In Google Cloud, a VPC is a global resource, whereas a subnet is regional and spans every availability zone in the region, but a subnet cannot
overlap with other subnets in the same VPC or in peered VPCs.
Each subnet must have exactly one primary CIDR block (IP range) and can have up to 30 secondary CIDR blocks. There can be
up to 300 primary and secondary CIDRs in a VPC. The NIC for each VM gets its primary internal IP address from the primary
CIDR block, whereas secondary IP ranges can only be used for alias IP ranges, which is a Google Cloud organizational tool to assign address pools to containers or applications running inside the VM.
The following provides more information on the associations between Cisco Cloud APIC objects and Google Cloud objects:
-
One-to-one mapping of Google Cloud VPC to Cisco Cloud APIC VRF: A Google Cloud VPC is deployed for each Cisco Cloud APIC VRF (fvCtx
object). Cloud context profiles (cloudCtxProfile
object) define the set of regional subnets to deploy. Every cloud context profile in the same VRF maps to the same VPC.
-
Google Cloud subnets and their secondary IP ranges: Cisco Cloud APIC deploys a subnet with primary and secondary IP ranges using Cisco Cloud APIC CIDR and subnet objects. The
Cisco Cloud APIC subnet object is used to represent an IP range and the Cisco Cloud APIC CIDRs’s primary property tells whether
it is primary or secondary. Secondary Cisco Cloud APIC subnet objects are associated with the corresponding primary one, because
only the latter deploys the actual subnet in Google Cloud.
Understanding VPC Groups
The cloud context profile is used within Cisco Cloud APIC as a mapping tool for a VPC, where one cloud context profile is
associated with one VPC. The cloud context profile also contains information on the region association, where the cloud context
profile is used to determine which region a VPC gets deployed to.
In Google Cloud, when you want to create a VPC, you might have to create multiple cloud context profiles through Cisco Cloud APIC if you
want to deploy subnets in multiple regions. However, VPCs are global in nature with Google Cloud, where a VPC spans all the regions.
Therefore, a property called VPC group (vpcGroup
) is available within the cloud context profile that allows Cisco Cloud APIC to group multiple cloud context profiles together
to form one VPC. Multiple cloud context profiles that are associated with each other using the VPC group feature form the
VPC construct within Google Cloud, where the VPC group name is shown in Google Cloud.
Since only one Google Cloud VPC is allowed within one Cisco Cloud APIC VRF for release 25.0(1), you must use the same name for the VPC group property
for each cloud context profile listed in a VRF. Profiles having the same VPC group name reside in the same VPC.
The scope of this matching mechanism is at the tenant level. The same values can be reused across tenants, but they implicitly
define different groups, since they are also part of different Google Cloud Projects.
Cisco Cloud APIC deploys a VPC for each distinct fvCtx
, cloudRsToCtx
and vpcGroup
tuple, as long as there is at least one cloudSubnet
defined. The cloud context profile becomes a container of regional resources, such as subnets, associated to a VRF, and it
no longer maps to a VPC.
The example below defines two context profiles (c1 and c2) inside the same VRF (v1) with one VPC group (vpc-1). This configuration
deploys one VPC, where the subnets defined in profiles c1 and c2 are deployed in that VPC because they are part of the same
VPC group.
<fvTenant name="t1">
<fvCtx name="v1"/>
<cloudCtxProfile name="c1" vpcGroup="vpc-1">
<cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-gcp/region-us-west1" />
<cloudRsToCtx tnFvCtxName="v1"/>
<cloudCidr addr="10.0.0.0/16" primary="yes" >
<cloudSubnet ip="10.0.1.0/24">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-west1/zone-default"/>
</cloudSubnet>
</cloudCidr>
</cloudCtxProfile>
<cloudCtxProfile name="c2" vpcGroup="vpc-1">
<cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-gcp/region-us-east1" />
<cloudRsToCtx tnFvCtxName="v1"/>
<cloudCidr addr="20.0.0.0/16" primary="yes" >
<cloudSubnet ip="20.0.1.0/24">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-east1/zone-default"/>
</cloudSubnet>
</cloudCidr>
</cloudCtxProfile>
</fvTenant>
Understanding Primary and Secondary Subnets and Subnet Groups
Cisco Cloud APIC deploys every subnet (cloudSubnet
) in the VPC (which is identified by the tuple fvCtx
, cloudRsToCtx
, and vpcGroup
) in the region that is pointed to by the cloudRsCtxProfileToRegion
relation.
In Google Cloud, there is no concept of a primary CIDR for the VPC, but the primary flag in the CIDR (cloudCidr
) field in the cloud context profile is available for Cisco Cloud APIC to support secondary IP ranges. Every subnet configured
under a primary CIDR will be deployed as an actual Google Cloud subnet with the specified primary IP range (named primary subnets). For release 25.0(1) for Google Cloud, having multiple CIDRs set as primary under a given cloud context profile (cloudCtxProfile
) is supported. Therefore, you can have more than one primary CIDR under a given cloud context profile with multiple primary
subnets.
