Console
    Contact Us Start free

    Configure address groups for firewall policies

    This tutorial describes how to create and configure address groups for firewall policies in your network. It walks through an example of creating a Virtual Private Cloud (VPC) network with subnets, creating a project-scoped address group, setting up a firewall policy that uses the address group with firewall rules, and then testing the firewall rules. For more information, see Address groups for firewall policies .

    Objectives

    This tutorial shows you how to complete the following tasks:

    • Create two custom VPC networks with subnets.
    • Create three virtual machine (VM) instances (two consumer VMs in separate subnets of one VPC network and a producer VM in a second VPC network). All VMs are created without an external IP address.
    • Install the Apache server on the producer VM.
    • Create VPC Network Peering.
    • Create a Cloud Router and a Cloud NAT gateway, which let the producer VM access the public internet.
    • Create a project-scoped address group.
    • Create a global network firewall policy with the following rules:
      • Allow Identity-Aware Proxy (IAP) SSH connectivity to the VMs.
      • Allow traffic from the allowed consumer VM to the producer VM using the project-scoped address group.
    • Test the connection.

    The following diagram shows the traffic between producer and consumer VMs in the us-central1 region within two custom VPC networks. A global network firewall policy uses a project-scoped address group rule to allow ingress traffic between the vm-consumer-allowed and vm-producer VMs. Traffic between the vm-consumer-blocked VM and vm-producer VM is denied because every VM has an implicit ingress firewall rule that denies all traffic.

    A global network firewall policy allowing ingress traffic from a subnet to a target VM in another VPC network.
    A global network firewall policy allowing ingress traffic from a subnet to a target VM in another VPC network (click to enlarge).

    Before you begin

    1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

    2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

      Roles required to select or create a project

      • Select a project : Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
      • Create a project : To create a project, you need the Project Creator ( roles/resourcemanager.projectCreator ), which contains the resourcemanager.projects.create permission. Learn how to grant roles .

      Go to project selector

    3. Verify that billing is enabled for your Google Cloud project .

    4. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

      Roles required to select or create a project

      • Select a project : Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
      • Create a project : To create a project, you need the Project Creator ( roles/resourcemanager.projectCreator ), which contains the resourcemanager.projects.create permission. Learn how to grant roles .

      Go to project selector

    5. Verify that billing is enabled for your Google Cloud project .

      6.
    6. Enable the Compute Engine API for your project.
    7. Make sure that you have the Compute Network Admin role ( roles/compute.networkAdmin ).
    8. Enable the Identity-Aware Proxy API for your project.
    9. If you prefer to work from the command line, install the Google Cloud CLI. For the conceptual and installation information about the tool, see gcloud CLI overview .

      Note: If you haven't run the Google Cloud CLI previously, initialize your gcloud CLI directory by running the gcloud init command.

    Create a consumer VPC network with subnets

    In this section, you create a consumer VPC network with two IPv4 subnets: subnet-consumer-allowed and subnet-consumer-blocked .

    Console

    1. In the Google Cloud console, go to the VPC networkspage.

      Go to VPC networks

    2. Click Create VPC network.

    3. For Name, enter vpc-consumer .

    4. For Subnet creation mode, select Custom.

    5. In the New subnetsection, specify the following configuration parameters for a subnet:

      • Name: subnet-consumer-allowed
      • Region: us-central1
      • IPv4 range: 192.168.10.0/29

    6. Click Done.

    7. Click Add subnetand specify the following configuration parameters:

      • Name: subnet-consumer-blocked
      • Region: us-central1
      • IPv4 range: 192.168.20.0/29

    8. Click Done.

    9. Click Create.

    gcloud

    1. In the Google Cloud console, activate Cloud Shell.

      Activate Cloud Shell

    2. To create a VPC network, run the following command:

      gcloud compute networks create vpc-consumer \
  --subnet-mode=custom

    3. In the Authorize cloud shelldialog, click Authorize.

    4. To create a subnet, run the following command:

      gcloud compute networks subnets create subnet-consumer-allowed \
  --network=vpc-consumer \
  --region=us-central1 \
  --range=192.168.10.0/29

    5. To create another subnet, run the following command:

      gcloud compute networks subnets create subnet-consumer-blocked \
  --network=vpc-consumer \
  --region=us-central1 \
  --range=192.168.20.0/29

    Create a producer VPC network with subnet

    In this section, you create a producer VPC network with an IPv4 subnet.

