Reserve an external IP address

External IP addresses allow inbound connections from the internet to a workload virtual machine (VM) instance, an appliance, or a load balancer running in your private cloud. For example, if you run a web server on your workload VM, you can serve web traffic using an external IP address through the internet.

Traffic to and from your external IP addresses follows your external access firewall rules.

Allocating an external IP address to a resource also provides the following benefits:

  • Distributed denial-of-service (DDoS) attack prevention. This protection is automatically enabled for the external IP address.
  • Always-on traffic monitoring and real-time mitigation of common network-level attacks.
  • Protection and mitigation of attacks across the entire scale of the global network. The network can be used to distribute and mitigate attack traffic across regions.

Behavior

An external IP address can only be assigned to one internal IP address, and the external IP address is dedicated to that internal IP address until you unassign it. A resource associated with an external IP address always uses the external IP address for internet access. You can reserve up to 100 external IP addresses for the primary VPC network connected to VMware Engine.

By default, incoming traffic on an external IP address is denied, and only outbound internet access is allowed. To allow inbound traffic, create an external access rule for the external IP address to the specific port.

  • You can only assign rules to port 443 for vCenter and NSX-T.
  • Although not required, we strongly recommend opening port 443 for HCX as well.

Before you begin

Before you can allocate an external IP address to a workload VM, you must create a network policy in the region that applies to your private cloud and enable the internet access service and the external IP address service.

Reserve an external IP address

To reserve an external IP address for an internal workload VM or management appliance using the Google Cloud console, Google Cloud CLI or VMware Engine API, do the following:

Console

To reserve an external IP address for an internal workload VM or management appliance using the Google Cloud console, complete these steps:

  1. In the Google Cloud console, go to the External IP addresses page.


  2. Click Reserve.

  3. In the Name field, enter a name to identify the external IP address.

  4. In the Private cloud list, select the private cloud that contains the workload VM or management appliance.

  5. In the Target workload or appliance VM field, enter the internal IP address that you want to assign this external IP address to.

  6. Click Reserve. The newly reserved external IP address appears in the list of external IP addresses.

gcloud

To reserve an external IP address for an internal workload VM or management appliance, use the gcloud vmware private-clouds external-addresses create command:

gcloud vmware private-clouds external-addresses create EXTERNAL_ADDRESS_NAME \
  --internal-ip=IP_ADDRESS \
  --private-cloud=PRIVATE_CLOUD_ID \
  --location=ZONE

Replace the following:

  • EXTERNAL_ADDRESS_NAME: the name for this external IP address
  • IP_ADDRESS: the internal IP address to map this external IP address to, for example 192.168.1.11
  • PRIVATE_CLOUD_ID: the name for this private cloud
  • ZONE: the zone for this request

API

To reserve an external IP address for an internal workload VM or management appliance using the VMware Engine API, make a POST request:

  POST "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/privateClouds/PRIVATE_CLOUD_ID/externalAddresses?external_address_id=EXTERNAL_ADDRESS_NAME"

'{ "internal_ip": "IP_ADDRESS" }'

Replace the following:

  • PROJECT_ID: the project for this request
  • ZONE: the zone for this request
  • PRIVATE_CLOUD_ID: the name for this private cloud
  • EXTERNAL_ADDRESS_NAME: the name for this external IP address
  • IP_ADDRESS: the internal IP address to map this external IP address to, for example 192.168.1.11

List external IP addresses

To see a list of all external IP addresses using the Google Cloud console, Google Cloud CLI or VMware Engine API, do the following:

Console

View a list of all External IP addresses by going to the External IP addresses page.


gcloud

If you want to list all external IP addresses, use the gcloud vmware private-clouds external-addresses list command:

gcloud vmware private-clouds external-addresses list \
  --private-cloud=PRIVATE_CLOUD_ID \
  --location=ZONE

Replace the following:

  • PRIVATE_CLOUD_ID: the name for this private cloud
  • ZONE: the zone for this request

API

If you want to list all external IP addresses using the VMware Engine API, make a GET request:

GET "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/privateClouds/PRIVATE_CLOUD_ID/externalAddresses"

Replace the following:

  • PROJECT_ID: the project for this request
  • ZONE: the zone for this request
  • PRIVATE_CLOUD_ID: the name for this private cloud
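Because every reservation gives an internal address an internet-facing identity, the listing is worth reviewing against an approved inventory. The following is an added example, not part of the original documentation: it audits the JSON form of the listing against an approved set of internal IPs and the 100-address limit. The field names (name, internalIp, externalIp) and the sample data are assumptions constructed for illustration.

```python
import ipaddress
import json

MAX_RESERVATIONS = 100  # per-network reservation limit stated on this page

# Constructed sample of `external-addresses list --format=json` output.
# Field names (name, internalIp, externalIp) are assumed, not from the page.
SAMPLE_LISTING = json.dumps([
    {"name": "projects/p/locations/z/privateClouds/pc/externalAddresses/web-1",
     "internalIp": "192.168.1.11", "externalIp": "203.0.113.10"},
    {"name": "projects/p/locations/z/privateClouds/pc/externalAddresses/old-test",
     "internalIp": "192.168.1.50", "externalIp": "203.0.113.11"},
    {"name": "projects/p/locations/z/privateClouds/pc/externalAddresses/broken",
     "externalIp": "203.0.113.12"},
])


def audit_external_addresses(listing_json, approved_internal_ips, warn_ratio=0.8):
    """Return (reservation name, finding) tuples for a JSON listing."""
    approved = {ipaddress.ip_address(ip) for ip in approved_internal_ips}
    entries = json.loads(listing_json)
    findings = []
    for entry in entries:
        short_name = entry["name"].rsplit("/", 1)[-1]
        try:
            internal = ipaddress.ip_address(entry.get("internalIp", ""))
        except ValueError:
            # A reservation with no usable target cannot be reviewed; surface it.
            findings.append((short_name, "internal IP missing or malformed"))
            continue
        if internal not in approved:
            findings.append((short_name, f"{internal} is not on the approved exposure list"))
    # Warn before the reservation limit is reached.
    if len(entries) >= warn_ratio * MAX_RESERVATIONS:
        findings.append(("*", f"{len(entries)} of {MAX_RESERVATIONS} reservations used"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_external_addresses(SAMPLE_LISTING, ["192.168.1.11"]):
        print(f"{name}: {finding}")
```
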

Edit an external address

You can only edit the description and the internal IP attached to an existing external IP resource. You cannot change any other properties.

Console

To edit an IP address:

  1. In the Google Cloud console, go to the External IP addresses page.


  2. Click the More icon at the end of a row and select Edit.

gcloud

If you want to edit an external IP address, use the gcloud vmware private-clouds external-addresses update command:

gcloud vmware private-clouds external-addresses update EXTERNAL_ADDRESS_NAME \
  --internal-ip=IP_ADDRESS \
  --private-cloud=PRIVATE_CLOUD_ID \
  --location=ZONE

API

If you want to edit an external address using the VMware Engine API, make a PATCH request:

PATCH "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/privateClouds/PRIVATE_CLOUD_ID/externalAddresses/EXTERNAL_ADDRESS_NAME?update_mask=internal_ip"

'{
  "internal_ip": "IP_ADDRESS"
}'

Replace the following:

  • PROJECT_ID: the project for this request
  • ZONE: the zone for this request
  • PRIVATE_CLOUD_ID: the name for this private cloud
  • EXTERNAL_ADDRESS_NAME: the name of the external IP for this request
  • IP_ADDRESS: the IP address, for example 192.168.1.11, for this request

Delete an external address

To delete an external address using the Google Cloud console, Google Cloud CLI or VMware Engine API, do the following:

Console

To delete an external address using the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the External IP addresses page.


  2. Click the Delete icon at the end of a row and select Delete.

gcloud

To delete an external address using the Google Cloud CLI, use the gcloud vmware private-clouds external-addresses delete command:

gcloud vmware private-clouds external-addresses delete EXTERNAL_ADDRESS_NAME \
  --private-cloud=PRIVATE_CLOUD_ID \
  --location=ZONE

Replace the following:

  • EXTERNAL_ADDRESS_NAME: the external IP address ID for this request
  • PRIVATE_CLOUD_ID: the name for this private cloud
  • ZONE: the zone for this request

API

To delete an external address using the VMware Engine API, make a DELETE request:

  DELETE "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/privateClouds/PRIVATE_CLOUD_ID/externalAddresses/EXTERNAL_ADDRESS_NAME"

Replace the following:

  • PROJECT_ID: the project for this request
  • ZONE: the zone for this request
  • PRIVATE_CLOUD_ID: the name for this private cloud
  • EXTERNAL_ADDRESS_NAME: the name of the external IP for this request

Outbound traffic configuration

Outbound traffic from the external IP address is allowed. Set up rules to control this traffic in NSX Manager.
