Create and manage VPC networks

This document describes how to create, modify, and delete Virtual Private Cloud (VPC)networks and subnetworks. Before reading this document,ensure that you are familiar with the characteristics ofVPC networks as described inVPC networks.Networks and subnets aredifferentresources in Google Cloud.

Note: If you're getting started with Google Cloud, you can create an initialVPC network as part of the Google Cloud setup process.

If you plan to enable IPv6 ranges on subnets, seeIPv6subnet ranges.

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how VPC performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Try VPC free

Create networks

You can choose to create an auto mode or custom mode VPC network.Each new network that you create must have a unique name within the sameproject.

You can optionally create your network using a network profile provided byGoogle Cloud for a specific use case. You only need to configure a networkprofile if you want to runAI Hypercomputer workloadsthat require RDMA NICs. For more information, seeRDMA network profiles.

Create an auto mode VPC network

When you create anauto mode VPCnetwork, onesubnet is created in each Google Cloudregion. As new regions become available, new subnets in those regions areautomatically added to the auto mode VPC network. IPv4 ranges forthe automatically created subnets come from apredetermined set ofranges. All auto mode VPC networksuse the same set of IPv4 ranges.

Subnets with IPv6 address ranges are not supported on auto mode VPCnetworks. Create acustom mode VPC networkif you want to create subnets with IPv6 address ranges.

Important: Read the considerations for auto mode VPCnetworks before you create one forproduction use. Production networks should be planned in advance, and custommode VPC networks are better suited for most production use cases.

To create an auto mode VPC network, follow these steps.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
ClickCreate VPC network.
Enter aName for the network.
Maximum transmission unit (MTU): Choose whether the network hasan MTU of1460 (default),1500, or8896. Before setting the MTU toa value higher than1460, reviewMaximum transmission unit.
ChooseAutomatic for theSubnet creation mode.
In theFirewall rules section, select zero or more predefinedfirewall rules. The rules address common use casesfor connectivity to instances.
Whether or not you select pre-defined rules, you cancreate your own firewall rules after you create the network.
Each predefined rule name starts with the name of the VPC network that you are creating,NETWORK. In theIPv4 firewall rules tab, the predefined ingress firewall rule namedNETWORK-allow-custom is editable. By default it specifies the source range10.128.0.0/9, which contains current and future IPv4 ranges for subnets in an auto mode network. The right side of the row that contains the rule, clickEdit to select subnets, add additional IPv4 ranges, and specify protocols and ports.
Choose theDynamic routing mode for the VPC network.
For more information, seedynamic routingmode. You canchange thedynamic routing mode later.
ClickCreate.

gcloud

Use thenetworks create command.

gcloud compute networks createNETWORK \    --subnet-mode=auto \    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \    --mtu=MTU

Replace the following:

NETWORK: a name for the VPC network.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherglobal orregional. The default isregional. For more information, seedynamic routing mode.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.

Terraform

Usethegoogle_compute_network Terraform resource.

MTU is the maximum transmission unit, or largest packetsize, of the network. MTU can be set to any value from1300 to8896.The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.

resource "google_compute_network" "vpc_network" {  project                 = var.project_id # Replace this with your project ID in quotes  name                    = "my-auto-mode-network"  auto_create_subnetworks = true  mtu                     = 1460}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

Make aPOST request tothenetworks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks{  "autoCreateSubnetworks": true,  "name": "auto-network1",  "mtu":MTU}

Replace the following:

PROJECT_ID: the ID of the project where the VPCnetwork is created.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.

To specify thedynamic routingmodeof the VPC network, include theroutingConfig field:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks{  "routingConfig": {    "routingMode": "DYNAMIC_ROUTING_MODE"  },  "autoCreateSubnetworks": true,  "name": "NETWORK",  "mtu":MTU}

Replace the following:

PROJECT_ID: the ID of the project where the VPCnetwork is created.
NETWORK: a name for the VPC network.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherGLOBAL orREGIONAL. The default isREGIONAL. For more information, seedynamic routing mode.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.

Create a custom mode VPC network with IPv4-only subnets

For custom mode VPC networks, create a network, then create the subnets that youwant within a region. You do not have to specify subnets for all regions rightaway, or even at all, but you cannot create instances in a region that has nosubnet defined. Finally, define the firewall rules for your network.

Each subnet in a VPC network can have a different configuration;you don't need to configure them all as IPv4-only, for example. You can alsochange an IPv4-only only subnet to dual-stack later.

To create a custom mode VPC network with IPv4-only subnets,follow these steps.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
ClickCreate VPC network.
Enter aName for the network.
Maximum transmission unit (MTU): Choose whether the network hasan MTU of1460 (default),1500, or8896. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.
ChooseCustom for theSubnet creation mode.
In theNew subnet section, specify the following configurationparameters for a subnet:
1. Provide aName for the subnet.
2. Select aRegion.
3. Enter anIP address range. This is theprimary IPv4range for the subnet.
  If you select a range that is not an RFC 1918 address, confirm thatthe range doesn't conflict with an existing configuration. For moreinformation, seeIPv4 subnetranges.
4. To define a secondary range for the subnet, clickCreate secondaryIP range.
  If you select a range that is not an RFC 1918 address, confirm thatthe range doesn't conflict with an existing configuration. For moreinformation, seeIPv4 subnetranges.
5. Private Google Access: Choose whether to enablePrivate Google Access for thesubnet when you create it or later by editing it.
6. Flow logs: Choose whether to enableVPC flowlogs for the subnet when you create itor later by editing it.
7. ClickDone.
To add more subnets, clickAdd subnet and repeat the previous steps.You can alsoadd more subnets to the network after youhave created the network.
In theFirewall rules section, select zero or more predefinedfirewall rules in theIPv4 firewall rules.The rules address common use cases for connectivity to instances.
If you don't select any predefined rules, you cancreate your own firewall rules after you create the network.
Each predefined rule name starts with the name of the VPC network that you are creating,NETWORK. In theIPv4 firewall rules tab, the predefined ingress firewall rule namedNETWORK-allow-custom is editable. On the right side of the row that contains the rule, clickEdit to select subnets, add additional IPv4 ranges, and specify protocols and ports.
TheNETWORK-allow-custom firewall rule is not automatically updated if you later add additional subnets. If you need firewall rules for the new subnets, you must update the firewall configuration to add the rules.
Choose theDynamic routing mode for the VPC network.
For more information, seedynamic routingmode. You canchange thedynamic routing mode later.
ClickCreate.

gcloud

Use thenetworks create command.

gcloud compute networks createNETWORK \    --subnet-mode=custom \    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \    --mtu=MTU

Replace the following:

NETWORK: a name for the VPC network.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherglobal orregional. The default isregional. For more information, seedynamic routing mode.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.

