Networking overview for VMs

This document provides an overview of the networking functionality of your virtual machine (VM) instances. It provides a basic foundational understanding of how your VMs interact with Google Cloud Virtual Private Cloud (VPC) networks. For more information about VPC networks and related features, read the VPC network overview.

Networks and subnets

Every VM is part of a VPC network. VPC networks provide connectivity for your VM instance to other Google Cloud products and to the internet. VPC networks can be auto mode or custom mode.

  • Auto mode networks have one subnetwork (subnet) in each region. All subnets are contained within this IP address range: 10.128.0.0/9. Auto mode networks support only IPv4 subnet ranges.
  • Custom mode networks don't have a specified subnet configuration; you decide which subnets to create in regions that you choose by using IPv4 ranges that you specify. Custom mode networks also support IPv6 subnet ranges.

Unless you choose to disable it, each project has a default network, which is an auto mode network.

Each subnet in a VPC network is associated with a region and contains one or more IP address ranges. You can create more than one subnet per region. Each of the network interfaces for your VM must be connected to a subnet.

When you create a VM, you can specify a VPC network and subnet. If you omit this configuration, the default network and subnet are used. Google Cloud assigns an internal IPv4 address to the new VM from the primary IPv4 address range of the selected subnet. If the subnet also has an IPv6 address range, you can choose to assign an IPv6 address.

For more information on VPC networks, read the VPC network overview. For an illustrated example of VMs using a VPC network with three subnets in two regions, see VPC network example.

Network interface controllers (NICs)

Every VM in a VPC network has a default network interface. You can create additional network interfaces for your VMs, but each interface must attach to a different VPC network. Multiple network interfaces enable you to create configurations in which an instance connects directly to several VPC networks. For more information about using multiple NICs, see the Multiple network interfaces overview.

IP addresses

Each VM interface has an internal IPv4 address, which is allocated from the subnet. You can optionally configure an external IPv4 address. If the interface connects to a subnet that has an IPv6 range, you can optionally configure an IPv6 address. VMs use these IP addresses to communicate with other Google Cloud resources and external systems. External IP addresses are publicly routable IP addresses that can communicate with the internet. Both external and internal IP addresses can be either ephemeral or static.

Internal IP addresses are local to one of the following:

  • A VPC network
  • A VPC network connected using VPC Network Peering
  • An on-premises network connected to a VPC network using Cloud VPN, Cloud Interconnect, or a Router appliance

An instance can communicate with instances on the same VPC network, or a connected network as specified in the preceding list, using the VM's internal IPv4 address. If the VMs have IPv6 configured, you can also use one of the VM's internal or external IPv6 addresses. As a best practice, use internal IPv6 addresses for internal communication. For more information about IP addresses, read the IP addresses overview for Compute Engine.

To communicate with the internet, you can use an external IPv4 or external IPv6 address configured on the instance. If the instance doesn't have an external address, Cloud NAT can be used for IPv4 traffic.

If you have multiple services running on a single VM instance, you can give each service a different internal IPv4 address by using alias IP ranges. The VPC network forwards packets that are destined to a particular service to the corresponding VM. For more information, see alias IP ranges.

Internal Domain Name System (DNS) names

When you create a virtual machine (VM) instance, Google Cloud creates an internal DNS name from the VM name. Unless you specify a custom hostname, Google Cloud uses the automatically created internal DNS name as the hostname it provides to the VM.

For communication between VMs in the same VPC network, you can specify the fully qualified DNS name (FQDN) of the target instance instead of using its internal IP address. Google Cloud automatically resolves the FQDN to the internal IP address of the instance.

For more information about fully qualified domain names (FQDN), see Zonal and global internal DNS names.

Routes

Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside your VPC network (for example, in another VM) or outside it. The routing table for a VPC network is defined at the VPC network level. Each VM instance has a controller that is kept informed of all applicable routes from the network's routing table. Each packet leaving a VM is delivered to the appropriate next hop of an applicable route based on a routing order.

Subnet routes define paths to resources like VMs and internal load balancers in a VPC network. Each subnet has at least one subnet route whose destination matches the primary IP range of the subnet. Subnet routes always have the most specific destinations. They cannot be overridden by other routes, even if another route has a higher priority. This is because Google Cloud considers destination specificity before priority when selecting a route. For more information about subnet IP ranges, see the subnets overview.

Forwarding rules

While routes govern traffic leaving an instance, forwarding rules direct traffic to a Google Cloud resource in a VPC network based on IP address, protocol, and port. Some forwarding rules direct traffic from outside of Google Cloud to a destination in the network; other rules direct traffic from inside the network.

You can configure forwarding rules for your instances to implement virtual hosting by IPs, Cloud VPN, private virtual IPs (VIPs), and load balancing. For more information about forwarding rules, see Using protocol forwarding.

Firewall rules

VPC firewall rules let you allow or deny connections to or from your VM based on a configuration that you specify. Google Cloud always enforces enabled VPC firewall rules, protecting your VMs regardless of their configuration and operating system, even if the VM has not started.

By default, every VPC network has incoming (ingress) and outgoing (egress) firewall rules that block all incoming connections and allow all outgoing connections. The default network has additional firewall rules, including the default-allow-internal rule, which permits communication among instances in the network. If you are not using the default network, you must explicitly create higher priority ingress firewall rules to allow instances to communicate with one another.

Every VPC network functions as a distributed firewall. Firewall rules are defined at the VPC level, and can apply to all instances in the network, or you can use target tags or target service accounts to apply rules to specific instances. You can think of the VPC firewall rules as existing not only between your instances and other networks, but also between individual instances within the same VPC network.

Hierarchical firewall policies let you create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders. These policies contain rules that can explicitly deny or allow connections, the same as VPC firewall rules. In addition, hierarchical firewall policy rules can delegate evaluation to lower-level policies or VPC firewall rules with a goto_next action. Lower-level rules can't override a rule from a higher place in the resource hierarchy. This lets organization-wide administrators manage critical firewall rules in one place.

Network bandwidth

Google Cloud accounts for bandwidth per virtual machine (VM) instance, not per network interface (NIC) or IP address. Bandwidth is measured using two dimensions: traffic direction (ingress and egress) and type of destination IP address. A VM's machine type defines its maximum possible egress rate; however, you can only achieve that maximum possible egress rate in specific situations. For more information, see Network bandwidth.

Google Virtual NIC (gVNIC) is a virtual network interface designed specifically for Compute Engine. gVNIC is an alternative to the virtIO-based ethernet driver. gVNIC is required to support higher network bandwidths such as the 50 to 100 Gbps speeds that can be used for distributed workloads on VMs that have attached GPUs. Also, gVNIC is required when working with some machine types that are meant for optimal performance. For more information, see Using Google Virtual NIC.

Managed instance groups and networking configurations

If you use managed instance groups (MIGs), the network configuration you specify on the instance template applies across all VMs created with the template. If you create an instance template in an auto mode VPC network, Google Cloud automatically selects the subnet for the region where you created the managed instance group.

For more information, see Networks and subnets and Creating instance templates.

What's next?