Using VPC Networks

This page describes how to create, modify, and delete VPC networks. This page assumes that you are familiar with the characteristics of VPC networks as described in the VPC Network Overview. Networks and subnets are different resources in GCP.

Creating networks

You can choose to create an auto or mode network. Each new network that you create must have a unique name within the same project.

Creating an auto mode network

Auto mode networks create one subnet in each GCP region automatically when you create the network. As new regions become available, new subnets in those regions are automatically added to the auto mode network. IP ranges for the automatically created subnets come from a predetermined set of ranges. All auto mode networks use the same set of IP ranges.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
  2. Click Create VPC network.
  3. Enter a Name for the network.
  4. Choose Automatic for the Subnet creation mode.
  5. In the Firewall rules section, select one or more predefined firewall rules that address common use cases for connectivity to VMs. If you don't want to use them, select no rules. You can create your own firewall rules after you create the network.
  6. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  7. Click Create.

gcloud

Create an auto mode network using the following gcloud command:

gcloud compute networks create [NETWORK_NAME] \
    --subnet-mode=auto \
    --bgp-routing-mode=[DYNAMIC_ROUTING_MODE]

Replace the placeholders with valid values:

  • [NETWORK_NAME] is a name for the VPC network.
  • [DYNAMIC_ROUTING_MODE] can be either global or regional to control the behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.

Creating a custom mode network

You control the subnets created within a custom mode VPC network. You can create subnets when you create the network, or you can add subnets later.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
  2. Click Create VPC network.
  3. Enter a Name for the network.
  4. Choose Custom for the Subnet creation mode.
  5. In the New subnet section, specify the following configuration parameters for a subnet:
    1. Provide a Name for the subnet.
    2. Select a Region.
    3. Enter an IP address range. This is the primary IP range for the subnet.
    4. To define a secondary range for the subnet, click Create secondary IP range.
    5. Private Google access: Choose whether to enable Private Google Access for the subnet when you create it or later by editing it.
    6. Flow logs: Choose whether to enable VPC flow logs for the subnet when you create it or later by editing it.
    7. Click Done.
  6. To add more subnets, click Add subnet and repeat the previous steps. You can also add more subnets to the network after you have created the network.
  7. Choose the Dynamic routing mode for the VPC network.

    For more information, see dynamic routing mode. You can change the dynamic routing mode later.

  8. Click Create.

gcloud

Create a new custom mode network using the following gcloud command. After you have created your network, add subnets to it by following the adding subnets directions.

gcloud compute networks create [NETWORK_NAME] \
    --subnet-mode=custom \
    --bgp-routing-mode=[DYNAMIC_ROUTING_MODE]

Replace the placeholders with valid values:

  • [NETWORK_NAME] is a name for the VPC network.
  • [DYNAMIC_ROUTING_MODE] can be either global or regional to control the behavior of Cloud Routers in the network. For more information, refer to dynamic routing mode.

Working with subnets

You must follow these rules when creating or editing a subnet:

  • Within a project, a subnet cannot have the same name as a VPC network unless it is a member of that network. Within a project, subnets in the same region must have unique names. For example, a network named production can have multiple subnets also named production as long as each of those subnets is in a unique region.

  • You cannot change the name or region of a subnet after you have created it.

  • Each subnet must have a primary range, and, optionally, up to five secondary range for alias IP. Primary and secondary IP ranges must be RFC 1918 IP ranges, though the IP ranges for subnets in a VPC network do not have to be contiguous.

    • The primary IP range for the subnet can be expanded, but not replaced or shrunk, after the subnet has been created.

    • You can remove and replace a subnet's secondary IP address range only if no VM instances are using that range.

  • Primary and secondary ranges for subnets cannot overlap with any allocated range, any primary or secondary range of another subnet in the same network, or any IP ranges of subnets in peered networks.

  • GCP creates corresponding subnet routes for both primary and secondary IP ranges. Subnet routes, and therefore subnet IP ranges, must have the most specific IP ranges by definition.

    • Primary and secondary ranges can't conflict with on-premises IP ranges if you have connected your VPC network to another network with Cloud VPN, Dedicated Interconnect, or Partner Interconnect.

    • Avoid using IP addresses from the 10.128.0.0/9 block for a subnet's primary or secondary IP ranges. Automatically created subnets in auto mode networks use IP addresses from this block. If you use IP addresses in the 10.128.0.0/9 block, you will not be able to connect your network to an auto mode VPC network using VPC Peering or with Cloud VPN tunnels.

