Alias IP Ranges Overview

Google Cloud Platform (GCP) Alias IP Ranges lets you assign a range of internal IP addresses as aliases to a virtual machine's (VM) primary network interface. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address.


If you have only one service running on a VM, you can reference it using the VM's primary IP address. If you have multiple services running on a VM, you may want to assign each one a different internal IP address. You can do this with Alias IP ranges.

Routing to these alias IP ranges happens automatically. You do not have to configure any routes manually.

Use alias IP addresses when you need more than one IP address associated with a single interface on the VM. If you need additional interfaces on the VM so that it can connect to multiple VPC networks, see Multiple Network Interfaces.

Subnet primary and secondary CIDR ranges

All subnets have a primary CIDR range, which is the range of internal IP addresses that define the subnet. Each VM instance gets its primary internal IP address from this range. In addition, you can create subnets with additional secondary CIDR ranges.

In auto mode VPC networks, the automatically generated subnets are created with only a primary CIDR range. If you need a secondary CIDR range in an auto mode VPC network, you must manually create a new subnet that has a secondary CIDR range. You can then create your instances in the new subnet and assign alias IPs from the secondary range.

Alias IP ranges defined in the VM network interface

Using IP aliasing, you can configure multiple internal IP addresses, representing containers or applications hosted in a VM, without having to define a separate network interface. You can assign VM alias IP ranges from either the subnet's primary or secondary ranges.

Configuring Alias IP Ranges describes commands for setting up a subnet with secondary ranges and for assigning alias IP addresses to VMs.

The following diagram provides a basic illustration of primary and secondary CIDR ranges and VM alias IP ranges:

[Figure: Primary and secondary CIDR ranges and VM alias IP ranges]

  • A primary CIDR range is configured as part of a subnet.
  • A secondary CIDR range is configured as part of a subnet.
  • The VM primary IP is allocated from the primary CIDR range,, while an alias IP range,, is allocated in the VM from the secondary CIDR range,
  • The addresses in the alias IP range are used as the IP addresses of the containers hosted in the VM.

Key benefits of alias IP ranges

When alias IP ranges are configured, GCP automatically installs VPC network routes for primary and alias IP ranges. Your container orchestrator does not need to specify VPC network connectivity for these routes. This simplifies routing traffic and managing your containers. You do need to perform in-guest configuration as described in Alias IP ranges key properties.

When container IP addresses are allocated by GCP, validation processes in GCP ensure that container pod IP addresses do not conflict with VM IP addresses.

When alias IP addresses are configured, anti-spoofing checks are performed against traffic, ensuring that traffic exiting VMs uses VM IP addresses and pod IP addresses as source addresses. The anti-spoofing checks verify that VMs do not send traffic with arbitrary source IP addresses. Static routes are less secure because they disable anti-spoofing checks.

Alias IP ranges are routable within the GCP virtual network without requiring additional routes. You do not have to add a route for every IP alias and you do not have to take route quotas into account.

Alias IP addresses can be announced by Cloud Router to an on-premises network connected via VPN or Interconnect.

There are advantages to allocating alias IP ranges from a secondary CIDR range. By allocating from a range separate from the range used for primary IP addresses, you can separate infrastructure (VMs) from services (containers). When you configure separate address spaces for infrastructure and services, you can set up firewall controls for VM alias IP addresses separately from the firewall controls for a VM’s primary IP addresses. For example, you can allow certain traffic for container pods and deny similar traffic for the VM's primary IP address.

Container architecture in GCP

Consider a scenario in which you want to configure containerized services on top of GCP. You need to create the VMs that will host the services, and, additionally, the containers.

In this scenario, you want to route traffic between the containers and on-premises locations that are connected through a VPN. However, you don't want the primary VM IP addresses to be reachable through the VPN. To create this configuration, the container IP range needs to be routable through the VPN, but not the VM primary IP range. At VM creation time, you also want to automatically assign a pool of IP addresses that are used for the containers.

To create this configuration, do the following:

  • When you create the Compute Engine subnet, you configure
    • One primary CIDR range, for example,
    • One secondary CIDR range, for example,
  • Use an instance template to create VMs and automatically assign each the following:
    • A primary IP from the range
    • An Alias range /24 from the secondary CIDR space, so that you can assign each pod on a VM an IP from the /24 secondary CIDR range
  • Create two firewall rules.
    • One rule that denies traffic traveling across the VPN from on-premises from reaching the subnet primary CIDR range.
    • One rule that allows traffic traveling across the VPN from on-premises to reach the subnet secondary CIDR range.

Example: Configuring containers with alias IP ranges

Using alias IP ranges, container IP addresses can be allocated from a secondary CIDR range and configured as alias IP addresses in the VM that is hosting the container.

[Figure: Configuring containers with alias IP addresses]

To create the configuration illustrated above:

  1. Create a subnet with a CIDR range, from which VM IP addresses are allocated, and a secondary CIDR range for the containers' exclusive use, which will be configured as alias IP ranges in the VM that is hosting them:

    gcloud compute networks subnets create subnet-a \
        --network network-a \
        --range \
        --secondary-range container-range=
  2. Create VMs with a primary IP from range and an Alias IP Range from the secondary CIDR range for the containers in that VM to use:

    gcloud compute instances create vm1 [...] \
        --network-interface subnet=subnet-a,aliases=container-range:
    gcloud compute instances create vm2 [...] \
        --network-interface subnet=subnet-a,aliases=container-range:
  3. Container IP addresses are configured in GCP as alias IP addresses. In this setup, both primary and alias IPs will be reachable through the VPN tunnel. If Cloud Router is configured, it will automatically advertise the secondary subnet range. For more information on using VPN, see Creating a VPN and Creating a Tunnel with Dynamic Routes.

Refer to Configuring Alias IP Addresses and Ranges for more information on the commands used to create this configuration.

Alias IP addresses in auto mode VPC networks and subnets

In auto mode VPC networks, a subnet exists in each region. These automatically created subnets each have a primary CIDR range, but no secondary range. To use alias IP with these subnets, you must allocate your alias IP ranges from the subnet's primary CIDR range. Alternatively, you can create a new subnet in the region and specify a secondary range when you do so.

Automatically created subnets:

  • Do not have a secondary CIDR range. However, IP aliases can still be created in the primary range.
  • Cannot be modified or manually deleted. However, the entire network can be changed from auto to custom mode. For information on changing the network mode, see Switch a network from auto to custom.
  • Are considered default subnets: if no subnet is specified at instance creation time, the default subnet in the corresponding region is used.

Manually created subnets in auto mode VPC networks:

  • Must have one primary CIDR range and can have one optional secondary CIDR range. The secondary CIDR range does not have reserved IP addresses for the network and gateway. These will be taken from the primary CIDR range.
  • The primary CIDR ranges and secondary CIDR ranges of the subnet may not overlap with the range. This range is reserved by GCP. If you require this range, you must first switch the mode of your virtual network from auto mode to custom and then create subnets from the entire RFC 1918 private IP space.

See Creating a subnet with one or more secondary CIDR ranges if you want to create a new subnet for the network.

Alias IP addresses in custom mode networks and subnets

In custom-mode networks:

  • All of the subnets are created manually
    • One primary CIDR range is mandatory.
    • You can optionally create one secondary CIDR range.
  • There are no default subnets in custom-mode networks.
    • You can delete a custom-mode network only after all configured subnets are deleted.

Alias IP ranges key properties

The following properties apply to alias IP ranges configured in VMs:

  • From the guest OS perspective, the primary IP address and the default gateway are typically allocated using DHCP. Alias IP addresses can be configured in the guest OS, which is typically Linux or Windows, manually or by using scripts.
  • Alias IP ranges are not supported in legacy networks.
  • The primary VM IP address must be configured from the primary CIDR range.
  • The alias IP range configured in the VM can be configured from either the primary CIDR range or a secondary CIDR range. The alias IP range can be any subset of the primary or secondary range that is not already in use. Alias IP ranges are globally routable inside your GCP virtual network.
  • You can assign up to five secondary IP ranges per subnet.
  • The primary IP address and the alias IP range of the interface must be allocated from CIDR ranges configured as part of the same subnet. Note the following requirements:
    • The primary IP address must be allocated from the CIDR primary range.
    • The alias IP range can be allocated either from the same primary CIDR range or from a secondary CIDR range of that same subnet.
    • The primary IP address can be user-configured with a static private IP address or system auto-allocated with an ephemeral static IP address.
    • Alias IP ranges are optional and they are not automatically added. An alias IP range must be manually configured during instance creation or in an instance template.
    • An alias IP range can be configured as an explicit CIDR range (for example,, a single IP address (for example,, or as a netmask (/24). An alias IP range can be fully specified or auto-allocated by specifying the netmask.
    • In a single VM, the secondary CIDR range used for allocation of an alias IP range must be part of the same subnet as the primary VM IP address.
    • Because all subnets in a VPC network share a single default gateway, all alias IP addresses within an interface share the same default gateway as the primary IP address.
[Figure: Alias IPs within an interface share the same default gateway as the primary IP address]
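
The allocation rules in the list above can be checked before a VM is created. The following is an added example, not code from the original page or from GCP: it validates an explicit CIDR or single IP, or auto-allocates by netmask, inside one subnet. The function name, the subnet dictionary layout and all addresses are assumptions constructed for illustration; only the range name container-range comes from the page.

```python
import ipaddress

# Constructed sample subnet: the CIDR values are illustrative, not from the page.
SAMPLE_SUBNET = {
    "primary": "10.1.0.0/16",
    "secondary": {"container-range": "10.2.0.0/20"},
    # Ranges already taken: one VM primary IP and one alias range.
    "in_use": ["10.1.0.2/32", "10.2.0.0/24"],
}


class AliasRangeError(ValueError):
    """The requested alias range violates one of the listed properties."""


def allocate_alias(subnet, request, range_name=None):
    """Validate or auto-allocate an alias range and record it as in use.

    request is an explicit CIDR, a single IP address, or a netmask ("/24").
    range_name picks a secondary range; None means the primary range.
    """
    if range_name is None:
        parent = ipaddress.ip_network(subnet["primary"])
    elif range_name in subnet["secondary"]:
        parent = ipaddress.ip_network(subnet["secondary"][range_name])
    else:
        # Alias ranges must come from a range of the interface's own subnet.
        raise AliasRangeError(f"{range_name!r} is not a range of this subnet")
    used = [ipaddress.ip_network(cidr) for cidr in subnet["in_use"]]

    if request.startswith("/"):
        # Netmask only: auto-allocate the first free block of that size.
        prefix = int(request[1:])
        if prefix < parent.prefixlen:
            raise AliasRangeError(f"{request} is larger than {parent}")
        candidates = parent.subnets(new_prefix=prefix)
    else:
        wanted = ipaddress.ip_network(request)  # a single IP becomes a /32
        if not wanted.subnet_of(parent):
            raise AliasRangeError(f"{wanted} is outside {parent}")
        candidates = [wanted]

    for candidate in candidates:
        if not any(candidate.overlaps(taken) for taken in used):
            subnet["in_use"].append(str(candidate))
            return str(candidate)
    raise AliasRangeError(f"no free range for {request} in {parent}")
```

When allocating from the primary range, the in-use list should also hold the addresses reserved for the network and gateway.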

DNS with alias IP addresses

GCP automatically configures internal DNS for the primary IP of the primary interface of every VM instance. This associates the instance host name with the primary interface primary IP address. However, the DNS lookup on that host name only works in the network that contains the primary interface.

GCP does not automatically associate any other IP addresses with the host name. GCP does not associate Alias IP addresses on the primary interface with the host name, and it does not associate any IP addresses of secondary interfaces with the host name.

You can manually configure DNS to associate other IP addresses.


Firewall source tags are not supported for alias IP addresses. When you configure source tags in firewall rules, the source tag matches the VM primary IP address, but not the alias IP addresses. Use source ranges to allow or deny ingress traffic from alias IP addresses.
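
One way to audit for this gap, as an added example that is not part of the original page: the function below flags ingress rules whose source tags select a VM that also has alias IP ranges not covered by any source range in the same rule. The rule names, instance names and addresses are constructed sample data; the field names follow the Compute Engine API firewall and instance resources, and all resources are assumed to be in one VPC network.

```python
import ipaddress

# Constructed sample data shaped like Compute Engine API firewall and
# instance resources; names and addresses are illustrative only.
FIREWALLS = [
    {"name": "allow-web-to-db", "direction": "INGRESS", "sourceTags": ["web"]},
    {"name": "allow-web-to-cache", "direction": "INGRESS",
     "sourceTags": ["web"], "sourceRanges": ["10.2.0.0/20"]},
]
INSTANCES = [
    {"name": "vm1", "tags": {"items": ["web"]},
     "networkInterfaces": [{"networkIP": "10.1.0.2",
                            "aliasIpRanges": [{"ipCidrRange": "10.2.1.0/24"}]}]},
    {"name": "vm2", "tags": {"items": ["db"]},
     "networkInterfaces": [{"networkIP": "10.1.0.3"}]},
]


def tag_rules_missing_alias_sources(firewalls, instances):
    """List (rule, instance, alias CIDR) where a source tag selects the
    instance but no source range of the rule covers its alias IP range."""
    findings = []
    for rule in firewalls:
        tags = set(rule.get("sourceTags", []))
        if rule.get("direction", "INGRESS") != "INGRESS" or not tags:
            continue
        covered = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
        for inst in instances:
            if not tags & set(inst.get("tags", {}).get("items", [])):
                continue
            # The tag matches this VM's primary IP only, so every alias
            # range needs an explicit source range in the same rule.
            for nic in inst.get("networkInterfaces", []):
                for alias in nic.get("aliasIpRanges", []):
                    net = ipaddress.ip_network(alias["ipCidrRange"])
                    if not any(net.subnet_of(c) for c in covered):
                        findings.append((rule["name"], inst["name"], str(net)))
    return findings
```

With the sample data, only allow-web-to-db is reported: traffic sourced from vm1's containers would not match it, while allow-web-to-cache covers the alias range through its source range.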

Static routes

In a static route, the next-hop IP address must be the primary IP address of the virtual machine instance. An alias IP address is not supported as the next-hop IP address.
