Prepare for Hybrid Subnets connectivity
This page describes the steps to prepare an on-premises network and a VPC network for Hybrid Subnets connectivity.
Before you begin
- Read About migrating to Google Cloud with Hybrid Subnets.
- Identify or create a VPC network.
- Identify the region for your migration. The subnet that uses hybrid subnet routing, your Cloud Router, and the Cloud VPN tunnels or Cloud Interconnect VLAN attachments that provide hybrid connectivity must all be in this region.
- In the VPC network, identify or create a subnet whose primary internal IPv4 address range matches the CIDR block in your on-premises network that hosts the workloads you plan to migrate. This matched range is the shared CIDR block. Hybrid subnet routing supports both primary and secondary IPv4 address ranges, but this guide focuses on using the subnet's primary IPv4 range for the shared CIDR block.
- To use the command-line examples in this guide, install or update to the latest version of the Google Cloud CLI.
- Enable the Compute Engine API in your Google Cloud project. For more information, see the Compute Engine API.
- Enable the Network Connectivity API in your Google Cloud project. For more information, see the Network Connectivity API.
Required roles
To get the permissions that you need to configure hybrid subnet routing, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Connect a VPC network to an on-premises network
Hybrid subnet routing requires connectivity between a VPC network and an on-premises network. The connection must be one of the following types:
- A pair of HA VPN tunnels
- VLAN attachments for Dedicated Interconnect
- VLAN attachments for Partner Interconnect
The HA VPN tunnels or VLAN attachments must be in the same region as the subnet where you plan to enable hybrid subnet routing.
For help choosing a connection type, see Choosing a Network Connectivity product.
To configure hybrid connectivity, see the following:
- Create an HA VPN gateway to a peer VPN gateway
- Create Dedicated Interconnect VLAN attachments
- Create Partner Interconnect VLAN attachments
Configure custom route advertisement
When you configure hybrid connectivity, you create a Cloud Router. Configure the Cloud Router's BGP session to advertise only custom routes, and don't add any routes now; in a later step, you add a custom route for each migrated VM. In the default advertisement mode, Cloud Router would advertise the subnet's whole range to your on-premises network, which would attract traffic for the entire shared CIDR block to Google Cloud before the workloads have moved.
Configure firewall rules
To ensure that Google Cloud instances can communicate with all workloads that use the shared CIDR block, do the following:
In Google Cloud, create ingress allow firewall rules or rules in firewall policies to allow all packets from the shared CIDR block.
You can scope firewall rules to specific instances by using the target parameter of the rule, so that the allow rule applies to the migrated instances rather than to every instance in the network.
Configure firewalls in your on-premises network in a similar way, so that packets from the shared CIDR block (including the migrated VMs) can reach the workloads that remain on-premises.
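The Google Cloud side of this preparation (subnet whose primary range is the shared CIDR block, BGP session in custom advertisement mode with no routes yet, and a scoped ingress allow rule) as one shell script. This is an added example, not code from the Hybrid Subnets documentation; the project, network, subnet, router, peer, region and tag names and the 10.20.0.0/24 shared CIDR are placeholder assumptions that you override through the environment. It prints the gcloud commands unless DRY_RUN=0, and includes a check that the subnet range you pass in matches the shared CIDR block exactly, which is the constraint the steps above depend on.

```shell
#!/bin/sh
# Added example (not from the Hybrid Subnets documentation): prepare the Google Cloud side.
# Every name and value below is an assumption for illustration; override them via the environment.
set -eu

PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"            # subnet, Cloud Router and tunnels/attachments share it
NETWORK="${NETWORK:-migration-vpc}"
SUBNET="${SUBNET:-shared-subnet}"
SHARED_CIDR="${SHARED_CIDR:-10.20.0.0/24}" # on-premises CIDR that hosts the workloads to migrate
ROUTER="${ROUTER:-migration-router}"
PEER="${PEER:-onprem-peer}"                # BGP peer created with the HA VPN tunnel / VLAN attachment
TARGET_TAG="${TARGET_TAG:-hybrid-subnet-vm}"
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the gcloud commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Return 0 if $1 is a well-formed IPv4 prefix such as 10.20.0.0/24 (four octets <= 255, length <= 32).
valid_ipv4_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  vc_addr=${1%/*}; vc_plen=${1#*/}
  case "$vc_plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$vc_plen" -le 32 ] || return 1
  vc_count=0; vc_ifs=$IFS; IFS=.
  for vc_oct in $vc_addr; do
    case "$vc_oct" in ''|*[!0-9]*) IFS=$vc_ifs; return 1 ;; esac
    [ "$vc_oct" -le 255 ] || { IFS=$vc_ifs; return 1; }
    vc_count=$((vc_count + 1))
  done
  IFS=$vc_ifs
  [ "$vc_count" -eq 4 ]
}

# The subnet's primary IPv4 range must equal the on-premises CIDR (the shared CIDR block) exactly.
# Pass the range reported by:
#   gcloud compute networks subnets describe SUBNET --region=REGION --format='value(ipCidrRange)'
subnet_matches_shared_cidr() {
  [ "$1" = "$SHARED_CIDR" ]
}

# Step 1: create the subnet whose primary range is the shared CIDR block.
create_shared_subnet() {
  valid_ipv4_cidr "$SHARED_CIDR" || { echo "SHARED_CIDR is not an IPv4 prefix: $SHARED_CIDR" >&2; return 1; }
  run gcloud compute networks subnets create "$SUBNET" --project="$PROJECT" \
    --network="$NETWORK" --region="$REGION" --range="$SHARED_CIDR"
}

# Step 2: make the BGP session advertise only custom routes, and add none yet.
# With no advertised groups or ranges set, the session advertises nothing to on-premises.
set_custom_advertisement() {
  run gcloud compute routers update-bgp-peer "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --peer-name="$PEER" --advertisement-mode=CUSTOM
}

# Step 3: ingress allow rule for all packets from the shared CIDR block, limited to tagged
# instances (the migrated VMs) instead of every instance in the network.
create_ingress_rule() {
  run gcloud compute firewall-rules create allow-ingress-from-shared-cidr --project="$PROJECT" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=all \
    --source-ranges="$SHARED_CIDR" --target-tags="$TARGET_TAG"
}

# Usage: sh prepare.sh apply            (prints the commands)
#        DRY_RUN=0 sh prepare.sh apply  (runs them with gcloud)
if [ "${1:-}" = "apply" ]; then
  create_shared_subnet
  set_custom_advertisement
  create_ingress_rule
fi
```

Run it once in dry-run mode and compare the printed commands against your environment before setting DRY_RUN=0; the firewall rule is deliberately narrow (a target tag) because an unscoped allow-all rule from the shared CIDR block would expose every instance in the network to the on-premises side.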
Configure routing for on-premises network
Configure on-premises routing by completing the steps in the following sections.
Enable proxy ARP for the on-premises network
Enable proxy ARP for your on-premises network. For more information, see Proxy ARP and Hybrid Subnets.
For information about enabling proxy ARP, see the documentation of your proxy ARP solution.
Advertise your shared CIDR block
Configure your on-premises network to advertise the shared CIDR block. This IP address range must match the primary internal IPv4 address range of the subnet that uses hybrid subnet routing.
For information about configuring route advertisement, see the documentation of your router.
What's next
- To configure hybrid subnet routing and migrate workloads to Google Cloud, see Migrate workloads to Google Cloud with Hybrid Subnets.