Multiple network interfaces
This page provides an overview of multiple network interfaces in a virtual machine (VM) instance, including how they work and sample configurations. For information about creating configurations that use multiple interfaces, see Create VMs with multiple network interfaces.
VMs with multiple network interface controllers are referred to as multi-NIC VMs.
Google Cloud Virtual Private Cloud (VPC) networks are by default isolated private networking domains. Networks have a global scope and contain regional subnets. VM instances within a VPC network can communicate among themselves by using internal IP addresses as long as firewall rules permit. However, no internal IP address communication is allowed between networks, unless you set up mechanisms such as VPC Network Peering or Cloud VPN.
Every instance in a VPC network has a default network interface. When you configure a network interface, you select a VPC network and a subnet within that VPC network to connect the interface to. You can create additional network interfaces attached to your VMs, but each interface must attach to a different VPC network. Multiple network interfaces let you create configurations in which an instance connects directly to several VPC networks.
Each instance can have up to eight interfaces, depending on the instance's type. For more information, see Maximum number of network interfaces.
The stack type of an interface determines the IP addresses that it can have and the types of subnets to which it can connect. The stack type of an interface can be IPv4-only, dual-stack (IPv4 and IPv6), or IPv6-only (Preview). For more information, see Stack types.
Typically, you might require multiple interfaces if you want to configure an instance as a network appliance that does load balancing, Intrusion Detection and Prevention (IDS/IPS), Web Application Firewall (WAF), or WAN optimization between networks. Multiple network interfaces are also useful when applications running in an instance require traffic separation, such as separation of data plane traffic from management plane traffic.
Each interface on a VM is affected by the MTU of the attached network. For more information about interface MTU, see Maximum transmission unit.
Use cases
Use multiple network interfaces when an individual instance needs access to more than one VPC network, but you don't want to connect both networks directly.
Network and security function: Multiple network interfaces enable virtualized network appliance functions such as load balancers, network address translation (NAT) servers, and proxy servers that are configured with multiple network interfaces. For more details, see Example 1: Networking and security virtual appliances.
Perimeter isolation (also known as DMZ isolation): An important best practice in tiered networking architectures is to isolate public-facing services from an internal network and its services. Use multiple network interfaces to create configurations where there are separate network interfaces on the instance, one of them accepting public-facing traffic and another handling backend private traffic that has more restrictive access controls.
Any resources that can be reached from the internet should be separated from your internal network and its services. This drastically limits the scope and damage that a security breach can cause. For example, you can place a second network interface on each web server that connects to a mid-tier network where an application server resides. The application server can also be dual-homed to a backend network where the database server resides. Each dual-homed instance receives and processes requests on the frontend, initiates a connection to the backend, and then sends requests to the servers on the backend network.
By configuring separate interfaces, one public-facing and another private- facing, you can apply separate firewall rules and access controls to each interface separately and enforce security functions in communications from the public to private domain. For more information, see Example 2: Using third-party appliances in a Shared VPC network scenario.
Configuration examples
This section examines several common examples of how to use multiple network interfaces.
Example 1: Networking and security virtual appliances
Networking and security virtual appliances, such as web application firewalls (WAF), security application-level firewalls, and WAN accelerators, are usually configured with multiple virtual interfaces. Each of the multiple interfaces is configured with its own internal IP address and, optionally, with its own external IP address.
Figure 1 describes an example configuration of an application-level firewall that controls traffic from the internet to a VPC network. The application-level firewall is implemented in Compute Engine VMs.
In this example, the default route of the appliance VM has been configured to
use nic1
.
Provision and configure instances for example 1
The following assumes that subnet0
, subnet1
, and subnet2
already exist,
with non-overlapping ranges.
To create the VM and network interfaces in this example, use the following command:
gcloud compute instances create vm-appliance \ --network-interface subnet=subnet0,no-address \ --network-interface subnet=subnet1 \ --network-interface subnet=subnet2,no-address \ --machine-type n1-standard-4
This command creates an instance with three network interfaces:
nic0
is attached tosubnet0
and has no external IP address.nic1
is attached tosubnet1
and has an ephemeral external IP address.nic2
is attached tosubnet2
and has no external IP address.
Example 2: Using third-party appliances in a Shared VPC network scenario
This setup is useful when you want to share a single set of centralized
third-party appliances for workloads or applications that are hosted in
different projects. In figure 2, there are four distinct
applications—App1
, App2
, App3
, and App4
—that are hosted in different service
projects. You need them to be protected for all internet ingress, and you need
egress traffic to be inspected and filtered in a third-party appliance that is
centrally located in the Shared VPC host project.
Provision and configure the VM and network interfaces for example 2
To create the VM and network interfaces in this example, use the following command:
gcloud compute instances create VM-appliance \ --network-interface subnet=subnet-perimeter,address='reserved-address' \ --network-interface subnet=subnet-1,no-address \ --network-interface subnet=subnet-2,no-address \ --network-interface subnet=subnet-3,no-address \ --network-interface subnet=subnet-4,no-address \ --machine-type=n1-standard-4
This creates an instance with five network interfaces:
nic0
is attached tosubnet-perimeter
, which is part ofnetwork-perimeter
, with a static addressreserved-address
.nic1
is attached tosubnet-1
, which is part ofnetwork-1
, with no external IP address.nic2
is attached tosubnet-2
, which is part ofnetwork-2
, with no external IP address.nic3
is attached tosubnet-3
, which is part ofnetwork-3
, with no external IP address.nic4
is attached tosubnet-4
, which is part ofnetwork-4
, with no external IP address.
