IPv6 Termination for HTTP(S), SSL Proxy, and TCP Proxy Load Balancing

Google Cloud Platform (GCP) supports IPv6 clients with HTTP(S), SSL proxy, and TCP proxy load balancing. The load balancer accepts IPv6 connections from your users, then proxies those connections to your instances.

Overview

You can configure both IPv4 and IPv6 external addresses for HTTP(S), SSL proxy, and TCP proxy load balancers.

Global IPv6 load balancing (click to enlarge)
Global IPv6 load balancing (click to enlarge)

IPv6 termination for HTTP(S), SSL proxy, and TCP proxy load balancing enables you to handle IPv6 requests from your users and proxy them over IPv4 to your backend instances.

This user guide describes capabilities for, and configuration of, IPv6 termination for HTTP(S), SSL proxy, and TCP proxy load balancing.

IPv6 termination and proxy

Configuring IPv6 termination for your load balancers lets your backend instances appear as IPv6 applications to your IPv6 clients.

IPv6 termination for load balancing (click to enlarge)
IPv6 termination for load balancing (click to enlarge)

When a user connects to the load balancer via IPv6, the following happens:

  1. Your load balancer, with its IPv6 address and forwarding rule, waits for user connections.
  2. An IPv6 client connects to the load balancer via IPv6.
  3. The load balancer acts as a reverse proxy and terminates the IPv6 client connection. It places the request into an IPv4 connection to a backend instance.
  4. On the reverse path, the load balancer receives the IPv4 response from the backend instance, then places it into the IPv6 connection back to the original client.

Configuring IPv6 and IPv4 load balancing IPs for the same backend instances

If you need to serve both IPv6 and IPv4 clients with your IPv4 backend instances, you can create two forwarding rules, one with an IPv6 address and the other with an IPv4 address. You can then associate both forwarding rules with the same load balancer and backend instances.

Directing IPv4 and IPv6 traffic to the same backend instances (click to enlarge)
Directing IPv4 and IPv6 traffic to the same backend instances (click to enlarge)

IPv6 address allocation for load balancer forwarding rules

When you configure an HTTP(S), SSL proxy, or TCP proxy load balancer, you provide it with one or more global forwarding rules, each with an external, publicly routed IPv4 or IPv6 IP address. You can use this IP address in the DNS records for your site.

When you create a forwarding rule, you can either use a static IP address reserved for your project or you can have the forwarding rule automatically acquire an ephemeral IP address when you create the rule. A static IP address is reserved to your project, and you can keep it until you deliberately release it. An ephemeral address belongs to the forwarding rule as long as the forwarding rule exists. If you delete the forwarding rule, the ephemeral address is released back into the GCP pool.

If you need both an IPv4 and IPv6 address for your load balancer, you can create two forwarding rules, associating an IPv4 address with one and an IPv6 address with the other. You can then associate both rules with the same load balancer.

IPv6 termination features

All features supported for IPv4 load balancing are also supported with IPv6 load balancing. These include:

Client IP header with IPv6 termination for HTTP(S) load balancing

When the load balancer proxies the IPv6 connection from the client to an IPv4 connection to your instance, the original source IP address is replaced with the load balancer's IP address. However, backend instances often need to know the original source IP for logging, decision making, or for other purposes. GCP provides an HTTP header that is propagated to the backend instance which includes the original IPv6 client IP.

HTTP headers for IPv6 are similar to those for IPv4. The format for requests is:

  • X-Forwarded-For: <client IP(s)>, <global forwarding rule external IP>
  • The last element shows the load balancer IP. The second to last element shows the client IP as seen by the load balancer. There may be other elements in the X-Forwarded-For header in cases where the client or intervening proxies add other X-Forwarded-For headers before sending the request to the load balancer.

An example X-Forwarded-For header may look like this:

X-Forwarded-For: 2001:db8:abcd:1::1234, 2607:f8b0:4005:801::200e

The first (second-to-last) address is the client’s IPv6 address. The second address is the IPv6 address of the HTTP(S) load balancer.

gcloud command-line tool

Global addresses

Read and manipulate GCP addresses.

create

Reserves a new IP address or promotes an ephemeral IP address to reserved.

gcloud beta compute addresses create [ADDRESS_NAME] \
    [--addresses [IP_ADDRESS]] \
    [--description DESCRIPTION] \
     --global \
    --ip-version [IP_VERSION]
  • --ip-version [IP_VERSION]
    Valid values are IPV4 and IPV6. Allowed only when --addresses is not included. If not provided, then a value of IPV4 is used. Requires the --global flag. If provided, an ephemeral IP address of the specified IP version will be created.

