Legacy networks are not recommended and can no longer be created. Many newerGoogle Cloud features are not supported in legacy networks. Instead, useVirtual Private Cloud (VPC) networks. For more information, seeVPC networks. For more information aboutreplacing legacy networks, see Replace legacy networks.
About legacy networks
Legacy networks have a singleRFC 1918 range, which you specify when you create the network.The network is global in scope and spans all cloud regions.
In a legacy network, instance IP addresses are not grouped by region or zone.One IP address can appear in one region, and the following IP address can be ina different region. Any given range of IPs can be spread across all regions, andthe IP addresses of instances created within a region are not necessarilycontiguous.
The following figure shows a legacy (non-VPC) network. Trafficfrom the internet passes through a global switching function in the network(shown in the diagram as a virtual switch), then down to individual instances.
Instances in a region can have IP addresses that are not grouped in any way.As shown in the example, instances from 10.240.0.0/16 are spread unpredictablyacross regions 1 and 2. For example, 10.240.1.4 is in region 2, 10.240.1.5is in region 1, and 10.240.1.6 is in region 2.
Differences between legacy and VPC networks
Legacy networks can no longer be created.
Legacy networks have a single global IP address range that cannot be dividedinto subnets. VPC networks are divided into subnets.
With VPC networks, each Google Cloud region can have zeroor more subnets. It is not possible to create regional subnets with a legacynetwork.
Some Google Cloud networking features are notavailable in legacy networks.
Routes
Legacy networks start with only two routes, the default route to outside thenetwork and the route to the overall legacy network IP range. SeeUsing Routes for instructions on creatingroutes.
Firewall rules
User-created networks have a default Allow-all firewall rule for outboundtraffic and a default Deny-all firewall rule for inbound traffic. SeeUse VPC firewall rules for instructions oncreating firewall rules.
Replace legacy networks
If you want to move individual VM instances out of your legacynetwork, see Migrating a VM betweennetworks.
If you have an existing legacy network, you can replace it with aVPC network in one of two ways:
Single-region conversion tool: Use the
gcloudor API single-regionconversion tool. This tool converts a legacy network to a custom modeVPC network. Before starting the conversion, allGoogle Cloud resources in the legacy network must be in a single region.If the legacy network contains resources in multiple regions, including stoppedVMs, the conversion fails. After the conversion, the subnet in the new networkhas the same internal IP address range as the entire legacy network. After theconversion is complete, you can use all features that VPCnetworks offer, such as creating regional subnets. For more information aboutthe conversion, see Converting a single-region legacy network to aVPC network.Manual migration: Recreate resources in your legacy network in aVPC network. For more information, see Manually migrating to aVPC network.
Single-region conversion tool
You can convert a legacy network to a custom mode VPC networkby using the single-region conversion tool.During the conversion, the legacy network's IP address range is used toconfigure a subnet in the converted VPC network. Because a givensubnet can be associated with only one region, the conversion tool works only ifall resources in the legacy network are in a single region.
Using the tool to convert from a legacy network to a VPC networkdoes not disrupt network traffic; your resources continue to operate normally.The conversion is one way, so you cannot revert to a legacy network afterconverting to a VPC network.
If your legacy network contains Google Kubernetes Engine clusters, your GKEclusters must be upgraded after the conversion to ensure that componentsoperate correctly. For more information, see Converting a legacy network thatcontains GKEclusters.
After the conversion is complete, the new VPC network operates asany other VPC network. You can add newsubnets and use other VPC-relatedfeatures. However, the converted subnet has the same internal IP address rangeas the entire legacy network, so new subnets must be created from other validranges.
The following descriptions detail what happens to resources during theconversion. Most resources remain unchanged and refer to theVPC subnet instead of the legacy network.
- Legacy network
- The legacy network isn't deleted; it's converted to a VPCnetwork. The legacy network's IPv4 range is converted to the primary range of asingle subnet in a VPC network.
- VPC network
- Google Cloud converts the legacy network to a custom modeVPC network with a single subnet inthe region where your VM instances are located. The VPC networkand subnet both have the same name as the original legacy network.
- Subnet
- Google Cloud creates a subnet and its subnet route during theconversion. The subnet is created in the region where your VM instances arelocated. Google Cloud automatically converts resources such as VMinstances, regional forwarding rules, and instance group managers to the subnet.The subnet has the same name as the original legacy network.If the legacy network didn't contain any resources, Google Cloud doesn'tcreate a subnet.
- VM instances
- All instances with a network interface in the converted network will referencethe newly created subnet.
- Forwarding rules
- All internal forwarding rules in the VPC network will referencethe newly created subnet.
- Routes
- All custom static routes stay the same when the network is converted to aVPC network. If Google Cloud creates a new subnet, it doesadd one system-generated route called a subnet route. For more information,see Route types.
- Firewall rules
- All existing firewall rules stay the same when the network is converted to aVPC network. All VPC networks also have twoimplied firewall rules that cannot be removed. For more information, seeImplied rules.
- Instance group managers and instance templates
- All instance templates that have a primary network interface (nic0)referencing the legacy network will reference the newly created subnet.
- VPN tunnels and gateways
- VPN tunnels and gateways stay the same and continue to function when thenetwork is converted to a VPC network.
- Cloud Router
- Cloud Routers stay the same and continue to function when thenetwork is converted to a VPC network.
- Load balancers
- Existing load balancers stay the same and continue to function when thenetwork is converted to a VPC network.
What's next
To migrate, convert, or delete a legacy network, see Manage legacy networks.
To learn more about Google Cloud VPC networks, see theVirtual Private Cloud (VPC) overview.
To learn how to create and modify VPC networks, seeCreate and manage VPC networks.