Additional operational details
Multiple network interfaces in a Shared VPC environment
Shared VPC enables you to share VPC networks across projects in your Google Cloud organization.
Shared VPC lets you create instances associated with a Shared VPC network that is hosted in a centralized Shared VPC host project. For information about configuring Shared VPC networks, see Provisioning Shared VPC.
To create instances with one or more interfaces associated with Shared VPC
networks, you must have the Compute Network User role (roles/compute.networkUser
) in the Shared VPC host
project.
DNS resolution with multiple network interfaces
When an internal DNS query is made with the instance hostname, it resolves to
the primary interface (nic0
) of the instance. If the nic0
interface of the
instance is attached to a subnet in a VPC network that is
different from the VPC network of the instance issuing the
internal DNS query, the query fails.
Private Compute Engine DNS records are not generated per interface.
DHCP behavior with multiple network interfaces
In a default multiple interface configuration, the OS is configured to use DHCP. The DHCP and ARP behavior of each of the multiple interfaces is the same as the DHCP and ARP in an instance with a single interface.
In a multiple interface instance that uses DHCP, every interface gets a route
for the subnet that it is in. In addition, the instance gets a single
default route that is associated with the primary interface eth0
. Unless
manually configured otherwise, any traffic leaving an instance for any
destination other than a directly connected subnet will leave the instance using
the default route on eth0
.
The behavior is the same for interfaces with IPv6 addresses. The interface gets a route for the IPv6 subnet range that it is in, as well as a single IPv6 default route.
In this sample, the primary interface eth0
gets the default route
(default via 10.138.0.1 dev eth0
), and both interfaces eth0
and eth1
get
routes for their respective subnets.
instance-1:~$ ip route default via 10.138.0.1 dev eth0 10.137.0.0/20 via 10.137.0.1 dev eth1 10.137.0.1 dev eth1 scope link 10.138.0.0/20 via 10.138.0.1 dev eth0 10.138.0.1 dev eth0 scope link
For more information, see the following tutorial: Configure routing for an additional interface.
Custom static routes and multiple network interfaces
When a VM instance has multiple interfaces and a network tag, the network tag might not impact all of the VM's interfaces. A VM's network tag impacts an interface if the interface is in a VPC network that contains a static route with a matching tag.
For example:
- A VM has two interfaces:
nic0
andnic1
. Thenic0
interface is invpc-net-a
. Thenic1
interface is invpc-net-b
. The VM has a network tag calledvpn-ok
. The tag is an attribute on the instance, not on a specific interface. - The
vpc-net-a
network has a custom static route with a tag calledvpn-ok
. - The
vpc-net-b
network has a custom static route with a tag calledvpn-123
.
These numbered steps correspond to figure 3:
In the case of the vpc-net-a
network, because it has a route with a tag in
common with the VM, the VM's vpn-ok
tag applies to the VM's nic0
interface
in vpc-net-a
. In contrast, because the vpc-net-b
network doesn't have a static route
with the vpn-ok
tag, the VM's vpn-ok
network tag is ignored on the VM's
nic1
interface.
Tags in routes in instances with multiple network interfaces
If you choose to use tags with routes, note that tags are applied at the instance level and, as such, tags apply to all interfaces of a virtual machine instance. If this is not desirable, make sure that the tags applied to the routes are unique to each VPC network.
Load balancers and multiple network interfaces
Except for Internal TCP/UDP Load Balancing,
all Google Cloud load balancers only distribute traffic to the first
interface (nic0
) of a backend instance.
Firewall rules and multiple network interfaces
Each VPC network has its own set of firewall rules. If an instance's interface is in a particular VPC network, that network's firewall rules apply to that interface.
For example, suppose a VM instance has two interfaces:
nic0
in VPC networknetwork-1
nic1
in VPC networknetwork-2
Firewall rules that you create for the network-1
network apply to nic0
.
Firewall rules that you create for the network-2
network apply to nic1
.
For more information, see VPC firewall rules.
Firewalls in instances with multiple network interfaces
Ingress firewall rules can use either network tags or service accounts to identify sources, targets (destinations), or both.
Egress firewall rules can use either network tags or service accounts to identify targets (sources).
For more information, see source and target filtering by service account.
Network tags and service accounts identify instances, not specific interfaces. Keep in mind that firewall rules are associated with a single VPC network, and each interface of a multi-NIC instance must be in a subnet that is in a unique VPC network.
The following example demonstrates how you can effectively use source tags for
ingress allow
firewall rules. The vm1
instance has two network interfaces:
nic0
innetwork-1
nic1
innetwork-2
Suppose you need to allow the following traffic from vm1
:
- SSH traffic from
vm1
to any instance innetwork-1
- HTTP and HTTPS traffic from
vm1
to any instance innetwork-2
To accomplish this, you can do the following:
Assign two network tags to
vm1
:vm1-network1
andvm1-network2
Create an ingress
allow
firewall rule innetwork-1
with the following components to allow SSH traffic fromvm1
to all VMs innetwork-1
:- Action:
allow
- Direction:
ingress
- Sources: VMs with tag
vm1-network1
- Targets: All instances in the VPC network
- Protocols and ports:
tcp:22
- Action:
Create an ingress allow firewall rule in
network-2
with the following components to allow HTTP and HTTPS traffic fromvm1
to all VMs innetwork-2
:- Action:
allow
- Direction:
ingress
- Sources: VMs with tag
vm1-network2
- Targets: All instances in the VPC network
- Protocols and ports:
tcp:80,443
- Action:
Figure 4 shows this firewall configuration example: