Configuring IPv6 for instances and instance templates

You can configure external IPv6 addresses on virtual machine instances (VMs) if the subnet that they are connected to has external IPv6 addresses enabled. Enabling external IPv6 addresses on a subnet is supported in some regions.

See IPv6 addresses for more information about IPv6 support.

Specifications

  • IPv6 addresses are supported for a VM's primary network interface (nic0) only.

  • The primary network interface of a VM must always have an internal IPv4 address, even when you configure that interface to have an IPv6 address range. This configuration is sometimes called dual stack.

  • VMs can connect to the metadata server only over IPv4, using IP address 169.254.169.254.

Limitations

Connecting to Google APIs and services using external IPv6 addresses is currently not supported and will result in a destination unreachable ICMP response. Most applications will fallback to IPv4 transparently.

If the VM lacks an external IPv4 address, you can access Google APIs and services using Private Google Access. If the VM has an external IPv4 address, you can Access Google APIs from VMs with external IP addresses. VMs with or without external IPv4 addresses can also use Private Service Connect.

IPv6 address assignment

VMs are assigned an external IPv6 address using DHCPv6. The metadata server responds to the VM's DHCPv6 requests and sends the first IP address from the assigned /96 IP range in response. Applications can use any of the IP addresses in the /96 range to connect to the internet or other VMs.

The metadata server uses route advertisement to publish the default route to the VM. The VM can then use this default route for all IPv6 traffic.

On Linux VMs, AnyIP lets applications bind to any IP address within this range.

Windows supports assigning a single IP address (/128 IP range) to a network interface. You cannot assign an entire /96 IP range to a network interface in Windows; however, you can assign multiple single IPv6 addresses from that /96 IP range to the same interface.

You can see both IPv4 and IPv6 addresses on the VM primary interface. VMs can see link local IP addresses, which are assigned from the fe80::/10 range, but they are used only for neighbor discovery.

The MTU is the same as for IPv4.

Create a VM and enable IPv6

You can create a VM with an external IPv6 address only if the subnet that you are connecting it to has external IPv6 addresses enabled.

gcloud

gcloud compute instances create INSTANCE_NAME \
  --ipv6-network-tier=PREMIUM \
  --subnet=SUBNET_NAME \
  --stack-type=IPV4_IPV6 \
  --zone=ZONE

Replace the following:

  • INSTANCE_NAME: the name for the instance.
  • SUBNET_NAME: the subnet to connect the instance to. The subnet must have IPv6 enabled.
  • ZONE: the zone to deploy the instance in.

Enable IPv6 on an existing VM

You can configure an external IPv6 address on a VM only if the subnet that the VM is connected to has external IPv6 addresses enabled.

gcloud

gcloud compute instances network-interfaces update INSTANCE_NAME \
  --ipv6-network-tier=PREMIUM \
  --stack-type=IPV4_IPV6 \
  --zone=ZONE

Replace the following:

  • INSTANCE_NAME: the name for the instance.
  • ZONE: the zone to deploy the instance in.

Disable IPv6 on a VM

gcloud

gcloud compute instances network-interfaces update INSTANCE_NAME \
  --stack-type=IPV4_ONLY

Replace the following:

  • INSTANCE_NAME: the name for the instance.

Create an instance template with IPv6 addresses

You can create an instance template that will configure an external IPv6 addresses on VMs that are created using the template. See Creating instance templates for more information about creating instance templates.

gcloud

gcloud compute instance-templates create TEMPLATE_NAME \
  --ipv6-network-tier=PREMIUM \
  --stack-type=IPV4_IPV6

Replace the following:

  • TEMPLATE_NAME: the name for the template.

Accessing VMs using IPv6 addresses

The implied IPv6 deny ingress firewall rule protects instances by blocking incoming connections to their IPv6 addresses. To access VMs using their IPv6 addresses, you must have a higher priority rule that allows incoming access. For more information about firewall rules, see the VPC firewall overview and the the hierarchical firewall policies overview.