Using bring your own IP

You can bring your own IP addresses (BYOIP) to Google Cloud. After we validate that you own the IP range, and the IP addresses are imported to Google Cloud, you can assign them to supported resources.

Live migration lets you control when Google starts advertising routes for your prefix. Live migration is not available by default. To request access, contact your Google Cloud representative.

Roles

The Compute Public IP Admin role (roles/compute.publicIpAdmin) provides the permissions needed to perform the tasks in this guide.

Before you begin

  • Bringing your own IP addresses to Google Cloud requires careful planning. Read Bring your own IP for planning guidance.

  • Consider using an organization, and creating a dedicated project for managing BYOIP addresses. For more information, see Project architecture.

  • Verify that no part of the prefix that you want to import is already publicly advertised. If it is, you must use live migration.

Limitations

  • It takes up to four weeks to provision a public advertised prefix. Provisioning cannot be accelerated.

  • It takes up to four weeks to provision a public delegated prefix if the prefix has a public advertised prefix parent. Provisioning cannot be accelerated.

    The wait does not apply to sub-prefixes, which are public delegated prefixes with a public delegated prefix parent.

  • Public advertised prefixes can have size /16 to /24.

  • Public delegated prefixes can have size /17 to /28.

  • When you create a public delegated prefix, you cannot configure it with the same prefix size as the parent public advertised prefix. For example, if the public advertised prefix is /24, the public delegated prefix must be /25 or smaller.

  • A public delegated prefix can be sub-delegated up to three times from a public advertised prefix.

  • When you create addresses from a public delegated prefix, the group of addresses can have size /17 to /28. You can't create a smaller group of addresses, for example, a single /32 address.

  • If you use privately used public IP addresses in your VPC network, your imported prefixes must not overlap with these IP addresses. Do not use imported prefixes as privately used public IP addresses.

  • Importing IPv6 addresses is not supported.

  • Live migration is not supported for public delegated prefixes with global scope. For more information, see live migration.
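The size and nesting limits above can be checked against a delegation plan before anything is created. The following is an added example, not Google's tooling: the check_plan function and its input layout are hypothetical, and it assumes that "sub-delegated up to three times" means the chain public advertised prefix, public delegated prefix, sub-prefix, sub-prefix is the deepest one allowed.

```python
import ipaddress

PAP_LEN = range(16, 25)   # public advertised prefix: /16 to /24
PDP_LEN = range(17, 29)   # public delegated prefix or sub-prefix: /17 to /28
MAX_DELEGATIONS = 3       # assumption: PAP -> PDP -> sub -> sub is the deepest chain


def check_plan(pap, delegated, private_ranges=()):
    """Return a list of rule violations for a BYOIP plan (empty list = no findings).

    pap: CIDR string of the public advertised prefix.
    delegated: dict name -> (cidr, parent_name); parent_name None means the PAP.
    private_ranges: privately used public IP ranges already in the VPC network.
    """
    problems = []
    pap_net = ipaddress.ip_network(pap)
    if pap_net.version != 4:
        return ["%s: importing IPv6 addresses is not supported" % pap]
    if pap_net.prefixlen not in PAP_LEN:
        problems.append("%s: public advertised prefix must be /16 to /24" % pap)
    for used in private_ranges:
        if pap_net.overlaps(ipaddress.ip_network(used)):
            problems.append("%s: overlaps privately used public range %s" % (pap, used))

    for name, (cidr, parent) in delegated.items():
        net = ipaddress.ip_network(cidr)
        if net.prefixlen not in PDP_LEN:
            problems.append("%s: delegated prefix must be /17 to /28" % name)
        parent_net = pap_net if parent is None else ipaddress.ip_network(delegated[parent][0])
        if net.version != parent_net.version or not net.subnet_of(parent_net):
            problems.append("%s: %s is outside parent %s" % (name, net, parent_net))
        elif parent is None and net.prefixlen == pap_net.prefixlen:
            problems.append("%s: same size as the public advertised prefix" % name)
        # Walk up to the PAP to count how many times this range was delegated.
        depth, cursor = 1, parent
        while cursor is not None and depth <= len(delegated):
            depth, cursor = depth + 1, delegated[cursor][1]
        if depth > MAX_DELEGATIONS:
            problems.append("%s: delegated %d times, limit is %d" % (name, depth, MAX_DELEGATIONS))
    return problems


# Plan built from the documentation prefix and resource names used on this page.
PLAN = {
    "pdp-203-0-113-0-25": ("203.0.113.0/25", None),
    "sub-203-0-113-0-26": ("203.0.113.0/26", "pdp-203-0-113-0-25"),
}

if __name__ == "__main__":
    print(check_plan("203.0.113.0/24", PLAN) or "plan is within the documented limits")
```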

Support for BYOIP addresses

BYOIP addresses are static external IP addresses, and can be used with most resources that support static external IP addresses. However, there are some exceptions:

  • Cloud VPN does not support using BYOIP addresses.

  • Shared VPC does not support creating BYOIP addresses in service projects. You can create BYOIP addresses in Shared VPC host projects, and use the host project IP addresses in the service projects.

  • Google Kubernetes Engine nodes and Pods do not support BYOIP addresses; however you can use BYOIP addresses to create external forwarding rules used with GKE Ingress for External HTTP(S) load balancing.

  • Managed instance groups (MIGs) do not support BYOIP addresses, because MIG VM IP addresses are automatically allocated.

Validating ownership of your prefix

When you create a public advertised prefix, you complete two tasks which together let Google validate that you own this prefix:

  • Creating a Route Origin Authorization (ROA) for your prefix.
  • Creating a PTR record for an IP address in your prefix.

The details of these validation tasks are outlined in the following sections.

After validation is complete, it takes up to four weeks for the public advertised prefix configuration to complete.

Creating a ROA request

To prove you have ownership of a prefix, create a Route Origin Authorization (ROA) request.

Submit a ROA request with your regional registry for the prefix that you want Google to advertise. The request includes the prefix, the prefix length, and Google's ASN: 396982.

We recommend that you submit another ROA request for the same prefix and prefix length, but using your own ASN as origin. If you ever need to also advertise the prefix, the ROA with your ASN prevents networks that use Resource Public Key Infrastructure (RPKI) from considering the prefix to be invalid because it is also advertised with Google's origin ASN.

The ROA for this prefix must exist and point to Google's ASN from the time you create the public advertised prefix until you no longer want Google to advertise this prefix.
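Why the second ROA matters can be seen by running route origin validation (RFC 6811) over both ROA sets. This is an added example, not part of Google's documentation: rov_state and origin_report are hypothetical helper names, AS64496 is a documentation ASN standing in for your own, and the ROA tuples are constructed.

```python
import ipaddress

GOOGLE_ASN = 396982        # origin ASN this page tells you to put in the ROA
OWN_ASN = 64496            # constructed: documentation ASN standing in for your own
PREFIX = "203.0.113.0/24"  # documentation prefix used in this page's examples


def rov_state(roas, prefix, origin_asn):
    """Classify an announcement the way an RPKI-validating router does (RFC 6811).

    roas: iterable of (prefix, max_length, asn) tuples taken from validated ROAs.
    Returns "valid", "invalid" or "not-found".
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the announced route
        covered = True
        if asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: validators reject the route.
    return "invalid" if covered else "not-found"


def origin_report(roas, prefix, origins):
    """Map each candidate origin ASN to its validation state for the prefix."""
    return {asn: rov_state(roas, prefix, asn) for asn in origins}


# Constructed ROA sets: (prefix, max_length, origin ASN).
ROA_GOOGLE_ONLY = [(PREFIX, 24, GOOGLE_ASN)]
ROA_BOTH = ROA_GOOGLE_ONLY + [(PREFIX, 24, OWN_ASN)]

if __name__ == "__main__":
    for label, roas in (("Google ROA only", ROA_GOOGLE_ONLY), ("both ROAs", ROA_BOTH)):
        print(label, origin_report(roas, PREFIX, [GOOGLE_ASN, OWN_ASN]))
```

With only the Google ROA in place, an announcement of the same prefix from your own ASN is covered but unmatched, so validating networks drop it.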

Your local regional internet registry processes ROA requests. See the link for your location for more information.

  • AFRINIC (Africa)
  • APNIC (Portions of Asia and Oceania)
  • ARIN (North America and some Caribbean Islands)
  • LACNIC (Latin America)
  • RIPE NCC (Europe, Central Asia, Middle East)

Creating a public advertised prefix

Create a public advertised prefix for the prefix you want to bring to Google.

A public advertised prefix name can't be changed without deleting and recreating the resource. For this reason, we recommend that you create names that are easy to manage. For example, pap-203-0-113-0-24, where pap denotes the resource type, and 203-0-113-0-24 denotes the specific prefix and prefix length.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Click Add PAP.

  3. For Name, enter a name for the public advertised prefix.

  4. For Description, enter an optional description for the public advertised prefix.

  5. For Prefix, enter the prefix you want to import.

  6. Click Next.

  7. Review the information that you have entered. Click Confirm to confirm that you own this prefix.

  8. For IP address, enter an IP address from the prefix you are adding. This IP address is used for DNS validation.

  9. Click Create.

  10. The Validation screen shows you the validation status of this request.

gcloud

Create a public advertised prefix.

gcloud compute public-advertised-prefixes create PAP_NAME \
    --range=PAP_IP_RANGE \
    --dns-verification-ip=VERIFICATION_IP_ADDRESS \
    [--description=PAP_DESCRIPTION]

Replace the following:

  • PAP_NAME: name for the public advertised prefix you're creating.

  • PAP_IP_RANGE: IP range for the public advertised prefix.

  • VERIFICATION_IP_ADDRESS: IP address chosen from the PAP_IP_RANGE to use for DNS verification.

  • PAP_DESCRIPTION: optional description for the public advertised prefix.

For more information, see the gcloud compute public-advertised-prefixes create reference.

Finding the name to use for the PTR record

When you create a public advertised prefix, Google generates a name for you to use as a hostname for the PTR validation step.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Click Check status for the prefix that you want to update.

  3. The name and IP address to use for PTR validation are displayed in the DNS validation section.

gcloud

  1. Get the name from the sharedSecret field.

    gcloud compute public-advertised-prefixes describe \
        PAP_NAME --format='value(sharedSecret)'
    
  2. If needed, you can retrieve the IP address you provided for DNS validation.

    gcloud compute public-advertised-prefixes describe \
        PAP_NAME --format='value(dnsVerificationIp)'
    

    In both commands, replace the following:

    • PAP_NAME: the name of the public advertised prefix.

Creating the PTR record

In your DNS server, add a PTR record using the name that Google provided as the hostname. If you are using Cloud DNS for this IP address, see add a record.

For example, if you are importing prefix 203.0.113.0/24, your verification IP address is 203.0.113.144, and the name provided by Google is 55kk88tt99, the required PTR record would look like this:

$ dig +noall +answer -x 203.0.113.144

144.113.0.203.in-addr.arpa. 21599 IN PTR 55kk88tt99.example.net
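Before triggering validation, the dig answer can be checked against the values recorded on the public advertised prefix. This is an added example, not Google's validation logic: check_ptr is a hypothetical helper, and it assumes the Google-provided name must be the leftmost label of the PTR target, as in the record shown above.

```python
import ipaddress

# Answer line as shown on this page for verification IP 203.0.113.144.
PAGE_DIG = "144.113.0.203.in-addr.arpa. 21599 IN PTR 55kk88tt99.example.net"


def expected_ptr_owner(verification_ip):
    """Reverse-DNS owner name for the verification IP, with trailing dot."""
    return ipaddress.ip_address(verification_ip).reverse_pointer + "."


def check_ptr(prefix, verification_ip, shared_secret, dig_answer):
    """Return a list of problems; an empty list means the record looks ready.

    prefix: range of the public advertised prefix.
    shared_secret: the name Google generated (the sharedSecret field).
    dig_answer: text printed by `dig +noall +answer -x VERIFICATION_IP`.
    """
    problems = []
    ip = ipaddress.ip_address(verification_ip)
    if ip not in ipaddress.ip_network(prefix):
        problems.append("%s is not inside %s" % (ip, prefix))
    owner = expected_ptr_owner(verification_ip)
    targets = []
    for line in dig_answer.splitlines():
        fields = line.split()
        # Answer lines read: owner TTL class type rdata
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "PTR":
            if fields[0].lower() == owner:
                targets.append(fields[4].rstrip(".").lower())
    if not targets:
        problems.append("no PTR record found for %s" % owner)
    # Assumption: the generated name is the first label of the PTR target.
    elif not any(t.split(".")[0] == shared_secret.lower() for t in targets):
        problems.append("PTR target %s does not start with %s" % (targets[0], shared_secret))
    return problems


if __name__ == "__main__":
    print(check_ptr("203.0.113.0/24", "203.0.113.144", "55kk88tt99", PAGE_DIG) or "PTR record matches")
```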

Validating the PTR record

After you have created the PTR record, update the public advertised prefix to trigger validation of the PTR record.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Click Check status for the prefix that you want to update.

  3. In the DNS validation section, select the I have created this PTR record checkbox and click Validate.

gcloud

Change the status of the public advertised prefix to PTR-CONFIGURED.

The status change triggers validation of the PTR record. If it is successful, the status changes to VALIDATED. If it fails, the status changes to REVERSE_DNS_LOOKUP_FAILED.

gcloud compute public-advertised-prefixes update PAP_NAME --status=PTR-CONFIGURED

Replace the following:

  • PAP_NAME: the public advertised prefix that you have created a PTR record for.

Checking the status of a public advertised prefix

It takes up to four weeks for Google to provision the public advertised prefix. You can check the status to see if provisioning is complete.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Click Check status for the prefix that you want to check.

  3. View the Validation section.

gcloud

Describe the public advertised prefix to get the status.

After the prefix is validated, the status field changes from VALIDATED to PREFIX_CONFIGURATION_COMPLETE.

gcloud compute public-advertised-prefixes describe PAP_NAME --format='value(status)'

Replace the following:

  • PAP_NAME: the public advertised prefix that you want to get status information for.

Creating public delegated prefixes

You can delegate prefixes before the public advertised prefix creation is complete. Both the public advertised prefix and public delegated prefix provisioning processes take up to four weeks.

A public delegated prefix name can't be changed without deleting and recreating the resource. For this reason, we recommend that you create names that are easy to manage. For example, pdp-203-0-113-0-25, where pdp denotes the resource type, and 203-0-113-0-25 denotes the specific prefix and prefix length.

If you are using live migration, all public delegated prefixes in a given public advertised prefix must be created with live migration enabled to prevent the public advertised prefix from being advertised. For more information, see live migration. The public delegated prefix must be created with a regional scope. For more information, see live migration recommendations. Make sure your project is enabled for live migration before you create the public delegated prefix.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Click the public advertised prefix that you want to delegate.

  3. Click Create PDP.

  4. For Name, enter a name for the public delegated prefix.

  5. For Description, enter an optional description for the public delegated prefix.

  6. Select a Prefix length for the public delegated prefix.

  7. Select IP addresses for the public delegated prefix.

  8. Select a Scope for the public delegated prefix.

  9. Select a Project for the public delegated prefix.

  10. Click Create.

gcloud

Create a public delegated prefix.

gcloud compute public-delegated-prefixes create PDP_NAME \
    --public-advertised-prefix=PAP_NAME \
    --range=PDP_IP_RANGE \
    [--description=PDP_DESCRIPTION] \
    [--enable-live-migration] \
    [--global | --region=PDP_REGION]

Replace the following:

  • PDP_NAME: the name to use for the public delegated prefix that you are creating.

  • PAP_NAME: the name of the public advertised prefix to use to create the public delegated prefix.

  • PDP_IP_RANGE: the IP range to use to create the public delegated prefix.

  • PDP_DESCRIPTION: an optional description for the public delegated prefix.

  • PDP_REGION: the region where you want to use the public delegated prefix addresses.

For more information, see the gcloud compute public-delegated-prefixes create reference.

Checking the status of a public delegated prefix

It takes up to four weeks for Google to start announcing the prefixes. When the public delegated prefix is first created, the status is INITIALIZING.

The status of the public delegated prefix changes to ANNOUNCED when the configuration is completed.

If the public delegated prefix was created with live migration enabled, the status changes to READY_TO_ANNOUNCE when the configuration is completed. With live migration, the prefix isn't announced until you start prefix advertisement.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. The Status column displays the status for all public delegated prefixes.

gcloud

Describe the public delegated prefix to get the status.

gcloud compute public-delegated-prefixes describe PDP_NAME \
    [--global | --region=PDP_REGION] \
    --format='value(status)'

Replace the following:

  • PDP_NAME: the public delegated prefix or sub-prefix that you want to get information for.

  • PDP_REGION: the region of the public delegated prefix or sub-prefix.

Creating sub-prefixes

You can divide a public delegated prefix into smaller IP ranges by creating a sub-prefix. A sub-prefix is a public delegated prefix that has a public delegated prefix parent.

A sub-prefix name can't be changed without deleting and recreating the resource. For this reason, we recommend that you create names that are easy to manage. For example, sub-203-0-113-0-28, where sub denotes the resource type, and 203-0-113-0-28 denotes the specific prefix and prefix length.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Click the public delegated prefix that you want to subdivide.

  3. Click Create sub-prefix.

  4. Enter a Name and optional Description for the sub-prefix.

  5. Select a Prefix length for the sub-prefix.

  6. Select IP addresses for the sub-prefix.

  7. Select a Project for the sub-prefix. The IP addresses are made available in this project only.

  8. Click Create.

gcloud

Create a sub-prefix from a public delegated prefix.

gcloud compute public-delegated-prefixes \
  delegated-sub-prefixes \
  create SUB_PREFIX_NAME \
  --range=SUB_PREFIX_RANGE \
  --public-delegated-prefix=PDP_NAME \
  --public-delegated-prefix-region=PDP_REGION

Replace the following:

  • SUB_PREFIX_NAME: a name for the sub-prefix that you are creating.

  • SUB_PREFIX_RANGE: the IP range for the sub-prefix that you are creating.

  • PDP_NAME: the parent public delegated prefix or sub-prefix that contains the sub-prefix you are creating.

  • PDP_REGION: the region of the public delegated prefix or sub-prefix that contains the sub-prefix you are creating.

For more information, see the gcloud compute public-delegated-prefixes delegated-sub-prefixes create reference.

Creating IP addresses

When you create addresses from a public delegated prefix or sub-prefix, you cannot further sub-divide that prefix.

The IP addresses that you create from a public delegated prefix or sub-prefix are static external IP addresses and can be regional or global.

You can list all static external IP addresses. This list includes IP addresses that you have brought to Google Cloud and IP addresses that are provided by Google.

BYOIP addresses are created with names in a consistent format. For example, 203.0.113.144 is assigned the name address-203-0-113-144.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Click the public delegated prefix or sub-prefix that you want to create IP addresses in.

  3. Click Create addresses.

  4. Select the Prefix length.

  5. Select the IP addresses you want to create.

  6. Click Create addresses.

gcloud

Create IP addresses from a public delegated prefix or sub-prefix.

gcloud compute public-delegated-prefixes \
  delegated-sub-prefixes \
  create ADDRESSES_NAME \
  --create-addresses \
  --public-delegated-prefix=PDP_NAME \
  --public-delegated-prefix-region=PDP_REGION

Replace the following:

  • ADDRESSES_NAME: a name for the group of addresses that you are creating.

  • PDP_NAME: the public delegated prefix or sub-prefix that you are creating IP addresses for.

  • PDP_REGION: the region of the public delegated prefix or sub-prefix that you are creating IP addresses for.

For more information, see the gcloud compute public-delegated-prefixes delegated-sub-prefixes create reference.

Listing prefixes

You can list all public advertised prefixes and public delegated prefixes (including sub-prefixes) in a project.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. All public advertised prefixes, public delegated prefixes, and sub-prefixes are displayed.

gcloud

  • To list public advertised prefixes, use this command:

    gcloud compute public-advertised-prefixes list
    

    The output is similar to the following:

    NAME                RANGE           DNS_VERIFICATION_IP  STATUS
    pap-203-0-113-0-24  203.0.113.0/24  203.0.113.0          PTR_CONFIGURED
    
  • To list public delegated prefixes, including sub-prefixes, use this command.

    gcloud compute public-delegated-prefixes list
    

    The output is similar to the following:

    NAME                   LOCATION     PARENT_PREFIX         RANGE            STATUS
    pdp-203-0-113-0-25     global       pap-203-0-113-0-24    203.0.113.0/25   ANNOUNCED
    sub-203-0-113-0-26     global       pdp-203-0-113-0-25    203.0.113.0/26   ANNOUNCED

Deleting a public advertised prefix

You can delete a public advertised prefix if it is not in use. Deletion takes up to four weeks. After the deletion process is started, you cannot make changes to the public delegated prefix.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Select the public advertised prefix that you want to delete, and click Delete prefix.

gcloud

Delete the public advertised prefix.

gcloud compute public-advertised-prefixes delete PAP_NAME \
    [--global]

You can verify that the removal is pending by checking the status of the public advertised prefix. The status is PREFIX_REMOVAL_IN_PROGRESS until the public advertised prefix is deleted.

Deleting a public delegated prefix or sub-prefix

You can delete a public delegated prefix or sub-prefix if all IP addresses in the prefix are not assigned to resources; that is, the IP addresses are unassigned. When you delete a prefix, all associated IP addresses are deleted.

If the parent prefix is a public advertised prefix, deletion takes up to four weeks. After the deletion process is started, you cannot make changes to the public delegated prefix.

If the parent prefix is a public delegated prefix (that is, if the prefix is a sub-prefix), deletion takes place immediately.

When deletion is complete, the IP range from the deleted public delegated prefix is available in the public advertised prefix and can be delegated to a new public delegated prefix.

Console

  1. In the Google Cloud Console, go to Bring your own IP.

  2. Click the public delegated prefix that you want to delete, and click Delete.

gcloud

Use the gcloud compute public-delegated-prefixes delete command to delete a public delegated prefix or a sub-prefix.

gcloud compute public-delegated-prefixes delete PDP_NAME \
    [--global | --region=PDP_REGION] \
    [--project=PROJECT_NAME]

If the prefix was delegated to another project from this project, use the --project flag with the gcloud compute public-delegated-prefixes delete command to specify the project where the prefix is located.

Or you can use this command to delete a sub-prefix that is delegated to another project without having to include that project in the command.

gcloud compute public-delegated-prefixes \
    delegated-sub-prefixes \
    delete SUB_PREFIX_NAME \
    --public-delegated-prefix=PARENT_PDP_NAME \
    [--global-public-delegated-prefix | --public-delegated-prefix-region=PDP_REGION]

Using live migration

Live migration must be carefully planned. See live migration for more information.

Starting prefix advertisement

If you have created all public delegated prefixes with live migration enabled, you can choose when to start advertising the parent public advertised prefix.

When you are ready for Google to announce the public advertised prefix, make one of these configuration changes. Either change causes the public advertised prefix to be advertised to the internet:

  • Configure a resource with a BYOIP address. For example, create a compute instance, Cloud NAT, or Cloud Load Balancing forwarding rule.

  • Create a public delegated prefix within the public advertised prefix without enabling live migration.

If either of these changes is made, the associated public delegated prefix is immediately advertised on Google's network and the entire parent public advertised prefix is advertised to our peers on the internet.

After your live migration is complete, contact your Google Cloud representative so that they can disable live migration for your prefix. By default, live migration is disabled 30 days after you start advertisement of the public advertised prefix. If you need to have the live migration option available for longer than 30 days, contact your Google Cloud representative.

Withdrawing prefix advertisement

If you need to withdraw the advertisement, reconfigure resources so that no resources are using IP addresses from the public advertised prefix IP range. After all IP addresses are unassigned from resources, the public delegated prefixes are withdrawn from Google's network, and the public advertised prefix is withdrawn from the internet.

To withdraw the advertisement of a public advertised prefix, you must ensure the following:

  • All public delegated prefixes within the public advertised prefix are created with live migration enabled.

  • No IP addresses in the range of the public advertised prefix are assigned to resources.
