IP addresses
Many Google Cloud resources can have internal IP addresses andexternal IP addresses. For example, you can assign an internal and external IPaddress to Compute Engine instances. The instances usethese addresses to communicate with other Google Cloud resources and externalsystems.
Each network interface of an instance can have the following IP addressesassigned according to its stack type:
| Interface stack type | IP addresses |
|---|---|
| IPv4-only |
|
| Dual-stack (IPv4 and IPv6) |
|
| IPv6-only |
|
An instance can communicate with instances on the sameVirtual Private Cloud (VPC) network by using the instance's internal IPv4 address,internal IPv6 address, or external IPv6 address. As a best practice, useinternal IPv6 addresses for internal communication.
To communicate with the internet, you can use an external IPaddress configured on the instance. If no external IP address is configured onthe instance, Cloud NAT can be used for IPv4 traffic.
Similarly, you must use the instance's external IP address to connectto instances outside of the same VPC network. However, if thenetworks are connected in some way, such as by usingVPC Network Peering, you can use the instance'sinternal IP address.
For information about identifying the internal and external IP address for yourinstances, seeView the network configuration for an instance.
Internal IP addresses
The network interfaces for an instance are assigned IP addresses from the subnetthat they are connected to. Network interfaces with IPv4 addresses have oneprimary internal IPv4 address, which is assigned from the subnet's primary IPv4range. Network interfaces with internal IPv6 addresses have one/96 IPv6address range, which is assigned from the subnet's internal/64 IPv6 range.
Internal IPv4 addresses can be assigned in the following ways:
- Compute Engine automatically assigns a single IPv4 address fromthe primaryIPv4 subnet ranges.
- You assign a specific internal IPv4 address when you create a computeinstance, either by using a reserved static internal IPv4 address or byspecifying a custom ephemeral internal IPv4 address.
Internal IPv6 addresses can be assigned to instances that are connected to asubnet that has an internal IPv6 range in the following ways:
- When youconfigure an internal IPv6 address on an instance's vNIC,Compute Engine automatically assigns a single
/96range of IPv6addresses from thesubnet's internal IPv6 range. - You assign a specific internal IPv6 address when you create aninstance, either by using a reserved static internal IPv6 address or byspecifying a custom ephemeral internal IPv6 address.
You can alsoreserve a static internal addressfrom the subnet's IPv4 or IPv6 range and later assign it to an instance.
Compute instances can also havealias IP addresses and ranges. If you have morethan one service running on an instance, you can assign each service its ownunique IP address.
Internal DNS names
Google Cloud automatically resolves the fully qualified DNS name (FQDN) ofan instance to the internal IP addresses of the instance. Internal DNS nameswork only within the instance's VPC network.
For more information about fully qualified domain names (FQDN), seeInternal DNS.
External IP addresses
If you need to communicate with the internet or with resources in anotherVPC network, you can assign an external IPv4 or IPv6 address toan instance. Iffirewall rulesorhierarchical firewall policies allow theconnection, sources from outside a VPC network can reach aspecific resource using its external IP address. Only resources with an externalIP address can directly communicate with resources outside of theVPC network. Communicating with a resource using an external IPaddress can causeadditional billed charges.
External IPv4 addresses can be assigned in the following ways:
- Compute Engine automatically assigns an IPv4 addressfrom Google's ranges of external IPv4 addresses.
You assign a specific external IPv4 address when you create aninstance by using a reserved static external IPv4 address.
For more information, seeWhere can I find Compute Engine IP ranges.
External IPv6 addresses can be assigned to instances that are connected to asubnet that has an external IPv6 range in the following ways:
- When youconfigure an external IPv6 address on an instance's vNIC,Compute Engine automatically assigns a single
/96range of IPv6addresses from thesubnet's external IPv6 range. - You assign a specific external IPv6 address when you create aninstance, either by using areserved static external IPv6 addressor by specifying a custom ephemeral external IPv6 address.