    Console

    1. In the Google Cloud console, go to the VPC networkspage.

      Go to VPC networks

    2. Click Create VPC network.

    3. For Name, enter vpc-producer .

    4. For Subnet creation mode, select Custom.

    5. In the New subnetsection, specify the following configuration parameters for a subnet:

      • Name: subnet-vpc-producer
      • Region: us-central1
      • IPv4 range: 172.16.10.0/29

    6. Click Done.

    7. Click Create.

    gcloud

    1. To create a VPC network, run the following command:

      gcloud compute networks create vpc-producer \
  --subnet-mode=custom

    2. To create the subnet, run the following command:

      gcloud compute networks subnets create subnet-vpc-producer \
  --network=vpc-producer \
  --region=us-central1 \
  --range=172.16.10.0/29

    Create a Cloud Router and a Cloud NAT gateway

    To let the vm-producer VM access the public internet, you create a Cloud Router and a Cloud NAT gateway.

    Console

    1. In the Google Cloud console, go to the Cloud NATpage.

      Go to Cloud NAT

    2. Click Get startedor Create Cloud NAT gateway.

    3. For Gateway name, enter nat-gateway-addressgrp .

    4. For NAT type, select Public.

    5. In the Select Cloud Routersection, specify the following configuration parameters:

      • Network: vpc-producer
      • Region: us-central1 (lowa)
      • Cloud Router: Click Create new router.
        1. For Name, enter router-addressgrp .
        2. Click Create.

    6. Click Create.

    gcloud

    1. To create a Cloud Router, run the following command:

      gcloud compute routers create router-addressgrp \
  --network=vpc-producer \
  --region=us-central1

    2. To create a Cloud NAT gateway, run the following command:

      gcloud compute routers nats create nat-gateway-addressgrp \
  --router=router-addressgrp \
  --region=us-central1 \
  --auto-allocate-nat-external-ips \
  --nat-all-subnet-ip-ranges

    Create VMs

    In each subnet of the VPC network you created in the preceding section, create VMs without an external IP address.

    Create a VM for the consumer-allowed VPC network

    Create a VM in the subnet-consumer-allowed subnet.

    Console

    1. In the Google Cloud console, go to the Create an instancepage.

      Go to Create an instance

    2. In the Machine configurationpane, do the following:

      1. For Name, enter vm-consumer-allowed .
      2. For Region, select us-central1 (Iowa) .

    3. In the navigation menu, click Networking.

      1. In the Network interfacessection, click default and specify the following configuration parameters:
        • Network: vpc-consumer
        • Subnetwork: subnet-consumer-allowed IPv4 (192.168.10.0/29)
        • External IPv4 address: None
      2. Click Done.

    4. Click Create.

    gcloud

    gcloud compute instances create vm-consumer-allowed \
     --network=vpc-consumer \
     --zone=us-central1-a \
     --stack-type=IPV4_ONLY \
     --no-address \
     --subnet=subnet-consumer-allowed

    Create a VM for the consumer blocked VPC network

    In this section, you create a VM in the subnet-consumer-blocked subnet.

    Console

    1. In the Google Cloud console, go to the Create an instancepage.

      Go to Create an instance

    2. In the Machine configurationpane, do the following:

      1. For Name, enter vm-consumer-blocked .
      2. For Region, select us-central1 (Iowa) .

    3. In the navigation menu, click Networking.

      1. In the Network interfacessection, click default and specify the following configuration parameters:
        • Network: vpc-consumer
        • Subnetwork: subnet-consumer-blocked IPv4 (192.168.20.0/29)
        • External IPv4 address: None
      2. Click Done.

