Cloud Interconnect overview
Cloud Interconnect provides low-latency, high-availability connections thatenable you to reliably transfer data between your networks.
Cloud Interconnect offers the following options for extending yournetwork:
| Cloud Interconnect type | Description |
|---|---|
| Dedicated Interconnect | Provides connectivity between your on-premises and VPC networks through a direct physical connection between your on-premises network and the Google network. For more information, see theDedicated Interconnect overview. |
| Partner Interconnect | Provides connectivity between your on-premises and VPC networks through a supported service provider. For more information, see thePartner Interconnect overview. |
| Cross-Cloud Interconnect | Provides connectivity between your network in another cloud and VPC networks through a direct physical connection between the Google network and that of another cloud service provider. For more information, see theCross-Cloud Interconnect overview. |
| Cross-Site Interconnect | Provides connectivity between your on-premises network sites through direct physical connections between your on-premises networks and the Google network. For more information, see theCross-Site Interconnect overview. |
For a comparison to help you choose betweenDedicated Interconnect and Partner Interconnect,see the Cloud Interconnect section inChoosing a Network Connectivity product.
In addition, you can mix and match Cloud Interconnect connectionoptions to fit your use case. For example, if you primarily use Google Cloudbut host some services on another cloud service provider, you might create bothDedicated Interconnect connections andCross-Cloud Interconnect connections.
For definitions of terms used on this page, seeCloud Interconnect key terms.
Benefits
Using Cloud Interconnect provides the following benefits:
Traffic between your networksdoesn't traverse the public internet. Traffic traverses a dedicated connectionor goes through a service provider with a dedicated connection. By bypassingthe public internet, your traffic takes fewer hops, so there are fewer pointsof failure where your traffic might get dropped or disrupted.
You can scale your connection capacity to meet your particular requirements.
For Dedicated Interconnect, connection capacity is deliveredover one or more 10-Gbps or 100-Gbps Ethernet connections, with the followingmaximum capacities supported per Cloud Interconnect connection:
- 8 x 10-Gbps connections (80 Gbps total)
- 2 x 100-Gbps connections (200 Gbps total)
For Partner Interconnect, the following connection capacitiesfor each VLAN attachment are supported:
- 50-Mbps to 50-Gbps VLAN attachments. The maximum supportedattachment size is 50 Gbps, but not all sizes might be available, dependingon what's offered by your chosen partner in the selected location.
Other Cloud Interconnect types have different connection capacityoptions. For more information, see the documentation for yourCloud Interconnect type.
You can request 100-Gbps connections at any of the locations listed inAll colocation facilities.
For more information about the locations available for a specific Cloud Interconnect type, see its corresponding documentation.
The following benefits apply to Cloud Interconnect types thatprovide connectivity between your VPC networks and othernetworks:
Your VPC network's internal IP addresses are directlyaccessible from your on-premises network. You don't need to use a NAT deviceor VPN tunnel to reach internal IP addresses. Fordetails, seeIP addressing, IPv6 and dynamic routes.
Dedicated Interconnect, Partner Interconnect,Direct Peering, andCarrier Peeringcan all help you optimize egress traffic from your VPC networkand reduce your egress costs. Cloud VPN by itself does notreduce egress costs.
You can use Cloud Interconnect withPrivate Google Access for on-premises hosts so that on-premises hosts canuse internal IP addresses rather than external IP addresses to reach GoogleAPIs and services. For more information,seePrivate access options for servicesin the VPC documentation.
You can apply IPsec encryption to your Cloud Interconnecttraffic by deploying HA VPN over Cloud Interconnect.
Resiliency and SLA options
When you configure a Cloud Interconnect connection, you can do so ata specific level of reliability. You can choose between the followingreliability options:
- Critical production. Choose this option for critical production workloadsthat require maximum resiliency. This option provides a 99.99% uptime SLA.
- Non-critical production. Choose this option for non-critical productionand development workloads. This option provides a 99.9% uptime SLA.
- No SLA. You can configure your connection group without specifying anintended level of reliability. We recommend that you avoid using this optionfor resources in which extended downtime is undesirable. This option doesn'tprovide an uptime SLA.
For more information about Cloud Interconnect SLAs, seeDedicated Interconnect and Partner Interconnect SLA.
Considerations
Use Cloud VPN by itself
If you don't require an entireCloud Interconnect connection, you can useCloud VPN on its own to set up IPsec VPNtunnels between your VPC networks and other networks. IPsec VPN tunnels encrypt data by usingindustry-standard IPsec protocols. The encrypted traffic traverses the public internet.
Cloud VPN requires that you configure a peer VPN gateway in your on-premises network.
IP addressing, IPv6 and dynamic routes
Note: The information in this section applies to Cloud Router.Cloud Router provides dynamic (BGP) routing forCloud VPN, Dedicated Interconnect, andPartner Interconnect.When you connect your VPC network to your on-premises network,you allow communication between the IP address space of your on-premises networkand some or all of the subnets in your VPC network. WhichVPC subnets are available depends on thedynamic routingmode of your VPCnetwork.Subnet IP ranges in VPCnetworks are always internalIP addresses.
