Set up and manage VPC Network Peering
Google Cloud VPC Network Peering enables internal IP address connectivity across two Virtual Private Cloud (VPC) networks, regardless of whether they belong to the same project or the same organization. Peering supports connectivity between networks having dual-stack subnets.
For more information, see VPC Network Peering.
Create a peering configuration
Before you begin, you must have the name of the VPC network to which you will peer with. If that network is located in another project, you must also have the project ID of that project. You can't list peering requests for your VPC network. If necessary, ask the administrator of the network that you intend to peer with for the network and project names.
A peering configuration establishes the intent to connect to another
VPC network. Your network and the other network are not connected
until each one has a peering configuration for the other. After the other
network has a corresponding configuration to peer with your network,
the peering state changes to ACTIVE
in both networks, and they are connected.
If there's no matching peering configuration in the other network, the peering
state remains INACTIVE
, indicating that your network is not connected to the
other one.
Google Cloud allows only one peering-related activity at a time across
peered networks. For example, if you set up peering with one network and
immediately try to set up another, the operation fails with the following:
Error: There is a peering operation in progress on the local or peer network. Try again later.
Once connected, the two networks always exchange subnet routes. You can optionally import both static and dynamic IPv4 custom routes and dynamic IPv6 custom routes from a peered network if it has been configured to export them. For more information, see import and export custom routes.
Console
- In the Google Cloud console, go to the VPC Network Peering page .
Go to VPC Network Peering - Click Create connection.
- Click Continue.
- In the Name field, enter a name for your peering configuration.
- Under Your VPC network, select a network you want to peer.
Select the network to peer with.
- If the network that you want to peer with is in the same project, select In project [NAME-OF-YOUR-PROJECT] and then the network to peer with.
- If the network that you want to peer with is in a different project, select In another project. Specify the project ID that includes the network you want to peer with and the name of the VPC network.
Under IP stack type, specify which subnet routes should be exchanged between the peered networks:
- IPv4 (single-stack): Exchange IPv4 routes only.
- IPv4 and IPv6 (dual-stack): Exchange both IPv4 and IPv6 routes.
To import or export IPv4 and IPv6 custom routes, choose one or both of the following options:
- Import custom routes: Import custom routes from the peer network. The peer network must enable custom route export for routes to be imported.
- Export custom routes: Export custom routes to the peer network. The peer network must enable custom route import for routes to be exported.
If your network or the peer network uses privately used public IPv4 ranges in their subnets, these routes are exported by default, but not imported by default. To import privately used public IPv4 subnet routes, select:
- Import subnet routes with public IP to import privately used public IP subnet routes exported by the other network
Click Create.
gcloud
Create a VPC Network Peering connection.
gcloud compute networks peerings create PEERING_NAME \ --network=NETWORK \ --peer-project=PEER_PROJECT_ID \ --peer-network=PEER_NETWORK_NAME \ [--stack-type=STACK_TYPE] \ [--import-custom-routes] \ [--export-custom-routes] \ [--import-subnet-routes-with-public-ip] \ [--export-subnet-routes-with-public-ip]
Replace the following:
PEERING_NAME
: The name of the peering configuration.NETWORK
: The name of the network in your project that you want to peer.PEER_PROJECT_ID
: The ID of the project containing the network that you want to peer with.PEER_NETWORK_NAME
: The name of the network that you want to peer with.STACK_TYPE
: The stack type for the peering connection. SpecifyIPV4_ONLY
to exchange only IPv4 routes. Alternatively, specifyIPV4_IPV6
to exchange both IPv4 and IPv6 routes.IPV4_ONLY
is the default value.- --import-custom-routes tells the network to accept custom routes from the peered network. The peered network must export the routes first.
- --export-custom-routes tells the network to export custom routes to the peered network. The peered network must be set to import the routes.
- --import-subnet-routes-with-public-ip tells the network to accept subnet routes from the peered network if that network is using privately used public IPv4 addresses in its subnets. The peered network must export the routes first.
- --export-subnet-routes-with-public-ip tells the network to export subnet routes that contain privately used public IP addresses. The peered network must be set to import the routes.
Terraform
You can use a Terraform module to create a peering configuration.
