External IP addresses can be static or ephemeral. If a virtual machine (VM) instance requires a fixed external IP address that does not change, you can obtain a static external IP address. You can reserve new external IP addresses, or promote existing ephemeral external IP addresses.
To reserve one of the following external IP addresses, see Static external IP addresses.
- A global IPv4 or IPv6 address, which can be used for global load balancers.
- A regional IPv4 address, which can be used by VM instances with one or more network interfaces or by regional load balancers.
For a list of regional and global load balancers, see the Summary of Google Cloud load balancers.
To reserve a regional external IPv6 address (Preview) for VM instances, see Static regional external IPv6 address.
If you require a static IP address on your internal Compute Engine network, read Reserving a static internal address instead.
In Compute Engine, each VM instance can have multiple network interfaces. Each interface can have both internal and external IP addresses. Forwarding rules can have external IP addresses for external load balancing or internal addresses for internal load balancing. To learn more about static IP addresses, see External IP addresses.
Before you begin
- If you want to use the command-line examples in this guide, do the following:
  - Install or update to the latest version of the Google Cloud CLI.
  - Set a default region and zone.
- If you want to use the API examples in this guide, set up API access.
- Read about IP addresses.
- Read about quotas and limits for static external IP addresses.
- Read about external IP address pricing.
Specifications
- Only one resource at a time can use a static external IP address.
- There is no way to check whether an IP address is static or ephemeral after it has been assigned to a resource. You can compare the IP address against the list of static external IP addresses reserved to that project. Use the compute addresses list sub-command to see a list of static external IP addresses available to the project.
- Each VM instance can have multiple network interfaces, but each network interface can have only one external IP address that is either ephemeral or static.
- You cannot change the name of a static IP address.
- Assigned external IP addresses exist on the same physical host as the VM instance and exist in the same region as the VM for all purposes, including routing, latency, and pricing. This is true regardless of Internet geolocation lookup information.
Note: Network interfaces can receive traffic from multiple forwarding rules, which might serve other external IP addresses. Any number of external IP addresses can reference a network interface through these forwarding rules, but each network interface can have only one external IP address.
For more information about load balancing and forwarding rules, read the load balancing documentation.
Static external IP addresses
A static external IP address is the IP address that is reserved for your project until you decide to release it. If you have an IP address that your customers or users rely on to access your service, you can reserve that IP address so that only your project can use it. You can also promote an ephemeral external IP address to a static external IP address.
Use these instructions to reserve one of the following external IP addresses:
- A global IPv4 or IPv6 address, which can be used for global load balancers.
- A regional IPv4 address, which can be used by VM instances with one or more network interfaces or by regional load balancers.
For a list of regional and global load balancers, see the Summary of Google Cloud load balancers.
To reserve a regional external IPv6 address (Preview) for VM instances, see Static regional external IPv6 address.
Reserve a new static external IP address
After reserving the address, assign it to a new instance while creating it or to an existing instance.
Console
- Go to the Reserve a static address page.
- Choose a name for the new address.
- Specify whether it is an IPv4 or IPv6 address. Global IPv6 addresses can only be used with global load balancers.
- Specify whether this IP address is regional or global. If you are reserving a static IP address for an instance or for a regional load balancer, choose Regional. If you are reserving a static IP address for a global load balancer, choose Global.
- If this is a regional IP address, select the region to create the address in.
- Optional: Select a resource to attach the IP.
- Click Reserve to reserve the IP.
gcloud
To reserve a static external IP address using gcloud compute, use the compute addresses create command.
If you want to reserve a global IP address, use the --global and --ip-version fields. For the --ip-version field, specify either IPV4 or IPV6. Global IPv6 addresses can only be used with global load balancers.
Replace ADDRESS_NAME with the name you want to call this address.
gcloud compute addresses create ADDRESS_NAME \
    --global \
    --ip-version [IPV4 | IPV6]
If you want to reserve a regional IP address, use the --region field:
gcloud compute addresses create ADDRESS_NAME \
    --region=REGION
Replace the following:
- ADDRESS_NAME: the name you want to call this address.
- REGION: the region where you want to reserve this address. This region should be the same region as the resource you want to attach the IP address to. All regional IP addresses are IPv4.
Use the compute addresses describe command to view the result:
gcloud compute addresses describe ADDRESS_NAME
API
To create a regional IPv4 address, call the regional addresses.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses
Your request body should contain the following:
{ "name": "ADDRESS_NAME" }
Replace the following:
- ADDRESS_NAME: the name you want to call the address
- REGION: the name of the region for this request
- PROJECT_ID: the project ID for this request
For global static IPv4 addresses, call the globalAddresses.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses
Your request body should contain the following:
{ "name": "ADDRESS_NAME" }
For global static IPv6 addresses, call the globalAddresses.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses
Your request body should contain the following:
{ "name": "ADDRESS_NAME", "ipVersion": "IPV6" }
Use the addresses.get method to see the result.
Terraform
You can use a Terraform module to create an external IP address.
In the following example, the Terraform arguments have example values that you can change. The example creates three regional external IPv4 addresses.
The following example creates a global external IPv6 address:
Assign a static external IP address to a new VM instance
When you create a VM instance, it is automatically assigned an ephemeral external IP address. If you don't want an ephemeral external IP address, you can explicitly assign a static external IP address to the instance instead.
Console
Go to the Create an instance page.
Specify the VM details.
Expand the Networking, disks, security, management, sole tenancy section.
Expand the Networking section, and do the following:
- In the Network interfaces section, expand a network interface to edit it.
- In the External IP list, select the static external IP address that you reserved.
- To finish modifying the default network interface, click Done.
Continue with the VM creation process.
gcloud
To assign a static external IP address, use the --address flag during instance creation and provide the static external IP address:
gcloud compute instances create VM_NAME --address=IP_ADDRESS
Replace the following:
- VM_NAME: the name of the VM instance.
- IP_ADDRESS: the IP address to assign to the instance. Use the reserved static external IP address, not the address name.
API
In your request to create a new instance, explicitly provide the networkInterfaces[].accessConfigs[].natIP property and the external IP you want to use. For example:
{
  "name": "VM_NAME",
  "machineType": "zones/ZONE/machineTypes/MACHINE_TYPE",
  "networkInterfaces": [
    {
      "accessConfigs": [
        {
          "type": "ONE_TO_ONE_NAT",
          "name": "External NAT",
          "natIP": "IP_ADDRESS"
        }
      ],
      "network": "global/networks/default"
    }
  ],
  "disks": [
    {
      "autoDelete": "true",
      "boot": "true",
      "type": "PERSISTENT",
      "initializeParams": {
        "sourceImage": "projects/debian-cloud/global/images/v20150818"
      }
    }
  ]
}
Change or assign an external IP address to an existing instance
You can change or assign an external IP address, either ephemeral or static, to an existing instance by modifying the instance's access configuration.
An instance can have multiple interfaces and each interface can have an external IP address. If the instance already has an external IP address, you must remove that address first by deleting the old access configuration. Then, you can add a new access configuration with the new external IP address.
Console
- Go to the VM instances page.
- Click the name of the instance that you want to assign an external IP to. The instance details page displays.
From the instance details page, complete the following steps:
- Click Edit.
- Under Network interfaces, click the edit button.
- Under External IP, select either an ephemeral or static external IP address to assign to the instance.
- Click Done.
- Click Save.
gcloud
[Optional] Reserve a static external IP address.
If you want to assign a static external IP address, you must reserve an address and make sure the address is not currently in use by another resource. If necessary, follow the instructions to reserve a new static external IP address or to unassign a static external IP address.
If you intend to use an ephemeral external IP address, you can skip this step, and Compute Engine randomly assigns an ephemeral external IP address.
Delete existing access configs.
You can set one access configuration for each instance. Before you attempt to assign a new access configuration to an instance, check to see if your instance has an access configuration by making a gcloud compute instances describe request:
gcloud compute instances describe VM_NAME
If there is an existing access configuration, the access configuration appears in the following format:
networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: external-nat
    natIP: 203.0.113.1
    type: ONE_TO_ONE_NAT
Before you add a new access config, you must delete the existing access config using the instances delete-access-config sub-command:
gcloud compute instances delete-access-config VM_NAME \
    --access-config-name="ACCESS_CONFIG_NAME"
Replace the following:
- VM_NAME: the name of the VM instance.
- ACCESS_CONFIG_NAME: the access config to delete. Make sure to include the full name between quotes.
Add the new external IP address.
Using the instances add-access-config sub-command, add a new external IP address:
Note: Don't replace IP_ADDRESS with the name of the static IP. You must use the actual IP address.
gcloud compute instances add-access-config VM_NAME \
    --access-config-name="ACCESS_CONFIG_NAME" --address=IP_ADDRESS
Replace the following:
- VM_NAME: the name of the VM instance.
- ACCESS_CONFIG_NAME: the name to call this access config. Make sure to include the full name between quotes.
- IP_ADDRESS: the IP address to add.
If you want Compute Engine to assign an ephemeral external IP address rather than using a static external IP address, omit the --address IP_ADDRESS property:
gcloud compute instances add-access-config VM_NAME \
    --access-config-name="ACCESS_CONFIG_NAME"
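As an added example (not part of this page or of the gcloud tool), the pre-checks for the procedure above and for the static-versus-ephemeral comparison from the Specifications section, in Python: it reads the JSON that `gcloud compute instances describe VM_NAME --zone=ZONE --format=json` and `gcloud compute addresses list --format=json` return, finds the access config that must be deleted, classifies the VM's current external IP by comparing it with the project's reserved addresses, and refuses to plan a swap onto an address that is IN_USE. Both inputs are constructed samples and the function names are this example's own.

```python
"""Pre-checks before swapping a VM's external IP, run on the JSON that
`gcloud compute instances describe VM_NAME --zone=ZONE --format=json` and
`gcloud compute addresses list --format=json` return. Both samples below are
constructed for this example (RFC 5737 documentation addresses)."""
import json
from typing import Dict, List, Optional, Tuple

INSTANCE_JSON = """{
  "name": "example-vm",
  "networkInterfaces": [{
    "name": "nic0",
    "networkIP": "192.0.2.1",
    "accessConfigs": [{
      "kind": "compute#accessConfig", "name": "external-nat",
      "natIP": "203.0.113.1", "type": "ONE_TO_ONE_NAT"
    }]
  }]
}"""

ADDRESSES_JSON = """[
  {"name": "example-address", "address": "198.51.100.1",
   "addressType": "EXTERNAL", "status": "RESERVED"},
  {"name": "example-address-new", "address": "203.0.113.1",
   "addressType": "EXTERNAL", "status": "IN_USE",
   "users": ["projects/example-project/zones/us-central1-a/instances/example-vm"]},
  {"name": "internal-only", "address": "10.128.0.5",
   "addressType": "INTERNAL", "status": "RESERVED"}
]"""

INSTANCE = json.loads(INSTANCE_JSON)
ADDRESSES = json.loads(ADDRESSES_JSON)


def access_configs(instance: Dict, nic: str = "nic0") -> List[Dict]:
    """Return the IPv4 access configs on one interface (empty list if none)."""
    for iface in instance.get("networkInterfaces", []):
        if iface.get("name") == nic:
            return iface.get("accessConfigs", [])
    raise ValueError(f"{instance.get('name')} has no interface {nic}")


def external_ip_kind(instance: Dict, addresses: List[Dict],
                     nic: str = "nic0") -> Tuple[Optional[str], str]:
    """Return (natIP, kind) where kind is 'none', 'static' or 'ephemeral'.
    The instance itself does not record which kind it carries, so the only
    test is whether the natIP matches a reserved external address in the
    project's address list."""
    cfgs = access_configs(instance, nic)
    if not cfgs:
        return None, "none"
    nat_ip = cfgs[0].get("natIP")
    reserved = {a["address"] for a in addresses
                if a.get("addressType") == "EXTERNAL"}
    return nat_ip, ("static" if nat_ip in reserved else "ephemeral")


def assignable_ip(address_name: str, addresses: List[Dict]) -> str:
    """Resolve a reservation name to the literal IP that --address expects,
    refusing anything that is not RESERVED (an IN_USE address belongs to
    another resource and must be unassigned there first)."""
    for a in addresses:
        if a["name"] == address_name:
            if a.get("status") != "RESERVED":
                holders = ", ".join(a.get("users", [])) or "an unknown resource"
                raise RuntimeError(f"{address_name} is {a.get('status')} by {holders}")
            return a["address"]
    raise KeyError(f"no address named {address_name} is reserved in this project")


def plan_swap(instance: Dict, addresses: List[Dict],
              new_address_name: str, zone: str) -> List[str]:
    """Produce the delete-access-config / add-access-config sequence for nic0,
    in the order the procedure requires, only after the checks above pass."""
    vm = instance["name"]
    new_ip = assignable_ip(new_address_name, addresses)
    cmds = []
    for cfg in access_configs(instance):
        cmds.append(f"gcloud compute instances delete-access-config {vm} "
                    f"--zone={zone} --access-config-name=\"{cfg['name']}\"")
    cmds.append(f"gcloud compute instances add-access-config {vm} "
                f"--zone={zone} --access-config-name=\"External NAT\" "
                f"--address={new_ip}")
    return cmds
```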
API
You can change the external IP address of a VM by adding a new access configuration for that VM.
Check if your VM has an existing access configuration. To check the VM details, make a GET request to the instances.get method.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
Replace the following:
- PROJECT_ID: the project ID for this request
- ZONE: the zone where the VM is located
- VM_NAME: the name of the VM
If there is an existing access configuration, the response is similar to the following:
"networkInterfaces": [
  {
    "network": ...
    "networkIP": "192.0.2.1",
    "name": "nic0",
    "accessConfigs": [
      {
        "type": "ONE_TO_ONE_NAT",
        "name": "External NAT",
        "natIP": "203.0.113.1",
        "networkTier": "PREMIUM",
        "kind": "compute#accessConfig"
      }
    ],
    ...
  }
]
The networkInterfaces[].accessConfigs[].natIP field returns the static external IP address of the VM instance.
Delete the existing access configuration by making a POST request to the instances.deleteAccessConfig method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/deleteAccessConfig
Add a new access configuration to the network interface of the VM instance by making a POST request to the instances.addAccessConfig method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/addAccessConfig
{ "natIP": "IP_ADDRESS", "name": "ACCESS_CONFIG_NAME" }
Replace the following:
- IP_ADDRESS: the external IP address to be associated with the instance. Specify an unused reserved static external IP address available to the project.
- ACCESS_CONFIG_NAME: the name of the access configuration. The default and recommended name is External NAT.
Promote an ephemeral external IP address
If your instance has an ephemeral external IP address and you want to permanently assign the IP to your project, promote the ephemeral external IP address to a static external IP address. Promoting an ephemeral external IP address to reserved does not cause Google Cloud to drop packets sent to the instance. This includes packets sent to the instance directly or by means of a load balancer.
Console
- Go to the External IP addresses page.
- In the same row as the IP address that you want to promote to static, click Reserve.
- Provide a name for the new static IP address and click Reserve.
gcloud
To promote an ephemeral external IP address to a static external IP address, provide the ephemeral external IP address using the --addresses flag with the compute addresses create command.
Use the --region flag to promote an ephemeral regional IP address or the --global flag to promote an ephemeral global IP address.
gcloud compute addresses create ADDRESS_NAME --addresses=IP_ADDRESS \
    [--region=REGION | --global]
Replace the following:
- ADDRESS_NAME: the name you want to call this address
- IP_ADDRESS: the IP address you want to promote
- REGION: the region the regional IP address belongs to
API
To promote an ephemeral regional IP address, call the addresses.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses
To promote an ephemeral global IP address, make a POST request to the following URI:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses
Your request body should contain the following:
{ "name": "ADDRESS_NAME", "address": "IP_ADDRESS" }
Replace the following:
- ADDRESS_NAME: the name you want to call this address
- IP_ADDRESS: the IP address you want to promote
- REGION: the region the IP address belongs to
- PROJECT_ID: the project ID for this request
The external IP address remains attached to the instance even after it has been promoted to a static external IP address. If you need to assign the newly promoted static external IP address to another resource, unassign the static external IP address from the existing instance.
List static external IP addresses
To list static external IP addresses that you have reserved for your project, use the console, run compute addresses list, or make a GET request to the API.
Console
To see a list of IP addresses for your project, go to the External IP addresses page.
gcloud
Use the compute addresses list command:
gcloud compute addresses list
API
Call the addresses.list method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses
Replace the following:
- REGION: the name of the region for this request
- PROJECT_ID: the project ID for this request
To list all addresses in all regions, call the aggregatedList method.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/addresses
Describe a static external IP address
To get information about a static external IP address, use the console, the gcloud CLI, or the API.
Console
- Go to the External IP addresses page.
- Click the IP address you want to get more information about.
gcloud
Use the addresses describe command and replace ADDRESS_NAME with the name of the external IP address that you want to describe.
gcloud compute addresses describe ADDRESS_NAME
API
Call the addresses.get method:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses/ADDRESS_NAME
Replace the following:
- ADDRESS_NAME: the name of the IP address
- REGION: the name of the region for the request
- PROJECT_ID: the project ID for the request
Unassign a static external IP address
You can unassign a static external IP address by changing the IP address assignment using the Cloud console or by deleting the access configuration attached to the VM that's using the address. You can also unassign the IP address by deleting the instance. Unassigning a static external IP address allows you to reassign the static external IP address to another resource.
Unassigning an IP address removes it from the resource but keeps the IP address reserved for your project.
Console
- Go to the External IP addresses page.
- Select the static IP address that you want to unassign.
- Click Change to open the Attach IP address dialog.
- From the Attach to drop-down list, select None.
- Click Ok.
gcloud
You can check if a static IP address is in use by running the gcloud compute addresses list command:
gcloud compute addresses list
The output is similar to the following:
NAME                 REGION  ADDRESS       STATUS
example-address      REGION  198.51.100.1  RESERVED
example-address-new  REGION  203.0.113.1   IN_USE
In this example, example-address-new is currently in use.
To delete an instance's access config and unassign a static external IP address, follow these steps:
Get the name of the access config to delete. To get the name, use the gcloud compute instances describe command. Replace VM_NAME with the name of the VM.
gcloud compute instances describe VM_NAME
The access config appears in the following format:
networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: external-nat
    natIP: 203.0.113.1
    type: ONE_TO_ONE_NAT
Delete the access config.
Use the gcloud compute instances delete-access-config command:
gcloud compute instances delete-access-config VM_NAME \
    --access-config-name="ACCESS_CONFIG_NAME"
Replace the following:
- VM_NAME: the name of the virtual machine instance.
- ACCESS_CONFIG_NAME: the name of the access config to delete. Be sure to include the full name between quotes.
Check that your static external IP address is now available and marked as RESERVED instead of IN_USE.
gcloud compute addresses list
For example:
NAME                 REGION  ADDRESS       STATUS
example-address      REGION  198.51.100.1  RESERVED
example-address-new  REGION  203.0.113.1   RESERVED
Now that your static external IP address is available, you can choose to assign it to another instance.
API
You can unassign a static external IP address by deleting the access configuration attached to the VM that's using the address.
To check the access configuration details of a VM, make a GET request to the instances.get method.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
Delete the existing access configuration by making a POST request to the instances.deleteAccessConfig method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/deleteAccessConfig
Replace the following:
- PROJECT_ID: the project ID for this request
- ZONE: the zone where the VM is located
- VM_NAME: the name of the VM
Release a static external IP address
If you no longer need a static external IP address, you can release the address so that it is returned to the general IP pool for other Compute Engine users.
Console
- Go to the External IP addresses page.
- Check the box next to the IP address to release.
- Click Release IP address.
gcloud
Use the compute addresses delete command.
gcloud compute addresses delete ADDRESS_NAME
Replace ADDRESS_NAME with the name of the IP address to release.
API
Call the addresses.delete method:
DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses/ADDRESS_NAME
Replace the following:
- ADDRESS_NAME: the name of the IP address
- REGION: the name of the region for this request
- PROJECT_ID: the project ID for this request
Static regional external IPv6 addresses
If you have a dual-stack subnet with an external IPv6 range, you can reserve static IPv6 addresses from that subnet.
When you reserve a regional external IPv6 address, a /96 IPv6 address range is allocated from the specified subnet. You can then use the reserved address to configure a dual-stack VM with a static regional IPv6 address.
Configuring static IPv6 addresses is supported on nic0 only.
When you configure a VM with a static IPv6 address, the following applies:
- The VM interface is configured with the first IPv6 address (/128) from the allocated /96 range.
- The VM is configured with a link-local IP address, which is assigned from the fe80::/10 range, but it is used only for neighbor discovery.
- The MTU configuration on the VM's network interface applies to both IPv4 and IPv6 packets.
The following procedures let you configure and manage static regional external IPv6 addresses:
- Reserve a new static regional external IPv6 address
- List static regional external IPv6 addresses
- Describe static regional external IPv6 addresses
- Assign a static regional external IPv6 address to a new VM instance
- Promote an ephemeral regional external IPv6 address
- Change the external IPv6 address configuration for existing instances
- Unassign a static regional external IPv6 address
Limitations
If your VPC network is in a Shared VPC service project, you can't reserve a static regional external IPv6 address that comes from a shared subnet in the host project. You can only reserve a static regional external IPv6 address from a subnet in your own VPC network.
Reserve a new static regional external IPv6 address
When you reserve a regional external IPv6 address, a /96 range is assigned from the specified subnet.
gcloud alpha compute addresses create ADDRESS_NAME \
    --region=REGION \
    --subnet=SUBNET \
    --ip-version=IPV6 \
    --endpoint-type=VM
Replace the following:
- ADDRESS_NAME: a name for the address.
- REGION: the region for the address.
- SUBNET: the subnet to assign the static regional IPv6 address from. The subnet must have an assigned external IPv6 address range.
List static regional external IPv6 addresses
Static regional external IPv6 addresses do not appear in the Cloud console as reserved addresses. Use the Google Cloud CLI to view the addresses.
gcloud compute addresses list \
    --regions=REGION
Replace REGION with the region you want to list addresses for.
Describe static regional external IPv6 addresses
Static regional external IPv6 addresses do not appear in the Cloud console as reserved addresses. Use the Google Cloud CLI to view the assigned /96 IPv6 address range.
gcloud compute addresses describe ADDRESS_NAME \
    --region=REGION
Replace the following:
- ADDRESS_NAME: the name of the address.
- REGION: the region of the address.
Assign a static regional external IPv6 address to a new VM instance
You can create a VM and assign a static regional external IPv6 address that you have already reserved. The VM must be configured with the same region and subnet as the reserved IPv6 address.
gcloud alpha compute instances create VM_NAME \
    --subnet=SUBNET \
    --stack-type=IPV4_IPV6 \
    --ipv6-address=IPV6_ADDRESS \
    --ipv6-prefix-length=96 \
    --ipv6-network-tier=PREMIUM \
    --zone=ZONE
Replace the following:
- VM_NAME: the name of the VM instance.
- SUBNET: the subnet that contains the reserved address.
- IPV6_ADDRESS: the IPv6 address to assign to the VM. Specify the first IPv6 address in the /96 range.
- ZONE: the zone for the VM.
Promote an ephemeral regional external IPv6 address
To promote an ephemeral regional external IPv6 address to a static regional external IPv6 address, provide the ephemeral external IP address using the --addresses flag with the compute addresses create command.
gcloud alpha compute addresses create ADDRESS_NAME \
    --region=REGION \
    --addresses=IPV6_ADDRESS \
    --prefix-length=96
Replace the following:
- ADDRESS_NAME: a name for the IP address resource.
- REGION: the region for the IPv6 address resource.
- IPV6_ADDRESS: the IPv6 address that you are promoting.
Change the external IPv6 address configuration for existing instances
You can modify an existing VM to add or remove an external IPv6 address configuration.
To view the current IPv6 configuration, describe the VM:
Check if your instance has an IPv6 configuration by making a gcloud compute instances describe request:
gcloud compute instances describe VM_NAME \
    --zone=ZONE
Replace the following:
- VM_NAME: the name of the VM instance.
- ZONE: the zone of the VM instance.
If an external IPv6 address has already been assigned to nic0, the configuration is displayed in the following format:
networkInterfaces:
- ...
  ipv6AccessConfigs:
  - externalIpv6: 2001:db8:4000:15:0:0:0:0
    externalIpv6PrefixLength: 96
    kind: compute#accessConfig
    name: external-ipv6
    networkTier: PREMIUM
    type: DIRECT_IPV6
  ipv6AccessType: EXTERNAL
  kind: compute#networkInterface
  name: nic0
To remove the external IPv6 configuration, change the stack type from dual-stack to single-stack.
Remove the existing IPv6 address configuration using the instance network-interfaces update sub-command:
gcloud alpha compute instances network-interfaces update VM_NAME \
    --network-interface=nic0 \
    --stack-type=IPV4_ONLY \
    --zone=ZONE
Replace the following:
- VM_NAME: the name of the VM instance.
- ZONE: the zone of the VM instance.
To assign a static regional external IPv6 address, change the stack type from single-stack to dual-stack. Verify that your VM does not already have an external IPv6 configuration before you assign the address.
Reserve a static external IPv6 address.
If you want to assign a static regional external IPv6 address, you must reserve an address and make sure the address is not currently in use by another resource. The reserved IPv6 address must be in the same region and subnet as the VM.
- To reserve a regional external IP address, see Reserve a new static regional external IPv6 address.
- To check if the regional external IPv6 address is in use, see Unassign a static regional external IPv6 address.
To add a static regional IPv6 address, do the following:
Using the instance network-interfaces update sub-command, add a new external IPv6 address:
gcloud alpha compute instances network-interfaces update VM_NAME \
    --network-interface=nic0 \
    --ipv6-network-tier=PREMIUM \
    --stack-type=IPV4_IPV6 \
    --ipv6-address=IPV6_ADDRESS \
    --ipv6-prefix-length=96 \
    --zone=ZONE
Replace the following:
- VM_NAME: the name of the VM instance.
- IPV6_ADDRESS: the IPv6 address to assign to the VM. Specify the first IPv6 address in the /96 range.
- ZONE: the zone of the VM instance.
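An added example (not the page's or Google's code) for the rule that the VM receives the first /128 of its reserved /96, which is what the --ipv6-address value above must be: Python that derives that value from the dict `gcloud compute addresses describe ADDRESS_NAME --region=REGION --format=json` returns, rejects a reservation that is not on a /96 boundary, and checks the ipv6AccessConfigs on nic0 from `gcloud compute instances describe VM_NAME --zone=ZONE --format=json` against the reservation. Both inputs are constructed samples and the function names are this example's own.

```python
"""Derive a dual-stack VM's static IPv6 address from a /96 reservation and
verify an instance's nic0 configuration against it. Inputs are the dicts that
`gcloud compute addresses describe ... --format=json` and
`gcloud compute instances describe ... --format=json` return; the samples
below are constructed for this example (RFC 3849 documentation prefix)."""
import ipaddress
from typing import Dict, Optional

# Constructed sample of a reserved regional external IPv6 address. The
# address is the /96 range itself, so its low 32 bits are zero.
RESERVATION = {"name": "example-v6", "address": "2001:db8:4000:15::",
               "prefixLength": 96, "ipVersion": "IPV6", "status": "IN_USE"}

# Constructed sample of the matching VM, nic0 configured as dual-stack, in
# the shape `instances describe` shows for an external IPv6 configuration.
INSTANCE = {
    "name": "example-vm",
    "networkInterfaces": [{
        "name": "nic0", "stackType": "IPV4_IPV6", "ipv6AccessType": "EXTERNAL",
        "ipv6AccessConfigs": [{
            "externalIpv6": "2001:db8:4000:15:0:0:0:0",
            "externalIpv6PrefixLength": 96, "name": "external-ipv6",
            "networkTier": "PREMIUM", "type": "DIRECT_IPV6"}]}],
}


def vm_ipv6_for(reservation: Dict) -> str:
    """Return the first /128 of the reserved /96, i.e. the --ipv6-address
    value. A reservation whose address has host bits set inside the /96
    cannot be what a /96 allocation returned, so it is rejected (strict
    IPv6Network raises ValueError on host bits)."""
    plen = int(reservation.get("prefixLength", 96))
    if plen != 96:
        raise ValueError(f"expected a /96 reservation, got /{plen}")
    net = ipaddress.IPv6Network(f"{reservation['address']}/{plen}")
    return str(net[0])


def _nic0(instance: Dict) -> Optional[Dict]:
    """Static IPv6 is supported on nic0 only, so that is the only NIC checked."""
    for iface in instance.get("networkInterfaces", []):
        if iface.get("name") == "nic0":
            return iface
    return None


def ipv6_config_matches(instance: Dict, reservation: Dict) -> bool:
    """True when nic0 is dual-stack and carries exactly the reservation's
    first address with prefix length 96. Address comparison goes through
    ipaddress so that the long form gcloud prints (2001:db8:4000:15:0:0:0:0)
    equals the compressed form (2001:db8:4000:15::)."""
    nic0 = _nic0(instance)
    if not nic0 or nic0.get("stackType") != "IPV4_IPV6":
        return False
    want = ipaddress.IPv6Address(vm_ipv6_for(reservation))
    for cfg in nic0.get("ipv6AccessConfigs", []):
        addr = cfg.get("externalIpv6")
        if not addr or cfg.get("externalIpv6PrefixLength") != 96:
            continue
        if ipaddress.IPv6Address(addr) == want:
            return True
    return False
```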
Unassign a static regional external IPv6 address
You can unassign a static regional external IPv6 address by deleting the instance or changing the instance's stack type to IPv4 only. Unassigning a static IP address removes the address from the resource but keeps the IP address reserved.
If you want to remove the reservation, you can Release a static regional external IPv6 address.
Check the status of the IP address resource using the compute addresses describe command.
gcloud compute addresses describe ADDRESS_NAME \
    --region=REGION
Replace the following:
- ADDRESS_NAME: the name of the IPv6 address resource.
- REGION: the region of the IPv6 address resource.
The output is similar to the following:
address: IPV6_ADDRESS
addressType: EXTERNAL
creationTimestamp: 'TIMESTAMP'
description: 'DESCRIPTION'
id: ID
ipVersion: IPV6
kind: compute#address
name: ADDRESS_NAME
networkTier: PREMIUM
prefixLength: 96
region: https://www.googleapis.com/compute/v1/projects/PROJECT/regions/REGION
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT/regions/REGION/addresses/ADDRESS_NAME
status: IN_USE
subnetwork: https://www.googleapis.com/compute/v1/projects/PROJECT/regions/REGION/subnetworks/SUBNET
users:
- https://www.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances/VM_NAME
In this output:
- If the IP address is not in use, the status is RESERVED.
- If the IP address is in use, the status is IN_USE and the users field displays the VM that is using the IP address.
If the IP address is in use, unassign the static regional external IPv6 address from the VM using the instance network-interfaces update command.
gcloud alpha compute instances network-interfaces update VM_NAME \
    --network-interface=nic0 \
    --ipv6-network-tier=PREMIUM \
    --stack-type=IPV4_ONLY \
    --zone=ZONE
Replace the following:
- VM_NAME: the name of the virtual machine instance that is using the IP address.
- ZONE: the zone of the instance.
Check that your static external IPv6 address is now available and marked as RESERVED instead of IN_USE.
gcloud compute addresses list \
    --filter="ADDRESS_NAME AND region=REGION"
Replace the following:
- ADDRESS_NAME: the name of the IPv6 address resource.
- REGION: the region of the IPv6 address resource.
Release a static regional external IPv6 address
If you no longer need the reserved IPv6 address, you can release it. The released address is returned to the pool of ephemeral addresses in the subnet, and is available for other resources to use.
Use the compute addresses delete command.
gcloud compute addresses delete ADDRESS_NAME
Replace ADDRESS_NAME with the name of the IPv6 address to release.
Restricting external IP addresses to specific VM instances
For certain workloads, you might have essential requirements that include security and network restrictions. For example, you might want to restrict external IP addresses so that only specific VM instances can use them. This option can help to prevent data exfiltration or maintain network isolation. Using an Organization Policy, you can restrict external IP addresses to specific VM instances with constraints to control use of external IP addresses for your VM instances within an organization or a project.
The constraint for controlling external IP addresses on VMs is:
constraints/compute.vmExternalIpAccess
To use the constraint, you specify a policy with an allowedList of VMs that can have external IP addresses. If no policy is specified, all external IP addresses are allowed for all VMs. When the policy is in place, only the VMs that are listed in the allowedValues list can be assigned an external IP address, either ephemeral or static, and other Compute Engine VMs in the organization or project that are not explicitly defined in the policy are prohibited from using external IP addresses.
VM instances are identified in the allow and deny lists using the VM's URI:
projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
Specifications
- You can only apply this list constraint to VM instances.
- You cannot apply the constraint retroactively. All VM instances that have external IP addresses before the policy is enabled retain their external IP address.
- This constraint accepts either an allowedList or a deniedList but not both in the same policy.
- It is up to you or an administrator with the required permissions to manage and maintain the instance lifecycle and integrity. The constraint only verifies the instance's URI, and it does not prevent the allowlisted VMs from being altered, deleted, or recreated.
Permissions
To set a constraint on either the project or the organization level, you must have been granted the orgpolicy.policyAdmin role on the organization.
Set the policy constraint at the organization level
Console
- Go to the Organizational Policies page.
- If necessary, select the required organization from the project drop-down menu.
- Click Define allowed external IPs for VM instances.
- Click Edit to edit the external IP policy. If you can't access the Edit tool, you do not have the correct permissions.
- Select Customize to set the org policy for specific VM instances.
- Select the required Policy enforcement and Policy type.
- Under Policy values, select Custom.
- Enter a URI for a VM instance and press Enter. The URI must be in the following format:
  projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
- Click New policy value and enter URIs for additional VM instances as needed.
- Click Save to apply the constraint.
gcloud
To set a constraint for external IP access, you first need your organization ID. You can find the organization ID by running the organizations list command and looking for the numeric ID in the response:
gcloud organizations list
The gcloud CLI returns a list of organizations in the following format:
DISPLAY_NAME            ID
example-organization1   29252605212
example-organization2   1234567890
Use the gcloud resource-manager org-policies set-policy command to set the policy. You need to provide your policy as a JSON file. Create a JSON file in the following format:
{
  "constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {
    "allowedValues": [
      "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
      "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
      "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
    ]
  }
}
Replace the following:
- PROJECT_ID: the ID of the project that contains the VM, such as example-project. Note that this is different from the target of the organization policy itself, which is identified by the organization's numeric ID.
- ZONE: the zone of the instance.
- VM_NAME: the name of the VM instance.
Alternatively, you can specify a deniedValues list of VM instances that you explicitly want to prohibit from having an external IP address. Any instance not on the list is implicitly allowed to have an external IP address. You can specify either allowedValues or deniedValues, but not both.
Then, pass in the file with your request:
gcloud resource-manager org-policies set-policy MY_POLICY.JSON --organization=ORGANIZATION_ID
Replace ORGANIZATION_ID with the numeric ID of the organization.
If you do not want any VMs to have external IP access, you can set a policy with allValues set to DENY:
{
  "constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {
    "allValues": "DENY"
  }
}
API
Use the setOrgPolicy() API to define your constraint. The VMs in the allowedValues list you specify are allowed to have external IP addresses. Alternatively, you can specify a deniedValues list of VM instances that you explicitly want to prohibit from having an external IP address. Any instance not on the list is implicitly allowed to have an external IP address. You can specify either allowedValues or deniedValues, but not both.
For example, the following is a request to apply the compute.vmExternalIpAccess constraint to an organization so that specific VM instances in projects within the organization are allowed to have external IP addresses:
POST https://cloudresourcemanager.googleapis.com/v1/organizations/ORGANIZATION_ID:setOrgPolicy
Replace ORGANIZATION_ID with the numeric ID of the organization.
In the request body, provide the desired policy for this constraint:
{
  "policy": {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {
      "allowedValues": [
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME",
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
      ]
    }
  }
}
If you do not want any instances to have external IP access, you can set a policy with allValues set to DENY:
{
  "policy": {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {
      "allValues": "DENY"
    }
  }
}
Set the policy at the project level
Setting a policy at the project level overrides the policy at the organization level: by default, a listPolicy set on a project replaces the one inherited from the organization rather than merging with it. For example, if the organization level has example-vm-1 on the allowedValues list but the policy at the project level has the same VM on the deniedValues list, the VM instance is not allowed to have an external IP address. If the project policy sets inheritFromParent to true, the lists are merged instead, and a value that is both allowed and denied is denied.
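To make these rules concrete, the following is an added Python example; it is not code from this documentation or from Google's tooling. It evaluates a vmExternalIpAccess policy for a VM URI, applies the project-over-organization override just described, and audits a list of instances for VMs that already hold an external IP but would be refused by the policy, which is the gap the non-retroactive behaviour noted under Specifications leaves open. The instance records mimic a subset of gcloud compute instances list --format=json output; the project, zone, instance names, addresses and policies are constructed for illustration.

```python
"""Evaluate constraints/compute.vmExternalIpAccess policies and audit VMs.

Added example, not code from the Compute Engine documentation or Google's
tooling. Policies use the listPolicy JSON shape shown on this page. The
instance records mimic a subset of `gcloud compute instances list
--format=json` (name, zone URL, networkInterfaces[].accessConfigs[].natIP)
and are constructed here; project, zone, names and addresses are made up.
"""
import re
from typing import List, Optional, Tuple

CONSTRAINT = "constraints/compute.vmExternalIpAccess"

# The exact shape of a VM reference that the constraint matches on.
VM_URI_RE = re.compile(
    r"^projects/(?P<project>[a-z][-a-z0-9]{4,28}[a-z0-9])"
    r"/zones/(?P<zone>[a-z0-9-]+)"
    r"/instances/(?P<name>[a-z]([-a-z0-9]*[a-z0-9])?)$"
)


def validate_policy(policy: dict) -> dict:
    """Reject what the constraint rejects: another constraint, allowedValues
    and deniedValues in one listPolicy, or a value that is not a VM URI."""
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError("not a vmExternalIpAccess policy")
    lp = policy.get("listPolicy", {})
    if "allowedValues" in lp and "deniedValues" in lp:
        raise ValueError("allowedValues and deniedValues cannot be combined")
    for uri in lp.get("allowedValues", []) + lp.get("deniedValues", []):
        if not VM_URI_RE.match(uri):
            raise ValueError(f"not a VM instance URI: {uri}")
    return policy


def is_allowed(policy: Optional[dict], vm_uri: str) -> bool:
    """May vm_uri be assigned an external IP under this policy?
    No policy: all allowed. allValues DENY: none allowed. allowedValues: only
    listed VMs. deniedValues: every VM except the listed ones."""
    if policy is None:
        return True
    lp = validate_policy(policy).get("listPolicy", {})
    if lp.get("allValues") == "DENY":
        return False
    if "allowedValues" in lp:
        return vm_uri in lp["allowedValues"]
    if "deniedValues" in lp:
        return vm_uri not in lp["deniedValues"]
    return True


def effective_policy(org_policy: Optional[dict],
                     project_policy: Optional[dict]) -> Optional[dict]:
    """Override rule from this page: a policy set on the project replaces the
    organization's policy. (inheritFromParent merging is not modelled.)"""
    return project_policy if project_policy is not None else org_policy


def vm_uri_from_instance(instance: dict) -> str:
    """Derive the constraint's URI form from an instance resource, whose zone
    field is a full URL ending in projects/PROJECT/zones/ZONE."""
    m = re.search(r"projects/([^/]+)/zones/([^/]+)$", instance["zone"])
    if m is None:
        raise ValueError(f"unexpected zone URL: {instance['zone']}")
    return f"projects/{m.group(1)}/zones/{m.group(2)}/instances/{instance['name']}"


def external_ips(instance: dict) -> List[str]:
    """External IPv4 addresses (accessConfigs[].natIP) across all interfaces.
    IPv6 access configs (ipv6AccessConfigs[].externalIpv6) are not checked."""
    return [ac["natIP"]
            for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", [])
            if ac.get("natIP")]


def audit(instances: List[dict],
          policy: Optional[dict]) -> List[Tuple[str, List[str]]]:
    """VMs that hold an external IP now but that the policy would refuse. The
    constraint is not retroactive, so these keep their addresses until removed."""
    findings = []
    for inst in instances:
        uri, ips = vm_uri_from_instance(inst), external_ips(inst)
        if ips and not is_allowed(policy, uri):
            findings.append((uri, ips))
    return findings


# Constructed sample data; none of these are real resources.
ZONE_URL = "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a"
VM = "projects/example-project/zones/us-central1-a/instances/"
ORG_POLICY = {"constraint": CONSTRAINT,
              "listPolicy": {"allowedValues": [VM + "bastion-1", VM + "web-1"]}}
# A project-level deny list: the pattern the best practices below warn against.
PROJECT_POLICY = {"constraint": CONSTRAINT,
                  "listPolicy": {"deniedValues": [VM + "web-1"]}}
DENY_ALL = {"constraint": CONSTRAINT, "listPolicy": {"allValues": "DENY"}}


def nic(ip: Optional[str]) -> dict:
    return {"accessConfigs": [{"natIP": ip}]} if ip else {}


SAMPLE_INSTANCES = [
    {"name": "bastion-1", "zone": ZONE_URL, "networkInterfaces": [nic("203.0.113.10")]},
    {"name": "web-1", "zone": ZONE_URL, "networkInterfaces": [nic("203.0.113.11")]},
    {"name": "legacy-db", "zone": ZONE_URL, "networkInterfaces": [nic("203.0.113.12")]},
    {"name": "worker-1", "zone": ZONE_URL, "networkInterfaces": [nic(None)]},
]

if __name__ == "__main__":
    for label, pol in [("org allowlist", ORG_POLICY),
                       ("project denylist overriding org",
                        effective_policy(ORG_POLICY, PROJECT_POLICY)),
                       ("deny all", DENY_ALL)]:
        print(label)
        for uri, ips in audit(SAMPLE_INSTANCES, pol):
            print(f"  {uri} still holds {', '.join(ips)}")
```

Under the organization allowlist the audit reports legacy-db, which keeps 203.0.113.12 because the constraint is not retroactive; under the project-level deny list it reports only web-1, because that project policy replaced the allowlist and implicitly allowed everything else. To run it against a real project, replace SAMPLE_INSTANCES with the parsed output of gcloud compute instances list --project=PROJECT_ID --format=json and the policy with gcloud resource-manager org-policies describe constraints/compute.vmExternalIpAccess --project=PROJECT_ID --effective --format=json.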
Console
Follow the same process documented under Set a policy constraint at the organization level but choose your desired project from the project selector instead of the organization.
gcloud
Use the gcloud resource-manager org-policies set-policy command to set the policy. You need to provide your policy as a JSON file. Create a JSON file in the following format:
{
  "constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {
    "allowedValues": [
      "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
    ]
  }
}
Replace the following:
- PROJECT_ID: the ID of the project that contains the VM, such as example-project. Note that this is different from setting up organization policies, which require the organization's numeric ID.
- ZONE: the zone of the instance.
- VM_NAME: the name of the VM instance.
Alternatively, you can specify a deniedValues list of VM instances that you explicitly want to prohibit from having an external IP address. Any instance not on the list is implicitly allowed to have an external IP address. You can specify either allowedValues or deniedValues, but not both.
Then, pass in the file with your request:
gcloud resource-manager org-policies set-policy MY_POLICY.JSON --project=example-project
API
Use the setOrgPolicy API to define your constraint. The VMs in the allowedValues list you specify are allowed to have external IP addresses. Alternatively, you can specify a deniedValues list of VM instances that you explicitly want to prohibit from having an external IP address. Any instance not on the list is implicitly allowed to have an external IP address. You can specify either allowedValues or deniedValues, but not both.
For example, the following is a request to set the compute.vmExternalIpAccess constraint on a project to allow specific VM instances to have external IP addresses:
POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setOrgPolicy
Replace PROJECT_ID with the project ID for this request.
The request body contains the desired policy for this constraint:
{
  "policy": {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {
      "allowedValues": [
        "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
      ]
    }
  }
}
Best practices
- Avoid using the deniedValues list with this constraint. If you define values in the deniedValues list, only the VM instances in that list are restricted from using external IP addresses, and every other VM is implicitly allowed. This is a security concern if you want control over exactly which VMs can have external IP addresses. If you want to remove certain VMs from the allowedValues list, update the existing policy to remove the VMs from the allowedValues list rather than putting the VMs into a deniedValues list lower in the hierarchy.
- If you want to set a policy over a large part of the resource hierarchy but exempt certain projects, restore the default policy for those projects by calling the setOrgPolicy method with the restoreDefault object. This allows all VMs in those projects to be associated with external IP addresses. Policies currently in place for other projects are not affected by the default setting.
- Use the org policy together with IAM roles to better control your environment. This policy only applies to VM instances; if you want to control and restrict external IP addresses on other network resources, such as forwarding rules, grant the Compute Network Admin role (roles/compute.networkAdmin) only to the appropriate parties.
- Any services and products that run on Compute Engine within the organization or project with the policy enabled are subject to this org policy. In particular, services such as Google Kubernetes Engine, Dataflow, Dataproc, and Cloud SQL are affected. If this is an issue, Google recommends that you set up those services and products in a different project that does not have the organization policy applied, and use Shared VPC (formerly called Cross-Project Networking), if needed.
What's next
- Learn more about IP addresses.
- Learn more about networks and firewalls.
- Learn how to address VM instances using internal DNS.
- Review VPC pricing.