Select IP address ranges

This page identifies important considerations and helps you select the appropriate IP address ranges for your domains. CIDR ranges for Managed Service for Microsoft Active Directory domain controllers cannot be changed after they are set. To avoid conflicts and time-consuming mistakes, you should carefully consider your current and future infrastructure needs when selecting these ranges.

Using a /24 range size

Managed Microsoft AD requires a minimum of /24 private RFC 1918 CIDR range, such as Although you can select a broader private RFC 1918 CIDR range, we recommend using /24 because this range is exclusively reserved for domain controllers. No other resources can use the additional IP addresses in the range.

If you want to use a different IP address range that is recommended by another Google Cloud product with Managed Microsoft AD, contact Google Cloud Support.

Avoiding overlapping ranges

You should avoid setting ranges that might overlap with current and future infrastructure.

Asking your network specialist

Check if there is a network specialist in your organization who can help you identify or reserve safe IP address ranges.

Listing IP address ranges in use

To avoid conflicts with existing infrastructure, you can list which IP address ranges are in use, and then use one that is not in the list.


To view the IP address ranges in use on your VPC network, follow these steps:

  1. In the Google Cloud console, go to the VPC page.
    Go to VPC

  2. Select the name of your VPC network.

  3. On the VPC Network details page, in the IP address ranges column, you can see which ranges are already in use.

Use an IP address range that is not shown in the list.


To list all subnetworks in a project, run the following gcloud CLI command:

gcloud compute networks subnets list --sort-by=NETWORK

Use an IP address range that is not shown in the list.

Learn more about the compute networks subnets list command.

Considering future needs

To avoid future conflicts, consider your infrastructure plans, including the potential addition of authorized networks. For example, if you plan to configure a VPN or Interconnect from the authorized networks to your on-premises networks, you must select an IP address range that is not used on any of those networks.

Separating test and production environments

To prevent development and testing work from impacting production workloads or hampering the security of your deployment, consider deploying separate domains for each environment.

For a simple isolated test domain, any private CIDR /24 range that isn't already a subnet on your authorized VPC network or one of its peered networks is sufficient.