For the two peered VPC networks, each self link includes a project ID and
the name of the VPC network. To get the self link for a VPC network, you can
use the gcloud compute networks
describe
command or the
networks.get
method in each
VPC network's project.
When you create a peering from the local_network
to the peer_network
,
the peering relationship is bidirectional. The peering from the
peer_network
to the local_network
gets created automatically.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Verify that traffic is passing between peered VPC networks
You can use VPC Flow Logs to view network flows sent from and received by VM instances. You can also use Firewall Rules Logging to verify that traffic is passing between the networks. Create VPC firewall rules that allow (or deny) traffic between the peered networks, and turn on Firewall Rules Logging for those rules. You can then view which firewall rules were hit using Cloud Logging.
Update a peering connection
When you update an existing VPC Network Peering connection, you can do the following:
- Change whether your VPC network exports or imports custom routes or privately used public IPv4 subnet routes to or from the peer VPC network.
- Update an existing peering connection to enable or disable the exchange of IPv6 routes between the peering networks.
Your network imports routes only if the peer network is also exporting the routes, and the peer network receives routes only if it imports them.
Console
- In the Google Cloud console, go to the VPC Network Peering page.
Go to VPC Network Peering - Select the peering connection to update.
- Click Edit.
- Update the IP stack type selection to specify which subnet routes should be exchanged between the peered networks:
- IPv4 (single-stack): Stop the existing exchange of IPv6 routes over the peering and continue exchanging only IPv4 routes.
- IPv4 and IPv6 (dual-stack): Start exchanging both IPv4 and IPv6 routes, provided that the matching peering connection also has IP stack type set to IPv4 and IPv6 (dual-stack).
- To import or export IPv4 and IPv6 custom routes, choose one or both of the following
options:
- Import custom routes to import custom routes exported by the other network
- Export custom routes to export custom routes to the other network. The other network must import the routes to see them.
- If your network or the peer network uses privately used public IPv4
ranges in their subnets, these routes are exported by default, but not
imported by default. To import privately used public IPv4 subnet routes,
select:
- Import subnet routes with public IP to import privately used public IP subnet routes exported by the other network
- Click Save.
gcloud
gcloud compute networks peerings update PEERING_NAME \ --network=NETWORK \ [--stack-type=STACK_TYPE] \ [--import-custom-routes] \ [--export-custom-routes] \ [--export-subnet-routes-with-public-ip] \ [--import-subnet-routes-with-public-ip]
Update the following:
PEERING_NAME
: The name of the existing peering connection.NETWORK
: The name of the network in your project that is peered.STACK_TYPE
: The stack type for the peering connection.- Specify
IPV4_ONLY
to stop the existing exchange of IPv6 routes over the peering and continue exchanging only IPv4 routes. - Specify
IPV4_IPV6
to start exchanging both IPv4 and IPv6 routes, provided the matching peering connection also hasstack_type
set toIPV4_IPV6
.
- Specify
- --import-custom-routes tells the network to accept custom routes from the peered network. The peered network must export the routes first.
- --export-custom-routes tells the network to export custom routes to the peered network. The peered network must be set to import the routes.
- --import-subnet-routes-with-public-ip tells the network to accept subnet routes from the peered network if that network is using privately used public IPv4 addresses in its subnets. The peered network must export the routes first.
- --export-subnet-routes-with-public-ip tells the network to export subnet routes that contain privately used public IP addresses. The peered network must be set to import the routes.
List peering connections
List existing peering connections to view their status and whether they're importing or exporting custom routes.
Console
- In the Google Cloud console, go to the VPC Network Peering page.
Go to VPC Network Peering - Select the peering connection to view its details.
gcloud
gcloud compute networks peerings list
List routes from peering connections
You can list the dynamic routes that your VPC network is importing from or exporting to a peered VPC network. For exported routes, you can check whether a peer network is accepting or rejecting your custom routes. For imported routes, you can check whether your network is accepting or rejecting custom routes from a peer network.
You might not see the same number of routes for each region. For more information, see Troubleshooting.
Console
- In the Google Cloud console, go to the VPC Network Peering page.
Go to VPC Network Peering - Select the peering connection to view its details.
View customs routes that your network is importing or exporting. Use the region selector to view dynamic routes in a particular region. Subnet and static routes are global and are shown for all regions.