Next,add subnets to your network.

Terraform

Use thegoogle_compute_network Terraform resource.

resource "google_compute_network" "vpc_network" {  project                 = var.project_id # Replace this with your project ID in quotes  name                    = "my-custom-mode-network"  auto_create_subnetworks = false  mtu                     = 1460}

Next,add subnets to your network.

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

Make aPOST request to thenetworks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks{  "autoCreateSubnetworks": false,  "name": "NETWORK",  "mtu":MTU,  "routingConfig": {    "routingMode": "DYNAMIC_ROUTING_MODE"  }}

Replace the following:

PROJECT_ID: the ID of the project where the VPCnetwork is created.
NETWORK: a name for the VPC network.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherGLOBAL orREGIONAL. The default isREGIONAL. For more information, seedynamic routing mode.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.

Next,add subnets to your network.

Create a custom mode VPC network with a dual-stack subnet

You can create subnets when you create the network, or you can add them later.

A dual-stack subnet can have one of the following configurations for its primaryIP address ranges:

Internal IPv4 range andinternal IPv6 range
Internal IPv4 range andexternal IPv6 range

Each subnet in a VPC network can have a different configuration;you don't need to configure them all as dual-stack, for example. You can alsochange a dual-stack subnet to IPv4-only later ifthe IPv6 access type of the subnet is external.

To configure subnets with internal IPv6 ranges, enable a VPCnetwork unique local address (ULA) internal IPv6 range. Internal IPv6 subnetranges are allocated from this range.

To create a custom mode VPC network with a dual-stack subnet,follow these steps.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
ClickCreate VPC network.
Enter aName for the network.
Maximum transmission unit (MTU): Choose whether the network hasan MTU of1460 (default),1500, or8896. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.
ForSubnet creation mode, chooseCustom.
If you want to configure internal IPv6 address ranges on subnets in thisnetwork, complete these steps:
1. In thePrivate IPv6 address settings section, selectConfigure a ULA internal IPv6 range for this VPC Network.
2. ForAllocate internal IPv6 range, selectAutomatically orManually.
  If you selectManually, enter a/48 range from within thefd20::/20 range. If the range is in use, you are prompted to providea different range.
In theNew subnet section, specify the following configurationparameters for a subnet:
1. Provide aName for the subnet.
2. Select aRegion.
3. To create a dual-stack subnet, forIP stack type, selectIPv4 and IPv6 (dual-stack).
4. Enter anIPv4 range. This is theprimary IPv4range for the subnet.
  If you select a range that is not an RFC 1918 address, confirm thatthe range doesn't conflict with an existing configuration. For moreinformation, seeIPv4 subnetranges.
5. Select anIPv6 access type:External orInternal.
6. ClickDone.
To add more subnets, clickAdd subnet and repeat the previous steps.
Each subnet in a VPC network can have different stack typeand IPv6 access type configurations. You do not need to configure allsubnets in a given network as dual-stack subnets.
You can alsoadd more subnets of any stack type to thenetwork after you create the network.
In theFirewall rules section, select zero or more predefinedfirewall rules in theIPv4 firewall rules andIPv6 firewall rules tabs. The rules address common use cases forconnectivity to instances.
If you don't select any predefined rules, you cancreate your own firewall rules after you create the network.
Each predefined rule name starts with the name of the VPC network that you are creating,NETWORK. In both theIPv4 firewall rules tab and theIPv6 firewall rules tab, there is an editable predefined ingress firewall rule; the IPv4 rule is namedNETWORK-allow-custom and the IPv6 rule is namedNETWORK-allow-ipv6-custom. On the right side of the row that contains the rule, clickEdit to select subnets, add additional IP ranges, and specify protocols and ports.
TheNETWORK-allow-custom andNETWORK-allow-ipv6-custom firewall rule are not automatically updated if you later add additional subnets. If you need firewall rules for the new subnets, you must update the firewall configuration to add the rules.
Choose theDynamic routing mode for the VPC network.
For more information, seedynamic routingmode. You canchange thedynamic routing mode later.
ClickCreate.

gcloud

Use thenetworks create command.After you have created the network, you can addsubnetsto it.

If you want to configureinternal IPv6 ranges on any subnets in thisnetwork, use the--enable-ula-internal-ipv6 flag. This option assigns a/48 ULA prefix from within thefd20::/20 range used by Google for internalIPv6 subnet ranges. If you want to select the/48 IPv6 range that isassigned, use the--internal-ipv6-range flag to specify a range.

You can omit both flags if you want to configure onlyexternal IPv6 onsubnets in this VPC network.

gcloud compute networks createNETWORK \    --subnet-mode=custom \    [ --enable-ula-internal-ipv6 [ --internal-ipv6-range=ULA_IPV6_RANGE ]] \    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \    --mtu=MTU

Replace the following:

NETWORK: a name for the VPC network.
ULA_IPV6_RANGE: a/48 prefix from within thefd20::/20 range used by Google for internal IPv6 subnet ranges. If youdon't use the--internal-ipv6-range flag, Google selects a/48 prefixfor the network.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherglobal orregional. The default isregional. For more information, seedynamic routing mode.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.

Terraform

Use thegoogle_compute_network Terraform resource.

If you want to configure internal IPv6 ranges on any subnets in this network,use theenable_ula_internal_ipv6 argument.

See the following example:

resource "google_compute_network" "default" {  name                     = "vpc-network-ipv6"  auto_create_subnetworks  = false  enable_ula_internal_ipv6 = true}

Next,add subnets to your network.

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

Make aPOST request to thenetworks.insert method.After you have created the network, you can addsubnetsto it.

If you want to configureinternal IPv6 ranges on any subnets in thisnetwork, setenableUlaInternalIpv6 to true. This option assigns a/48range from within thefd20::/20 range used by Google for internal IPv6subnet ranges. If you want to select which/48 IPv6 range is assigned,also use theinternalIpv6Range field when you specify a range.