You can enable IPv6 traffic exchange between your IPv6-enabledVPC network and your on-premises network. For more information,seeIPv6 support forDedicated InterconnectandIPv6 support forPartner Interconnect.
The IP address space on your on-premises network and on your VPCnetwork must not overlap, or traffic is not routed properly. Remove anyoverlapping addresses from either network.
Your on-premises router shares the routes of your on-premises network with theCloud Router in your VPC network. This action createscustom dynamic routes in yourVPC network, each with a next hop set to the appropriate VLANattachment.
Unless modified by custom advertisements, Cloud Routers inyour VPC network share VPC network subnet IPaddress ranges with your on-premises routers according to the dynamic routingmode of your VPC network.
The following configurations require that you createcustom advertisedroutes on yourCloud Router to direct traffic from your on-premises network tocertain internal IP addresses by using a Cloud Interconnect connection:
- Configure Private Google Access for on-premiseshosts
- Create a Cloud DNS forwardingzone
- Alternative name server networkrequirements
Cloud Interconnect as a data transfer network
Before you use Cloud Interconnect, carefully reviewSection 2 of the General Service Terms forGoogle Cloud.Google Cloud provides several options for connecting your on-premisesnetworks to each other including Cross-Site Interconnect,Network Connectivity Center, and Router appliance.For more information, seeConnecting your sites by using Google Cloud.Encrypt Cloud Interconnect traffic
Cloud Interconnect doesn't encrypt traffic by default. You can useMACsec for Cloud Interconnect to help secure traffic between your on-premisesrouter and Google's edge routers on supported Cloud Interconnectcircuits. For more information, seeMACsec for Cloud Interconnectoverview.
You can also deploy HA VPN over Cloud Interconnect if you need to encryptthe traffic carried by your VLAN attachments. HA VPN over Cloud Interconnectis supported for both Dedicated Interconnect andPartner Interconnect. You might be required to encrypt yourCloud Interconnect traffic to address certain regulatory or securityrequirements. For more information, seeHA VPN over Cloud Interconnectoverview.Restrict Cloud Interconnect usage
By default, any VPC network can use Cloud Interconnect.To control which VPC networks can use Cloud Interconnect, you can set anorganization policy. For more information, seeRestrict Cloud Interconnect usage.Cloud Interconnect MTU
See the MTU information for your use case:
If you are connecting your VPC networks to other networks,Cloud Interconnect VLAN attachments support the following four MTUsizes:
- 1,440 bytes
- 1,460 bytes
- 1,500 bytes
- 8,896 bytes
For information about MTU best practices for VLAN attachments, seeUse the sameMTU for all VLAN attachments.
If you are connecting your on-premises networks to each other, cross-sitenetworks support an MTU size of 9,000 bytes.
Custom IP address ranges
When you create a VLAN attachment for Dedicated Interconnect,Partner Interconnect, or Cross-Cloud Interconnect,you can configure custom IP address ranges for the Cloud Router andcustomer router ends of the attachment. When you specify a custom IP addressrange, Cloud Interconnect creates an internal range resource thatreserves the exact IP address for use within your VPC, ratherthan the IP address range. If you use that IP address elsewhere in yourVPC, the internal range resource creation fails.
For example, if you specify192.0.2.1/29 as your Cloud Routeraddress, the internal range resource reserves192.0.2.1/32. This means that inorder to configure custom IP address ranges with Cloud Interconnect,you must enable the Network Connectivity API and relevant permissions. Werecommend that you use the Compute Network Admin role(roles/compute.networkAdmin). For more information about internal IP addressranges, seeCreate and use internal ranges.
Before you begin
Keep the following considerations in mind before you configure custom IP addressranges:
- Legal notice
- Custom IP Ranges. Customer is responsible for any consents and notices required to permit Google's accessing, storing, and processing of data provided by Customer. Customer is responsible for the accuracy of any IP addresses it provides to Google in connection with Customer's use of this offering.
- API and permissions
- Before you specify a custom IP address, you mustenable theNetwork Connectivity API in your project. In addition, you need the
networkconnectivity.internalRanges.createpermission, which you can get by using the Compute Network Admin role (roles/compute.networkAdmin). - Prefix length
- The prefix lengths for the IPv4 address ranges that you specify with the
--candidate-customer-router-ip-addressand--candidate-cloud-router-ip-addressflags must be/29or/30, and they must be in the same subnet. In addition, if you use link-local IPv4 addresses you can only use the/29prefix length. - The prefix lengths for the IPv6 address ranges that you specify with the
--candidate-customer-router-ipv6-addressand--candidate-cloud-router-ipv6-addressflags must be/125or/126, and they must be in the same subnet. In addition, you can't use link-local or unique local address (ULA) IPv6 addresses. - IP address requirements
- The ranges that you use when you configure any of the previously mentioned flags must meet the following requirements:
- The ranges can't overlap with another range that you use within your customer VPC.
- You can't use the first or last IP address within the IP address ranges that you specify because they are the network and broadcast addresses.
- You can't use ranges that contain private IPv4 addresses with the
--candidate-customer-router-ip-addressand--candidate-cloud-router-ip-addressflags.
