Create and use IPv6 sub-prefixes

This page describes how to divide your IPv6 public delegated prefix intosub-prefixes that you can assign to resources in specific projects. When youcreate a sub-prefix, your configuration includes a prefix length and a mode thatdetermines how the IP addresses can be used.

The following modes are supported:

• For further delegation (--mode=DELEGATION): Sub-prefixes that you canfurther divide into smaller sub-prefixes. The associated IP addresses can'tbe assigned to resources until you create a non-delegation mode sub-prefix.

• For forwarding rules (--mode=EXTERNAL_IPV6_FORWARDING_RULE_CREATION):Sub-prefixes that you can use as a source of regional externalglobal unicast address (GUA) ranges for forwarding rules. You choose aprefix length for the IPv6 addresses when you create the sub-prefix. Theforwarding rules can only be used for external passthrough Network Load Balancers and external protocolforwarding. Sub-prefixes in this mode can't be further delegated.

• For external subnet ranges(--mode=EXTERNAL_IPV6_SUBNETWORK_CREATION): Sub-prefixes that you can useas a source of GUAs forexternalsubnet ranges. BYOIP-provided external subnet ranges can only be used byVM instances. Sub-prefixes in this mode can't be further delegated.

• For internal subnet ranges(--mode=INTERNAL_IPV6_SUBNETWORK_CREATION): Sub-prefixes that you can useas a source of GUAs forinternalsubnet ranges. When assigned to an internal subnet range, GUAs are usedprivately and aren't advertised to the internet. Sub-prefixes in this modecan't be further delegated.

The different modes support different prefix sizes and IPv6 access types. Formore information, see the following section.

Sub-prefix mode configuration

The following table describesthe configuration settings and requirements for each sub-prefix mode.

Sub-prefix delegation

IPv6 sub-prefixes that are in delegation mode can be sub-delegatedinto smaller sub-prefixes. This lets you assign the address blocks to differentprojects or regions. When you sub-delegate a sub-prefix, the following applies:

• A public delegated prefix can besub-delegatedup to three times from a public advertised prefix.
• IPv6 sub-prefixes can only be sub-delegated if they are in delegation mode.
• Public delegated prefixes and sub-prefixes inherit theaccess type that you specifywhen you create a parent public advertised prefix.
• The prefix length of a delegation mode sub-prefix affects thepossible modes of its child sub-prefixes. This is because a childsub-prefix must have a prefix length that is valid for its mode, andthe prefix length must be the same size as or smaller than its parent.

The following example demonstrates a multi-level delegation. Each step adheresto the prefix length and mode restrictions that are detailed in the sub-prefixmode table. If you have an external access public advertised prefixwith IP address range2001:db8::/32, you might do the following:

1. From the parent public advertised prefix, you can create one or moretop-level public delegated prefixes. A top-level public delegated prefixcan be the same size or smaller than its parent public advertised prefix,and it must be in delegation mode. For this example, the entire IP addressrange of the parent prefix is delegated (2001:db8::/32).

2. From the top-level public delegated prefix, you can create one or moresub-prefixes. A sub-prefix can be the same size as or smaller than itsparent public delegated prefix, and it can be in any mode that's compatiblewith its access type. For this example, another delegation modesub-prefix is created with IP address range2001:db8::/48.

3. From the previous sub-prefix, you can create one or more sub-prefixes. Tomake the IP addresses available for resources, these prefixes must be in anon-delegation mode such as forwarding rule or subnet creation mode.For this example, two sub-prefixes are created: onefor external subnet ranges with IP address range2001:db8:0:0::/56 andone for external forwarding rules with IP address range2001:db8:1:0::/64.

At this point, you can't further divide the sub-prefixes that use the2001:db8:0:0::/56 or2001:db8:1:0::/64 ranges. A sub-prefix can't bedivided if it's in a non-delegation mode or if it already has three levelsof delegation from its parent public advertised prefix. In this example,both conditions are true.

Before you begin

1. Create an IPv6public advertised prefix.
2. Create an IPv6public delegated prefix.

Roles

To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you theCompute Public IP Admin (roles/compute.publicIpAdmin) IAM role on your project. For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

Create IPv6 sub-prefixes

When you create an IPv6 sub-prefix, all IP addresses in the sub-prefix are madeavailable; there is no reserved network address or broadcast address.

