Stay organized with collections
Save and categorize content based on your preferences.
Create a Cloud Router to connect a VPC network to a peer network
This page outlines the Cloud Router configuration process necessary to
exchange routes between a Virtual Private Cloud (VPC) network or
NCC Gateway and a peer network. The peer network can be an
on-premises network, a network hosted by another cloud provider such as AWS
or Azure, or even another VPC network in Google Cloud.
The Cloud Router configuration process consists of these three high-level
tasks:
Create a Cloud Router.
Set up a network connectivity product in Google Cloud.
Establish Border Gateway Protocol (BGP) sessions with a router on the peer
network.
If you want to create a Cloud Router that's associated
with an NCC Gateway spoke, you must use either the
Google Cloud CLI or the Cloud Router API instructions in this section.
For more information, see Add hybrid connections to
NCC Gateway.
Console
In the Google Cloud console, go to the Create a Cloud Router
page.
Name: The name of the Cloud Router. This name is
displayed in the Google Cloud console and is used by the
Google Cloud CLI to reference the Cloud Router—for
example, my-router.
Description: Optional. A description of the
Cloud Router.
Network: The VPC network that contains
the instances that you want to reach—for example,
my-network.
Region: The region where you want to locate the
Cloud Router—for example, asia-east1.
Google ASN: Any
private ASN
(64512-65534,
4200000000-4294967294) that you aren't already
using in the on-premises network. Cloud Router requires that
you use a private ASN, but your on-premises ASN can be public or
private.
BGP peer keepalive interval: The interval between two successive
BGP keepalive messages that are sent to the peer router. This value
must be an integer between 20 and 60 that specifies the number of
seconds for the interval. The default is 20 seconds. For more
information, see
Manage BGP
timers.
BGP identifier: Optional. The BGP identifier, sometimes called a
router ID, that uniquely identifies a Cloud Router in a
network. If omitted, Cloud Routers with IPv4 BGP sessions use
one of the IPv4 BGP addresses as the BGP identifier, and adding the
first IPv6 interface to this Cloud Router populates the field
automatically.
Optional: To specify custom advertised routes, go to the
Advertised routes section. For more information, see
Advertised routes.
To specify custom Routes, select Create custom routes.
Choose whether to advertise the subnets visible to the
Cloud Router. Enabling this option mimics the
Cloud Router's default behavior.
To add an advertised route, select Add a custom route, and then
configure it.
To save your settings and create a Cloud Router, click
Create. Your new Cloud Router appears on the
Cloud Router listing page. To view its details and
to configure a BGP session, select it.
gcloud
The gcloud compute routers create command
creates a new Cloud Router. A Cloud Router is associated
either with a VPC network or an NCC Gateway
spoke. Once created, you can't change the region, the associated
VPC network, or the associated NCC Gateway spoke.
The --set-advertisement-groups=ALL_SUBNETS flag is valid only when the
--advertisement-mode=CUSTOM flag is set. When this flag and value are
specified, the router-level advertisements include local subnet ranges
according to the dynamic routing mode of the VPC network.
PROJECT_ID: the project ID for the project that
contains the Cloud Router
NETWORK: the VPC network that
contains the Cloud Router
REGION: the region that contains the Cloud Router
ASN_NUMBER: any private
ASN (64512-65534,
4200000000-4294967294) that you aren't already using in the
on-premises network
Cloud Router requires you to use a
private ASN, but your on-premises ASN can be public or private.
ADVERTISEMENT_MODE: specifies the router-level
advertisement mode
Valid values are CUSTOM or DEFAULT. If you omit the
--advertisement-mode flag, Google Cloud uses the DEFAULT
advertisement mode at the router level. For information about the
meaning of the router-level advertisement mode and its
effect on individual BGP session advertisements, see Advertisement
modes
and Effective
advertisements.
CUSTOM_ADVERTISED_RANGES: valid only when --advertisement-mode=CUSTOM,
an optional list of custom IP address ranges in CIDR format or individual IP addresses
to be included in the router-level advertisements
Individual IPv4 addresses are interpreted as a CIDR with a
/32 subnet mask, and individual IPv6 addresses are interpreted as
a CIDR with a /128 subnet mask. For information about the
maximum number of custom route
advertisements, see Limits.
ROUTER_IDENTIFIER_RANGE: an optional IPv4 address range that serves as
a unique identifier for the Cloud Router
KEEPALIVE_TIMER: an optional time, in seconds,
that defines the BGP keepalive timer
Valid values are between 20 and 60, inclusive. If you omit the
--keepalive-interval flag, Cloud Router uses a 20 second
BGP keepalive timer.