- Limitations
- The following limitations apply to custom IP address ranges:
- You can't use the
--candidate-subnetsflag with the--candidate-customer-router-ip-addressand--candidate-cloud-router-ip-addressflags, but you can use--candidate-subnetsfor link-local IPv4 attachments with the--candidate-customer-router-ipv6-addressand--candidate-cloud-router-ipv6-addressflags. - You can use both Google-owned and custom IPv6 addresses on the same Cloud Router, but you can't use both Google-owned and custom IPv6 address ranges on the same VLAN attachment.
- You can't reuse custom IP address ranges anywhere in the same VPC, or in any other VPC that is connected to it with VPC spokes or with VPC Network Peering.
- You can use public IP address ranges from other cloud service providers, but you must possess a letter of authorization from the service provider on their company letterhead.
- If you want to use custom IP address ranges with a Layer 3 Partner Interconnect connection, you create a VLAN attachment and then your service provider configures the custom IP address ranges during their VLAN attachment configuration process. If you have a Layer 3 connection, contact your service provider for instructions.
- The following reserved IP address ranges are not supported:
- Reserved IPv4 address ranges:
0.0.0.0/810.0.0.0/8100.64.0.0/10127.0.0.0/8172.16.0.0/12192.0.0.0/24192.0.2.0/24192.88.99.0/24192.168.0.0/16198.18.0.0/15198.51.100.0/24203.0.113.0/24224.0.0.0/4240.0.0.0/4- Reserved IPv6 address ranges:
::ffff:0:0/9664:ff9b::/9664:ff9b:1::/48100::/642001:/322001:20::/282001:db8::/32fe80::/102002::/163fff::/205f00::/16fc00::/7fe80::/10ff00::/8
- You can't use the
Configure custom IP address ranges
To create VLAN attachments with custom IP address ranges, see the followingpages:
- Dedicated Interconnect:configure custom IP address ranges
- Layer 2 Partner Interconnect connections:use custom IP address ranges with Layer 2 connections
- Layer 3 Partner Interconnect connections:use custom IP address ranges with Layer 3 connections
- Cross-Cloud Interconnect:
- Alibaba Cloud:configure custom IP address ranges
- Amazon Web Services (AWS):configure custom IP address ranges
- Microsoft Azure:configure custom IP address ranges
- Oracle Cloud Infrastructure:configure custom IP address ranges
Support for GRE traffic
Cloud Interconnect supportsGREtraffic. Support for GRE lets you terminate GRE traffic on a VMfrom the internet (external IP address) and Cloud VPN orCloud Interconnect (internal IP address). The decapsulated traffic canthen be forwarded to a reachable destination. GRE lets you useservices such as Secure Access Service Edge (SASE) andSD-WAN. You mustcreate afirewall rule to allow GRE traffic.
Note: GRE support for Cloud Interconnect has been tested only with GRE version 0. Additionally, support for GRE traffic doesn't includesupport from Google Cloud for troubleshooting your overlay network.Differentiate network traffic
Dedicated Interconnect andCross-Cloud Interconnect support network traffic differentiationthrough application awareness on Cloud Interconnect. Applicationawareness lets you map your outbound traffic to different traffic classes andset either a bandwidth percentage policy or a strict priority policy, which canhelp ensure that business critical network traffic is prioritized over lowerpriority network traffic.
Application awareness on Cloud Interconnect usesdifferentiated services field codepoint (DSCP)in the IP header for traffic differentiation. It's not related to oraware of App Hub'sdata model forapplications.
For more information, see "Configure traffic differentiation" forDedicated InterconnectandCross-Cloud Interconnect.
Contact your account team to enable application awareness on yourCloud Interconnect.
Visualize and monitor Cloud Interconnect connections and VLAN attachments
Network Topology is a visualization tool that shows the topology of yourVPC networks, hybrid connectivity to and from your on-premises networks,and the associated metrics. You can view your Cloud Interconnectconnections and VLAN attachments as entities in the Network Topology view.
A base entity is the lowest level of a particular hierarchy and represents aresource that can directly communicate with other resources over a network.Network Topology aggregates base entities into hierarchical entities thatyou can expand or collapse. When you first view a Network Topology graph,it aggregates all the base entities into their top-level hierarchy.
For example, Network Topology aggregates VLAN attachments into theirCloud Interconnect connection, and you can view the hierarchy byexpanding or collapsing the icons that represent Cloud Interconnect connections.
For more information, see theNetwork Topology overview.
Frequently asked questions
For answers to common questions about Cloud Interconnect architectureand features, see theCloud InterconnectFAQ.
What's next?
To choose a connection type for Cloud Interconnect, seeChoosing a Network Connectivity product.
To learn about how to deploy Cloud Interconnect as part ofCross-Cloud Network that uses Network Connectivity Center, seeCross-Cloud Network inter-VPC connectivity using Network Connectivity Center.
To learn about how to deploy Cloud Interconnect as part ofCross-Cloud Network that uses VPC Network Peering, seeCross-Cloud Network inter-VPC connectivity using VPC Network Peering.
To learn about best practices when planning for and configuringCloud Interconnect, seeBest practices.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.