Decommission a hybrid subnet

This page describes how to decommission a hybrid subnet.

If you no longer need Hybrid Subnets functionality—for example, because all on-premises workloads have either migrated to Google Cloud or been decommissioned—you can decommission a hybrid subnet. Decommissioning a hybrid subnet changes the hybrid subnet into a regular subnet and removes the unused components of the hybrid subnet.

Update Cloud Router custom advertised routes

The following sections describe how to replace the custom advertised routes that you created for each migrated workload with a single advertisement for the entire subnet.

Create a single custom advertised route for the entire IP address range of the hybrid subnet that you are decommissioning. For more information, see Advertise specific VPC subnets.

Remove custom advertised routes for migrated workloads

Remove the /32 and other custom advertised routes that you configured on your Cloud Router for individual migrated workloads. For more information, see Remove custom advertised routes on a Cloud Router.

Disable hybrid subnet routing

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of the VPC network that contains the subnet that you want to update.

  3. Click the Subnets tab.

  4. Click the subnet that you want to update.

  5. Click Edit.

  6. In the Hybrid subnet section, select Off.

  7. Click Save.

gcloud

Use the gcloud beta compute networks subnets update command.

gcloud beta compute networks subnets update SUBNET \
    --region=REGION \
    --no-allow-cidr-routes-overlap

Replace the following:

  • SUBNET: the name of the subnet.
  • REGION: the region of the subnet.

API

  1. Find the fingerprint ID of your subnet.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the ID of your project
    • REGION: the region of your subnet
    • SUBNET_NAME: the name of your subnet

    HTTP method and URL:

    GET https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME

    You should receive a JSON response similar to the following:

    {
      "kind": "compute#subnetwork",
      "id": "5514771331600183201",
      "creationTimestamp": "2022-09-16T12:41:02.010-07:00",
      "name": "subnet-name",
      "network": "https://www.googleapis.com/compute/v1/projects/project-name/global/networks/network-name",
      "ipCidrRange": "10.6.0.0/16",
      "gatewayAddress": "10.6.0.1",
      "region": "https://www.googleapis.com/compute/v1/projects/project-name/regions/us-central1",
      "selfLink": "https://www.googleapis.com/compute/v1/projects/project-name/regions/us-central1/subnetworks/subnet-name",
      "privateIpGoogleAccess": true,
      "fingerprint": "YiItidAFRsA5",
      "allowSubnetCidrRoutesOverlap": false,
      "enableFlowLogs": true,
      "privateIpv6GoogleAccess": "DISABLE_GOOGLE_ACCESS",
      "purpose": "PRIVATE",
      "stackType": "IPV4_ONLY"
    }
    

  2. Disable allowSubnetCidrRoutesOverlap.

    Before using any of the request data, replace SUBNET_FINGERPRINT with the fingerprint ID of your subnet that you found in the previous request—for example, YiItidAFRsA5.

    HTTP method and URL:

    PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME

    Request JSON body:

    {
      "allowSubnetCidrRoutesOverlap": false,
      "fingerprint": "SUBNET_FINGERPRINT"
    }
    

    You should receive a JSON response similar to the following:

    {
      "kind": "compute#operation",
      "id": "5973660558170953708",
      "name": "operation-1680288003494-5f8368991917a-59bf1c92-1897c7c6",
      "operationType": "compute.subnetworks.patch",
      "targetLink": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1/subnetworks/subnet-name",
      "targetId": "5514771331600183201",
      "status": "RUNNING",
      "user": "user@gmail.com",
      "progress": 0,
      "insertTime": "2023-03-31T11:40:03.882-07:00",
      "startTime": "2023-03-31T11:40:03.893-07:00",
      "selfLink": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1/operations/operation-1680288003494-5f8368991917a-59bf1c92-1897c7c6",
      "region": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1"
    }
    

  3. To verify that allowSubnetCidrRoutesOverlap is disabled for your subnet, make another GET request and ensure that the response includes the following:

    • "allowSubnetCidrRoutesOverlap": false
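
A post-change check for the steps above, as an added example that is not part of the original page: it confirms that the subnet-wide advertisement exists, lists any leftover /32 or other more-specific advertised routes inside the subnet's range, and checks that allowSubnetCidrRoutesOverlap is false. The sample JSON, the router name example-router and the function name are assumptions; the script reads only the router-level bgp.advertisedIpRanges list, not per-peer advertisements.

```python
import ipaddress
import json

# Constructed sample data (not from a real project). SUBNET mirrors fields of the
# subnetworks GET response; ROUTER mirrors the JSON printed by
# `gcloud compute routers describe ROUTER --region=REGION --format=json`.
SUBNET = json.loads("""{
  "name": "subnet-name", "ipCidrRange": "10.6.0.0/16",
  "allowSubnetCidrRoutesOverlap": false
}""")
ROUTER = json.loads("""{
  "name": "example-router",
  "bgp": {"advertiseMode": "CUSTOM", "advertisedIpRanges": [
    {"range": "10.6.0.0/16", "description": "entire subnet"},
    {"range": "10.6.4.17/32", "description": "migrated vm-a"},
    {"range": "10.6.9.0/28", "description": "migrated batch"},
    {"range": "192.168.50.0/24", "description": "unrelated"}
  ]}
}""")


def audit_decommission(subnet, router):
    """Return findings for one subnet/router pair (hypothetical helper)."""
    subnet_net = ipaddress.ip_network(subnet["ipCidrRange"])
    advertised = [ipaddress.ip_network(r["range"], strict=False)
                  for r in router.get("bgp", {}).get("advertisedIpRanges", [])]
    # The single replacement advertisement must match the subnet range exactly.
    whole_subnet_advertised = subnet_net in advertised
    # Per-workload leftovers: strictly more specific prefixes inside the subnet.
    leftovers = sorted(str(n) for n in advertised
                       if n.version == subnet_net.version
                       and n != subnet_net and n.subnet_of(subnet_net))
    # A missing field is treated as "not confirmed", not as disabled.
    overlap_off = subnet.get("allowSubnetCidrRoutesOverlap") is False
    return {
        "whole_subnet_advertised": whole_subnet_advertised,
        "leftover_specific_routes": leftovers,
        "hybrid_routing_disabled": overlap_off,
        "clean": whole_subnet_advertised and not leftovers and overlap_off,
    }


if __name__ == "__main__":
    print(json.dumps(audit_decommission(SUBNET, ROUTER), indent=2))
```
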

Delete ingress firewall rules

Delete the ingress firewall rules or firewall policies that you configured for migrated VMs. For more information, see the Cloud Next Generation Firewall documentation.

Remove unnecessary configuration

Consider the following:

  • If you don't need proxy ARP on your on-premises router for another purpose, you can disable proxy ARP. For information about disabling proxy ARP, see the router's public documentation.
  • If you don't need your on-premises subnet for another purpose, you can decommission the on-premises subnet.
  • If all your VMs have migrated to Google Cloud, and you no longer need connectivity between your on-premises and VPC networks, you can disconnect your on-premises and VPC networks. To disconnect your on-premises and VPC networks, complete the following steps:

    1. Do one of the following, depending on how you've configured connectivity:

    2. If you no longer need the Cloud Router that you configured for hybrid subnets, you can delete the Cloud Router.

    3. If you no longer need on-premises firewall configuration that you added for Hybrid Subnets, you can remove it.