Bring your own IP addresses
Bring your own IP addresses (BYOIP) lets you provision and use your own public IPv4 addresses for Google Cloud resources. After the IP addresses are imported, Google Cloud manages them in the same way as Google-provided IP addresses, with these exceptions:
The IP addresses are available only to the customer who brought them.
There are no charges for idle or in-use IP addresses.
Live migration lets you control when Google starts advertising routes for your prefix. Live migration is not available by default. To request access, contact your Google Cloud customer engineer.
Overview
To bring your own IP to Google, you create a public advertised prefix (PAP). Verification of ownership is done for this public advertised prefix using ROA and reverse DNS validation. After verification is complete, we configure the announcement of this prefix to the internet, but the prefix is not advertised until it is provisioned. It takes approximately four weeks for the public advertised prefix to be provisioned.
While you wait for the public advertised prefix to provision, you split the prefix into public delegated prefixes (PDPs). You can then either divide the public delegated prefix further or use it to create assignable IP addresses. It takes approximately four weeks for the public delegated prefix to be provisioned.
By default, after provisioning of the public delegated prefix is complete, the public advertised prefix is advertised to the internet. If you're using live migration, you must complete additional steps when you are ready to announce the prefix. For more information, see Live migration.
Public advertised prefixes
A public advertised prefix (PAP) is a resource in Compute Engine that represents an IP prefix that you bring to Google Cloud. This lets you allocate IP addresses from your own prefix to Google Cloud resources. The public advertised prefix is a single unit of route advertisement. Google's global backbone advertises the public advertised prefix from all of its points of presence. IP addresses in the public advertised prefix always use the Premium Tier of Network Service Tiers.
A public advertised prefix can be used to either create global public delegated prefixes or regional public delegated prefixes, but not both.
If your public advertised prefix was created before July 10, 2023, see Behavior changes for BYOIP.
When creating a new public advertised prefix, it must have an IPv4 IP range with
a minimum CIDR range of size /24. A smaller CIDR range, for example /25,
cannot be created as a new public advertised prefix. However, once created, you
can break up a public advertised prefix, say a /24 or /23, into smaller
public delegated prefixes.
Public delegated prefixes
A public delegated prefix (PDP) is an IP address block within your public advertised prefix that is configured within a single scope (a specific region or global). The IP blocks must be delegated and assigned to a scope before you can allocate IP addresses to your project or organization.
Creation of global public delegated prefixes is controlled by an allowlist. For more information, see Global public delegated prefixes.
You can break up a single public delegated prefix into multiple smaller blocks, but these blocks must have the same scope as the parent block. You can configure multiple non-contiguous public delegated prefixes in a given scope. These smaller blocks are public delegated prefixes, but are also referred to as sub-prefixes.
Global public delegated prefixes
To create a global public delegated prefix, you must use a public advertised prefix that is used to create only global public delegated prefixes. You must create the public delegated prefix in a project that has been given access to create global prefixes.
To request access, file a support case to request that your project be added to the allowlist for global public delegated prefix creation.
IP addresses
When you create IP addresses
from a public delegated prefix or sub-prefix, the IP addresses can be used only
within the project and scope that they are allocated to. All IP addresses in the
public delegated prefix or sub-prefix are made available; there is no reserved
network address or broadcast address. For example, if you use a /28 public
delegated prefix or sub-prefix to create IP addresses, 16 IP address resources
are created.
Anyone who has the appropriate IAM permissions in the project can use the IP addresses:
compute.addresses.*for regional IP addressescompute.globalAddresses.*for global IP addresses
Bring your own IP configurations
The following table summarizes the available bring your own IP configurations.
| Configuration | Regional (v2) | Regional (v1) | Global (v1) |
|---|---|---|---|
| Availability | Recommended regional configuration | Not recommended for new regional configurations | Must request adding your project to an allowlist |
| Public advertised prefix provisioning time | Approximately 2 weeks | Approximately 4 weeks | Approximately 4 weeks |
| Public delegated prefix provisioning time | A few minutes | 4 weeks
Can overlap with public advertised prefix provisioning time |
4 weeks
Can overlap with public advertised prefix provisioning time |
| Sub-prefix provisioning time | A few minutes | A few minutes | A few minutes |
| BGP announcement | The public advertised prefix is not automatically announced when it is provisioned. You decide when to announce or withdraw advertisement. | By default, the public advertised prefix is automatically announced after provisioning completes.
BGP announcement control is available only through live migration (available through allowlist). |
The public advertised prefix is automatically announced after provisioning completes. |
| Public advertised prefix size | /16 to /24 |
/16 to /24 |
/16 to /24 |
| Public delegated prefix size |
Can be the same size or smaller than the public advertised prefix. |
Must be smaller than the public advertised prefix. |
Must be smaller than the public advertised prefix. |
Limitations
Provisioning time takes multiple weeks and cannot be accelerated. For more information about provisioning time, see Bring your own IP configurations.
A public delegated prefix can be sub-delegated up to three times from a public advertised prefix. For more information, see Create sub-prefixes.
When you create addresses from a public delegated prefix, the group of addresses can have size
/17to/28. You can't create a smaller group of addresses, for example, a single/32address.If you use privately used public IP address ranges for any subnets in your VPC networks, your imported BYOIP prefixes must not overlap with these IP address ranges. Don't use any part of an imported BYOIP prefix as a primary or secondary IPv4 subnet range.
Importing IPv6 addresses is not supported.
Support for BYOIP addresses
BYOIP addresses are static external IP addresses and can be used with most resources that support static external IP addresses. However, there are some exceptions:
Cloud VPN supports using a BYOIP address as the peer IP address of a Classic VPN gateway tunnel. However, you cannot use a BYOIP address as the peer IP address of an HA VPN gateway tunnel.
Cloud VPN does not support using a BYOIP address as the external IP address of Classic VPN or HA VPN gateway tunnels.
You can create BYOIP addresses in Shared VPC host projects and use the host project IP addresses in the service projects. However, Shared VPC does not support creating BYOIP addresses in service projects.
You can use BYOIP addresses to create external forwarding rules used with GKE ingress for external Application Load Balancers. However, Google Kubernetes Engine nodes and Pods don't support BYOIP addresses.
Stateful managed instance groups (MIGs) support using BYOIP addresses for configuring static IP addresses on VM creation in a MIG. However, MIGs that automatically allocate IP addresses to VMs don't support BYOIP.
Public IP Admin role
You can designate an administrator for your BYOIP prefixes and addresses by
assigning them the Compute Public IP Admin
role
(roles/compute.publicIpAdmin). This role lets them manage publicly routable
IP addresses in your organization.
The Public IP Admin can do the following tasks:
- Configure public advertised prefixes in a project they own.
- Configure the public advertised prefixes into public delegated prefixes in a project they own.
- Delegate sub-prefixes from the public delegated prefixes to specific projects in the organization.
- Revoke sub-prefixes that were previously delegated from the public delegated prefixes to a specific project in the organization.
- Delete public delegated prefixes.
Open ports on BYOIP addresses
Running a port scan on a BYOIP address might return unexpected results. Global BYOIP addresses are implemented by an infrastructure service called the Google Front End (GFE). A BYOIP address, even if it is unused, might appear to have open ports because those ports are used by other Google services that also share the GFE. Traffic to these ports is dropped and not logged.
Only supported load balancers can use global IP addresses. For more information about open ports on load balancers, see the following:
- Open ports on external Application Load Balancers
- Open ports on external proxy Network Load Balancers
Quotas and limits
There are quotas and limits for public delegated prefixes and public advertised prefixes. For more information, see VPC quotas and limits.