Peer two VPC networks

In this quickstart, learn how to peer two Virtual Private Cloud (VPC) networks by using the Google Cloud console.

Consider an organization organization-a that needs VPC Network Peering to be established between network-a in project-a and network-b in project-b. In order for VPC Network Peering to be established successfully, administrators of network-a and network-b must separately configure the peering association.

By completing the steps on this page, you create the following configuration:

Figure: Two networks with an active peering connection.

The peering connection is in independent mode (default).

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  3. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Compute Engine API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  6. Repeat these steps for a second project. This quickstart describes how to peer VPC networks that are in separate projects.

Required roles

To get the permissions that you need to peer two VPC networks, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create two VPC networks

In this section, you create two VPC networks, each in a different project.

Create network-a and subnet-a in your first project

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. In the Name field, enter network-a.

  4. In the New subnet section, specify the following:

    1. In the Name field, enter subnet-a.
    2. Select any Region.
    3. In the IPv4 range field, enter 10.0.1.0/24.
    4. Click Done.
  5. In the IPv4 firewall rules tab, on the right side of the row that contains the predefined ingress firewall rule named NETWORK-allow-custom, click Edit.

    1. Deselect Use subnets' IPv4 ranges.
    2. In Other IPv4 ranges, enter 10.0.0.0/20. Entering this range ensures that the resources in your peered networks can communicate with each other and lets you add more subnets in the future without having to update firewall rules.
    3. Click Confirm.
  6. Click Create.

Create network-b and subnet-b in your second project

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. In the Name field, enter network-b.

  4. In the New subnet section, specify the following:

    1. In the Name field, enter subnet-b.
    2. Select any Region.
    3. In the IPv4 range field, enter 10.0.8.0/24.
    4. Click Done.
  5. In the IPv4 firewall rules tab, on the right side of the row that contains the predefined ingress firewall rule named NETWORK-allow-custom, click Edit.

    1. Deselect Use subnets' IPv4 ranges.
    2. In Other IPv4 ranges, enter 10.0.0.0/20. Entering this range ensures that the resources in your peered networks can communicate with each other and lets you add more subnets in the future without having to update firewall rules.
    3. Click Confirm.
  6. Click Create.
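
The address plan used in the two procedures above can be checked before the networks are peered. The following is an added example, not part of the original quickstart; the function name `check_plan` is hypothetical. It confirms that the two subnets do not overlap (VPC Network Peering does not allow overlapping subnet ranges between peers), that the firewall source range covers both, and how many addresses the rule admits beyond the subnets that exist today.

```python
import ipaddress

# Values taken from the quickstart.
SUBNETS = {"subnet-a": "10.0.1.0/24", "subnet-b": "10.0.8.0/24"}
FIREWALL_SOURCE_RANGE = "10.0.0.0/20"


def check_plan(subnets, firewall_range):
    """Return (overlaps, uncovered, spare) for a peering address plan.

    overlaps  - pairs of subnet names whose ranges overlap
    uncovered - subnet names not fully inside the firewall source range
    spare     - addresses the firewall range admits beyond the subnets
    """
    fw = ipaddress.ip_network(firewall_range)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    names = sorted(nets)
    overlaps = [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]
    uncovered = [n for n in names if not nets[n].subnet_of(fw)]
    # Collapse first so overlapping subnets are not counted twice.
    covered = sum(
        n.num_addresses
        for n in ipaddress.collapse_addresses(
            x for x in nets.values() if x.subnet_of(fw)
        )
    )
    return overlaps, uncovered, fw.num_addresses - covered


if __name__ == "__main__":
    overlaps, uncovered, spare = check_plan(SUBNETS, FIREWALL_SOURCE_RANGE)
    print("overlapping subnets:", overlaps)
    print("subnets outside firewall range:", uncovered)
    print("addresses allowed but not yet allocated:", spare)
```

The spare count is the part of 10.0.0.0/20 that the ingress rule already trusts even though no subnet occupies it yet, which is the trade-off behind not having to update firewall rules later.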

Peer network-a with network-b

In this section, you configure network-a to peer with network-b.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

    Go to VPC Network Peering

  2. Click Create connection.

  3. Click Continue.

  4. Enter a Name of peer-ab for this side of the connection.

  5. Under Your VPC network, select network-a.

  6. Set the Peering VPC network radio buttons to In another project.

  7. Specify the Project ID of the other project.

  8. Specify the VPC network name of the other network, network-b.

  9. Select Import custom routes and Export custom routes.

  10. Click Create.

At this point, the peering state remains INACTIVE because of the absence of a matching configuration in network-b in project-b.

When the peering state becomes ACTIVE, VPC Network Peering automatically exchanges subnet routes. Google Cloud also exchanges custom routes (static routes and dynamic routes) by importing or exporting them over the peering connection. Both networks must be configured to exchange custom routes before they are shared. For more information, see Importing and exporting custom routes.

To see the current peering state, view the peering connection:

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

    Go to VPC Network Peering

  2. Select peer-ab. On the Peering connection details page, the status says Inactive. Waiting for the connection to be created by network-b.

Peer network-b with network-a

In this section, you create a matching peering configuration from network-b to network-a so that the peering becomes ACTIVE on both ends.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

    Go to VPC Network Peering

  2. Click Create connection.

  3. Click Continue.

  4. Enter a Name of peer-ba for this side of the connection.

  5. Under Your VPC network, select network-b.

  6. Set the Peering VPC network radio buttons to In another project.

  7. Specify the Project ID of the other project.

  8. Specify the VPC network name of the other network, network-b.

  9. Select Import custom routes and Export custom routes.

  10. Click Create.
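
The peering leaves INACTIVE only when each side's configuration names the other side, and custom routes are shared only when both networks are configured to exchange them. The following is an added example, not part of the original quickstart, that models those two rules for a pair of peering configurations so a mismatch can be spotted before it is entered in the console. The dictionary fields and function names are hypothetical and do not correspond to a Google Cloud API; the project IDs are the placeholder names used on this page.

```python
def peering_state(local, remote):
    """ACTIVE only when each side names the other's project and network."""
    if remote is None:  # the other side has not been configured yet
        return "INACTIVE"

    def points_at(src, dst):
        return (src["peer_project"], src["peer_network"]) == (
            dst["project"], dst["network"])

    if points_at(local, remote) and points_at(remote, local):
        return "ACTIVE"
    return "INACTIVE"


def custom_route_flow(a, b):
    """Directions (from, to) in which custom routes are shared.

    A direction needs the sender to export and the receiver to import.
    """
    if peering_state(a, b) != "ACTIVE":
        return []
    flows = []
    if a["export_custom_routes"] and b["import_custom_routes"]:
        flows.append((a["network"], b["network"]))
    if b["export_custom_routes"] and a["import_custom_routes"]:
        flows.append((b["network"], a["network"]))
    return flows


# Constructed configurations using the quickstart's names.
PEER_AB = {"name": "peer-ab", "project": "project-a", "network": "network-a",
           "peer_project": "project-b", "peer_network": "network-b",
           "import_custom_routes": True, "export_custom_routes": True}
PEER_BA = {"name": "peer-ba", "project": "project-b", "network": "network-b",
           "peer_project": "project-a", "peer_network": "network-a",
           "import_custom_routes": True, "export_custom_routes": True}

if __name__ == "__main__":
    print("only peer-ab configured:", peering_state(PEER_AB, None))
    print("both sides configured:", peering_state(PEER_AB, PEER_BA))
    print("custom route flow:", custom_route_flow(PEER_AB, PEER_BA))
```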

VPC Network Peering becomes ACTIVE

As soon as the peering moves to an ACTIVE state, subnet routes and custom routes are exchanged, which allows traffic to flow between resources in the networks.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

    Go to VPC Network Peering

  2. On the VPC Network Peering page, the status for the connection that you created says ACTIVE.

  3. Go to the VPC Network Peering page in the other project to see that it also says ACTIVE.

The routes to peered network CIDR prefixes are now visible across the VPC network peers. These routes are implicit routes that are generated for active peering connections. They don't have corresponding route resources. The following procedure shows routes for all VPC networks for project-a.

Console

  1. In the Google Cloud console, go to the Routes page.

    Go to Routes

  2. For Network and Region, select network-a and the region in which you created subnet-a, then click View.

  3. In the list of routes, there is a Peering subnet route for subnet-b.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

Delete the projects

To delete the projects that you created:

    Caution: Deleting a project has the following effects:
    • Everything in the project is deleted. If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
    • Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as an appspot.com URL, delete selected resources inside the project instead of deleting the whole project.

    If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete individual resources

If you don't want to delete the entire project, delete the VPC Network Peering connections and the VPC networks that you created.

Before you can delete a network, you must delete its VPC Network Peering connection.

Delete VPC Network Peering connections

To delete a VPC Network Peering connection:

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

    Go to VPC Network Peering

  2. Select the checkbox next to the peering you want to remove.

  3. Click Delete.

Delete VPC networks

To delete a VPC network:

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Delete VPC network.

  4. In the message that appears, click Delete to confirm.


Last updated 2025-12-15 UTC.