Prepare for Hybrid Subnets connectivity

This page describes the tasks that you need to complete before you can use Hybrid Subnets. Ensure that your Virtual Private Cloud (VPC) network and on-premises network are ready for Hybrid Subnets connectivity by completing the following steps.

Connect a VPC network to an on-premises network

A hybrid subnet requires connectivity between a VPC network and an on-premises network. The connection must be one of the following types:

  • A pair of HA VPN tunnels
  • VLAN attachments for Dedicated Interconnect
  • VLAN attachments for Partner Interconnect

To configure hybrid connectivity, see the following:

For help in choosing a connection type, see Choosing a Network Connectivity product.

Configure firewall rules

To ensure that Google Cloud virtual machine (VM) instances can communicate with on-premises workloads and VMs that use the hybrid subnet's IP address range, do the following:

  • In Google Cloud, create ingress allow firewall rules or rules in firewall policies to allow all packets from the IP address range that is associated with the hybrid subnet.

    The implied allow egress firewall rule allows egress from Google Cloud VMs. If you've created egress deny firewall rules or egress deny rules in firewall policies, you'll need to create egress allow rules to permit packets to the IP address range that is associated with the hybrid subnet.

    You can scope firewall rules to specific VMs by using the target parameter of the rule. For more information, see:

  • Configure on-premises firewalls in a similar way.
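The Google Cloud side of these rules, written out as gcloud commands (an added example, not from the original page); the project ID, network name, hybrid subnet range and target tag are assumed placeholder values, and the egress rule is only needed when egress deny rules exist:

```shell
#!/usr/bin/env sh
# Added example (not from the page): firewall rules for a hybrid subnet's IP range.
# All names and ranges below are assumed placeholders; edit them for your environment.
set -eu

PROJECT="example-project"        # assumed project ID
NETWORK="hybrid-vpc"             # assumed VPC network name
HYBRID_RANGE="10.10.20.0/24"     # constructed hybrid subnet IP range
TARGET_TAG="hybrid-workload"     # only VMs carrying this network tag get the rules
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands for review, 0 = execute them

# Ingress allow: all packets FROM the hybrid range TO VMs tagged TARGET_TAG.
ingress_allow_cmd() {
  printf '%s' "gcloud compute firewall-rules create allow-ingress-from-hybrid-subnet" \
    " --project=$PROJECT --network=$NETWORK" \
    " --direction=INGRESS --action=ALLOW --rules=all" \
    " --source-ranges=$HYBRID_RANGE --target-tags=$TARGET_TAG --priority=1000"
  printf '\n'
}

# Egress allow: only needed if you have egress deny rules. Its priority number must
# be LOWER (which means higher priority) than those deny rules so it wins.
egress_allow_cmd() {
  printf '%s' "gcloud compute firewall-rules create allow-egress-to-hybrid-subnet" \
    " --project=$PROJECT --network=$NETWORK" \
    " --direction=EGRESS --action=ALLOW --rules=all" \
    " --destination-ranges=$HYBRID_RANGE --target-tags=$TARGET_TAG --priority=900"
  printf '\n'
}

# Print the command in dry-run mode so it can be reviewed; otherwise run it.
apply() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY RUN: %s\n' "$1"; else eval "$1"; fi
}

apply "$(ingress_allow_cmd)"
apply "$(egress_allow_cmd)"
```

Run with `DRY_RUN=0` once the printed commands look right; the on-premises firewall needs the mirror-image rules for the same range.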

Enable proxy ARP for the on-premises router

Proxy ARP must be enabled on your on-premises router. This allows the router to respond with its own MAC address when it receives ARP requests for VMs that are in the Google Cloud part of a hybrid subnet. The on-premises router can then forward packets to VMs in the Google Cloud subnet by using the CIDR blocks that the on-premises router has learned from the custom route advertisements of the Border Gateway Protocol (BGP) session on the Cloud Router.

For information on enabling proxy ARP on your on-premises router, see your router vendor's documentation.

What's next