- To view the imported custom routes, select the Imported routes tab.
- To view the exported custom routes, select the Exported routes tab.
gcloud
gcloud compute networks peerings list-routes PEERING_NAME \ --network=NETWORK \ --region=REGION \ --direction=DIRECTION
Update the following:
PEERING_NAME
: The name of an existing peering connection.NETWORK
: The name of the network in your project that is peered.REGION
: The region where you want to list all dynamic routes. Subnet and static routes are global and are shown for all regions.DIRECTION
: Specifies whether to list imported (incoming
) or exported (outgoing
) routes.
Delete a VPC Network Peering connection
You or a network administrator for the peer VPC network can
delete a peering configuration. When a peering configuration has been deleted,
the peering connection switches to INACTIVE
in the other network, and all
routes shared among the networks are removed.
Console
- Go to the VPC Network Peering page in the Google Cloud console.
Go to VPC Network Peering - Select the checkbox next to the peering you want to remove.
- Click Delete.
gcloud
gcloud compute networks peerings delete PEERING_NAME \ --network=NETWORK
Update the following:
PEERING_NAME
: The name of the peering connection to delete.NETWORK
: The name of the network in your project that is peered.
Quotas and limits
See VPC Network Peering quotas and limits.
Troubleshooting
The following sections describe how to troubleshoot issues with VPC Network Peering.
Peer VMs are unreachable
After the peering connection is ACTIVE, it may take up to a minute for all the traffic flows to be set up between the peered networks. This time depends on the size of the networks that are peering. If you have recently set up the peering connection, wait up to a minute and try again. Also, ensure that there are no firewall rules blocking access to/from peer VPC network subnet CIDRs.
Custom routes not exchanged between peered networks
First, list the routes from your peering connections. If you don't see routes to destinations that you expect, check the following:
List peering connections. Find the network with the desired destination ranges, and ensure that its peering state is
ACTIVE
. If the peering connection isINACTIVE
, a peering configuration for your network does not exist in the other network. If you don't manage the other network, you'll need to coordinate with a network administrator who does.Update the peering configuration in your network so that it is configured to import custom routes from the other network. Ensure that the other network has been configured to export its custom routes.
Traffic destined for a peer network is being dropped
First, list peering connections to make sure your
network is still connected to the other one. If the peering state is INACTIVE
,
a peering configuration for your network does not exist in the other network. If
you don't manage the other network, you'll need to contact a network
administrator who does.
Next, list routes from peer connections. You can only import as many routes as are allowed by the VPC Network Peering limits.
Traffic is being sent to an unexpected next hop
Review the routing order to see if another route was chosen instead.
Unable to peer with a particular VPC network
If you cannot create a peering configuration with certain VPC
networks, an organization policy might be constraining the VPC
networks that your network can peer with. In the organization policy, add the
network to the list of allowed peers or contact your organization administrator.
For more information, refer to the
constraints/compute.restrictVpcPeering
constraint.
IPv6 subnet routes not exchanged after updating stack_type
of the peering to IPV4_IPV6
Ensure that the value of stack_type
for the matching peering connection is also set to IPV4_IPV6
. Both sides of a peering connection must have stack_type
set to IPV4_IPV6
before IPv6 routes and traffic can be exchanged.
IPv6 dynamic routes not exported after updating stack_type
of the peering to IPV4_IPV6
To export dynamic and static IPv6 routes, you must enable the –export-custom-route
and the –import-custom-route
flags on the matching peering connections.
IPv6 static and dynamic routes not exchanged after enabling the import and export of custom routes
Ensure that both the peerings have stack_type
set to IPV4_IPV6
.
Some dynamic routes are imported, but I don't see all of them
Consider the following:
You might not see the same number of routes for each region. If multiple routes with the same IP address ranges are exchanged across regions, only the routes with the highest priority are imported. If these routes are exchanged across the same region, all routes are imported.
When a network reaches the per-peering-group limit of dynamic routes, no more routes are imported. However, it's not possible to determine which routes are omitted.
What's next
- For more information about VPC routing, see Routes.
- For limits related to VPC Network Peering, see VPC Network Peering limits.
- For information about how to use an internal passthrough Network Load Balancer as the next hop for a custom static route, see Use an internal passthrough Network Load Balancer as a next hop.