You can't change the mode of a sub-prefix. If needed, you candelete it and then recreateit. Before you can delete a sub-prefix, it must not be in use by anyresources.

You can't edit a sub-prefix to change its name. As a best practice,choose generic names that don't need to change—for example,sub-2001-db8-0-0-0-0-0-0-40, wheresub denotes the resource type and2001-db8-0-0-0-0-0-0-40 denotes the specific prefix and prefix length.

gcloud compute public-delegated-prefixes createSUB_PREFIX_NAME \    --range=SUB_PREFIX_RANGE \    --mode=MODE \    --public-delegated-prefix=PDP_NAME \    --region=PDP_REGION \    --project=PROJECT_ID \    [--allocatable-prefix-length=PREFIX_LENGTH]

Assign IPv6 subnet ranges

You can assign external or internalIPv6 subnet ranges by using sub-prefixes.IPv6 subnet ranges that are created from a sub-prefix use global unicastaddresses (GUAs). The way that you can use the assigned rangedepends on the access type and mode of the sub-prefix:

• External subnet ranges are assigned fromEXTERNAL_IPV6_SUBNETWORK_CREATION mode sub-prefixes. BYOIP-providedexternal subnet ranges can only beused to reserve static external IP addresses with theVM endpoint type andassign static or ephemeral external addresses to VM instances.

• Internal subnet ranges are assigned fromINTERNAL_IPV6_SUBNETWORK_CREATION mode sub-prefixes. BYOIP-providedinternal subnet ranges are configured with privately used GUAsaren't advertised to the internet. The addresses can be used in the same wayas a Google-provided ULA internal subnet range.

Create subnets with IPv6 BYOIP ranges

When creating a new subnet, you can allocate anIPv6 address range from your sub-prefix.

gcloud compute networks subnets createSUBNET \    --network=NETWORK \    --stack-type=STACK_TYPE \    --ipv6-access-type=ACCESS_TYPE \    --region=REGION \    --ip-collection=PDP_NAME \    {--external-ipv6-prefix=EXTERNAL_IPV6_RANGE | --internal-ipv6-prefix=INTERNAL_IPV6_RANGE}    [--range=PRIMARY_IPv4_RANGE]

Add an IPv6 BYOIP range to an IPv4-only subnet

You can change an IPv4-only subnet into a dual-stack subnet that uses anIPv6 address range from a sub-prefix.

gcloud compute networks subnets updateSUBNET \    --ipv6-access-type=ACCESS_TYPE \    --stack-type=IPV4_IPV6 \    --ip-collection=PDP_NAME \    --region=REGION \    {--external-ipv6-prefix=EXTERNAL_IPV6_RANGE | --internal-ipv6-prefix=INTERNAL_IPV6_RANGE}

Deploy resources in subnets with IPv6 BYOIP ranges

After you create or update a subnet with a BYOIP-provided range, you candeploy resources that use the range's IP addresses.

For general information about assigning static and ephemeral IPv6 addressesto instances, seeConfigure IPv6 addresses for instances.

For information about assigning static external IPv6 addressesto VM instances, see the following:

• Reserve static external IPv6 addresses
• Configure static external IPv6 addresses

For information about assigning internal IPv6 addresses to VM instances orforwarding rules, see the following:

• Internal forwarding rules
• Reserve static internal IPv6 addresses
• Configure static internal IPv6 addresses

Create external forwarding rules

You can use a sub-prefix that is inEXTERNAL_IPV6_FORWARDING_RULE_CREATIONmode to create forwarding rules with regional external IPv6 address ranges.The forwarding rules can only be used forexternal passthrough Network Load Balancers andexternal protocol forwarding.

For more information, see the following:

• Create a BYOIP forwarding rule for an external passthrough Network Load Balancer with a backendservice
• Create a BYOIP forwarding rule for an external passthrough Network Load Balancer for multiple IPprotocols
• Create a BYOIP forwarding rule for an external passthrough Network Load Balancer with zonalNEGs

List prefixes

You can list all public advertised prefixes and public delegated prefixes(including sub-prefixes) in a project.

gcloud compute public-delegated-prefixes list

What's next

• Manage BGP announcement (v2)