    4. Click Create.

    gcloud

    gcloud compute instances create vm-consumer-blocked \
    --network=vpc-consumer \
    --zone=us-central1-a \
    --stack-type=IPV4_ONLY \
    --no-address \
    --subnet=subnet-consumer-blocked

    Create a VM for the producer VPC network

    Create a VM in the subnet subnet-vpc-producer and install an Apache server on it.

    Console

    1. In the Google Cloud console, go to the Create an instancepage.

      Go to Create an instance

    2. In the Machine configurationpane, do the following:

      1. For Name, enter vm-producer .
      2. For Region, select us-central1 (Iowa) .

    3. In the navigation menu, click Networking.

      1. In the Network interfacessection, click default and specify the following configuration parameters:
        • Network: vpc-producer
        • Subnetwork: subnet-vpc-producer IPv4 (172.16.10.0/29)
      2. Click Done.

    4. In the navigation menu, click Advancedand enter the following script in the Startup scriptfield:

      #! /bin/bash
  apt-get update
  apt-get install apache2 -y
  a2ensite default-ssl
  a2enmod ssl
  # Read VM network configuration:
  md_vm="http://169.254.169.254/computeMetadata/v1/instance/"
  vm_hostname="$(curl $md_vm/name -H "Metadata-Flavor:Google" )"
  filter="{print \$NF}"
  vm_network="$(curl $md_vm/network-interfaces/0/network \
  -H "Metadata-Flavor:Google" | awk -F/ "${filter}")"
  vm_zone="$(curl $md_vm/zone \
  -H "Metadata-Flavor:Google" | awk -F/ "${filter}")"
  # Apache configuration:
  echo "Page on $vm_hostname in network $vm_network zone $vm_zone" | \
  tee /var/www/html/index.html
  systemctl restart apache2

      The preceding script deploys and starts an Apache web server in this VM.

    5. Click Create.

    gcloud

    To create a producer VM, run the following command:

    gcloud compute instances create vm-producer \
      --network=vpc-producer \
      --zone=us-central1-a \
      --stack-type=IPV4_ONLY \
      --no-address \
      --subnet=subnet-vpc-producer \
      --image-project=debian-cloud \
      --image-family=debian-10 \
      --metadata=startup-script='#! /bin/bash
        apt-get update
        apt-get install apache2 -y
        a2ensite default-ssl
        a2enmod ssl
        # Read VM network configuration:
        md_vm="http://169.254.169.254/computeMetadata/v1/instance/"
        vm_hostname="$(curl $md_vm/name -H "Metadata-Flavor:Google" )"
        filter="{print \$NF}"
        vm_network="$(curl $md_vm/network-interfaces/0/network \
        -H "Metadata-Flavor:Google" | awk -F/ "${filter}")"
        vm_zone="$(curl $md_vm/zone \
        -H "Metadata-Flavor:Google" | awk -F/ "${filter}")"
        # Apache configuration:
        echo "Page on $vm_hostname in network $vm_network zone $vm_zone" | \
        tee /var/www/html/index.html
        systemctl restart apache2'

    Create a VPC Network Peering connection

    To privately connect your vpc-consumer and vpc-producer VPC networks in the same project, use VPC Network Peering. The VPC Network Peering enables internal IP address connectivity across two VPC networks, regardless of whether the VPC networks belong to the same project or organization.

    Peer vpc-consumer with vpc-producer

    To successfully establish VPC Network Peering, you must separately configure the peering association for the vpc-consumer and the vpc-producer networks.

