Stay organized with collections Save and categorize content based on your preferences.

Maximum transmission unit

Virtual Private Cloud (VPC) networks have a default maximum transmission unit (MTU) of 1460 bytes. However, you can configure your VPC networks to have a different MTU.

The MTU is the size, in bytes, of the largest packet supported by a network layer protocol, including both headers and data. In Google Cloud, you can configure the MTU for each individual VPC network. VM interfaces that use that network must also be configured to use that MTU. This MTU value refers to the size of the IP packet (datagram) and thus excludes the Ethernet header.

Valid MTUs

VPC networks have a default MTU of 1460. However, they can be configured to support an MTU of 1500 (standard Ethernet), up to 8896 (jumbo frames), or down to 1300.

The following table describes the maximum packet sizes that a VM can use when communicating with another VM.

Location of destination VM IP address types Permitted packet size Notes
The same VPC network as the sender VM, or a peered VPC network connected by using VPC Network Peering, that uses an internal IP address of Google Cloud. IPv4 or IPv6, including IP addresses that are reachable by using any routes or forwarding rules. 8896 If both VM interfaces have the same MTU as their networks, and the sender's and receiver's VPC networks use an MTU of 8896, then both TCP and UDP traffic proceeds at the network MTU.
If the receiver VM is in a VPC network that has a smaller MTU than the sender VM. Internal IPv4 or IPv6 1600
  • TCP: The TCP connection uses the TCP-MSS field to limit the TCP connection to the minimum MTU of both the sender VM and the receiver VM.

    If the VM sends a TCP packet larger than 1600 bytes, Google Cloud drops the packet and returns an ICMP Fragmentation-Needed message that includes the MTU of the destination VM's VPC network or 1600 if the network MTU is smaller than 1600 bytes.

  • UDP: If a VM sends an IP datagram larger than 1600 bytes, Google Cloud drops the packet and returns an ICMP Fragmentation-Needed message that includes the MTU of the destination VPC network or 1600 if the network MTU is smaller than 1600 bytes.

Internet

External IP address of another VM

External IPv4 or IPv6 1500, but packets of up to 1600 bytes are not dropped
  • TCP: If a VM sends a TCP SYN or SYN ACK packet with an MSS that would make the datagram size larger than 1500 bytes, Google Cloud performs MSS clamping by rewriting the MSS value so that the datagram size becomes 1500.

    If the VM sends a TCP packet larger than 1600 bytes, Google Cloud drops the packet and returns an ICMP Fragmentation-Needed message that includes the MTU for internet destinations of 1500.

  • UDP: If a VM sends an IP datagram larger than 1600 bytes, Google Cloud drops the packet and returns an ICMP Fragmentation-Needed message that includes the MTU for internet destinations of 1500.
On-premises environment connected with Cloud VPN Internal 1460 See MTU differences with Cloud VPN.
On-premises environment connected with Cloud Interconnect Internal 1440 or 1500 See MTU differences with Cloud Interconnect.

Handling of packets that exceed MTU

The MTU impacts both UDP and TCP traffic:

  • All IP protocols: If an IP packet exceeds the MTU of any link on the path to the destination, then the packet is dropped if the Don't-Fragment (DF) bit is set. In addition, if the link is within Google Cloud then the packet is dropped even if the DF bit is not set. When the packet gets dropped, an ICMP packet of type 3, code 4 Fragmentation-Needed is sent back to the sender indicating what MTU is acceptable to the link. For more information on path discovery, see path MTU discovery (PMTUD).
  • TCP: During connection establishment, both systems advertise their own maximum segment size (MSS) for the connection. The MSS represents the largest amount of data that a system will accept in a TCP segment, excluding the TCP and IP headers. The MSS plus TCP headers (20-60 bytes) plus IP headers (20 bytes) must be less than or equal to the MTU of the network path. Because VPC networks do not support IP fragmentation, the sender must appropriately size TCP segments so that they are less than or equal to an MSS which is appropriate for the MTU. For some network paths, Google Cloud performs MSS clamping, lowering a sender's advertised MSS value in a SYN packet or a recipient's advertised MSS value in a SYN-ACK packet.

