Configure routing for an additional network interface

This tutorial describes how to create a virtual machine (VM) instance with multiple network interfaces, each of which is attached to different Virtual Private Cloud (VPC) networks. Additionally, the tutorial provides an example of how to configure routing on a Linux VM so that you can successfully ping the nic1 interface.

The routing configuration in this tutorial applies to both network interface types: vNICs and Dynamic Network Interfaces (NICs). While the example in this tutorial uses an instance with multiple vNICs, you can configure the same example for an instance that has Dynamic NICs.

Instances with multiple network interfaces are referred to as multi-NIC instances.

Costs

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator.

New Google Cloud users might be eligible for a free trial.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Compute Engine API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Example configuration

The following diagram shows the VPC networks, subnets, and instances that you create in this tutorial, along with example values that you can use for resource names and subnet IP address ranges:

Figure 1. In this tutorial, you create two VPC networks that each have two subnets. All subnets are in the same region. Additionally, you create three instances: one multi-NIC instance that attaches to the first two subnets, and one instance in each of the two remaining subnets.

Create two VPC networks

To create a multi-NIC instance, the VPC networks that you are connecting it to must already exist. Create two VPC networks. In this tutorial, each VPC network has two subnets.

To create the configuration shown in the example configuration, create your networks and subnets with the following values:

  • A network called network-1 that contains the following:
    • A subnet called subnet-1 that has a primary IPv4 address range of 10.10.1.0/24.
    • A subnet called subnet-3 that has a primary IPv4 address range of 10.10.3.0/24.
  • A network called network-2 that contains the following:
    • A subnet called subnet-2 that has a primary IPv4 address range of 10.10.2.0/24.
    • A subnet called subnet-4 that has a primary IPv4 address range of 10.10.4.0/24.

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click Create VPC network.

  3. In the Name field, enter a name for the VPC network.

  4. Choose Custom for the Subnet creation mode.

  5. In the New subnet section, specify the following:

    1. Provide a Name for the subnet.
    2. Select a Region. Make sure that both VPC networks that you create use the same region for at least one of their subnets. Use this same region when you create the multi-NIC instance in the following section. The example configuration uses the same region for all subnets.
    3. Enter an IP address range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    4. Click Done.

  6. Click Add subnet to create a second subnet. Use this second subnet for testing ping from outside of the primary subnet range of the network interface of your instance.

  7. In the Firewall rules section, select the allow-custom rule, and then click EDIT. Configure the rule as follows to ensure that you can test connectivity from the test instances to multi-nic-vm:

    1. Under IPv4 ranges, keep the checkboxes selected for the subnets' IPv4 address ranges.
    2. Under Other IPv4 ranges, enter 35.235.240.0/20 so that you can connect to the test instances using SSH. Including this range allows SSH connections using Identity-Aware Proxy (IAP) TCP forwarding. For more information, see Allow ingress ssh connections to VMs.
    3. Under Protocols and ports, select specified protocols and ports.
      1. Select TCP, and then enter 22, 3389 to allow RDP and SSH.
      2. Select Other, and then enter icmp to allow ICMP.
  8. Click Create.

  9. Repeat these steps to create a second VPC network. Make sure that the subnet IP address ranges don't overlap with the subnets from your first network, such as the IP address ranges used in the example configuration.

gcloud

  1. Use the networks create command to create a VPC network.

    gcloud compute networks create NETWORK --subnet-mode=custom

    Replace the following:

    • NETWORK: a name for the VPC network.
  2. Use the networks subnets create command to create a subnet for your VPC network.

    gcloud compute networks subnets create NAME \
        --network=NETWORK \
        --range=RANGE \
        --region=REGION

    Replace the following:

    • NAME: a name for the subnet.
    • NETWORK: the name of the VPC network.
    • RANGE: an IP address range. This is the primary IPv4 range for the subnet.

      If you enter a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    • REGION: a region. Make sure that both VPC networks that you create use the same region for at least one of their subnets. Use this same region when you create the multi-NIC instance in the following section. The example configuration uses the same region for all subnets.

  3. Repeat the previous step to create another subnet. Use this second subnet for testing ping from outside of the primary subnet range of the network interface of your instance.

  4. Create a firewall rule to allow SSH, RDP, and ICMP:

    gcloud compute firewall-rules create allow-ssh-rdp-icmp \
        --network NETWORK \
        --action=ALLOW \
        --direction=INGRESS \
        --rules=tcp:22,tcp:3389,icmp \
        --source-ranges=SOURCE_RANGE

    Replace the following:

    • NETWORK: enter the value that corresponds to the network you're creating:
      • For the first network, enter network-1.
      • When you repeat the steps in this section for the second network, enter network-2.
    • SOURCE_RANGE: enter the value that corresponds to the network you're creating:
      • For the first network, enter 10.10.3.0/24,35.235.240.0/20. Including 10.10.3.0/24 ensures that you can test connectivity from test-vm-1 to the nic0 interface of the multi-nic-vm. Including 35.235.240.0/20 allows SSH connections using Identity-Aware Proxy (IAP) TCP forwarding. For more information, see Allow ingress ssh connections to VMs.
      • When you repeat the steps in this section for the second network, enter 10.10.4.0/24,35.235.240.0/20. Including 10.10.4.0/24 ensures that you can test connectivity from test-vm-2 to the nic0 interface of the multi-nic-vm. Including 35.235.240.0/20 allows SSH connections using Identity-Aware Proxy (IAP) TCP forwarding. For more information, see Allow ingress ssh connections to VMs.
  5. Repeat these steps to create a second VPC network. Make sure that the subnet IP address ranges don't overlap with the subnets from your first network, such as the IP address ranges used in the example configuration.

Create a multi-NIC instance

Create an instance that has one interface for each VPC network that you created in the previous section.

To create a multi-NIC instance:

Console

  1. In the Google Cloud console, go to the Create an instance page.

  2. In the Name field, enter a name for the instance. This corresponds to multi-nic-vm in the example configuration.

  3. In the Region field, select the same region in which you created one subnet in each of your VPC networks. The instance must be in the same region as the subnets to which its interfaces connect. The example configuration uses the same region for all subnets.

  4. In the Zone field, select a zone.

  5. In the Advanced options section, expand Networking, and then do the following:

    1. Review the Network interfaces section. Google Cloud automatically populates the first network interface with a network and subnetwork. This corresponds to network-1 and subnet-1 in the example configuration.
    2. For Primary internal IPv4 address, select one of the following:
      • Ephemeral to assign a new ephemeral IPv4 address
      • A reserved static internal IPv4 address from the list
      • Reserve static internal IPv4 address to reserve and assign a new static internal IPv4 address. If you are using the example configuration, reserve 10.10.1.3.
    3. For External IPv4 address, select None.

    4. To add another interface, click Add network interface.

    5. For Network and Subnetwork, select the second network and subnetwork that you created. This corresponds to network-2 and subnet-2 in the example configuration.

    6. For IP stack type, select IPv4 (single-stack).

    7. For Primary internal IPv4 address, select one of the following:

      • Ephemeral to assign a new ephemeral IPv4 address
      • A reserved static internal IPv4 address from the list
      • Reserve static internal IPv4 address to reserve and assign a new static internal IPv4 address. If you are using the example configuration, reserve 10.10.2.3.
    8. For External IPv4 address, select None.

    9. To finish adding the network interface, click Done.

  6. Click Create.

gcloud

To create network interfaces on a new instance, use the instances create command.

Include the --network-interface flag for each interface, followed by any appropriate networking keys, such as network, subnet, private-network-ip. For the external IP address, the following command specifies no-address.

gcloud compute instances create INSTANCE_NAME \
    --zone ZONE \
    --network-interface \
        network=NIC0_NETWORK,subnet=NIC0_SUBNET,private-network-ip=NIC0_INTERNAL_IPV4_ADDRESS,no-address \
    --network-interface \
        network=NIC1_NETWORK,subnet=NIC1_SUBNET,private-network-ip=NIC1_INTERNAL_IPV4_ADDRESS,no-address

Replace the following:

  • INSTANCE_NAME: the name of the instance to create. This corresponds to multi-nic-vm in the example configuration.
  • ZONE: the zone where the instance is created. Enter a zone in the same region in which you created one subnet in each of your VPC networks. The instance must be in the same region as the subnets to which its interfaces connect. The example configuration uses the same region for all subnets.
  • Values for the first interface:
    • NIC0_NETWORK: the network where the interface attaches. This corresponds to network-1 in the example configuration.
    • NIC0_SUBNET: the subnet where the interface attaches. This corresponds to subnet-1 in the example configuration.
    • NIC0_INTERNAL_IPV4_ADDRESS: the internal IPv4 address that you want the interface to have in the target subnet. If you are using the example configuration, enter 10.10.1.3. Omit if you just want any valid address assigned.
  • Values for the second interface:
    • NIC1_NETWORK: the network where the interface attaches. This corresponds to network-2 in the example configuration.
    • NIC1_SUBNET: the subnet where the interface attaches. This corresponds to subnet-2 in the example configuration.
    • NIC1_INTERNAL_IPV4_ADDRESS: the internal IPv4 address that you want the interface to have in the target subnet. If you are using the example configuration, enter 10.10.2.3. Omit if you just want any valid address assigned.

Create two test instances

Create two additional instances:

  • One in the same network, but different subnet, as the nic0 interface of the multi-NIC instance that you created. This corresponds to test-vm-1 in subnet-3 in the example configuration.
  • One in the same network, but different subnet, as the nic1 interface of the multi-NIC instance that you created. This corresponds to test-vm-2 in subnet-4 in the example configuration.

You use these instances for testing ping from the subnets that are outside of the primary subnet range of your instance that has multiple network interfaces.

To create the instances:

Console

  1. In the Google Cloud console, go to the Create an instance page.

  2. In the Name field, enter a name for the instance.

  3. In the Region field, select the region in which you placed the additional subnet in your first VPC network.

  4. In the Zone field, select a zone.

  5. In the Advanced options section, expand Networking, and then do the following:

    1. Review the Network interfaces section. Make sure that the subnet is different from the one used by the nic0 interface of your multi-NIC instance.
  6. Click Create.

  7. Repeat these steps to create an instance in your second VPC network, and in a subnet that is different from that of the nic1 interface of your multi-NIC instance.

gcloud

  1. Run the instances create command and include the --network-interface flag for each interface, followed by any appropriate networking keys, such as network, subnet, private-network-ip, or address.

    gcloud compute instances create INSTANCE_NAME \
        --zone ZONE \
        --network-interface \
            network=NIC0_NETWORK,subnet=NIC0_SUBNET,private-network-ip=NIC0_INTERNAL_IPV4_ADDRESS

    Replace the following:

    • INSTANCE_NAME: the name of the instance to create.
    • ZONE: the zone where the instance is created. Enter the region in which you placed the additional subnet in your first VPC network—the subnet that is not used by the multi-NIC instance.
    • NIC0_NETWORK: the network where the interface attaches.
    • NIC0_SUBNET: the subnet where the interface attaches.
    • NIC0_INTERNAL_IPV4_ADDRESS: the internal IPv4 address that you want the interface to have in the target subnet. Omit if you just want any valid address assigned.
  2. Repeat the previous step to create an instance in your second VPC network and in a subnet that is different from that of the nic1 interface of your multi-NIC instance.

Test connectivity to the multi-NIC instance

Follow the steps in this section to test ping from the additional instances that you created to each interface of your instance with multiple network interfaces.

The following table shows the scenarios in which you can successfully ping at this point in the tutorial using the IP address values from the example configuration.

| From | To | ping successful |
|---|---|---|
| Instance (test-vm-1) in the same network, but different subnet, as the nic0 interface of multi-nic-vm | Internal IP address (10.10.1.3) of the nic0 interface of multi-nic-vm | Yes |
| Instance (test-vm-2) in the same network, but different subnet, as the nic1 interface of multi-nic-vm | Internal IP address (10.10.2.3) of the nic1 interface of multi-nic-vm | No |

Get the IP addresses of the multi-NIC instance

If necessary, get the interface IP addresses of your multi-NIC instance so that you can ping them in the following sections.

Console

  1. In the Google Cloud console, go to the VM instances page.

  2. In the list of instances, find the multi-NIC instance that you created, and record these values so that you can ping them in the following steps:

    • The Internal IP addresses of its nic0 and nic1 interfaces

gcloud

  1. Run the instances list command:

    gcloud compute instances list

  2. Locate your multi-NIC instance and record the following from the output:

    • INTERNAL_IP: the first and second addresses correspond to the nic0 and nic1 network interfaces.

Ping the nic0 interface of your instance

  1. In the list of instances, locate the instance that you created in the same network, but different subnet, as the nic0 interface of the multi-NIC instance.

    1. In the row of the instance, click SSH.
  2. Run the following command to ping the internal IP address of the nic0 interface of your multi-NIC instance:

    ping INTERNAL_IP_NIC0

    Replace INTERNAL_IP_NIC0 with the corresponding address that you recorded previously. If you are using the example configuration, enter 10.10.1.3.

    Note that the ping is successful.

  3. Run exit to close the terminal window.

Ping the nic1 interface of your instance

  1. In the list of instances, locate the instance that you created in the same network, but different subnet, as the nic1 interface of the multi-NIC instance.

    1. In the row of the instance, click SSH.
  2. Run the following command to ping the internal IP address of the second interface of your multi-NIC instance:

    ping INTERNAL_IP_NIC1

    Replace INTERNAL_IP_NIC1 with the corresponding address that you recorded previously. If you are using the example configuration, enter 10.10.2.3.

    Note that the ping is unsuccessful.

  3. Run exit to close the terminal window.

Configure policy routing

The ping test in the preceding section failed due to asymmetric routing—traffic is sent to the nic1 interface of multi-nic-vm, but the default route for the instance results in the replies being sent from nic0. For more information, see Specifications in the Multiple network interfaces overview.

Follow the steps in this section to configure policy routing to make sure that egress packets leave through the correct interface.

This tutorial uses Linux VMs. Source-based policy routing is not supported by Windows operating systems.

Find the default gateway for the nic1 interface of the instance

You can find the default gateway for an instance's interface by querying the metadata server. If you are using the example configuration, the value is 10.10.2.1.

To find the default gateway for the nic1 interface's IPv4 address, make the following request from the multi-NIC instance:

curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway -H "Metadata-Flavor: Google"

To find the default gateway for a different network interface, specify the appropriate interface number. To find the name that Google Cloud has assigned to the interface, see Get the IP addresses of the multi-NIC instance. This is different from the interface name that the operating system assigns. The interface has the format nicNUMBER. In your request to the metadata server, enter only the number. For example, for nic2, specify 2.

Configure a new routing table on the multi-NIC instance

This section describes how to configure a new routing table on the multi-NIC instance.

Note: While the following commands use the internal IP address of the nic1 interface, completing this configuration lets you reach both the internal and external (if assigned) IP addresses of the interface. For example, when you ping the external IPv4 address of an instance, Google Cloud performs destination network address translation (DNAT) to the internal IPv4 address of the instance. The instance then responds using the local routing policy that you configured with the internal IP address. For the response, Google Cloud then performs source network address translation (SNAT) to translate the source back to the external IP address. However, you might need an additional firewall rule to allow ICMP from the external IP address.

  1. Enable the serial console by following the steps in Enabling access for a VM instance.

  2. To avoid losing connectivity to the instance while you change the default route, connect to the serial console.

  3. Run ip link list to list your instance's network interfaces, and then record the name of the nic1 interface, such as ens5.

  4. Run the following command to ensure that the nic1 interface is configured with an IP address.

    ip addr show NIC

    Replace NIC with the name of the nic1 interface from the previous step.

    If the nic1 interface has not been assigned an IP address automatically, you can manually assign an IP address by running the following command:

    sudo ip addr add IP_ADDRESS dev NIC

    Replace the following:

    • IP_ADDRESS: the internal IP address to configure on the interface. This corresponds to 10.10.2.3 in the example configuration.
    • NIC: the name of the nic1 interface from the previous step.
  5. Create a custom route table for the nic1 network interface.

    echo "1 ROUTE_TABLE_NAME" | sudo tee -a /etc/iproute2/rt_tables

    Replace ROUTE_TABLE_NAME with a name for the route table, such as route-nic1.

  6. Create the default route in the custom route table intended for the nic1 network interface and a route with a source hint for packets sent to the gateway.

    sudo ip route add default via GATEWAY dev NIC table ROUTE_TABLE_NAME
    sudo ip route add GATEWAY src IP_ADDRESS dev NIC table ROUTE_TABLE_NAME

    Replace the following:

    • GATEWAY: the default gateway IP address of the interface. This corresponds to 10.10.2.1 in the example configuration.
    • NIC: the interface that you want to add a route for. For example, ens5.
    • ROUTE_TABLE_NAME: the name of your route table.
    • IP_ADDRESS: the internal IP address configured on the interface. This corresponds to 10.10.2.3 in the example configuration.
  7. Create routing rules that instruct the instance to use the custom route table for packets with sources or destinations that match the primary internal IPv4 address assigned to the nic1 interface:

    sudo ip rule add from IP_ADDRESS/PREFIX_LENGTH table ROUTE_TABLE_NAME
    sudo ip rule add to IP_ADDRESS/PREFIX_LENGTH table ROUTE_TABLE_NAME

    Replace the following:

    • IP_ADDRESS: the internal IP address configured on the interface. This corresponds to 10.10.2.3 in the example configuration.
    • PREFIX_LENGTH: the prefix length for the configured IP address.
    • ROUTE_TABLE_NAME: the name of your route table.
  8. Run the following command to remove all entries from the cache route table. This might be necessary if you are using an existing instance with previously configured route tables.

    sudo ip route flush cache
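
The following script is an added example, not part of the original tutorial or Google's tooling. It validates each value and prints the commands from steps 5 through 8 for review before you run them, and it checks ip rule show output for both rules. The function names, the /32 prefix length, and the sample rule listing are assumptions constructed for the example configuration.

```shell
#!/bin/sh
# Added example, not Google's code: print the commands from steps 5-8 for
# review (dry run) and check `ip rule show` output. Function names are
# hypothetical; the sample output and the /32 prefix length are constructed.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case $_o in
      0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$_o" -le 255 ] || return 1 ;;
      *) return 1 ;;
    esac
  done
}

# policy_routing_plan NIC IP PREFIX_LENGTH GATEWAY TABLE [RT_TABLES_FILE]
# Validates every value before it is placed in a command that runs under sudo.
policy_routing_plan() {
  [ $# -ge 5 ] || { echo "usage: policy_routing_plan NIC IP LEN GW TABLE" >&2; return 2; }
  p_nic=$1 p_ip=$2 p_len=$3 p_gw=$4 p_tbl=$5
  p_file=${6:-/etc/iproute2/rt_tables}   # sixth argument exists for testing
  case $p_nic in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $p_nic" >&2; return 1 ;; esac
  case $p_tbl in ''|*[!A-Za-z0-9_-]*) echo "bad table name: $p_tbl" >&2; return 1 ;; esac
  case $p_len in
    [1-9]|[12][0-9]|3[0-2]) ;;
    *) echo "bad prefix length: $p_len" >&2; return 1 ;;
  esac
  valid_ipv4 "$p_ip" || { echo "bad address: $p_ip" >&2; return 1; }
  valid_ipv4 "$p_gw" || { echo "bad gateway: $p_gw" >&2; return 1; }
  # Step 5: register the table only if its name is not already listed,
  # because rerunning `tee -a` would append a duplicate line.
  if ! awk -v t="$p_tbl" '$1 !~ /^#/ && $2 == t { f = 1 } END { exit !f }' \
      "$p_file" 2>/dev/null; then
    printf '%s\n' "echo \"1 $p_tbl\" | sudo tee -a /etc/iproute2/rt_tables"
  fi
  # Step 6: default route and source-hinted gateway route in the custom table.
  printf '%s\n' "sudo ip route add default via $p_gw dev $p_nic table $p_tbl"
  printf '%s\n' "sudo ip route add $p_gw src $p_ip dev $p_nic table $p_tbl"
  # Step 7: send traffic from and to the nic1 address through that table.
  printf '%s\n' "sudo ip rule add from $p_ip/$p_len table $p_tbl"
  printf '%s\n' "sudo ip rule add to $p_ip/$p_len table $p_tbl"
  # Step 8: drop cached routes.
  printf '%s\n' "sudo ip route flush cache"
}

# rules_present ADDRESS TABLE: read `ip rule show` output on stdin and succeed
# only if both the "from" and the "to" rule for ADDRESS look up TABLE.
rules_present() {
  awk -v ip="$1" -v t="$2" '
    function norm(a) { sub(/\/32$/, "", a); return a }
    BEGIN { want = norm(ip) }
    { sub(/^[0-9]+:[ \t]*/, "") }
    NF >= 4 && $(NF-1) == "lookup" && $NF == t {
      if (NF == 4 && $1 == "from" && norm($2) == want) has_from = 1
      if (NF == 6 && $2 == "all" && $3 == "to" && norm($4) == want) has_to = 1
    }
    END { exit !(has_from && has_to) }'
}

# Constructed `ip rule show` output for the example configuration.
sample_rules() {
  cat <<'EOF'
0:      from all lookup local
32764:  from all to 10.10.2.3 lookup route-nic1
32765:  from 10.10.2.3 lookup route-nic1
32766:  from all lookup main
32767:  from all lookup default
EOF
}

policy_routing_plan ens5 10.10.2.3 32 10.10.2.1 route-nic1
sample_rules | rules_present 10.10.2.3 route-nic1 && echo "both rules present"
```

On the instance, pipe the real ip rule show output into rules_present in place of sample_rules. Running ip route get TEST_VM_IP from 10.10.2.3 there shows which interface the kernel selects for replies sourced from the nic1 address.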

Retest connectivity to the multi-NIC instance

The following table shows the scenarios in which you can successfully ping now that you have configured policy routing. Repeat the steps to ping the nic1 interface of your instance to confirm that you can now ping both IP addresses successfully.

| From | To | ping successful |
|---|---|---|
| Instance (test-vm-1) in the same network, but different subnet, as the nic0 interface of multi-nic-vm | Internal IP address (10.10.1.3) of the nic0 interface of multi-nic-vm | Yes |
| Instance (test-vm-2) in the same network, but different subnet, as the nic1 interface of multi-nic-vm | Internal IP address (10.10.2.3) of the nic1 interface of multi-nic-vm | Yes |

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

    Caution: Deleting a project has the following effects:
    • Everything in the project is deleted. If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
    • Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as an appspot.com URL, delete selected resources inside the project instead of deleting the whole project.

    If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete individual resources

If you don't want to delete the entire project, delete the VPC networks and instances that you created for the tutorial.

Before you can delete a network, you must delete all resources in all of its subnets, and all resources that reference the network.

Delete instances

To delete instances:

Console

  1. In the Google Cloud console, go to the VM instances page.

  2. Check the instances you want to delete.

  3. Click the Delete button.

gcloud

Use the gcloud compute instances delete command. When you delete an instance in this way, the instance shuts down and is removed from the list of instances, and all resources attached to the instance are released, such as persistent disks and any static IP addresses.

To delete an instance, use the following command:

gcloud compute instances delete example-instance [example-instance-2 example-instance-3..]

Delete VPC networks

To delete a VPC network:

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of a VPC network to show its VPC network details page.

  3. Click Delete VPC network.

  4. In the message that appears, click Delete to confirm.

gcloud

Use the networks delete command.

gcloud compute networks delete NETWORK

Replace NETWORK with the name of the network to delete.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.