Decommission a hybrid subnet

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This page describes how to decommission a hybrid subnet.

If you no longer need Hybrid Subnets functionality—for example, because all workloads in the source network have either migrated to Google Cloud or been decommissioned—you can decommission a hybrid subnet. Decommissioning a hybrid subnet changes the hybrid subnet into a regular subnet and removes the unused components of the hybrid subnet.

While you can keep a hybrid subnet configured indefinitely, Google recommends decommissioning it to simplify your network architecture and remove complexity such as managing custom advertised routes.

Required roles

To get the permissions that you need to create a hybrid subnet, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Update Cloud Router custom advertised routes

The following sections describe how to replace the custom advertised routes that you created for each migrated workload with a single advertisement for the entire subnet.

Create a custom advertised route for the entire subnet

Create a single custom advertised route for the entire IP address range of the hybrid subnet that you are decommissioning. For more information, see Advertise specific VPC subnets.

Remove custom advertised routes for migrated workloads

Remove the /32 and other custom advertised routes that you configured on your Cloud Router for individual migrated workloads. For more information, see Remove custom advertised routes on a Cloud Router.

Disable hybrid subnet routing

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of the VPC network that contains the subnet that you want to update.

  3. Click the Subnets tab.

  4. Click the subnet that you want to update.

  5. Click Edit.

  6. In the Hybrid subnet section, select Off.

  7. Click Save.

gcloud

Use the gcloud beta compute networks subnets update command.

gcloud beta compute networks subnets update SUBNET \
    --region=REGION \
    --no-allow-cidr-routes-overlap

Replace the following:

  • SUBNET: the name of the subnet.
  • REGION: the region of the subnet.

API

  1. Find the fingerprint ID of your subnet.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the ID of your project
    • REGION: the region of your subnet
    • SUBNET_NAME: the name of your subnet

    HTTP method and URL:

    GET https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "kind": "compute#subnetwork",
      "id": "5514771331600183201",
      "creationTimestamp": "2022-09-16T12:41:02.010-07:00",
      "name": "subnet-name",
      "network": "https://www.googleapis.com/compute/v1/projects/project-name/global/networks/network-name",
      "ipCidrRange": "10.6.0.0/16",
      "gatewayAddress": "10.6.0.1",
      "region": "https://www.googleapis.com/compute/v1/projects/project-name/regions/us-central1",
      "selfLink": "https://www.googleapis.com/compute/v1/projects/project-name/regions/us-central1/subnetworks/subnet-name",
      "privateIpGoogleAccess": true,
      "fingerprint": "YiItidAFRsA5",
      "allowSubnetCidrRoutesOverlap": false,
      "enableFlowLogs": true,
      "privateIpv6GoogleAccess": "DISABLE_GOOGLE_ACCESS",
      "purpose": "PRIVATE",
      "stackType": "IPV4_ONLY"
    }

  2. Disable allowSubnetCidrRoutesOverlap.

    Before using any of the request data, replace SUBNET_FINGERPRINT with the fingerprint ID of your subnet that you found in the previous request—for example, YiItidAFRsA5.

    HTTP method and URL:

    PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME

    Request JSON body:

    {
      "allowSubnetCidrRoutesOverlap": false,
      "fingerprint": "SUBNET_FINGERPRINT"
    }

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
      "kind": "compute#operation",
      "id": "5973660558170953708",
      "name": "operation-1680288003494-5f8368991917a-59bf1c92-1897c7c6",
      "operationType": "compute.subnetworks.patch",
      "targetLink": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1/subnetworks/subnet-name",
      "targetId": "5514771331600183201",
      "status": "RUNNING",
      "user": "user@gmail.com",
      "progress": 0,
      "insertTime": "2023-03-31T11:40:03.882-07:00",
      "startTime": "2023-03-31T11:40:03.893-07:00",
      "selfLink": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1/operations/operation-1680288003494-5f8368991917a-59bf1c92-1897c7c6",
      "region": "https://www.googleapis.com/compute/beta/projects/test-project/regions/us-central1"
    }

  3. To verify that allowSubnetCidrRoutesOverlap is disabled for your subnet, make another GET request and ensure that the response includes the following:

    • "allowSubnetCidrRoutesOverlap": false
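The following check is an added example, not part of the original page or of Google's code samples. It audits the two steps in "Update Cloud Router custom advertised routes" together with this verification step, working on the JSON returned by GET requests for the subnetwork and the Cloud Router (fields ipCidrRange, allowSubnetCidrRoutesOverlap and bgp.advertisedIpRanges[].range). The function name and all sample values are constructed for illustration.

```python
import ipaddress


def audit_decommission(subnet: dict, router: dict) -> dict:
    """Compare a subnetwork and a Cloud Router resource with the steps above."""
    subnet_range = ipaddress.ip_network(subnet["ipCidrRange"])
    advertised = [
        ipaddress.ip_network(entry["range"], strict=False)
        for entry in router.get("bgp", {}).get("advertisedIpRanges", [])
    ]
    same_family = [n for n in advertised if n.version == subnet_range.version]

    # One advertisement has to cover the entire range of the subnet.
    aggregate = any(subnet_range.subnet_of(n) for n in same_family)
    # /32 and other more-specific routes inside the subnet should be gone.
    leftovers = sorted(
        n for n in same_family if n != subnet_range and n.subnet_of(subnet_range)
    )
    # A missing flag counts as "not confirmed off" instead of being assumed.
    overlap_off = subnet.get("allowSubnetCidrRoutesOverlap") is False

    return {
        "aggregate_advertised": aggregate,
        "leftover_routes": [str(n) for n in leftovers],
        "overlap_disabled": overlap_off,
        "complete": aggregate and not leftovers and overlap_off,
    }


# Constructed sample resources (trimmed to the fields the audit reads).
SUBNET_BEFORE = {"ipCidrRange": "10.6.0.0/16", "allowSubnetCidrRoutesOverlap": True}
ROUTER_BEFORE = {"bgp": {"advertiseMode": "CUSTOM", "advertisedIpRanges": [
    {"range": "10.6.3.0/28"},       # per-workload route inside the subnet
    {"range": "10.6.0.12/32"},      # per-workload /32 inside the subnet
    {"range": "192.168.10.0/24"},   # unrelated range, must be ignored
]}}
SUBNET_AFTER = {"ipCidrRange": "10.6.0.0/16", "allowSubnetCidrRoutesOverlap": False}
ROUTER_AFTER = {"bgp": {"advertiseMode": "CUSTOM", "advertisedIpRanges": [
    {"range": "10.6.0.0/16"},
    {"range": "192.168.10.0/24"},
]}}

if __name__ == "__main__":
    print(audit_decommission(SUBNET_BEFORE, ROUTER_BEFORE))
    print(audit_decommission(SUBNET_AFTER, ROUTER_AFTER))
```
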

Delete ingress firewall rules

Delete the ingress firewall rules or firewall policies that you configured for migrated VMs. For more information, see the Cloud Next Generation Firewall documentation.

Remove unnecessary configuration

Consider the following:

  • If you don't need proxy ARP in your source network for another purpose, you can disable proxy ARP. For information about disabling proxy ARP, see the documentation of your proxy ARP solution.
  • If you don't need your source subnet for another purpose, you can decommission the source subnet.
  • If all your VMs have migrated to Google Cloud, and you no longer need connectivity between your source and VPC networks, you can disconnect your source and VPC networks. To disconnect your source and VPC networks, complete the following steps:

    1. Do one of the following, depending on how you've configured connectivity:

    2. If you no longer need the Cloud Router that you configured for Hybrid Subnets, you can delete the Cloud Router.

    3. If you no longer need the firewall configuration in your source network that you added for Hybrid Subnets, you can remove it.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.