    Console

    To create VPC Network Peering between the vpc-consumer and the vpc-producer networks, follow these steps:

    1. In the Google Cloud console, go to the VPC network peeringpage.

      Go to VPC network peering

    2. Click Create connection.

    3. Click Continue.

    4. In the Namefield, enter peering-cp .

    5. Under Your VPC network, select vpc-consumer .

    6. Under VPC network name, select vpc-producer .

    7. Click Create.

    gcloud

    To create VPC Network Peering between vpc-consumer and vpc-producer , run the following command:

    gcloud compute networks peerings create peering-cp \
    --network=vpc-consumer \
    --peer-network=vpc-producer \
    --stack-type=IPV4_ONLY

    Peer the vpc-producer network with the vpc-consumer network

    Console

    To create VPC Network Peering between vpc-producer and vpc-consumer , follow these steps:

    1. In the Google Cloud console, go to the VPC network peeringpage .

      Go to VPC network peering

    2. Click Create connection.

    3. Click Continue.

    4. In the Namefield, enter peering-pc .

    5. Under Your VPC network, select vpc-producer .

    6. Under VPC network name, select vpc-consumer .

    7. Click Create.

    gcloud

    To create VPC Network Peering between vpc-producer and vpc-consumer , run the following command:

    gcloud compute networks peerings create peering-pc \
    --network=vpc-producer \
    --peer-network=vpc-consumer \
    --stack-type=IPV4_ONLY

    Create a global network firewall policy to enable IAP

    To enable IAP, create a global network firewall policy and add a firewall rule. IAP enables administrative access to the VM instances.

    The firewall rule includes the following characteristics.

    • Ingress traffic from IP range 35.235.240.0/20 . This range contains all IP addresses that IAP uses for TCP forwarding.

    • A connection to all ports that you want to be accessible by using IAP TCP forwarding, for example, port 22 for SSH.

    Console

    To allow IAP access to all VM instances in the vpc-consumer and the vpc-producer networks, follow these steps:

    1. In the Google Cloud console, go to the Firewall policiespage.

      Go to Firewall policies

    2. Click Create firewall policy.

    3. In the Configure policysection, for Policy name, enter fw-policy-addressgrp .

    4. For Deployment scope, select Globaland click Continue.

    5. To create rules for your policy, in the Add rulessection, click Add rule.

      1. For Priority, enter 100 .
      2. For Direction of traffic, select Ingress.
      3. For Action on match, select Allow.
      4. In the Targetsection, for Target type, select All instances in the network.
      5. In the Sourcesection, for IP ranges, enter 35.235.240.0/20 .
      6. In the Protocol and portssection, select Specified protocols and ports.
      7. Select the TCPcheckbox, and for Ports, enter 22 .
      8. Click Create.

    6. Click Continue.

    7. To associate a VPC network with the policy, in the Associate policy with VPC networkssection, click Associate.

    8. Select the checkboxes of vpc-producer and vpc-consumer , and then click Associate.

    9. Click Continue.

    10. Click Create.

    gcloud

    To let IAP access the VM instances in the vpc-producer network, run the following command:

    1. To create a firewall policy, run the following command:

      gcloud compute network-firewall-policies create fw-policy-addressgrp \
    --global

    2. To create a firewall rule that allows traffic to all destinations and enables logs, run the following command:

      gcloud compute network-firewall-policies rules create 100 \
    --firewall-policy=fw-policy-addressgrp \
    --direction=INGRESS \
    --action=ALLOW \
    --layer4-configs=tcp:22 \
    --src-ip-ranges=35.235.240.0/20 \
    --global-firewall-policy

    3. To associate the firewall policy with the producer VPC network, run the following command:

      gcloud compute network-firewall-policies associations create \
    --firewall-policy=fw-policy-addressgrp \
    --network=vpc-producer \
    --name=pol-association-vpc-producer \
    --global-firewall-policy

    4. To associate the firewall policy with the consumer VPC network, run the following command:

      gcloud compute network-firewall-policies associations create \
    --firewall-policy=fw-policy-addressgrp \
    --network=vpc-consumer \
    --name=pol-association-vpc-consumer \
    --global-firewall-policy

    Create a project-scoped address group

    Create a project-scoped address group that uses the IP address assigned to the subnet-consumer-allowed subnet of the vpc-consumer VPC network.

    For more information about the project-scoped address groups, see Use address groups in firewall policies .

