To perform this task, you must have been granted the following permissions
or the following IAM roles.
Permissions
compute.routers.create to configure the Cloud Router
networkconnectivity.spokes.use on the
NCC Gateway resource
Follow these steps to create a Cloud Router:
gcloud
Use the gcloud compute routers create
command. To specify
router-level custom route advertisements, set the --advertisement-mode=CUSTOM
flag to CUSTOM. For information about the effect of the router-level
advertisement mode on individual BGP session advertisements, see Effective
advertisements.
PROJECT_ID: the project ID for the project that contains the
Cloud Router
NCC_GATEWAY_URI: the full URI of the NCC Gateway
associated with the router. The format of the URI follows this pattern:
https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/spokes/GATEWAY_SPOKE_NAME
REGION: the region that contains the Cloud Router
ASN_NUMBER: any private
ASN (64512-65534,
4200000000-4294967294) that you aren't already using in the on-premises
network
Cloud Router requires you to use a private ASN, but your on-premises
ASN can be public or private.
CUSTOM_ADVERTISED_RANGES: the list of custom IP address ranges
in CIDR format or individual IP addresses to be included in the router-level
advertisements
Individual IPv4 addresses are interpreted as a CIDR with a /32 subnet mask,
and individual IPv6 addresses are interpreted as a CIDR with a /128 subnet
mask. For information about the maximum number of custom route advertisements,
see Limits.
ROUTER_IDENTIFIER_RANGE: an optional IPv4 address range that
serves as a unique identifier for the Cloud Router
KEEPALIVE_TIMER: an optional time, in seconds, that defines
the BGP keepalive timer.
Valid values are between 20 and 60, inclusive. If you omit the
--keepalive-interval flag, Cloud Router uses a 20 second BGP
keepalive timer. For more information, see Keepalive
timer.
API
Use the compute.router.insert method
with NCC Gateway specified in the payload. To specify
router-level custom route advertisements, set the bgp.advertiseMode
flag to CUSTOM. For information about the effect of the router-level
advertisement mode on individual BGP session advertisements, see Effective
advertisements.
PROJECT_ID: the project ID for the project that contains
the Cloud Router
REGION: the region that contains the Cloud Router
ROUTER_NAME: the name of the Cloud Router
NCC_GATEWAY_URI: the full URI of the NCC Gateway
associated with the router. The format of the URI follows this pattern:
https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/spokes/GATEWAY_SPOKE_NAME
ASN_NUMBER: any private
ASN (64512-65534,
4200000000-4294967294) that you aren't already using in the on-premises
network
Cloud Router requires you to use a private ASN, but your on-premises
ASN can be public or private.
CUSTOM_ADVERTISED_RANGE and
CUSTOM_ADVERTISED_RANGE_DESCRIPTION: keys in a dictionary
that specify a router-level custom route advertisement
The bgp.advertisedIpRanges list contains each custom route advertisement
dictionary. Specifying bgp.advertisedIpRanges requires
bgp.advertiseMode: CUSTOM. Each CUSTOM_ADVERTISED_RANGE
is an IP address range in CIDR format or an individual IP address. Individual
IPv4 addresses are interpreted as a CIDR with a /32 subnet mask, and
individual IPv6 addresses are interpreted as a CIDR with a /128 subnet mask.
For information about the maximum number of custom route advertisements, see
Limits. Each
CUSTOM_ADVERTISED_RANGE_DESCRIPTION is a string to describe
the advertisement.
ROUTER_IDENTIFIER_RANGE: defines an IPv4 address range that
serves as a unique identifier for the Cloud Router
KEEPALIVE_TIMER: an optional time, in seconds, that defines
the BGP keepalive timer
Valid values are between 20 and 60, inclusive. If you omit
bgp.keepaliveInterval, Cloud Router uses a 20 second BGP keepalive
timer. For more information, see Keepalive
timer.
Create VLAN attachments
VLAN attachments for Dedicated Interconnect or
Partner Interconnect provide the connectivity path between the
NCC Gateway and an on-premises network.
The VLAN attachment traffic goes through the NCC Gateway before
it reaches the partner service and the hub.