Listing subnets

You can see all the subnets that exist for a project.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
    Subnets in all VPC networks are shown.
  2. Click the name of a network then click the Subnets tab on the VPC network details page to view subnets for just that network, instead of for all networks.

gcloud

You can list all subnets in all networks in your project, or you can show only the subnets for a particular network or region. The following list shows example commands.

  • Use this command to list all subnets in all VPC networks, in all regions:

    gcloud compute networks subnets list
    

  • Use this command to list all subnets in a particular VPC network, replacing [NETWORK] with the name of the network:

    gcloud compute networks subnets list \
       --network=[NETWORK]
    

  • Use this command to list all subnets in a particular region, replacing [REGION] with a region name:

    gcloud compute networks subnets list \
       --region=[REGION]
    

Describing a subnet

You can view details of an existing subnet, such as its primary IP range, any secondary IP ranges, and its region, by following the steps in this section.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.
  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.

gcloud

  1. List subnets to determine the names and regions of existing subnets in your project.

  2. Describe the subnet using the following gcloud command, replacing [SUBNET_NAME] with its name and [REGION] with its region.

    gcloud compute networks subnets describe [SUBNET_NAME] \
        --region=[REGION]
    

Adding subnets

When you create a subnet, you set a name, a region, and at least a primary IP address range according to the subnet rules.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
  2. Click the name a VPC network to show its VPC network details page.
  3. Click Add subnet. In the panel that appears:
    1. Provide a Name.
    2. Select a Region.
    3. Enter an IP address range. This is the primary IP range for the subnet.
    4. To define a secondary range for the subnet, click Create secondary IP range.
    5. Private Google access: You can enable Private Google Access for the subnet when you create it or later by editing it.
    6. Flow logs: You can enable VPC flow logs for the subnet when you create it or later by editing it.
    7. Click Add.

gcloud

The following gcloud command creates a new subnet in a given network.

gcloud compute networks subnets create [SUBNET_NAME] \
    --network=[NETWORK] \
    --range=[PRIMARY_RANGE] \
    --region=[REGION]

Replace the placeholders with valid values:

  • [SUBNET_NAME] is a name for the new subnet.
  • [NETWORK] is the name of the VPC network that will contain the new subnet.
  • [PRIMARY_RANGE] is the primary IP range for the new subnet, in CIDR notation.
  • [REGION] is the GCP region in which the new subnet will be created.

You can modify the previous command with the following optional flags:

  • --secondary-range=[SECONDARY_RANGE]: Replace [SECONDARY_RANGE] with a secondary range in CIDR notation. You can add up to five secondary ranges.
  • --enable-flow-logs: Enables VPC Flow Logs in the subnet at creation time.
  • --enable-private-ip-google-access: Enables Private Google Access in the subnet at creation time.

Deleting subnets

Use the following directions to delete a manually created subnet. Before you can delete a subnet, you must delete VM instances, reserved internal IP addresses, and internal forwarding rules that use the subnet.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.
  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.
  3. Click Delete subnet.
  4. In the message that appears, click Delete to confirm.

gcloud

Use the following gcloud command to delete a subnet:

gcloud compute networks subnets delete [SUBNET_NAME] \
    --region=[REGION]

Replace the placeholders with valid values:

  • [SUBNET_NAME] is the name of the subnet to delete.
  • [REGION] is the region where the subnet exists.

Expanding a primary IP range

You can expand the primary IP range of an existing subnet by modifying its subnet mask, setting the prefix length to a smaller number. The proposed new primary IP range of the subnet must follow the subnet rules.

When expanding the IP range of an automatically created subnet in an auto mode network (or in a custom mode network that was previously an auto mode network), the broadest prefix (subnet mask) you can use is /16. Any prefix broader than /16 would conflict with the primary IP ranges of the other automatically created subnets.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
    All networks and subnets in your project are presented in a hierarchical view, where subnets are shown as entries within networks.
  2. To focus on subnets for a particular network, click the name of a network. On its VPC network details page, click the name of a subnet in the Subnets tab to view its Subnet details page.
  3. Click Edit.
  4. Enter a new, broader CIDR block in the IP address range field.
  5. Click Save.

gcloud

Expand the primary IP range of a subnet with the following gcloud command:

gcloud compute networks subnets expand-ip-range [SUBNET_NAME] \
  --region=[REGION] \
  --prefix-length=[PREFIX_LENGTH]

Replace the placeholders with valid values:

  • [SUBNET_NAME] is the name of the subnet.
  • [REGION] is the region in which the subnet is located.
  • [PREFIX_LENGTH] is a subnet mask size in bits. If the primary IP range is 10.1.2.0/24, you can supply 20 to reduce the subnet mask to 20 bits, which changes the primary IP range to 10.1.2.0/20.