    Console

    1. In the Google Cloud console, go to the Address groupspage.

      Go to Address groups

    2. Click Create Address Group.

    3. In the Namefield, enter address-group-pc .

    4. For Scope, choose Global.

    5. For Type, select IPv4.

    6. In the Capacityfield, enter 1000 .

    7. In the IP Addressesfield, enter 192.168.10.0/29 .

    8. Click Create.

    gcloud

    1. If you are using the Cloud Shell terminal for the first time, clickalt='' Activate Cloud Shellin the Google Cloud console.

    2. To create an address group, run the following command:

      gcloud network-security address-groups create address-group-pc \
    --type IPv4 \
    --capacity 1000 \
    --location global

    3. In the Authorize cloud shelldialog, click Authorize.

    4. To add an item to an address group, run the following command:

      gcloud network-security address-groups add-items address-group-pc \
    --items 192.168.10.0/29 \
    --location global

      Remember, the IP range 192.168.10.0/29 is assigned to the subnet-consumer-allowed subnet of the vpc-consumer VPC network.

    Add a firewall rule to allow traffic to an address group

    To allow ingress connections from the vm-consumer-allowed VM, create a firewall rule that adds the project-scoped address group address-group-pc as the source IP address.

    Console

    1. In the Google Cloud console, go to the Firewall policiespage.

      Go to Firewall policies

    2. In the Network firewall policiessection, click fw-policy-addressgrp .

    3. Click Create rule.

    4. For Priority, enter 150 .

    5. For Direction of traffic, select Ingress.

    6. For Action on match, select Allow.

    7. For Logs, select On.

    8. In the Targetsection, for Target type, select All instances in the network.

    9. In the Sourcesection, for Address group, select address-group-pc ( PROJECT_ID ) and click OK.

      Remember, the address-group-pc IP address group has an IP range of 192.168.10.0/29 which is assigned to the subnet subnet-consumer-allowed of the consumer VPC network.

    10. Click Create.

    gcloud

    To update the firewall policy, run the following command:

    gcloud compute network-firewall-policies rules create 150 \
    --firewall-policy=fw-policy-addressgrp \
    --direction=INGRESS \
    --action=ALLOW \
    --src-address-groups=projects/ PROJECT_ID 
/locations/global/addressGroups/address-group-pc \
    --layer4-configs=all \
    --global-firewall-policy \
    --enable-logging

    Test the connection

    Test the connection from the vm-consumer-allowed VM to the vm-producer VM, and from the vm-consumer-blocked VM to the vm-producer VM.

    Test the traffic from the vm-consumer-allowed VM to the vm-producer VM

    Console

    1. In the Google Cloud console, go to the VM instancespage.

      Go to VM instances

    2. From the Internal IPcolumn of the vm-producer VM, copy the internal IP address of the VM.

    3. In the Connectcolumn of the vm-consumer-allowed VM, click SSH.

    4. In the SSH-in-browserdialog, click Authorizeand wait for the connection to establish.

    5. To verify the connection, run the following command:

      curl INTERNAL_IP 
-m 2

      Replace INTERNAL_IP with the IP address of the vm-producer VM.

      The output is similar to the following:

      <!doctype html><html><body><h1>Hello World!</h1></body></html>

    6. Close the SSH-in-browserdialog.

    gcloud

    1. To view the internal IP address of the vm-producer VM, run the following command:

      gcloud compute instances describe vm-producer \
   --zone=us-central1-a \
   --format='get(networkInterfaces[0].networkIP)'

      When prompted, press n to confirm, and then press Enter . Make sure to note the internal IP address of your vm-producer VM.

    2. To use SSH to connect to the vm-consumer-allowed VM, run the following command:

      gcloud compute ssh vm-consumer-allowed \
   --zone=us-central1-a \
   --tunnel-through-iap

    3. To verify the connection, run the following command:

      curl INTERNAL_IP 
-m 2

      Replace INTERNAL_IP with the internal IP address of the vm-producer VM.

