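Prepare for Hybrid Subnets connectivity

Preview: This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This page describes the tasks that you need to complete before you can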
use Hybrid Subnets. Ensure that your source network and
Virtual Private Cloud (VPC) network are ready for Hybrid Subnets
connectivity by completing the following steps.
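
Connect a VPC network to a source network

A hybrid subnet requires connectivity between a VPC network and
a source network. The connection must be one of the following types:

- A pair of HA VPN tunnels
- VLAN attachments for Dedicated Interconnect
- VLAN attachments for Partner Interconnect

For help choosing a connection type, see Choosing a Network Connectivity product.

To configure hybrid connectivity, see the following:

- Create an HA VPN gateway to a peer VPN gateway
- Create Dedicated Interconnect VLAN attachments
- Create Partner Interconnect VLAN attachments

Configure custom route advertisement

When you configure hybrid connectivity, you create a Cloud Router.
Configure the Cloud Router's BGP session to
only advertise custom routes. Don't add any routes now;
in a later step, you add custom routes for each migrated VM.

Configure firewall rules
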
To ensure that Trusted Cloud virtual machine (VM) instances can communicate
with workloads in your source network and Trusted Cloud VMs that use the
hybrid subnet's IP address range, do the following:
- In Trusted Cloud, create ingress allow firewall rules or rules in
  firewall policies to allow all packets from the IP address range that is
  associated with the hybrid subnet.

  The implied allow egress firewall rule allows egress from Trusted Cloud VMs.
  If you've created egress deny firewall rules or egress deny rules in
  firewall policies, you'll need to create egress allow rules to permit
  packets to the IP address range that is associated with the hybrid subnet.

  You can scope firewall rules to specific VMs by using the target
  parameter of the rule. For more information, see:
  - VPC firewall rules
  - Firewall policies
- Configure firewalls in your source network in a similar way.
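
The following check is an added example, not part of the original page or the product's tooling: it audits VPC firewall rules for the two conditions described above, an ingress allow-all rule covering the hybrid subnet range and no egress deny rule left unoverridden. It assumes rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json`, uses constructed sample rules and a made-up range, and ignores firewall policies and target scoping.

```python
import ipaddress

IMPLIED_PRIORITY = 65535  # priority of the implied allow-egress / deny-ingress rules

def _nets(rule, key, version):
    """CIDRs under `key` that share the hybrid subnet's IP version."""
    nets = (ipaddress.ip_network(c) for c in rule.get(key, []))
    return [n for n in nets if n.version == version]

def check_direction(rules, subnet, direction, range_key, implied_allow):
    """Findings for one direction; lower priority number wins, deny wins ties."""
    active = [r for r in rules
              if r["direction"] == direction and not r.get("disabled")]
    # Priorities of allow-all rules whose ranges contain the whole subnet.
    allow_prios = [
        r["priority"] for r in active
        if any(a["IPProtocol"] == "all" for a in r.get("allowed", []))
        and any(subnet.subnet_of(n) for n in _nets(r, range_key, subnet.version))
    ]
    if not allow_prios and not implied_allow:
        return [f"{direction}: no allow-all rule covers {subnet}"]
    best = min(allow_prios, default=IMPLIED_PRIORITY)
    # Any overlapping deny at an equal or better priority still blocks traffic.
    return [
        f"{direction}: deny rule {r['name']} (priority {r['priority']}) "
        f"is not overridden for {subnet}"
        for r in active
        if r.get("denied") and r["priority"] <= best
        and any(subnet.overlaps(n) for n in _nets(r, range_key, subnet.version))
    ]

def audit_hybrid_subnet(rules, hybrid_cidr):
    """Return a list of findings; an empty list means both conditions hold."""
    subnet = ipaddress.ip_network(hybrid_cidr)
    return (check_direction(rules, subnet, "INGRESS", "sourceRanges", False)
            + check_direction(rules, subnet, "EGRESS", "destinationRanges", True))

# Constructed sample rules; 10.10.0.0/24 is a made-up hybrid subnet range.
SAMPLE_RULES = [
    {"name": "allow-hybrid-in", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.10.0.0/24"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-rfc1918-out", "direction": "EGRESS", "priority": 900,
     "destinationRanges": ["10.0.0.0/8"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-hybrid-out", "direction": "EGRESS", "priority": 950,
     "destinationRanges": ["10.10.0.0/24"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for finding in audit_hybrid_subnet(SAMPLE_RULES, "10.10.0.0/24"):
        print(finding)
```

In the sample, the egress allow rule at priority 950 loses to the broader deny at priority 900, so the hybrid subnet range stays blocked until the allow rule is given a lower priority number than the deny.
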

Configure source network routing

To prepare your source network for Hybrid Subnets connectivity,
do the following.

Enable proxy ARP for the source network

Enable proxy ARP (https://en.wikipedia.org/wiki/Proxy_ARP) for your source
network. For more information, see Proxy ARP and Hybrid Subnets.

For information on enabling proxy ARP, see the documentation of your
proxy ARP solution.

Advertise your hybrid subnet's IP address range

Configure your source network to advertise the primary internal IPv4 address
range of the VPC part of your hybrid subnet.

What's next

- To learn more about Hybrid Subnets, see About Hybrid Subnets.
- To migrate workloads from a source subnet to a VPC subnet, see
  Create a hybrid subnet.

Last updated 2025-08-25 UTC.