For more information, see Keepalive
timer.
To create a Cloud Router that's associated with an
NCC Gateway spoke, use the following command.
Use the --advertisement-mode=CUSTOM flag to set the router-level advertisement
mode to CUSTOM so that you can specify router-level custom
route advertisements.
For information about the effect of
the router-level advertisement mode on individual BGP session
advertisements, see Effective
advertisements.
PROJECT_ID: the project ID for the project that
contains the Cloud Router
NCC_GATEWAY_URI: the full URI of the
NCC Gateway associated with the router. The format of
the URI follows this pattern:
https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/spokes/GATEWAY_SPOKE_NAME
REGION: the region that contains the Cloud Router
ASN_NUMBER: any private
ASN (64512-65534,
4200000000-4294967294) that you aren't already using in the
on-premises network
Cloud Router requires you to use a
private ASN, but your on-premises ASN can be public or private.
--advertisement-mode=CUSTOM: sets the router-level advertisement
mode to CUSTOM so that you can specify router-level custom
route advertisements.
For information about the effect of
the router-level advertisement mode on individual BGP session
advertisements, see Effective
advertisements.
CUSTOM_ADVERTISED_RANGES: the list of custom IP
address ranges in CIDR format or individual IP addresses to be
included in the router-level advertisements
Individual IPv4 addresses are interpreted as a CIDR with a /32
subnet mask, and individual IPv6 addresses are interpreted as a
CIDR with a /128 subnet mask. For information about the
maximum number of custom route advertisements, see Limits.
ROUTER_IDENTIFIER_RANGE: an optional IPv4 address
range that serves as a unique identifier for the
Cloud Router
KEEPALIVE_TIMER: an optional time, in seconds,
that defines the BGP keepalive timer
Valid values are between 20 and 60, inclusive. If you omit the
--keepalive-interval flag, Cloud Router uses a 20
second BGP keepalive timer.
For more information, see Keepalive
timer.
module "cloud_router" {
source = "../.."
name = "my-router"
region = "us-central1"
bgp = {
# The ASN (16550, 64512 - 65534, 4200000000 - 4294967294) can be any private ASN
# not already used as a peer ASN in the same region and network or 16550 for Partner Interconnect.
asn = "65001"
}
project_id = var.project_id
network = module.vpc.network_name
}
The routers.insert method
creates a new Cloud Router. A Cloud Router is associated
either with a VPC network or an NCC Gateway
spoke. Once created, you can't change the region, the associated
VPC network, or the associated NCC Gateway spoke.
The "advertisedGroups": [ALL_SUBNETS] flag is valid only when
bgp.advertiseMode: CUSTOM, when bgp.advertisedGroups: [ALL_SUBNETS],
the router-level advertisements include local
subnet ranges according to the dynamic routing mode of the
VPC network. For more information, see Subnet range
advertisement.
The encryptedInterconnectRouter flag is a boolean parameter to indicate
whether the Cloud Router manages BGP sessions for
HA VPN over Cloud Interconnect.
To create a Cloud Router that's associated with a region of a
VPC network, use the following request:
PROJECT_ID: the project ID for the project that
contains the Cloud Router
NETWORK: the VPC network that
contains the Cloud Router
REGION: the region that contains the Cloud Router
ASN_NUMBER: any private
ASN (64512-65534,
4200000000-4294967294) that you aren't already using in the
on-premises network
Cloud Router requires you to use a
private ASN, but your on-premises ASN can be public or private.
ADVERTISEMENT_MODE: specifies the router-level
advertisement mode
Valid values are CUSTOM or DEFAULT. If you omit
bgp.advertiseMode, Google Cloud uses the DEFAULT
advertisement mode at the router level. For information about the
meaning of the router-level advertisement mode and its effect on
individual BGP session advertisements, see Advertisement
modes
and Effective
advertisements.
CUSTOM_ADVERTISED_RANGE and
CUSTOM_ADVERTISED_RANGE_DESCRIPTION:
keys in a dictionary that specify a router-level custom route
advertisement
bgp.advertisedIpRanges is the list containing each custom route
advertisement dictionary. Specifying bgp.advertisedIpRanges
requires bgp.advertiseMode: CUSTOM. Each CUSTOM_ADVERTISED_RANGE
is an IP address range in CIDR format or an individual IP address.
