Reserve a static external IP address


You can reserve static external IP addresses for your virtual machine (VM) instance. You can also change, list, and release static IP addresses for your VM.

External IP addresses can be static or ephemeral. If a VM requires a fixed external IP address that does not change, you can obtain a static external IP address. You can reserve new external IP addresses or promote existing ephemeral external IP addresses.

If you require a static IP address on your internal Compute Engine network, see Reserving a static internal address instead.

Before you begin

  • Read about IP addresses.
  • Read about quotas and limits for static external IP addresses.
  • Read about external IP address pricing.
  • If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as follows.

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.

    Terraform

    To use the Terraform samples on this page from a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

    1. Install the Google Cloud CLI.
    2. To initialize the gcloud CLI, run the following command:

      gcloud init
    3. Create local authentication credentials for your Google Account:

      gcloud auth application-default login

    For more information, see Set up authentication for a local development environment.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init

Permissions

Reserving static regional external IPv6 addresses by using the Google Cloud console requires you to select a network and subnetwork. However, to view a list of available networks and subnetworks, you need to be granted the following IAM permissions:

  • compute.networks.list
  • compute.subnetworks.list

About static external IP addresses

A static external IP address is the IP address that is reserved for your resource until you decide to release it. If you have an IP address that your customers or users rely on to access your service, you can reserve that IP address so that only your resource can use it. You can also promote an ephemeral external IP address to a static external IP address.

For more information, see IP addresses.

The following table lists the static external IP addresses supported by Google Cloud.

IP address type | Resource | IP range | Source | Associated with
Regional external IPv4 addresses | VMs and regional load balancers | /32 | Google's pool of external IP addresses | Project
Regional external IPv6 addresses | VMs and supported regional load balancers | /96 | Subnet's external IPv6 address range | Subnet
Global external IPv4 addresses | Global load balancers | /32 | Google's pool of external IP addresses | Project
Global external IPv6 addresses | Global load balancers | /64 | Google's pool of external IP addresses | Project

For a list of regional and global load balancers, see the Summary of load balancer types.

Specifications for using static external IP addresses

  • Only one resource at a time can use a static external IP address.

  • There is no way to check whether an IP address is static or ephemeral after it has been assigned to a resource. You can compare the IP address against the list of static external IP addresses reserved to that project. Use the compute addresses list sub-command to see a list of static external IP addresses available to the project.

  • Each VM can have multiple network interfaces, but each network interface can have only one external IP address that is either ephemeral or static.

  • You cannot change the name of a static IP address.

  • Assigned external IP addresses exist on the same physical host as the VM and exist in the same region as the VM for all purposes, including routing, latency, and pricing. This is true regardless of Internet geolocation lookup information.

Note: Network interfaces can receive traffic from multiple forwarding rules, which might serve other external IP addresses. Any number of external IP addresses can reference a network interface through these forwarding rules, but each network interface can have only one external IP address.

For more information about load balancing and forwarding rules, read the load balancing documentation.
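The comparison described in the specifications above (checking a VM's external IP address against the project's list of reserved addresses) can be scripted. The following is an added example, not part of the original documentation: it classifies each VM external address as static or ephemeral and lists reservations that are not attached to anything. The sample JSON is constructed and trimmed to the fields used, in the shape returned by gcloud compute addresses list --format=json and gcloud compute instances list --format=json; the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample, trimmed to the fields used here, in the shape of
#   gcloud compute addresses list --format=json
ADDRESSES_JSON = """
[
  {"name": "example-address-ipv4", "address": "198.51.100.1",
   "addressType": "EXTERNAL", "status": "RESERVED"},
  {"name": "example-address-new-ipv4", "address": "203.0.113.1",
   "addressType": "EXTERNAL", "status": "IN_USE"},
  {"name": "example-address-new-ipv6", "address": "2001:db8:4000:15::",
   "prefixLength": 96, "addressType": "EXTERNAL", "status": "IN_USE"},
  {"name": "example-internal", "address": "10.128.0.5",
   "addressType": "INTERNAL", "status": "IN_USE"}
]
"""

# Constructed sample, trimmed to the fields used here, in the shape of
#   gcloud compute instances list --format=json
INSTANCES_JSON = """
[
  {"name": "vm-static", "networkInterfaces": [
     {"name": "nic0",
      "accessConfigs": [{"name": "external-nat", "natIP": "203.0.113.1"}],
      "ipv6AccessConfigs": [{"name": "external-ipv6",
                             "externalIpv6": "2001:db8:4000:15:0:0:0:0",
                             "externalIpv6PrefixLength": 96}]}]},
  {"name": "vm-ephemeral", "networkInterfaces": [
     {"name": "nic0",
      "accessConfigs": [{"name": "external-nat", "natIP": "192.0.2.44"}]}]},
  {"name": "vm-no-external", "networkInterfaces": [{"name": "nic0"}]}
]
"""


def reserved_networks(addresses):
    """Return (network, reservation name) for every reserved external address.

    IPv4 reservations become /32 networks; IPv6 reservations use their
    prefixLength (a /96 for regional external IPv6 addresses).
    """
    nets = []
    for a in addresses:
        if a.get("addressType", "EXTERNAL") != "EXTERNAL":
            continue  # internal reservations are out of scope here
        ip = ipaddress.ip_address(a["address"])
        prefix = a.get("prefixLength") or ip.max_prefixlen
        nets.append((ipaddress.ip_network(f"{ip}/{prefix}", strict=False),
                     a["name"]))
    return nets


def external_ips(instance):
    """Yield (nic name, address) for each external IPv4/IPv6 address on a VM."""
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                yield nic["name"], cfg["natIP"]
        for cfg in nic.get("ipv6AccessConfigs", []):
            if cfg.get("externalIpv6"):
                yield nic["name"], cfg["externalIpv6"]


def classify(addresses, instances):
    """Label every VM external address as static or ephemeral."""
    nets = reserved_networks(addresses)
    rows = []
    for inst in instances:
        for nic, raw in external_ips(inst):
            # Parsing normalizes textual variants such as ...:0:0:0:0 vs ::
            ip = ipaddress.ip_address(raw)
            match = next((name for net, name in nets
                          if ip.version == net.version and ip in net), None)
            rows.append({"vm": inst["name"], "nic": nic, "ip": str(ip),
                         "kind": "static" if match else "ephemeral",
                         "reservation": match})
    return rows


def unattached(addresses):
    """Names of external reservations whose status is RESERVED (not in use)."""
    return sorted(a["name"] for a in addresses
                  if a.get("addressType", "EXTERNAL") == "EXTERNAL"
                  and a.get("status") == "RESERVED")


if __name__ == "__main__":
    addrs = json.loads(ADDRESSES_JSON)
    for row in classify(addrs, json.loads(INSTANCES_JSON)):
        print(row)
    print("unattached reservations:", unattached(addrs))
```

An address reported as ephemeral is released when the VM is stopped or deleted, so anything that references it (DNS records, allowlists) should point at a reserved address instead.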

Reserve a new static external IP address

After reserving the address, assign it to a new VM while creating it or to an existing VM.

Console

  1. In the Google Cloud console, go to the Reserve a static address page.

    Go to Reserve a static address

  2. Choose a name for the new address.

  3. Specify whether the network service tier is Premium or Standard. IPv6 static address reservation is supported only in the Premium tier.

  4. Specify whether it is an IPv4 or IPv6 address.

  5. Specify whether this IP address is Regional or Global.

    • If you are reserving a static IP address for a global load balancer, choose Global and then click Reserve.
    • If you are reserving a static IP address for a VM or for a regional load balancer, choose Regional, and then select the region to create the address in.
  6. If you are reserving a regional external IPv6 address, then also choose the following:

    • Network: the VPC network
    • Subnetwork: the subnet from which to assign the static regional IPv6 address
    • Endpoint type: choose VM instance or Network Load Balancer
  7. Optional: If you are reserving the static external IP address for a VM, then in the Attached to list, select a VM to attach the IP address to.

  8. Click Reserve to reserve the IP address.

gcloud

To reserve a static external IP address, use the gcloud compute addresses create command.

Use the following instructions to reserve a static external IPv4 or IPv6 address:

  • To reserve a global IP address, use the --global and --ip-version fields. For the --ip-version field, specify either IPv4 or IPv6. Global IP addresses can be used only with global load balancers.

    gcloud compute addresses create ADDRESS_NAME \
      --global \
      --ip-version [IPV4 | IPV6]
    

    Replace ADDRESS_NAME with the name that you want to associate with this address.

  • To reserve a regional external IPv4 address, use the --region field.

    gcloud compute addresses create ADDRESS_NAME \
       --region=REGION
    

    Replace the following:

    • ADDRESS_NAME: the name that you want to associate with this address.
    • REGION: the region where you want to reserve this address. This region should be the same region as the resource that you want to attach the IP address to.
  • To reserve a regional external IPv6 address, use the --region, --subnet, --ip-version, and --endpoint-type fields. A /96 IPv6 range is assigned from the specified subnet.

    gcloud compute addresses create IPV6_ADDRESS_NAME \
       --region=REGION \
       --subnet=SUBNET_NAME \
       --ip-version=IPV6 \
       --endpoint-type=[VM | NETLB]
    

    Replace the following:

    • IPV6_ADDRESS_NAME: a name for the address.
    • REGION: the region for the address.
    • SUBNET_NAME: the subnet to assign the static regional IPv6 address from. The subnet must have an assigned external IPv6 address range.
    • VM | NETLB: the endpoint type; whether it's a VM or a network load balancer.

To view the result, use the gcloud compute addresses describe command:

gcloud compute addresses describe ADDRESS_NAME

Terraform

You can use the google_compute_address resource to create a regional external IP address.

resource "google_compute_address" "default" {
  name   = "my-test-static-ip-address"
  region = "us-central1"
}

The following sample shows how to use the google_compute_global_address resource to create a global external IPv6 address:

resource "google_compute_global_address" "default" {
  project      = var.project_id # Replace this with your service project ID in quotes
  name         = "ipv6-address"
  address_type = "EXTERNAL"
  ip_version   = "IPV6"
}

REST

  • To create a regional IPv4 address, call the regional addresses.insert method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses
    

    Your request body should contain the following:

    {
      "name": "ADDRESS_NAME"
    }
    

    Replace the following:

    • PROJECT_ID: the project ID for this request
    • REGION: the name of the region for this request
    • ADDRESS_NAME: the name that you want to associate with the address
  • For global static IPv4 addresses, call the globalAddresses.insert method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses
    

    Your request body should contain the following:

    {
      "name": "ADDRESS_NAME"
    }
    
  • For global static IPv6 addresses, call the globalAddresses.insert method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses
    

    Your request body should contain the following:

    {
      "name": "ADDRESS_NAME",
      "ipVersion": "IPV6"
    }
    

    To see the result, use the addresses.get method.

  • For regional static IPv6 addresses, call the addresses.insert method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses
    

    Your request body should contain the following:

    {
      "name": "ADDRESS_NAME",
      "ipVersion": "IPV6",
      "ipv6EndpointType": "VM|NETLB",
      "networkTier": "PREMIUM",
      "subnetwork": "SUBNET"
    }
    

    Replace SUBNET with the subnet for this project.

    To see the result, use the addresses.get method.

Assign a static external IP address to a new VM

After you have reserved a static external IP address, you can assign it to a VM.

Console

  1. In the Google Cloud console, go to the Create an instance page.

    Go to Create an instance

  2. Specify the VM details.

  3. Expand the Advanced options section.

  4. Expand the Networking section.

  5. In the Network interfaces section, expand a network interface to edit it.

  6. To assign an IPv4 address, do the following:

    1. Select a network.
    2. Select the IP address from the External IPv4 address list.
  7. To assign an IPv6 address, do the following:

    1. Select a network that contains an IPv6 subnet.
    2. Select a dual-stack subnet from the Subnetwork list.
    3. For IP stack type, select IPv4 and IPv6 (dual-stack).
    4. Select the newly reserved external IPv6 address from the External IPv6 address list. Alternatively, select CREATE IP ADDRESS and reserve a new static external IPv6 address.
    5. For Network Service Tier, select Premium.
  8. To finish modifying the default network interface, click Done.

  9. Continue with the VM creation process.

gcloud

You can create a VM and assign a static regional external IP address that you have already reserved.

  • To assign a static external IPv4 address, do the following:

    gcloud compute instances create VM_NAME --address=IP_ADDRESS
    

    Replace the following:

    • VM_NAME: the name of the VM.
    • IP_ADDRESS: the IP address to assign to the VM. Use the reserved static external IP address, not the address name.
  • To assign a static external IPv6 address, do the following:

    gcloud compute instances create VM_NAME \
        --subnet=SUBNET \
        --stack-type=IPV4_IPV6 \
        --external-ipv6-address=IPV6_ADDRESS \
        --external-ipv6-prefix-length=96 \
        --ipv6-network-tier=PREMIUM \
        --zone=ZONE
    

Terraform

You can use the google_compute_instance resource to assign an external IP address.

resource "google_compute_instance" "default" {
  name         = "dns-proxy-nfs"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "ubuntu-1404-trusty-v20160627"
    }
  }

  network_interface {
    network = "default"
    access_config {
      nat_ip = google_compute_address.default.address
    }
  }
}

REST

To assign a static external IPv4 address to a new VM, do the following:

In your request to create a new VM, explicitly provide the networkInterfaces[].accessConfigs[].natIP property and the external IPv4 address that you want to use. For example:

{
  "name": "VM_NAME",
  "machineType": "zones/ZONE/machineTypes/MACHINE_TYPE",
  "networkInterfaces": [{
    "accessConfigs": [{
      "type": "ONE_TO_ONE_NAT",
      "name": "External NAT",
      "natIP": "IPV4_ADDRESS"
    }],
    "network": "global/networks/default"
  }],
  "disks": [{
    "autoDelete": "true",
    "boot": "true",
    "type": "PERSISTENT",
    "initializeParams": {
      "sourceImage": "SOURCE_IMAGE"
    }
  }]
}

To assign a static external IPv6 address to a new VM, do the following:

In your request to create a new VM, explicitly provide the networkInterfaces[].ipv6AccessConfigs[].externalIpv6 property and the external IPv6 address that you want to use. For example:

{
  "name": "VM_NAME",
  "machineType": "zones/ZONE/machineTypes/MACHINE_TYPE",
  "networkInterfaces": [{
    "accessConfigs": [{
      "name": "external-nat",
      "type": "ONE_TO_ONE_NAT"
    }],
    "ipv6AccessConfigs": [{
      "externalIpv6": "IPV6_ADDRESS",
      "externalIpv6PrefixLength": 96,
      "name": "external-ipv6-access-config",
      "networkTier": "PREMIUM",
      "type": "DIRECT_IPV6"
    }],
    "stackType": "IPV4_IPV6",
    "subnetwork": "SUBNETWORK"
  }],
  "disks": [{
    "autoDelete": "true",
    "boot": "true",
    "mode": "READ_WRITE",
    "type": "PERSISTENT",
    "initializeParams": {
      "sourceImage": "SOURCE_IMAGE"
    }
  }]
}

Change or assign an external IP address to an existing VM

You can change or assign an external IP address, either ephemeral or static, to an existing VM.

A VM can have multiple interfaces and each interface can have an external IP address. If the VM already has an external IP address, you must remove that address first. Then, you can assign a new external IP address to the existing VM.

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Click the name of the VM that you want to assign an external IP to. The Instance details page displays.
  3. From the Instance details page, complete the following steps:

    1. Click Edit.
    2. Expand Network interfaces.
    3. Select the required external IP address to assign to the VM:
      1. For External IPv4 address, select either Ephemeral or a static external IPv4 address.
      2. For External IPv6 address, select either Ephemeral or a static external IPv6 address.
    4. Click Done.
  4. Click Save.

gcloud

  1. Optional: Reserve a static external IP address.

    If you want to assign a static external IP address, you must reserve an address and make sure that the address is not in use by another resource. If necessary, follow the instructions to reserve a new static external IP address or to unassign a static external IP address.

    If you intend to use an ephemeral external IP address, you can skip this step, and Compute Engine randomly assigns an ephemeral external IP address.

  2. Remove the existing IP address assignment.

    • To remove an IPv4 address from a VM, delete the existing access configs.

      You can set one access configuration for each VM. Before you attempt to assign a new access configuration to a VM, check to see if your VM has an access configuration by making a request using the gcloud compute instances describe command:

      gcloud compute instances describe VM_NAME
      

      If there is an existing access configuration, the access configuration appears in the following format:

      networkInterfaces:
      - accessConfigs:
        - kind: compute#accessConfig
          name: external-nat
          natIP: 203.0.113.1
          type: ONE_TO_ONE_NAT
      

      Before you add a new access config, you must delete the existing access config by using the instances delete-access-config sub-command:

      gcloud compute instances delete-access-config VM_NAME \
          --access-config-name="ACCESS_CONFIG_NAME"
      

      Replace the following:

      • VM_NAME: the name of the VM.
      • ACCESS_CONFIG_NAME: the access config to delete. Make sure to include the full name between quotes.
    • To remove an IPv6 address from a VM, change the stack type.

      Check if your VM has an IPv6 configuration by making a request using the gcloud compute instances describe command:

      gcloud compute instances describe VM_NAME \
          --zone=ZONE
      

      Replace the following:

      • VM_NAME: the name of the VM.
      • ZONE: the zone of the VM.

      If an external IPv6 address has already been assigned to nic0, the configuration is displayed in the following format:

      networkInterfaces:
        ...
        ipv6AccessConfigs:
        - externalIpv6: 2001:db8:4000:15:0:0:0:0
          externalIpv6PrefixLength: 96
          kind: compute#accessConfig
          name: external-ipv6
          networkTier: PREMIUM
          type: DIRECT_IPV6
        ipv6AccessType: EXTERNAL
        kind: compute#networkInterface
        name: nic0
      

      Remove the existing IPv6 address configuration by using the instances network-interfaces update sub-command:

      gcloud compute instances network-interfaces update VM_NAME \
        --network-interface=NIC \
        --stack-type=IPV4_ONLY \
        --zone=ZONE
      

      Replace the following:

      • NIC: the name of the network interface.
      • VM_NAME: the name of the VM.
      • ZONE: the zone of the VM.
  3. Assign the new external IP address.

    • To assign an IPv4 address, use the instances add-access-config sub-command:

      Note: Don't replace IP_ADDRESS with the name of the static IP address. You must use the actual IP address.

      gcloud compute instances add-access-config VM_NAME \
        --access-config-name="ACCESS_CONFIG_NAME" --address=IP_ADDRESS
      

      Replace the following:

      • VM_NAME: the name of the VM.
      • ACCESS_CONFIG_NAME: the name to call this access config. Make sure to include the full name between quotes.
      • IP_ADDRESS: the IP address to add.

      If you want Compute Engine to assign an ephemeral external IP address rather than using a static external IP address, omit the --address IP_ADDRESS property:

      gcloud compute instances add-access-config VM_NAME \
        --access-config-name="ACCESS_CONFIG_NAME"
      
    • To assign an IPv6 address range, use the instances network-interfaces update sub-command:

      gcloud compute instances network-interfaces update VM_NAME \
        --network-interface=NIC \
        --ipv6-network-tier=PREMIUM \
        --stack-type=IPV4_IPV6 \
        --external-ipv6-address=IPV6_ADDRESS \
        --external-ipv6-prefix-length=96 \
        --zone=ZONE
      

      Replace the following:

      • VM_NAME: the name of the VM.
      • NIC: the name of the network interface.
      • IPV6_ADDRESS: the IPv6 address to assign to the VM. Specify the first IPv6 address in the /96 range.
      • ZONE: the zone of the VM.
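The IPv4 steps above carry several preconditions: the address must be reserved and not in use by another resource, it must be in the same region as the VM, any existing access config must be deleted first, and --address takes the IP address rather than the address name. The following added example (not part of the original documentation) checks those preconditions against describe output and only then builds the two gcloud commands. The sample JSON is constructed, the function names are hypothetical, and the fallback access config name external-nat is an assumption; it covers IPv4 only.

```python
import json
import shlex

# Constructed sample in the shape of
#   gcloud compute addresses describe ADDRESS_NAME --region=REGION --format=json
ADDRESS_JSON = """
{"name": "example-address-ipv4", "address": "198.51.100.1",
 "addressType": "EXTERNAL", "status": "RESERVED",
 "region": "https://www.googleapis.com/compute/v1/projects/PROJECT/regions/us-central1"}
"""

# Constructed sample in the shape of
#   gcloud compute instances describe VM_NAME --zone=ZONE --format=json
INSTANCE_JSON = """
{"name": "example-vm",
 "zone": "https://www.googleapis.com/compute/v1/projects/PROJECT/zones/us-central1-a",
 "networkInterfaces": [
   {"name": "nic0",
    "accessConfigs": [{"kind": "compute#accessConfig", "name": "External NAT",
                       "natIP": "203.0.113.1", "type": "ONE_TO_ONE_NAT"}]}]}
"""

DEFAULT_ACCESS_CONFIG_NAME = "external-nat"  # assumption: used if the NIC has none


def last_segment(url):
    """Return the resource name at the end of a Compute Engine resource URL."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def plan_ipv4_swap(address, instance, nic_name="nic0"):
    """Return the gcloud argv lists that put `address` on `instance`.

    Raises ValueError when a precondition from the procedure is not met.
    """
    name = address["name"]
    if address.get("addressType", "EXTERNAL") != "EXTERNAL":
        raise ValueError(f"{name} is not an external address")
    if "region" not in address:
        raise ValueError(f"{name} is global; VMs need a regional address")
    if address.get("status") != "RESERVED":
        users = ", ".join(last_segment(u) for u in address.get("users", []))
        raise ValueError(f"{name} is {address.get('status')} "
                         f"(users: {users or 'unknown'}); unassign it first")

    zone = last_segment(instance["zone"])
    vm_region = zone.rsplit("-", 1)[0]  # us-central1-a -> us-central1
    addr_region = last_segment(address["region"])
    if addr_region != vm_region:
        raise ValueError(f"{name} is in {addr_region}, VM is in {vm_region}")

    nic = next((n for n in instance.get("networkInterfaces", [])
                if n["name"] == nic_name), None)
    if nic is None:
        raise ValueError(f"{instance['name']} has no interface {nic_name}")

    base = ["gcloud", "compute", "instances"]
    scope = [f"--network-interface={nic_name}", f"--zone={zone}"]
    existing = nic.get("accessConfigs", [])
    plan = []
    # Step 2 of the procedure: delete the existing access config, by name.
    for cfg in existing:
        plan.append(base + ["delete-access-config", instance["name"],
                            f"--access-config-name={cfg['name']}"] + scope)
    # Step 3: add the new one, passing the IP address itself, not its name.
    cfg_name = existing[0]["name"] if existing else DEFAULT_ACCESS_CONFIG_NAME
    plan.append(base + ["add-access-config", instance["name"],
                        f"--access-config-name={cfg_name}",
                        f"--address={address['address']}"] + scope)
    return plan


if __name__ == "__main__":
    steps = plan_ipv4_swap(json.loads(ADDRESS_JSON), json.loads(INSTANCE_JSON))
    for argv in steps:
        print(shlex.join(argv))  # quoted so "External NAT" stays one argument
```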

REST

You can change the external IPv4 or IPv6 address of a VM by adding a new access configuration for that VM.

  1. Check if your VM has an existing access configuration. To check the VM details, make a GET request to the instances.get method.

     GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
     

    Replace the following:

    • PROJECT_ID: the project ID for this request
    • ZONE: the zone where the VM is located
    • VM_NAME: the name of the VM

    If there is an existing IPv4 access configuration, the response is similar to the following:

    "networkInterfaces": [
      {
        "network":
        ...
        "name": "nic0",
        "accessConfigs": [
          {
            "type": "ONE_TO_ONE_NAT",
            "name": "External NAT",
            "natIP": "IPV4_ADDRESS",
            "networkTier": "PREMIUM",
            "kind": "compute#accessConfig"
          }
        ],
        ...
      }
    ]
    

    The networkInterfaces[].accessConfigs[].natIP field returns the static external IPv4 address of the VM.

    If there is an existing IPv6 access configuration, the response is similar to the following:

    "networkInterfaces": [
      {
        "network":
        ...
        "name": "nic0",
        "ipv6AccessConfigs": [
          {
            "type": "DIRECT_IPV6",
            "name": "external-ipv6",
            "externalIpv6": "IPV6_ADDRESS",
            "externalIpv6PrefixLength": 96,
            "networkTier": "PREMIUM",
            "kind": "compute#accessConfig"
          }
        ],
        ...
      }
    ]
    

    The networkInterfaces[].ipv6AccessConfigs[].externalIpv6 field returns the static external IPv6 address of the VM.

  2. Delete the existing access configuration by making a POST request to the instances.deleteAccessConfig method.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/deleteAccessConfig
    
  3. Add a new access configuration to the network interface of the VM by making a POST request to the instances.addAccessConfig method.

Change the IP address of a forwarding rule

If you need to update the IP address in a forwarding rule, do the following:

  1. Unassign the IP address.

  2. Delete the forwarding rule using the gcloud compute forwarding-rules delete command or the forwardingRules.delete method.

  3. Recreate the forwarding rule using the gcloud compute forwarding-rules create command or the forwardingRules.insert method.

Promote an ephemeral external IP address

If your VM has an ephemeral external IP address and you want to permanently assign the IP address to your project, promote the ephemeral external IP address to a static external IP address. Promoting an ephemeral external IP address to reserved does not cause Google Cloud to drop packets sent to the VM. This includes packets sent to the VM directly or by means of a load balancer.

Console

  1. Go to the IP addresses page.

    Go to IP addresses

  2. Click External IP addresses.
  3. Optional: In the Filter field, search for the ephemeral IP address that you want to promote.
  4. In the More actions menu of the IP address that you want to promote, select Promote to static IP address.
  5. Enter a name for the new static IP address, and then click Reserve.

gcloud

Use the following instructions to promote an ephemeral external IPv4 or IPv6 address to a static external IP address:

  • To promote an ephemeral external IPv4 address to a static external IPv4 address, provide the ephemeral external IP address by using the --addresses flag with the compute addresses create command. Use the region flag to promote an ephemeral regional IP address or the global flag to promote an ephemeral global IP address.

    gcloud compute addresses create ADDRESS_NAME --addresses=IP_ADDRESS \
        [--region=REGION | --global]
    

    Replace the following:

    • ADDRESS_NAME: the name that you want to associate with this address.
    • IP_ADDRESS: the IP address that you want to promote.
    • REGION: the region that the regional IP address belongs to.

  • To promote an ephemeral regional external IPv6 address to a static regional external IPv6 address, provide the ephemeral external IP address by using the --addresses flag with the compute addresses create command.

    gcloud compute addresses create ADDRESS_NAME \
        --region=REGION \
        --addresses=IPV6_ADDRESS \
        --prefix-length=96
    

    Replace the following:

    • ADDRESS_NAME: a name for the IP address resource.
    • REGION: the region for the IPv6 address resource.
    • IPV6_ADDRESS: the IPv6 address that you're promoting.

REST

To promote an ephemeral regional IP address, call the addresses.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses

To promote an ephemeral global IP address, make a POST request to the following URI:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses

Specify the values for the required fields of the request body:

  • For IPv4 addresses, your request body should contain the following fields:

    {
      "name": "ADDRESS_NAME",
      "address": "IPV4_ADDRESS",
      "addressType": "EXTERNAL"
    }
    
  • For IPv6 addresses, your request body should contain the following fields:

    {
      "name": "ADDRESS_NAME",
      "address": "IPV6_ADDRESS",
      "prefixLength": 96,
      "addressType": "EXTERNAL"
    }
    

    Replace the following:

    • ADDRESS_NAME: the name that you want to associate with this address
    • IPV4_ADDRESS|IPV6_ADDRESS: the IPv4 or IPv6 address that you want to promote
    • REGION: the region that the IPv4 or IPv6 address belongs to
    • PROJECT_ID: the project ID for this request

The external IP address remains attached to the VM even after it has been promoted to a static external IP address. If you need to assign the newly promoted static external IP address to another resource, unassign the static external IP address from the existing VM.

List static external IP addresses

To list static external IP addresses that you have reserved for your project, follow these steps.

Console

To see a list of IP addresses for your project, in the Google Cloud console, go to the External IP addresses page.

Go to External IP addresses

gcloud

Use the gcloud compute addresses list command:

  • To list all IP addresses, use the following command:

    gcloud compute addresses list
  • To list all global IP addresses, use the following command:

    gcloud compute addresses list --global
  • To list all regional IP addresses in a given region, use the following command:

    gcloud compute addresses list \
      --regions=REGION
    

    Replace REGION with the region that you want to list addresses for. You can list addresses of multiple regions by specifying comma-separated region names:

    gcloud compute addresses list \
      --regions=REGION1,REGION2,...,REGION_N
    

REST

  • To list regional IPv4 or IPv6 addresses, call the addresses.list method:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses
    

    Replace the following:

    • REGION: the name of the region for this request
    • PROJECT_ID: the project ID for this request
  • To list all addresses in all regions, call the aggregatedList method:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/addresses
    
  • To list global IPv4 or IPv6 addresses, call the globalAddresses.list method:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses
    

    Replace the following:

    • PROJECT_ID: the project ID for this request

Describe a static external IP address

To get information about a static external IP address, follow these steps.

Console

  1. In the Google Cloud console, go to the External IP addresses page.

    Go to External IP addresses

  2. Click the IP address that you want to get more information about.

gcloud

Use the addresses describe command. Replace ADDRESS_NAME with the name of the external IP address that you want to describe.

  • For a global IPv4 or IPv6 address, use the following command:

    gcloud compute addresses describe ADDRESS_NAME --global
  • For a regional IPv4 or IPv6 address, use the following command:

    gcloud compute addresses describe ADDRESS_NAME --region=REGION

REST

  • To describe a regional IPv4 or IPv6 address, call the addresses.get method:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses/ADDRESS_NAME
    

    Replace the following:

    • ADDRESS_NAME: the name of the IP address
    • REGION: the name of the region for the request
    • PROJECT_ID: the project ID for the request
  • To describe a global IPv4 or IPv6 address, call the globalAddresses.get method:

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses/ADDRESS_NAME
    

    Replace the following:

    • ADDRESS_NAME: the name of the IP address
    • PROJECT_ID: the project ID for the request

Unassign a static external IP address

Unassigning an IP address removes it from the resource but keeps the IP address reserved. After the IP address is unassigned, you can reassign the IP address to another resource.

You can also unassign the IPv4 or IPv6 address by deleting the VM.

Console

  1. In the Google Cloud console, go to the External IP addresses page.

    Go to External IP addresses

  2. Select the static IP address that you want to unassign.
  3. Click Change to open the Attach IP address dialog.
  4. From the Attach to drop-down list, select None.
  5. Click OK.

gcloud

  1. Check if a static IP address is in use by using the gcloud compute addresses list command:

    gcloud compute addresses list
    

    The output is similar to the following:

    NAME                      REGION    ADDRESS                  STATUS
    example-address-ipv4      REGION    198.51.100.1             RESERVED
    example-address-new-ipv4  REGION    203.0.113.1              IN_USE
    example-address-ipv6      REGION    2001:db8:1:1:1:1:1:1     RESERVED
    example-address-new-ipv6  REGION    2001:db8:4:4:4:4:4:4     IN_USE
    
    • If the IP address is not in use, the status is RESERVED.
    • If the IP address is in use, the status is IN_USE.
  2. Retrieve the name of the VM that is using the IP address:

    gcloud compute addresses describe ADDRESS_NAME \
      --region=REGION
    

    Replace the following:

    • ADDRESS_NAME: the name of the IPv6 address resource.
    • REGION: the region of the IPv6 address resource.

    The output is similar to the following:

    address: IP_ADDRESS
    addressType: EXTERNAL
    ...
    region: https://www.googleapis.com/compute/v1/projects/PROJECT/regions/REGION
    selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT/regions/REGION/addresses/ADDRESS_NAME
    status: IN_USE
    subnetwork: https://www.googleapis.com/compute/v1/projects/PROJECT/regions/REGION/subnetworks/SUBNET
    users:
    - https://www.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances/VM_NAME
    

    The users field displays the name of the VM that is using the IP address.

  3. Unassign the IP address from the VM.

    • To unassign an IPv4 address, delete the VM's access config:

      1. Get the name of the access config to delete. To get the name, use the gcloud compute instances describe command. Replace VM_NAME with the name of the VM.

        gcloud compute instances describe VM_NAME
        

        The access config appears in the following format:

        networkInterfaces:
          - accessConfigs:
            - kind: compute#accessConfig
              name: external-nat
              natIP: 203.0.113.1
              type: ONE_TO_ONE_NAT
        
      2. Delete the access config by using the gcloud compute instances delete-access-config command:

        gcloud compute instances delete-access-config VM_NAME \
          --access-config-name="ACCESS_CONFIG_NAME"
        

        Replace the following:

        • VM_NAME: the name of the VM.
        • ACCESS_CONFIG_NAME: the name of the access config to delete. Be sure to include the full name between quotes.
    • To unassign an IPv6 address range, use the instance network-interfaces update command:

      gcloud compute instances network-interfaces update VM_NAME \
        --network-interface=nic0 \
        --stack-type=IPV4_ONLY \
        --zone=ZONE
      

      Replace the following:

      • VM_NAME: the name of the VM that is using the IP address.
      • ZONE: the zone of the VM.
  4. Check that your static external IP address is now available and marked as RESERVED instead of IN_USE.

    gcloud compute addresses list \
      --filter="ADDRESS_NAME AND region=REGION"
    

    Replace the following:

    • ADDRESS_NAME: the name of the IP address resource.
    • REGION: the region of the IP address resource.

Now that your static external IP address is available, you can choose to assign it to another VM.

REST

To unassign a static external IPv4 or IPv6 address, perform the following steps:

  • For IPv4 addresses, delete the access configuration attached to the VM that's using the address.

    1. To check the access configuration details of a VM, make a GET request to the instances.get method.

      GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
      
    2. Delete the existing access configuration by making a POST request to the instances.deleteAccessConfig method.

      POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/deleteAccessConfig
      

      Replace the following:

      • PROJECT_ID: the project ID for this request
      • ZONE: the zone where the VM is located
      • VM_NAME: the name of the VM
  • For IPv6 addresses, update the stack type of the network interface for the VM where the IPv6 address is attached.

    1. Make a PATCH request to the instances.updateNetworkInterface method.

    2. In the request body, update the value of the stackType field to IPV4_ONLY.

      For example:

      PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/updateNetworkInterface
      
      {
        "networkInterfaces": [{
          ...
          "stackType" : "IPV4_ONLY"
          ...
          }]
      }
      

Release a static external IP address

If you no longer need a static external IPv4 or IPv6 address, you can release the IP address by deleting the IP address resource.

If you are using the Google Cloud console, you can release a static IP address only if it is not being used by another resource.

If you're using the gcloud CLI or REST, you can release an IP address whether or not it's being used by another resource.

  • If the IP address is not being used by a resource, the IP address is returned to the pool of available external IP addresses.

  • If the IP address is being used by a resource, it remains attached to the resource until the resource is deleted.

Console

  1. In the Google Cloud console, go to the External IP addresses page.

    Go to External IP addresses

  2. Select the IP address to release.
  3. Click Release IP address.

gcloud

Use the compute addresses delete command:

gcloud compute addresses delete ADDRESS_NAME

Replace ADDRESS_NAME with the name of the IPv4 or IPv6 address to release.

REST

  • To release a regional IPv4 or IPv6 address, call the addresses.delete method:

    DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses/ADDRESS_NAME
    

    Replace the following:

    • ADDRESS_NAME: the name of the IP address
    • REGION: the name of the region for this request
    • PROJECT_ID: the project ID for this request
  • To release a global IPv4 or IPv6 address, call the globalAddresses.delete method:

    DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses/ADDRESS_NAME
    

    Replace the following:

    • ADDRESS_NAME: the name of the IP address
    • PROJECT_ID: the project ID for this request

Restrict external IP addresses to specific VMs

For certain workloads, you might have essential requirements that include security and network restrictions. For example, you might want to restrict external IP addresses so that only specific VMs can use them. This option can help to prevent data exfiltration or maintain network isolation. Using an Organization Policy, you can restrict external IP addresses to specific VMs with constraints to control use of external IP addresses for your VMs within an organization or a project.

The constraint for controlling external IP address on VMs is:

constraints/compute.vmExternalIpAccess

To use the constraint, you specify a policy with an allowedValues list of VMs that can have external IP addresses. If you don't specify a policy, all external IP addresses are allowed for all VMs. When the policy is in place, only the VMs in the allowedValues list can be assigned an external IP address, whether ephemeral or static. Other Compute Engine VMs in the organization or project that are not explicitly listed in the policy are prohibited from using external IP addresses.

VMs are identified in the allow and deny lists using the VM's URI:

projects/PROJECT_ID/zones/ZONE/instances/VM_NAME

Specifications for restricting external IP addresses

  • You can apply this list constraint only to VMs.
  • You cannot apply the constraint retroactively. All VMs that have external IP addresses before you enable the policy retain their external IP addresses.
  • This constraint accepts either an allowedValues list or a deniedValues list, but not both in the same policy.
  • It is up to you or an administrator with the required permissions to manage and maintain the VM lifecycle and integrity. The constraint only verifies the VM's URI, and it does not prevent the VMs in the allowlist from being altered, deleted, or recreated.
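Because the constraint is not retroactive, VMs that already hold an external IP address keep it after the policy is set. The following added example (not part of the original documentation) cross-checks instance data against an allowedValues policy to list those VMs. The input is assumed to have the shape of gcloud compute instances list --format=json output; the sample instances, project and VM names are constructed.

```python
# Added example: find VMs that keep an external IP outside the allowlist.
# Constructed sample shaped like `gcloud compute instances list --format=json`,
# trimmed to the fields used here. Project, zones and VM names are placeholders.
BASE = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
SAMPLE_INSTANCES = [
    {"selfLink": BASE + "us-central1-a/instances/bastion",
     "networkInterfaces": [{"accessConfigs": [{"name": "external-nat", "natIP": "203.0.113.1"}]}]},
    {"selfLink": BASE + "us-central1-a/instances/legacy-web",
     "networkInterfaces": [{"accessConfigs": [{"name": "external-nat", "natIP": "203.0.113.7"}]}]},
    {"selfLink": BASE + "us-central1-b/instances/batch-v6",
     "networkInterfaces": [{"ipv6AccessConfigs": [{"externalIpv6": "2001:db8:1:1:1:1:1:1"}]}]},
    {"selfLink": BASE + "us-central1-b/instances/internal-only",
     "networkInterfaces": [{"networkIP": "10.128.0.5"}]},
]
SAMPLE_POLICY = {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {"allowedValues": [
        "projects/example-project/zones/us-central1-a/instances/bastion"]},
}


def vm_uri(instance):
    """Reduce a selfLink to the projects/.../instances/... form the constraint uses."""
    link = instance["selfLink"]
    return link[link.index("projects/"):]


def external_ips(instance):
    """Collect external IPv4 (natIP) and IPv6 (externalIpv6) addresses on every NIC."""
    found = []
    for nic in instance.get("networkInterfaces", []):
        found += [c["natIP"] for c in nic.get("accessConfigs", []) if c.get("natIP")]
        found += [c["externalIpv6"] for c in nic.get("ipv6AccessConfigs", [])
                  if c.get("externalIpv6")]
    return found


def outside_allowlist(instances, policy):
    """Map VM URI -> external IPs for VMs that hold one but are not in allowedValues.

    Assumes an allowedValues policy, or allValues DENY (an empty allowlist)."""
    allowed = set(policy["listPolicy"].get("allowedValues", []))
    return {vm_uri(i): external_ips(i) for i in instances
            if external_ips(i) and vm_uri(i) not in allowed}


if __name__ == "__main__":
    for uri, ips in outside_allowlist(SAMPLE_INSTANCES, SAMPLE_POLICY).items():
        print(uri, ", ".join(ips))
```

Each VM the function reports either needs its external IP address unassigned or needs to be added to the allowedValues list deliberately.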

Permissions needed for restricting external IP addresses

To set a constraint on either the project or the organization level, you must have been granted the orgpolicy.policyAdmin role on the organization.

Set the policy constraint at the organization level

Console

  1. Go to the Organizational Policies page.

    Go to Organizational Policies

  2. If necessary, select the required organization from the project drop-down menu.
  3. Click Define allowed external IPs for VM instances.
  4. Click Edit to edit the external IP policy. If you can't access the Edit tool, you don't have the correct permissions.
  5. Select Customize to set the org policy for specific VMs.

  6. Select the required Policy enforcement and Policy type.

  7. For Policy values, select Custom.

  8. Enter a URI for a VM and press enter. The URI must be in the following format:

    projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
    
  9. Click New policy value and enter URIs for VMs as needed.

  10. Click Save to apply the constraint.

gcloud

To set a constraint for external IP access, you first need your organization ID. You can find the organization ID by running the organizations list command and looking for the numeric ID in the response:

gcloud organizations list

The gcloud CLI returns a list of organizations in the following format:

DISPLAY_NAME               ID
example-organization1      29252605212
example-organization2      1234567890

Use the gcloud resource-manager org-policies set-policy command to set the policy. You need to provide your policy as a JSON file. Create a JSON file in the following format:

{
  "constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {
    "allowedValues": [
      "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
      "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
      "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
    ]
  }
}

Replace the following:

  • PROJECT_ID: the project ID for this request, such as example-project. Note that this is different from setting up organization policies, which requires the organization numeric ID.
  • ZONE: the zone of the VM
  • VM_NAME: the name of the VM

Alternatively, you can specify a deniedValues list to indicate VMs that you explicitly want to prohibit from having an external IP address. Any VM not on the list would implicitly be allowed to have an external IP address. You can only specify either allowedValues or deniedValues but not both.

Then, pass in the file with your request:

gcloud resource-manager org-policies set-policy MY_POLICY.JSON --organization=ORGANIZATION_ID

Replace ORGANIZATION_ID with the numeric ID of the organization.

If you don't want any VMs to have external IP access, you can set a policy with allValues set to DENY:

{
  "constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {
    "allValues": "DENY"
  }
}

REST

Use the setOrgPolicy() API to define your constraint. The VMs in the allowedValues list you specify are allowed to have external IP addresses. Alternatively, you can specify a deniedValues list of VMs that you explicitly want to prohibit from having an external IP address. Any VM not on the list would implicitly be allowed to have an external IP address. You can only specify either allowedValues or deniedValues but not both.

For example, the following is a request to apply the compute.vmExternalIpAccess constraint to an organization where VMs from certain projects within the organization are allowed to have external IP addresses:

POST https://cloudresourcemanager.googleapis.com/v1/organizations/ORGANIZATION_ID:setOrgPolicy

where ORGANIZATION_ID is the numeric ID of the organization.

Now, in your request body, provide the policy for this constraint:

{
  "policy": {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {
      "allowedValues": [
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
      ]
    }
  }
}

If you don't want any VMs to have external IP access, you can set a policy with allValues set to DENY:

{
  "policy": {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {
      "allValues": "DENY"
    }
  }
}

Set the policy at the project level

Setting a policy at the project level overrides the policy at the organization level. For example, if the organization level has example-vm-1 on the allowedValues list but the policy at the project level has the same VM on the deniedValues list, the VM wouldn't be allowed to have an external IP address.

Console

Follow the same process documented under Set the policy constraint at the organization level, but choose your project from the project selector instead of the organization.

gcloud

Use the gcloud resource-manager org-policies set-policy command to set the policy. You need to provide your policy as a JSON file. Create a JSON file in the following format:

{
 "constraint": "constraints/compute.vmExternalIpAccess",
 "listPolicy": {
  "allowedValues": [
   "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
  ]
 }
}

Replace the following:

  • PROJECT_ID: the project ID for this request, such as example-project. Note that this is different from setting up organization policies, which requires the organization numeric ID.
  • ZONE: the zone of the VM.
  • VM_NAME: the name of the VM.

Alternatively, you can specify a deniedValues list of VMs that you explicitly want to prohibit from having an external IP address. Any VM not on the list would implicitly be allowed to have an external IP address. You can only specify either allowedValues or deniedValues but not both.

Then, pass in the file with your request:

gcloud resource-manager org-policies set-policy MY_POLICY.JSON --project=example-project

REST

Use the setOrgPolicy API to define your constraint. The VMs in the allowedValues list you specify are allowed to have external IP addresses. Alternatively, you can specify a deniedValues list of VMs that you explicitly want to prohibit from having an external IP address. Any VM not on the list is implicitly allowed to have an external IP address. You can only specify either allowedValues or deniedValues but not both.

For example, the following is a request to set the compute.vmExternalIpAccess constraint on a project to allow specific VMs to have external IP addresses:

POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setOrgPolicy

Replace PROJECT_ID with the project ID for this request.

The request body contains the policy for this constraint:

{
  "policy": {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {
      "allowedValues": [
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
      ]
    }
  }
}

Best practices for restricting external IP addresses

  • Avoid using the deniedValues list with this constraint. If you define values in the deniedValues list, only the VMs in that list are restricted from using external IP addresses. This could be a security concern if you want control over exactly which VMs can have external IP addresses. If you want to remove certain VMs from the allowedValues list, update the existing policy to remove the VMs from the allowedValues list rather than putting the VMs into the deniedValues list at a lower hierarchy.

  • If you want to set a policy over a large part of the resource hierarchy but exempt certain projects, restore the default policy for those projects by calling the setOrgPolicy method with the restoreDefault object, which allows all VMs in the projects to be associated with external IP addresses. The current policies for projects are not affected by the default setting.

  • Use the org policy together with IAM roles to better control your environment. This policy applies only to VMs. If you want to better control and restrict external IP addresses on network devices, you can grant the compute.networkAdmin role to the appropriate parties.

  • Any services and products that are running on Compute Engine within the organization or project with the policy enabled are subject to this org policy. Specifically, services such as Google Kubernetes Engine, Dataflow, Dataproc, and Cloud SQL are affected by this policy. If this is an issue, Google recommends that you set up other services and products in a different project that does not have the organization policy applied, and use Shared VPC, if needed.
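The rules in this section (one list type per policy, VM URIs in the projects/PROJECT_ID/zones/ZONE/instances/VM_NAME form, and the advice against deniedValues) can be checked on a policy file before it is passed to set-policy. The following is an added example, not part of the original documentation; lint_policy is a hypothetical helper, the sample policies are constructed, and the regex character classes are an assumption based on Compute Engine naming rules.

```python
import re

CONSTRAINT = "constraints/compute.vmExternalIpAccess"
# projects/PROJECT_ID/zones/ZONE/instances/VM_NAME, as the page requires. The
# character classes are an assumption based on Compute Engine naming rules.
VM_URI = re.compile(
    r"projects/[a-z][a-z0-9.:-]*/zones/[a-z0-9-]+/instances/[a-z]([-a-z0-9]*[a-z0-9])?")


def lint_policy(policy):
    """Return (errors, warnings) for a policy in the set-policy JSON file format."""
    errors, warnings = [], []
    if policy.get("constraint") != CONSTRAINT:
        errors.append("constraint must be " + CONSTRAINT)
    lp = policy.get("listPolicy")
    if not isinstance(lp, dict):
        return errors + ["listPolicy is missing"], warnings
    allowed, denied = lp.get("allowedValues", []), lp.get("deniedValues", [])
    if allowed and denied:
        errors.append("allowedValues and deniedValues cannot both be set")
    for uri in allowed + denied:
        if not VM_URI.fullmatch(uri):  # full URLs and unfilled placeholders fail here
            errors.append("not a VM URI: " + uri)
    for uri in sorted({u for u in allowed if allowed.count(u) > 1}):
        warnings.append("duplicate entry: " + uri)
    if denied:
        warnings.append("deniedValues leaves every unlisted VM free to take an external IP")
    return errors, warnings


# Constructed policies: BAD mixes both lists, keeps a template placeholder and
# uses a full selfLink URL instead of the projects/... form.
GOOD = {"constraint": CONSTRAINT, "listPolicy": {"allowedValues": [
    "projects/example-project/zones/us-central1-a/instances/bastion"]}}
BAD = {"constraint": CONSTRAINT, "listPolicy": {
    "allowedValues": [
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
        "https://www.googleapis.com/compute/v1/projects/example-project"
        "/zones/us-central1-a/instances/bastion"],
    "deniedValues": ["projects/example-project/zones/us-central1-a/instances/legacy-web"]}}

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_policy(pol))
```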

What's next