For detailed information about how to create VLAN attachments and set up
interface and BGP peering, see
Create VLAN attachments.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Add hybrid connections to NCC Gateway\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis page describes how to create a Cloud Router and a VLAN attachment and\nconnect them to NCC Gateway.\n\nCreate a Cloud Router\n---------------------\n\nBefore you create and connect the Cloud Router, keep the following\nconsiderations in mind:\n\n- The Cloud Router must be associated with an NCC Gateway in the same region.\n- At the most, one service can be attached to an NCC Gateway at a time\n- Only the VLAN attachments whose BGP sessions are managed by the Cloud Router that's associated with the NCC Gateway are part of the NCC Gateway spoke.\n\nFor detailed information about Cloud Router, see\n[Cloud Router overview](/network-connectivity/docs/router/concepts/overview).\n\n#### Permissions required for this task\n\nTo perform this task, you must have been granted the following permissions\n*or* the following IAM roles.\n\n**Permissions**\n\n- `compute.routers.create` to configure the Cloud Router\n- `networkconnectivity.spokes.use` on the NCC Gateway resource\n\n\u003cbr /\u003e\n\nFollow these steps to create a Cloud Router: \n\n### gcloud\n\nUse the [`gcloud compute routers create`\ncommand](/sdk/gcloud/reference/compute/routers/create). To specify\nrouter-level custom route advertisements, set the `--advertisement-mode=CUSTOM`\nflag to `CUSTOM`. For information about the effect of the router-level\nadvertisement mode on individual BGP session advertisements, see [Effective\nadvertisements](/network-connectivity/docs/router/concepts/advertised-routes#effective-adv-prefixes). \n\n```\ngcloud compute routers create ROUTER_NAME \\\n --project=PROJECT_ID \\\n --ncc-gateway=NCC_GATEWAY_URI \\\n --region=REGION\\\n --asn=ASN_NUMBER \\\n --advertisement-mode=CUSTOM \\\n --set-advertisement-ranges=CUSTOM_ADVERTISED_RANGES \\\n [--bgp-identifier-range=ROUTER_IDENTIFIER_RANGE] \\\n [--keepalive-interval=KEEPALIVE_TIMER] \\\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eROUTER_NAME\u003c/var\u003e: the name of the Cloud Router\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project ID for the project that contains the\n Cloud Router\n\n- \u003cvar translate=\"no\"\u003eNCC_GATEWAY_URI\u003c/var\u003e: the full URI of the NCC Gateway\n associated with the router. The format of the URI follows this pattern:\n `https://networkconnectivity.googleapis.com/v1/projects/`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e`/locations/`\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e`/spokes/`\u003cvar translate=\"no\"\u003eGATEWAY_SPOKE_NAME\u003c/var\u003e\n\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: the region that contains the Cloud Router\n\n- \u003cvar translate=\"no\"\u003eASN_NUMBER\u003c/var\u003e: any [private\n ASN](https://tools.ietf.org/html/rfc6996) (`64512`-`65534`,\n `4200000000`-`4294967294`) that you aren't already using in the on-premises\n network\n\n Cloud Router requires you to use a private ASN, but your on-premises\n ASN can be public or private.\n | **Note:** If you are using Cloud Router with Partner Interconnect, you must specify ASN `16550`.\n\n \u003cbr /\u003e\n\n- \u003cvar translate=\"no\"\u003eCUSTOM_ADVERTISED_RANGES\u003c/var\u003e: the list of custom IP address ranges\n in CIDR format or individual IP addresses to be included in the router-level\n advertisements\n\n Individual IPv4 addresses are interpreted as a CIDR with a `/32` subnet mask,\n and individual IPv6 addresses are interpreted as a CIDR with a `/128` subnet\n mask. For information about the maximum number of custom route advertisements,\n see [Limits](/network-connectivity/docs/network-connectivity-center/quotas#ncc-limits).\n- \u003cvar translate=\"no\"\u003eROUTER_IDENTIFIER_RANGE\u003c/var\u003e: an optional IPv4 address range that\n serves as a unique identifier for the Cloud Router\n\n For more information, see [Configure the BGP identifier range for a\n Cloud Router](/network-connectivity/docs/router/how-to/configure-bgp-identifier).\n- \u003cvar translate=\"no\"\u003eKEEPALIVE_TIMER\u003c/var\u003e: an optional time, in seconds, that defines\n the BGP keepalive timer.\n\n Valid values are between `20` and `60`, inclusive. If you omit the\n `--keepalive-interval` flag, Cloud Router uses a 20 second BGP\n keepalive timer. For more information, see [Keepalive\n timer](/network-connectivity/docs/router/how-to/managing-bgp-timers#keepalive_timer).