Creating your first subnet
Google Cloud VMware Engine creates a network for each private cloud and uses VLANs for network management. For workload virtual machines (VMs), you create subnets as network segments on NSX Manager for your private cloud. VMware Engine includes NSX for workload networking and security features such as microsegmentation and firewall policies. This page explains how to create subnets for your workloads using NSX Manager.
Before you begin
This quickstart assumes that you have done the following:
- Created a Google Cloud VMware Engine private cloud. You can create one by completing the following quickstart: Creating your first private cloud.
- Allocated address ranges in your network for the following purposes:
- A DHCP service
- A subnet for the NSX workload network segment
 
Access NSX Manager from the VMware Engine portal
The process of creating a subnet happens in NSX, which you access through VMware Engine:
- In the Google Cloud console, go to the Private clouds page. 
- Click Select a project and then select the organization, folder, or project where the private cloud is located. 
- Click the private cloud name where you want to create the subnet. 
- Under Management appliances, click the URL corresponding to NSX Manager. 
- When prompted, enter your sign-in credentials. As a reminder, you can retrieve generated credentials from the private cloud details page. 
If you've set up vIDM and connected it to an identity source, such as Active Directory, use your identity source credentials instead.
Set up DHCP service for the subnet
Before you can create a subnet, set up a DHCP service:
- In NSX, go to Networking > DHCP. The networking dashboard shows that the service creates one tier-0 and one tier-1 gateway.
- To begin provisioning a DHCP server, click Add DHCP Profile. 
- In the DHCP name field, enter a name for the profile. 
- For Profile type, select DHCP server. 
- In the Server IP address column, provide a DHCP service IP address range. 
- Click Save to create the DHCP service. 
Next, attach this DHCP service to the relevant tier-1 gateway. A default tier-1 gateway has already been provisioned by the service:
- In NSX, go to Networking > Tier-1 Gateways.
- Click the vertical ellipses next to your tier-1 gateway and select Edit.
- In the DHCP field, click the Set DHCP Configuration link.
- Set Type to DHCP Server and select the DHCP Server Profile that you just created.
- Click Save.
- Click Close Editing.
You can now create a network segment in NSX. For more information about DHCP in NSX, see the VMware documentation for DHCP.
Create a network segment in NSX
For workload VMs, you create subnets as NSX network segments for your private cloud:
- In NSX, go to Networking > Segments.
- Click Add Segment.
- In the Segment Name field, enter a name for your segment.
- In the Connected Gateway list, select Tier1 to connect to the tier-1 gateway.
- In the Transport zone list, select TZ-OVERLAY | Overlay.
- In the Subnets column, enter the subnet range. Specify the subnet range with .1 as the last octet. For example, 10.12.2.1/24.
- Click Set DHCP Config, and provide values for the DHCP Ranges field.
- Click Apply to save your DHCP configuration.
- Click Save. You can now select this network segment in vCenter when creating a VM.
In a given region, you can advertise at most 250 unique routes from VMware Engine to your VPC network using private services access. These unique routes include, for example, private cloud management IP address ranges, NSX workload network segments, and HCX internal IP address ranges. This route limit covers all private clouds in the region and corresponds to the Cloud Router learned route limit.
For information about routing limits, see Cloud Router Quotas and limits.
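A pre-flight check for a planned segment, written as an added example rather than code from the page or from VMware Engine: it verifies that the Subnets value uses the .1 gateway address, that the segment does not overlap ranges already advertised in the region, and that the new route stays within the 250-route limit. The sample ranges are constructed, and the function name is an assumption.

```python
import ipaddress

# Cloud Router learned-route limit per region, as stated on this page.
MAX_ROUTES_PER_REGION = 250


def check_segment_plan(gateway_cidr, advertised_cidrs):
    """Pre-flight checks for a planned NSX segment (hypothetical helper).

    gateway_cidr:     the value to enter in the segment's Subnets column,
                      e.g. "10.12.2.1/24" (gateway address plus prefix length).
    advertised_cidrs: ranges already advertised from VMware Engine in the
                      region (management ranges, existing segments, HCX ranges).
    Returns a list of problems; an empty list means the plan is consistent
    with the guidance on this page.
    """
    problems = []
    gateway = ipaddress.ip_interface(gateway_cidr)
    segment = gateway.network

    # The page asks for the gateway with .1 as the last octet, i.e. the first
    # usable host of the segment (for 10.12.2.1/24 that is 10.12.2.0/24 + 1).
    if gateway.ip != segment.network_address + 1 or gateway.ip.packed[-1] != 1:
        problems.append(f"gateway {gateway.ip} is not the .1 address of {segment}")

    # Overlapping subnets cause routing problems: reject any overlap with
    # ranges that are already advertised.
    for cidr in advertised_cidrs:
        existing = ipaddress.ip_network(cidr)
        if segment.overlaps(existing):
            problems.append(f"{segment} overlaps existing range {existing}")

    # Each segment is one more route toward the VPC; stay within the
    # regional limit on learned routes.
    if len(advertised_cidrs) + 1 > MAX_ROUTES_PER_REGION:
        problems.append(
            f"adding {segment} would advertise {len(advertised_cidrs) + 1} "
            f"routes, above the limit of {MAX_ROUTES_PER_REGION}")
    return problems


if __name__ == "__main__":
    # Constructed sample: two ranges already advertised in the region.
    advertised = ["10.12.1.0/24", "192.168.0.0/22"]
    print(check_segment_plan("10.12.2.1/24", advertised))   # []
    print(check_segment_plan("10.12.1.0/24", advertised))   # gateway and overlap problems
```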
Best practices for subnet configuration and route redistribution in NSX
To ensure optimal network operation and to prevent routing loops and service disruptions, follow these guidelines when configuring subnets and route redistribution within NSX:
- Subnet overlapping: Avoid overlapping subnets - Ensure that IP subnets used in VMware Engine are unique and don't overlap with subnets in your private cloud or external networks. Overlaps can cause routing problems and disrupt services.
- Tier-0 route redistribution:
- Automatic redistribution - VMware Engine redistributes routes for connected Tier-1 segments within the Tier-0 router using BGP for proper connectivity between workloads and the external world.
- Redistributing static routes - When redistributing static routes on Tier-0, first deny the default route (0.0.0.0/0) and then allow all other traffic using a prefix list, to prevent routing loops. VMware Engine already configures a default route (0.0.0.0/0) on Tier-0 gateways pointing toward the underlying infrastructure, so create a prefix-list and attach it to both BGP neighbors on the Tier-0 gateway by following the steps in the next two sections.
 
Create a prefix-list in NSX
To create a prefix-list in NSX in VMware Engine, do the following:
- In NSX, go to Networking > Tier-0 Gateways.
- Click the menu icon (three dots) and click Edit.
- Click Routing.
- Click Set next to IP Prefix List.
- Click Add IP Prefix List.
- Enter a name for the IP prefix list.
- Click Set to add IP prefixes.
- Click Add Prefix.
- In the Network field, enter a keyword "any".
- Leave all fields as is, and in the Action field, select Permit from the drop-down menu.
- Click Add.
 
- Click Add Prefix again.
- In the Network field, enter an IP address in CIDR format, for example 0.0.0.0/0.
- Leave all fields as is, and in the Action field, select Deny from the drop-down menu.
- Click Add.
- Click Apply.
- Click Save > Close.
Attach the prefix-list to both BGP neighbors
After creating the prefix-list, the next task is to attach the prefix-list to both the BGP neighbors in NSX by doing the following:
- In NSX, go to Networking > Tier-0 Gateways.
- Click the menu icon (three dots) and click Edit.
- Click BGP.
- Click BGP Neighbors.
- Click the menu icon (three dots) and select Edit.
- Click Route Filter.
- Click the menu icon (three dots) and select Edit.
- Click Configure on the Out Filter field.
- Select the prefix-list name previously created.
- Click Save.
- Click Add > Apply.
- Click Save.
- Repeat steps 5-13 for the other BGP neighbor.
- Click Close Editing.
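To see why the text insists on denying the default route before permitting everything else, here is an added model of the out filter attached to each BGP neighbor; it is not NSX code or code from this page. It assumes that prefix-list entries are evaluated top-down with the first match deciding and an implicit deny otherwise, and the Tier-0 routes and function names are constructed.

```python
import ipaddress


# Constructed model of an NSX IP prefix list used as a BGP out filter.
# Assumption made here: entries are evaluated top-down and the first matching
# entry decides; a route that matches no entry is not advertised. Confirm this
# against the NSX documentation for the version running in your private cloud.
def prefix_list_action(prefix_list, route):
    """Return "permit" or "deny" for one route under the given prefix list.

    prefix_list: ordered list of (network, action) pairs, where network is a
                 CIDR string or the keyword "any" as entered in NSX Manager.
    """
    route_net = ipaddress.ip_network(route)
    for network, action in prefix_list:
        if network == "any" or ipaddress.ip_network(network) == route_net:
            return action
    return "deny"  # implicit deny when nothing matched


def advertised_routes(prefix_list, tier0_routes):
    """Routes that pass the out filter and would be advertised to a neighbor."""
    return [r for r in tier0_routes
            if prefix_list_action(prefix_list, r) == "permit"]


# Order stated in the text: deny the default route first, then permit all.
DENY_DEFAULT_THEN_PERMIT_ANY = [("0.0.0.0/0", "deny"), ("any", "permit")]
# Reversed order, kept only to show why the sequence matters under first-match.
PERMIT_ANY_THEN_DENY_DEFAULT = [("any", "permit"), ("0.0.0.0/0", "deny")]

# Constructed Tier-0 routing table: the default route VMware Engine installs
# toward the underlying infrastructure plus two workload segments.
TIER0_ROUTES = ["0.0.0.0/0", "10.12.2.0/24", "10.12.3.0/24"]


if __name__ == "__main__":
    print(advertised_routes(DENY_DEFAULT_THEN_PERMIT_ANY, TIER0_ROUTES))
    # ['10.12.2.0/24', '10.12.3.0/24']
    print(advertised_routes(PERMIT_ANY_THEN_DENY_DEFAULT, TIER0_ROUTES))
    # the default route is still advertised: the loop risk the text warns about
```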
What's next
- Learn more about IP address management (IPAM) using NSX.