Networking overview for VMs

This document provides an overview of the networking functionality of your virtual machine (VM) instances. It provides a basic foundational understanding of how your VM instances interact with Virtual Private Cloud (VPC) networks. For more information about VPC networks and related features, read the VPC network overview.

Networks and subnets

Every VM is part of a VPC network. VPC networks provide connectivity for your VM instance to other Google Cloud products and to the internet. VPC networks can be auto mode or custom mode.

  • Auto mode VPC networks have one subnetwork (subnet) in each region. All subnets are contained within this IP address range: 10.128.0.0/9. Auto mode VPC networks support only IPv4 subnet ranges.
  • Custom mode networks don't have a specified subnet configuration; you decide which subnets to create in regions that you choose by using IP ranges that you specify. Custom mode networks also support IPv6 subnet ranges.

Unless you choose to disable it, each project has a default network, which is an auto mode VPC network. You can disable the creation of default networks by creating an organization policy.

Each subnet in a VPC network is associated with a region and contains one or more IP address ranges. You can create more than one subnet per region. Each of the network interfaces for your VM must be connected to a subnet.

When you create a VM, you can specify a VPC network and subnet. If you omit this configuration, the default network and subnet are used. Google Cloud assigns an internal IPv4 address to the new VM from the primary IPv4 address range of the selected subnet. If the subnet also has an IPv6 address range (referred to as dual-stack), or if you created an IPv6-only subnet, you can assign an IPv6 address to the VM.

For more information on VPC networks, read the VPC network overview. For an illustrated example of VMs using a VPC network with three subnets in two regions, see VPC network example.

Network interface controllers (NICs)

Every compute instance in a VPC network has a default virtual network interface (vNIC). When you configure a vNIC, you select a VPC network and a subnet within that VPC network to connect the interface to. You can create additional network interfaces for your instances.

Multiple network interfaces enable you to create configurations in which an instance connects directly to several VPC networks. Multiple network interfaces are useful when applications running in an instance require traffic separation, such as separation of data plane traffic from management plane traffic. For more information about using multiple network interfaces, see Multiple network interfaces.

Multiple vNICs aren't supported with bare metal instances. Additionally, you can only add vNICs to an instance during instance creation. With Dynamic Network Interfaces, you can create VLAN-based network subinterfaces for each exposed vNIC, which lets you scale the number of network interfaces and VPC network connections. You can add or remove Dynamic Network Interfaces without having to restart or recreate the compute instance. For more information about Dynamic NIC, see Create VMs with multiple network interfaces.

When you configure the vNIC for a compute instance, you can specify the type of network driver to use with the interface.

  • For first and second generation machine series, the default is VirtIO.
  • Third generation and newer machine series are configured to use gVNIC by default and don't support VirtIO for the network interface.
  • Bare metal instances use IDPF.
  • With supported machine series, such as H4D, instances can optionally use Cloud RDMA (IRDMA). The remote direct memory access (RDMA) network driver enables low-latency, reliable messaging capabilities for Compute Engine instances. Cloud RDMA transfers data between remote machines and local memory through the network interface without using the host CPU or intermediate host buffers.

Additionally, you can choose to use per VM Tier_1 networking performance with a compute instance that uses gVNIC or IDPF. Tier_1 networking enables higher network throughput limits for both inbound and outbound data transfers.

Network bandwidth

Google Cloud accounts for bandwidth per VM instance, not per network interface (NIC) or IP address. Bandwidth is measured using two dimensions: traffic direction (ingress and egress) and type of destination IP address. The maximum possible egress rate is determined by the machine type that was used to create the instance; however, you can only achieve that maximum possible egress rate in specific situations. For more information, see Network bandwidth.

To support higher network bandwidths—such as 200 Gbps for third generation and later machine series—Google Virtual NIC (gVNIC) is required.

  • Standard maximum egress bandwidth limits range from 1 Gbps to 100 Gbps.
  • The per VM Tier_1 networking performance increases the maximum egress bandwidth limit to 200 Gbps, depending on the size and machine type of your compute instance.

Some machine series have different limits, as documented in the Bandwidth summary table.

If using both gVNIC and IRDMA network interfaces for an instance, the network bandwidth limit for the instance is shared between the two network communication methods. Cloud RDMA traffic has priority over gVNIC traffic.

IP addresses

Each VM is assigned an IP address from the subnet associated with the network interface. The following list provides additional information about the requirements for configuring IP addresses.

  • For IPv4-only subnets, the IP address is an internal IPv4 address. You can optionally configure an external IPv4 address for the VM.
  • If the network interface connects to a dual-stack subnet that has an IPv6 range, you must use a custom mode VPC network. The VM has the following IP addresses:
    • An internal IPv4 address. You can optionally configure an external IPv4 address for the VM.
    • Either an internal or external IPv6 address, depending on the access type of the subnet.
  • For IPv6-only subnets, you must use a custom mode VPC network. The VM has either an internal or external IPv6 address, depending on the access type of the subnet.
  • To create an IPv6-only instance with both an internal and external IPv6 address, you must specify two network interfaces when creating the VM. You can't add network interfaces to an existing instance.

Both external and internal IP addresses can be either ephemeral or static.

Internal IP addresses are local to one of the following:

  • A VPC network
  • A VPC network connected using VPC Network Peering
  • An on-premises network connected to a VPC network using Cloud VPN, Cloud Interconnect, or a Router appliance

An instance can communicate with instances on the same VPC network, or a connected network as specified in the preceding list, using the VM's internal IPv4 address. If the VM network interface connects to a dual-stack subnet or to an IPv6-only subnet, you can use either the VM's internal or external IPv6 addresses to communicate with other instances on the same network. As a best practice, use internal IPv6 addresses for internal communication. For more information about IP addresses, read the IP addresses overview for Compute Engine.

To communicate with the internet or external systems, use an external IPv4 or external IPv6 address configured on the VM instance. External IP addresses are publicly routable IP addresses. If an instance doesn't have an external IP address, Cloud NAT can be used for IPv4 traffic.

If you have multiple services running on a single VM instance, you can give each service a different internal IPv4 address by using alias IP ranges. The VPC network forwards packets that are destined to a particular service to the corresponding VM. For more information, see alias IP ranges.

Network Service Tiers

Network Service Tiers lets you optimize connectivity between systems on the internet and your Compute Engine instances. Premium Tier delivers traffic on Google's premium backbone, while Standard Tier uses regular ISP networks. Use Premium Tier to optimize for performance, and use Standard Tier to optimize for cost.

Because you choose a network tier at the resource level—such as the external IP address for a VM—you can use Standard Tier for some resources and Premium Tier for others. If you don't specify a tier, Premium Tier is used.

Compute instances that use internal IP addresses to communicate within VPC networks always use the Premium Tier networking infrastructure.

When using either Premium Tier or Standard Tier, there is no charge for inbound data transfer. Outbound data transfer pricing is per GiB delivered, and is different for each of the Network Service Tiers. For information about pricing, see Network Service Tiers pricing.

Network Service Tiers aren't the same as per VM Tier_1 networking performance, which is a configuration option you can choose to use with your compute instances. There is an extra cost associated with using Tier_1 networking, as described in Tier_1 higher bandwidth network pricing. For more information about Tier_1 networking, see Configure per VM Tier_1 networking performance.

Premium tier

Premium Tier delivers traffic from external systems to Google Cloud resources by using Google's low latency, highly reliable global network. This network is designed to tolerate multiple failures and disruptions while still delivering traffic. Premium Tier is ideal for customers with users in multiple locations worldwide who need the best network performance and reliability.

The Premium Tier network consists of an extensive private fiber network with over 100 points of presence (PoPs) around the globe. Within Google's network, traffic entering at a PoP is routed from that PoP to the compute instance in your VPC network. Outbound traffic is sent through Google's network, exiting at the PoP that is closest to its destination. This routing method minimizes congestion and maximizes performance by reducing the number of hops between end users and the PoPs that are closest to them.

Standard tier

The Standard Tier network delivers traffic from external systems to Google Cloud resources by routing it over the internet. Packets that leave Google's network are delivered using the public internet and are subject to the reliability of intervening transit providers and ISPs. Standard Tier provides network quality and reliability comparable to that of other cloud providers.

Standard Tier is priced lower than Premium Tier because traffic from systems on the internet is routed over transit (ISP) networks before being sent to compute instances in your VPC network. Standard Tier outbound traffic normally exits Google's network from the same region used by the sending compute instance, regardless of its destination.

Standard Tier includes 200 GB of free usage per month in each region that you use across all of your projects, on a per resource basis.

Internal Domain Name System (DNS) names

When you create a virtual machine (VM) instance, Google Cloud creates an internal DNS name from the VM name. Unless you specify a custom hostname, Google Cloud uses the automatically created internal DNS name as the hostname it provides to the VM.

For communication between VMs in the same VPC network, you can specify the fully qualified DNS name (FQDN) of the target instance instead of using its internal IP address. Google Cloud automatically resolves the FQDN to the internal IP address of the instance.

For more information about fully qualified domain names (FQDN), see Zonal and global internal DNS names.

Routes

Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside your VPC network (for example, in another VM) or outside it. The routing table for a VPC network is defined at the VPC network level. Each VM instance has a controller that is kept informed of all applicable routes from the network's routing table. Each packet leaving a VM is delivered to the appropriate next hop of an applicable route based on a routing order.

Subnet routes define paths to resources like VMs and internal load balancers in a VPC network. Each subnet has at least one subnet route whose destination matches the primary IP range of the subnet. Subnet routes always have the most specific destinations. They cannot be overridden by other routes, even if another route has a higher priority. This is because Google Cloud considers destination specificity before priority when selecting a route. For more information about subnet IP ranges, see the subnets overview.
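The routing order described above, specificity before priority and subnet routes never overridden, as an added model (not Google Cloud's own code): a constructed routing table in which a broad custom route to on-prem carries a lower priority number than the subnet route, yet traffic for the subnet still takes the subnet route. Route names, next hops and the subnet route's priority value are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str        # destination range in CIDR notation
    priority: int    # lower number = higher priority, as in Google Cloud
    next_hop: str    # constructed label for the next hop
    is_subnet: bool  # True for a subnet route (always most specific, never overridden)


# Constructed routing table: a subnet route, a broader custom route to on-prem with a
# "better" (lower) priority number, and two default routes that differ only in priority.
ROUTES = [
    Route("subnet-route-a", "10.1.0.0/24", 1000, "subnet 10.1.0.0/24", True),
    Route("to-onprem-vpn", "10.0.0.0/8", 100, "vpn-tunnel", False),
    Route("default-internet", "0.0.0.0/0", 1000, "default-internet-gateway", False),
    Route("via-nat-appliance", "0.0.0.0/0", 900, "nat-appliance-vm", False),
]


def select_route(routes, dst_ip):
    """Pick the route a packet to dst_ip would use, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    matching = []
    for r in routes:
        net = ipaddress.ip_network(r.dest)
        if net.version == ip.version and ip in net:
            matching.append((net.prefixlen, r))
    if not matching:
        return None
    # Longest prefix (most specific destination) first; a subnet route beats any
    # other route of the same length; only then does the priority number decide.
    _, best = min(matching, key=lambda m: (-m[0], 0 if m[1].is_subnet else 1, m[1].priority))
    return best


if __name__ == "__main__":
    for dst in ("10.1.0.5", "10.2.0.5", "8.8.8.8"):
        r = select_route(ROUTES, dst)
        print(f"{dst:>10} -> {r.name} (next hop: {r.next_hop})")
```

A packet to 10.1.0.5 uses subnet-route-a even though to-onprem-vpn has priority 100; only traffic outside the subnet's range (10.2.0.5) reaches the VPN route, and the two default routes are separated by priority alone.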

Forwarding rules

While routes govern traffic leaving an instance, forwarding rules direct traffic to a Google Cloud resource in a VPC network based on IP address, protocol, and port. Some forwarding rules direct traffic from outside of Google Cloud to a destination in the network; other rules direct traffic from inside the network.

You can configure forwarding rules for your instances to implement virtual hosting by IPs, Cloud VPN, private virtual IPs (VIPs), and load balancing. For more information about forwarding rules, see Using protocol forwarding.

Firewall rules

VPC firewall rules let you allow or deny connections to or from your VM based on a configuration that you specify. Google Cloud always enforces enabled VPC firewall rules, protecting your VMs regardless of their configuration and operating system, even if the VM has not started.

By default, every VPC network has incoming (ingress) and outgoing (egress) firewall rules that block all incoming connections and allow all outgoing connections. The default network has additional firewall rules, including the default-allow-internal rule, which permits communication among instances in the network. If you are not using the default network, you must explicitly create higher priority ingress firewall rules to allow instances to communicate with one another.

Every VPC network functions as a distributed firewall. Firewall rules are defined at the VPC level, and can apply to all instances in the network, or you can use target tags or target service accounts to apply rules to specific instances. You can think of the VPC firewall rules as existing not only between your instances and other networks, but also between individual instances within the same VPC network.

Hierarchical firewall policies let you create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders. These policies contain rules that can explicitly deny or allow connections, the same as VPC firewall rules. In addition, hierarchical firewall policy rules can delegate evaluation to lower-level policies or VPC firewall rules with a goto_next action. Lower-level rules can't override a rule from a higher place in the resource hierarchy. This lets organization-wide administrators manage critical firewall rules in one place.
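The VPC firewall behaviour described above (implied deny-all ingress and allow-all egress, the default network's default-allow-internal rule, and target tags scoping a rule to particular instances), as an added evaluator that is not Google Cloud's own code. The implied rules at priority 65535 and default-allow-internal at priority 65534 with source range 10.128.0.0/9 are real defaults; the allow-web-tcp rule, the peer addresses and the "web" tag are constructed, and ports are left out of the model for brevity.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str                         # "INGRESS" or "EGRESS"
    priority: int                          # 0-65535; lower numbers are evaluated first
    action: str                            # "ALLOW" or "DENY"
    cidr: str                              # source range (ingress) or destination range (egress)
    protocols: frozenset                   # e.g. {"tcp", "icmp"}; {"all"} matches any protocol
    target_tags: frozenset = frozenset()   # empty = applies to every instance in the network


# Implied rules present in every VPC network at the lowest priority (65535):
# deny all ingress, allow all egress.
IMPLIED_RULES = [
    FirewallRule("implied-deny-ingress", "INGRESS", 65535, "DENY", "0.0.0.0/0", frozenset({"all"})),
    FirewallRule("implied-allow-egress", "EGRESS", 65535, "ALLOW", "0.0.0.0/0", frozenset({"all"})),
]

# The default network's pre-populated default-allow-internal rule (10.128.0.0/9 is the range
# that auto mode subnets are drawn from). A custom mode network starts with none of these.
DEFAULT_NETWORK_RULES = [
    FirewallRule("default-allow-internal", "INGRESS", 65534, "ALLOW", "10.128.0.0/9",
                 frozenset({"tcp", "udp", "icmp"})),
]

# Constructed rule for a custom network: only instances tagged "web" accept TCP from anywhere.
CUSTOM_NETWORK_RULES = [
    FirewallRule("allow-web-tcp", "INGRESS", 1000, "ALLOW", "0.0.0.0/0",
                 frozenset({"tcp"}), frozenset({"web"})),
]


def evaluate(network_rules, direction, peer_ip, protocol, instance_tags=frozenset()):
    """Return (action, rule_name) for one connection seen by an instance with instance_tags."""
    peer = ipaddress.ip_address(peer_ip)
    candidates = [
        r for r in list(network_rules) + IMPLIED_RULES
        if r.direction == direction
        and (not r.target_tags or r.target_tags & instance_tags)
        and peer in ipaddress.ip_network(r.cidr)
        and ("all" in r.protocols or protocol in r.protocols)
    ]
    # Lowest priority number wins; at equal priority a DENY beats an ALLOW
    # (Google Cloud's documented tie-break, which this page does not mention).
    best = min(candidates, key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    return best.action, best.name
```

With no network rules at all, internal traffic from 10.128.0.2 falls through to implied-deny-ingress, which is exactly why a custom network needs explicit higher-priority ingress rules; an untagged instance in the custom network is likewise denied even though allow-web-tcp exists.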

Managed instance groups and networking configurations

If you use managed instance groups (MIGs), the network configuration you specify on the instance template applies across all VMs created with the template. If you create an instance template in an auto mode VPC network, Google Cloud automatically selects the subnet for the region where you created the managed instance group.

For more information, see Networks and subnets and Create instance templates.


Last updated 2026-02-19 UTC.