Editing secondary ranges

You can add up to five secondary IP ranges to subnets, and you can remove any secondary range as long as no resources are using IP addresses in it.

gcloud

Add a new secondary IP range to a subnet using the following gcloud command:

gcloud compute networks subnets update [SUBNET_NAME] \
  --region=[REGION] \
  --add-secondary-ranges=[SECONDARY_RANGE_NAME]=[SECONDARY_RANGE]

Replace the placeholders with valid values:

  • [SUBNET_NAME] is the name of the subnet.
  • [REGION] is the region in which the subnet is located.
  • [SECONDARY_RANGE_NAME] is a name for the secondary range.
  • [SECONDARY_RANGE] is the secondary IP range in CIDR notation.

Remove a secondary IP range from a subnet using the following gcloud command:

gcloud compute networks subnets update [SUBNET_NAME] \
  --region=[REGION] \
  --remove-secondary-ranges=[SECONDARY_RANGE_NAME]

Replace the placeholders with valid values:

  • [SUBNET_NAME] is the name of the subnet.
  • [REGION] is the region in which the subnet is located.
  • [SECONDARY_RANGE_NAME] is the name of the secondary range to be removed.

Modifying networks

Converting to custom mode

You can convert an auto mode network to a custom mode network using this procedure. Review the considerations for auto mode networks for background information about reasons why you might want to do this.

Converting an auto mode network to a custom mode network preserves all of its automatically created subnets and any subnets you have added. Subnet names and IP ranges are not changed.

After you convert an auto mode network to custom mode, you must review all API calls and gcloud commands that implicitly reference any subnet subnet that was automatically created while the network was in auto mode. API calls and commands will need to be modified so that they reference the subnet explicitly. For gcloud commands that have a subnet specification flag (--subnet), that flag is required to reference subnets in a custom mode network.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
  2. Click the name a VPC network to show its VPC network details page.
  3. Click Edit.
  4. In the Subnet creation mode section, choose Custom.
  5. Click Save.

gcloud

Convert an auto mode network to a custom mode network using the following command, replacing [NETWORK_NAME] with the network's name.

gcloud compute networks update [NETWORK_NAME] \
    --switch-to-custom-subnet-mode

Changing the dynamic routing mode

Each VPC network has an associated dynamic routing mode that controls the behavior of Cloud Routers in the network. Refer to dynamic routing mode section in the VPC Network Overview page to understand how each mode affects how Cloud Routers share routes and apply learned routes.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
  2. Click the name a VPC network to show its VPC network details page.
  3. Click Edit.
  4. In the Dynamic routing mode section, choose either Global or Regional.
  5. Click Save.

gcloud

Change the dynamic routing mode of a VPC network with the following gcloud command:

gcloud compute networks update [NETWORK_NAME] \
    --bgp-routing-mode=[DYNAMIC_ROUTING_MODE]

Replace the placeholders with valid values:

  • [NETWORK_NAME] is the name of the VPC network whose dynamic routing mode you need to change.
  • [DYNAMIC_ROUTING_MODE] is either global or regional, depending on the desired behavior of all Cloud Routers in the network.

Deleting a network

If a network is not being used, you can delete it. Before you can delete a network, you must delete all resources in all of its subnets, and all resources that reference the network. Resources that reference the network include Cloud VPN gateways, Cloud Routers, firewall rules, and custom static routes.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
    Go to the VPC networks page
  2. Click the name a VPC network to show its VPC network details page.
  3. Click Delete VPC network.
  4. In the message that appears, click Delete to confirm.

gcloud

Delete a network by using the following gcloud command, replacing [NETWORK_NAME] with the name of the network to remove.

gcloud compute networks delete [NETWORK_NAME]

Monitoring your VPC network

You can enable logging of network flows to and from VMs. See Using VPC Flow Logs for instructions.

You can enable logging for firewall rules to see which rules allowed or blocked which traffic. See Using Firewall Rules Logging for instructions.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...