Creating instances with multiple network interfaces

By default, every virtual machine (VM) instance in a VPC network has a single network interface. However, you can configure an instance with multiple network interfaces. When using multiple interfaces from an instance, each interface must attach to a different VPC network; you can't attach multiple network interfaces to the same VPC network.

You can configure VM interfaces with IPv4 addresses only (single-stack) or both IPv4 and IPv6 addresses (dual-stack).

If you don't require multiple network interfaces, follow the procedure for Creating and starting an instance to create instances with the default network configuration.

For more information about multiple network interfaces and how they work, see Multiple network interfaces.

Specifications

  • You can only configure a network interface when you create an instance.

  • Each network interface configured in a single instance must:

    • Attach to a different VPC network, either a standalone VPC network or a Shared VPC network.
    • Belong to a subnet whose IP range doesn't overlap with the subnets of any other interface.
  • If you want to create a VM that is attached to multiple VPC networks, all of the networks must exist before you create the instance. For more information about creating networks, see Create and modify Virtual Private Cloud (VPC) networks.

  • You can't delete a network interface without deleting the instance.

  • Each instance must have a minimum of one network interface and a maximum of eight, depending on the instance's machine type.

    • nic0 is required and must be configured at instance creation.
    • nic1 to nic7 are optional, but must also be configured at instance creation.
    • For more information, see Maximum number of interfaces.
  • Every interface can optionally have an external IPv4 address.

  • If you connect a VM to a subnet that has an internal or external IPv6 subnet range, you can optionally configure an internal or external IPv6 address.

  • Google Cloud's DHCP server sends a default route (RFC 3442, "classless static route") only to the default NIC, nic0. If a default route is needed on another NIC, you must configure policy routing on the instance.

  • All VM interfaces must connect to networks in the same project as the VM or to a Shared VPC shared with the project.

Limitations

  • You cannot add or remove network interfaces from an existing VM.

  • IP forwarding is enabled at the VM level and cannot be applied to individual interfaces.

Permissions, IAM, and instances with multiple network interfaces

To create an instance with multiple network interfaces, you must have one of the following roles:

  • Project owner or editor role
  • compute.instanceAdmin.v1 role

Creating and deleting instances and instance templates with multiple interfaces in a project not using Shared VPC environment: A user with the OWNER, EDITOR, or compute.instanceAdmin.v1 role at the project level can create an instance with multiple interfaces associated with VPC networks and subnets that are part of that same project.

Creating and deleting instances and instance templates with multiple interfaces in Shared VPC environments: A user with the OWNER, EDITOR, or compute.instanceAdmin.v1 role at the project level can create an instance with multiple interfaces. If any of the interfaces is associated with a subnet in a Shared VPC host project, you must also have the compute.networkUser role at the Shared VPC host project level, or at the Shared VPC subnet level.

To learn more about permissions, read the Compute Engine IAM documentation.

Using multiple network interfaces with different VPC network types

  • Multiple network interfaces are not supported with legacy networks.
  • When you configure multiple network interfaces, attach each interface to an auto mode VPC network or custom mode VPC network.

Network interface IP address allocation

  • You must configure each network interface with a primary internal IP address that is allocated from the primary IP address range of a subnet.
    • The primary internal address allocated to each of the interfaces in a single instance must be different.
  • You can choose to configure each of the virtual interfaces (NIC) with a unique external IP address. External addresses can be ephemeral or reserved.

Maximum number of network interfaces

The number of virtual network interfaces scales with the number of vCPUs with a minimum of 2 and maximum of 8.

Use the following table to determine how many network interfaces can be attached to an instance:

Number of vCPUs    Number of vNICs
2 or fewer         2
2 to 8             2 to 8
8 or more          8

Before you begin

  • Verify that all required networks are created before you create the instance. If you need to create networks, see Create and modify Virtual Private Cloud (VPC) networks.

  • Verify that each network has appropriate firewall rules to allow the traffic that you want to allow to and from the VM with multiple interfaces. If you need to create firewall rules, see Using firewall rules.

  • If you are connecting a VM to multiple networks using IPv6 addresses, the VM needs one of the following configurations. Otherwise, the interfaces with IPv6 addresses are not configured with an IPv6 subnet route.

    • The VM has google-guest-agent version 20220412.00 or later. For more information about managing google-guest-agent versions, see Guest environment.

    • The VM has a startup script configured to make the following configuration change for each secondary interface.

      sudo sysctl -w net.ipv6.conf.INTERFACE_NAME.accept_ra_rt_info_max_plen=128
      

      Replace INTERFACE_NAME with the name of the interface—for example, eth1 or ens5.

Create virtual machine instances with multiple network interfaces

Creating an instance with a single interface is unchanged. For general instructions on creating instances, see Creating and starting an instance.

You can add multiple network interfaces when you create an instance:

  • On the Console, you add network interfaces on the Create an Instance page, in the Networking -> Network interfaces section.
  • On the gcloud command line tool, use the instances create command. Include the --network-interface flag for each interface, followed by any appropriate networking keys, such as network, subnet, private-network-ip, or address.

The first interface is always created as nic0 and it is always the default interface. This is important for some other aspects of Google Cloud networking. For example, Google Cloud load balancers (except for Internal TCP/UDP Load Balancing) only distribute traffic to nic0.

Console

  1. Go to the Create an instance page.

  2. Enter a Name for the instance.

  3. Select a Region.

  4. Select a Zone.

  5. Expand the Networking, disks, security, management, sole tenancy section.

  6. Expand Networking, and do the following:

    1. In the Network interfaces section, expand the network interface to edit it.

    2. For Network and Subnetwork, select the network and subnetwork that you want to use.

      If you want to configure IPv6 addresses on the interface, select a subnet that has an IPv6 address range configured. The IPv6 access type of the subnet determines whether the VM receives an internal IPv6 address or an external IPv6 address.

    3. Select an IP stack type: IPv4 (single stack) or IPv4 and IPv6 (dual-stack)

    4. For Primary internal IP, select one of the following:

      • Ephemeral to assign a new ephemeral IPv4 address
      • A reserved IPv4 address from the list
      • Static to assign a new static IPv4 address
    5. For External IPv4 address, select one of the following:

      • Ephemeral to assign a new ephemeral IPv4 address
      • None to not assign an external IPv4 address
      • A reserved IPv4 address from the list
      • Create new IP address to assign a new static IPv4 address
    6. To finish modifying the network interface, click Done.

  7. Click Add network interface to add another interface.

  8. Continue with the VM creation process.

  9. Click Create.

gcloud

Create network interfaces on a new instance by using the instances create command. Include the --network-interface flag for each interface, followed by any appropriate networking keys, such as network, subnet, private-network-ip, or address.

This snippet only illustrates the --network-interface flag, one of many possible parameters you can specify when creating an instance. For other flags, see the gcloud reference for the instances create command. See the Maximum number of network interfaces table to see what machine types support the number of network interfaces you need.

gcloud compute instances create INSTANCE_NAME \
    --zone [ZONE] \
    [--network-interface \
        [network=NETWORK,subnet=SUBNET], \
        [stack-type=STACK_TYPE], \
        [address=RESERVED_EXTERNAL_ADDRESS | no-address], \
        [private-network-ip=INTERNAL_ADDRESS] \
    ...]

Replace the following:

  • ZONE: the zone where the instance is created.
  • NETWORK: the network where the interface will attach.
  • SUBNET: the subnet where the interface will attach.
  • STACK_TYPE: the stack type for the interface. The default value is IPV4_ONLY. Specify IPV4_IPV6 to configure a dual-stack interface.
  • RESERVED_EXTERNAL_ADDRESS: assigns the named external IP address to the interface. You must have previously reserved an external address. Specify "no-address" instead of address=RESERVED_EXTERNAL_ADDRESS if you don't want the interface to have an external IP address. Specify address='' if you want the interface to receive an ephemeral external IP address.
  • INTERNAL_ADDRESS: the internal IP address you want the interface to have in the target subnet. Omit if you just want any valid address assigned.

API

Create a VM instance with multiple network interfaces.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
  "networkInterfaces": [
    {
      "subnetwork": "SUBNET_URL"
    },
      for each interface, specify a network...
  ],
  other instance settings...
}

Replace the placeholders with valid values:

  • SUBNET_URL is the URL of the subnet where the network interface will be located.
  • PROJECT_ID is the ID of the project that will contain the instance.
  • ZONE is the zone that will contain the instance.

For more information, refer to the instances.insert method.

Terraform

You can use a Terraform resource to create a VM instance with multiple network interfaces.

The Terraform arguments have example values that you can change.

resource "google_compute_instance" "default" {
  project      = var.project_id # Replace with your project ID in quotes
  zone         = "us-central1-b"
  name         = "backend-instance"
  machine_type = "e2-medium"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }
  network_interface {
    subnetwork = var.subnet_1 # Replace with self link to a subnetwork in quotes
    network_ip = "10.0.0.14"
  }
  network_interface {
    subnetwork = var.subnet_2 # Replace with self link to a subnetwork in quotes
    network_ip = "10.10.20.14"
  }
}

Example configurations

The following sections show how to create VMs with multiple interfaces.

Configure multiple interfaces with IPv4 addresses

The following sample command creates an instance with three network interfaces.

gcloud compute instances create vm1 --machine-type=n1-standard-4 \
    --network-interface '' \
    --network-interface network=net1,subnet=subnet-a,private-network-ip=10.10.10.2,address=RESERVED_EXTERNAL_ADDRESS \
    --network-interface network=net2,subnet=subnet-b,private-network-ip=10.10.20.2,no-address

The interfaces are created as follows:

  • nic0 is created with default settings. The interface is attached to the default VPC network, with an automatically allocated internal IP address and an ephemeral external IP address.

  • nic1 is attached to subnet subnet-a in network net1, with an internal IP address of 10.10.10.2 and a static external IP address, RESERVED_EXTERNAL_ADDRESS.

  • nic2 is attached to subnet subnet-b in network net2, with an internal IP address of 10.10.20.2 and no external IP address.

For a complete description of the gcloud compute instances create command and the --network-interface flag, read the documentation for the command.

You can use the IP address from the NIC that you have added to set up DNS forwarding. To learn more about configuring Cloud DNS forwarding zones, see Forwarding zones.

Configure multiple interfaces with IPv4 and IPv6 addresses

The following sample command creates a dual-stack instance with two network interfaces.

gcloud compute instances create vm1 \
--network-interface network=dual-int,subnet=int-subnet,stack-type=IPV4_IPV6 \
--network-interface network=dual-ext,subnet=ext-subnet,stack-type=IPV4_IPV6,ipv6-network-tier=PREMIUM \
--machine-type=n1-standard-4 --zone=us-west2-a

The interfaces are created as follows:

  • nic0 is attached to subnet int-subnet in network dual-int, with an ephemeral internal IPv4 address and an ephemeral internal IPv6 address.

  • nic1 is attached to subnet ext-subnet in network dual-ext, with an ephemeral internal IPv4 address and an ephemeral external IPv6 address.

Configuring multiple network interfaces for instance groups

You can use instances with multiple network interfaces in unmanaged instance groups and managed instance groups.

For unmanaged instance groups, create each instance individually, ensuring that the nic0 network interface for each VM is in the same VPC network. Then, add the VM instances to the unmanaged instance group.

To configure multiple network interfaces for managed instance groups, you must specify the network configuration for each interface in the instance template, by setting the --network-interface flag once for each interface. The following sample creates an instance template with three network interfaces:

gcloud compute instance-templates create template-1 \
    --network-interface subnet=net0-subnet-a \
    --network-interface subnet=net1-subnet-b,no-address \
    --network-interface subnet=net2-subnet-c,no-address \
    --region us-central1

Because subnet names in each region of a project must be unique, specifying subnets by name implicitly associates each interface with a VPC network. Each interface must use a unique VPC network:

  • nic0 uses the net0-subnet-a subnet
  • nic1 uses the net1-subnet-b subnet
  • nic2 uses the net2-subnet-c subnet

The no-address option in the --network-interface flag indicates that the interface is configured without an external IP address. The internal IP address comes from the subnet used by the interface. For complete information on the flags and syntax, see the --network-interface flag for the instance-templates create command.

Configuring policy routing

For Google supported images, when you need a secondary network interface (an interface other than nic0) to communicate with any IP address not local to the primary subnet range of that secondary interface's associated subnet, you need to configure policy routing to ensure that egress packets will leave through the correct interface. In such cases, you must configure a separate routing table for each network interface using policy routing.

Source-based policy routing is not supported by Windows operating systems.

Find the default gateway for the interface

You can find the default gateway for a VM's interface by querying the metadata server.

  • To find the default gateway for an interface's IPv4 address, make the following request from the VM:

    curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/INTERFACE_NUMBER/gateway -H "Metadata-Flavor: Google"
    

    Replace INTERFACE_NUMBER with the number of the interface. For example, to find the default gateway for nic1, use 1.

  • To find the default gateway for an interface's IPv6 address, make the following request from the VM:

    curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/INTERFACE_NUMBER/gateway-ipv6 -H "Metadata-Flavor: Google"
    

    Replace INTERFACE_NUMBER with the number of the interface. For example, to find the default gateway for nic1, use 1.

Configure policy-based routing on Linux VMs

To avoid losing connectivity to the VM while you change the default route, use the serial console.

  • Configure policy routing for each secondary interface with ifconfig. Don't configure the primary interface (nic0), because it already has a default route (the one that the DHCP server programs on nic0).

    sudo ifconfig NIC IP_ADDRESS netmask NETMASK broadcast IP_ADDRESS mtu 1430
    echo "1 rt1" | sudo tee -a /etc/iproute2/rt_tables
    sudo ip route add GATEWAY src IP_ADDRESS dev NIC table rt1
    sudo ip route add default via GATEWAY dev NIC table rt1
    sudo ip rule add from IP_ADDRESS/PREFIX_LENGTH table rt1
    sudo ip rule add to IP_ADDRESS/PREFIX_LENGTH table rt1


    Replace the following:

    • NIC: the interface that you want to add a route for. For example, eth1.
    • IP_ADDRESS: the IP address configured on the interface.
    • NETMASK: the netmask of the interface. For example, 255.255.255.255.
    • GATEWAY: the default gateway IP address of the interface.
    • PREFIX_LENGTH: the prefix length for the configured IP address.
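The steps above as a script, added here as an example and not part of the Google Cloud documentation: it reads the interface's address and prefix from ip addr, fetches the gateway from the metadata endpoint shown in Find the default gateway for the interface, and applies the same rt_tables, ip route, and ip rule commands, using table id N for nicN (the "1 rt1" convention above). The function names (configure_nic, policy_route_cmds, cidr_from_ip_output, metadata_gateway) are this example's own, and it assumes the interface already has its address configured by the guest environment from DHCP, so the ifconfig step is skipped.

```sh
#!/bin/sh
# Added example: give one secondary interface (nicN) its own routing table,
# as described above, without hand-copying addresses.
#  - the gateway comes from the metadata server path the docs use ("gateway")
#  - the address and prefix come from what the guest environment already put
#    on the interface, so the ifconfig step is not needed (assumes DHCP ran)
METADATA="http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces"

# metadata_gateway INDEX: print the IPv4 default gateway of nicINDEX.
metadata_gateway() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA/$1/gateway"
}

# cidr_from_ip_output LINE: extract ADDRESS/PREFIX (the fourth field) from one
# line of "ip -o -4 addr show dev NIC" output.
cidr_from_ip_output() {
  set -- $1
  echo "${4:-}"
}

# policy_route_cmds NIC ADDRESS PREFIX GATEWAY TABLE_ID: print, one per line,
# the commands from the section above for this interface, with table rtTABLE_ID.
# Printing them first lets you review the plan; pipe into "sudo sh" to apply.
policy_route_cmds() {
  nic=$1; ip=$2; prefix=$3; gw=$4; tid=$5; tname="rt$5"
  printf '%s\n' \
    "grep -q '^$tid $tname\$' /etc/iproute2/rt_tables || echo '$tid $tname' >> /etc/iproute2/rt_tables" \
    "ip route add $gw src $ip dev $nic table $tname" \
    "ip route add default via $gw dev $nic table $tname" \
    "ip rule add from $ip/$prefix table $tname" \
    "ip rule add to $ip/$prefix table $tname"
}

# configure_nic INDEX NIC: look up nicINDEX (OS name NIC) and apply the commands.
# Never run this for nic0; its default route is already programmed by DHCP.
configure_nic() {
  index=$1; nic=$2
  if [ "$index" -eq 0 ]; then
    echo "refusing to touch nic0" >&2
    return 1
  fi
  cidr=$(cidr_from_ip_output "$(ip -o -4 addr show dev "$nic" | head -n 1)")
  gw=$(metadata_gateway "$index")
  if [ -z "$cidr" ] || [ -z "$gw" ]; then
    echo "no address or gateway found for $nic (nic$index)" >&2
    return 1
  fi
  policy_route_cmds "$nic" "${cidr%/*}" "${cidr#*/}" "$gw" "$index" | sh -e
}

# Usage (as root, from the serial console or a startup script): ./policy-route.sh 1 eth1
if [ "$#" -eq 2 ]; then
  configure_nic "$1" "$2"
fi
```

Running it as a startup script rebuilds the table after every reboot, which is what the Netplan-based Ubuntu releases below need.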

Configure policy-based routing on Ubuntu version 18.04 or higher

With the switch from ifupdown to Netplan as the default network configuration utility for Ubuntu 18.04 LTS or later, the ifconfig package is not pre-installed. Additionally, changes you make to Netplan's network configuration files do not persist over Compute Engine VM reboots.

  1. Create a startup script that sets a routing table for each network interface at VM startup. Learn more about how to create startup scripts.

    Using a startup script does not work if you are mounting a file share in your VM, because startup scripts only run after partitions are mounted. This would lead to your file share always being mounted on the default interface before your startup script creates the routing table.

  2. To mount a file share on a VM through a secondary network, namely an interface other than nic0, you must configure the client VM's routing policy to ensure that the file share mounts through the correct network interface. To do this, modify the following files:

    • In /etc/default/instance_configs.cfg, set the setup flag for NetworkInterfaces to false:

      [NetworkInterfaces]
      dhclient_script = /sbin/google-dhclient-script
      dhcp_command =
      ip_forwarding = true
      setup = false


    • In /etc/network/interfaces, add the following lines to the interface of interest:

      auto eth1
      iface eth1 inet dhcp
          up ip route add filestore-reserved-address-range via default-gateway-of-nic-to-filestore
      

    Replace the following:

    • filestore-reserved-address-range is the reserved address range for use by the Compute Engine instance.
    • default-gateway-of-nic-to-filestore is the default gateway IP address of the NIC connected to the VPC network that is shared with the Compute Engine instance.

    For more information on mounting a file share on a VM instance, see Mounting file shares on Compute Engine.

Troubleshooting

I am not able to create a VM with multiple interfaces

You may see one of the following error messages:

  • Invalid value for field 'resource': ''. Too many network interfaces. The maximum number of network interfaces allowed for this machine type is.

    If you get this error message, you are trying to create more interfaces than the maximum interfaces supported by your instance machine type. See the maximum number of interfaces table.

  • Networks must be distinct for NICs attached to a VM.

    If you get this message, you are trying to create more than one interface in the same network. Each network interface must be attached to a different VPC network.

  • Subnetwork CIDR ranges must be non-overlapping for NICs attached to a VM.

    If you get this message, the CIDR ranges associated with your VM's interfaces overlap. These CIDR ranges include all primary ranges of subnets associated with VM interfaces as well as secondary ranges used for alias IP ranges. Each interface is attached to a subnet in a different VPC network, and that subnet's ranges must not overlap with the ranges of the subnets used by the other interfaces. For example, if you are trying to create your instance in region us-west1, you can check subnet primary CIDR ranges using the following command or the Google Cloud console.

    gcloud compute networks subnets list --regions us-west1
    NAME                REGION    NETWORK          RANGE
    default             us-west1  default          10.138.0.0/20
    overlapping-subnet  us-west1  test-network     10.138.8.0/24
    

    To check secondary subnet CIDR ranges, use the following command or the Google Cloud console.

    gcloud compute networks subnets describe overlapping-subnet --region us-west1
    
    ...
    ipCidrRange: 10.128.8.0/24
    ...
    secondaryIpRanges:
    - ipCidrRange: 10.138.8.0/24
      rangeName: conflicting-range
    
  • Multiple network interfaces are not supported on legacy networks.

    If you get this message, you are trying to create your instance in a legacy network. Instances with multiple interfaces are not supported with legacy networks. You can check whether a network is a legacy network using the following command or the Google Cloud console. The MODE field indicates the type of network.

    gcloud compute networks list
    NAME             MODE    IPV4_RANGE     GATEWAY_IPV4
    default          auto
    legacy-network   legacy  10.240.0.0/16  10.240.0.1
    test-network     custom
    

  • Required 'compute.instances.create' permission for 'projects/PROJECT_ID/zones/ZONE/instances/test-inst'

    If you get this message, the account you are logged in with does not have the IAM permissions necessary for creating an instance. Refer to IAM Permissions for detailed information on the roles required for creating instances. You can check whether the IAM policy associated with your project grants you any of the following roles: OWNER, EDITOR, or compute.instanceAdmin.v1. For creating instances in a Shared VPC you additionally need the compute.networkUser role. In the following example, the account email2@gmail.com doesn't have sufficient IAM permissions to create an instance. For more detailed instructions, see the Granting, Changing, and Revoking Access to Resources IAM guide.

    gcloud projects get-iam-policy PROJECT_ID
    bindings:
    - members:
      - user:email1@gmail.com
        role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
        role: roles/editor
    - members:
      - user:email2@gmail.com
        role: roles/viewer
    etag: BwUjMhXbSPU=
    version: 1
    

    You can ask your project owner or editor to grant you the OWNER, EDITOR, or compute.instanceAdmin.v1 role. You also need the compute.networkUser role if you are associating any interface with a subnet belonging to a Shared VPC. For example, to grant the Editor role:

    gcloud projects add-iam-policy-binding PROJECT_ID --member=user:email2@gmail.com --role=roles/editor
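
A preflight check for two of the errors above (Networks must be distinct; Subnetwork CIDR ranges must be non-overlapping), added here as an example and not from the Google Cloud docs. Give check_nics one line per planned interface, in nic order: NETWORK followed by the subnet's primary range and any secondary ranges. The function names ip_to_int, cidr_overlap, and check_nics are this example's own, and the plan it runs by default is constructed from the troubleshooting output above (default 10.138.0.0/20 and test-network with secondary range 10.138.8.0/24).

```sh
#!/bin/sh
# Added example: offline preflight for the "Networks must be distinct" and
# "Subnetwork CIDR ranges must be non-overlapping" errors. Pure POSIX sh, so
# gcloud output (subnets list / subnets describe) can be pasted into the plan.

# ip_to_int 10.138.8.0 -> 176818176 (dotted quad to a 32-bit integer);
# runs in a subshell so the IFS change does not leak out.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_overlap A/PA B/PB: succeed (exit 0) if the two ranges share any address.
# Two ranges overlap exactly when they agree on the shorter of the two prefixes.
cidr_overlap() {
  a=$(ip_to_int "${1%/*}"); pa=${1#*/}
  b=$(ip_to_int "${2%/*}"); pb=${2#*/}
  p=$pa
  if [ "$pb" -lt "$p" ]; then p=$pb; fi
  shift_bits=$((32 - p))
  [ $((a >> shift_bits)) -eq $((b >> shift_bits)) ]
}

# check_nics PLAN: PLAN holds "NETWORK CIDR [CIDR ...]" lines, one per interface
# in nic order. Prints every conflict and returns 1 if any was found.
check_nics() {
  plan=$1
  n=$(printf '%s\n' "$plan" | wc -l | tr -d ' ')
  status=0
  i=1
  while [ "$i" -le "$n" ]; do
    line_i=$(printf '%s\n' "$plan" | sed -n "${i}p")
    net_i=${line_i%% *}; ranges_i=${line_i#* }
    j=$((i + 1))
    while [ "$j" -le "$n" ]; do
      line_j=$(printf '%s\n' "$plan" | sed -n "${j}p")
      net_j=${line_j%% *}; ranges_j=${line_j#* }
      if [ "$net_i" = "$net_j" ]; then
        echo "nic$((i - 1)) and nic$((j - 1)): Networks must be distinct ($net_i)"
        status=1
      fi
      # Compare every range of interface i against every range of interface j
      # (primary and secondary alike, as the error message requires).
      for ra in $ranges_i; do
        for rb in $ranges_j; do
          if cidr_overlap "$ra" "$rb"; then
            echo "nic$((i - 1)) $ra overlaps nic$((j - 1)) $rb"
            status=1
          fi
        done
      done
      j=$((j + 1))
    done
    i=$((i + 1))
  done
  return $status
}

# Constructed plan from the troubleshooting output above: nic0 on "default",
# nic1 on "test-network", whose secondary range collides with default's primary.
if check_nics "$(printf 'default 10.138.0.0/20\ntest-network 10.128.8.0/24 10.138.8.0/24\n')"; then
  echo "plan is clean"
else
  echo "plan has conflicts; fix them before running gcloud compute instances create"
fi
```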
    

I am not able to connect to secondary interface's internal IP

  • Check firewall rules to see that they allow connectivity to the VM secondary interface. You can check by looking at the firewall rules for the network that is attached to the secondary interface by either visiting Google Cloud console and clicking the appropriate VPC network or by using the following gcloud command.

    gcloud compute firewall-rules list --filter='network:NETWORK_NAME'
    
  • Check if you are trying to connect to a secondary interface from an Internet address or from outside of the secondary interface's network. You can only connect to an interface's internal IP from within its network. If you need to reach that interface from outside the network, you can assign an external IP address to your secondary interface.

  • Check if you are trying to connect to the secondary interface's internal IP from outside the subnet the secondary interface is attached to, either from another subnet of the same network or from a peered network. Multiple Network Interfaces per instance explains the interplay between VPC Peering and VM instances with multiple interfaces. In order to reach secondary interfaces from outside the interface's subnet, you might have to configure routes on the VM. See DHCP behavior with multiple network interfaces for details on how DHCP programs default routes in the VM.

I am not able to connect to a secondary interface using an external IP

The DHCP server programs a default route only on the primary network interface of the VM. If you want to connect to the secondary interface using an external IP, there are two options. If you only need to connect outside the network on the secondary network interface, you can set a default route on that network interface. Otherwise, you can use Configuring Policy Routing to configure a separate routing table using source-based policy routing in your VM.

I am having connectivity issues when using a netmask that is not /32

By default, the instance metadata server only responds to ARP requests for the default gateway.

To configure interfaces with a netmask other than /32, you should create an image using the flag --guest-os-features MULTI_IP_SUBNET and use it to create your instance. For example, if you are using a debian-9 based image, you can create an image using the following command:

gcloud compute images create debian-9-multi-ip-subnet \
     --source-disk debian-9-disk \
     --source-disk-zone us-west1-a \
     --guest-os-features MULTI_IP_SUBNET

To view the guest features configured on the image, run the gcloud compute images describe command on the guest image.

gcloud compute images describe debian-9-multi-ip-subnet

For more information on creating custom images, see Creating, Deleting, and Deprecating Custom Images.

Troubleshooting using serial console

It is often a good idea to enable the serial console on the VM to debug configuration-related issues. You can enable the serial console for interactive debugging by following the steps in Interacting with the serial console.