To configure onlyexternal IPv6 on subnets in this VPC network,omit both fields.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks{  "autoCreateSubnetworks": false,  "name": "NETWORK",  "mtu":MTU,  "enableUlaInternalIpv6": true,  "internalIpv6Range": "ULA_IPV6_RANGE",  "routingConfig": {    "routingMode": "DYNAMIC_ROUTING_MODE"  }}

Replace the following:

PROJECT_ID: the ID of the project where the VPCnetwork is created.
NETWORK: a name for the VPC network.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.
ULA_IPV6_RANGE: a/48 prefix from within thefd20::/20 range used by Google for internal IPv6 subnet ranges. If youdon't provide a value forinternalIpv6Range, Google selects a/48 prefixfor the network.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherGLOBAL orREGIONAL. The default isREGIONAL. For more information, seedynamic routing mode.

Create a custom mode VPC network with IPv6-only subnets

You can create subnets when you create the network, or you can add them later.

An IPv6-only subnet can have aninternal IPv6 range or anexternal IPv6range. To configure subnets with internal IPv6 ranges, enable aVPC network ULA internal IPv6 range. Internal IPv6 subnet rangesare allocated from this range.

Each subnet in a VPC network can have a different configuration;you don't need to configure them all as IPv6-only, for example.

You can't change a dual-stack or IPv4-only subnet to IPv6-only.Conversely, you can't change an IPv6-only subnet to IPv4-only or dual-stack.

To create a custom mode VPC network with a IPv6-only subnet,follow these steps.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
ClickCreate VPC network.
Enter aName for the network.
Maximum transmission unit (MTU): Choose whether the network hasan MTU of1460 (default),1500, or8896. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.
ForSubnet creation mode, chooseCustom.
To configure internal IPv6 address ranges on subnets in thisnetwork, complete these steps:
1. In thePrivate IPv6 address settings section, selectConfigure a ULA internal IPv6 range for this VPC Network.
2. ForAllocate internal IPv6 range, selectAutomatically orManually.
  If you selectManually, enter a/48 range from within thefd20::/20 range. If the range is in use, you are prompted to providea different range.
In theNew subnet section, specify the following configurationparameters for a subnet:
1. Provide aName for the subnet.
2. Select aRegion.
3. To create an IPv6-only subnet, forIP stack type, selectIPv6 (single-stack).
4. Select an IPv6 access type:External orInternal.
5. ClickDone.
To add more subnets, clickAdd subnet and repeat the previous steps.
Each subnet in a VPC network can have different stack typeand IPv6 access type configurations. You don't need to configure allsubnets in a given network as IPv6-only subnets.
You can alsoadd more subnets of any stack type to thenetwork after you create the network.
In theFirewall rules section, select zero or more predefinedfirewall rules in theIPv6 firewall rulestab. The rules address common use cases for connectivity to instances.
If you don't select any predefined rules, you cancreate your own firewall rules after you create the network.
Each predefined rule name starts with the name of the VPC network that you are creating,NETWORK. In theIPv6 firewall rules tab, there is an editable predefined ingress firewall rule namedNETWORK-allow-ipv6-custom. On the row that contains the rule, clickEdit to select subnets, add additional IP ranges, and specify protocols and ports.
TheNETWORK-allow-ipv6-custom firewall rule isn't automatically updated if you later add additional subnets. If you need firewall rules for the new subnets, you must update the firewall configuration to add the rules.
Choose theDynamic routing mode for the VPC network.
For more information, seeDynamic routingmode. You canchange thedynamic routing mode later.
ClickCreate.

gcloud

Use thenetworks create command.After you have created the network, you can addsubnetsto it.

You can omit both flags if you want to configure onlyexternal IPv6 onsubnets in this VPC network.

gcloud compute networks createNETWORK \    --subnet-mode=custom \    [ --enable-ula-internal-ipv6 [ --internal-ipv6-range=ULA_IPV6_RANGE ]] \    --bgp-routing-mode=DYNAMIC_ROUTING_MODE \    --mtu=MTU

Replace the following:

NETWORK: a name for the VPC network.
ULA_IPV6_RANGE: a/48 prefix from within thefd20::/20 range used by Google for internal IPv6 subnet ranges. If youdon't use the--internal-ipv6-range flag, Google selects a/48 prefixfor the network.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherglobal orregional. The default isregional. For more information, seeDynamic routing mode.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.

Terraform

Use thegoogle_compute_network Terraform resource.

If you want to configure internal IPv6 ranges on any subnets in this network,use theenable_ula_internal_ipv6 argument.

See the following example:

resource "google_compute_network" "default" {  name                     = "vpc-network-ipv6"  auto_create_subnetworks  = false  enable_ula_internal_ipv6 = true}

Next,add subnets to your network.

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

Make aPOST request to thenetworks.insert method.After you have created the network, you can addsubnetsto it.

If you want to configureinternal IPv6 ranges on any subnets in thisnetwork, setenableUlaInternalIpv6 to true. This option assigns a/48range from within thefd20::/20 range used by Google for internal IPv6subnet ranges. If you want to select which/48 IPv6 range that is assigned,also use theinternalIpv6Range field to specify a range.

You can omit both fields if you want to configure onlyexternal IPv6 onsubnets in this VPC network.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks{  "autoCreateSubnetworks": false,  "name": "NETWORK",  "mtu":MTU,  "enableUlaInternalIpv6": true,  "internalIpv6Range": "ULA_IPV6_RANGE",  "routingConfig": {    "routingMode": "DYNAMIC_ROUTING_MODE"  }}

Replace the following:

PROJECT_ID: the ID of the project where the VPCnetwork is created.
NETWORK: a name for the VPC network.
MTU: the maximum transmission unit (MTU), which is thelargest packet size of the network. MTU can be set to any value from1300 to8896. The default is1460. Before setting the MTU to avalue higher than1460, reviewMaximum transmission unit.
ULA_IPV6_RANGE: a/48 prefix from within thefd20::/20 range used by Google for internal IPv6 subnet ranges. If youdon't provide a value forinternalIpv6Range, Google selects a/48 prefixfor the network.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherGLOBAL orREGIONAL. The default isREGIONAL. For more information, seedynamic routing mode.

About firewall rules

After you create a network,create firewall rulesto allow or deny traffic between resources in the network, such as communicationbetween VM instances. You also use firewall rules to control what traffic leavesor enters the VPC network to or from the internet.

View networks

View the VPC and legacy networks in your project. ForVPC networks, you can view information about their subnets andtheir subnet creation mode.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
The console lists all of your VPC and legacy networks.
Select a VPC network to view its details, such as itspeering connections and subnets.

gcloud

To list the networks in your project, use thenetworks list command.

gcloud compute networks list

The command lists all of your VPC and legacy networks.Legacy networks show a subnet creation mode ofLEGACY, whileVPC networks show eitherAUTO orCUSTOM.

