Use bring your own IP addresses

You can bring your own IP addresses (BYOIP) to Google Cloud. After we validate that you own the IP range, and the IP addresses are imported to Google Cloud, you can assign them to supported resources.

Live migration lets you control when Google starts advertising routes for your prefix. Live migration is not available by default. To request access, contact your Google Cloud customer engineer.

Before you begin

  • Bringing your own IP addresses to Google Cloud requires careful planning. Read Bring your own IP for planning guidance.

  • Consider using an organization, and creating a dedicated project for managing BYOIP addresses. For more information, see Project architecture.

  • Verify that no part of the prefix that you want to import is already publicly advertised. If it is, you must use live migration.

Roles

To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you the Compute Public IP Admin (roles/compute.publicIpAdmin) IAM role on your project. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Limitations

  • It takes up to four weeks to provision a public advertised prefix. Provisioning cannot be accelerated.

  • It takes up to four weeks to provision a public delegated prefix if the prefix has a public advertised prefix parent. Provisioning cannot be accelerated.

    The wait does not apply to sub-prefixes, which are public delegated prefixes with a public delegated prefix parent.

  • Creating global public delegated prefixes is restricted. For more information, see Global public delegated prefixes.

  • Public advertised prefixes can have size /16 to /24.

  • Public delegated prefixes can have size /17 to /28.

  • When you create a public delegated prefix, you cannot configure it with the same prefix size as the parent public advertised prefix. For example, if the public advertised prefix is /24, the public delegated prefix must be /25 or smaller.

  • A public delegated prefix can be sub-delegated up to three times from a public advertised prefix. For more information, see Create sub-prefixes.

  • When you create addresses from a public delegated prefix, the group of addresses can have size /17 to /28. You can't create a smaller group of addresses, for example, a single /32 address.

  • If you use privately used public IP addresses in your VPC network, your imported prefixes must not overlap with these IP addresses. Don't use imported prefixes as privately used public IP addresses.

  • Importing IPv6 addresses is not supported.

  • Live migration is not supported for public delegated prefixes with global scope. For more information, see live migration.

Support for BYOIP addresses

BYOIP addresses are static external IP addresses and can be used with most resources that support static external IP addresses. However, there are some exceptions:

  • Cloud VPN supports using a BYOIP address as the peer IP address of a Classic VPN gateway tunnel. However, you cannot use a BYOIP address as the peer IP address of an HA VPN gateway tunnel.

  • Cloud VPN does not support using a BYOIP address as the external IP address of Classic VPN or HA VPN gateway tunnels.

  • You can create BYOIP addresses in Shared VPC host projects and use the host project IP addresses in the service projects. However, Shared VPC does not support creating BYOIP addresses in service projects.

  • You can use BYOIP addresses to create external forwarding rules used with GKE ingress for external HTTP(S) load balancers. However, Google Kubernetes Engine nodes and Pods don't support BYOIP addresses.

  • Stateful managed instance groups (MIGs) support using BYOIP addresses for configuring static IP addresses on VM creation in a MIG. However, MIGs that automatically allocate IP addresses to VMs don't support BYOIP.

Validate ownership of your prefix

When you create a public advertised prefix, you complete two tasks which together let Google validate that you own this prefix:

  • Creating a Route Origin Authorization (ROA) for your prefix.
  • Creating a PTR record for an IP address in your prefix.

The details of these validation tasks are outlined in the following sections.

After validation is complete, it takes up to four weeks for the public advertised prefix configuration to complete.

Create a ROA request

To prove that you have ownership of a prefix, create a Route Origin Authorization (ROA) request.

Submit a ROA request with your regional registry for the prefix that you want Google to advertise. The request includes the prefix, the prefix length, and Google's ASN: 396982.

When you create the public advertised prefix, the ROA for this prefix must already exist and point to Google's ASN. The ROA must remain in effect for some time after you delete the public advertised prefix. For more information, see Remove a ROA.

We recommend that you submit another ROA request for the same prefix and prefix length but use your own ASN as the origin. If you ever need to advertise the prefix, the ROA with your ASN prevents networks that use Resource Public Key Infrastructure (RPKI) from considering the prefix to be invalid because it is also advertised with Google's origin ASN.
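The effect of the second ROA can be seen by running route origin validation (RFC 6811) over both ROA sets. This is an added example, not code from Google's documentation; the own-ASN value 64500, the ROA sets, and the choice of a maximum length equal to the prefix length are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

GOOGLE_ASN = 396982  # Google's ASN, as given on this page
OWN_ASN = 64500      # constructed: a documentation ASN standing in for your own


class Roa(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def roa(prefix: str, asn: int, max_length: Optional[int] = None) -> Roa:
    """Build a ROA; max_length defaults to the prefix length (assumption)."""
    net = ipaddress.ip_network(prefix)
    return Roa(net, net.prefixlen if max_length is None else max_length, asn)


def origin_validation(roas, route_prefix: str, origin_asn: int) -> str:
    """Return the RFC 6811 state of one announcement: valid, invalid or not-found."""
    route = ipaddress.ip_network(route_prefix)
    covering = [
        r for r in roas
        if r.prefix.version == route.version and route.subnet_of(r.prefix)
    ]
    if not covering:
        return "not-found"  # no ROA covers this route
    for r in covering:
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered, but no ROA authorizes this origin and length


# Constructed ROA sets for the documentation prefix used on this page.
GOOGLE_ONLY = [roa("203.0.113.0/24", GOOGLE_ASN)]
BOTH = GOOGLE_ONLY + [roa("203.0.113.0/24", OWN_ASN)]

if __name__ == "__main__":
    for label, roas in (("Google ROA only", GOOGLE_ONLY), ("Google + own ROA", BOTH)):
        for asn in (GOOGLE_ASN, OWN_ASN):
            state = origin_validation(roas, "203.0.113.0/24", asn)
            print(f"{label:18} origin AS{asn}: {state}")
```

With only the Google ROA in place, an announcement from your own ASN is covered but unauthorized, so RPKI-validating networks treat it as invalid rather than unknown.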

Your local regional internet registry processes ROA requests. For more information, see the link for your location:

  • AFRINIC (Africa)
  • APNIC (Portions of Asia and Oceania)
  • ARIN (North America and some Caribbean Islands)
  • LACNIC (Latin America)
  • RIPE NCC (Europe, Central Asia, Middle East)

Create a public advertised prefix

You can create a public advertised prefix for the prefix that you want to bring to Google.

A public advertised prefix name can't be changed without deleting and recreating the resource. For this reason, we recommend that you create generic names that won't need to change—for example, pap-203-0-113-0-24, where pap denotes the resource type and 203-0-113-0-24 denotes the specific prefix and prefix length.

If you want to use the public advertised prefix to create global public delegated prefixes, see Global public delegated prefixes.

Choose an unused IP address for DNS validation. Verification requires that you configure a new PTR record for this IP address, and you don't know the hostname until after you create the public advertised prefix.

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. Click Add PAP.

  3. For Name, enter a name for the public advertised prefix.

  4. For Description, enter an optional description for the public advertised prefix.

  5. For Prefix, enter the prefix that you want to import.

  6. Click Next.

  7. Review the information that you entered. To confirm that you own this prefix, click Confirm.

  8. For IP address, enter an unused IP address from the prefix that you are adding. This address is used for DNS validation, and in a later step, you must create a PTR record for it that uses a hostname provided by Google.

  9. Click Create. The Validation screen shows you the validation status of this request.

gcloud

Use the public-advertised-prefixes create command.

gcloud compute public-advertised-prefixes create PAP_NAME \
    --range=PAP_IP_RANGE \
    --dns-verification-ip=VERIFICATION_IP_ADDRESS

Replace the following:

  • PAP_NAME: a name for the public advertised prefix that you're creating.

  • PAP_IP_RANGE: an IP range for the public advertised prefix.

  • VERIFICATION_IP_ADDRESS: an unused IP address chosen from the PAP_IP_RANGE. This address is used for DNS validation, and in a later step, you must create a PTR record for it that uses a hostname provided by Google.

For more information, see the gcloud compute public-advertised-prefixes create reference.

Find the name to use for the PTR record

When you create a public advertised prefix, Google generates a name for you to use as a hostname for the PTR validation step.

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. Click Check status for the prefix that you want to update.

  3. The name and IP address to use for PTR validation are displayed in the DNS validation section.

gcloud

  1. To get the name from the sharedSecret field, use the public-advertised-prefixes describe command.

    gcloud compute public-advertised-prefixes describe \
        PAP_NAME --format='value(sharedSecret)'
    
  2. If needed, you can retrieve the IP address you provided for DNS validation.

    gcloud compute public-advertised-prefixes describe \
        PAP_NAME --format='value(dnsVerificationIp)'
    

In both commands, replace PAP_NAME with the name of the public advertised prefix.

Create the PTR record

Create a PTR record with the following values:

  • Hostname: the name (sharedSecret) that Google provided.
  • IP address: the verification IP address that you used when creating the public advertised prefix.

For example, if you are importing prefix 203.0.113.0/24, your verification IP address is 203.0.113.144, and the name provided by Google is 55kk88tt00, the required PTR record would look like this:

$ dig +noall +answer -x 203.0.113.144

144.113.0.203.in-addr.arpa. 21599 IN PTR 55kk88tt00.example.net

If you are using Cloud DNS for this IP address, see add a record.
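A local pre-check of the PTR record, run before you trigger validation, catches the mistakes that otherwise surface as a failed reverse lookup. This is an added example, not part of Google's documentation or tooling; the function names and sample dig output are constructed, and it assumes the PTR target either equals the Google-provided name or starts with it as its first label.

```python
import ipaddress


def parse_ptr_answers(dig_output):
    """Parse `dig +noall +answer -x IP` output into (owner, target) pairs."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()  # owner, TTL, class, type, rdata
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "PTR":
            records.append((fields[0].rstrip(".").lower(), fields[4].rstrip(".").lower()))
    return records


def check_ptr(pap_range, verification_ip, name, dig_output):
    """Return a list of problems; an empty list means the record looks right."""
    problems = []
    ip = ipaddress.ip_address(verification_ip)
    if ip not in ipaddress.ip_network(pap_range):
        problems.append(f"{ip} is not inside {pap_range}")
    owner = ip.reverse_pointer  # for example 144.113.0.203.in-addr.arpa
    wanted = name.rstrip(".").lower()
    targets = [t for o, t in parse_ptr_answers(dig_output) if o == owner]
    if not targets:
        problems.append(f"no PTR record returned for {owner}")
    elif not any(t == wanted or t.startswith(wanted + ".") for t in targets):
        problems.append(f"PTR for {owner} points to {', '.join(targets)}, not {name}")
    return problems


# Constructed dig output lines, using the values from the example on this page.
GOOD_ANSWER = "144.113.0.203.in-addr.arpa. 21599 IN PTR 55kk88tt00.example.net."
STALE_ANSWER = "144.113.0.203.in-addr.arpa. 21599 IN PTR old-host.example.net."

if __name__ == "__main__":
    for answer in (GOOD_ANSWER, STALE_ANSWER, ""):
        result = check_ptr("203.0.113.0/24", "203.0.113.144", "55kk88tt00", answer)
        print(result or "PTR record matches")
```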

Validate the PTR record

After you have created the PTR record, update the public advertised prefix to trigger validation of the PTR record.

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. Click Check status for the prefix that you want to update.

  3. In the DNS validation section, select the I have created this PTR record checkbox and click Validate.

gcloud

To change the status of the public advertised prefix to PTR-CONFIGURED, use the public-advertised-prefixes update command.

The status change triggers validation of the PTR record. If it is successful, the status changes to VALIDATED. If it fails, the status changes to REVERSE_DNS_LOOKUP_FAILED.

gcloud compute public-advertised-prefixes update PAP_NAME --status=PTR-CONFIGURED

Replace PAP_NAME with the public advertised prefix that you have created a PTR record for.

Check the status of a public advertised prefix

It takes up to four weeks for Google to provision the public advertised prefix. You can check the status to see if provisioning is complete.

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. Click Check status for the prefix that you want to check.

  3. View the Validation section.

gcloud

To describe the public advertised prefix and get its status, use the public-advertised-prefixes describe command.

After the prefix is validated, the status field changes from VALIDATED to PREFIX_CONFIGURATION_COMPLETE.

gcloud compute public-advertised-prefixes describe PAP_NAME --format='value(status)'

Replace PAP_NAME with the public advertised prefix that you want to get status information for.

Create public delegated prefixes

You can create public delegated prefixes before the public advertised prefix creation is complete. Both the public advertised prefix and public delegated prefix provisioning processes take up to four weeks.

A public delegated prefix name can't be changed without deleting and recreating the resource. For this reason, we recommend that you create generic names that won't need to change—for example, pdp-203-0-113-0-25, where pdp denotes the resource type and 203-0-113-0-25 denotes the specific prefix and prefix length.

To create a global public delegated prefix, you must use a public advertised prefix that is used for global public delegated prefixes only, and is in a project that has been added to an allowlist for global prefixes. For more information, see Global public delegated prefixes.

If you are using live migration, all public delegated prefixes in a given public advertised prefix must be created with live migration enabled to prevent the public advertised prefix from being advertised. For more information, see live migration. The public delegated prefix must be created with a regional scope. For more information, see live migration recommendations. Make sure your project is enabled for live migration before you create the public delegated prefix.

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. Click the public advertised prefix that you want to delegate.

  3. Click Create PDP.

  4. For Name, enter a name for the public delegated prefix.

  5. For Description, enter an optional description for the public delegated prefix.

  6. Select a Prefix length for the public delegated prefix.

  7. Select IP addresses for the public delegated prefix.

  8. Select a Scope for the public delegated prefix.

  9. Select a Project for the public delegated prefix.

  10. Click Create.

gcloud

To create a public delegated prefix, use the public-delegated-prefixes create command.

The following examples demonstrate how to create a public delegated prefix:

  • To create a public delegated prefix with live migration off, run the following command:

    gcloud compute public-delegated-prefixes create PDP_NAME \
        --public-advertised-prefix=PAP_NAME \
        --range=PDP_IP_RANGE \
        --region=PDP_REGION
    
  • To create a public delegated prefix with live migration on, run the following command:

    gcloud compute public-delegated-prefixes create PDP_NAME \
        --public-advertised-prefix=PAP_NAME \
        --range=PDP_IP_RANGE \
        --enable-live-migration \
        --region=PDP_REGION
    

Replace the following:

  • PDP_NAME: the name to use for the public delegated prefix that you are creating.

  • PAP_NAME: the name of the public advertised prefix to use to create the public delegated prefix.

  • PDP_IP_RANGE: the IP range to use to create the public delegated prefix.

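  • PDP_DESCRIPTION: an optional description for the public delegated prefix. This placeholder does not appear in the preceding commands; to set a description, add the --description=PDP_DESCRIPTION flag.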

  • PDP_REGION: the region where you want to use the public delegated prefix addresses. If you want a global public delegated prefix instead, replace --region=PDP_REGION with --global.

Check the status of a public delegated prefix

It takes up to four weeks for Google to start announcing the prefixes. When the public delegated prefix is first created, the status is INITIALIZING.

The status of the public delegated prefix changes to ANNOUNCED when the configuration is completed.

If the public delegated prefix was created with live migration enabled, the status changes to READY_TO_ANNOUNCE when the configuration is completed. With live migration, the prefix isn't announced until you start prefix advertisement.

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. The Status column displays the status for all public delegated prefixes.

gcloud

To describe the public delegated prefix and get its status, use the public-delegated-prefixes describe command.

gcloud compute public-delegated-prefixes describe PDP_NAME \
    --region=PDP_REGION \
    --format='value(status)'

Replace the following:

  • PDP_NAME: the public delegated prefix or sub-prefix that you want to get information for.

  • PDP_REGION: the region of the public delegated prefix or sub-prefix. For a global public delegated prefix, replace --region=PDP_REGION with --global.

Create sub-prefixes

You can divide a public delegated prefix into smaller IP address ranges by creating a sub-prefix. A sub-prefix is a public delegated prefix that has a public delegated prefix parent.

A sub-prefix name can't be changed without deleting and recreating the resource. For this reason, we recommend that you create generic names that won't need to change—for example, sub-203-0-113-0-28, where sub denotes the resource type and 203-0-113-0-28 denotes the specific prefix and prefix length.

A public delegated prefix can be sub-delegated up to three times from a public advertised prefix. For example, if you have a public advertised prefix with IP address range 203.0.113.0/24, you can do the following:

  • Create a public delegated prefix with IP address range 203.0.113.0/25 from the public advertised prefix.
  • Create a sub-prefix with IP address range 203.0.113.0/26 that has the previous public delegated prefix as its parent.
  • Create a sub-prefix with IP address range 203.0.113.0/27 that has the previous sub-prefix as its parent.

At this point, you cannot create further sub-prefixes that have the 203.0.113.0/27 sub-prefix as a parent.
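The size and depth limits listed under Limitations, together with the sub-delegation chain above, can be checked against a planned hierarchy before any four-week provisioning request is submitted. This is an added example, not Google's tooling; the plan format (name, range, parent, with "pap" naming the public advertised prefix) is an assumption, and it treats every delegated prefix as needing to sit inside its parent and be smaller than it.

```python
import ipaddress

PAP_LEN = range(16, 25)    # public advertised prefix: /16 to /24
PDP_LEN = range(17, 29)    # public delegated prefix or sub-prefix: /17 to /28
MAX_DELEGATION_DEPTH = 3   # PAP -> PDP -> sub-prefix -> sub-prefix


def validate_plan(pap, delegations):
    """Return a list of violations; an empty list means the plan fits the limits.

    delegations is an ordered list of {"name", "range", "parent"} dicts in which
    parents are declared before their children (assumed plan format).
    """
    try:
        pap_net = ipaddress.ip_network(pap)
    except ValueError as exc:
        return [f"pap: {exc}"]
    if pap_net.version != 4:
        return ["pap: importing IPv6 addresses is not supported"]
    errors = []
    if pap_net.prefixlen not in PAP_LEN:
        errors.append(f"pap: /{pap_net.prefixlen} is outside /16 to /24")
    nodes = {"pap": (pap_net, 0)}  # name -> (network, delegation depth)
    for d in delegations:
        name = d["name"]
        try:
            net = ipaddress.ip_network(d["range"])  # rejects host bits set
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            continue
        if net.version != 4:
            errors.append(f"{name}: importing IPv6 addresses is not supported")
            continue
        if d["parent"] not in nodes:
            errors.append(f"{name}: unknown parent {d['parent']}")
            continue
        parent_net, parent_depth = nodes[d["parent"]]
        depth = parent_depth + 1
        if net.prefixlen not in PDP_LEN:
            errors.append(f"{name}: /{net.prefixlen} is outside /17 to /28")
        if not net.subnet_of(parent_net):
            errors.append(f"{name}: {net} is not inside parent {parent_net}")
        elif net.prefixlen == parent_net.prefixlen:
            errors.append(f"{name}: must be smaller than parent {parent_net}")
        if depth > MAX_DELEGATION_DEPTH:
            errors.append(f"{name}: delegation depth {depth} exceeds {MAX_DELEGATION_DEPTH}")
        nodes[name] = (net, depth)
    return errors


# The chain from the example above, written in the assumed plan format.
PAGE_EXAMPLE = [
    {"name": "pdp-203-0-113-0-25", "range": "203.0.113.0/25", "parent": "pap"},
    {"name": "sub-203-0-113-0-26", "range": "203.0.113.0/26", "parent": "pdp-203-0-113-0-25"},
    {"name": "sub-203-0-113-0-27", "range": "203.0.113.0/27", "parent": "sub-203-0-113-0-26"},
]

if __name__ == "__main__":
    too_deep = PAGE_EXAMPLE + [
        {"name": "sub-203-0-113-0-28", "range": "203.0.113.0/28", "parent": "sub-203-0-113-0-27"}
    ]
    print(validate_plan("203.0.113.0/24", PAGE_EXAMPLE))  # no violations
    print(validate_plan("203.0.113.0/24", too_deep))      # fourth delegation rejected
```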

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. Click the public delegated prefix that you want to subdivide.

  3. Click Create sub-prefix.

  4. Enter a Name and optional Description for the sub-prefix.

  5. Select a Prefix length for the sub-prefix.

  6. Select IP addresses for the sub-prefix.

  7. Select a Project for the sub-prefix. The IP addresses are made available in this project only.

  8. Click Create.

gcloud

To create a sub-prefix from a public delegated prefix, use the public-delegated-prefixes delegated-sub-prefixes create command.

gcloud compute public-delegated-prefixes \
    delegated-sub-prefixes \
    create SUB_PREFIX_NAME \
    --range=SUB_PREFIX_RANGE \
    --public-delegated-prefix=PDP_NAME \
    --public-delegated-prefix-region=PDP_REGION \
    --delegatee-project=PROJECT_NAME

Replace the following:

  • SUB_PREFIX_NAME: a name for the sub-prefix that you are creating.

  • SUB_PREFIX_RANGE: the IP address range for the sub-prefix that you are creating.

  • PDP_NAME: the parent public delegated prefix or sub-prefix that contains the sub-prefix you are creating.

  • PDP_REGION: the region of the public delegated prefix or sub-prefix that contains the sub-prefix you are creating.

  • PROJECT_NAME: an optional project name for the sub-prefix. The following describes the behavior for this value:

    • If you specify a value, the IP addresses are available only in the specified project.

    • If you don't use --delegatee-project, the IP addresses are available in the same project as the sub-prefix's parent public delegated prefix or sub-prefix.

Create IP addresses

When you create addresses from a public delegated prefix or sub-prefix, you cannot further sub-divide that prefix.

The IP addresses that you create from a public delegated prefix or sub-prefix are static external IP addresses and can be regional or global. All IP addresses in the public delegated prefix or sub-prefix are made available; there is no reserved network address or broadcast address. For example, if you create IP addresses from a /28 public delegated prefix or sub-prefix, 16 IP address resources are created.

You can list all static external IP addresses. This list includes IP addresses that you have brought to Google Cloud and IP addresses that are provided by Google.

BYOIP addresses are created with names in a consistent format. For example, 203.0.113.144 is assigned the name address-203-0-113-144.

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. Click the public delegated prefix or sub-prefix that you want to create IP addresses in.

  3. Click Create addresses.

  4. Select the Prefix length.

  5. Select the IP addresses you want to create.

  6. Click Create addresses.

gcloud

To create IP addresses from a public delegated prefix or sub-prefix, use the public-delegated-prefixes delegated-sub-prefixes create command.

gcloud compute public-delegated-prefixes \
    delegated-sub-prefixes \
    create ADDRESSES_NAME \
    --create-addresses \
    --public-delegated-prefix=PDP_NAME \
    --public-delegated-prefix-region=PDP_REGION

Replace the following:

  • ADDRESSES_NAME: a name for the group of addresses that you are creating.

  • PDP_NAME: the public delegated prefix or sub-prefix that you are creating IP addresses for.

  • PDP_REGION: the region of the public delegated prefix or sub-prefix that you are creating IP addresses for.

List prefixes

You can list all public advertised prefixes and public delegated prefixes (including sub-prefixes) in a project.

Console

  1. In the Google Cloud console, go to Bring your own IP.

  2. All public advertised prefixes, public delegated prefixes, and sub-prefixes are displayed.

gcloud

  • To list public advertised prefixes, use the public-advertised-prefixes list command.

    gcloud compute public-advertised-prefixes list
    

    The output is similar to the following:

    NAME                RANGE           DNS_VERIFICATION_IP  STATUS
    pap-203-0-113-0-24  203.0.113.0/24  203.0.113.0          PTR_CONFIGURED
    
  • To list public delegated prefixes, including sub-prefixes, use the public-delegated-prefixes list command.

    gcloud compute public-delegated-prefixes list
    

    The output is similar to the following:

    NAME                   LOCATION     PARENT_PREFIX         RANGE            STATUS
    pdp-203-0-113-0-25     global       pap-203-0-113-0-24    203.0.113.0/25   ANNOUNCED
    sub-203-0-113-0-26     global       pdp-203-0-113-0-25    203.0.113.0/26   ANNOUNCED
    

Deprovision BYOIP addresses

When you deprovision BYOIP addresses, complete the steps in the following sections in order.

Delete a public delegated prefix or sub-prefix

You can delete a public delegated prefix or sub-prefix only if none of the IP addresses in the prefix are assigned to resources. When you delete a prefix, all associated IP addresses are deleted.

If the parent prefix is a public advertised prefix, deletion takes up to four weeks. After the deletion process is started, you cannot make changes to the public delegated prefix.

If the parent prefix is a public delegated prefix (that is, if the prefix is a sub-prefix), deletion takes place immediately.

When deletion is complete, the IP range from the deleted public delegated prefix is available in the public advertised prefix and can be delegated to a new public delegated prefix.

Console

  1. In the Google Cloud console, go to the Bring your own IP page.

  2. Click the public delegated prefix that you want to delete, and then click Delete.

gcloud

To delete a public delegated prefix or a sub-prefix, use the public-delegated-prefixes delete command.

gcloud compute public-delegated-prefixes delete PDP_NAME \
    --region=PDP_REGION

To delete a global public delegated prefix or sub-prefix, replace --region=PDP_REGION with --global.

If the prefix was delegated to another project from this project, use the --project=PROJECT_NAME flag with the public-delegated-prefixes delete command to specify the project where the prefix is located.

Alternatively, you can use the following command to delete a sub-prefix that is delegated to another project without having to include that project in the command.

gcloud compute public-delegated-prefixes \
    delegated-sub-prefixes \
    delete SUB_PREFIX_NAME \
    --public-delegated-prefix=PARENT_PDP_NAME \
    --public-delegated-prefix-region=PDP_REGION

To delete a global public delegated prefix or sub-prefix, replace --public-delegated-prefix-region=PDP_REGION with --global-public-delegated-prefix.

Delete a public advertised prefix

You can delete a public advertised prefix if it is not in use. Deletion takes up to four weeks. After the deletion process is started, you cannot make changes to the public advertised prefix.

Console

  1. In the Google Cloud console, go to the Bring your own IP page.

  2. Select the public advertised prefix that you want to delete, and then click Delete prefix.

gcloud

To delete a public advertised prefix, use the public-advertised-prefixes delete command.

gcloud compute public-advertised-prefixes delete PAP_NAME

You can verify that the removal is pending by checking the status of the public advertised prefix. The status is PREFIX_REMOVAL_IN_PROGRESS until the public advertised prefix is deleted.

Remove a ROA

After you successfully delete a public advertised prefix, you don't need to remove the ROA that points to Google's ASN. If you want to remove this ROA, you must wait 14 days after deleting the public advertised prefix before you remove the ROA. This waiting period gives Google Cloud time to update configurations in order to stop advertising your IP address range.

Use live migration

Live migration must be carefully planned. See live migration for more information.

Start prefix advertisement

If you have created all public delegated prefixes with live migration enabled, you can choose when to start advertising the parent public advertised prefix.

When you are ready for Google to announce the public advertised prefix, make one of these configuration changes. Either change causes the public advertised prefix to be advertised to the internet:

  • Configure a resource with a BYOIP address. For example, create a compute instance, Cloud NAT, or Cloud Load Balancing forwarding rule.

  • Create a public delegated prefix within the public advertised prefix without enabling live migration.

If either of these changes is made, the associated public delegated prefix is immediately advertised on Google's network and the entire parent public advertised prefix is advertised to our peers on the internet.

After your live migration is complete, contact your Google Cloud customer engineer so that they can disable live migration for your prefix. By default, live migration is disabled 30 days after you start advertisement of the public advertised prefix. If you need to have the live migration option available for longer than 30 days, contact your customer engineer.

Withdraw prefix advertisement

If you need to withdraw the advertisement, reconfigure resources so that no resources are using IP addresses from the public advertised prefix IP range. After all IP addresses are unassigned from resources, the public delegated prefixes are withdrawn from Google's network, and the public advertised prefix is withdrawn from the internet.

To withdraw the advertisement of a public advertised prefix, you must ensure the following:

  • All public delegated prefixes within the public advertised prefix are created with live migration enabled.

  • No IP addresses in the range of the public advertised prefix are assigned to resources.
