Set up dual-stack services and jobs

Dual-stack subnets let your Cloud Run services and jobs send IPv4 and internal IPv6 traffic to a VPC network with Direct VPC egress. You can change the stack type of an existing Cloud Run service or job or update an existing subnet to a dual-stack subnet.

Subnet types

VPC networks support the following Compute Engine subnet types:

IPv4 only (single-stack) subnets, with only IPv4 subnet ranges
IPv4 and IPv6 (dual-stack) subnets, with both IPv4 and internal IPv6 subnet ranges

Dual-stack limitations

Before you change the stack type on an existing Cloud Run service or job, consider the following limitations:

Cloud Run only supports subnets with the internal IPv6 access-type setting. Learn more about internal and external access types for IPv6 addresses.
Dual-stack support is only available with subnets in a custom-mode VPC network. To have the internal access type available for dual-stack subnets, the VPC network internal IPv6 range must be enabled. Set up or convert the VPC network to custom mode.
Compared to IPv4-only subnets, dual-stack subnets might experience elevated cold-start latencies, limiting how quickly your application can scale up.
NAT64 is not supported.

Add a dual-stack subnet on a service or job

Dual-stack subnets have both IPv4 and IPv6 address ranges. Cloud Run services and jobs can only send IPv6 traffic through a subnet that uses internal IPv6 addresses.

To add a dual-stack subnet with an internal IPv6 range on a Cloud Run service or job, do the following:

Console

In the Google Cloud console:
1. Enable the Compute Engine API:
  
  Enable the Compute Engine API
2. Go to the VPC networks page:
  
  Go to VPC networks
Click Create VPC network if you are creating a new custom-mode network. If you are using an existing VPC network, click the name of the VPC network to show its VPC network details page.
If you are creating a new network or converting an existing one, enter the name and be sure that the Subnet creation mode is set to Custom, then select Configure a ULA internal IPv6 range for this VPC Network.
From the Subnets tab, click Add subnet. In the panel that appears:
1. Provide a Name.
2. Select a Region.
3. For IP stack type, select IPv4 and IPv6 (dual-stack).
4. Enter an IPv4 range. This is the primary IPv4 range for the subnet.
5. Select Internal for the IPv6 access type.
  
  If the Internal option is not available, check that an internal IPv6 range is assigned on the network.
6. Click Done, then click Create.
Deploy a Cloud Run service or execute a job on the dual-stack subnet that you created. As you enter the needed service or job details, you can select the new IPv6 address range by following these steps:
1. Click Container(s), Volumes, Networking, Security and select the Networking tab.
2. Click Connect to a VPC for outbound traffic and then Send traffic directly to a VPC.
3. Select the Network that you created in the previous step.
4. Click the Subnet field to select the newly created IPv6 address range.
The service or job is automatically provisioned with the subnet's stack type.

gcloud

To create a custom-mode network that supports dual-stack subnets, run the following command:

gcloud compute networks create NETWORK \
    --subnet-mode=custom \
    --enable-ula-internal-ipv6

Replace NETWORK with the name of the VPC network that will contain the new subnet.

To convert to or update a custom-mode network so that it supports dual-stack subnets, run the following command:

gcloud compute networks update NETWORK \
    --subnet-mode=custom \
    --enable-ula-internal-ipv6

Replace NETWORK with the name of the VPC network that will contain the new subnet.

To create a dual-stack subnet with an internal IPv6 range, run the subnets create command using the dual-stack settings:

gcloud compute networks subnets create SUBNET \
    --network=NETWORK \
    --range=PRIMARY_IPv4_RANGE \
    --stack-type=IPV4_IPV6 \
    --ipv6-access-type=INTERNAL \
    --region=REGION

Replace the following:

SUBNET: a name for the new subnet.
NETWORK: the name of the VPC network that will contain the new subnet.
PRIMARY_IPv4_RANGE: the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges.
REGION: the Google Cloud region that the new subnet will be created in.

Deploy a Cloud Run service or execute a job on the dual-stack subnet that you created. The service or job is automatically provisioned with the subnet's stack type.

Change a subnet from single-stack to dual-stack

To add an internal IPv6 subnet range to an existing IPv4-only subnet in a custom-mode VPC network, see Change a subnet's stack type to dual-stack. Then, deploy the service or execute the job on the dual-stack subnet.

Change a subnet from dual-stack to single-stack

Changing the subnet's stack type from IPv4 and IPv6 (dual-stack) to IPv4 only (single-stack) is not supported because the Compute Engine IPv6 access type is internal. To change a service or job's dual-stack subnet to a single-stack subnet, deploy the service or execute the job on an IPv4-only (single-stack) subnet.

Verify the network and subnet

To check that your service or job is on the VPC network, run the following command:

gcloud run services describe SERVICE_NAME --region=REGION

Replace REGION with the Google Cloud region that the new subnet was created in.

The following example output shows your network and subnet:

  VPC Access:
    Network:        example-network
    Subnet:         example-subnet
    Egress:         private-ranges-only