To reserve a global IPv6 address, run:

gcloud beta compute addresses create [ADDRESS_NAME] --global --ip-version IPV6
address: 2001:db8:2a:1::
creationTimestamp: '2016-08-22T14:55:58.391-07:00'
description: ''
id: '3806558258942364167'
kind: compute#address
name: [ADDRESS_NAME]
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses/[IP_ADDRESS]
status: RESERVED
ipVersion: IPV6

describe

IPv6 addresses will be displayed using colon notation. For example:

gcloud compute addresses describe [ADDRESS_NAME] --global
address: 2001:db8:2a:1::
creationTimestamp: '2016-08-22T14:55:58.391-07:00'
description: ''
id: '3806558258942364167' kind: compute#address name: ADDRESS ipVersion: IPV6

list

IPv6 addresses will be displayed using colon notation. For example:

gcloud compute addresses list --global
NAME        REGION  ADDRESS                STATUS    IP VERSION
ADDRESS1            2001:db8:2a:1::        RESERVED  IPv6
ADDRESS2            2001:db8:abcd:1234::   IN_USE    IPv6

Global forwarding rules

create

gcloud beta compute forwarding-rules create [RULE_NAME] \
    [--address [IP_ADDRESS]] \
    [--ip-protocol [IP_PROTOCOL]] \
    [--ports=[PORT | PORT-PORT],[[PORT | PORT-PORT],…]] \
    --global \
    [--ip-version [IP_VERSION]] \
    [--target-http-proxy [HTTP_PROXY]
      | --target-https-proxy [HTTPS_PROXY]
      | --target-ssl-proxy [SSL_PROXY]
      | --target-tcp-proxy [TCP_PROXY]]
  • --ip-version [IP_VERSION]
    Valid values are IPV4 and IPV6. Allowed only when --address is not included. If not provided, then a value of IPV4 is used. Requires the --global flag. If provided, an ephemeral IP address of the specified IP version will be created.

To create a global forwarding rule with an ephemeral IPv6 address, run:

gcloud beta compute forwarding-rules create [RULE_NAME] \
    --global \
    --ip-version IPV6 \
    --target_https_proxy [PROXY_NAME] \
    --ports [PORT]

This command returns something like the following:

IPAddress: 2607:f8b0:4005:801::
IPProtocol: TCP
creationTimestamp: '2016-08-26T15:00:12.579-07:00'
description: ''
id: '7746473729712784647'
kind: compute#forwardingRule
name: NAME
portRange: [PORT]-[PORT]
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/[RULE_NAME]
target: [PROXY_NAME]
ipVersion: IPV6

describe

IPv6 addresses are displayed using colon notation.

gcloud compute forwarding-rules describe [RULE_NAME] --global
IPAddress: 2001:db8:4f:7::
IPProtocol: TCP
creationTimestamp: '2016-08-26T14:25:08.225-07:00'
description: ''
id: '5458687325652192607'
kind: compute#forwardingRule
name: [RULE_NAME]
portRange: [PORT-PORT]
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/[RULE_NAME]
target: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetHttpProxies/[HTTP_PROXY]
ipVersion: IPV6

list

IPv6 addresses will be displayed using colon notation.

gcloud compute forwarding-rules list --global
NAME     REGION  IP_ADDRESS            PORT  IP_PROTOCOL  TARGET   IP VERSION
NAME1            [IPV4_ADDRESS]        80    TCP          TARGET1  IPv4
NAME2            [IPV6_ADDRESS]        80    TCP          TARGET2  IPv6
NAME3            [IPV6_ADDRESS]        8080  TCP          TARGET3  IPv6

Pricing

Forwarding rules for IPv6 termination are provided at no additional cost. Pricing for reserved but unused IPv6 addresses is the same as for IPv4 addresses. The rest of the pricing is the same as that for all other load balancing flavors. View load balancing pricing details here.

Send feedback about...

Compute Engine Documentation