NAME             SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE     GATEWAY_IPV4custom-network   CUSTOM       REGIONALdefault          AUTO         REGIONALlegacy-network1  LEGACY       REGIONAL          10.240.0.0/16  10.240.0.1

To describe a network and view its details, such as peering connectionsand subnets, use thenetworks describe command.
```
gcloud compute networks describeNETWORK
```
ReplaceNETWORK with the name of the network.

API

To list all networks in your project, make aGET request to thenetworks.list method.
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
```
ReplacePROJECT_ID with the ID of the project that containsthe VPC networks to list.
To describe a network and view its details, make aGET request to thenetworks.get method.
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK
```
Replace the following:
- PROJECT_ID: the ID of the project that contains theVPC network.
- NETWORK: the name of the VPC networkto describe.

Work with subnets

The following sections describe how to create and manage subnets.

List subnets

You can see all the subnets that exist for a project or VPCnetwork, including details about IP address utilization(the number of free and allocated IP addresses in each subnet).

When viewing IP address utilization, theallocated IP address totals include the unusableIPv4 andIPv6addresses that are reserved for internal use.

To view utilization details for IPv6 addresses, use thegcloud CLI or send an API request. For IPv6 utilization, thetotal values are calculated by the following equation:(high * 2^64) +low = total value.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
To view subnets, do one of the following:
- Click the name of a network, and then click theSubnets tab on theVPC network details page.
  This view lets you add new subnets and modify other configurations for a single selected network.
- Click theSubnets in current project tab and select one or more networks from theVPC networks list.
  This view lets you list the subnets in more than one network.
The percentage of available IP addresses that are assigned to resources isdisplayed in thePrimary IPv4 range availability column.To see the specific number of free and allocated IP addresses,hold the pointer over this column in the row where you want toview details.

gcloud

You can list all subnets in all networks in your project, or you can showonly the subnets for a particular network or region. The following examplesdemonstrate how to use thesubnets list command.

To list all subnets in all VPC networks, use the followingcommand:
```
gcloud compute networks subnets list
```
To list all subnets in a particular VPC network, usethe following command:
```
gcloud compute networks subnets list \    --network=NETWORK
```
ReplaceNETWORK with the name of the network.
To list all subnets in a particular region, use the following command:
```
gcloud compute networks subnets list \    --filter="region:(REGION … )"
```
ReplaceREGION with the name of the region.
To list all subnets in your project and include their IP addressutilization, use the following command:
```
gcloud compute networks subnets list \    --view=WITH_UTILIZATION
```

API

To list all subnets in your project, make aGET request to thesubnetworks.aggregatedList method.
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/subnetworks
```
ReplacePROJECT_ID with the ID of the project that contains thesubnets to list.

To list all subnets in a region and include their IP addressutilization, make the followingGET request:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks?views=WITH_UTILIZATION

Describe a subnet

You can view the details of an existing subnet—such as its primary IPv4ranges, secondary IP ranges, IPv6 ranges, IP address utilization(number of free and allocated IP addresses), and region—by following thesteps in this section.

When viewing IP address utilization, theallocated IP address totals include the unusableIPv4 andIPv6addresses that are reserved for internal use.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
All networks and subnets in your project are presented in a hierarchicalview, where subnets are shown as entries within networks.
To focus on subnets for a particular network, click the name of anetwork. On itsVPC network details page, click the name of a subnet intheSubnets tab to view itsSubnet details page.

gcloud

List subnets to determine the namesand regions of existing subnets in your project.
Use thesubnets describe command.
- To describe the subnet, use the following command:
```
gcloud compute networks subnets describeSUBNET \    --region=REGION
```
  Replace the following:
  - SUBNET: the subnet to describe
  - REGION: the region of the subnet to describe
- To describe the subnet and view its IP address utilization, use thefollowing command:
```
gcloud compute networks subnets describeSUBNET \    --region=REGION \    --view=WITH_UTILIZATION
```

API

To list subnets in a particular region and find a subnet's name,make aGET request to thesubnetworks.list method.
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
```
Replace the following:
- PROJECT_ID: the ID of the project that contains thesubnets to list.
- REGION: the name of the Google Cloud regionthat contains the subnets to list.
Make aGET request to thesubnetworks.get method.
- To describe the subnet, send the following request:
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET
```
  Replace the following:
  - PROJECT_ID: the ID of the project thatcontains the subnet to describe.
  - REGION: the name of the Google Cloudregion that contains the subnet to describe.
  - SUBNET: the name of the subnet to describe.
- To describe the subnet and view its IP address utilization,send the following request:
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET?views=WITH_UTILIZATION
```

Add an IPv4-only subnet

When you create a subnet, you set a name, a region, and at least a primary IPv4address range according to thename andIPv4 subnet range limitations.

To create an IPv4-only subnet, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
Click the name of a VPC network to show itsVPC networkdetails page.
ClickAdd subnet. In the panel that appears:
1. Provide aName.
2. Select aRegion.
3. Enter anIP address range. This is theprimary IPv4range for the subnet.
  If you select a range that is not an RFC 1918 address, confirm thatthe range doesn't conflict with an existing configuration. For moreinformation, seeIPv4 subnetranges.
4. To define a secondary range for the subnet, clickCreate secondaryIP range.
  If you select a range that is not an RFC 1918 address, confirm thatthe range doesn't conflict with an existing configuration. For moreinformation, seeIPv4 subnetranges.
5. Private Google access: You can enablePrivate Google Access for thesubnet when you create it or later by editing it.
6. Flow logs: You can enableVPC flowlogs for the subnet when you create itor later by editing it.
7. ClickAdd.

gcloud

Use thesubnets createcommand.

gcloud compute networks subnets createSUBNET \    --network=NETWORK \    --range=PRIMARY_RANGE \    --region=REGION

Replace the following:

SUBNET: a name for the new subnet.
NETWORK: the name of the VPC networkthat contains the new subnet.
PRIMARY_RANGE: the primary IPv4 range for the newsubnet, in CIDR notation. For more information, seeIPv4 subnetranges.
REGION: the Google Cloud region in which thenew subnet is created.

You can modify the preceding command with the following optional flags:

--secondary-range=SECONDARY_RANGE_NAME=SECONDARY_RANGE:ReplaceSECONDARY_RANGE_NAME with a name for thesecondary range. ReplaceSECONDARY_RANGE with asecondary range in CIDR notation. Theper networklimits describe the maximum number ofsecondary ranges that you can define for each subnet.
--enable-flow-logs: EnablesVPC Flow Logs inthe subnet at creation time.
--enable-private-ip-google-access: EnablesPrivate Google Access in thesubnet at creation time.
--purpose: Enables you to specify thepurpose of thesubnet.
--role: Enables you to specify a role (active or backup) for aproxy-only subnet.

