IP addresses

Resources such as VM instances and load balancers have IP addresses in Google Cloud. These IP addresses let Google Cloud resources communicate with other resources in Google Cloud, in on-premises networks, or on the public internet. This page describes the IP address categorization used by Google Cloud.

Google Cloud uses the following labels to describe different IP address types. For example, an internal IP address is not publicly routed. An external IP address is a publicly routed IP address. You can assign an external IP address to the network interface of a Google Cloud VM.

External IP address

External IP addresses are publicly advertised, meaning they are reachable by any host on the internet. External IP addresses must be publicly routable IP addresses. Resources with external IP addresses can communicate with the public internet.

External IPv4 addresses for resources can be provided by Google, or you can bring your own IP (BYOIP) addresses to Google. While BYOIP addresses are static external IPv4 addresses, and can be used with most resources that support static external IPv4 addresses, there are some exceptions.

External IPv6 addresses are provided by Google. For more information, see IPv6 subnet ranges.

Internal IP address

Internal IP addresses cannot be reached from the internet and are not publicly routable.

Internal IP addresses are local to a VPC network, a VPC network connected by using VPC Network Peering, or an on-premises network connected to a VPC network by using Cloud VPN, Cloud Interconnect, or a Router appliance. Resources with internal IP addresses communicate with other resources as if they're all on the same private network.

Internal IPv4 addresses can be private IPv4 addresses, or they can be privately used public IPv4 addresses. For a list of valid internal IPv4 addresses, see Valid IPv4 ranges.

Internal IPv6 addresses are unique within Google Cloud. For more information, see IPv6 subnet ranges.

For details about how internal IP addresses are advertised when you connect your VPC network to another network, see Route advertisements and internal IP addresses.

Private IP address

Private IP addresses are addresses that cannot be routed on the internet.

In Google Cloud, private IP addresses can only be used as internal IP addresses within a VPC network or an on-premises network connected to a VPC network.

For a list of private IPv4 ranges, see the entries for Private IP address ranges in the valid internal IPv4 address ranges table.

Unique local addresses (ULAs) are private IPv6 addresses. ULAs are used for internal IPv6 subnet ranges.

Public IP address

Public IP addresses are internet routable. In Google Cloud, external IPv4 and IPv6 addresses are always public IP addresses.

You can also use public IPv4 addresses as internal addresses when you configure the primary or secondary IPv4 address range of a subnet in your VPC network. These addresses are referred to as privately used public IP addresses.

Regional and global IP addresses

When you list or describe IP addresses in your project, Google Cloud labels addresses as global or regional, which indicates how a particular address is being used. When you associate an address with a regional resource, such as a VM, Google Cloud labels the address as regional. Regions are Google Cloud regions, such as us-east4 or europe-west2.

For more information about global and regional resources, see Global, regional, and zonal resources in the Compute Engine documentation.
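
The labels above are independent axes: internal versus external, private versus public, and regional versus global. The following Python sketch is an added example, not part of the original page or of Google's tooling; it classifies a constructed inventory shaped like the JSON output of gcloud compute addresses list. It treats only RFC 1918 and ULA (fc00::/7) blocks as private, which is an assumption because the Valid IPv4 ranges table is not reproduced on this page.

```python
import ipaddress

# Assumption: only RFC 1918 and ULA (RFC 4193) blocks count as "private" here.
# The page defers the full list to the Valid IPv4 ranges table.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed inventory; project name and addresses are illustrative only.
REGION = "https://www.googleapis.com/compute/v1/projects/example-project/regions/"
SAMPLE = [
    {"name": "web-vip", "address": "34.120.0.10", "addressType": "EXTERNAL"},
    {"name": "nat-ip", "address": "35.200.0.5", "addressType": "EXTERNAL",
     "region": REGION + "us-east4"},
    {"name": "ilb-ip", "address": "10.128.0.7", "addressType": "INTERNAL",
     "region": REGION + "us-east4"},
    {"name": "legacy-db", "address": "11.0.0.5", "addressType": "INTERNAL",
     "region": REGION + "europe-west2"},
    {"name": "ula-vm", "address": "fd20:0:0:1::5", "addressType": "INTERNAL",
     "region": REGION + "us-east4"},
]

def routability(addr):
    """Return 'private', 'public', or 'special-purpose' for one address."""
    ip = ipaddress.ip_address(addr)
    if any(ip.version == n.version and ip in n for n in PRIVATE_NETS):
        return "private"
    # is_global is False for shared, documentation, and reserved space.
    return "public" if ip.is_global else "special-purpose"

def classify(rec):
    region = rec.get("region")  # global addresses carry no region field
    scope = "regional:" + region.rsplit("/", 1)[-1] if region else "global"
    kind = rec["addressType"].lower()
    route = routability(rec["address"])
    if kind == "external":
        # External addresses must be public; anything else is a data error.
        note = "internet reachable" if route == "public" else "inconsistent record"
    elif route == "public":
        note = "privately used public address"
    else:
        note = "not internet routable"
    return {"scope": scope, "kind": kind, "routability": route, "note": note}

def audit(records):
    return {rec["name"]: classify(rec) for rec in records}

if __name__ == "__main__":
    for name, labels in audit(SAMPLE).items():
        print(f"{name:10} {labels}")
```

The legacy-db record is the case to watch: it is an internal address, yet any filter or log rule that equates "internal" with RFC 1918 space will treat its traffic as internet traffic.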

Summary of IP address types

The following tables describe examples of different regional and global IP addresses.

Internal IP addresses

Internal IP addresses are always Premium Tier.

Classification: Regional internal IPv4 address
Definition and tier: A valid IPv4 range used as a subnet primary IPv4 range or subnet secondary IPv4 range
Purpose: Addresses from a subnet primary IPv4 range can be used for:
  • The primary internal IPv4 address of a Compute Engine VM network interface; includes GKE nodes
  • Alias IP ranges assigned to a VM's interface
  • Internal protocol forwarding
  • Internal passthrough Network Load Balancer
  • Internal Application Load Balancer
  • Cloud DNS forwarder entry points
  • Private Service Connect endpoints for managed services
Addresses from a subnet secondary IPv4 range can be used as sources for alias IP ranges assigned to a VM's interface.

Classification: Regional internal IPv6 address
Definition and tier: An internal IPv6 range automatically allocated for a subnet IPv6 range
Purpose: Regional internal IPv6 addresses can be used by Compute Engine VM network interfaces.

Classification: Global internal IPv4 addresses
Definition and tier:
  • Private Service Connect endpoints for Google APIs
  • Allocated ranges for private services access
Purpose: For more information, see Access Google APIs through endpoints or private services access.

External IP addresses

Some external IP addresses can be Standard Tier as well as Premium Tier.

Classification: Regional external IPv4 address
Definition and tier: Each region has its own set of external IP addresses for use by zonal or regional resources. Regional external IPv4 addresses can be provided by Google, or you can bring your own IPv4 address ranges to Google Cloud.
Purpose: Premium Tier regional external IPv4 addresses can be used by:
  • Compute Engine VM network interfaces (in a one-to-one NAT configuration)
  • External protocol forwarding
  • External passthrough Network Load Balancers
Standard Tier regional external IPv4 addresses can be used by:
  • Compute Engine VM network interfaces (in a one-to-one NAT configuration)
  • External protocol forwarding
  • External passthrough Network Load Balancers
  • External proxy Network Load Balancers and external Application Load Balancers
Regional external IPv4 addresses are also used by:
  • External addresses for Cloud NAT
  • External addresses for Cloud VPN

Classification: Regional external IPv6 address (exclusive to Premium Tier)
Definition and tier: An external IPv6 range automatically allocated for an IPv6 subnet range
Purpose: Regional external IPv6 addresses always use Premium Tier. They can be used by:
  • Compute Engine VM network interfaces
  • External passthrough Network Load Balancers (backend service-based only)

Classification: Global external IPv4 addresses (exclusive to Premium Tier)
Definition and tier: Internet accessible anycast external IPv4 addresses for global load balancing. Global external IPv4 addresses can be provided by Google, or you can bring your own IPv4 address ranges to Google Cloud.
Purpose: Global external IPv4 addresses always use Premium Tier. They can be used by:
  • External proxy Network Load Balancers
  • External Application Load Balancers

Classification: Global external IPv6 addresses (exclusive to Premium Tier)
Definition and tier: Internet accessible anycast external IPv6 addresses for global load balancing.
Purpose: Global external IPv6 addresses always use Premium Tier. They can be used by:
  • External proxy Network Load Balancers
  • External Application Load Balancers

Ephemeral and static IP addresses

An ephemeral IP address is an IP address that doesn't persist beyond the life of the resource. For example, when you create an instance or forwarding rule without specifying an IP address, Google Cloud automatically assigns the resource an ephemeral IP address. In general, the ephemeral IP address is released if you stop or delete the resource.

Internal and external IP addresses can be ephemeral or static.

Reserving a static IP address assigns the address to your project until you explicitly release it. This is useful if you are dependent on a specific IP address for your service and need to prevent another resource from being able to use the address. Static addresses are useful if you need to move an IP address from one Google Cloud resource to another.

Some services have exceptions to the previous definitions:

  • For HA VPN, you cannot manually assign a static IPv4 address to the interface of an HA VPN gateway. Cloud VPN creates two regional external IPv4 addresses for you when you create the gateway, and those addresses remain assigned to the gateway until you delete it.

  • For Cloud NAT, when you configure Cloud NAT to automatically allocate external IPv4 addresses, those addresses appear as static; however, they are deleted if you delete the Cloud NAT gateway or if you change the Cloud NAT gateway to use manual addresses.
