Create a public advertised prefix

You can bring your own IP addresses (BYOIP) to Google Cloud. After we validate that you own the IP range, and the IP addresses are imported to Google Cloud, you can assign them to supported resources.

You can import IPv4 and IPv6 address ranges to Google Cloud. IPv4 addresses can be used with most Google Cloud resources that support external IP addresses. IPv6 addresses can be used with external passthrough Network Load Balancer only. For more information, see Support for BYOIP addresses.

The first step in using bring your own IP is to create a public advertised prefix. The following options are available:

Configuration	Regional (v2)	Regional (v1)	Global (v1)
Availability	Recommended regional configuration	Not recommended for new regional configurations	Must request adding your project to an allowlist
Public advertised prefix provisioning time	Approximately 2 weeks	Approximately 4 weeks	Approximately 4 weeks
Public delegated prefix provisioning time	A few minutes	4 weeks Can overlap with public advertised prefix provisioning time	4 weeks Can overlap with public advertised prefix provisioning time
Sub-prefix provisioning time	A few minutes	A few minutes	A few minutes
BGP announcement	The public advertised prefix is not automatically announced when it is provisioned. You decide when to announce or withdraw advertisement.	The public advertised prefix is automatically announced after provisioning completes.	The public advertised prefix is automatically announced after provisioning completes.
IP stack	IPv4 IPv6 (for external passthrough Network Load Balancer only)	IPv4	IPv4

Before you begin

Bringing your own IP addresses to Google Cloud requires careful planning. For more information, see Planning for bring your own IP addresses.
Consider using an organization, and creating a dedicated project for managing BYOIP addresses. For more information, see Project architecture.
Check if any part of the prefix that you want to import is already publicly advertised. If it is, you must make sure that Google Cloud does not advertise it while it is being advertised from another source:
- If you are creating a v2 public advertised prefix for regional addresses, you have control over the announcement of the prefix. You can create the public advertised prefix and public delegated prefixes, but you must ensure the prefix is not advertised anywhere else before you announce it from Google Cloud.
- If you are creating a v1 public advertised prefix for global addresses, the prefix is automatically announced as soon as public delegated prefix provisioning is complete. Don't create public delegated prefixes until the prefix is no longer being announced from another source.

Roles

To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you the Compute Public IP Admin (roles/compute.publicIpAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Validate ownership of your prefix

When you create a public advertised prefix, you complete two tasks which together let Google validate that you own this prefix:

Creating a Route Origin Authorization (ROA) for your prefix.
Creating a PTR record for an IP address in your prefix.

The details of these validation tasks are outlined in the following sections.

After validation is complete, it takes approximately four weeks for the public advertised prefix configuration to complete.

Create a ROA request

To prove that you have ownership of a prefix, create a Route Origin Authorization (ROA) request.

Submit a ROA request with your regional registry for the prefix that you want Google to advertise. The request includes the prefix, the prefix length, and Google's ASN: 396982.

When you create the public advertised prefix, the ROA for this prefix must exist and point to Google's ASN and remain in effect for some time after you delete the public advertised prefix. For more information, see Remove a ROA.

We recommend that you submit another ROA request for the same prefix and prefix length but use your own ASN as the origin. If you ever need to advertise the prefix, the ROA with your ASN prevents networks that use Resource Public Key Infrastructure (RPKI) from considering the prefix to be invalid because it is also advertised with Google's origin ASN.

Your local regional internet registry processes ROA requests. For more information, see the link for your location:

AFRINIC (Africa)
APNIC (Portions of Asia and Oceania)
ARIN (North America and some Caribbean Islands)
LACNIC (Latin America)
RIPE NCC (Europe, Central Asia, Middle East)

Create a public advertised prefix

You can create a public advertised prefix for the prefix that you want to bring to Google.

A public advertised prefix name can't be changed without deleting and recreating the resource. For this reason, we recommend that you create generic names that won't need to change—for example, pap-203-0-113-0-24, where pap denotes the resource type and 203-0-113-0-24 denotes the specific prefix and prefix length.

If you want to use the public advertised prefix to create global public delegated prefixes, your project must be added to an allowlist. For more information, see Global public delegated prefixes.

Choose an unused IP address for DNS validation. Verification requires that you configure a new PTR record for this IP address, and you don't know the hostname until after you create the public advertised prefix.

Console

In the Google Cloud console, go to Bring your own IP.

Go to Bring your own IP
Click Add PAP.
For Name, enter a name for the public advertised prefix.
For Description, enter an optional description for the public advertised prefix.
For IP version, select IPv4 or IPv6.
Enter the prefix that you want to import.
If you're importing an IPv4 prefix, select a Scope for the public advertised prefix: Regional or Global.

Note: if the Global option is not available, you are not part of the allowlist for global public advertised prefixes.
Click Next.
Review the information that you entered. To confirm that you own this prefix, click Confirm.
For IP address, enter an unused IP address from the prefix that you are adding. This address is used for DNS validation, and in a later step, you must create a PTR record for it that uses a hostname provided by Google.
Click Create. The Validation screen shows you the validation status of this request.

gcloud

Use the public-advertised-prefixes create command.