Next, createfirewallrules.

Terraform

Use aTerraform module.

module "test-vpc-module" {  source       = "terraform-google-modules/network/google"  version      = "~> 13.0"  project_id   = var.project_id # Replace this with your project ID in quotes  network_name = "my-custom-mode-network"  mtu          = 1460  subnets = [    {      subnet_name   = "subnet-01"      subnet_ip     = "10.10.10.0/24"      subnet_region = "us-west1"    },    {      subnet_name           = "subnet-02"      subnet_ip             = "10.10.20.0/24"      subnet_region         = "us-west1"      subnet_private_access = "true"      subnet_flow_logs      = "true"    },    {      subnet_name               = "subnet-03"      subnet_ip                 = "10.10.30.0/24"      subnet_region             = "us-west1"      subnet_flow_logs          = "true"      subnet_flow_logs_interval = "INTERVAL_10_MIN"      subnet_flow_logs_sampling = 0.7      subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"      subnet_flow_logs_filter   = "false"    }  ]}

Next, createfirewall rules.

API

Make aPOST request to thesubnetworks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks{  "ipCidrRange": "IP_RANGE",  "network": "NETWORK_URL",  "name": "SUBNET"}

Replace the following:

PROJECT_ID: the ID of the project that contains theVPC network to modify.
REGION: the name of the Google Cloud region wherethe subnet is added.
IP_RANGE: the primary IPv4 address range for the subnet.For more information, seeIPv4 subnetranges.
NETWORK_URL: the URL of the VPC networkwhere you're adding the subnet.
SUBNET: a name for the subnet.

Next, createfirewall rules.

Add a dual-stack subnet

Dual-stack subnets have both IPv4 and IPv6 address ranges.

You can create a subnet withexternal or internal IPv6addresses enabled. Configuring an IPv6 range ona subnet doesn't configure IPv6 on virtual machine (VM) instances that you connectto that subnet. For more information about configuring IPv6 on VMs, seeConfiguring IPv6 for instances and instance templates.

To create a dual-stack subnet, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
Click the name of a VPC network to show itsVPC networkdetails page.
ClickAdd subnet. In the panel that appears:
1. Provide aName.
2. Select aRegion.
3. ForIP stack type, selectIPv4 and IPv6 (dual-stack).
4. Enter anIPv4 range. This is theprimary IPv4range for the subnet.
  If you select a range that is not an RFC 1918 address, confirm thatthe range doesn't conflict with an existing configuration. For moreinformation, seeIPv4 subnetranges.
5. Select anIPv6 access type:Internal orExternal.
  If you want to set the access type toInternal, but theInternal option is not available, check thatan internal IPv6 range is assigned on the network.
6. ClickAdd.

gcloud

Use thesubnets create command.

gcloud compute networks subnets createSUBNET \    --network=NETWORK \    --range=PRIMARY_IPv4_RANGE \    --stack-type=IPV4_IPV6 \    --ipv6-access-type=IPv6_ACCESS_TYPE \    --region=REGION

Replace the following:

SUBNET: a name for the new subnet.
NETWORK: the name of the VPC networkthat will contain the new subnet.
PRIMARY_IPv4_RANGE: the primary IPv4 range for the newsubnet, in CIDR notation. For more information, seeIPv4 subnetranges.
IPv6_ACCESS_TYPE: the IPv6 access type.It can beEXTERNAL orINTERNAL.
REGION: the Google Cloud region in which the newsubnet will be created.

Terraform

Use thegoogle_compute_subnetwork Terraform resource.

See the following example:

resource "google_compute_subnetwork" "subnet_dual_stack" {  name             = "subnet-dual-stack"  ip_cidr_range    = "10.0.0.0/22"  region           = "us-west2"  stack_type       = "IPV4_IPV6"  ipv6_access_type = "INTERNAL"  network          = google_compute_network.default.id}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

Make aPOST request to thesubnetworks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks{  "ipCidrRange": "IP_RANGE",  "network": "NETWORK_URL",  "name": "SUBNET"  "stackType": IPV4_IPV6,  "ipv6AccessType":IPv6_ACCESS_TYPE}

Replace the following:

PROJECT_ID: the ID of the project that contains theVPC network to modify.
REGION: the name of the Google Cloud regionwhere the subnet is added.
IP_RANGE: the primary IPv4 address range for the subnet.For more information, seeIPv4 subnetranges.
NETWORK_URL: the URL of the VPC networkwhere you're adding the subnet.
SUBNET: a name for the subnet.
IPv6_ACCESS_TYPE: the IPv6 access type. It can beEXTERNAL orINTERNAL.

Add an IPv6-only subnet

You can create an IPv6-only subnet withexternal or internal IPv6addresses enabled. Configuring an IPv6 range ona subnet doesn't configure IPv6 on VMs that you connect to that subnet. Formore information about configuring IPv6 on VMs, seeConfiguring IPv6 for instances and instance templates.

To create an IPv6-only subnet, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
To view theVPC network details page, click the name of a VPC network.
On theSubnets tab, clickAdd subnet.In the panel that appears:
1. Provide aName.
2. Select aRegion.
3. ForIP stack type, selectIPv6 (single-stack).
4. Select an IPv6 access type:Internal orExternal.
  If you want to set the access type toInternal, but theInternal option is not available, check thatan internal IPv6 range is assigned on the network.
5. ClickAdd.

gcloud

Use thegcloud compute networks subnets create command.

gcloud compute networks subnets createSUBNET \    --network=NETWORK \    --stack-type=IPV6_ONLY \    --ipv6-access-type=IPv6_ACCESS_TYPE \    --region=REGION

Replace the following:

SUBNET: a name for the new subnet.
NETWORK: the name of the VPC networkto contain the new subnet.
IPv6_ACCESS_TYPE: the IPv6 access type.The access type can be eitherEXTERNAL orINTERNAL.
REGION: the Google Cloud region in which the newsubnet is to be created.

Terraform

Use thegoogle_compute_subnetwork Terraform resource.

See the following example:

resource "google_compute_subnetwork" "subnet_ipv6_only" {  name             = "subnet-ipv6-only"  region           = "us-central1"  network          = google_compute_network.default.id  stack_type       = "IPV6_ONLY"  ipv6_access_type = "INTERNAL"}

To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.

