IP Addresses in Google Cloud Platform

From Luis Gallego Hurtado - Not Another IT guy


IP Addresses

In Google Cloud Platform, you can assign an IP address to certain resources. GCP resources such as Compute Engine VM instances, forwarding rules, GKE containers, and App Engine rely on IP addresses to communicate.

Internal IP Addresses

Internal addresses are visible only within the same VPC network. They are provided by subnets.

Each VM instance has one primary internal IP address, unique within the VPC network, that must belong to the IP range of the subnet. Additionally, each VM instance can have one or more secondary IP addresses.

The DHCP reservation is renewed every 25 hours.

For internal load balancers, you can assign a specific internal IP address, explicitly specify an ephemeral internal IP address, or let GCP assign an ephemeral internal IP address.

Internal IP assignment

  • Auto mode VPC network: the address comes from the region's subnet.
  • Custom mode VPC network: you must specify which subnet the IP comes from.
  • Legacy network: the IP is assigned from the network's global IP range. This can't be done from the console, only via the CLI.

External IP Addresses

Each VM instance has one external IP address, used to communicate with the Internet or with other VPC networks (unless you have a proxy for Internet access, or VPNs connecting the VPC networks).

They are assigned from a pool and are ephemeral (after the VM instance is stopped, they are released).

VM instances don't know their external IP addresses, since those addresses are mapped (1:1 NAT) to the internal IP address.

Instances with external IP addresses can allow connections from hosts outside the project/network:

  1. Users connect directly using the external IP address.
  2. Users connect by name, using an external DNS server (outside GCP) with DNS records pointing to the external IP address.
  3. Admins can also create a zone in Google Cloud DNS, configure the DNS domain to use, and create DNS records pointing to the instance, manually or via the API.

IP release

Internal and external IP addresses can be either static or ephemeral.

  • Static IP addresses are assigned to a project long term, until they are explicitly released, and remain attached to a resource. You are charged for them even after the VM instance is deleted.
  • Ephemeral IP addresses remain attached to a VM instance only until the VM is stopped and restarted or the instance is terminated.

Alias IP Ranges

Using IP aliasing, a user can configure different internal IP addresses for different containers or applications hosted on the same VM, without having to define a separate network interface.

They can be allocated from the subnet's primary CIDR (Classless Inter-Domain Routing) range, or from a secondary range added to the subnet (separating the IPs used by infrastructure/VMs from the IPs used by services).

When alias IP ranges are configured, GCP automatically installs VPC network routes for primary and alias IP ranges for the subnet of the primary network interface.

GCP does not associate alias IP addresses on the primary or secondary interface with the host name.

Alias IP ranges are not supported in the following scenarios (only the primary IP address is supported):

  • Firewall source tags
  • Next-hop IP address in a static route

With VPC peering, both the primary and secondary IP ranges of a subnet are reachable by VM instances in the peered network.

Allocating Alias IP ranges

  • You can allocate alias IP ranges from the subnet's primary CIDR range (even if the subnet was automatically created in an auto mode VPC).
  • You can add a secondary range to the subnet and allocate alias IP ranges from that new secondary range (even if the subnet was automatically created in an auto mode VPC).
  • You can create a new subnet with secondary ranges, create VM instances in the new subnet, and allocate alias IP ranges from any range on that subnet.
  • A VPC network can have up to 7000 alias IP ranges across all VMs.

Multiple Network Interfaces

You can add multiple network interfaces to a VM instance, each attached to a different VPC network. Multiple network interfaces enable a network appliance VM to act as a gateway for securing traffic between different VPC networks, or to and from the Internet.
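As an added example (not code from the original page or from GCP), the following Python script turns the facts above into an inventory check a defender would run: which instances carry an external IP address (and are therefore reachable from outside the project/network), whether each external address is static or ephemeral (ephemeral ones change on stop/start, so DNS records and allowlists drift), which alias IP ranges are in use, and how many interfaces each VM has (multi-NIC VMs are gateway candidates). The input is constructed sample data shaped like the JSON output of `gcloud compute instances list --format=json` and `gcloud compute addresses list --format=json`; the function name `audit` is my own.

```python
import json

# Constructed sample in the shape of `gcloud compute instances list --format=json`
# (only the fields this check reads; real output carries many more).
INSTANCES_JSON = """[
 {"name": "web-1", "networkInterfaces": [
   {"networkIP": "10.0.1.5",
    "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}],
    "aliasIpRanges": [{"ipCidrRange": "10.0.2.0/28", "subnetworkRangeName": "pods"}]}]},
 {"name": "db-1", "networkInterfaces": [{"networkIP": "10.0.1.6"}]},
 {"name": "nat-gw", "networkInterfaces": [
   {"networkIP": "10.0.1.7",
    "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.20"}]},
   {"networkIP": "10.1.0.7"}]}
]"""

# Constructed sample in the shape of `gcloud compute addresses list --format=json`.
# Only reserved (static) addresses are listed there; any address an instance
# uses that does not appear here is ephemeral.
ADDRESSES_JSON = """[
 {"address": "203.0.113.20", "addressType": "EXTERNAL", "status": "IN_USE"}
]"""


def audit(instances_json, addresses_json):
    """Return {instance name: {"external": [(ip, "static"|"ephemeral")],
    "alias_ranges": [cidr], "nics": count}} for every instance."""
    static = {a["address"] for a in json.loads(addresses_json)}
    report = {}
    for inst in json.loads(instances_json):
        entry = {"external": [], "alias_ranges": [], "nics": 0}
        for nic in inst.get("networkInterfaces", []):
            entry["nics"] += 1
            # A 1:1 NAT access config is what gives the VM an external IP.
            for ac in nic.get("accessConfigs", []):
                nat_ip = ac.get("natIP")
                if nat_ip:
                    kind = "static" if nat_ip in static else "ephemeral"
                    entry["external"].append((nat_ip, kind))
            for ar in nic.get("aliasIpRanges", []):
                entry["alias_ranges"].append(ar["ipCidrRange"])
        report[inst["name"]] = entry
    return report


if __name__ == "__main__":
    for name, e in audit(INSTANCES_JSON, ADDRESSES_JSON).items():
        print(name, e)
```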