Set up and manage VPC Network Peering

Google Cloud VPC Network Peering enables internal IP address connectivity across two Virtual Private Cloud (VPC) networks, regardless of whether they belong to the same Google Cloud project or organization. Peering supports connectivity between networks having any combination of IPv4-only, dual-stack, and IPv6-only subnets.

Before you begin

IAM permissions

Make sure that you have one of the following roles on the project:

  • Compute Network Admin role (roles/compute.networkAdmin)
  • A custom role that includes the following permissions:
    • compute.networks.addPeering
    • compute.networks.updatePeering
    • compute.networks.removePeering
    • compute.networks.listPeeringRoutes

Create a peering configuration

Before you begin, you must have the name of the VPC network that you intend to peer with. If that network is located in another project, you must also have its project ID. You can't list peering requests for your VPC network. If necessary, ask the administrator of the network that you intend to peer with for the network name and project ID.

Your network and the other network are connected after each network has a peering configuration that references the other network. For more information, see About peering connections.

Google Cloud allows only one peering operation at a time across peered networks. For example, if you set up peering with one network and immediately try to set up another, the operation fails with the following: Error: There is a peering operation in progress on the local or peer network. Try again later.

Console

Perform the following steps for each side of the peering connection.

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Click Create connection.

  3. Click Continue.

  4. In the Peering connection name field, enter a name for your peering configuration.

  5. In the Your VPC network field, select a network you want to peer.

  6. In the Peered VPC network section, select the network to peer with:

    • If the network that you want to peer with is in the same project, select In project [name-of-your-project] and then the network to peer with.
    • If the network that you want to peer with is in a different project, select In another project. Specify the project ID that includes the network you want to peer with and the name of the VPC network.
  7. Select the IP version of routes that you want to exchange between the peered networks:

    • IPv4 (single-stack): exchange IPv4 routes only.
    • IPv4 and IPv6 (dual-stack): exchange both IPv4 and IPv6 routes.
  8. To exchange IPv4 custom routes, in the Exchange IPv4 custom routes section, choose one or both of the following options:

    • Import custom routes: import custom routes from the peer network. The peer network must enable custom route export for routes to be imported.
    • Export custom routes: export custom routes to the peer network. The peer network must enable custom route import for routes to be exported.
  9. If your network or the peer network has privately used public IPv4 ranges in their subnets, these routes are exported by default, but not imported by default.

    To import privately used public IPv4 subnet routes, in the Exchange subnet routes with privately used public IPv4 addresses section, select Import subnet routes with public IP.

  10. In the Advanced options section, choose the update strategy for the peering connection:

    • Independent (default): when this option is selected, either side of the peering connection can update or delete the connection at any time. For more information, see Connection mode.
    • Consensus: when this option is selected, both sides of the peering connection must submit a deletion request before the connection can be deleted. For more information, see Connection mode.
  11. Click Create.

gcloud

Use the gcloud compute networks peerings create command.

You can create a peering configuration using the default configuration, or you can customize your configuration.

Create a default peering configuration

To create a default peering configuration, run the following command:

    gcloud compute networks peerings create PEERING_NAME \
        --network=NETWORK \
        --peer-project=PEER_PROJECT_ID \
        --peer-network=PEER_NETWORK_NAME

Replace the following:

  • PEERING_NAME: the name of the peering configuration.
  • NETWORK: the name of the network in your project that you want to peer.
  • PEER_PROJECT_ID: the ID of the project that contains the network that you want to peer with. If the peer network is in the same project as your network, this flag is optional.
  • PEER_NETWORK_NAME: the name of the network that you want to peer with.

For example, to peer network-a in project-a with network-b in project-b, do the following:

  1. Create a peering configuration for network-a. This step is usually performed by a network administrator of network-a.

    gcloud compute networks peerings create peering-a \
        --network=network-a \
        --peer-project=project-b \
        --peer-network=network-b

  2. Create a peering configuration for network-b. This step is usually performed by a network administrator of network-b.

    gcloud compute networks peerings create peering-b \
        --network=network-b \
        --peer-project=project-a \
        --peer-network=network-a

The peering state changes to ACTIVE in both networks.

Customize a peering configuration

To customize a peering configuration, you can use the following optional parameters:

  • --stack-type sets the stack type for the peering connection. By default, only IPv4 routes are exchanged, and the stack type is set to IPV4_ONLY. To exchange both IPv4 and IPv6 routes, specify IPV4_IPV6.
  • --import-custom-routes tells the network to accept custom routes from the peered network. The peered network must export the routes first.
  • --export-custom-routes tells the network to export custom routes to the peered network. The peered network must be set to import the routes.
  • --import-subnet-routes-with-public-ip tells the network to accept subnet routes from the peered network if that network has privately used public IPv4 addresses in its subnets. The peered network must export the routes first.
  • --export-subnet-routes-with-public-ip tells the network to export subnet routes that contain privately used public IPv4 addresses. The peered network must be set to import the routes.
  • --update-strategy sets the update strategy for the peering connection. By default, the update strategy is set to INDEPENDENT. To configure the connection to use consensus mode, specify CONSENSUS. The update strategy must be the same for both sides of the connection. For more information, see Connection mode.

Example: Exchange custom routes in a peering connection

To enable network-a in project-a and network-b in project-b to exchange custom routes, do the following when creating the peering connection:

  1. Create a peering configuration for network-a. This step is usually performed by a network administrator of network-a.

    gcloud compute networks peerings create peering-a \
        --network=network-a \
        --peer-project=project-b \
        --peer-network=network-b \
        --import-custom-routes \
        --export-custom-routes

  2. Create a peering configuration for network-b. This step is usually performed by a network administrator of network-b.

    gcloud compute networks peerings create peering-b \
        --network=network-b \
        --peer-project=project-a \
        --peer-network=network-a \
        --import-custom-routes \
        --export-custom-routes

The peering state changes to ACTIVE in both networks. For more information about this example, see the Peer two VPC networks quickstart.

Example: Create a peering connection in consensus mode

To create a peering connection in consensus mode, set the update strategy to CONSENSUS. In this example, you configure network-a in project-a to peer with network-b in project-b.

  1. Create a peering configuration for network-a. This step is usually performed by a network administrator of network-a.

    gcloud compute networks peerings create peering-a \
        --network=network-a \
        --peer-project=project-b \
        --peer-network=network-b \
        --update-strategy=CONSENSUS

  2. Create a peering configuration for network-b. This step is usually performed by a network administrator of network-b.

    gcloud compute networks peerings create peering-b \
        --network=network-b \
        --peer-project=project-a \
        --peer-network=network-a \
        --update-strategy=CONSENSUS

The peering state changes to ACTIVE in both networks.

Terraform

You can use a Terraform module to create a peering configuration.

    module "peering1" {
      source        = "terraform-google-modules/network/google//modules/network-peering"
      version       = "~> 13.0"
      local_network = var.local_network # Replace with self link to VPC network "foobar" in quotes
      peer_network  = var.peer_network  # Replace with self link to VPC network "other" in quotes
    }

For the two peered VPC networks, each self link includes a project ID and the name of the VPC network. To get the self link for a VPC network, you can use the gcloud compute networks describe command or the networks.get method in each VPC network's project.

When you create a peering from the local_network to the peer_network, the peering relationship is bidirectional. The peering from the peer_network to the local_network gets created automatically.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Verify that traffic is passing between peered VPC networks

You can use VPC Flow Logs to view network flows sent from and received by VM instances. You can also use Firewall Rules Logging to verify that traffic is passing between the networks. Create VPC firewall rules that allow (or deny) traffic between the peered networks, and turn on Firewall Rules Logging for those rules. You can then view which firewall rules were hit using Cloud Logging.

Update a peering connection

When you update an existing peering connection, you can do the following:

  • Change whether your VPC network exports or imports custom routes or privately used public IPv4 subnet routes to or from the peer VPC network.
  • Update the peering connection to enable or disable the exchange of IPv6 routes between the peered networks.
  • Update the peering connection mode from independent (default) to consensus, by changing the update strategy for the connection.

Your network imports routes only if the peer network is also exporting the routes, and the peer network receives routes only if it imports them.

Important: Even if the dynamic routing mode of the VPC network is set to global, IPv6 routes learned from the Cloud Router are regional. For more information, see Limitations.

Update a connection (independent mode)

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Select the peering connection to update.

  3. Click Edit.

  4. To update the IP version of routes that you want to exchange between the peered networks, select one of the following:

    • IPv4 (single-stack): stop the existing exchange of IPv6 routes and continue exchanging only IPv4 routes.
    • IPv4 and IPv6 (dual-stack): start exchanging both IPv4 and IPv6 routes, provided the matching peering configuration also has this option enabled.
  5. To exchange IPv4 custom routes, in the Exchange IPv4 custom routes section, choose one or both of the following options:

    • Import custom routes: import custom routes from the peer network. The peer network must enable custom route export for routes to be imported.
    • Export custom routes: export custom routes to the peer network. The peer network must enable custom route import for routes to be exported.
  6. If your network or the peer network has privately used public IPv4 ranges in their subnets, these routes are exported by default, but not imported by default.

    To import privately used public IPv4 subnet routes, in the Exchange subnet routes with privately used public IPv4 addresses section, select Import subnet routes with public IP.

  7. Click Save.

gcloud

Use the gcloud compute networks peerings update command. The square brackets [] in the following command indicate optional flags:

  • --stack-type sets the stack type for the peering connection. By default, only IPv4 routes are exchanged, and the stack type is set to IPV4_ONLY. To exchange both IPv4 and IPv6 routes, specify IPV4_IPV6.
  • --import-custom-routes tells the network to accept custom routes from the peered network. The peered network must export the routes first.
  • --export-custom-routes tells the network to export custom routes to the peered network. The peered network must be set to import the routes.
  • --import-subnet-routes-with-public-ip tells the network to accept subnet routes from the peered network if that network is using privately used public IPv4 addresses in its subnets. The peered network must export the routes first.
  • --export-subnet-routes-with-public-ip tells the network to export subnet routes that contain privately used public IPv4 addresses. The peered network must be set to import the routes.
  • --update-strategy sets the update strategy for the peering connection. By default, the update strategy is set to INDEPENDENT. To configure the connection to use consensus mode, specify CONSENSUS. The update strategy must be the same for both sides of the connection. For more information, see Connection mode.

    gcloud compute networks peerings update PEERING_NAME \
        --network=NETWORK \
        [--stack-type=STACK_TYPE] \
        [--import-custom-routes] \
        [--export-custom-routes] \
        [--export-subnet-routes-with-public-ip] \
        [--import-subnet-routes-with-public-ip] \
        [--update-strategy=UPDATE_STRATEGY]

Replace the following:

  • PEERING_NAME: the name of the existing peering configuration.
  • NETWORK: the name of the network in your project that is peered.
  • STACK_TYPE: the stack type for the peering connection.
    • Specify IPV4_ONLY to stop the existing exchange of IPv6 routes and continue exchanging only IPv4 routes.
    • Specify IPV4_IPV6 to start exchanging both IPv4 and IPv6 routes, provided the matching peering connection also has stack_type set to IPV4_IPV6.
  • UPDATE_STRATEGY: the update strategy for the peering connection, either INDEPENDENT (default) or CONSENSUS. To use this option, see Update a connection to consensus mode.

Update a connection to consensus mode

You update a peering connection from independent (default) to consensus mode by changing the update strategy for the connection. Before changing the update strategy, review the requirements for consensus mode.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Click the peering connection to update.

  3. Click Edit.

  4. In the Advanced options section, select Consensus.

  5. Click Save.

    The update strategy changes to Consensus for the local configuration. To complete the update request, a network administrator for the peer network must accept the request by performing steps 1-4 for the peer configuration.

    After both configurations are updated, the effective update strategy of the peering connection changes to Consensus.

gcloud

Use the gcloud compute networks peerings update command.

  1. Update the local peering configuration:

    gcloud compute networks peerings update PEERING_NAME \
        --network=NETWORK \
        --update-strategy=CONSENSUS

    Replace the following:

    • PEERING_NAME: the name of the existing peering configuration.
    • NETWORK: the name of the network in your project that is peered.
  2. View the status of the update request:

    gcloud compute networks describe NETWORK

    Replace NETWORK with the name of the network in your project that is peered.

    In the output, the consensusState field must display the following status:

    • In the configuration for the local network, PENDING_PEER_ACKNOWLEDGMENT
    • In the matching configuration for the peer network, PENDING_LOCAL_ACKNOWLEDGMENT
  3. Accept the update request by running the command in step 1 for the peer side of the connection.

    This step is usually performed by a network administrator for the peer network. After the request is complete, the consensusState field changes to IN_SYNC for both configurations.

To revert an update request that is waiting for approval by the peer network, reset the update strategy to independent.

List peering connections

List existing peering connections to view their status and whether they're importing or exporting custom routes.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Select the peering connection to view its details.

gcloud

gcloud compute networks peerings list

View a peering connection

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. In the Status column, view the status of your connection.

gcloud

Use the gcloud compute networks describe command.

    gcloud compute networks describe NETWORK

Replace NETWORK with the name of the network in your project that is peered.

In the output, the peerings.connectionStatus field describes the effective status of the peering connection. For more information, see Connection status.

List peering routes

Console

Use the Effective routes tab to view all applicable route types in a VPC network, including imported peering subnet, peering static, and peering dynamic routes.

  1. In the Google Cloud console, go to the Routes page.

  2. On the Effective routes tab, do the following:

    • Select a VPC network.
    • Select a Region.
  3. Click View.

  4. Click the Filter text field, and do the following:

    • Choose Type from the Properties menu.
    • Choose one of the following from the Values menu.
      • Peering subnet: to see subnet routes from peer VPC networks.
      • Peering static: to see imported static routes from peer VPC networks.
      • Peering dynamic: to see imported dynamic routes from peer VPC networks.
  5. Optionally, click Show suppressed routes to view routes that are suppressed. Place your pointer over the icon in the Status column to view the reason why a route has been suppressed. The reason includes a link to the routing order documentation with an explanation.

gcloud

Use the following Google Cloud CLI command to:

  • List route exports sent from your VPC network to peer VPC networks.
  • List route import candidates for your VPC network.

Important: Route exports from your VPC network always become route import candidates in each peer VPC network, but neither list takes into consideration conflict resolution in the importing VPC network. To see which routes are actually imported and which routes are omitted, use the Effective routes tab in the Google Cloud console.

    gcloud compute networks peerings list-routes PEERING_NAME \
        --network=NETWORK \
        --region=REGION \
        --direction=DIRECTION

Replace the following:

  • PEERING_NAME: the name of an existing peering connection.
  • NETWORK: the name of the network in your project that is peered.
  • REGION: the region where you want to list all dynamic routes. Subnet and static routes are global and are shown for all regions.
  • DIRECTION: specifies whether to list imported (incoming) or exported (outgoing) routes.

Delete a peering connection

When a peering configuration is deleted in your network, the peering connection becomes inactive in the other network, and all routes shared among the networks are removed.

The procedure for deleting a peering connection depends on the update strategy configured for the connection:

Warning: Don't delete a VPC Network Peering connection that is already in use by Google Cloud resources. Deleting an in-use peering connection can cause problems, including the following:

Delete a connection (independent mode)

To delete a peering connection in independent mode (default), do the following.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Select the checkbox next to the peering connection that you want to remove.

  3. Click Delete.

    The status of the connection changes to Inactive for the peer network. To remove the inactive configuration, a network administrator for the peer network performs these steps for the peer side of the connection.

gcloud

Use the gcloud compute networks peerings delete command.

    gcloud compute networks peerings delete PEERING_NAME \
        --network=NETWORK

Replace the following:

  • PEERING_NAME: the name of the peering configuration to delete.
  • NETWORK: the name of the network in your project that is peered.

The status of the connection changes to INACTIVE for the peer network. To remove the inactive configuration, a network administrator for the peer network performs this step for the peer side of the connection.

Delete a connection (consensus mode)

To delete a peering connection in consensus mode, do the following.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Click the peering connection that you want to remove.

  3. On the Peering connection details page, click Request delete and then Confirm.

  4. Accept the deletion request by performing steps 1-3 for the peer side of the connection.

    These steps are usually performed by a network administrator for the peer network. After both sides of the peering connection submit the deletion request, the status of the connection changes to Active, delete acknowledged for both configurations.

  5. Select the peering connection that you want to remove and then click Delete.

    The status of the connection changes to Inactive for the peer network. To remove the inactive configuration, the network administrator for the peer network performs this step for the peer side of the connection.

gcloud

Use the gcloud compute networks peerings request-delete and gcloud compute networks peerings delete commands.

  1. Initiate a deletion request:

    gcloud compute networks peerings request-delete PEERING_NAME \
        --network=NETWORK

    Replace the following:

    • PEERING_NAME: the name of the peering connection to delete.
    • NETWORK: the name of the network in your project that is peered.
  2. View the status of the deletion request:

    gcloud compute networks describe NETWORK

    Replace NETWORK with the name of the network in your project that is peered.

    In the output, the deleteStatus field must display the following status:

    • In the configuration for the local network, LOCAL_DELETE_REQUESTED
    • In the matching configuration for the peer network, PEER_DELETE_REQUESTED
  3. Accept the deletion request by running the command in step 1 for the peer side of the connection.

    This step is usually performed by a network administrator for the peer network. After both sides of the connection submit the deletion request, the status of the deleteStatus field changes to DELETE_ACKNOWLEDGED for both configurations.

  4. Delete the peering connection:

    gcloud compute networks peerings delete PEERING_NAME \
        --network=NETWORK

    Replace the following:

    • PEERING_NAME: the name of the peering configuration to delete.
    • NETWORK: the name of the network in your project that is peered.

    The status of the connection changes to INACTIVE for the peer network. To remove the inactive configuration, the network administrator for the peer network performs this step for the peer side of the connection.
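
The two consensus-mode handshakes described on this page (changing the update strategy and deleting a connection), written out as a small model so the status seen from each side can be followed step by step. This is an added example, not Google Cloud code; the class and method names are hypothetical, and returning None when no request is outstanding is a modelling assumption.

```python
# Added example: a model of the consensus-mode statuses described on this page.
# It does not call any Google Cloud API; names below are hypothetical.

class ConsensusPeering:
    """One peering connection seen from its two sides, 'local' and 'peer'."""

    def __init__(self):
        self.strategy = {"local": "INDEPENDENT", "peer": "INDEPENDENT"}
        self.delete_requested = {"local": False, "peer": False}
        self.configured = {"local": True, "peer": True}

    @staticmethod
    def _other(side):
        return "peer" if side == "local" else "local"

    def set_update_strategy(self, side, strategy):
        # Models: gcloud compute networks peerings update ... --update-strategy=...
        self.strategy[side] = strategy

    def effective_strategy(self):
        # Consensus takes effect only after both configurations are updated.
        both = set(self.strategy.values()) == {"CONSENSUS"}
        return "CONSENSUS" if both else "INDEPENDENT"

    def update_status(self, side):
        mine, theirs = self.strategy[side], self.strategy[self._other(side)]
        if mine == theirs:
            # Assumption: no status is modelled while neither side asked for consensus.
            return "IN_SYNC" if mine == "CONSENSUS" else None
        if mine == "CONSENSUS":
            return "PENDING_PEER_ACKNOWLEDGMENT"
        return "PENDING_LOCAL_ACKNOWLEDGMENT"

    def request_delete(self, side):
        # Models: gcloud compute networks peerings request-delete ...
        self.delete_requested[side] = True

    def delete_status(self, side):
        mine = self.delete_requested[side]
        theirs = self.delete_requested[self._other(side)]
        if mine and theirs:
            return "DELETE_ACKNOWLEDGED"
        if mine:
            return "LOCAL_DELETE_REQUESTED"
        return "PEER_DELETE_REQUESTED" if theirs else None

    def delete(self, side):
        # Models: gcloud compute networks peerings delete ...
        if (self.effective_strategy() == "CONSENSUS"
                and self.delete_status(side) != "DELETE_ACKNOWLEDGED"):
            raise PermissionError("both sides must submit a deletion request first")
        self.configured[side] = False

    def state(self, side):
        if not self.configured[side]:
            return None  # this side's configuration has been removed
        return "ACTIVE" if self.configured[self._other(side)] else "INACTIVE"


def walkthrough():
    """Run both handshakes; return (step, local status, peer status) tuples."""
    p, log = ConsensusPeering(), []
    p.set_update_strategy("local", "CONSENSUS")
    log.append(("local update", p.update_status("local"), p.update_status("peer")))
    p.set_update_strategy("peer", "CONSENSUS")
    log.append(("peer update", p.update_status("local"), p.update_status("peer")))
    p.request_delete("local")
    log.append(("local request-delete", p.delete_status("local"), p.delete_status("peer")))
    p.request_delete("peer")
    log.append(("peer request-delete", p.delete_status("local"), p.delete_status("peer")))
    p.delete("local")
    log.append(("local delete", p.state("local"), p.state("peer")))
    return log


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```
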

Troubleshooting

The following sections describe how to troubleshoot issues with VPC Network Peering.

Peer VMs are unreachable

After the peering connection is ACTIVE, it may take up to a minute for all the traffic flows to be set up between the peered networks. This time depends on the size of the networks that are peering. If you have recently set up the peering connection, wait up to a minute and try again. Also, ensure that there are no firewall rules blocking access to or from peer VPC network subnet CIDRs.

Custom routes are missing

This section describes how to troubleshoot missing custom routes.

Check the peering connection state

To check the state of your peering connection, do the following:

  1. List peering connections.
  2. Identify the peering connection to troubleshoot, and review its peering state.
    1. If the state is ACTIVE, follow the steps in the next section.
    2. If the peering state is INACTIVE, a network administrator for the other network needs to create a peering configuration to your VPC network.

Troubleshoot an ACTIVE connection

To troubleshoot missing custom routes in an ACTIVE peering connection:

  1. List peering routes in your VPC network. In the Effective routes tab, do the following:

    1. Consider that the regions in which dynamic routes are programmed depend on the dynamic routing mode of the VPC network that exports custom routes. For more details, see Effects of the dynamic routing mode. In global dynamic routing mode, only the highest ranked dynamic route is programmed in regions that don't match the region of the next hop.

    2. Click the Show suppressed routes toggle to the on position, then check for your route. To view the reason why a route has been suppressed, point to the icon in the Status column. Google Cloud provides route conflict resolution on a region-by-region basis in the VPC network that imports routes using VPC Network Peering.

    3. Look for a warning indicating that your VPC network has reached the limit for the dynamic routes per region per peering group quota. If your VPC network has reached the limit for this quota, one or more peering dynamic routes aren't programmed. Because it's not possible to show exactly which peering dynamic routes aren't programmed, request a quota limit increase for the dynamic routes per region per peering group quota.

  2. If you still don't see the route you expect, do the following:

    1. Review your peering configuration, and update your peering configuration if necessary so that it imports custom routes.

    2. Ensure that the route is not one of the following route types that can't be exchanged using VPC Network Peering:

      • Peering subnet, peering static, and peering dynamic routes in a peered VPC network that are received from its other peer networks cannot be exchanged to your VPC network using VPC Network Peering.

      • Static routes that use the default internet gateway next hop and static routes with network tags cannot be exchanged using VPC Network Peering.

      For more information, see Route exchange options.

    3. Ask a network administrator of the peered VPC network to:

      1. List routes in their VPC network, looking for the route you expect.

      2. Review their peering configuration, and update the peering configuration if necessary so that it exports custom routes.

Traffic destined for a peer network is being dropped

You can use Connectivity Tests to help determine why traffic destined for a peer network is being dropped. If traffic should be sent using custom routes, see Custom routes are missing.

Traffic is being sent to an unexpected next hop

You can use Connectivity Tests to help determine why traffic is being sent to an unexpected next hop. If traffic should be sent using custom routes, see Custom routes are missing.

Unable to peer with a particular VPC network

If you cannot create a peering configuration with certain VPC networks, an organization policy might be constraining the VPC networks that your network can peer with. In the organization policy, add the network to the list of allowed peers or contact your organization administrator. For more information, refer to the constraints/compute.restrictVpcPeering constraint.

IPv6 routes are not exchanged

First, verify that both your peering connection and the peering connection of the peered VPC network have their stack types set to IPV4_IPV6. If necessary:

  • Update your peering connection to set its stack type to IPV4_IPV6.
  • Ask a network administrator of the peered VPC network to update their peering connection, setting its stack type to IPV4_IPV6.

After both peering connections have their stack types set to IPV4_IPV6, IPv6 subnet routes (both internal and external) are exchanged. IPv6 subnet routes are unique among all Google Cloud VPC networks.

To exchange IPv6 custom routes:

  • Update your peering connection to import and export custom routes.
  • Ask a network administrator of the peered VPC network to update their peering connection to import and export custom routes.
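
The troubleshooting steps above, and the earlier rule that a network imports routes only if the peer exports them, both come down to comparing the two peering configurations side by side. The following added example (not part of the original page or any Google tool) does that comparison over constructed data shaped like the JSON output of gcloud compute networks describe; the field names are assumed to match the peerings[] entries in that output, and the helper names are hypothetical.

```python
# Added example; sample data is constructed. Field names are assumed to match the
# peerings[] entries printed by `gcloud compute networks describe --format=json`.
PREFIX = "https://www.googleapis.com/compute/v1/projects/"

# (label, import field, export field, import default, export default)
ROUTE_CLASSES = [
    ("custom routes", "importCustomRoutes", "exportCustomRoutes", False, False),
    # Per the page, these are exported by default but not imported by default.
    ("privately used public IPv4 subnet routes",
     "importSubnetRoutesWithPublicIp", "exportSubnetRoutesWithPublicIp", False, True),
]


def net_id(self_link):
    """Reduce a network self link to 'PROJECT_ID/NETWORK'."""
    parts = self_link.split("/")
    return f"{parts[parts.index('projects') + 1]}/{parts[-1]}"


def peering_to(network, other):
    """Return the peering configuration in `network` that references `other`."""
    target = net_id(other["selfLink"])
    for cfg in network.get("peerings", []):
        if net_id(cfg["network"]) == target:
            return cfg
    return None


def audit(a, b):
    """Compare both sides of one peering connection; return a list of findings."""
    cfg_a, cfg_b = peering_to(a, b), peering_to(b, a)
    findings = []
    for net, cfg in ((a, cfg_a), (b, cfg_b)):
        if cfg is None:
            findings.append(f"{net['name']}: no peering configuration for the other network")
        elif cfg.get("state") != "ACTIVE":
            findings.append(f"{net['name']}: {cfg.get('name')} is {cfg.get('state')}")
    if cfg_a is None or cfg_b is None:
        return findings

    stacks = {cfg.get("stackType", "IPV4_ONLY") for cfg in (cfg_a, cfg_b)}
    if stacks == {"IPV4_ONLY", "IPV4_IPV6"}:
        findings.append("IPv6 routes not exchanged: only one side has stack type IPV4_IPV6")

    strategies = {cfg.get("updateStrategy", "INDEPENDENT") for cfg in (cfg_a, cfg_b)}
    if len(strategies) > 1:
        findings.append("update strategy differs between the two sides")

    # Check each direction: the importer's import flag against the exporter's export flag.
    for imp_net, imp, exp_net, exp in ((a, cfg_a, b, cfg_b), (b, cfg_b, a, cfg_a)):
        for label, imp_key, exp_key, imp_def, exp_def in ROUTE_CLASSES:
            importing = imp.get(imp_key, imp_def)
            exporting = exp.get(exp_key, exp_def)
            if importing and not exporting:
                findings.append(
                    f"{imp_net['name']} imports {label} but {exp_net['name']} does not export them")
            elif exporting and not importing and not exp_def:
                # Skipped for classes exported by default, where this is the normal state.
                findings.append(
                    f"{exp_net['name']} exports {label} but {imp_net['name']} does not import them")
    return findings


def sample_network(project, name, peer_project, peer_name, peering):
    """Build a constructed stand-in for one network's describe output."""
    peer_link = f"{PREFIX}{peer_project}/global/networks/{peer_name}"
    return {"name": name,
            "selfLink": f"{PREFIX}{project}/global/networks/{name}",
            "peerings": [{"network": peer_link, "state": "ACTIVE", **peering}]}


NETWORK_A = sample_network("project-a", "network-a", "project-b", "network-b", {
    "name": "peering-a", "stackType": "IPV4_IPV6",
    "importCustomRoutes": True, "exportCustomRoutes": True})
NETWORK_B = sample_network("project-b", "network-b", "project-a", "network-a", {
    "name": "peering-b", "importCustomRoutes": True, "exportCustomRoutes": False})

if __name__ == "__main__":
    for finding in audit(NETWORK_A, NETWORK_B):
        print(finding)
```

Against real networks, load each side's JSON output with json.load and pass the two dictionaries to audit(); the result reflects configuration only and does not account for route conflict resolution in the importing network.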

Last updated 2026-02-19 UTC.