Peer two VPC networks

Learn how to peer two Virtual Private Cloud (VPC) networks by using the Google Cloud console.

Consider an organization organization-a that needs VPC Network Peering to be established between network-a in project-a and network-b in project-b. In order for VPC Network Peering to be established successfully, administrators of network-a and network-b must separately configure the peering association.

By completing the steps in this document, you create the following configuration:

Figure: Peering active. Two networks with an active peering connection.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Compute Engine API.

  5. Make sure that you have the following role or roles on the project: Compute Network Admin or Project Editor

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  6. Repeat these steps for a second project. This quickstart describes how to peer VPC networks that are in separate projects.

Create two VPC networks

In this section, you create two VPC networks, each in different projects.

Create network-a and subnet-a in your first project

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click Create VPC network.

  3. In the Name field, enter network-a.

  4. In the New subnet section, specify the following:

    1. In the Name field, enter subnet-a.
    2. Select any Region.
    3. In the IPv4 range field, enter 10.0.1.0/24.
    4. Click Done.
  5. In the IPv4 firewall rules tab, on the right side of the row that contains the predefined ingress firewall rule named NETWORK-allow-custom, click Edit.

    1. Deselect Use subnets' IPv4 ranges.
    2. In Other IPv4 ranges, enter 10.0.0.0/20. Entering this range ensures that the resources in your peered networks can communicate with each other and lets you add more subnets in the future without having to update firewall rules.
    3. Click Confirm.
  6. Click Create.

Create network-b and subnet-b in your second project

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click Create VPC network.

  3. In the Name field, enter network-b.

  4. In the New subnet section, specify the following:

    1. In the Name field, enter subnet-b.
    2. Select any Region.
    3. In the IPv4 range field, enter 10.0.8.0/24.
    4. Click Done.
  5. In the IPv4 firewall rules tab, on the right side of the row that contains the predefined ingress firewall rule named NETWORK-allow-custom, click Edit.

    1. Deselect Use subnets' IPv4 ranges.
    2. In Other IPv4 ranges, enter 10.0.0.0/20. Entering this range ensures that the resources in your peered networks can communicate with each other and lets you add more subnets in the future without having to update firewall rules.
    3. Click Confirm.
  6. Click Create.
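The two subnet ranges and the 10.0.0.0/20 source range used in the NETWORK-allow-custom rules are chosen so that they fit together: VPC Network Peering requires that no subnet range in one network overlaps a subnet range in the peer, and the firewall rule's source range has to contain every peered subnet or the exchanged routes are useless. The following script is an added example (not code from the Google Cloud documentation) that checks an address plan for exactly those two properties and counts how many further /24 subnets fit inside the firewall range without editing the rule. The function names and the `subnet-c` value are assumptions; the other CIDRs are the quickstart's own.

```python
"""Address-plan checks for the two-network peering in this quickstart.

Added example, not part of the Google Cloud page. The CIDRs in SUBNETS and
ALLOW_CUSTOM_SOURCE are the ones the quickstart uses; function names are
the author's own.
"""
import ipaddress

# Subnets created in the quickstart: subnet-a in network-a/project-a,
# subnet-b in network-b/project-b.
SUBNETS = {"subnet-a": "10.0.1.0/24", "subnet-b": "10.0.8.0/24"}

# Source range entered under "Other IPv4 ranges" in both allow-custom rules.
ALLOW_CUSTOM_SOURCE = "10.0.0.0/20"


def _parse(subnets):
    """Turn {name: cidr-string} into {name: IPv4Network}."""
    return {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}


def overlapping_pairs(subnets):
    """Return (name, name) pairs whose ranges overlap.

    Peering will not become ACTIVE while any subnet in one network overlaps
    a subnet in the peer, so this list must be empty before you click Create.
    """
    nets = _parse(subnets)
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def uncovered_subnets(subnets, source_range):
    """Return subnets the allow-custom rule would NOT admit traffic from.

    A peered subnet outside the rule's source range gets a route but its
    packets are still dropped at the ingress firewall.
    """
    src = ipaddress.ip_network(source_range)
    return [n for n, net in sorted(_parse(subnets).items()) if not net.subnet_of(src)]


def spare_blocks(subnets, source_range, prefix=24):
    """Return the /prefix blocks inside source_range not yet used by a subnet.

    These can be added later without touching the firewall rule, which is
    why the quickstart enters a /20 rather than the two /24s.
    """
    src = ipaddress.ip_network(source_range)
    used = set(_parse(subnets).values())
    return [str(b) for b in src.subnets(new_prefix=prefix) if b not in used]


def plan_report(subnets=SUBNETS, source_range=ALLOW_CUSTOM_SOURCE):
    """Summarise the checks a practitioner runs before creating the peering."""
    return {
        "overlaps": overlapping_pairs(subnets),
        "uncovered": uncovered_subnets(subnets, source_range),
        "spare_24s": len(spare_blocks(subnets, source_range)),
    }


if __name__ == "__main__":
    print("quickstart plan:", plan_report())
    # Hypothetical subnet-c outside 10.0.0.0/20: routed by peering, but the
    # allow-custom rule would not admit its traffic.
    wider = dict(SUBNETS, **{"subnet-c": "10.1.0.0/24"})
    print("with subnet-c added:", plan_report(wider))
```

Run it before creating the peering; an empty `overlaps` and `uncovered` list for both networks means the console steps above will produce a working, reachable pair. The `spare_24s` count (14 for the quickstart's ranges) is the number of additional subnets you can add under the same firewall rule.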

Peer network-a with network-b

In this section, you configure network-a to peer with network-b.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Click Create connection.

  3. Click Continue.

  4. Enter a Name of peer-ab for this side of the connection.

  5. Under Your VPC network, select network-a.

  6. Set the Peering VPC network radio buttons to In another project.

  7. Specify the Project ID of the other project.

  8. Specify the VPC network name of the other network, network-b.

  9. Select Import custom routes and Export custom routes.

  10. Click Create.

At this point, the peering state remains INACTIVE because of the absence of a matching configuration in network-b in project-b.

When the peering state becomes ACTIVE, VPC Network Peering automatically exchanges subnet routes. Google Cloud also exchanges custom routes (static routes and dynamic routes) by importing or exporting them over the peering connection. Both networks must be configured to exchange custom routes before they are shared. For more information, see Importing and exporting custom routes.

To see the current peering state, view the peering connection:

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Select peer-ab. On the Peering connection details page, the status says Inactive. Waiting for the connection to be created by network-b.

Peer network-b with network-a

In this section, you create a matching peering configuration from network-b to network-a so that the peering becomes ACTIVE on both ends.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Click Create connection.

  3. Click Continue.

  4. Enter a Name of peer-ba for this side of the connection.

  5. Under Your VPC network, select network-b.

  6. Set the Peering VPC network radio buttons to In another project.

  7. Specify the Project ID of the other project.

  8. Specify the VPC network name of the other network, network-a.

  9. Select Import custom routes and Export custom routes.

  10. Click Create.

VPC Network Peering becomes ACTIVE

As soon as the peering moves to an ACTIVE state, subnet routes and custom routes are exchanged, which allows traffic to flow between resources in the networks.

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. On the VPC Network Peering page, the status for the connection that you created says ACTIVE.

  3. Go to the VPC Network Peering page in the other project to see that it also says ACTIVE.

The routes to peered network CIDR prefixes are now visible across the VPC network peers. These routes are implicit routes that are generated for active peering connections. They don't have corresponding route resources. The following procedure shows routes for all VPC networks for project-a.

Console

  1. In the Google Cloud console, go to the Routes page.

  2. For Network and Region, select network-a and the region in which you created subnet-a, then click View.

  3. In the list of routes, there is a Peering subnet route for subnet-b.
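The behaviour described in the last three sections (peer-ab stays INACTIVE until network-b creates a configuration that points back at it, subnet routes are exchanged as soon as the state is ACTIVE, custom routes only flow when the exporting side exports and the importing side imports, and the resulting peering subnet routes have no route resource of their own) can be modelled in a few lines. The following is an added example, not code from Google Cloud; the `Network`, `Peering`, `matches`, `peering_state` and `routes_learned` names are the author's, and the 192.168.100.0/24 custom route on network-a is a constructed value standing in for any static or dynamic route.

```python
"""Model of VPC Network Peering state and route exchange for the quickstart.

Added example, not Google Cloud code. Names and the custom-route value are
constructed; the rules encoded here are the ones the quickstart states.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    project: str
    name: str
    subnets: tuple              # subnet CIDRs, e.g. ("10.0.1.0/24",)
    custom_routes: tuple = ()   # static/dynamic routes this network owns


@dataclass(frozen=True)
class Peering:
    """One side of a peering, as entered on the Create connection page."""
    name: str                   # peer-ab or peer-ba
    network: Network            # "Your VPC network"
    peer_project: str           # "Project ID" of the other project
    peer_network: str           # "VPC network name" of the other network
    import_custom: bool = False # "Import custom routes"
    export_custom: bool = False # "Export custom routes"


def matches(side: Peering, other: Peering) -> bool:
    """True when `other` is the configuration that points back at `side`."""
    return (
        side.peer_project == other.network.project
        and side.peer_network == other.network.name
        and other.peer_project == side.network.project
        and other.peer_network == side.network.name
    )


def peering_state(side: Peering, configured: list) -> str:
    """ACTIVE only once the other project has created the matching side."""
    return "ACTIVE" if any(matches(side, o) for o in configured) else "INACTIVE"


def routes_learned(side: Peering, configured: list) -> dict:
    """Implicit routes `side.network` sees from the peer once ACTIVE.

    Peering subnet routes are exchanged unconditionally; custom routes
    arrive only when the peer exports them and this side imports them.
    Nothing is learned while the peering is INACTIVE.
    """
    for other in configured:
        if matches(side, other):
            custom = list(other.network.custom_routes) \
                if side.import_custom and other.export_custom else []
            return {"peering-subnet": list(other.network.subnets),
                    "peering-custom": custom}
    return {"peering-subnet": [], "peering-custom": []}


# Constructed from the quickstart's names and ranges.
network_a = Network("project-a", "network-a", ("10.0.1.0/24",), ("192.168.100.0/24",))
network_b = Network("project-b", "network-b", ("10.0.8.0/24",))
peer_ab = Peering("peer-ab", network_a, "project-b", "network-b", True, True)
peer_ba = Peering("peer-ba", network_b, "project-a", "network-a", True, True)


def walkthrough():
    """Replay the quickstart: after peer-ab alone, then after peer-ba too."""
    after_first = peering_state(peer_ab, [peer_ab])
    after_second = peering_state(peer_ab, [peer_ab, peer_ba])
    seen_by_b = routes_learned(peer_ba, [peer_ab, peer_ba])
    return after_first, after_second, seen_by_b


if __name__ == "__main__":
    first, second, seen = walkthrough()
    print("peer-ab after step 1:", first)     # INACTIVE
    print("peer-ab after step 2:", second)    # ACTIVE
    print("routes network-b learns:", seen)
```

Two failure modes the model reproduces are worth checking in the console when a peering stays Inactive: a side whose "VPC network name" does not name the other network (for example network-b pointing at itself) never matches and never activates, and a side created without "Import custom routes" still receives the peer's subnet routes but none of its custom routes.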

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

Delete the projects

To delete the projects that you created:

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete individual resources

If you don't want to delete the entire project, delete the VPC Network Peering connections and the VPC networks that you created.

Before you can delete a network, you must delete its VPC Network Peering connection.

Delete VPC Network Peering connections

To delete a VPC Network Peering connection:

Console

  1. In the Google Cloud console, go to the VPC Network Peering page.

  2. Select the checkbox next to the peering you want to remove.

  3. Click Delete.

Delete VPC networks

To delete a VPC network:

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Delete VPC network.

  4. In the message that appears, click Delete to confirm.

What's next

For more information about VPC Network Peering, see: