A Virtual Private Cloud (VPC) network that uses the Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) network profile is called an RoCE VPC network. This page shows you how to create an RoCE VPC network and configure firewall rules that apply to the network. Before you begin, review the following information:
Because the rules in a regional network firewall policy used by an RoCE VPC network rely heavily on target secure tags and source secure tags, ensure that you're familiar with how to create and manage secure tags and bind secure tags to the VM instances.
This section describes how to perform the following tasks:
- Create an RoCE VPC network
- Create a regional network firewall policy that works with the RoCE VPC network
- Create rules in the regional network firewall policy
- Associate the regional network firewall policy with the RoCE VPC network
Before you begin
Make sure that you review the supported and unsupported features in VPC networks with the RDMA network profile. If you attempt to configure unsupported features, Google Cloud returns an error.
Create a network with the RDMA network profile
To create a VPC network with the RDMA network profile, do the following.
Console
In the Google Cloud console, go to the VPC networks page.
Click Create VPC network.
In the Name field, enter a name for the network.
Select Configure network profile and do the following:
- In the Zone field, select the zone of the network profile that you want to use. The VPC network that you create is constrained to this zone, which means that you can only create resources in the network in this zone.
- Select the RDMA network profile for the zone that you selected previously, such as europe-west1-b-vpc-roce.
- To view the set of supported features for the network profile that you selected, click Preview network profile features.
In the New subnet section, specify the following configuration parameters for a subnet:
- In the Name field, enter a name for the subnet.
- In the Region field, select the region in which to create the subnet. This region must correspond to the zone of the network profile that you configured. For example, if you configured the network profile for europe-west1-b, then you must create the subnet in europe-west1.
- Enter an IPv4 range. This range is the primary IPv4 range for the subnet.
If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.
Click Done.
To add more subnets, click Add subnet and repeat the previous steps. You can also add more subnets to the network after you have created the network.
Click Create.
gcloud
To create the network, use the gcloud compute networks create command and specify the --network-profile flag.
gcloud compute networks create NETWORK \
    --subnet-mode=custom \
    --network-profile=NETWORK_PROFILE
Replace the following:
- NETWORK: a name for the VPC network
- NETWORK_PROFILE: the zone-specific name of the network profile, such as europe-west1-b-vpc-roce
The RDMA network profile isn't available in all zones. To view the zone-specific instances of the network profile that are available, follow the instructions to list network profiles.
To add subnets, use the gcloud compute networks subnets create command.
gcloud compute networks subnets create SUBNET \
    --network=NETWORK \
    --range=PRIMARY_RANGE \
    --region=REGION
Replace the following:
- SUBNET: a name for the new subnet
- NETWORK: the name of the VPC network that contains the new subnet
- PRIMARY_RANGE: the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges.
- REGION: the Google Cloud region in which the new subnet is created. This must correspond to the zone of the network profile that you configured. For example, if you configured the network profile in the europe-west1-b zone by using the network profile named europe-west1-b-vpc-roce, then you must create the subnet in the europe-west1 region.
API
To create the network, make a POST request to the networks.insert method and specify the networkProfile property.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks
{
  "autoCreateSubnetworks": false,
  "name": "NETWORK",
  "networkProfile": "NETWORK_PROFILE"
}
Replace the following:
- PROJECT_ID: the ID of the project where the VPC network is created
- NETWORK: a name for the VPC network
- NETWORK_PROFILE: the zone-specific name of the network profile, such as europe-west1-b-vpc-roce
The RDMA network profile isn't available in all zones. To view the zone-specific instances of the network profile that are available, follow the instructions to list network profiles.
To add subnets, make a POST request to the subnetworks.insert method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
  "ipCidrRange": "IP_RANGE",
  "network": "NETWORK_URL",
  "name": "SUBNET"
}
Replace the following:
- PROJECT_ID: the ID of the project that contains the VPC network to modify
- REGION: the name of the Google Cloud region where the subnet is added. This region must correspond to the zone of the network profile that you configured. For example, if you configured the network profile in the europe-west1-b zone by using the network profile named europe-west1-b-vpc-roce, then you must create the subnet in the europe-west1 region.
- IP_RANGE: the primary IPv4 address range for the subnet. For more information, see IPv4 subnet ranges.
- NETWORK_URL: the URL of the VPC network where you're adding the subnet
- SUBNET: a name for the subnet
Create a regional network firewall policy
RoCE VPC networks only support regional network firewall policies that have a policy type of RDMA_ROCE_POLICY.
gcloud
To create a regional network firewall policy for an RoCE VPC network, use the gcloud beta compute network-firewall-policies create command:
gcloud beta compute network-firewall-policies create FIREWALL_POLICY \
    --region REGION \
    --policy-type=RDMA_ROCE_POLICY
Replace the following:
- FIREWALL_POLICY: a name for the network firewall policy
- REGION: the region you want to apply to the policy. The region must contain the zone of the RoCE network profile used by the RoCE VPC network.
Create rules in the regional network firewall policy
Regional network firewall policies that have a policy type of RDMA_ROCE_POLICY only support ingress rules, and have constraints on valid source, action, and Layer 4 configuration flags. For more information, see Specifications.
gcloud
To create an ingress rule that uses the --src-ip-ranges=0.0.0.0/0 flag and applies to all network interfaces in the RoCE VPC network, use the gcloud compute network-firewall-policies rules create command:
gcloud compute network-firewall-policies rules create PRIORITY \
    --direction=ingress \
    --layer4-configs=all \
    --enable-logging \
    --action ACTION \
    --firewall-policy FIREWALL_POLICY_NAME \
    --firewall-policy-region FIREWALL_POLICY_REGION \
    --src-ip-ranges=0.0.0.0/0
To create an ingress rule that uses a source secure tag and applies to specific network interfaces of VMs with an associated secure tag value, use the gcloud compute network-firewall-policies rules create command:
gcloud compute network-firewall-policies rules create PRIORITY \
    --direction=ingress \
    --layer4-configs=all \
    --enable-logging \
    --action ALLOW \
    --firewall-policy FIREWALL_POLICY_NAME \
    --firewall-policy-region FIREWALL_POLICY_REGION \
    --src-secure-tag SRC_SECURE_TAG[,SRC_SECURE_TAG,...] \
    --target-secure-tag TARGET_SECURE_TAG[,TARGET_SECURE_TAG,...]
Replace the following:
- PRIORITY: the priority of the rule
- ACTION: the action on match of the rule
  - If you use --src-ip-ranges=0.0.0.0/0, you can use either ALLOW or DENY.
  - If you use --src-secure-tag, you can only use ALLOW.
- FIREWALL_POLICY_NAME: the name of the regional network firewall policy in which the rule is created.
- FIREWALL_POLICY_REGION: the region used by the regional network firewall policy in which the rule is created.
- SRC_SECURE_TAG: defines the source parameter of the ingress rule using a comma-separated list of secure tag values. For more information, see Secure tags for firewalls.
- TARGET_SECURE_TAG: defines the target parameter of the rule using a comma-separated list of secure tag values. For more information, see Secure tags for firewalls.
Associate the regional network firewall policy with an RoCE VPC network
Associate the regional network firewall policy with your RoCE VPC network. This ensures that the policy's rules apply to the MRDMA network interfaces within that network.
gcloud
To associate a regional network firewall policy with an RoCE VPC network, use the gcloud compute network-firewall-policies associations create command:
gcloud compute network-firewall-policies associations create \
    --firewall-policy FIREWALL_POLICY \
    --network NETWORK \
    --firewall-policy-region FIREWALL_POLICY_REGION
Replace the following:
- FIREWALL_POLICY: the name of the regional network firewall policy. The regional network firewall policy must have a policy type of RDMA_ROCE_POLICY.
- NETWORK: the name of the RoCE VPC network
- FIREWALL_POLICY_REGION: the region of the firewall policy. The region must contain the zone of the RoCE network profile used by the RoCE VPC network.
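The four steps on this page (network and subnet, policy, rules, association) run end to end as one shell script, as an added example that is not part of the Google Cloud documentation. It assumes the profile naming pattern ZONE-vpc-roce shown on the page in order to derive the region that the subnet and the policy must live in, and it refuses rule combinations the page says are invalid (a non-ingress rule, or a secure-tag source with DENY) before they reach gcloud. The resource names roce-net, roce-subnet and roce-fw and the tag value are hypothetical placeholders; set GCLOUD=echo for a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: the four steps on
# this page as one script around the gcloud CLI. Resource names (roce-net,
# roce-subnet, roce-fw) and the tag value are hypothetical placeholders; the
# profile name europe-west1-b-vpc-roce and the RDMA_ROCE_POLICY type come
# from the page.
# Usage: sh roce_setup.sh run   (GCLOUD=echo sh roce_setup.sh run for a dry run)
set -eu

GCLOUD="${GCLOUD:-gcloud}"
# Placeholder: replace with the secure tag value bound to the RDMA VMs.
RDMA_TAG="${RDMA_TAG:-tagValues/TAG_VALUE_ID}"

# Assumes the page's profile naming pattern ZONE-vpc-roce. A Google Cloud zone
# is REGION-LETTER, so stripping the last "-x" yields the region in which the
# subnet and the firewall policy must be created.
profile_to_zone() { printf '%s\n' "${1%-vpc-roce}"; }
zone_to_region() { printf '%s\n' "${1%-*}"; }

# RDMA_ROCE_POLICY rules are ingress only. A 0.0.0.0/0 source may ALLOW or
# DENY; a secure-tag source may only ALLOW. Returns 1 for any other
# combination so the caller can refuse to submit the rule.
validate_rule() {
  [ "$1" = "ingress" ] || return 1
  case "$2" in
    ip-ranges)  [ "$3" = "ALLOW" ] || [ "$3" = "DENY" ] ;;
    secure-tag) [ "$3" = "ALLOW" ] ;;
    *)          return 1 ;;
  esac
}

create_roce_network() {
  network=$1; profile=$2; subnet=$3; range=$4
  region=$(zone_to_region "$(profile_to_zone "$profile")")
  "$GCLOUD" compute networks create "$network" \
    --subnet-mode=custom --network-profile="$profile"
  "$GCLOUD" compute networks subnets create "$subnet" \
    --network="$network" --range="$range" --region="$region"
}

create_roce_policy() {
  "$GCLOUD" beta compute network-firewall-policies create "$1" \
    --region "$2" --policy-type=RDMA_ROCE_POLICY
}

# create_rule POLICY REGION PRIORITY ACTION ip-ranges CIDR
# create_rule POLICY REGION PRIORITY ACTION secure-tag SRC_TAG TARGET_TAG
create_rule() {
  policy=$1; region=$2; priority=$3; action=$4; kind=$5; src=$6; target=${7:-}
  validate_rule ingress "$kind" "$action" || {
    echo "refusing rule $priority: $kind source cannot use action $action" >&2
    return 1
  }
  set -- "$GCLOUD" compute network-firewall-policies rules create "$priority" \
    --direction=ingress --layer4-configs=all --enable-logging \
    --action "$action" --firewall-policy "$policy" --firewall-policy-region "$region"
  if [ "$kind" = "secure-tag" ]; then
    set -- "$@" --src-secure-tag "$src" --target-secure-tag "$target"
  else
    set -- "$@" --src-ip-ranges="$src"
  fi
  "$@"
}

associate_policy() {
  "$GCLOUD" compute network-firewall-policies associations create \
    --firewall-policy "$1" --network "$2" --firewall-policy-region "$3"
}

main() {
  profile=europe-west1-b-vpc-roce
  region=$(zone_to_region "$(profile_to_zone "$profile")")   # europe-west1
  create_roce_network roce-net "$profile" roce-subnet 10.10.0.0/24
  create_roce_policy roce-fw "$region"
  # Allow RDMA traffic only between interfaces that carry the tag, then drop
  # everything else with a lower-priority catch-all; both rules are logged.
  create_rule roce-fw "$region" 1000 ALLOW secure-tag "$RDMA_TAG" "$RDMA_TAG"
  create_rule roce-fw "$region" 65000 DENY ip-ranges 0.0.0.0/0
  associate_policy roce-fw roce-net "$region"
}

case "${1:-}" in run) main ;; esac
```

The rule pair in main is the defensive shape the two command forms on this page allow: the secure-tag ALLOW at priority 1000 admits traffic only between tagged MRDMA interfaces, and the 0.0.0.0/0 DENY at priority 65000 gives the policy an explicit, logged catch-all for anything that is not tagged. validate_rule runs before any gcloud call, so a DENY paired with a secure-tag source is rejected locally instead of failing at the API.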