VMs and MTU settings

Linux VMs based on Google-provided OS images automatically have their interface MTU set to the MTU of the VPC network when they are created. If a VM has multiple network interfaces, each interface is set to the MTU of the attached network. If you change the MTU of a VPC that has running VMs, you must stop and then start those VMs to pick up the new MTU. When the VMs start up again, the changed network MTU is communicated to them from DHCP. DHCP Option 26 contains the network's MTU.

Windows VMs do not automatically configure their interfaces to use the VPC network's MTU when they start. Instead, Windows VMs based on Google-provided OS images are configured with a fixed MTU of 1460. If you change the MTU of a VPC network that contains Windows VMs based on Google-provided OS images, you must change the MTU setting for the Windows VM.

Verify MTU settings on any VMs that use custom images. It is possible that they might honor the VPC network's MTU, but it is also possible that their MTUs might be set to a fixed value.

For instructions, see Change the MTU setting of a VPC network.

GKE and MTU settings

The MTU selected for a Pod interface is dependent on the Container Network Interface (CNI) used by the cluster Nodes and the underlying VPC MTU setting. For more information, see Pods.

The Pod interface MTU value is either 1460 or inherited from the primary interface of the Node.

CNI MTU GKE Standard
kubenet 1460 Default
kubenet
(GKE version 1.26.1 and later)
Inherited Default
Calico 1460

Enabled by using --enable-network-policy.

For details, see Control communication between Pods and Services using network policies.

netd Inherited Enabled by using any of the following:
GKE Dataplane V2 Inherited

Enabled by using --enable-dataplane-v2.

For details, see Using GKE Dataplane V2.

Consequences of mismatched MTUs

A mismatched MTU is defined as two communicating VM instances that have different MTU settings. This can, in a limited number of cases, cause connectivity problems. Specific cases involve the use of instances as routers and the use of Kubernetes inside VMs.

In most common scenarios, TCP connections established between instances with different MTUs are successful due to the MSS negotiation, where both ends of a connection will agree to use the lower of the two MTUs.

This applies whether the two VMs are in the same network or peered networks.

MTU differences with Cloud VPN

Cloud VPN always uses an MTU of 1460 bytes. If the VMs and networks on either side of the tunnel have higher MTUs, then Google Cloud uses MSS clamping to reduce the TCP MTU setting to 1460.

In the event a VM does send a TCP or UDP packet larger than the configuration can handle, Google Cloud drops the packet and sends an ICMP error messages to enable PMTUD, thus setting a lower MTU for UDP packets.

For more information about Cloud VPN and MTU, see Tunnel MTU and MTU considerations.

MTU differences with Cloud Interconnect

Cloud Interconnect can have an MTU of 1440 or 1500.

If the communicating VMs have an MTU of higher than 1460 and the VLAN attachment has an MTU of 1440, MSS clamping reduces the MTU of TCP connections to 1440 and TCP traffic proceeds.

MSS clamping does not affect UDP packets, so if the VPC network has an MTU of higher than 1460 and the VLAN attachment has an MTU of 1440, then UDP datagrams with more than 1412 bytes of data (1412 bytes UDP data + 8 byte UDP header + 20 byte IPv4 header = 1440) are dropped. In such a case, you can do one of the following:

  • Lower the MTU of the attached VPC network to 1460.
  • Adjust your application to send smaller UDP packets.
  • If the VPC network has an MTU of 1500, you can modify the MTU of the existing VLAN attachment to 1500 bytes or create a new VLAN attachment with an MTU of 1500 bytes.

For more information about Cloud Interconnect and MTU, see Cloud Interconnect MTU.

What's next

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how VPC performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Try VPC free