API

Make aPOST request to thesubnetworks.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks{  "network": "NETWORK_URL",  "name": "SUBNET"  "stackType": IPV6_ONLY,  "ipv6AccessType":IPv6_ACCESS_TYPE}

Replace the following:

PROJECT_ID: the ID of the project that contains theVPC network to modify.
REGION: the name of the Google Cloud regionwhere the subnet is added.
NETWORK_URL: the URL of the VPC networkwhere you are adding the subnet.
SUBNET: a name for the subnet.
IPv6_ACCESS_TYPE: the IPv6 access type. Theaccess type can be eitherEXTERNAL orINTERNAL.

Change an IPv4-only subnet to dual-stack

Dual-stack subnets have both IPv4 and IPv6 subnet ranges. You can add eitheraninternal or an external IPv6 subnet range to anexisting IPv4-only subnet in a custom mode VPC network. For moreinformation, seeIPv6 subnet ranges.

Adding an IPv6 subnet range to a subnet does not configure IPv6 on connectedVMs. For information about configuring VMs, seeconfigure IPv6 onVMs.

To change a subnet's stack type to dual-stack, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
Click the name of a network to view theVPC network details page.
In theSubnets tab, click the name of the subnet that you want tomodify.
In theSubnet details page, clickEdit.
ForIP stack type, selectIPv4 and IPv6 (dual-stack).
Select anIPv6 access type:Internal orExternal.
If you want to set the access type toInternal, but theInternal option is not available, check thatan internal IPv6range is assigned for the network.
ClickSave.

gcloud

Use thesubnets update command.

gcloud compute networks subnets updateSUBNET \    --stack-type=IPV4_IPV6 \    --ipv6-access-type=IPv6_ACCESS_TYPE \    --region=REGION

Replace the following:

SUBNET: the name of the subnet.
REGION: the region of the subnet.
IPv6_ACCESS_TYPE: the IPv6 access type of the subnet.It can beEXTERNAL orINTERNAL.

API

Make aPATCH request tothesubnetworks.patch method.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET{  "stackType": IPV4_IPV6,  "ipv6AccessType":IPv6_ACCESS_TYPE}

Replace the following:

PROJECT_ID: the ID of the project that contains theVPC network to modify.
REGION: the subnet's region.
SUBNET: the name of the subnet.
IPv6_ACCESS_TYPE: the IPv6 access type. It can beEXTERNAL orINTERNAL.

Change a dual-stack subnet to IPv4 only

You can change a subnet's stack type from IPv4 and IPv6 (dual-stack) to IPv4only (single-stack) if the IPv6 access type isexternal.

If you make this change, you cannot create new dual-stack VMs that are connectedto that subnet. However, existing dual-stack VMs are not affected. If you needto change a VM's stack type to be IPv4 only, seeChange the stack type of aVM.

This change is supported in Google Cloud CLI and the API only.

Changing the stack type from IPv4 and IPv6 (dual-stack) to IPv4 only(single-stack) is not supported if the IPv6 access type isinternal.

To change a subnet's stack type to IPv4 only, do the following.

gcloud

Use thesubnets update command.

gcloud compute networks subnets updateSUBNET \    --stack-type=IPV4_ONLY \    --region=REGION

Replace the following:

SUBNET: the name of the subnet.
REGION: the subnet's Google Cloud region

API

Make aPATCH request to thesubnetworks.patch method.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET{  "stackType": IPV4_ONLY,}

Replace the following:

PROJECT_ID: the ID of the project that contains theVPC network to modify.
REGION: the subnet's Google Cloud region.
SUBNET: the name of the subnet.

Create subnets with IPv6 BYOIP address ranges

You canBring your own IP addresses (BYOIP) touse for the external IPv6 address range of a dual-stack or IPv6-only subnet.BYOIP-provided external IPv6 subnet ranges can only be used by VMs.

For more information, seeCreate and use IPv6 sub-prefixes.

Delete a subnet

Use the following directions to delete a manually created subnet. Before you candelete a subnet, you must delete all resources that use it. For example, youneed todeleteVMs,reserved internal IP addresses, internal forwarding rules, andCloud NAT gateways that use the subnet.

Note: For auto mode VPC networks, youcannot delete any of the automaticallycreated subnets. However, you can convert an auto mode VPC network to a custommode VPC network and then delete any unused automaticallycreated subnets.

To delete a subnet, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
All networks and subnets in your project are presented in a hierarchicalview, where subnets are shown as entries within networks.
To view a particular network, click the name of anetwork. On itsVPC network details page, click the name of a subnetin theSubnets tab to view itsSubnet details page.
ClickDelete subnet.
In the message that appears, clickDelete to confirm.

gcloud

Use thesubnets delete command.

gcloud compute networks subnets deleteSUBNET \    --region=REGION

Replace the following:

SUBNET: the name of the subnet to delete.
REGION: the region of the subnet to delete.

API

Make aDELETE request to thesubnetworks.delete method.

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET

Replace the following:

PROJECT_ID: the ID of the project that contains thesubnet to delete.
REGION: the name of the Google Cloud region thatcontains the subnet to delete.
SUBNET: the name of the subnet to delete.

Expand a primary IPv4 range

You can expand the primary IPv4 range of an existing subnet by modifying itssubnet mask, setting the prefix length to asmaller number. The proposednew primary IPv4 range of the subnet must follow the rules listed in theIPv4 subnet range limitations.

When expanding the IPv4 range of an automatically created subnet in an auto modeVPC network (or in a custom mode VPC network thatwas previously an auto mode VPC network),the broadest prefix (subnet mask) you can use is/16. Any prefix broader than/16 would conflict withthe primary IPv4 ranges of the other automaticallycreated subnets.

You can't expand subnets that are used exclusively for loadbalancer proxies. For more information, seeProxy-only subnets for loadbalancers.

Expanding the primary IPv4 range of a subnet can take severalminutes to complete. During expansion, traffic within the subnet isnotinterrupted.

If you expand the primary IPv4 range of a subnet, you might need to modifyother configurations that are assuming this IP address range.

If you haveVPC firewall rules orfirewall policy rules that use theoriginal IPv4 address range as a source or destination, add additional firewallrules to apply the same rules to the extended range.
If a Google Kubernetes Engine (GKE) cluster uses the subnet whose primaryIPv4 address range you expand, you mustadd the expanded IP range to the control plane authorized networkslist.

Caution: Expanding the primary IPv4 range of a subnet cannot be undone. Youcannot shrink the primary IPv4 range of a subnet. Expand primary IPv4 rangesconservatively; you can always expand them again. Consider IPv4 addressspace in any networks to which your VPC network is or will beconnected before you expand a subnet's primary IPv4 range.

