Legacy networks

Legacy networks are not recommended and can no longer be created. Many newer Google Cloud features are not supported in legacy networks. Instead, use Virtual Private Cloud (VPC) networks. For more information, see VPC networks. For more information about replacing legacy networks, see Replace legacy networks.

Note: The IPv4Range field for creating legacy networks is deprecated and is no longer available for any Google Cloud project. You cannot create new legacy networks. However, existing legacy networks are not affected and continue to operate normally.

About legacy networks

Legacy networks have a single RFC 1918 range, which you specify when you create the network. The network is global in scope and spans all cloud regions.

In a legacy network, instance IP addresses are not grouped by region or zone. One IP address can appear in one region, and the following IP address can be in a different region. Any given range of IPs can be spread across all regions, and the IP addresses of instances created within a region are not necessarily contiguous.

The following figure shows a legacy (non-VPC) network. Traffic from the internet passes through a global switching function in the network (shown in the diagram as a virtual switch), then down to individual instances.

Instances in a region can have IP addresses that are not grouped in any way. As shown in the example, instances from 10.240.0.0/16 are spread unpredictably across regions 1 and 2. For example, 10.240.1.4 is in region 2, 10.240.1.5 is in region 1, and 10.240.1.6 is in region 2.

A legacy network.

Differences between legacy and VPC networks

  • Legacy networks can no longer be created.

  • Legacy networks have a single global IP address range that cannot be divided into subnets. VPC networks are divided into subnets.

  • With VPC networks, each Google Cloud region can have zero or more subnets. It is not possible to create regional subnets with a legacy network.

  • Some Google Cloud networking features are not available in legacy networks.

Note: You can convert a legacy network to a VPC network. For more information, see Single-region conversion tool.

Routes

Legacy networks start with only two routes, the default route to outside the network and the route to the overall legacy network IP range. See Using Routes for instructions on creating routes.

Firewall rules

User-created networks have a default Allow-all firewall rule for outbound traffic and a default Deny-all firewall rule for inbound traffic. See Use VPC firewall rules for instructions on creating firewall rules.

Replace legacy networks

If you want to move individual VM instances out of your legacy network, see Migrating a VM between networks.

If you have an existing legacy network, you can replace it with a VPC network in one of two ways:

  • Single-region conversion tool: Use the gcloud or API single-region conversion tool. This tool converts a legacy network to a custom mode VPC network. Before starting the conversion, all Google Cloud resources in the legacy network must be in a single region. If the legacy network contains resources in multiple regions, including stopped VMs, the conversion fails. After the conversion, the subnet in the new network has the same internal IP address range as the entire legacy network. After the conversion is complete, you can use all features that VPC networks offer, such as creating regional subnets. For more information about the conversion, see Converting a single-region legacy network to a VPC network.

  • Manual migration: Recreate resources in your legacy network in a VPC network. For more information, see Manually migrating to a VPC network.

Single-region conversion tool

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

You can convert a legacy network to a custom mode VPC network by using the single-region conversion tool. During the conversion, the legacy network's IP address range is used to configure a subnet in the converted VPC network. Because a given subnet can be associated with only one region, the conversion tool works only if all resources in the legacy network are in a single region.

Using the tool to convert from a legacy network to a VPC network does not disrupt network traffic; your resources continue to operate normally. The conversion is one way, so you cannot revert to a legacy network after converting to a VPC network.

If your legacy network contains Google Kubernetes Engine clusters, your GKE clusters must be upgraded after the conversion to ensure that components operate correctly. For more information, see Converting a legacy network that contains GKE clusters.

After the conversion is complete, the new VPC network operates as any other VPC network. You can add new subnets and use other VPC-related features. However, the converted subnet has the same internal IP address range as the entire legacy network, so new subnets must be created from other valid ranges.

The following descriptions detail what happens to resources during the conversion. Most resources remain unchanged and refer to the VPC subnet instead of the legacy network.

Legacy network
The legacy network isn't deleted; it's converted to a VPC network. The legacy network's IPv4 range is converted to the primary range of a single subnet in a VPC network.
VPC network
Google Cloud converts the legacy network to a custom mode VPC network with a single subnet in the region where your VM instances are located. The VPC network and subnet both have the same name as the original legacy network.
Subnet
Google Cloud creates a subnet and its subnet route during the conversion. The subnet is created in the region where your VM instances are located. Google Cloud automatically converts resources such as VM instances, regional forwarding rules, and instance group managers to the subnet. The subnet has the same name as the original legacy network. If the legacy network didn't contain any resources, Google Cloud doesn't create a subnet.
VM instances
All instances with a network interface in the converted network will reference the newly created subnet.
Forwarding rules
All internal forwarding rules in the VPC network will reference the newly created subnet.
Routes
All custom static routes stay the same when the network is converted to a VPC network. If Google Cloud creates a new subnet, it does add one system-generated route called a subnet route. For more information, see Route types.
Firewall rules
All existing firewall rules stay the same when the network is converted to a VPC network. All VPC networks also have two implied firewall rules that cannot be removed. For more information, see Implied rules.
Instance group managers and instance templates
All instance templates that have a primary network interface (nic0) referencing the legacy network will reference the newly created subnet.
VPN tunnels and gateways
VPN tunnels and gateways stay the same and continue to function when the network is converted to a VPC network.
Cloud Router
Cloud Routers stay the same and continue to function when the network is converted to a VPC network.
Load balancers
Existing load balancers stay the same and continue to function when the network is converted to a VPC network.
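
The following pre-flight check is an added example, not part of the original page or Google's tooling: it models the single-region precondition (stopped VMs included), the subnet the conversion would produce, and which candidate ranges remain valid for new subnets afterwards. The inventory, the helper names, and the simplification to VM instances only are assumptions; other resource types in the network need the same region check.

```python
import ipaddress

# Constructed sample data. "IPv4Range" is the legacy network field named on this
# page; zones are short names here (the API returns URLs). TERMINATED = stopped.
LEGACY_NET = {"name": "legacy-net", "IPv4Range": "10.240.0.0/16"}
INVENTORY = [
    {"name": "web-1", "network": "legacy-net", "zone": "us-central1-a", "status": "RUNNING"},
    {"name": "web-2", "network": "legacy-net", "zone": "us-central1-b", "status": "RUNNING"},
    {"name": "old-batch", "network": "legacy-net", "zone": "europe-west1-b", "status": "TERMINATED"},
    {"name": "other", "network": "prod-vpc", "zone": "asia-east1-a", "status": "RUNNING"},
]

def region_of(zone):
    # A zone name is its region name plus a one-letter suffix ("us-central1-a").
    return zone.rsplit("-", 1)[0]

def plan_conversion(network, instances):
    """Return the subnet the conversion would create, None for an empty
    network, or raise ValueError when resources span several regions."""
    members = [vm for vm in instances if vm["network"] == network["name"]]
    # Status is deliberately not filtered: a stopped VM still blocks conversion.
    regions = sorted({region_of(vm["zone"]) for vm in members})
    if len(regions) > 1:
        raise ValueError(f"resources span multiple regions: {regions}")
    if not regions:
        return None  # no resources in the network, so no subnet is created
    # Subnet takes the legacy network's name and its whole IPv4 range.
    return {"name": network["name"], "region": regions[0],
            "range": network["IPv4Range"]}

def usable_new_ranges(converted_range, candidates):
    """Keep candidate ranges that do not overlap the converted subnet."""
    converted = ipaddress.ip_network(converted_range)
    return [c for c in candidates
            if not ipaddress.ip_network(c).overlaps(converted)]

if __name__ == "__main__":
    try:
        plan_conversion(LEGACY_NET, INVENTORY)
    except ValueError as err:
        print("blocked:", err)
    cleaned = [vm for vm in INVENTORY if vm["name"] != "old-batch"]
    subnet = plan_conversion(LEGACY_NET, cleaned)
    print("subnet after conversion:", subnet)
    print("ranges free for new subnets:", usable_new_ranges(
        subnet["range"], ["10.240.8.0/24", "10.128.0.0/20", "192.168.10.0/24"]))
```

Because the converted subnet keeps the entire legacy range, existing firewall rules written against that range still match every instance after conversion; segmentation by CIDR only becomes possible for workloads placed in subnets created from other ranges.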


Last updated 2026-02-05 UTC.