Peer two VPC networks
Learn how to peer two Virtual Private Cloud (VPC) networks by using the Google Cloud console.
Consider an organization organization-a that needs VPC Network Peering to be established between network-a in project-a and network-b in project-b. In order for VPC Network Peering to be established successfully, administrators of network-a and network-b must separately configure the peering association.
By completing the steps in this document, you create the following configuration:
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Compute Engine API.
- Make sure that you have the following role or roles on the project: Compute Network Admin or Project Editor.
  Check for the roles
  - In the Google Cloud console, go to the IAM page.
  - Select the project.
  - In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
  - For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
  Grant the roles
  - In the Google Cloud console, go to the IAM page.
  - Select the project.
  - Click Grant access.
  - In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
  - In the Select a role list, select a role.
  - To grant additional roles, click Add another role and add each additional role.
  - Click Save.
- Repeat these steps for a second project. This quickstart describes how to peer VPC networks that are in separate projects.
Create two VPC networks
In this section, you create two VPC networks, each in different projects.
Create network-a and subnet-a in your first project
Console
- In the Google Cloud console, go to the VPC networks page.
- Click Create VPC network.
- In the Name field, enter network-a.
- In the New subnet section, specify the following:
  - In the Name field, enter subnet-a.
  - Select any Region.
  - In the IPv4 range field, enter 10.0.1.0/24.
  - Click Done.
- In the IPv4 firewall rules tab, on the right side of the row that contains the predefined ingress firewall rule named NETWORK-allow-custom, click Edit.
  - Deselect Use subnets' IPv4 ranges.
  - In Other IPv4 ranges, enter 10.0.0.0/20. Entering this range ensures that the resources in your peered networks can communicate with each other and lets you add more subnets in the future without having to update firewall rules.
  - Click Confirm.
- Click Create.
Create network-b and subnet-b in your second project
Console
- In the Google Cloud console, go to the VPC networks page.
- Click Create VPC network.
- In the Name field, enter network-b.
- In the New subnet section, specify the following:
  - In the Name field, enter subnet-b.
  - Select any Region.
  - In the IPv4 range field, enter 10.0.8.0/24.
  - Click Done.
- In the IPv4 firewall rules tab, on the right side of the row that contains the predefined ingress firewall rule named NETWORK-allow-custom, click Edit.
  - Deselect Use subnets' IPv4 ranges.
  - In Other IPv4 ranges, enter 10.0.0.0/20. Entering this range ensures that the resources in your peered networks can communicate with each other and lets you add more subnets in the future without having to update firewall rules.
  - Click Confirm.
- Click Create.
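Before creating the peering, it is worth checking the address plan from the two sections above. The following POSIX shell script is an added example and is not part of the original document. It implements two checks a practitioner would want at this point: that subnet-a and subnet-b do not overlap (VPC Network Peering cannot become ACTIVE between networks whose subnet ranges overlap), and that the 10.0.0.0/20 source range entered in the allow-custom rule actually covers both subnets. The function names and layout are my own; the three ranges are the ones this page uses.

```shell
#!/bin/sh
# Pre-flight check for the address plan used on this page (added example, not
# part of the original document). VPC Network Peering will not go ACTIVE when a
# subnet range in one network overlaps a subnet range in the other, and the
# allow-custom rule edited above only helps if its source range covers both
# subnets. Pure POSIX sh arithmetic; octets must be plain decimals.

# Dotted-quad IPv4 address -> unsigned integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# CIDR -> "network-address mask" as two integers.
cidr_parts() {
  ip=${1%/*}; len=${1#*/}
  if [ "$len" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
  echo "$(( $(ip_to_int "$ip") & mask )) $mask"
}

# cidr_contains OUTER INNER: succeeds when INNER lies entirely inside OUTER.
cidr_contains() {
  # after set --: $1=outer net, $2=outer mask, $3=inner net, $4=inner mask
  set -- $(cidr_parts "$1") $(cidr_parts "$2")
  [ $(( $2 & $4 )) -eq "$2" ] && [ $(( $3 & $2 )) -eq "$1" ]
}

# cidr_overlap A B: succeeds when the two ranges share at least one address.
cidr_overlap() {
  cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}

# preflight SUBNET_A SUBNET_B FIREWALL_RANGE: returns 0 when the plan is consistent.
preflight() {
  rc=0
  if cidr_overlap "$1" "$2"; then
    echo "FAIL: $1 and $2 overlap; the peering cannot become ACTIVE" >&2; rc=1
  fi
  for s in "$1" "$2"; do
    cidr_contains "$3" "$s" || { echo "FAIL: firewall range $3 does not cover $s" >&2; rc=1; }
  done
  [ $rc -eq 0 ] && echo "OK: $1 and $2 do not overlap and both sit inside $3"
  return $rc
}

# Values from this page: subnet-a, subnet-b, and the allow-custom source range.
preflight 10.0.1.0/24 10.0.8.0/24 10.0.0.0/20
```

Run it as-is to confirm the page's plan, or substitute your own ranges; a non-zero exit status means either the peering would be rejected or the firewall rule would silently leave one subnet unreachable.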
Peer network-a with network-b
In this section, you configure network-a to peer with network-b.
Console
- In the Google Cloud console, go to the VPC Network Peering page.
- Click Create connection.
- Click Continue.
- Enter a Name of peer-ab for this side of the connection.
- Under Your VPC network, select network-a.
- Set the Peering VPC network radio buttons to In another project.
- Specify the Project ID of the other project.
- Specify the VPC network name of the other network, network-b.
- Select Import custom routes and Export custom routes.
- Click Create.
At this point, the peering state remains INACTIVE because of the absence of a matching configuration in network-b in project-b.
When the peering state becomes ACTIVE, VPC Network Peering automatically exchanges subnet routes. Google Cloud also exchanges custom routes (static routes and dynamic routes) by importing or exporting them over the peering connection. Both networks must be configured to exchange custom routes before they are shared. For more information, see Importing and exporting custom routes.
To see the current peering state, view the peering connection:
Console
- In the Google Cloud console, go to the VPC Network Peering page.
- Select peer-ab. On the Peering connection details page, the status says Inactive. Waiting for the connection to be created by network-b.
Peer network-b with network-a
In this section, you create a matching peering configuration from network-b to network-a so that the peering becomes ACTIVE on both ends.
Console
- In the Google Cloud console, go to the VPC Network Peering page.
- Click Create connection.
- Click Continue.
- Enter a Name of peer-ba for this side of the connection.
- Under Your VPC network, select network-b.
- Set the Peering VPC network radio buttons to In another project.
- Specify the Project ID of the other project.
- Specify the VPC network name of the other network, network-a.
- Select Import custom routes and Export custom routes.
- Click Create.
VPC Network Peering becomes ACTIVE
As soon as the peering moves to an ACTIVE state, subnet routes and custom routes are exchanged, which allows traffic to flow between resources in the networks.
Console
- In the Google Cloud console, go to the VPC Network Peering page.
- On the VPC Network Peering page, the status for the connection that you created says ACTIVE.
- Go to the VPC Network Peering page in the other project to see that it also says ACTIVE.
The routes to peered network CIDR prefixes are now visible across the VPC network peers. These routes are implicit routes that are generated for active peering connections. They don't have corresponding route resources. The following procedure shows routes for all VPC networks for project-a.
Console
- In the Google Cloud console, go to the Routes page.
- For Network and Region, select network-a and the region in which you created subnet-a, then click View.
- In the list of routes, there is a Peering subnet route for subnet-b.
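The console steps above (creating the two networks with their subnets and allow-custom rules, creating both halves of the peering, and then checking the state and the learned routes) have a gcloud equivalent. The script below is an added example and is not part of the original document. It assumes the gcloud CLI is installed and authenticated; PROJECT_A, PROJECT_B and REGION are placeholders for your own project IDs and region, and the rule name network-a-allow-custom mirrors the NETWORK-allow-custom naming used on this page. With DRY_RUN=1 it prints the commands instead of executing them, so you can review exactly what will be created in each project before running it for real.

```shell
#!/bin/sh
# gcloud equivalent of the console procedures on this page (added example, not
# from the original document). PROJECT_A, PROJECT_B and REGION are placeholders.
# With DRY_RUN=1 every gcloud command is printed instead of executed.

PROJECT_A=${PROJECT_A:-project-a}
PROJECT_B=${PROJECT_B:-project-b}
REGION=${REGION:-us-central1}

# Execute a command, or print it when DRY_RUN is set.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_network PROJECT NETWORK SUBNET RANGE: custom-mode network, one subnet,
# and the ingress rule the console calls NETWORK-allow-custom, with its source
# range set to the 10.0.0.0/20 this page recommends (--allow=all matches the
# "all protocols" setting of the console's predefined rule).
create_network() {
  run gcloud compute networks create "$2" --project="$1" --subnet-mode=custom
  run gcloud compute networks subnets create "$3" --project="$1" \
    --network="$2" --region="$REGION" --range="$4"
  run gcloud compute firewall-rules create "$2-allow-custom" --project="$1" \
    --network="$2" --direction=INGRESS --allow=all --source-ranges=10.0.0.0/20
}

# create_peering_side NAME PROJECT NETWORK PEER_PROJECT PEER_NETWORK: one half
# of the peering. It stays INACTIVE until the other project creates its half.
create_peering_side() {
  run gcloud compute networks peerings create "$1" --project="$2" --network="$3" \
    --peer-project="$4" --peer-network="$5" \
    --import-custom-routes --export-custom-routes
}

# peering_state PROJECT NETWORK: name and ACTIVE/INACTIVE state of each peering
# on the network, as seen from that project.
peering_state() {
  run gcloud compute networks describe "$2" --project="$1" \
    --format="value(peerings[].name,peerings[].state)"
}

# peering_routes PROJECT NETWORK PEERING: subnet routes learned over the
# peering. They have no route resources, so `gcloud compute routes list`
# does not show them.
peering_routes() {
  run gcloud compute networks peerings list-routes "$3" --project="$1" \
    --network="$2" --region="$REGION" --direction=INCOMING
}

# The whole procedure in order: both networks, both peering halves, then checks.
peer_both_ways() {
  create_network "$PROJECT_A" network-a subnet-a 10.0.1.0/24
  create_network "$PROJECT_B" network-b subnet-b 10.0.8.0/24
  create_peering_side peer-ab "$PROJECT_A" network-a "$PROJECT_B" network-b
  create_peering_side peer-ba "$PROJECT_B" network-b "$PROJECT_A" network-a
  peering_state "$PROJECT_A" network-a
  peering_state "$PROJECT_B" network-b
  peering_routes "$PROJECT_A" network-a peer-ab
}

# Usage: DRY_RUN=1 sh peer.sh apply   (review)    sh peer.sh apply   (execute)
case "${1:-}" in apply) peer_both_ways ;; esac
```

Each half of the peering is created by the project that owns that network, which is why create_peering_side takes the project explicitly: the Compute Network Admin role in project-a is not enough to create peer-ba in project-b, and until both halves exist peering_state keeps reporting INACTIVE.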
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Delete the projects
To delete the projects that you created:
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete individual resources
If you don't want to delete the entire project, delete the VPC Network Peering connections and the VPC networks that you created.
Before you can delete a network, you must delete its VPC Network Peering connection.
Delete VPC Network Peering connections
To delete a VPC Network Peering connection:
Console
- In the Google Cloud console, go to the VPC Network Peering page.
- Select the checkbox next to the peering you want to remove.
- Click Delete.
Delete VPC networks
To delete a VPC network:
Console
- In the Google Cloud console, go to the VPC networks page.
- Click the name of a VPC network to show its VPC network details page.
- Click Delete VPC network.
- In the message that appears, click Delete to confirm.
What's next
For more information about VPC Network Peering, see:
- VPC Network Peering overview.
- Using VPC Network Peering.