To expand a subnet's primary IPv4 range, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
All networks and subnets in your project are presented in a hierarchicalview, where subnets are shown as entries within networks.
To focus on subnets for a particular network, click the name of anetwork. On itsVPC network details page, click the name of a subnetin theSubnets tab to view itsSubnet details page.
ClickEdit.
Enter a new, broader CIDR block in theIP address range field.
For valid ranges, seeIPv4 subnetranges.
ClickSave.

gcloud

Use thesubnets expand-ip-range command.

gcloud compute networks subnets expand-ip-rangeSUBNET \    --region=REGION \    --prefix-length=PREFIX_LENGTH

Replace the following:

SUBNET: the name of the subnet.
REGION: the region in which the subnet is located.
PREFIX_LENGTH: a subnet mask size in bits. If the primary IPv4range is10.1.2.0/24, you can supply20 to reduce the subnet mask to20 bits, which changes the primary IPv4 range to10.1.2.0/20. For validranges, seeIPv4 subnetranges.

API

Make aPOST request to thesubnetworks.expandIpCidrRange method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET/expandIpCidrRange{  "ipCidrRange": "IP_RANGE"}

Replace the following:

PROJECT_ID: the ID of the project that contains the subnet tomodify.
REGION: the name of the Google Cloud region that contains thesubnet to modify.
SUBNET: the name of the subnet to modify.
IP_RANGE: the expanded IPv4 address range for the subnet. Forvalid ranges, seeIPv4 subnetranges.

Edit secondary IPv4 ranges

You can add secondary IPv4 ranges to subnets, or you can remove anysecondary IPv4 range as long as no resources are using IP addresses in it.

gcloud

To add a new secondary IPv4 range to a subnet, use thesubnets update command.

gcloud compute networks subnets updateSUBNET \    --region=REGION \    --add-secondary-ranges=SECONDARY_RANGE_NAME=SECONDARY_RANGE

Replace the following:

SUBNET: the name of the subnet.
REGION: the region in which the subnet is located.
SECONDARY_RANGE_NAME: a name for the secondary range.
SECONDARY_RANGE: the secondary IPv4 range in CIDR notation. Forvalid ranges, seeIPv4 subnetranges.

To remove a secondary IPv4 range from a subnet, use thesubnets update command.

gcloud compute networks subnets updateSUBNET \    --region=REGION \    --remove-secondary-ranges=SECONDARY_RANGE_NAME

Replace the following:

SUBNET: the name of the subnet.
REGION: the region in which the subnet is located.
SECONDARY_RANGE_NAME: the name of the secondary range toremove.

API

To modify secondary IPv4 address ranges for an existing subnet, make aPATCH request to thesubnetworks.patch method.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET{  "secondaryIpRanges": [  {    "rangeName": "SECONDARY_RANGE_NAME",    "ipCidrRange": "IP_RANGE"  },  {    "rangeName": "SECONDARY_RANGE_NAME",    "ipCidrRange": "IP_RANGE"  }],  "fingerprint": "SUBNETWORK_FINGERPRINT"}

Replace the following:

PROJECT_ID: the ID of the project that contains the subnet tomodify.
REGION: the name of the Google Cloud region thatcontains the subnet to modify.
SUBNET: the name of the subnet to modify.
SECONDARY_RANGE_NAME: a name for the secondary IPv4 addressrange.
IP_RANGE: the expanded IPv4 address range for the subnet. Forvalid ranges, seeIPv4 subnetranges.
SUBNET_FINGERPRINT: the fingerprint ID for the existingsubnet, which is provided when youdescribe asubnet.

Modify networks

Convert an auto mode VPC network to custom mode

You can convert an auto mode VPC network to a custom modeVPC network using this procedure. Review theconsiderations forauto mode VPC networksfor background information about reasons why you might want to do this.

Converting an auto mode VPC network to a custom modeVPC networkpreserves all of its automatically createdsubnets and any subnets you have added. Subnet names and IP ranges are notchanged.

Important: You cannot convert a custom mode VPC network to anauto mode VPC network. Conversion from auto to custom mode is aone-way process. Auto mode VPC networks that have been convertedto custom mode operate as if they had been created in custom mode.

After you convert an auto mode VPC network to custom mode, youmust review all API calls and gcloud CLI commands that implicitlyreference any subnet that was automatically created while the network was inauto mode. API calls and commands will need to be modified so that theyreference the subnet explicitly. For gcloud CLI commands that have asubnet specification flag (--subnet), that flag is required to referencesubnets in a custom mode VPC network.

To convert an auto mode VPC network to a custom modeVPC network, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
Click the name of a VPC network to show itsVPC networkdetails page.
ClickEdit.
In theSubnet creation mode section, chooseCustom.
ClickSave.

gcloud

Use thenetworks update command.

gcloud compute networks updateNETWORK \    --switch-to-custom-subnet-mode

ReplaceNETWORK with the name of the network toupdate.

API

Make aPOST request to thenetworks.switchToCustomMode method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK/switchToCustomMode

Replace the following:

PROJECT_ID: the ID of the project that contains theVPC network to convert.
NETWORK: the name of the VPC network toconvert.

Assign an internal IPv6 range to a network

If you want to configure internal IPv6 addresses on a subnet, you must firstenable internal IPv6 addresses on the VPC network. When youenable internal IPv6, a/48 unique local address (ULA) range is assigned tothe network.

After you have enabled an internal IPv6 range for your VPC network,you can do the following:

To assign an internal IPv6 range to a network, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
Click the name of a VPC network to show itsVPC networkdetails page.
ClickEdit.
In thePrivate IPv6 address settings section, selectConfigure a ULA internal IPv6 range for this VPC Network.
Optional: You can provide the prefix to use for the internal IPv6 range.
1. ForAllocate ULA internal IPv6 range, clickManually.
2. Enter a/48 range from within thefd20::/20 range.
  If the range is in use, you are prompted to enter a different range.
ClickSave.

gcloud

Use thenetworks update command.

The--enable-ula-internal-ipv6 flag assigns a/48 prefix from within thefd20::/20 range used by Google for internal IPv6 subnet ranges. If youwant to select the/48 IPv6 range that is assigned, use the--internal-ipv6-range flag to specify a range.

gcloud compute networks updateNAME \    --enable-ula-internal-ipv6 \    [ --internal-ipv6-range=ULA_IPV6_RANGE ]

Replace the following:

NAME: the name of the VPC network.
ULA_IPV6_RANGE: the range of IPv6 addresses to which you needto allocate a ULA prefix.