      The expected response message is as follows:

      <!doctype html><html><body><h1>Hello World!</h1></body></html>

    4. To exit the SSH connection, enter exit .

    Test the traffic from the vm-consumer-blocked VM to the vm-producer VM

    Console

    1. In the Google Cloud console, go to the VM instancespage.

      Go to VM instances

    2. From the Internal IPcolumn of the vm-producer VM, copy the internal IP address of the VM.

    3. In the Connectcolumn of the vm-consumer-blocked VM, click SSH.

    4. In the SSH-in-browserdialog, click Authorizeand wait for the connection to establish.

    5. To verify the connection, run the following command:

      curl INTERNAL_IP 
-m 2

      Replace INTERNAL_IP with the IP address of the vm-producer VM.

      The Connection timed out message is expected because every VM creates an implicit ingress firewall rule that denies all traffic. To allow traffic, you add an ingress rule to the firewall policy.

    6. Close the SSH-in-browserdialog.

    gcloud

    1. To view the internal IP address of the vm-producer VM, run the following command:

      gcloud compute instances describe vm-producer \
   --zone=us-central1-a \
   --format='get(networkInterfaces[0].networkIP)'

      When prompted, press n to confirm, and then press Enter . Make sure to note the internal IP address of your vm-producer VM.

    2. To use SSH to connect to the vm-consumer-blocked VM, run the following command:

      gcloud compute ssh vm-consumer-blocked \
   --zone=us-central1-a \
   --tunnel-through-iap

    3. To verify the connection, run the following command:

      curl INTERNAL_IP 
-m 2

      Replace INTERNAL_IP with the internal IP address of the vm-producer VM.

      The Connection timed out message is expected because every VM creates an implicit ingress firewall rule that denies all traffic. To allow traffic, you add an ingress rule to the firewall policy.

    4. To exit the SSH connection, enter exit .

    View the logs

    To verify that the address group firewall rules were applied to the ingress traffic, access the logs. To view the log details, follow these steps:

    1. In the Google Cloud console, go to the Firewall policiespage.

      Go to Firewall policies

    2. In the Network firewall policiessection, click the fw-policy-addressgrp name.

    3. In the Hit countcolumn, select the number for the rule you created during Add a firewall rule to allow traffic to an address group . The Logs explorerpage opens.

    4. To view the firewall rule applied to the ingress traffic, expand the individual log. You can view the rule details, disposition, and instance details.

    Clean up

    To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

    To delete the resources created in this tutorial, complete the following.

    Delete an address group

    Console

    1. In the Google Cloud console, go to the Firewall policiespage.

      Go to Firewall policies

    2. In the Network firewall policiessection, click fw-policy-addressgrp .

    3. In the Firewall rulessection, select the checkbox of the firewall rule 150 .

    4. Click Delete.

    5. In the Google Cloud console, go to the Address groupspage.

      Go to Address groups

    6. In the Address groupssection, select the checkbox next to address-group-pc .

    7. Click Delete, and then click Deleteagain to confirm.

    gcloud

    1. To delete the firewall rule associated with the address-group-pc IP address group, run the following command:

      gcloud compute network-firewall-policies rules delete 150 \
    --firewall-policy fw-policy-addressgrp \
    --global-firewall-policy

    2. To remove an existing item from an address group, run the following command:

      gcloud network-security address-groups remove-items address-group-pc \
    --items 192.168.10.0/29 \
    --location global

    3. To delete an IP address group, run the following command:

      gcloud network-security address-groups delete address-group-pc \
    --location global

      When prompted, press Y to confirm, and then press Enter .

