Using VPC Networks

This page describes how to create, modify, and delete VPC networks. This page assumes that you are familiar with the characteristics of VPC networks as described in the VPC Network Overview. Networks and subnets are different resources in GCP.

Creating networks

You can choose to create an auto mode or custom mode VPC network. Each new network that you create must have a unique name within the same project.

Creating an auto mode network

Auto mode networks create one subnet in each GCP region automatically when you create the network. As new regions become available, new subnets in those regions are automatically added to the auto mode network. IP ranges for the automatically created subnets come from a predetermined set of ranges. All auto mode networks use the same set of IP ranges.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click Create VPC network.
  3. Enter a Name for the network.
  4. Choose Automatic for the Subnet creation mode.
  5. In the Firewall rules section, select one or more predefined firewall rules that address common use cases for connectivity to VMs. If you don't want to use them, select no rules. You can create your own firewall rules after you create the network.
  6. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  7. Click Create.

gcloud

Create an auto mode network using the following gcloud command:


gcloud compute networks create NETWORK_NAME \
    --subnet-mode=auto \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE

Replace the placeholders with valid values:

  • NETWORK_NAME is a name for the VPC network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.

API

Create an auto mode network.

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": true,
  "name": "auto-network1"
}

Replace PROJECT_ID with the ID of the project where the VPC network is created.

To specify the dynamic routing mode of the VPC network, use the routingConfig field:

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "routingConfig": {
    "routingMode": "DYNAMIC_ROUTING_MODE"
  },
  "autoCreateSubnetworks": true,
  "name": "NETWORK_NAME"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the VPC network is created.
  • NETWORK_NAME is a name for the VPC network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the route advertisement behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.

For more information, refer to the networks.insert method.

Creating a new VPC network with custom subnets

For custom mode VPC networks, create a network, then create the subnets that you want within a region. You do not have to specify subnets for all regions right away, or even at all, but you cannot create instances in a region that has no subnet defined.

Creating a custom mode network

You control the subnets created within a custom mode VPC network. You can create subnets when you create the network, or you can add subnets later.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click Create VPC network.
  3. Enter a Name for the network.
  4. Choose Custom for the Subnet creation mode.
  5. In the New subnet section, specify the following configuration parameters for a subnet:
    1. Provide a Name for the subnet.
    2. Select a Region.
    3. Enter an IP address range. This is the primary IP range for the subnet.
    4. To define a secondary range for the subnet, click Create secondary IP range.
    5. Private Google access: Choose whether to enable Private Google Access for the subnet when you create it or later by editing it.
    6. Flow logs: Choose whether to enable VPC flow logs for the subnet when you create it or later by editing it.
    7. Click Done.
  6. To add more subnets, click Add subnet and repeat the previous steps. You can also add more subnets to the network after you have created the network.
  7. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  8. Click Create.

gcloud

Create a new custom mode network using the following gcloud command. After you have created your network, add subnets to it by following the adding subnets directions.

gcloud compute networks create NETWORK_NAME \
    --subnet-mode=custom \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE

Replace the placeholders with valid values:

  • NETWORK_NAME is a name for the VPC network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the route advertisement behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.

API

Create a custom mode network.

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": false,
  "name": "NETWORK_NAME",
  "routingConfig": {
    "routingMode": "DYNAMIC_ROUTING_MODE"
  }
}

Replace the following placeholders with values from your environment:

  • PROJECT_ID is the ID of the project where the VPC network is created.
  • NETWORK_NAME is a name for the VPC network.
  • DYNAMIC_ROUTING_MODE can be either global or regional to control the route advertisement behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.

For more information, refer to the networks.insert method.

Viewing networks

View the VPC and legacy networks in your project. For VPC networks, you can view information about their subnets and their subnet creation mode.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.

    The console lists all of your VPC and legacy networks.

  2. Select a VPC network to view its details, such as its peering connections and subnets.

gcloud

  1. List the networks in your project, as shown in the following example.

    gcloud compute networks list
    

    The command lists all of your VPC and legacy networks. Legacy networks show a subnet creation mode of LEGACY, while VPC networks show either AUTO or CUSTOM.

    NAME             SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE     GATEWAY_IPV4
    custom-network   CUSTOM       REGIONAL
    default          AUTO         REGIONAL
    legacy-network1  LEGACY       REGIONAL          10.240.0.0/16  10.240.0.1
    
  2. Describe a network to view its details, such as its peering connections and subnets.

    gcloud compute networks describe NETWORK_NAME
    

API

  1. List all networks in your project.

    GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
    

    Replace PROJECT_ID with the ID of the project that contains the VPC networks to list.

    For more information, refer to the networks.list method.

  2. Describe a network to view its details.

    GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME
    

    Replace the placeholders with valid values:

    • PROJECT_ID is the ID of the project that contains the VPC network.
    • NETWORK_NAME is the name of the VPC network to describe.

    For more information, refer to the networks.get method.

Working with subnets

You must follow these rules when creating or editing a subnet:

  • Within a project, a subnet cannot have the same name as a VPC network unless it is a member of that network. Within a project, subnets in the same region must have unique names. For example, a network named production can have multiple subnets also named production as long as each of those subnets is in a unique region.

  • You cannot change the name or region of a subnet after you have created it. However, you can delete a subnet and replace it, as long as no resources are using it.

  • Each subnet must have a primary range, and, optionally, one or more secondary ranges for alias IP. The per network limits describe the maximum number of secondary ranges that you can define for each subnet. Primary and secondary IP ranges must be RFC 1918 addresses.

    • Within a VPC network, all primary and secondary IP ranges must be unique, but they do not need to be contiguous. For example, the primary range of a subnet can be 10.0.0.0/24 while the primary range of another subnet in the same network can be 192.168.0.0/16.

    • The primary IP range for the subnet can be expanded, but not replaced or shrunk, after the subnet has been created.

    • You can remove and replace a subnet's secondary IP address range only if no instances are using that range.

    • The minimum primary or secondary range size is eight IP addresses. In other words, the longest subnet mask you can use is /29.

  • Primary and secondary ranges for subnets cannot overlap with any allocated range, any primary or secondary range of another subnet in the same network, or any IP ranges of subnets in peered networks.

  • GCP creates corresponding subnet routes for both primary and secondary IP ranges. Subnet routes, and therefore subnet IP ranges, must have the most specific IP ranges by definition.

    • Primary and secondary ranges can't conflict with on-premises IP ranges if you have connected your VPC network to another network with Cloud VPN, Dedicated Interconnect, or Partner Interconnect.

    • IP ranges for all subnets must be unique among VPC networks that are connected to one another by VPC Network Peering.

    • Subnet IP ranges cannot conflict with destinations for static routes.

    • Avoid using IP addresses from the 10.128.0.0/9 block for a subnet's primary or secondary IP ranges. Automatically created subnets in auto mode networks use IP addresses from this block. If you use IP addresses in the 10.128.0.0/9 block, you will not be able to connect your network to an auto mode VPC network using VPC Peering or with Cloud VPN tunnels.

Listing subnets

You can see all the subnets that exist for a project.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Subnets in all VPC networks are shown.
  2. Click the name of a network then click the Subnets tab on the VPC network details page to view subnets for just that network, instead of for all networks.

gcloud

You can list all subnets in all networks in your project, or you can show only the subnets for a particular network or region. The following list shows example commands.

  • Use this command to list all subnets in all VPC networks, in all regions:

    gcloud compute networks subnets list
    
  • Use this command to list all subnets in a particular VPC network, replacing NETWORK with the name of the network:

    gcloud compute networks subnets list \
       --network=NETWORK
    
  • Use this command to list all subnets in a particular region, replacing REGION with a region name:

    gcloud compute networks subnets list \
       --filter="region:( REGION … )"
    

API

List all subnets in your project.

GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/subnetworks

Replace PROJECT_ID with the ID of the project that contains the subnets to list.

For more information, refer to the subnetworks.aggregatedList method.

Describing a subnet

You can view details of an existing subnet, such as its primary IP range, any secondary IP ranges, and its region, by following the steps in this section.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.
  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.

gcloud

  1. List subnets to determine the names and regions of existing subnets in your project.

  2. Describe the subnet using the following gcloud command, replacing SUBNET_NAME with its name and REGION with its region.

    gcloud compute networks subnets describe SUBNET_NAME \
    --region=REGION
    

API

  1. List subnets in a particular region to find the subnet's name.

    GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
    

    Replace the placeholders with valid values:

    • PROJECT_ID is the ID of the project that contains the subnets to list.
    • REGION is the name of the GCP region that contains the subnets to list.

    For more information, refer to the subnetworks.list method.

  2. Describe the subnet to view its details.

    GET https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
    

    Replace the placeholders with valid values:

    • PROJECT_ID is the ID of the project that contains the subnet to describe.
    • REGION is the name of the GCP region that contains the subnet to describe.
    • SUBNET_NAME is the name of the subnet to describe.

    For more information, refer to the subnetworks.get method.

Adding subnets

When you create a subnet, you set a name, a region, and at least a primary IP address range according to the subnet rules.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Add subnet. In the panel that appears:
    1. Provide a Name.
    2. Select a Region.
    3. Enter an IP address range. This is the primary IP range for the subnet.
    4. To define a secondary range for the subnet, click Create secondary IP range.
    5. Private Google access: You can enable Private Google Access for the subnet when you create it or later by editing it.
    6. Flow logs: You can enable VPC flow logs for the subnet when you create it or later by editing it.
    7. Click Add.

gcloud

The following gcloud command creates a new subnet in a given network.

gcloud compute networks subnets create SUBNET_NAME \
    --network=NETWORK \
    --range=PRIMARY_RANGE \
    --region=REGION

Replace the placeholders with valid values:

  • SUBNET_NAME is a name for the new subnet.
  • NETWORK is the name of the VPC network that will contain the new subnet.
  • PRIMARY_RANGE is the primary IP range for the new subnet, in CIDR notation.
  • REGION is the GCP region in which the new subnet will be created.

You can modify the previous command with the following optional flags:

  • --secondary-range=SECONDARY_RANGE: Replace SECONDARY_RANGE with a secondary range in CIDR notation. The per network limits describe the maximum number of secondary ranges that you can define for each subnet.
  • --enable-flow-logs: Enables VPC Flow Logs in the subnet at creation time.
  • --enable-private-ip-google-access: Enables Private Google Access in the subnet at creation time.

API

Create a subnet in a given VPC network.

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
  "ipCidrRange": "IP_RANGE",
  "network": "NETWORK_URL",
  "name": "SUBNET_NAME"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to modify.
  • REGION is the name of the GCP region where the subnet is added.
  • IP_RANGE is the primary IP address range for the subnet.
  • NETWORK_URL is the URL of the VPC network where you're adding the subnet.
  • SUBNET_NAME is a name for the subnet.

For more information, refer to the subnetworks.insert method.

Deleting subnets

Use the following directions to delete a manually created subnet. Before you can delete a subnet, you must delete all resources that use it. For example, you need to delete VMs, reserved internal IP addresses, internal forwarding rules, and Cloud NAT gateways that use the subnet.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.
  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.
  3. Click Delete subnet.
  4. In the message that appears, click Delete to confirm.

gcloud

Use the following gcloud command to delete a subnet:

gcloud compute networks subnets delete SUBNET_NAME \
    --region=REGION

Replace the placeholders with valid values:

  • SUBNET_NAME is the name of the subnet to delete.
  • REGION is the region where the subnet exists.

API

Delete a subnet in a given VPC network.

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the subnet to delete.
  • REGION is the name of the GCP region that contains the subnet to delete.
  • SUBNET_NAME is the name of the subnet to delete.

For more information, refer to the subnetworks.delete method.

Expanding a primary IP range

You can expand the primary IP range of an existing subnet by modifying its subnet mask, setting the prefix length to a smaller number. The proposed new primary IP range of the subnet must follow the subnet rules.

When expanding the IP range of an automatically created subnet in an auto mode network (or in a custom mode network that was previously an auto mode network), the broadest prefix (subnet mask) you can use is /16. Any prefix broader than /16 would conflict with the primary IP ranges of the other automatically created subnets.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.
  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.
  3. Click Edit.
  4. Enter a new, broader CIDR block in the IP address range field.
  5. Click Save.

gcloud

Expand the primary IP range of a subnet with the following gcloud command:

gcloud compute networks subnets expand-ip-range SUBNET_NAME \
  --region=REGION \
  --prefix-length=PREFIX_LENGTH

Replace the placeholders with valid values:

  • SUBNET_NAME is the name of the subnet.
  • REGION is the region in which the subnet is located.
  • PREFIX_LENGTH is a subnet mask size in bits. If the primary IP range is 10.1.2.0/24, you can supply 20 to reduce the subnet mask to 20 bits, which changes the primary IP range to 10.1.2.0/20.
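The subnet rules listed under Working with subnets, together with the expansion limits in this section, as a checker added here (example code, not Google's and not from the page) built on Python's standard ipaddress module. The network layout in the block is constructed sample data; note that ipaddress normalizes the expanded 10.1.2.0/24 to 10.1.0.0/20, the same block of addresses.

```python
"""Added example: checks a proposed subnet range against the rules on this page and
models `gcloud compute networks subnets expand-ip-range`. Sample data is constructed."""
import ipaddress
from typing import Iterable, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")  # auto mode subnets are carved from here
MIN_PREFIX_LEN = 29      # eight addresses is the smallest range (longest mask is /29)
AUTO_MODE_BROADEST = 16  # an automatically created subnet can be expanded to /16 at most


def check_range(candidate: str, in_use: Iterable[str],
                connected: Iterable[str] = (), flag_auto_block: bool = True) -> List[str]:
    """Return the rule violations for a proposed primary or secondary range.

    candidate  - proposed range in CIDR notation
    in_use     - primary and secondary ranges already in the same VPC network
    connected  - ranges in peered networks, on-premises ranges reached via Cloud VPN
                 or Interconnect, and static route destinations
    An empty list means the range is acceptable.
    """
    try:
        net = ipaddress.ip_network(candidate)  # strict by default: host bits must be zero
    except ValueError as exc:
        return [f"{candidate}: {exc}"]
    if net.version != 4:
        return [f"{net} is not an IPv4 range"]
    problems = []
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append(f"{net} is not an RFC 1918 range")
    if net.prefixlen > MIN_PREFIX_LEN:
        problems.append(f"{net} is smaller than /29 (fewer than eight addresses)")
    for other in map(ipaddress.ip_network, in_use):
        if net.overlaps(other):
            problems.append(f"{net} overlaps {other} in the same network")
    for other in map(ipaddress.ip_network, connected):
        if net.overlaps(other):
            problems.append(f"{net} conflicts with connected range {other}")
    if flag_auto_block and net.overlaps(AUTO_MODE_BLOCK):
        problems.append(f"{net} overlaps 10.128.0.0/9; peering or VPN to an auto mode network would fail")
    return problems


def expand_primary_range(current: str, prefix_length: int, in_use: Iterable[str],
                         connected: Iterable[str] = (), auto_created: bool = False):
    """Model `subnets expand-ip-range --prefix-length` and return the new network.

    Raises ValueError when the expansion breaks a subnet rule. ipaddress normalizes
    the network address, so 10.1.2.0/24 widened to /20 comes back as 10.1.0.0/20.
    """
    old = ipaddress.ip_network(current)
    if prefix_length >= old.prefixlen:
        raise ValueError("a primary range can only be expanded, never shrunk or replaced")
    if auto_created and prefix_length < AUTO_MODE_BROADEST:
        raise ValueError("automatically created subnets cannot be broader than /16")
    new = ipaddress.ip_network(f"{old.network_address}/{prefix_length}", strict=False)
    # The subnet's current range is used by the subnet itself, so it must not count as a conflict.
    others = [r for r in in_use if ipaddress.ip_network(r) != old]
    problems = check_range(str(new), others, connected, flag_auto_block=not auto_created)
    if problems:
        raise ValueError("; ".join(problems))
    return new


if __name__ == "__main__":
    existing = ["10.0.0.0/24", "10.1.2.0/24", "192.168.0.0/16"]  # constructed sample network
    print(check_range("10.0.1.0/29", existing))                   # [] -> acceptable
    print(check_range("10.0.0.128/25", existing))                 # overlaps 10.0.0.0/24
    print(check_range("10.130.0.0/20", existing))                 # inside the auto mode block
    print(expand_primary_range("10.1.2.0/24", 20, existing))      # 10.1.0.0/20
```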

API

Expand the primary IP address range of an existing subnet.

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME/expandIpCidrRange
{
  "ipCidrRange": "IP_RANGE"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the subnet to modify.
  • REGION is the name of the GCP region that contains the subnet to modify.
  • SUBNET_NAME is the name of the subnet to modify.
  • IP_RANGE is the expanded IP address range for the subnet.

For more information, refer to the subnetworks.expandIpCidrRange method.

Editing secondary ranges

You can add secondary IP ranges to subnets, or you can remove any secondary range as long as no resources are using IP addresses in it.

gcloud

Add a new secondary IP range to a subnet using the following gcloud command:

gcloud compute networks subnets update SUBNET_NAME \
  --region=REGION \
  --add-secondary-ranges=SECONDARY_RANGE_NAME=SECONDARY_RANGE

Replace the placeholders with valid values:

  • SUBNET_NAME is the name of the subnet.
  • REGION is the region in which the subnet is located.
  • SECONDARY_RANGE_NAME is a name for the secondary range.
  • SECONDARY_RANGE is the secondary IP range in CIDR notation.

Remove a secondary IP range from a subnet using the following gcloud command:

gcloud compute networks subnets update SUBNET_NAME \
  --region=REGION \
  --remove-secondary-ranges=SECONDARY_RANGE_NAME

Replace the placeholders with valid values:

  • SUBNET_NAME is the name of the subnet.
  • REGION is the region in which the subnet is located.
  • SECONDARY_RANGE_NAME is the name of the secondary range to be removed.

API

Modify secondary IP address ranges for an existing subnet.

PATCH https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
  "secondaryIpRanges": [
  {
    "rangeName": "SECONDARY_RANGE_NAME",
    "ipCidrRange": "IP_RANGE"
  },
  {
    "rangeName": "SECONDARY_RANGE_NAME",
    "ipCidrRange": "IP_RANGE"
  }],
  "fingerprint": "SUBNETWORK_FINGERPRINT"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the subnet to modify.
  • REGION is the name of the GCP region that contains the subnet to modify.
  • SUBNET_NAME is the name of the subnet to modify.
  • SECONDARY_RANGE_NAME is a name for the secondary IP address range.
  • IP_RANGE is the secondary IP address range in CIDR notation.
  • SUBNETWORK_FINGERPRINT is the fingerprint ID of the existing subnet, which is returned when you describe the subnet.

For more information, refer to the subnetworks.patch method.

Modifying networks

Converting to custom mode

You can convert an auto mode network to a custom mode network using this procedure. Review the considerations for auto mode networks for background information about reasons why you might want to do this.

Converting an auto mode network to a custom mode network preserves all of its automatically created subnets and any subnets you have added. Subnet names and IP ranges are not changed.

After you convert an auto mode network to custom mode, you must review all API calls and gcloud commands that implicitly reference any subnet that was automatically created while the network was in auto mode. API calls and commands will need to be modified so that they reference the subnet explicitly. For gcloud commands that have a subnet specification flag (--subnet), that flag is required to reference subnets in a custom mode network.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Edit.
  4. In the Subnet creation mode section, choose Custom.
  5. Click Save.

gcloud

Convert an auto mode network to a custom mode network using the following command, replacing NETWORK_NAME with the network's name.

gcloud compute networks update NETWORK_NAME \
    --switch-to-custom-subnet-mode

API

Convert an existing auto mode network to a custom mode network.

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME/switchToCustomMode

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to convert.
  • NETWORK_NAME is the name of the VPC network to convert.

For more information, refer to the networks.switchToCustomMode method.

Changing the dynamic routing mode

Each VPC network has an associated dynamic routing mode that controls the behavior of Cloud Routers in the network. Refer to dynamic routing mode section in the VPC Network Overview page to understand how each mode affects how Cloud Routers share routes and apply learned routes.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Edit.
  4. In the Dynamic routing mode section, choose either Global or Regional.
  5. Click Save.

gcloud

Change the dynamic routing mode of a VPC network with the following gcloud command:

gcloud compute networks update NETWORK_NAME \
    --bgp-routing-mode=DYNAMIC_ROUTING_MODE

Replace the placeholders with valid values:

  • NETWORK_NAME is the name of the VPC network whose dynamic routing mode you need to change.
  • DYNAMIC_ROUTING_MODE is either global or regional, depending on the desired behavior of all Cloud Routers in the network.

API

Change the dynamic routing mode of an existing VPC network.

PATCH https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME
{
  "routingConfig": {
    "routingMode": "ROUTING_MODE"
  }
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to modify.
  • NETWORK_NAME is the name of the VPC network to modify.
  • ROUTING_MODE is either GLOBAL or REGIONAL.

For more information, refer to the networks.patch method.

Deleting a network

If a network is not being used, you can delete it. Before you can delete a network, you must delete all resources in all of its subnets, and all resources that reference the network. Resources that reference the network include Cloud VPN gateways, Cloud Routers, firewall rules, and custom static routes.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click the name of a VPC network to show its VPC network details page.
  3. Click Delete VPC network.
  4. In the message that appears, click Delete to confirm.

gcloud

Delete a network by using the following gcloud command, replacing NETWORK_NAME with the name of the network to remove.

gcloud compute networks delete NETWORK_NAME

API

Delete a VPC network to remove it from your project.

DELETE https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the VPC network to delete.
  • NETWORK_NAME is the name of the VPC network to delete.

For more information, refer to the networks.delete method.

Monitoring your VPC network

You can enable logging of network flows to and from VMs. See Using VPC Flow Logs for instructions.

You can enable logging for firewall rules to see which rules allowed or blocked which traffic. See Using Firewall Rules Logging for instructions.
