Create a public advertised prefix
You can bring your own IP addresses (BYOIP) to Google Cloud. After we validate that you own the IP range, and the IP addresses are imported to Google Cloud, you can assign them to supported resources.
You can import IPv4 and IPv6 address ranges to Google Cloud. IPv4 addresses can be used with most Google Cloud resources that support external IP addresses. IPv6 addresses can be used with external passthrough Network Load Balancer only. For more information, see Support for BYOIP addresses.
The first step in using bring your own IP is to create a public advertised prefix. The following options are available:
Configuration | Regional (v2) | Regional (v1) | Global (v1) |
---|---|---|---|
Availability | Recommended regional configuration | Not recommended for new regional configurations | Must request adding your project to an allowlist |
Public advertised prefix provisioning time | Approximately 2 weeks | Approximately 4 weeks | Approximately 4 weeks |
Public delegated prefix provisioning time | A few minutes | 4 weeks. Can overlap with public advertised prefix provisioning time | 4 weeks. Can overlap with public advertised prefix provisioning time |
Sub-prefix provisioning time | A few minutes | A few minutes | A few minutes |
BGP announcement | The public advertised prefix is not automatically announced when it is provisioned. You decide when to announce or withdraw advertisement. | The public advertised prefix is automatically announced after provisioning completes. | The public advertised prefix is automatically announced after provisioning completes. |
IP stack | | IPv4 | IPv4 |
Before you begin
- Bringing your own IP addresses to Google Cloud requires careful planning. For more information, see Planning for bring your own IP addresses.
- Consider using an organization, and creating a dedicated project for managing BYOIP addresses. For more information, see Project architecture.
- Check if any part of the prefix that you want to import is already publicly advertised. If it is, you must make sure that Google Cloud does not advertise it while it is being advertised from another source:
  - If you are creating a v2 public advertised prefix for regional addresses, you have control over the announcement of the prefix. You can create the public advertised prefix and public delegated prefixes, but you must ensure the prefix is not advertised anywhere else before you announce it from Google Cloud.
  - If you are creating a v1 public advertised prefix for global addresses, the prefix is automatically announced as soon as public delegated prefix provisioning is complete. Don't create public delegated prefixes until the prefix is no longer being announced from another source.
Roles
To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you the Compute Public IP Admin (roles/compute.publicIpAdmin) IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Validate ownership of your prefix
When you create a public advertised prefix, you complete two tasks which together let Google validate that you own this prefix:
- Creating a Route Origin Authorization (ROA) for your prefix.
- Creating a PTR record for an IP address in your prefix.
The details of these validation tasks are outlined in the following sections.
After validation is complete, it takes approximately four weeks for the public advertised prefix configuration to complete.
Create a ROA request
To prove that you have ownership of a prefix, create a Route Origin Authorization (ROA) request.
Submit a ROA request with your regional registry for the prefix that you want Google to advertise. The request includes the prefix, the prefix length, and Google's ASN: 396982.
When you create the public advertised prefix, the ROA for this prefix must exist and point to Google's ASN and remain in effect for some time after you delete the public advertised prefix. For more information, see Remove a ROA.
We recommend that you submit another ROA request for the same prefix and prefix length but use your own ASN as the origin. If you ever need to advertise the prefix, the ROA with your ASN prevents networks that use Resource Public Key Infrastructure (RPKI) from considering the prefix to be invalid because it is also advertised with Google's origin ASN.
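The effect of that second ROA can be checked with the route origin validation procedure from RFC 6811. The following is an added example, not code from Google or from this page; the customer ASN 64500 is a placeholder, and each ROA's maxLength is assumed to equal the prefix length.

```python
import ipaddress
from typing import NamedTuple

GOOGLE_ASN = 396982    # origin ASN this page tells you to put in the ROA
CUSTOMER_ASN = 64500   # assumption: stand-in for your own ASN (documentation range)


class Roa(NamedTuple):
    prefix: str
    max_length: int
    asn: int


def origin_validation(route: str, origin_asn: int, roas: list) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # It matches when the origin agrees and the route is no more specific
        # than maxLength allows. AS 0 in a ROA never matches any route.
        if roa.asn != 0 and roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none is what RPKI-validating
    # networks reject; no covering ROA at all is merely unknown.
    return "invalid" if covered else "not-found"


def fallback_outcomes(prefix: str = "203.0.113.0/24") -> dict:
    """Outcome of announcing `prefix` from each origin under each ROA set."""
    length = ipaddress.ip_network(prefix).prefixlen
    google_only = [Roa(prefix, length, GOOGLE_ASN)]
    both = google_only + [Roa(prefix, length, CUSTOMER_ASN)]
    return {
        "google_roa/google_origin": origin_validation(prefix, GOOGLE_ASN, google_only),
        "google_roa/own_origin": origin_validation(prefix, CUSTOMER_ASN, google_only),
        "both_roas/google_origin": origin_validation(prefix, GOOGLE_ASN, both),
        "both_roas/own_origin": origin_validation(prefix, CUSTOMER_ASN, both),
    }


if __name__ == "__main__":
    for case, state in fallback_outcomes().items():
        print(f"{case:28} {state}")
```

With only the Google ROA in place, an announcement from your own ASN is classified as invalid; with both ROAs, either origin is valid.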
Your local regional internet registry processes ROA requests. For more information, see the link for your location:
- AFRINIC (Africa)
- APNIC (Portions of Asia and Oceania)
- ARIN (North America and some Caribbean Islands)
- LACNIC (Latin America)
- RIPE NCC (Europe, Central Asia, Middle East)
Create a public advertised prefix
You can create a public advertised prefix for the prefix that you want to bring to Google.
A public advertised prefix name can't be changed without deleting and recreating the resource. For this reason, we recommend that you create generic names that won't need to change. For example, use pap-203-0-113-0-24, where pap denotes the resource type and 203-0-113-0-24 denotes the specific prefix and prefix length.
If you want to use the public advertised prefix to create global public delegated prefixes, your project must be added to an allowlist. For more information, see Global public delegated prefixes.
Choose an unused IP address for DNS validation. Verification requires that you configure a new PTR record for this IP address, and you don't know the hostname until after you create the public advertised prefix.
Console
In the Google Cloud console, go to Bring your own IP.
Click Add PAP.
For Name, enter a name for the public advertised prefix.
For Description, enter an optional description for the public advertised prefix.
For IP version, select IPv4 or IPv6.
Enter the prefix that you want to import.
If you're importing an IPv4 prefix, select a Scope for the public advertised prefix: Regional or Global.
Click Next.
Review the information that you entered. To confirm that you own this prefix, click Confirm.
For IP address, enter an unused IP address from the prefix that you are adding. This address is used for DNS validation, and in a later step, you must create a PTR record for it that uses a hostname provided by Google.
Click Create. The Validation screen shows you the validation status of this request.
gcloud
Use the public-advertised-prefixes create command.
To create a public advertised prefix (v1) for global addresses, run the following command:
    gcloud compute public-advertised-prefixes create PAP_NAME \
        --range=PAP_IP_RANGE \
        --dns-verification-ip=VERIFICATION_IP_ADDRESS
To create a public advertised prefix (v2) for regional addresses, run the following command:
    gcloud compute public-advertised-prefixes create PAP_NAME \
        --range=PAP_IP_RANGE \
        --pdp-scope=REGIONAL \
        --dns-verification-ip=VERIFICATION_IP_ADDRESS
Creating a public advertised prefix (v1) for regional addresses is not recommended. Create a v2 public advertised prefix instead. If you must create a v1 public advertised prefix for regional addresses, run the following command:
    gcloud compute public-advertised-prefixes create PAP_NAME \
        --range=PAP_IP_RANGE \
        --dns-verification-ip=VERIFICATION_IP_ADDRESS
Replace the following:
- PAP_NAME: a name for the public advertised prefix that you're creating.
- PAP_IP_RANGE: the IP address range for the public advertised prefix. The range can be an IPv4 or IPv6 address range.
- VERIFICATION_IP_ADDRESS: an unused IP address chosen from the PAP_IP_RANGE. This address is used for DNS validation, and in a later step, you must create a PTR record for it that uses a hostname provided by Google.
Find the name to use for the PTR record
When you create a public advertised prefix, Google generates a name for you to use as a hostname for the PTR validation step.
Console
In the Google Cloud console, go to Bring your own IP.
Click Check status for the prefix that you want to update.
The name and IP address to use for PTR validation are displayed in the DNS validation section.
gcloud
To get the name from the sharedSecret field, use the public-advertised-prefixes describe command.
    gcloud compute public-advertised-prefixes describe \
        PAP_NAME --format='value(sharedSecret)'
If needed, you can retrieve the IP address you provided for DNS validation.
    gcloud compute public-advertised-prefixes describe \
        PAP_NAME --format='value(dnsVerificationIp)'
In both commands, replace PAP_NAME with the name of the public advertised prefix.
Create the PTR record
To verify that you own the IP address range that you are importing to Google Cloud, you must create a public PTR record in the DNS zone that is used for the IP address range that you are importing.
Use the following values in the PTR record:
- IP address: the verification IP address that you used when you created the public advertised prefix.
- Hostname: the name (sharedSecret) that Google provided.
- Domain name: the domain name associated with the DNS zone that is used for the IP address range that you are importing.
Examples:
IPv4: If your verification IP address is 203.0.113.144, and the DNS domain for 203.0.113.0/24 is example.net, and the name provided by Google is 55kk88tt00, the required PTR record would look like this:
    $ dig +noall +answer -x 203.0.113.144
    144.113.0.203.in-addr.arpa. 21599 IN PTR 55kk88tt99.example.net
IPv6: If your verification IP address is 2001:db8::10, and the DNS domain for 2001:db8::/32 is example.net, and the name provided by Google is 55kk88tt00, the required PTR record would look like this:
    $ dig +noall +answer -x 2001:db8::10
    0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa 21599 IN PTR 55kk88tt99.example.net.
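Before you trigger validation, you can derive the record that the lookup must return and compare it with what your DNS zone actually serves. The following is an added example, not Google tooling; the function names are hypothetical, the inputs reuse the sample prefix, address, name and domain from the text above, and the dig answer lines in it are constructed.

```python
import ipaddress


def ptr_record(prefix: str, verification_ip: str, shared_secret: str, domain: str):
    """Return (owner_name, target) of the PTR record the validation step expects."""
    net = ipaddress.ip_network(prefix)
    ip = ipaddress.ip_address(verification_ip)
    # The verification address must come from the prefix being imported.
    if ip not in net:
        raise ValueError(f"{ip} is not inside {net}")
    # reverse_pointer yields the in-addr.arpa / ip6.arpa name without the root dot.
    owner = ip.reverse_pointer + "."
    target = f"{shared_secret}.{domain.rstrip('.')}."
    return owner, target


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; tolerate a missing trailing dot.
    return name.rstrip(".").lower()


def answer_matches(dig_line: str, owner: str, target: str) -> bool:
    """Compare one line of `dig +noall +answer -x IP` output with the expected record."""
    fields = dig_line.split()
    if len(fields) != 5 or fields[2:4] != ["IN", "PTR"]:
        return False
    return _norm(fields[0]) == _norm(owner) and _norm(fields[4]) == _norm(target)


if __name__ == "__main__":
    owner, target = ptr_record("203.0.113.0/24", "203.0.113.144", "55kk88tt00", "example.net")
    print(f"{owner} IN PTR {target}")
    # Constructed answer lines: one correct, one still pointing at an older hostname.
    good = "144.113.0.203.in-addr.arpa. 21599 IN PTR 55kk88tt00.example.net."
    stale = "144.113.0.203.in-addr.arpa. 21599 IN PTR host144.example.net."
    print(answer_matches(good, owner, target), answer_matches(stale, owner, target))
```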
Validate the PTR record
After you have created the PTR record, update the public advertised prefix to trigger validation of the PTR record.
Console
In the Google Cloud console, go to Bring your own IP.
Click Check status for the prefix that you want to update.
In the DNS validation section, select the I have created this PTR record checkbox and click Validate.
gcloud
To change the status of the public advertised prefix to PTR-CONFIGURED, use the public-advertised-prefixes update command.
The status change triggers validation of the PTR record. If it is successful, the status changes to VALIDATED. If it fails, the status changes to REVERSE_DNS_LOOKUP_FAILED.
    gcloud compute public-advertised-prefixes update PAP_NAME --status=PTR-CONFIGURED
Replace PAP_NAME with the public advertised prefix that you have created a PTR record for.
Check the status of a public advertised prefix
It takes approximately four weeks for Google to provision the public advertised prefix. You can check the status to see if provisioning is complete.
Console
In the Google Cloud console, go to Bring your own IP.
Click Check status for the prefix that you want to check.
View the Validation section.
gcloud
To describe the public advertised prefix and get its status, use the public-advertised-prefixes describe command.
After the prefix is validated, the status field changes from VALIDATED to PREFIX_CONFIGURATION_COMPLETE.
    gcloud compute public-advertised-prefixes describe PAP_NAME --format='value(status)'
Replace PAP_NAME with the public advertised prefix that you want to get status information for.