The following POST shows an example where one VPC and three subnets are deployed in Google Cloud.
<polUni>
<fvTenant name="t1">
<fvCtx name="v1"/>
<cloudCtxProfile name="c1" vpcGroup="vpc-1">
<cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-gcp/region-us-west1" />
<cloudRsToCtx tnFvCtxName="v1"/>
<cloudCidr addr="10.0.0.0/16" primary="yes" >
<cloudSubnet ip="10.0.1.0/24">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-west1/zone-default"/>
</cloudSubnet>
<cloudSubnet ip="10.0.2.0/24">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-west/zone-default"/>
</cloudSubnet>
</cloudCidr>
<cloudCidr addr="20.0.0.0/16" primary="yes" >
<cloudSubnet ip="20.0.1.0/24">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-west/zone-default"/>
</cloudSubnet>
</cloudCidr>
</cloudCtxProfile>
</polUni>
In the example above, one VPC is configured for the VRF v1
with three primary subnets (10.0.1.0/24, 10.0.2.0/24, and 20.0.1.0/24) deployed in the us-west region.
A secondary CIDR contains the secondary IP ranges (called secondary subnets) that are configured in the existing primary subnets. When designating a CIDR as either primary or secondary, it's helpful
to consider these differences between the two:
You can group together primary and secondary subnets into a subnet group. This grouping mechanism assigns secondary subnets (for example, IP ranges) to a primary subnet, which is mapped to an actual
Google Cloud subnet. The scope of the subnet group is at the cloud context profile level. While you can have multiple cloud context profiles
within the same tenant, subnets are part of a subnet group only within the same cloud context profile.
You will use the subnet group label to assign a unique label to a specific subnet group. If you have multiple subnets that have the same subnet group label,
then those subnets all belong to the same subnet group as long as they are all within the same cloud context profile. Note
that while the subnet group label is used within Cisco Cloud APIC to group primary and secondary subnets, it is not used in
Google Cloud.
Note the following guidelines for the primary and secondary CIDRs:
The following POST shows an example where two VPCs with two subnets each in different regions and having secondary CIDRs are
deployed in Google Cloud.
<polUni>
<fvTenant name="t1">
<fvCtx name="v1"/>
<fvCtx name="v2"/>
<cloudCtxProfile name="c1" vpcGroup="vpc-1">
<cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-gcp/region-us-west1" />
<cloudRsToCtx tnFvCtxName="v1"/>
<cloudCidr addr="10.0.0.0/16" primary="yes" >
<cloudSubnet ip="10.0.1.0/24" subnetGroup="subnet-1">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-west1/zone-default"/>
</cloudSubnet>
<cloudSubnet ip="10.0.2.0/24" subnetGroup="subnet-2">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-west1/zone-default"/>
</cloudSubnet>
</cloudCidr>
<cloudCidr addr="40.0.0.0/16" primary="no">
<cloudSubnet ip="40.0.1.0/24" subnetGroup="subnet-1">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-west1/zone-default"/>
</cloudSubnet>
</cloudCidr>
</cloudCtxProfile>
<cloudCtxProfile name="c2" vpcGroup="vpc-2">
<cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-gcp/region-us-east1" />
<cloudRsToCtx tnFvCtxName="v2"/>
<cloudCidr addr="20.0.0.0/16" primary="yes">
<cloudSubnet ip="20.0.1.0/24" subnetGroup="subnet-1">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-east1/zone-default"/>
</cloudSubnet>
</cloudCidr>
<cloudCidr addr="30.0.0.0/16" primary="no">
<cloudSubnet ip="30.0.1.0/24" subnetGroup="subnet-1">
<cloudRsZoneAttach tDn="uni/clouddomp/provp-gcp/region-us-east1/zone-default"/>
</cloudSubnet>
</cloudCidr>
</cloudCtxProfile>
</fvTenant>
</polUni>
Note that the subnet group subnet-1
in the cloud context profile c2
is not the same subnet group in the cloud context profile c1
, because the scope of the subnet group is at the cloud context profile level.
The intent of the example above is summarized as follows:
-
Tenant t1
defines VRF v1
and v2
.
-
Cloud context profile c1
defines the subnets in region us-west1 for VRF v1
and VPC group vpc-1
. This deploys VPC vpc-1
.
-
Cloud context profile c2
defines the subnets in region us-east1 for VRF v2
and VPC group vpc-2
. This deploys VPC vpc-2
.
-
The following subnets are deployed in VPC vpc-1
in region us-west1:
-
Subnet-1
subnet group:
-
Subnet-2
subnet group:
-
The following subnets are deployed in VPC vpc-2
in region us-east1: