Troubleshooting common networking issues
Troubleshoot network latency issues
For information about the ways you can improve connection latency between processes within Google Cloud and decrease the latency of TCP connections, see TCP optimization for network performance in Google Cloud and hybrid scenarios.
Troubleshooting dropped network traffic
Compute Engine only allows network traffic that is explicitly permitted by your project's firewall rules to reach your instance. By default, all projects automatically come with a default network that allows certain kinds of connections. If you deny all traffic, by default, that also denies SSH connections and all internal traffic. For more information, see the Firewall rules page.
In addition, you may need to adjust TCP keep-alive settings to work around the default idle connection timeout of 10 minutes. For more information, see Communicating between your instances and the internet.
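As an added example (not part of the original page), the following Python sketch enables keep-alive on a single socket so that the first probe is sent well inside the 10-minute idle timeout, and shows why the Linux default idle time of 7200 seconds does not help. The 60-second values, the safety margin, and the function names are assumptions chosen for illustration; the socket option names are the Linux ones.

```python
import socket

# The 10-minute idle connection timeout stated on this page, in seconds.
IDLE_TIMEOUT_S = 600


def beats_idle_timeout(keepalive_idle_s, timeout_s=IDLE_TIMEOUT_S, margin_s=60):
    """True if the first probe is sent before the idle timeout expires.

    margin_s is an assumed safety margin, not a documented value.
    """
    return 0 < keepalive_idle_s <= timeout_s - margin_s


def enable_keepalive(sock, idle_s=60, interval_s=60, probes=5):
    """Enable TCP keep-alive on one socket and return the values read back."""
    if not beats_idle_timeout(idle_s):
        raise ValueError(f"idle_s={idle_s} would not beat the {IDLE_TIMEOUT_S}s timeout")
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are the Linux option names.
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return {
        "enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0,
        "idle_s": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "interval_s": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def demo():
    """Configure an unconnected socket; no network traffic is generated."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return enable_keepalive(s)


if __name__ == "__main__":
    print("Linux default 7200s beats timeout:", beats_idle_timeout(7200))
    print("configured:", demo())
```
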
Troubleshooting firewall rules or routes on an instance
The Google Cloud console provides network details for each network interface of an instance. You can view all of the firewall rules or routes that apply to an interface, or you can view just the rules and routes that the interface uses. Either view can help you troubleshoot which firewall rules and routes apply to the instance and which ones are actually being used (where priority and processing order override other rules or routes).
For more information, see the troubleshooting information in the Virtual Private Cloud documentation:
Troubleshooting protocol forwarding for private forwarding rules
Use the following sections to resolve common issues related to protocol forwarding for private forwarding rules.
Regional restriction
Protocol forwarding for private forwarding rules is a regional product. All clients and target instance VMs must be in the same region.
Error message: "An internal target instance can only be the target of one forwarding rule"
If you see the error message "An internal target instance can only be the target of one forwarding rule", you might be trying to configure two forwarding rules pointing to the same target instance. You cannot point multiple forwarding rules to the same target instance.
Troubleshooting latency on Compute Engine instances when processing high packet rates
If your VM experiences latency, dropped packets, or packet retransmissions when processing high packet rates, your VM might not have enough receive queues (RX) or transmit queues (TX) on the network interface (NIC) processing those packets.
To resolve these issues, see Receive and transmit queues for information about how Compute Engine allocates RX and TX queues.
Troubleshooting custom NIC queue oversubscription
With queue oversubscription, the maximum queue count for the VM is:
[maximum queue count per VM] * [number of NICs]
However, you must satisfy the conditions specified in Custom queue allocation. For example, if you didn't specify a custom queue count for one of the NICs configured for the VM, you get an error similar to the following:
ERROR: (gcloud.compute.instances.create) Could not fetch resource: - Invalid value for field 'resource.networkInterfaces': ''. The total networking queue number is more than the number of vCPUs. Please specify the queue count for all of the interfaces.
Projects migrated to zonal DNS but VMs in new project are using global DNS
If you completed the migration of your existing projects from using global DNS to using zonal DNS, but discover that VMs in a newly created project have global DNS names, you didn't enforce the boolean organization policy constraints/compute.setNewProjectDefaultToZonalDNSOnly at an organization or folder level. This policy overrides the default DNS setting, so that newly created projects use internal zonal DNS by default.
For instructions on enforcing this policy, see Enforce zonal DNS only by default for new projects.
If you aren't using an organization policy, but instead use the metadata entry VmDnsSetting=ZonalOnly for projects or VMs, check the metadata value for the VM. If the VM has VmDnsSetting=GlobalDefault configured in its metadata, this value overrides the metadata value set at the project level.
For information about how to set project metadata or VM metadata values, see Setting custom metadata.
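The metadata precedence described above can be checked across a project with a short script. The following Python sketch is an added example, not part of the original page: it resolves the effective VmDnsSetting for each VM and lists the VMs whose own metadata overrides the project value with GlobalDefault. The project name, VM names, and sample JSON are constructed, and the input is assumed to follow the JSON shape of `gcloud compute project-info describe` and `gcloud compute instances list` run with `--format=json`.

```python
import json

DNS_KEY = "VmDnsSetting"

# Constructed sample data (not real output), shaped like the JSON from
# `gcloud compute project-info describe` and `gcloud compute instances list`.
PROJECT_JSON = """{"name": "example-project",
 "commonInstanceMetadata": {"items": [{"key": "VmDnsSetting", "value": "ZonalOnly"}]}}"""
INSTANCES_JSON = """[
 {"name": "web-1", "metadata": {"items": [{"key": "team", "value": "web"}]}},
 {"name": "batch-2", "metadata": {"items": [{"key": "VmDnsSetting", "value": "GlobalDefault"}]}},
 {"name": "db-3", "metadata": {"items": [{"key": "VmDnsSetting", "value": "ZonalOnly"}]}},
 {"name": "tmp-4", "metadata": {}}
]"""


def _lookup(metadata, key):
    """Return the value for key in a metadata block, or None if absent."""
    for item in (metadata or {}).get("items") or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def effective_setting(project, instance):
    """Return (value, source); VM metadata wins over project metadata."""
    vm_value = _lookup(instance.get("metadata"), DNS_KEY)
    if vm_value is not None:
        return vm_value, "vm"
    project_value = _lookup(project.get("commonInstanceMetadata"), DNS_KEY)
    if project_value is not None:
        return project_value, "project"
    return None, "unset"


def audit(project, instances):
    """Map each VM name to its effective setting and list global overrides."""
    report = {vm["name"]: effective_setting(project, vm) for vm in instances}
    overrides = sorted(n for n, (v, src) in report.items()
                       if src == "vm" and v == "GlobalDefault")
    return report, overrides


if __name__ == "__main__":
    report, overrides = audit(json.loads(PROJECT_JSON), json.loads(INSTANCES_JSON))
    for name, (value, source) in report.items():
        print(f"{name}: {value} (from {source})")
    print("VMs overriding the project setting:", overrides)
```
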
Hide the zonal DNS migration banner in the Google Cloud console
The zonal DNS migration notification banner provides assistance in migrating your projects to zonal DNS. If you dismiss the banner, but want it to appear again, you must contact Cloud Customer Care for assistance.
To hide the zonal DNS migration notification banner, click the Dismiss button in the banner that appears on the VM instances page of the Google Cloud console. If you click the button, the banner no longer appears for the project.
Last updated 2026-02-12 UTC.