API

Make aPATCH request to thenetworks.insert method.

SettingenableUlaInternalIpv6 to true assigns a/48 range from withinthefd20::/20 range used by Google for internal IPv6 subnet ranges. If youwant to select which/48 IPv6 range is assigned, also use theinternalIpv6Range field to specify a range.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networksa/NETWORK{  "enableUlaInternalIpv6": true,  "internalIpv6Range": "ULA_IPV6_RANGE",}

Replace the following:

PROJECT_ID: the ID of the project where the VPCnetwork is created.
NETWORK: a name for the VPC network.
ULA_IPV6_RANGE: a/48 prefix from within thefd20::/20 range used by Google for internal IPv6 subnet ranges. If youdon't provide a value forinternalIpv6Range, Google selects a/48 prefixfor the network.

Change the dynamic routing mode

Each VPC network has an associated dynamic routing mode thatcontrols the behavior of Cloud Routers in the network. Refer to thedynamic routing mode section inVPC networks to understand how each mode affectshow Cloud Routers share routes and apply learned routes.

Caution: Changing the dynamic routing mode has the potential to interrupttraffic within the network, or enable or disable routes in unexpected ways.Carefully review the role of each Cloud Router before changing thedynamic routing mode.

To change a VPC network's dynamic routing mode, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
Click the name of a VPC network to show itsVPC networkdetails page.
ClickEdit.
In theDynamic routing mode section, choose eitherGlobal orRegional.
ClickSave.

gcloud

Use thenetworks update command.

gcloud compute networks updateNETWORK \    --bgp-routing-mode=DYNAMIC_ROUTING_MODE

Replace the following:

NETWORK: the name of the VPC networkto update.
DYNAMIC_ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherglobal orregional. The default isregional. For more information, seedynamic routing mode.

API

Make aPATCH request to thesubnetworks.patch method.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK{  "routingConfig": {    "routingMode": "ROUTING_MODE"  }}

Replace the following:

PROJECT_ID: the ID of the project that contains theVPC network to modify.
NETWORK: the name of the VPC network tomodify.
ROUTING_MODE: controls the behavior ofCloud Routers in the network. Can be eitherGLOBAL orREGIONAL. The default isREGIONAL. For more information, seedynamic routing mode.

Change the MTU of a network

For information about changing the MTU of a VPC network, seeChange the MTU setting of a VPCnetwork.

Delete a network

If a network is not being used, you can delete it. Before you can deletea network, you must delete all resources in all of its subnets, and allresources that reference the network. Resources that reference the networkincludeVPC Network Peering connections,Cloud VPN gateways,Cloud Routers,Serverless VPC Access connectors and their connected services,firewall rules, andcustom static routes.

To delete a VPC network, do the following.

Console

In the Google Cloud console, go to theVPC networks page.
Go to VPC networks
Click the name of a VPC network to show itsVPC networkdetails page.
ClickDelete VPC network.
In the message that appears, clickDelete to confirm.

gcloud

Use thenetworks delete command.

gcloud compute networks deleteNETWORK

ReplaceNETWORK with the name of the network to delete.

API

Make aDELETE request to thenetworks.delete method.

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK

Replace the following:

PROJECT_ID: the ID of the project that contains theVPC network to delete.
NETWORK: the name of the VPC network todelete.

Monitor your VPC network

You can enable logging of network flows to and from VMs. SeeUsing VPC Flow Logs for instructions.

You can enable logging for firewall rules to see which rules allowed orblocked which traffic. SeeUsing Firewall Rules Logging for instructions.

Migrate VMs

You can migrate your virtual machine (VM) instances from one network toanother within a given project. For instructions, seeMigrating a VM betweennetworks.

Troubleshooting

Error:`Constraint constraints/compute.requireVpcFlowLogs violated`

This error occurs if both of these conditions apply:

An organization policy constraint has been set that requires thatVPC Flow Logs is configured.
You create a subnet, or update the VPC Flow Logs configuration of anexisting subnet, and the configuration does not meet the requirements of thepolicy.

For more information about this constraint and its effects on subnet creationand updates, seeOrganization policy constraints forVPC Flow Logs.

Resource not found error

When deleting a VPC network, you might see a message that issimilar to the following:The resource "aet-uscentral1-subnet--1-egrfw" was notfound.

For information about this error and its solution, seeResource not found error in theVPC firewall rules documentation.

Can't delete subnet due to existing`gk3-` resources

If you can't delete a subnet due to existing resources that are namedgk3-, even though you don't have any existing GKE clustersthat are associated with that subnet, contactGoogle Cloud Support. For moreinformation, seeRemaining resources from deleted GKE clusters withPrivate Service Connect.

Example error message:

The subnetwork resource 'projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME' is already being used by 'projects/PROJECT_ID/regions/REGION/addresses/gk3-ID'

What's next

For information about routes, seeRoutes.
For information about firewall rules, seeFirewall rules.
For more details about VPC networking, seeAdvanced VPC concepts.
Learn aboutusing a hybrid subnet to migrate workloads to a VPC network without changing IP addresses.

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how VPC performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Try VPC free

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.

Movatterモバイル変換

Create and manage VPC networks

Try it for yourself

Create networks

Create an auto mode VPC network

Console

gcloud

Terraform

API

Create a custom mode VPC network with IPv4-only subnets

Console

gcloud

Terraform

API

Create a custom mode VPC network with a dual-stack subnet

Console

gcloud

Terraform

API

Create a custom mode VPC network with IPv6-only subnets

Console

gcloud

Terraform

API

About firewall rules

View networks

Console

gcloud

API

Work with subnets

List subnets

Console

gcloud

API

Describe a subnet

Console

gcloud

API

Add an IPv4-only subnet

Console

gcloud

Terraform

API

Add a dual-stack subnet

Console

gcloud

Terraform

API

Add an IPv6-only subnet

Console

gcloud

Terraform

API

Change an IPv4-only subnet to dual-stack

Console

gcloud

API

Change a dual-stack subnet to IPv4 only

gcloud

API

Create subnets with IPv6 BYOIP address ranges

Delete a subnet

Console

gcloud

API

Expand a primary IPv4 range

Console

gcloud

API

Edit secondary IPv4 ranges

gcloud

API

Modify networks

Convert an auto mode VPC network to custom mode

Console

gcloud

API

Assign an internal IPv6 range to a network

Console

gcloud

Error:`Constraint constraints/compute.requireVpcFlowLogs violated`

Can't delete subnet due to existing`gk3-` resources