    Delete the firewall policy

    Console

    1. In the Google Cloud console, go to the Firewall policiespage.

      Go to Firewall policies

    2. In the Network firewall policiessection, click the fw-policy-addressgrp name.

    3. Click the Associationstab.

    4. Select the checkbox of the vpc-producer VM and the vpc-consumer VM, and then click Remove association.

    5. In the Remove a firewall policy associationdialog, click Remove.

    6. Next to the fw-policy-addressgrp title, click Delete.

    7. In the Delete a firewall policydialog, click Delete.

    gcloud

    1. Remove the association between the firewall policy and the VPC producer network.

      gcloud compute network-firewall-policies associations delete \
  --name=pol-association-vpc-producer \
  --firewall-policy=fw-policy-addressgrp \
  --global-firewall-policy

    2. Remove the association between the firewall policy and the VPC consumer network.

      gcloud compute network-firewall-policies associations delete \
  --name=pol-association-vpc-consumer \
  --firewall-policy=fw-policy-addressgrp \
  --global-firewall-policy

    3. Delete the firewall policy.

      gcloud compute network-firewall-policies delete fw-policy-addressgrp \
    --global

    Delete VPC Network Peering

    Console

    1. In the Google Cloud console, go to the VPC network peeringpage.

      Go to VPC network peering

    2. Select the checkboxes of peering-cp and peering-pc .

    3. Click Delete.

    4. In the Delete 2 peerings?dialog, click Delete.

    gcloud

    1. To delete the peering between consumer VPC and producer VPC, run the following command:

      gcloud compute networks peerings delete peering-cp \
    --network=vpc-consumer

    2. To delete the peering between producer VPC and consumer VPC , run the following command:

      gcloud compute networks peerings delete peering-pc \
    --network=vpc-producer

    Delete the Cloud NAT gateway and Cloud Router

    Console

    1. In the Google Cloud console, go to the Cloud routerspage.

      Go to Cloud routers

    2. Select the router-addressgrp checkbox.

    3. Click Delete.

    4. In the Delete router-addressgrpdialog, click Delete.

    When you delete a Cloud Router, the associated Cloud NAT gateway is also deleted.

    gcloud

    To delete the router-addressgrp Cloud Router, run the following command:

    gcloud compute routers delete router-addressgrp \
    --region=us-central1

    When prompted, press Y to confirm, and then press Enter .

    When you delete a Cloud Router, the associated Cloud NAT gateway is also deleted.

    Delete the VMs

    Console

    1. In the Google Cloud console, go to the VM instancespage.

      Go to VM instances

    2. Select the checkboxes of the vm-consumer-allowed , vm-consumer-blocked , and vm-producer VMs.

    3. Click Delete.

    4. In the Delete 3 instances?dialog, click Delete.

    gcloud

    1. To delete all of the VMs, run the following command:

      gcloud compute instances delete vm-consumer-allowed vm-consumer-blocked vm-producer \
    --zone=us-central1-a

      When prompted, press Y to confirm, and then press Enter .

    Delete the consumer VPC network and its subnets

    Console

    1. In the Google Cloud console, go to the VPC networkspage.

      Go to VPC networks

    2. In the Namecolumn, click vpc-consumer .

    3. Click Delete VPC network.

    4. In the Delete a networkdialog, click Delete.

    When you delete a VPC, its subnets are also deleted.

    gcloud

    1. To delete the subnets of the vpc-consumer VPC network, run the following command:

      gcloud compute networks subnets delete subnet-consumer-allowed subnet-consumer-blocked \
   --region=us-central1

      When prompted, press Y to confirm, and then press Enter .

    2. To delete the vpc-consumer VPC network, run the following command:

      gcloud compute networks delete vpc-consumer

      When prompted, press Y to confirm, and then press Enter .

    Delete the producer VPC network and its subnet

    Console

    1. In the Google Cloud console, go to the VPC networkspage.

      Go to VPC networks

    2. In the Namecolumn, click vpc-producer .

    3. Click Delete VPC network.

    4. In the Delete a networkdialog, click Delete.

    When you delete a VPC, its subnets are also deleted.

    gcloud

    1. To delete the subnet of the vpc-producer VPC network, run the following command:

      gcloud compute networks subnets delete subnet-vpc-producer \
   --region=us-central1

      When prompted, press Y to confirm and press Enter .

    2. To delete the vpc-producer VPC network, run the following command:

      gcloud compute networks delete vpc-producer

      When prompted, press Y to confirm, and then press Enter .

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: