Protocol forwarding overview

This page discusses external and internal protocol forwarding only. For more information about protocol forwarding in the context of Classic VPN, see Create a Classic VPN gateway using static routing.

Protocol forwarding uses a regional forwarding rule to deliver packets of a specific protocol to a single virtual machine (VM) instance. The forwarding rule can have an internal or an external IP address. Protocol forwarding delivers packets while preserving the destination IP address of the forwarding rule. The forwarding rule references an object called a target instance, which, in turn, references a single VM instance.

You can use protocol forwarding to do the following:

  • Provide an IP address that can be moved from one instance to another, either by changing the VM referenced by the target instance object or by changing the target instance referenced by the forwarding rule.
  • Forward packets to different VMs based on protocol and port. Two forwarding rules can share the same IP address as long as their port and protocol information is unique.
  • (External protocol forwarding only) Define additional external IP addresses for a given network interface. Unlike a network interface with a 1:1 NAT configuration for its external IPv4 address, protocol forwarding preserves the destination IP address of the forwarding rule.
  • Send packets whose source IP address matches the forwarding rule's IP address.

Protocol forwarding is different from a pass-through load balancer in the following ways:

  • No load balancing. A target instance only delivers packets to a single VM.
  • No health check. Unlike a backend service, a target instance doesn't support a health check. You must use other means to ensure that the necessary software is running and operational on the VM referenced by the target instance.

Architecture

Protocol forwarding uses regional external or regional internal forwarding rules and a zonal target instance object. The target instance and the VM it references must be located in a zone in the forwarding rule's region.

  • External protocol forwarding. You can set up multiple forwarding rules to point to a single target instance, which lets you use multiple external IP addresses with one VM instance. You can use this in scenarios where you want to serve data from just one VM instance, but through different external IP addresses or different protocols and ports. This is especially useful for setting up SSL virtual hosting. External protocol forwarding can handle connections from IPv6 clients.

    External protocol forwarding supports the following protocols: AH, ESP, GRE, ICMP, ICMPv6, SCTP, TCP, and UDP.

    The following diagram shows an example of external protocol forwarding architecture. To learn how to set this up, see Set up external protocol forwarding.

    External protocol forwarding architecture.
  • Internal protocol forwarding. Internal protocol forwarding uses either a regional internal IPv4 address (from the primary IPv4 address range of a subnet) or a regional internal IPv6 address range (from the IPv6 address range of a subnet).

    Internal protocol forwarding supports the TCP and UDP protocols.

    The following diagram shows an example of internal protocol forwarding architecture. To learn how to set this up, see Set up internal protocol forwarding.

    Internal protocol forwarding architecture.

    With internal protocol forwarding, you can change the target of a forwarding rule to switch between a target instance and a backend service of a pass-through load balancer. For details, see Switch between a target instance and a backend service.

Forwarding rules

Each forwarding rule matches an IP address, protocol, and optionally, port information (if specified and if the protocol supports ports). When a forwarding rule references a target instance, Google Cloud routes packets that match the forwarding rule's address, protocol, and port specification to the VM referenced by the target instance.

  • Internal protocol forwarding:

    • IPv4 address support. A regional internal IPv4 address from the primary IPv4 range of a subnet. You can specify a reserved static IPv4 address or a custom ephemeral IPv4 address. If not specified, Google Cloud automatically assigns an ephemeral IPv4 address.

    • IPv6 address support. The forwarding rule references a /96 range of IP addresses from the subnet's /64 internal IPv6 address range. The subnet must be either of the following:

      • A dual-stack (IPv4 and IPv6) subnet
      • A single-stack (IPv6-only) subnet

      The subnet's ipv6-access-type setting must be set to INTERNAL.

      Internal IPv6 addresses are available only in Premium Tier. You can specify a reserved static IPv6 address or a custom ephemeral IPv6 address. If not specified, Google Cloud automatically assigns an ephemeral IPv6 address.

      To specify a custom ephemeral IPv6 address, you must use the gcloud CLI or the API. The Google Cloud console doesn't support specifying custom ephemeral IPv6 addresses for forwarding rules.

    • Protocol options. TCP (default) and UDP.

    • Port specification options. A list of up to five contiguous or non-contiguous ports, or all ports.

  • External protocol forwarding:

    • IPv4 address support. The forwarding rule references a single regional external IPv4 address. Regional external IPv4 addresses come from a pool unique to each Google Cloud region. You can specify a reserved static IPv4 address. If not specified, Google Cloud automatically assigns an IPv4 address.

    • IPv6 address support. The forwarding rule references a /96 range of IP addresses from the second half (/65) of the subnet's /64 external IPv6 address range, as described in External IPv6 specifications. The subnet must be either of the following:

      • A dual-stack (IPv4 and IPv6) subnet
      • A single-stack (IPv6-only) subnet

      The subnet's ipv6-access-type setting must be set to EXTERNAL.

      External IPv6 addresses are available only in Premium Tier. You can specify a reserved static IPv6 address or a custom ephemeral IPv6 address. If not specified, Google Cloud automatically assigns an ephemeral IPv6 address.

      To specify a custom ephemeral IPv6 address, you must use the gcloud CLI or the API. The Google Cloud console doesn't support specifying custom ephemeral IPv6 addresses for forwarding rules.

    • Protocol options. AH, ESP, ICMP, SCTP, TCP (default), UDP, and L3_DEFAULT:

      • The L3_DEFAULT forwarding rule protocol option forwards all AH, ESP, GRE, ICMP, ICMPv6, SCTP, TCP, and UDP traffic. For the TCP, UDP, and SCTP protocols, L3_DEFAULT also forwards all ports.
      • IPv6 forwarding rules don't support the ICMP protocol setting because the ICMP protocol only supports IPv4 addresses. To serve ICMPv6 and GRE traffic, set the forwarding rule protocol to L3_DEFAULT.
    • Port specification options. A contiguous port range or all ports.

Keep the following points in mind when working with forwarding rules:

  • For protocol forwarding, a forwarding rule can only reference a single target instance.

  • For internal passthrough Network Load Balancers and backend service-based external passthrough Network Load Balancers, a forwarding rule can only reference a single backend service.

  • You can switch between internal protocol forwarding and an internal passthrough Network Load Balancer without deleting and re-creating the forwarding rule. To switch between external protocol forwarding and a backend service-based external passthrough Network Load Balancer, you must delete and re-create the forwarding rule. For details, see Switch between a target instance and a backend service.

  • Port information can only be specified for protocols that have a concept of port: TCP, UDP, or SCTP.

  • If you expect fragmented UDP packets, do one of the following to ensure that all fragments (including those without port information) are delivered to the instance:

    • Use a single L3_DEFAULT forwarding rule, or
    • Use a single UDP forwarding rule configured to forward all ports.
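The constraints listed above are easy to get wrong in a deployment script, and the API error only arrives after the rule is half-built. The following Python is an added example, not Google Cloud's code and not taken from this page: it encodes the forwarding-rule rules for protocol forwarding (allowed protocols per scheme, which protocols take ports, the five-port list for internal rules versus the contiguous range for external rules, the ICMP-over-IPv6 restriction, the subnet requirement for internal and external IPv6 rules, and the two configurations that deliver UDP fragments) and builds the request body only when the spec passes. The field names used in to_body() (IPProtocol, ports, portRange, allPorts, ipVersion, subnetwork, target, loadBalancingScheme, IPAddress) are assumed to match the Compute Engine forwardingRules resource, and the target-instance paths in any usage are placeholders.

```python
"""Pre-flight validation for a protocol-forwarding forwarding rule.

Added example (not Google Cloud's code). Rejects a rule spec that breaks the
constraints described on this page before any API call is made.
Assumption: to_body() uses the field names of the Compute Engine
forwardingRules resource; resource paths passed in are placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional

PORTED = {"TCP", "UDP", "SCTP"}  # only these protocols have a concept of port
EXTERNAL_PROTOCOLS = {"AH", "ESP", "ICMP", "SCTP", "TCP", "UDP", "L3_DEFAULT"}
INTERNAL_PROTOCOLS = {"TCP", "UDP"}
MAX_INTERNAL_PORTS = 5


@dataclass
class RuleSpec:
    name: str
    scheme: str                    # "EXTERNAL" or "INTERNAL"
    target_instance: str           # path of the target instance (placeholder)
    protocol: str = "TCP"
    ip_version: str = "IPV4"       # "IPV4" or "IPV6"
    ports: List[int] = field(default_factory=list)  # internal: up to five ports
    port_range: Optional[str] = None                # external: "lo-hi" or "port"
    all_ports: bool = False
    subnetwork: Optional[str] = None  # required for internal and external IPv6
    ip_address: Optional[str] = None  # reserved address; ephemeral if None


def _parse_range(rng: str) -> Optional[tuple]:
    """Parse "80", "80-90" into (lo, hi); None when malformed or out of range."""
    lo, _, hi = rng.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()):
        return None
    lo, hi = int(lo), int(hi)
    return (lo, hi) if 1 <= lo <= hi <= 65535 else None


def validate(spec: RuleSpec) -> List[str]:
    """Return the problems found; an empty list means the spec is acceptable."""
    if spec.scheme not in ("EXTERNAL", "INTERNAL"):
        return [f"scheme must be EXTERNAL or INTERNAL, not {spec.scheme!r}"]
    errs = []
    external = spec.scheme == "EXTERNAL"
    if spec.protocol not in (EXTERNAL_PROTOCOLS if external else INTERNAL_PROTOCOLS):
        errs.append(f"{spec.scheme} protocol forwarding does not support {spec.protocol}")
    if spec.ip_version == "IPV6" and spec.protocol == "ICMP":
        errs.append("IPv6 rules cannot use ICMP; use L3_DEFAULT to serve ICMPv6")
    selected = [bool(spec.ports), spec.port_range is not None, spec.all_ports]
    if spec.protocol not in PORTED:
        if any(selected):
            errs.append(f"{spec.protocol} has no ports; drop the port specification")
    else:
        if sum(selected) > 1:
            errs.append("specify at most one of ports, port_range or all_ports")
        if external and spec.ports:
            errs.append("external rules take a contiguous range or all ports, not a list")
        if not external and spec.port_range is not None:
            errs.append("internal rules take a list of up to five ports or all ports")
        if spec.ports and (len(spec.ports) > MAX_INTERNAL_PORTS
                           or any(not 1 <= p <= 65535 for p in spec.ports)):
            errs.append(f"ports must be 1..65535 and at most {MAX_INTERNAL_PORTS} entries")
        if spec.port_range is not None and _parse_range(spec.port_range) is None:
            errs.append(f"bad port range {spec.port_range!r}")
    if (not external or spec.ip_version == "IPV6") and not spec.subnetwork:
        errs.append("a subnetwork is required for internal rules and external IPv6 rules")
    return errs


def udp_fragments_delivered(spec: RuleSpec) -> bool:
    """True when UDP fragments that carry no port header still reach the VM."""
    return spec.protocol == "L3_DEFAULT" or (spec.protocol == "UDP" and spec.all_ports)


def to_body(spec: RuleSpec) -> dict:
    """Build the forwardingRules insert body; raise ValueError on an invalid spec."""
    errs = validate(spec)
    if errs:
        raise ValueError("; ".join(errs))
    body = {"name": spec.name, "loadBalancingScheme": spec.scheme,
            "IPProtocol": spec.protocol, "ipVersion": spec.ip_version,
            "target": spec.target_instance}
    if spec.ports:
        body["ports"] = [str(p) for p in spec.ports]
    elif spec.port_range is not None:
        lo, hi = _parse_range(spec.port_range)
        body["portRange"] = f"{lo}-{hi}"
    elif spec.all_ports:
        body["allPorts"] = True
    if spec.subnetwork:
        body["subnetwork"] = spec.subnetwork
    if spec.ip_address:
        body["IPAddress"] = spec.ip_address
    return body
```

Call validate() on every rule a pipeline is about to create and fail the run if it returns anything; udp_fragments_delivered() is the check to run on any rule that fronts a UDP service that may see fragmented datagrams, since a UDP rule restricted to specific ports silently drops the fragments that carry no port header.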

Target instances

A target instance is a zonal resource that references one VM instance in the same zone. The forwarding rule that references the target instance must be in the region containing the target instance's zone. Because no NAT policy is applied to packets delivered through a target instance (the forwarding rule's destination IP address is preserved), protocol forwarding can be used for IPsec traffic that can't traverse NAT.

Multi-NIC support

Protocol forwarding using target instances supports VM instances with non-nic0 network interfaces (vNICs or Dynamic Network Interfaces) by using the --network flag when you create the target instance:

  • If you omit the --network flag when you create a target instance, Google Cloud delivers packets to the nic0 interface of the referenced VM.
  • If you include the --network flag when you create a target instance, Google Cloud delivers packets to the NIC of the referenced VM that's in the VPC network specified by the --network flag. Consequently, the referenced VM must have a NIC in the VPC network specified by the --network flag.
  • Internal protocol forwarding and IPv6 external protocol forwarding have the following additional requirement because their forwarding rules use subnets: when configuring a forwarding rule to reference a target instance, the forwarding rule must use a subnet of the target instance's VPC network. The forwarding rule and target instance cannot use different VPC networks, even if those networks are connected in some way.

Note: Cloud Armor features such as advanced network DDoS protection and network edge security policies aren't supported for VM instances using Dynamic NICs.

IPv6 support for VM instances

If you want the protocol forwarding deployment to support IPv6 traffic, the VM instance must be configured in either a dual-stack or a single-stack IPv6-only subnet that is in the same region as the IPv6 forwarding rule.

Note that while IPv6-only instances can be created in both dual-stack and IPv6-only subnets, dual-stack VMs can't be created in IPv6-only subnets.

The VM instance can be created in a subnet whose ipv6-access-type is set to either EXTERNAL or INTERNAL; the VM inherits that setting from the subnet.

For instructions, see Create an instance that uses IPv6 addresses. If you want to use an existing VM, you can update the VM to be dual-stack by using the gcloud compute instances network-interfaces update command. Updating existing VMs to IPv6-only isn't supported.

IP addresses for request and return packets

When a target instance receives a packet from a client, the request packet's source and destination IP addresses are as shown in this table.

Table 1. Source and destination IP addresses for request packets

| Protocol forwarding type | Source IP address | Destination IP address |
| --- | --- | --- |
| External protocol forwarding | The external IP address associated with a Google Cloud VM, or an external IP address of a client on the internet | The IP address of the forwarding rule |
| Internal protocol forwarding | A client's internal IP address; for Google Cloud clients, the primary internal IPv4 or IPv6 address of a VM's network interface, or an IPv4 address from one of its alias IP ranges | The IP address of the forwarding rule |

Software running on the target instance VM should be configured to do the following:

  • Listen on (bind to) the forwarding rule's IP address or any IP address (0.0.0.0 or ::).
  • If the forwarding rule's protocol supports ports, listen on (bind to) a port that's included in the forwarding rule.

Return packets are sent directly from the target instance to the client. The response packet's source and destination IP addresses depend on the protocol:

  • TCP is connection-oriented. Target instances must reply with packets whose source IP address matches the forwarding rule's IP address. This ensures that the client can associate the response packets with the appropriate TCP connection.
  • AH, ESP, GRE, ICMP, ICMPv6, and UDP are connectionless. Target instances can send response packets whose source IP address either matches the forwarding rule's IP address or matches any IP address assigned to the VM's NIC in the same VPC network as the forwarding rule. Practically speaking, most clients expect the response to come from the same IP address to which they sent packets.

The following table summarizes sources and destinations for return packets:

Table 2. Source and destination IP addresses for return packets

| Traffic type | Source IP address | Destination IP address |
| --- | --- | --- |
| TCP | The IP address of the forwarding rule | The request packet's source IP address |
| AH, ESP, GRE, ICMP, ICMPv6, and UDP [1] | For most use cases, the IP address of the forwarding rule [2] | The request packet's source IP address |

[1] AH, ESP, GRE, ICMP, and ICMPv6 are only supported with external protocol forwarding.

[2] With internal protocol forwarding, it is possible to set the response packet's source to the VM NIC's primary internal IPv4 address or IPv6 address, or to an address from an alias IP range. If the VM has IP forwarding enabled, arbitrary source IP addresses can also be used. Not using the forwarding rule's IP address as the source is an advanced scenario because the client receives a response packet from an internal IP address that does not match the IP address to which it sent the request packet.
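The "most clients expect the response to come from the same IP address" point bites in a specific way: a target-instance VM has at least two local addresses (the NIC's primary address and the forwarding rule's address), and a UDP service that binds to 0.0.0.0 and answers with a plain sendto() lets the kernel choose the reply's source address by route, which can be the NIC address rather than the forwarding rule's address. A client that sent to the forwarding rule's address then discards the reply, and TCP would never complete the handshake. The following Python is an added example, not part of this page and not Google Cloud's code: it uses the Linux IP_PKTINFO socket option to learn which local address each datagram was sent to and sources the reply from that address, and it runs both behaviours on the loopback interface, where 127.0.0.2 stands in for the forwarding rule's address and 127.0.0.1 for the NIC's own address. Assumptions: Linux (its loopback answers for all of 127.0.0.0/8, and IP_PKTINFO has the value 8 where the socket module lacks the constant); the constructed payload is just b"ping".

```python
"""UDP responder that replies from the address the request was sent to.

Added example, not from this page. Shows why a target-instance VM must source
its replies from the forwarding-rule address: on loopback, 127.0.0.2 plays the
forwarding-rule address and 127.0.0.1 the NIC's own address.
Assumptions: Linux (IP_PKTINFO option, value 8; all of 127.0.0.0/8 is local).
"""
import socket
import struct
import threading

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)  # Linux value (assumption)
PKTINFO_FMT = "i4s4s"                          # struct in_pktinfo: ifindex, spec_dst, addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def respond_once(srv, reply_from_request_dst):
    """Receive one datagram on srv and echo it; return the address it was sent to."""
    data, anc, _flags, client = srv.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
    request_dst = None
    for level, ctype, cdata in anc:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            request_dst = socket.inet_ntoa(addr)  # the address the client used
    reply = b"echo:" + data
    if reply_from_request_dst and request_dst:
        # ipi_spec_dst in an IP_PKTINFO cmsg on send selects the source address.
        cmsg = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(request_dst), b"\0" * 4)
        srv.sendmsg([reply], [(socket.IPPROTO_IP, IP_PKTINFO, cmsg)], 0, client)
    else:
        srv.sendto(reply, client)  # kernel picks the source by route: 127.0.0.1 here
    return request_dst


def query(service_addr, port, payload=b"ping", timeout=1.0):
    """Client: a connected UDP socket accepts replies only from service_addr:port."""
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(timeout)
    try:
        c.connect((service_addr, port))
        c.send(payload)
        return c.recv(2048)
    except (socket.timeout, ConnectionRefusedError):
        return None  # the reply came from the wrong source address, or not at all
    finally:
        c.close()


def run_exchange(service_addr="127.0.0.2", reply_from_request_dst=True):
    """Serve one request on a wildcard-bound socket; return (request dst, client's reply)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # ask for per-datagram destination
    srv.bind(("0.0.0.0", 0))                          # a service bound to any address
    srv.settimeout(3.0)
    port = srv.getsockname()[1]
    seen = {}
    worker = threading.Thread(
        target=lambda: seen.update(dst=respond_once(srv, reply_from_request_dst)))
    worker.start()
    reply = query(service_addr, port)
    worker.join()
    srv.close()
    return seen.get("dst"), reply


if __name__ == "__main__":
    print("reply sourced from the request's destination:", run_exchange(reply_from_request_dst=True))
    print("reply sourced by the kernel's route choice:  ", run_exchange(reply_from_request_dst=False))
```

With reply_from_request_dst=True the client gets its echo back from 127.0.0.2; with False the reply leaves from 127.0.0.1 and the connected client never sees it. Binding the service socket to the forwarding rule's address instead of 0.0.0.0 avoids the problem without IP_PKTINFO but only serves that one address; the same rule applies to connections the VM originates from the forwarding rule's address, where the socket must be bound to that address before connecting.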

Outbound internet connectivity from target instances

VM instances referenced by target instances can initiate connections to the internet by using the IP address of the associated forwarding rule as the source IP address of the outbound connection.

Generally, a VM instance uses its own external IP address or Cloud NAT to initiate connections. You use the forwarding rule's IP address to initiate connections from target instances only in special scenarios, such as when you need VM instances to originate and receive connections at the same external IP address.

Outbound packets sent from target instance VMs directly to the internet have no restrictions on traffic protocols and ports. Even if an outbound packet uses the forwarding rule's IP address as its source, the packet's protocol and source port don't have to match the forwarding rule's protocol and port specification. However, inbound response packets must match the forwarding rule's IP address, protocol, and destination port: a reply to an outbound connection whose source port isn't covered by the forwarding rule isn't delivered. For more information, see Paths for external passthrough Network Load Balancers and external protocol forwarding.

This path to internet connectivity from a target instance VM is the default intended behavior according to Google Cloud's implied firewall rules, whose implied allow egress rule permits it. If you have security concerns about leaving this path open, use targeted egress firewall rules to block unsolicited outbound traffic to the internet.

Limitations

  • A forwarding rule cannot point to more than one target instance.
  • Health checks are not supported with target instances. You must ensure that the necessary software is running and operational on the VM referenced by the target instance.
  • Internal protocol forwarding for IPv6 traffic doesn't support the L3_DEFAULT protocol. Use either TCP or UDP.

API and gcloud reference

For forwarding rules, see the following:

For target instances, see the following:

Pricing

Protocol forwarding is charged at the same rate as load balancing. There is a charge for the forwarding rule and a charge for the inbound data processed by the target instance.

For all pricing information, see Pricing.

Quotas and limits

For the quotas on forwarding rules for protocol forwarding, see Quotas and limits: Forwarding rules.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.