Alternatives to using an external IP address
Internal, or private, IP addresses provide a number of advantages over external,or public, IP addresses, including:
- Reduced attack surface. Removing external IP addresses from computeinstances makes it more difficult for attackers to reach the instances andexploit potential vulnerabilities.
- Increased flexibility. Introducing a layer of abstraction, such as aload balancer or a NAT service, allows more reliable and flexible servicedelivery when compared with static, external IP addresses.
The following table summarizes the ways that compute instancescan access or be accessed from the internet when they don't have an externalIP address.
| Access method | Solution | Best used when |
|---|---|---|
| Interactive | Configure TCP forwarding for Identity-Aware Proxy (IAP) | You want to use administrative services like SSH and RDP to connect to your backend instances, but the requests must pass authentication and authorization checks before they get to their target resource. |
| Fetching | Cloud NAT gateway | You want your Compute Engine instances that don't have external IP addresses to connect to the internet (outbound), but hosts outside of your VPC network can't initiate their own connections to your compute instances (inbound). You might use this approach for OS updates or external APIs. |
| Secure Web Proxy | You need to isolate your Compute Engine instances from the Internet by creating new TCP connections on their behalf, while adhering to the administered security policy. | |
| Serving | Create an external load balancer | You want clients to connect to resources without external IP addresses anywhere in Google Cloud while protecting your compute instances from DDoS attacks and direct attacks. |
Regional and global IP addresses
When you list or describe IP addresses in your project, Google Cloudlabels addresses as global or regional, which indicates how a particular addressis being used. When you associate an address with a regional resource, such asan instance, Google Cloud labels the address as regional.Regions are Google Cloudregions, such asus-east4 oreurope-west2.
Global IP addresses are used in the following configurations:
- Global internal IP addresses:Access Google APIs through endpointsorprivate services access
- Global external IP addresses:External proxy Network Load BalancersandExternal Application Load Balancers using aPremium tier network
For instructions on how to create a global IP address, seeReserve a new static external IP address.
Overview of the SLA for Compute Engine networking
Compute Engine has aService Level Agreement (SLA), whichdefines service level objectives (SLOs) for the monthly uptime percentage fornetwork service tiers.
When you create a Compute Engine instance, by default you get aninternal IP address. You can additionally configure an external IP addresswith either Premium Tier (default) or Standard Tier networking. Which networkservice tier you choose depends on your cost and quality of servicerequirements. Each network service tier has a different SLO.
When you create the compute instance, you can configure multiple NICs attachedto the instance, and each NIC can have a different network configuration, asshown in the following diagram:
Figure 1. An instance with three NICs, each of which handles differentnetwork traffic with different network service tiers.
In the preceding diagram, the example instance namedVM appliance has threeNICs, which are configured as follows:
nic0is configured with an internal IP subnet.nic1is configured with an external IP subnet and uses the Standardnetworking tier.nic2is configured with an external IP subnet and uses the Premiumnetworking tier.
In this example, the VM instance is not a memory-optimized VM. Depending onwhich NIC suffers a connectivity loss, different SLOs are applicable. Thefollowing list describes the SLA for the different NICs in thisexample.
nic0: A single-instance VM with internal IP addresses. The monthly uptimepercentage is 99.9%.nic1: A single-instance VM with an external IP address that uses theStandard networking tier. This VM isn't protected by any SLA. Only multipleinstances across zones are protected at 99.9% with the Standard networkingtier.nic2: A single-instance VM with external IP address that uses thePremium networking tier. The monthly uptime percentage is 99.9%. For multipleinstances across zones, the monthly uptime percentage is 99.99% with thePremium networking tier.
What's next
- View the network configuration for an instance.
- Reserve a new static external IP address.
- Assigning a static external IP to a new instance.
- Choosing an internal IP address at instance creation.
- Promoting an ephemeral external IP address.
- Learn how to use internal DNS namesto address instances over the internal VPC network.
- Learn more about IP addresses.
- Learn more about IPv6.
- Learn more about IP addresses and load balancing.
- Review external IP address pricing.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.