-length=PREFIX_LENGTH

Replace the placeholders with valid values:

  • SUBNET is the name of the subnet.
  • REGION is the region in which the subnet is located.
  • PREFIX_LENGTH is a subnet mask size in bits. If the primary IPv4 range is 10.1.2.0/24, you can supply 20 to reduce the subnet mask to 20 bits, which changes the primary IPv4 range to 10.1.0.0/20. Note that widening the mask also moves the network address to the start of the larger block. For valid ranges, see IPv4 subnet ranges.

API

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET/expandIpCidrRange
{
  "ipCidrRange": "IP_RANGE"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the subnet to modify.
  • REGION is the name of the Google Cloud region that contains the subnet to modify.
  • SUBNET is the name of the subnet to modify.
  • IP_RANGE is the expanded IPv4 address range for the subnet. For valid ranges, see IPv4 subnet ranges.

For more information, refer to the subnetworks.expandIpCidrRange method.
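Because an expansion can only be undone by deleting and recreating the subnet, it is worth computing the resulting range and checking it against the other ranges in the network before running the command. The following Python pre-flight check is an added example, not code from this page or from Google Cloud. It computes the range that expand-ip-range will produce (showing why 10.1.2.0/24 widened to /20 becomes 10.1.0.0/20), applies the /16 limit for automatically created subnets, checks the result against an inventory of other primary and secondary ranges, and builds the expandIpCidrRange request body. The inventory and the function names are constructed for the example; in practice you would fill the inventory from the subnet list of the network.

```python
"""Pre-flight check for expanding a subnet's primary IPv4 range (added example)."""
import ipaddress
import json

# Automatically created subnets in an auto mode network are carved from
# 10.128.0.0/9; expanding one past /16 collides with its sibling subnets.
AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")
AUTO_MODE_MIN_PREFIX = 16


def expanded_range(current_range: str, new_prefix: int) -> ipaddress.IPv4Network:
    """Compute the range expand-ip-range will produce when the mask is widened.

    The network address moves too: 10.1.2.0/24 widened to /20 is 10.1.0.0/20,
    not 10.1.2.0/20, so check the computed value rather than the one you typed.
    """
    current = ipaddress.ip_network(current_range, strict=True)
    if new_prefix >= current.prefixlen:
        raise ValueError(
            f"/{new_prefix} is not broader than the current /{current.prefixlen}; "
            "a primary range can only be expanded, never shrunk"
        )
    return current.supernet(new_prefix=new_prefix)


def check_expansion(current_range, new_prefix, other_ranges, auto_created=False):
    """Return (new_network, problems). An empty problems list means the
    expansion does not conflict with any of the ranges you supplied."""
    new_net = expanded_range(current_range, new_prefix)
    problems = []
    if auto_created and new_prefix < AUTO_MODE_MIN_PREFIX:
        problems.append(
            f"/{new_prefix} is broader than /{AUTO_MODE_MIN_PREFIX}, the limit for "
            f"automatically created subnets (siblings in {AUTO_MODE_BLOCK} would overlap)"
        )
    for name, cidr in other_ranges:
        other = ipaddress.ip_network(cidr)
        if new_net.overlaps(other):
            problems.append(f"{new_net} overlaps {name} ({other})")
    return new_net, problems


def expand_request_body(new_net) -> str:
    """JSON body for POST .../subnetworks/SUBNET/expandIpCidrRange."""
    return json.dumps({"ipCidrRange": str(new_net)})


# Constructed inventory standing in for the other primary and secondary
# ranges that `gcloud compute networks subnets list` would show for the network.
SAMPLE_OTHER_RANGES = [
    ("subnet-b primary", "10.1.16.0/20"),
    ("subnet-b secondary pods", "10.4.0.0/14"),
    ("subnet-c primary", "192.168.0.0/24"),
]

if __name__ == "__main__":
    for prefix in (20, 19):
        net, problems = check_expansion("10.1.2.0/24", prefix, SAMPLE_OTHER_RANGES)
        verdict = "; ".join(problems) if problems else "OK"
        print(f"/{prefix}: {net} -> {verdict}; body={expand_request_body(net)}")
```

With the constructed inventory, widening 10.1.2.0/24 to /20 yields 10.1.0.0/20 and passes, while /19 yields 10.1.0.0/19, which overlaps subnet-b's primary range and is reported before any API call is made.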

Edit secondary IPv4 ranges

You can add secondary IPv4 ranges to subnets, or you can remove any secondary IPv4 range as long as no resources are using IP addresses in it.

gcloud

Add a new secondary IPv4 range to a subnet using the following gcloud CLI command:

gcloud compute networks subnets update SUBNET \
  --region=REGION \
  --add-secondary-ranges=SECONDARY_RANGE_NAME=SECONDARY_RANGE

Replace the placeholders with valid values:

  • SUBNET is the name of the subnet.
  • REGION is the region in which the subnet is located.
  • SECONDARY_RANGE_NAME is a name for the secondary range.
  • SECONDARY_RANGE is the secondary IPv4 range in CIDR notation. For valid ranges, see IPv4 subnet ranges.

Remove a secondary IPv4 range from a subnet using the following gcloud CLI command:

gcloud compute networks subnets update SUBNET \
  --region=REGION \
  --remove-secondary-ranges=SECONDARY_RANGE_NAME

Replace the placeholders with valid values:

  • SUBNET is the name of the subnet.
  • REGION is the region in which the subnet is located.
  • SECONDARY_RANGE_NAME is the name of the secondary range to be removed.

API

Modify the secondary IPv4 address ranges of an existing subnet. The secondaryIpRanges list in the request replaces the subnet's current list, so include every secondary range that you want to keep. Pass the subnet's current fingerprint so that the request is rejected if the subnet has changed since you read it.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
{
  "secondaryIpRanges": [
  {
    "rangeName": "SECONDARY_RANGE_NAME",
    "ipCidrRange": "IP_RANGE"
  },
  {
    "rangeName": "SECONDARY_RANGE_NAME",
    "ipCidrRange": "IP_RANGE"
  }],
  "fingerprint": "SUBNETWORK_FINGERPRINT"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the subnet to modify.
  • REGION is the name of the Google Cloud region that contains the subnet to modify.
  • SUBNET is the name of the subnet to modify.
  • SECONDARY_RANGE_NAME is a name for the secondary IPv4 address range.
  • IP_RANGE is a secondary IPv4 address range for the subnet, in CIDR notation. It must not overlap the subnet's primary range or its other secondary ranges. For valid ranges, see IPv4 subnet ranges.
  • SUBNETWORK_FINGERPRINT is the fingerprint of the existing subnet, which is returned when you describe the subnet.

For more information, refer to the subnetworks.patch method.
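Because the PATCH body carries the complete secondary range list, the safe way to build it is to start from the subnet as it is now, apply the additions and removals, and send the result together with the fingerprint you read. The following Python helper is an added example, not code from this page or from Google Cloud. It starts from a constructed sample of a subnet's describe output, refuses to remove a range whose name appears in a caller-supplied set of ranges that still have addresses in use, refuses to add a range that overlaps the primary or an existing secondary range, and returns the request body with the fingerprint carried through. The sample subnet, its fingerprint value and the in_use set are constructed for the example.

```python
"""Build a secondaryIpRanges PATCH body from a subnet's current state (added example)."""
import ipaddress

# Constructed sample of the relevant fields from
# `gcloud compute networks subnets describe SUBNET --region=REGION --format=json`.
SAMPLE_SUBNET = {
    "name": "subnet-a",
    "ipCidrRange": "10.1.0.0/20",
    "fingerprint": "Q1dNTmp4NEhnZz0=",   # constructed placeholder value
    "secondaryIpRanges": [
        {"rangeName": "pods", "ipCidrRange": "10.4.0.0/14"},
    ],
}


def secondary_ranges_patch(subnet, add=(), remove=(), in_use=frozenset()):
    """Return the body for PATCH .../subnetworks/SUBNET.

    secondaryIpRanges in the request replaces the whole list on the subnet, so
    this starts from the subnet's current ranges and only then applies the
    changes. in_use holds the names of secondary ranges that still have
    addresses allocated (from whatever inventory you trust); a range can only be
    removed once nothing uses addresses in it, so those are refused here.
    """
    ranges = {r["rangeName"]: r["ipCidrRange"] for r in subnet.get("secondaryIpRanges", [])}

    for name in remove:
        if name not in ranges:
            raise KeyError(f"no secondary range named {name!r}")
        if name in in_use:
            raise ValueError(f"secondary range {name!r} still has addresses in use")
        del ranges[name]

    # Every range on a subnet, the primary included, must be disjoint from the others.
    taken = {"primary": ipaddress.ip_network(subnet["ipCidrRange"])}
    taken.update({n: ipaddress.ip_network(c) for n, c in ranges.items()})
    for name, cidr in add:
        new = ipaddress.ip_network(cidr, strict=True)
        if name in ranges:
            raise ValueError(f"secondary range name {name!r} already exists")
        for other_name, other in taken.items():
            if new.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other_name} ({other})")
        ranges[name] = cidr
        taken[name] = new

    return {
        "secondaryIpRanges": [
            {"rangeName": n, "ipCidrRange": c} for n, c in ranges.items()
        ],
        # The fingerprint from the describe output makes the PATCH conditional:
        # if the subnet changed since you read it, the request is rejected
        # instead of silently overwriting someone else's change.
        "fingerprint": subnet["fingerprint"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(secondary_ranges_patch(
        SAMPLE_SUBNET, add=[("services", "10.8.0.0/20")]), indent=2))
```

The returned dictionary is the JSON body for the PATCH request shown above; the subnet dictionary you pass in is not modified, so you can re-read the fingerprint and retry if the request is rejected.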

Modify networks

Convert an auto mode VPC network to custom mode

You can convert an auto mode VPC network to a custom mode VPC network using this procedure. Review the considerations for auto mode VPC networks for background information about reasons why you might want to do this.

Converting an auto mode VPC network to a custom mode VPC network preserves all of its automatically created subnets and any subnets you have added. Subnet names and IP ranges are not changed.

After you convert an auto mode VPC network to custom mode, you must review all API calls and gcloud CLI commands that implicitly reference any subnet that was automatically created while the network was in auto mode. API calls and commands will need to be modified so that they reference the subnet explicitly. For gcloud CLI commands that have a subnet specification flag (--subnet), that flag is required to reference subnets in a custom mode VPC network.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Edit.
  4. In the Subnet creation mode section, choose Custom.
  5. Click Save.

gcloud

Convert an auto mode VPC network to a custom mode VPC network using the following command, replacing NETWORK with the network's name.

gcloud compute networks update NETWORK \
    --switch-to-custom-subnet-mode

API

Convert an existing auto mode VPC network to a custom mode VPC network.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK/switchToCustomMode

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to convert.
  • NETWORK is the name of the VPC network to convert.

For more information, refer to the networks.switchToCustomMode method.

Assign an internal IPv6 range to a network

If you want to configure internal IPv6 addresses on a subnet, you must first enable internal IPv6 addresses on the VPC network. When you enable internal IPv6, a /48 unique local address (ULA) range is assigned to the network.

After you've enabled an internal IPv6 range for your VPC network, you can add dual-stack subnets or convert an IPv4 subnet to a dual-stack subnet.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Edit.
  4. For VPC network ULA internal IPv6 range, select Enabled.
  5. Optional: You can provide the prefix to use for the internal IPv6 range.

    1. For Allocate ULA internal IPv6 range, click Manually.
    2. Enter a /48 range from within the fd20::/20 range.

      If the range is in use, you are prompted to enter a different range.

  6. Click Save.

gcloud

The --enable-ula-internal-ipv6 flag assigns a /48 prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want to select the /48 IPv6 range that is assigned, use the --internal-ipv6-range flag to specify a range.

gcloud compute networks update NAME \
    --enable-ula-internal-ipv6 \
    [ --internal-ipv6-range=ULA_IPV6_RANGE ]

Replace the placeholders with valid values:

  • NAME is the name of the VPC network.
  • ULA_IPV6_RANGE is a /48 prefix from within the fd20::/20 range to assign as the network's internal IPv6 range. If you omit --internal-ipv6-range, Google selects a /48 prefix for the network.

API

Setting enableUlaInternalIpv6 to true assigns a /48 range from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want to select which /48 IPv6 range that is assigned, also use the internalIpv6Range field to specify a range.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK
{
  "enableUlaInternalIpv6": true,
  "internalIpv6Range": "ULA_IPV6_RANGE"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to modify.
  • NETWORK is the name of the VPC network to modify.
  • ULA_IPV6_RANGE is a /48 prefix from within the fd20::/20 range used by Google for internal IPv6 subnet ranges. If you want Google to select the /48 prefix for the network, omit the internalIpv6Range field.

For more information, refer to the networks.patch method.

Change the dynamic routing mode

Each VPC network has an associated dynamic routing mode that controls the behavior of Cloud Routers in the network. Refer to dynamic routing mode section in the VPC Network Overview page to understand how each mode affects how Cloud Routers share routes and apply learned routes.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Edit.
  4. In the Dynamic routing mode section, choose either Global or Regional.
  5. Click Save.

gcloud

gcloud compute networks update NETWORK \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE

Replace the placeholders with valid values:

  • NETWORK is the name of the VPC network whose dynamic routing mode you need to change.
  • DYNAMIC_ROUTING_MODE is either global or regional, depending on the desired behavior of all Cloud Routers in the network.

API

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK
{
  "routingConfig": {
    "routingMode": "ROUTING_MODE"
  }
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to modify.
  • NETWORK is the name of the VPC network to modify.
  • ROUTING_MODE is either GLOBAL or REGIONAL.

For more information, refer to the networks.patch method.

Change the MTU of a network

For information about changing the MTU of a VPC network, see Change the MTU setting of a VPC network.

Delete a network

If a network is not being used, you can delete it. Before you can delete a network, you must delete all resources in all of its subnets, and all resources that reference the network. Resources that reference the network include Cloud VPN gateways, Cloud Routers, Serverless VPC Access connectors and their connected services, firewall rules, and custom static routes.

Console

  1. Go to the VPC networks page in the Google Cloud console.
    Go to VPC networks
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Delete VPC network.
  4. In the message that appears, click Delete to confirm.

gcloud

Replace NETWORK with the name of the network to remove.

gcloud compute networks delete NETWORK

API

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to delete.
  • NETWORK is the name of the VPC network to delete.

For more information, refer to the networks.delete method.

Monitor your VPC network

You can enable logging of network flows to and from VMs. See Using VPC Flow Logs for instructions.

You can enable logging for firewall rules to see which rules allowed or blocked which traffic. See Using Firewall Rules Logging for instructions.

Migrate VMs

You can migrate your virtual machine (VM) instances from one network to another within a given project. For instructions, see Migrating a VM between networks.

Troubleshooting

Error: Constraint constraints/compute.requireVpcFlowLogs violated

This error occurs if both of these conditions apply:

  • An organization policy constraint has been set that requires that VPC Flow Logs is configured.

  • You create a subnet, or update the VPC Flow Logs configuration of an existing subnet, and the configuration does not meet the requirements of the policy.

For more information about this constraint and its effects on subnet creation and updates, see Organization policy constraints for VPC Flow Logs.
