Prepare for Hybrid Subnets connectivity

This page describes the steps to prepare a source network and a VPC network for Hybrid Subnets connectivity.

Before you begin

Required roles

To get the permissions that you need to create a hybrid subnet, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Connect a VPC network to a source network

A hybrid subnet requires connectivity between a VPC network and a source network. The source network can be an on-premises network or another VPC network.

If you're connecting a VPC network to an on-premises network, the connection must be one of the following types:

  • A pair of HA VPN tunnels
  • VLAN attachments for Dedicated Interconnect
  • VLAN attachments for Partner Interconnect

If you're connecting a VPC network to another VPC network, the connection must be a pair of HA VPN tunnels.

For help choosing a connection type, see Choosing a Network Connectivity product.

To configure hybrid connectivity, see the documentation for the connection type that you chose (HA VPN, Dedicated Interconnect, or Partner Interconnect).

Configure custom route advertisement

When you configure hybrid connectivity, you create a Cloud Router. Configure the Cloud Router's BGP session to advertise custom routes only (custom advertisement mode). In the default advertisement mode, the Cloud Router advertises every subnet range in the VPC network, including the hybrid subnet's whole range, to the source network, which still hosts the workloads that haven't been migrated yet. Don't add any custom routes now; in a later step, you add a custom route for each migrated VM.

If you're configuring a hybrid subnet that connects two VPC networks, configure the BGP session of both routers to only advertise custom routes.

Configure firewall rules

Google Cloud virtual machine (VM) instances must be able to communicate both with workloads in your source network and with Google Cloud VMs that use the hybrid subnet's IP address range. To allow this traffic, do the following:

  • In Google Cloud, create ingress allow firewall rules, or allow rules in firewall policies, that permit packets from the IP address range that is associated with the hybrid subnet.

    The implied allow egress firewall rule already allows egress from Google Cloud VMs. If you've created egress deny firewall rules or egress deny rules in firewall policies that cover the hybrid subnet's range, you need to create egress allow rules with a higher priority (a lower priority number) that permit packets to the IP address range that is associated with the hybrid subnet. Rules of equal priority don't help, because a deny rule takes precedence over an allow rule of the same priority.

    You can scope firewall rules to specific VMs by using the rule's target parameter, for example target tags or target service accounts, instead of applying them to every VM in the network.

  • Configure firewalls in your source network in a similar way, so that they allow traffic to and from the hybrid subnet's IP address range.

Configure routing for on-premises network

If your source network is on-premises, configure on-premises routing by completing the steps in the following sections.

If your source network is another VPC network, you don't need to complete the steps in the following sections.

Enable proxy ARP for the on-premises network

Enable proxy ARP for your on-premises network. For more information, see Proxy ARP and Hybrid Subnets.

For information about enabling proxy ARP, see the documentation of your proxy ARP solution.

Advertise the hybrid subnet's IP address range from the on-premises network

Configure your source network to advertise the segment of its IP address range that you want to use for the hybrid subnet. This IP address range must match the primary internal IPv4 address range of the VPC part of your hybrid subnet.

For information about configuring route advertisement, see the documentation of your router.
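Before moving on, it's worth checking that the three settings configured above agree with each other: the Cloud Router's BGP peers advertise custom routes only and have no routes yet, the prefix advertised from the on-premises network is exactly the hybrid subnet's primary IPv4 range, and the VPC firewall allows traffic to and from that range in both directions. The following pre-flight script is an added example, not code from the Google Cloud documentation or the gcloud tooling. It reads dicts shaped like the JSON that `gcloud compute routers describe --format=json`, `gcloud compute networks subnets describe --format=json` and `gcloud compute firewall-rules list --format=json` return (field names `advertiseMode`, `advertisedGroups`, `advertisedIpRanges`, `ipCidrRange`, `sourceRanges`, `destinationRanges`, `allowed`, `denied`, `priority` are the Compute API's); the router, subnet, peer and rule names, the ranges and the rule contents are constructed for illustration. It does not evaluate rule targets, so a rule scoped by target tags or service accounts still needs a manual check that it reaches the intended VMs.

```python
"""Pre-flight checks for a Hybrid Subnets setup (added example, not from the page)."""
import ipaddress
from typing import Iterable

# Constructed sample data: names and ranges are assumptions, not from the page.
SUBNET = {"name": "hybrid-subnet", "ipCidrRange": "10.50.0.0/24"}

ROUTER = {
    "name": "migration-router",
    "bgpPeers": [
        # Correct: custom advertisement mode, nothing advertised yet.
        {"name": "onprem-peer-0", "advertiseMode": "CUSTOM",
         "advertisedGroups": [], "advertisedIpRanges": []},
        # Misconfigured on purpose: default mode advertises every VPC subnet.
        {"name": "onprem-peer-1", "advertiseMode": "DEFAULT"},
    ],
}

# Prefix the on-premises router advertises towards the VPC (constructed).
ONPREM_ADVERTISED_PREFIX = "10.50.0.0/24"

FIREWALL_RULES = [
    {"name": "allow-from-hybrid", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.50.0.0/24"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 65000,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-egress-hybrid", "direction": "EGRESS", "priority": 900,
     "destinationRanges": ["10.50.0.0/24"], "allowed": [{"IPProtocol": "all"}]},
]


def check_bgp_peers(router: dict) -> list[str]:
    """Every BGP peer must be in CUSTOM mode with no groups or ranges yet."""
    problems = []
    for peer in router.get("bgpPeers", []):
        # The API omits advertiseMode when it is the default, so treat absence as DEFAULT.
        if peer.get("advertiseMode", "DEFAULT") != "CUSTOM":
            problems.append(f"{peer['name']}: advertiseMode must be CUSTOM")
            continue
        if peer.get("advertisedGroups") or peer.get("advertisedIpRanges"):
            problems.append(f"{peer['name']}: remove advertised groups/ranges for now")
    return problems


def check_range_match(subnet: dict, onprem_prefix: str) -> list[str]:
    """The on-prem advertised prefix must equal the VPC primary range exactly."""
    vpc = ipaddress.ip_network(subnet["ipCidrRange"])
    onprem = ipaddress.ip_network(onprem_prefix)
    if vpc != onprem:
        return [f"on-prem advertises {onprem}, VPC primary range is {vpc}"]
    return []


def _covers(ranges: Iterable[str], target: ipaddress.IPv4Network) -> bool:
    """True if any CIDR in `ranges` contains the whole target range."""
    return any(target.subnet_of(ipaddress.ip_network(r)) for r in ranges)


def check_firewall(rules: list[dict], subnet: dict) -> list[str]:
    """Ingress allow must cover the hybrid range; egress deny must be out-prioritised."""
    hybrid = ipaddress.ip_network(subnet["ipCidrRange"])
    problems = []
    if not any(r["direction"] == "INGRESS" and "allowed" in r
               and _covers(r.get("sourceRanges", []), hybrid) for r in rules):
        problems.append("no ingress allow rule covering the hybrid range")
    deny_prios = [r["priority"] for r in rules if r["direction"] == "EGRESS"
                  and "denied" in r and _covers(r.get("destinationRanges", []), hybrid)]
    if deny_prios:
        allow_prios = [r["priority"] for r in rules if r["direction"] == "EGRESS"
                       and "allowed" in r and _covers(r.get("destinationRanges", []), hybrid)]
        # Lower number wins; on a tie, deny beats allow, so the allow must be strictly lower.
        if not allow_prios or min(allow_prios) >= min(deny_prios):
            problems.append("egress to the hybrid range is denied and no higher-priority allow exists")
    return problems


def preflight(router: dict, subnet: dict, onprem_prefix: str, rules: list[dict]) -> list[str]:
    """Run all checks and return the list of findings (empty means ready)."""
    return (check_bgp_peers(router)
            + check_range_match(subnet, onprem_prefix)
            + check_firewall(rules, subnet))


if __name__ == "__main__":
    for finding in preflight(ROUTER, SUBNET, ONPREM_ADVERTISED_PREFIX, FIREWALL_RULES):
        print("FAIL:", finding)
```

Run against the constructed data, the script reports only the peer left in DEFAULT mode; the egress deny-all rule is tolerated because a more specific allow at priority 900 outranks it. Dropping that allow rule makes the egress check fail, which is the situation the firewall section above warns about.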

What's next