\n\n### API\n\nUse the [`compute.router.insert` method](/compute/docs/reference/rest/v1/routers/insert)\nwith NCC Gateway specified in the payload. To specify\nrouter-level custom route advertisements, set the `bgp.advertiseMode`\nflag to `CUSTOM`. For information about the effect of the router-level\nadvertisement mode on individual BGP session advertisements, see [Effective\nadvertisements](/network-connectivity/docs/router/concepts/advertised-routes#effective-adv-prefixes). \n\n```\nPOST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers\n{\n\"name\": \"ROUTER_NAME\",\n\"ncc_gateway\": \"NCC_GATEWAY_URI\",\n\"bgp\": {\n \"asn\": \"ASN_NUMBER\",\n \"advertiseMode\": CUSTOM,\n \"advertisedIpRanges\": [\n {\n \"range\": CUSTOM_ADVERTISED_RANGE,\n \"description\": CUSTOM_ADVERTISED_RANGE_DESCRIPTION\n }, ...\n ],\n \"identifierRange\": ROUTER_IDENTIFIER_RANGE,\n \"keepaliveInterval\": KEEPALIVE_TIMER\n}\n}\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project ID for the project that contains the Cloud Router\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: the region that contains the Cloud Router\n- \u003cvar translate=\"no\"\u003eROUTER_NAME\u003c/var\u003e: the name of the Cloud Router\n- \u003cvar translate=\"no\"\u003eNCC_GATEWAY_URI\u003c/var\u003e: the full URI of the NCC Gateway associated with the router. The format of the URI follows this pattern: `https://networkconnectivity.googleapis.com/v1/projects/`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e`/locations/`\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e`/spokes/`\u003cvar translate=\"no\"\u003eGATEWAY_SPOKE_NAME\u003c/var\u003e\n- \u003cvar translate=\"no\"\u003eASN_NUMBER\u003c/var\u003e: any [private\n ASN](https://tools.ietf.org/html/rfc6996) (`64512`-`65534`,\n `4200000000`-`4294967294`) that you aren't already using in the on-premises\n network\n\n Cloud Router requires you to use a private ASN, but your on-premises\n ASN can be public or private.\n | **Note:** If you are using Cloud Router with Partner Interconnect, you must specify ASN `16550`.\n\n \u003cbr /\u003e\n\n- \u003cvar translate=\"no\"\u003eCUSTOM_ADVERTISED_RANGE\u003c/var\u003e and\n \u003cvar translate=\"no\"\u003eCUSTOM_ADVERTISED_RANGE_DESCRIPTION\u003c/var\u003e: keys in a dictionary\n that specify a router-level custom route advertisement\n\n The `bgp.advertisedIpRanges` list contains each custom route advertisement\n dictionary. Specifying `bgp.advertisedIpRanges` requires\n `bgp.advertiseMode: CUSTOM`. Each \u003cvar translate=\"no\"\u003eCUSTOM_ADVERTISED_RANGE\u003c/var\u003e\n is an IP address range in CIDR format or an individual IP address. Individual\n IPv4 addresses are interpreted as a CIDR with a `/32` subnet mask, and\n individual IPv6 addresses are interpreted as a CIDR with a `/128` subnet mask.\n For information about the maximum number of custom route advertisements, see\n [Limits](/network-connectivity/docs/network-connectivity-center/quotas#ncc-limits). Each\n \u003cvar translate=\"no\"\u003eCUSTOM_ADVERTISED_RANGE_DESCRIPTION\u003c/var\u003e is a string to describe\n the advertisement.\n- \u003cvar translate=\"no\"\u003eROUTER_IDENTIFIER_RANGE\u003c/var\u003e: defines an IPv4 address range that\n serves as a unique identifier for the Cloud Router\n\n For more information, see [Configure the BGP identifier\n range for a Cloud Router](/network-connectivity/docs/router/how-to/configure-bgp-identifier).\n- \u003cvar translate=\"no\"\u003eKEEPALIVE_TIMER\u003c/var\u003e: an optional time, in seconds, that defines\n the BGP keepalive timer\n\n Valid values are between `20` and `60`, inclusive. If you omit\n `bgp.keepaliveInterval`, Cloud Router uses a 20 second BGP keepalive\n timer. For more information, see [Keepalive\n timer](/network-connectivity/docs/router/how-to/managing-bgp-timers#keepalive_timer).\n\nCreate VLAN attachments\n-----------------------\n\nVLAN attachments for Dedicated Interconnect or\nPartner Interconnect provide the connectivity path between the\nNCC Gateway and an on-premises network.\n\nThe VLAN attachment traffic goes through the NCC Gateway before\nit reaches the partner service and the hub.\n\nFor detailed information about how to create VLAN attachments and set up\ninterface and BGP peering, see\n[Create VLAN attachments](/network-connectivity/docs/interconnect/tutorials/dedicated-creating-9999-availability#create_vlan_attachments)."]]