Individual IPv4 addresses are interpreted as a CIDR with a /32
subnet mask, and individual IPv6 addresses are interpreted as a CIDR
with a /128 subnet mask. For information about the maximum number of custom route
advertisements, see Limits. Each
CUSTOM_ADVERTISED_RANGE_DESCRIPTION is a string
to describe the advertisement.
ROUTER_IDENTIFIER_RANGE: defines an IPv4 address
range that serves as a unique identifier for the
Cloud Router
KEEPALIVE_TIMER: an optional time, in seconds,
that defines the BGP keepalive timer
Valid values are between 20 and 60, inclusive. If you omit
bgp.keepaliveInterval, Cloud Router uses a 20 second
BGP keepalive timer. For more information, see Keepalive
timer.
encryptedInterconnectRouter: a boolean parameter to indicate
whether the Cloud Router manages BGP sessions for
HA VPN over Cloud Interconnect
To create a Cloud Router that's associated with an
NCC Gateway spoke, use the following request.
The bgp.advertiseMode: CUSTOM flag sets the router-level advertisement
mode to CUSTOM so that you can specify router-level custom
route advertisements. For information about the effect of
the router-level advertisement mode on individual BGP session
advertisements, see Effective
advertisements.
PROJECT_ID: the project ID for the project that
contains the Cloud Router
NCC_GATEWAY_URI: the full URI of the
NCC Gateway associated with the router. The format of
the URI follows this pattern:
https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/spokes/GATEWAY_SPOKE_NAME
REGION: the region that contains the Cloud Router
ASN_NUMBER: any private
ASN (64512-65534,
4200000000-4294967294) that you aren't already using in the
on-premises network
Cloud Router requires you to use a
private ASN, but your on-premises ASN can be public or private.
CUSTOM_ADVERTISED_RANGE and
CUSTOM_ADVERTISED_RANGE_DESCRIPTION:
keys in a dictionary that specify a router-level custom route
advertisement
bgp.advertisedIpRanges is the list containing each custom route
advertisement dictionary. Specifying bgp.advertisedIpRanges
requires bgp.advertiseMode: CUSTOM. Each
CUSTOM_ADVERTISED_RANGE is an IP address range
in CIDR format or an individual IP address.
Individual IPv4 addresses are interpreted as a CIDR with a /32
subnet mask, and individual IPv6 addresses are interpreted as a CIDR
with a /128 subnet mask. For information about the maximum number
of custom route advertisements, see
Limits. Each
CUSTOM_ADVERTISED_RANGE_DESCRIPTION is a string
to describe the advertisement.
ROUTER_IDENTIFIER_RANGE: defines an IPv4 address
range that serves as a unique identifier for the Cloud Router
KEEPALIVE_TIMER: an optional time, in seconds,
that defines the BGP keepalive timer
Valid values are between 20 and 60, inclusive. If you omit
bgp.keepaliveInterval, Cloud Router uses a 20 second
BGP keepalive timer. For more information, see keepalive
timer.
Set up the network connectivity product
A Cloud Router that's associated with a region of a VPC network
can manage BGP sessions for the following connectivity products:
A Cloud Router that's associated with an NCC Gateway spoke can manage
BGP sessions for VLAN attachments associated with the NCC Gateway spoke.
Cloud Interconnect
To connect a VPC network to an on-premises network by using
Cloud Interconnect and Cloud Router, you must first provision
a Cloud Interconnect connection.
If you are deploying HA VPN over Cloud Interconnect, you must deploy two
Cloud Routers:
A special Cloud Router for Cloud Interconnect that you
configure for the VLAN attachments. This Cloud Router makes sure
that only traffic encrypted by the HA VPN gateways can be
sent to the VLAN attachment.
A regular Cloud Router that you configure for
HA VPN tunnels.
When you set up a network connectivity product with Cloud Router, you
establish Border Gateway Protocol (BGP) sessions between the
Cloud Router and the router on the peer network.
You can reuse the same Cloud Router with different network connectivity
products. However, each BGP session is unique to the network connectivity
product (VLAN attachment, Cloud VPN tunnel, or Router appliance
instance) that you configure to use with Cloud Router. Different
network connectivity products cannot use the same BGP session. Sometimes, you
might need to set up multiple BGP sessions for a network connectivity product to
achieve sufficient redundancy. For example, you set up multiple BGP sessions
when using Cloud Router with HA VPN.
To establish BGP sessions between your Cloud Router and the router on
your peer network, see Establish BGP
sessions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2026-06-09 UTC."],[],[]]
