Maximum transmission unit

Virtual Private Cloud (VPC) networks have a default maximum transmission unit (MTU) of 1460 bytes. However, you can configure your VPC networks to have a different MTU.

The MTU is the size, in bytes, of the largest packet supported by a network layer protocol, including both headers and data. In Google Cloud, you can configure the MTU for each individual VPC network. VM interfaces that use that network must also be configured to use that MTU. This MTU value refers to the size of the IP packet (datagram) and thus excludes the Ethernet header.

Valid MTUs

VPC networks have a default MTU of 1460. However, they can be configured to support an MTU of 1500 (standard Ethernet), up to 8896 (jumbo frames), or down to 1300.

The following table describes the maximum packet sizes that a VM can use when communicating with another VM.

Location of destination VM: The same VPC network as the sender VM, or a peered VPC network connected by using VPC Network Peering, that uses an internal IP address of Google Cloud.
IP address types: IPv4 or IPv6, including IP addresses that are reachable by using any routes or forwarding rules.
Permitted packet size (bytes): 8896
Notes: If both VM interfaces have the same MTU as their networks, and the sender's and receiver's VPC networks use an MTU of 8896, then both TCP and UDP traffic proceeds at the network MTU.

Location of destination VM: If the receiver VM is in a VPC network that has a smaller MTU than the sender VM.
IP address types: Internal IPv4 or IPv6
Permitted packet size (bytes): 1600
Notes:
  • TCP: The TCP connection uses the TCP-MSS field to limit the TCP connection to the minimum MTU of both the sender VM and the receiver VM.

    If the VM sends a TCP packet larger than 1600 bytes, Google Cloud drops the packet and returns an ICMP Fragmentation-Needed message that includes the MTU of the destination VM's VPC network or 1600 if the network MTU is smaller than 1600 bytes.

  • UDP: If a VM sends an IP datagram larger than 1600 bytes, Google Cloud drops the packet and returns an ICMP Fragmentation-Needed message that includes the MTU of the destination VPC network or 1600 if the network MTU is smaller than 1600 bytes.

Location of destination VM: Internet; External IP address of another VM
IP address types: External IPv4 or IPv6
Permitted packet size (bytes): 1500, but packets of up to 1600 bytes are not dropped
Notes:
  • TCP: If a VM sends a TCP SYN or SYN ACK packet with an MSS that would make the datagram size larger than 1500 bytes, Google Cloud performs MSS clamping by rewriting the MSS value so that the datagram size becomes 1500.

    If the VM sends a TCP packet larger than 1600 bytes, Google Cloud drops the packet and returns an ICMP Fragmentation-Needed message that includes the MTU for internet destinations of 1500.

  • UDP: If a VM sends an IP datagram larger than 1600 bytes, Google Cloud drops the packet and returns an ICMP Fragmentation-Needed message that includes the MTU for internet destinations of 1500.

Location of destination VM: On-premises environment connected with Cloud VPN
IP address types: Internal
Permitted packet size (bytes): 1460
Notes: See MTU differences with Cloud VPN.

Location of destination VM: On-premises environment connected with Cloud Interconnect
IP address types: Internal
Permitted packet size (bytes): 1440 or 1500
Notes: See MTU differences with Cloud Interconnect.

Handling of packets that exceed MTU

The MTU impacts both UDP and TCP traffic:

  • All IP protocols: If an IP packet exceeds the MTU of any link on the path to the destination, then the packet is dropped if the Don't-Fragment (DF) bit is set. In addition, if the link is within Google Cloud then the packet is dropped even if the DF bit is not set. When the packet gets dropped, an ICMP packet of type 3, code 4 Fragmentation-Needed is sent back to the sender indicating what MTU is acceptable to the link. For more information on path discovery, see path MTU discovery (PMTUD).
  • TCP: During connection establishment, both systems advertise their own maximum segment size (MSS) for the connection. The MSS represents the largest amount of data that a system will accept in a TCP segment, excluding the TCP and IP headers. The MSS plus TCP headers (20-60 bytes) plus IP headers (20 bytes) must be less than or equal to the MTU of the network path. Because VPC networks do not support IP fragmentation, the sender must appropriately size TCP segments so that they are less than or equal to an MSS which is appropriate for the MTU. For some network paths, Google Cloud performs MSS clamping, lowering a sender's advertised MSS value in a SYN packet or a recipient's advertised MSS value in a SYN-ACK packet.
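The MSS arithmetic and the clamping step described above, as an added Python example (not Google Cloud's implementation). It assumes a 20-byte IPv4 header, operates on the raw TCP header of a SYN or SYN-ACK, and uses a constructed sample header with a placeholder checksum.

```python
import struct

IP_HDR = 20        # IPv4 header without options, as in the text above
TCP_HDR_MIN = 20   # fixed TCP header; options are not counted in the MSS

def find_mss(tcp):
    """Return (offset, value) of the MSS option in a TCP header, or None."""
    if len(tcp) < TCP_HDR_MIN:
        return None
    end = min((tcp[12] >> 4) * 4, len(tcp))   # data offset is in 32-bit words
    i = TCP_HDR_MIN
    while i + 1 < end:
        kind, length = tcp[i], tcp[i + 1]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > end:    # malformed option: stop parsing
            break
        if kind == 2 and length == 4:         # MSS option
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamp_mss(tcp, path_mtu):
    """Lower the MSS of a SYN or SYN-ACK so that MSS + 40 <= path_mtu."""
    hit = find_mss(tcp)
    limit = path_mtu - IP_HDR - TCP_HDR_MIN
    if hit is None or not tcp[13] & 0x02 or hit[1] <= limit:
        return bytes(tcp)          # no MSS option, not a SYN, or already fits
    off, old = hit
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, limit)
    # RFC 1624 incremental checksum update: HC' = ~(~HC + ~m + m')
    csum = struct.unpack_from("!H", out, 16)[0]
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + limit
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", out, 16, ~s & 0xFFFF)
    return bytes(out)

# Constructed SYN (ports 40000 -> 443) advertising MSS 8856 = 8896 - 40.
# The checksum 0x1234 is a placeholder, not computed over a real pseudo-header.
SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0x1234, 0)
SYN += struct.pack("!BBH", 2, 4, 8856)
```

With a path MTU of 1500 the advertised MSS becomes 1460, and with 1460 it becomes 1420; a segment that is not a SYN, or whose MSS already fits, is returned unchanged.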

VMs and MTU settings

Linux VMs based on Google-provided OS images automatically have their interface MTU set to the MTU of the VPC network when they are created. If a VM has multiple network interfaces, each interface is set to the MTU of the attached network. If you change the MTU of a VPC that has running VMs, you must stop and then start those VMs to pick up the new MTU. When the VMs start up again, the changed network MTU is communicated to them from DHCP. DHCP Option 26 contains the network's MTU.

Windows VMs do not automatically configure their interfaces to use the VPC network's MTU when they start. Instead, Windows VMs based on Google-provided OS images are configured with a fixed MTU of 1460. If you change the MTU of a VPC network that contains Windows VMs based on Google-provided OS images, you must change the MTU setting for the Windows VM.

Verify MTU settings on any VMs that use custom images. It is possible that they might honor the VPC network's MTU, but it is also possible that their MTUs might be set to a fixed value.

For instructions, see Change the MTU setting of a VPC network.

GKE and MTU settings

The MTU selected for a Pod interface is dependent on the Container Network Interface (CNI) used by the cluster Nodes and the underlying VPC MTU setting. For more information, see Pods.

The Pod interface MTU value is either 1460 or inherited from the primary interface of the Node.

CNI: kubenet
MTU: 1460
GKE Standard: Default

CNI: kubenet (GKE version 1.26.1 and later)
MTU: Inherited
GKE Standard: Default

CNI: Calico
MTU: 1460
GKE Standard: Enabled by using --enable-network-policy. For details, see Control communication between Pods and Services using network policies.

CNI: netd
MTU: Inherited
GKE Standard: Enabled by using any of the following:

CNI: GKE Dataplane V2
MTU: Inherited
GKE Standard: Enabled by using --enable-dataplane-v2. For details, see Using GKE Dataplane V2.

Consequences of mismatched MTUs

A mismatched MTU is defined as two communicating VM instances that have different MTU settings. This can, in a limited number of cases, cause connectivity problems. Specific cases involve the use of instances as routers and the use of Kubernetes inside VMs.

In most common scenarios, TCP connections established between instances with different MTUs are successful due to the MSS negotiation, where both ends of a connection will agree to use the lower of the two MTUs.

This applies whether the two VMs are in the same network or peered networks.

MTU differences with Cloud VPN

Cloud VPN always uses an MTU of 1460 bytes. If the VMs and networks on either side of the tunnel have higher MTUs, then Google Cloud uses MSS clamping to reduce the TCP MTU setting to 1460.

If a VM does send a TCP or UDP packet larger than the configuration can handle, Google Cloud drops the packet and sends an ICMP error message to enable PMTUD, thus setting a lower MTU for UDP packets.
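To check what such an ICMP error actually reports, the following added Python example (not part of the original page or of any Google Cloud tooling) parses an ICMPv4 type 3, code 4 Fragmentation-Needed message in the RFC 1191 layout and extracts the advertised MTU. The sample message is constructed, uses documentation-range addresses, and models the internet case from the table above (1700-byte UDP datagram, MTU 1500).

```python
import struct

def inet_checksum(data):
    """RFC 1071 Internet checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def parse_frag_needed(icmp):
    """Return details of an ICMPv4 type 3, code 4 message, or None for anything else."""
    if len(icmp) < 8 + 20:                 # ICMP header + minimal quoted IPv4 header
        return None
    icmp_type, code, _, _, next_hop_mtu = struct.unpack_from("!BBHHH", icmp)
    if (icmp_type, code) != (3, 4):
        return None
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                       # quoted header of the dropped datagram
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20:
        return None
    total_len, _, flags_frag = struct.unpack_from("!HHH", inner, 2)
    return {
        "next_hop_mtu": next_hop_mtu,      # MTU the sender must respect (RFC 1191)
        "dropped_len": total_len,
        "df_set": bool(flags_frag & 0x4000),
        "dst": ".".join(str(b) for b in inner[16:20]),
        # Largest UDP payload that fits, if the dropped datagram was UDP (protocol 17)
        "max_udp_payload": next_hop_mtu - ihl - 8 if inner[9] == 17 else None,
    }

def build_sample():
    """Constructed message: a 1700-byte UDP datagram to 203.0.113.10 dropped, MTU 1500."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1700, 1, 0x4000, 64, 17, 0,
                        bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10]))
    inner += struct.pack("!HHHH", 40000, 53, 1680, 0)   # quoted UDP header
    body = struct.pack("!BBHHH", 3, 4, 0, 0, 1500) + inner
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
```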

For more information about Cloud VPN and MTU, see Tunnel MTU and MTU considerations.

MTU differences with Cloud Interconnect

Cloud Interconnect can have an MTU of 1440 or 1500.

If the communicating VMs have an MTU higher than 1460 and the VLAN attachment has an MTU of 1440, MSS clamping reduces the MTU of TCP connections to 1440 and TCP traffic proceeds.

MSS clamping does not affect UDP packets, so if the VPC network has an MTU higher than 1460 and the VLAN attachment has an MTU of 1440, then UDP datagrams with more than 1412 bytes of data (1412 bytes UDP data + 8 byte UDP header + 20 byte IPv4 header = 1440) are dropped. In such a case, you can do one of the following:

  • Lower the MTU of the attached VPC network to 1460.
  • Adjust your application to send smaller UDP packets.
  • If the VPC network has an MTU of 1500, you can modify the MTU of the existing VLAN attachment to 1500 bytes or create a new VLAN attachment with an MTU of 1500 bytes.

For more information about Cloud Interconnect and MTU, see Cloud Interconnect MTU.
