Select IP address ranges

Stay organized with collections Save and categorize content based on your preferences.

CIDR ranges for Managed Service for Microsoft Active Directory domain controllers cannot be changed after they are set. To avoid conflicts and time-consuming mistakes, you should carefully consider your current and future infrastructure needs when selecting these ranges. This topic identifies important considerations and helps you select the appropriate IP address ranges for your domains.

Using a /24 range size

Managed Microsoft AD requires a minimum of /24 private RFC 1918 CIDR range, such as Although you can select a broader private RFC 1918 CIDR range, we highly recommend using /24 because this range will be exclusively reserved for domain controllers. No other resources will be able to use the additional IP addresses in the range.

Avoiding overlapping ranges

You should avoid setting ranges that might overlap with current and future infrastructure.

Asking your network specialist

Check if there is a network specialist in your organization who can help you identify or reserve safe IP ranges.

Listing IP ranges in use

To avoid conflicts with existing infrastructure, you can list which IP address ranges are currently in use, and then use one that is not in the list.


To view the IP address ranges in use on your VPC network, complete the following steps:

  1. Go to the VPC page in the Google Cloud console.
    Go to the VPC page

  2. Select the name of your VPC network.

  3. On the VPC Network details page, in the IP address ranges column, you can see which ranges are already in use.

You should use an IP address range not shown in the list.


To list all subnetworks in a project, run the following gcloud CLI command.

gcloud compute networks subnets list --sort-by=NETWORK

You should use an IP address range not shown in the list.

Learn more about the compute networks subnets list command.

Considering future needs

To avoid future conflicts, consider your infrastructure plans. If you plan to add any authorized networks, check for potential future conflicts. For instance, if you plan to configure a VPN or Interconnect from the authorized networks to your on-premises networks, you should select an IP range that is not used on any of those networks.

Separating test and production

To prevent development and testing work from impacting production workloads or hampering the security of your deployment, consider deploying separate domains for each.

For a simple isolated test domain, any private CIDR /24 range that isn't already a subnet on your authorized network VPC or one of its peers is sufficient.