Configuring Alias IP Ranges

This document contains instructions for configuring alias IP addresses and alias IP ranges using the Google Cloud Platform Console and gcloud command line tool. Please review the Alias IP overview page before executing these commands.

Limitations

  • The add and delete methods are not supported. You can add alias IP ranges only during VM creation.
  • Up to five secondary IP ranges are permitted per subnet.
  • Only one alias IP range per VM is permitted.
  • Cloud DNS will resolve VM name to the primary IPs. Additional names for alias IPs will not be configured automatically, but may be added manually.
  • Firewall source tags are not supported for alias IP addresses. This means that when you configure source tags in firewall rules, the source tags match the VM primary IP address, but not the alias IP addresses. Use source ranges to allow or deny ingress traffic from alias IP addresses.
  • In a static route, the next-hop IP address must be the primary IP address of the VM. Alias IP addresses are not supported as next-hop IP addresses.
  • IPv6 addresses are not supported.

Subnet Commands

When you assign an alias IP range to a VM, you must specify a range owned by the subnet the VM is in. All subnets have a primary range, which is the standard range of internal IP addresses that defines the subnet. A subnet may also have one or more secondary IP ranges of internal IP addresses. You can assign alias IP ranges from either the primary or secondary ranges of the subnet.

Creating a subnet with one or more secondary CIDR ranges

This command assumes you have a VPC network already. If you do not, create one.

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click the name of an existing network.
  3. Click Add subnet.
  4. Enter a Name for the new subnet.
  5. Specify the Region.
  6. Enter an IP address range in CIDR notation. (Example: 10.65.61.0/24)
  7. Click Create secondary IP range.
  8. Enter a Subnet range name.
  9. Enter a Secondary IP range in CIDR notation. (Example: 10.9.0.0/24)
  10. To add additional secondary IP ranges, for each range click Add IP range, then provide a name and range.
  11. Click Add.

gcloud

gcloud compute networks subnets create s1 \
    --network [NETWORK_NAME] \
    --region [REGION] \
    --range 10.65.61.0/24 \
    --secondary-range [RANGE_NAME]=[RANGE][,[RANGE_NAME]=[RANGE]...]

where

  • [NETWORK_NAME] is the name of the network where you want to create the subnet.
  • [REGION] is the region where you are creating the subnet.
  • [RANGE_NAME]=[RANGE] is the name of the secondary range and the IP range, like `range1=10.9.0.0/24`. You can enter up to 5 secondary ranges in a comma-separated list.

See the gcloud documentation for complete syntax.

VM instance commands

Creating a VM with an alias IP range in the primary CIDR range

Console

  1. Go to the VM instances page in the Google Cloud Platform Console.
  2. Click Create instance.
  3. Enter a Name for the new instance.
  4. Specify a Zone.
  5. Click Management, disks, networking, SSH keys.
  6. Click the Networking tab.
  7. Click the edit (pencil icon) button next to the primary interface in the Network interfaces section.
  8. Click Show alias IP ranges.
  9. Leave Subnet range set to Primary.
  10. Enter an Alias IP range in CIDR notation. This range must be an unused subrange of the primary range.
  11. Click Create.

gcloud

gcloud compute instances create vm1 [...] \
    --network-interface subnet=s1,aliases=/32

See the gcloud documentation for complete syntax.

Creating a VM with an alias IP range in the secondary CIDR range

Console

  1. Go to the VM instances page in the Google Cloud Platform Console.
  2. Click Create instance.
  3. Enter a Name for the new instance.
  4. Specify a Zone.
  5. Click Management, disks, networking, SSH keys.
  6. Click the Networking tab.
  7. Click the edit (pencil icon) button next to the primary interface in the Network interfaces section.
  8. Click Show alias IP ranges.
  9. Select the Subnetwork that has the secondary range.
  10. Under Subnet range, select the Secondary IP range you wish to use.
  11. Enter an Alias IP range in CIDR notation. This range must be an unused range of the secondary IP range.
  12. Click Create.

gcloud

gcloud compute instances create vm3 [...] \
    --network-interface subnet=s1,aliases=r1:10.9.9.0/24
 

See the gcloud documentation for complete syntax.

Troubleshooting

Cannot create VM instance with alias IP

  1. Verify that the VM has only one network interface. Alias IPs are not supported on VMs with multiple network interfaces.
        gcloud compute instances describe [INSTANCE_NAME] --zone=[ZONE]
    Only a single network interface should be listed under the networkInterfaces field in the output.
  2. Verify that the network is a VPC network. Alias IPs are not supported on legacy networks.
        gcloud compute networks list --filter="name=[NETWORK_NAME]"
    The network MODE should be "auto" or "custom".
  3. If a subnet range name is specified, verify the following:

        gcloud beta compute networks subnets describe [SUBNET_NAME] --region=[REGION]

    • the subnet has a secondary range with the corresponding name
    • the requested alias IP range is inside this secondary range or, if using netmask, is smaller than the primary range.
  4. If subnet range name is not specified, verify that the requested alias IP range is inside the primary subnet range or, if using netmask, is smaller than the primary range.
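
The range checks in steps 3 and 4 can be run offline before retrying instance creation. The following is an added example, not part of the original documentation: `check_alias` is a hypothetical helper, the subnet JSON is a constructed sample using the `ipCidrRange` and `secondaryIpRanges` fields of the subnet resource, and a netmask-only request is compared against the range it is drawn from, which is an assumption.

```python
import ipaddress
import json

# Constructed sample, shaped like the JSON output of
# `gcloud compute networks subnets describe s1 --region=[REGION] --format=json`.
SAMPLE_SUBNET = json.loads("""
{"name": "s1", "ipCidrRange": "10.65.61.0/24",
 "secondaryIpRanges": [{"rangeName": "range1", "ipCidrRange": "10.9.0.0/24"}]}
""")


def check_alias(subnet, alias):
    """Check an aliases= value: [RANGE_NAME:]CIDR or [RANGE_NAME:]/PREFIX.

    Returns (ok, reason). Hypothetical helper, not part of gcloud.
    """
    range_name, _, spec = alias.rpartition(":")
    if range_name:
        # A range name selects one of the subnet's secondary ranges.
        named = {r["rangeName"]: r["ipCidrRange"]
                 for r in subnet.get("secondaryIpRanges", [])}
        if range_name not in named:
            return False, f"no secondary range named {range_name!r}"
        parent = ipaddress.ip_network(named[range_name])
    else:
        # No range name: the alias is taken from the primary range.
        parent = ipaddress.ip_network(subnet["ipCidrRange"])
    try:
        if spec.startswith("/"):
            # Netmask only: the block must be smaller than its parent
            # (assumption: compared against the range it is drawn from).
            prefix = int(spec[1:])
            ok = parent.prefixlen < prefix <= 32
            return ok, f"/{prefix} requested from {parent}"
        # strict=True rejects CIDRs with host bits set, e.g. 10.9.0.5/24.
        requested = ipaddress.ip_network(spec, strict=True)
    except ValueError as exc:
        return False, f"invalid alias range: {exc}"
    if not requested.subnet_of(parent):
        return False, f"{requested} is outside {parent}"
    return True, f"{requested} is inside {parent}"


if __name__ == "__main__":
    for value in ("/32", "range1:10.9.0.128/25", "r1:10.9.9.0/24"):
        print(value, check_alias(SAMPLE_SUBNET, value))
```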

Cannot connect to alias IP

  1. Verify firewall rules.

    a. List all firewall rules:

        gcloud beta compute firewall-rules list --format=json
        

    b. Verify that traffic to and from alias IP is allowed.

    c. If necessary, add firewall rules to allow pinging alias IP:

        gcloud beta compute firewall-rules create [FIREWALL_NAME1] \
        --network [NETWORK_NAME] --priority 0 --source-ranges [ALIAS_IP] \
        --allow icmp
        
        gcloud beta compute firewall-rules create [FIREWALL_NAME2] \
        --network [NETWORK_NAME] --priority 0 --direction out \
        --destination-ranges [ALIAS_IP] --allow icmp
        

  2. Ensure that the VM recognizes the IP alias ranges as being local. On Linux distributions such as Debian, this can typically be done as follows.

    a. Connect to the instance and run this command:

      ip route show table local
      

    The output should contain the following:

      local [ALIAS_IP_RANGE] dev eth0  proto 66  scope host
      

    b. If local route is not present, configure it using this command:

      ip route add to local [ALIAS_IP_RANGE] dev eth0 proto 66
      

Firewall rule source tags and source service accounts

Firewall source service accounts and source tags expand only to the primary network IPs of matching instances and do not apply to the alias IPs of those instances. So, a firewall rule based on source tags will not affect traffic from an instance alias IP address. Alias IP addresses can be added to firewall rules as source or destination ranges.
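
To find rules affected by this behavior, the JSON from `gcloud compute firewall-rules list --format=json` can be audited for ingress rules that identify sources only by tag or service account. This is an added example, not part of the original documentation: `audit` and `covers` are hypothetical helpers, and the rule list is a constructed sample using the `sourceTags`, `sourceServiceAccounts` and `sourceRanges` fields of the firewall resource.

```python
import ipaddress
import json

# Constructed sample, shaped like the output of
# `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""
[
  {"name": "allow-web-from-frontend", "direction": "INGRESS",
   "sourceTags": ["frontend"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
  {"name": "allow-web-from-alias", "direction": "INGRESS",
   "sourceRanges": ["10.9.0.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
  {"name": "deny-batch-sa", "direction": "INGRESS",
   "sourceServiceAccounts": ["batch@example-project.iam.gserviceaccount.com"],
   "denied": [{"IPProtocol": "all"}]},
  {"name": "allow-egress-icmp", "direction": "EGRESS",
   "destinationRanges": ["10.9.0.0/24"],
   "allowed": [{"IPProtocol": "icmp"}]}
]
""")


def covers(rule, alias_net):
    """True if any sourceRanges entry of the rule contains the alias range."""
    return any(alias_net.subnet_of(ipaddress.ip_network(r))
               for r in rule.get("sourceRanges", []))


def audit(rules, alias_cidr):
    """Return (name, finding) for enabled ingress rules that rely on tags or
    service accounts and have no source range covering alias_cidr."""
    alias_net = ipaddress.ip_network(alias_cidr)
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        identity = rule.get("sourceTags") or rule.get("sourceServiceAccounts")
        if identity and not covers(rule, alias_net):
            # Deny rules matter as much as allow rules: alias traffic slips past.
            action = "deny" if rule.get("denied") else "allow"
            findings.append((rule["name"],
                             f"{action} rule matches {identity} by primary IP "
                             f"only; sources in {alias_cidr} are not matched"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, "10.9.0.0/24"):
        print(f"{name}: {finding}")
```

For each finding, either add the alias range to the rule's source ranges or create a separate source-range rule with the same action.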