To create a public advertised prefix (v1) for global addresses, run the following command:
```
gcloud compute public-advertised-prefixes create PAP_NAME \
    --range=PAP_IP_RANGE \
    --dns-verification-ip=VERIFICATION_IP_ADDRESS
```
Important: You must request that your project be added to an allowlist before you can create global public delegated prefixes from this public advertised prefix.

To create a public advertised prefix (v2) for regional addresses, run the following command:

gcloud compute public-advertised-prefixes create PAP_NAME \
    --range=PAP_IP_RANGE \
    --pdp-scope=REGIONAL \
    --dns-verification-ip=VERIFICATION_IP_ADDRESS

Creating a public advertised prefix (v1) for regional addresses is not recommended. Create a v2 public advertised prefix instead. If you must create a v1 public advertised prefix for regional addresses, run the following command:
```
gcloud compute public-advertised-prefixes create PAP_NAME \
    --range=PAP_IP_RANGE \
    --dns-verification-ip=VERIFICATION_IP_ADDRESS
```

Replace the following:

PAP_NAME: a name for the public advertised prefix that you're creating.
PAP_IP_RANGE: the IP address range for the public advertised prefix. The range can be an IPv4 or IPv6 address range.
VERIFICATION_IP_ADDRESS: an unused IP address chosen from the PAP_IP_RANGE. This address is used for DNS validation, and in a later step, you must create a PTR record for it that uses a hostname provided by Google.

Find the name to use for the PTR record

When you create a public advertised prefix, Google generates a name for you to use as a hostname for the PTR validation step.

Console

In the Google Cloud console, go to Bring your own IP.

Go to Bring your own IP
Click Check status for the prefix that you want to update.
The name and IP address to use for PTR validation are displayed in the DNS validation section.

gcloud

To get the name from the sharedSecret field, use the public-advertised-prefixes describe command.

gcloud compute public-advertised-prefixes describe \
    PAP_NAME --format='value(sharedSecret)'

If needed, you can retrieve the IP address you provided for DNS validation.

gcloud compute public-advertised-prefixes describe \
    PAP_NAME --format='value(dnsVerificationIp)'

In both commands, replace PAP_NAME with the name of the public advertised prefix.

Create the PTR record

To verify that you own the IP address range that you are importing to Google Cloud, you must create a public PTR record in the DNS zone that is used for the IP address range that you are importing.

Use the following values in the PTR record:

IP address: the verification IP address that you used when you created the public advertised prefix.
Hostname: the name (sharedSecret) that Google provided.
Domain name: the domain name associated with the DNS zone that is used for the IP address range that you are importing.

Examples:

IPv4: If your verification IP address is 203.0.113.144, and the DNS domain for 203.0.113.0/24 is example.net, and the name provided by Google is 55kk88tt00, the required PTR record would look like this:
```
$ dig +noall +answer -x 203.0.113.144

144.113.0.203.in-addr.arpa. 21599 IN PTR 55kk88tt99.example.net
```
IPv6: If your verification IP address is 2001:db8::10, and the DNS domain for 2001:db8::/32 is example.net, and the name provided by Google is 55kk88tt00, the required PTR record would look like this:
```
$ dig +noall +answer -x 2001:db8::10

0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
21599 IN PTR 55kk88tt99.example.net.
```

Validate the PTR record

After you have created the PTR record, update the public advertised prefix to trigger validation of the PTR record.

Console

In the Google Cloud console, go to Bring your own IP.

Go to Bring your own IP
Click Check status for the prefix that you want to update.
In the DNS validation section, select the I have created this PTR record checkbox and click Validate.

gcloud

To change the status of the public advertised prefix to PTR-CONFIGURED, use the public-advertised-prefixes update command.

The status change triggers validation of the PTR record. If it is successful, the status changes to VALIDATED. If it fails, the status changes to REVERSE_DNS_LOOKUP_FAILED.

gcloud compute public-advertised-prefixes update PAP_NAME --status=PTR-CONFIGURED

Replace PAP_NAME with the public advertised prefix that you have created a PTR record for.

Check the status of a public advertised prefix

It takes approximately four weeks for Google to provision the public advertised prefix. You can check the status to see if provisioning is complete.

Console

In the Google Cloud console, go to Bring your own IP.

Go to Bring your own IP
Click Check status for the prefix that you want to check.
View the Validation section.

gcloud

To describe the public advertised prefix and get its status, use the public-advertised-prefixes describe command.

After the prefix is validated, the status field changes from VALIDATED to PREFIX_CONFIGURATION_COMPLETE.

gcloud compute public-advertised-prefixes describe PAP_NAME --format='value(status)'

Replace PAP_NAME with the public advertised prefix that you want to get status information for.

What's next

Create public delegated prefixes