Create and use IPv6 sub-prefixes

This page describes how to divide your IPv6 public delegated prefix intosub-prefixes that you can assign to resources in specific projects. You can useIP addresses from an IPv6 sub-prefix to create forwarding rules forexternal passthrough Network Load Balancers or subnets that can only host virtual machine (VM) instances.

There are three types or modes for sub-prefixes. A sub-prefix's mode determineshow you can use its IP address range:

  • For further delegation: Sub-prefixes that you can further divideinto smaller sub-prefixes (--mode=DELEGATION).

  • For forwarding rules: Sub-prefixes that you can use as a sourceof regional external IPv6 addresses for forwarding rules(--mode=EXTERNAL_IPV6_FORWARDING_RULE_CREATION). You choose aprefix length for the IPv6 addresses at the time that you create thesub-prefix. The forwarding rules can only be used forexternal passthrough Network Load Balancers and external protocol forwarding.

  • For subnets: Sub-prefixes that you can use as a source ofregional external IPv6 address ranges for subnets(--mode=EXTERNAL_IPV6_SUBNETWORK_CREATION). IP addresses insubnets that you create with these sub-prefixes can only be used byVM instances.

IPv6 sub-prefix specifications

A sub-prefix is a public delegated prefix that has a public delegated prefixparent.

You can't change the mode of a sub-prefix. If needed, you candeleteit and then recreate it. Before youcan delete a sub-prefix, it must not be in use by any resources.

A public delegated prefix can besub-delegated upto three times from a public advertised prefix.

All IP addresses in the sub-prefix are made available; there is no reservednetwork address or broadcast address.

You can't edit a sub-prefix to change its name. As a best practice, choosegeneric names that won't need to change—for example,sub-2001-db8-0-0-0-0-0-0-40, wheresub denotes the resource type and2001-db8-0-0-0-0-0-0-40 denotes the specific prefix and prefix length.

The following table describes additional specifications for creatingIPv6 sub-prefixes.

ConfigurationRegional (v2)
Public advertised prefixMinimum size (maximum prefix length) is/48
Public delegated prefix

(top level, not sub-prefix)

Can be the same size or smaller (have a longer prefix length) than the parent public advertised prefix

Valid lengths:/32,/40,/48, or/56

The difference between the prefix length of a top level public delegated prefix and its parent public advertised prefix can't be greater than 24

Sub-prefix

Can be the same size or smaller (have a longer prefix length) than the parent public delegated prefix

Valid lengths:

  • Delegation or forwarding rule creation mode:/32,/40,/48,/56,/64, or/72
  • Subnetwork creation mode:/32,/40,/48, or/56
  • Parent of subnet creation mode sub-prefix:/32,/40,/48, or/56

The difference between the prefix length of a sub-prefix and its parent public delegated prefix can't be greater than 24

Allocatable prefix length for forwarding rules

Determines the prefix length for IPv6 address ranges that are used by forwarding rules

Specified by theAllocatable prefix length field when creating an IPv6 sub-prefix for forwarding rules

Must be smaller than the associated sub-prefix—the difference between the allocatable prefix length and the sub-prefix length must be at least 8, and can't be greater than 32

Valid lengths:/48,/56,/64,/72,/80,/88,/96

Default lengths:

  • If the parent sub-prefix's length is/64 or/72, the default allocatable prefix length is/96
  • Otherwise, the default allocatable prefix length is/64

Before you begin

  1. Create an IPv6public advertised prefix.
  2. Create an IPv6public delegated prefix.

Roles

To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you theCompute Public IP Admin (roles/compute.publicIpAdmin) IAM role on your project. For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

Create IPv6 sub-prefixes for further delegation

IPv6 sub-prefixes that are in delegation mode can be sub-delegated into smallersub-prefixes. IPv6 sub-prefixes in other modes can't be further divided.

A public delegated prefix can be sub-delegated up to three times froma public advertised prefix. For example, if you have a public advertised prefixwith IP address range2001:db8::/32, you can do the following:

  • Create a public delegated prefix in delegation mode with IP address range2001:db8::/40, with the public advertised prefix as a parent.
  • Create a sub-prefix in delegation mode with IP address range2001:db8::/48that has the previous public delegated prefix as its parent.

  • Create a sub-prefix in forwarding rule or subnet creation mode with IPaddress range2001:db8::/56 that has the previous sub-prefix as itsparent.

    At this point, you cannot create further sub-prefixes that have the2001:db8::/56 sub-prefix as a parent.

The prefix length of a delegation mode sub-prefixdetermines the possible modesof child sub-prefixes.

Console

  1. In the Google Cloud console, go toBring your own IP.

    Go to Bring your own IP

  2. Click the public delegated prefix that you want to subdivide.

  3. ClickCreate sub-prefix.

  4. Enter a name and optional description for the sub-prefix.

  5. In thePrefix length list, select a prefix length for thesub-prefix.

  6. Enter an IPv6 address range to assign to the sub-prefix.

  7. In theHow this PDP will be used section, selectSubdivide into smaller PDPs.

  8. In theProject menu, select the project that you want to use thesub-prefix in.

  9. ClickCreate.

gcloud

To create a sub-prefix for further delegation, use thegcloud compute public-delegated-prefixes create command.

gcloud compute public-delegated-prefixes createSUB_PREFIX_NAME \    --range=SUB_PREFIX_RANGE \    --mode=DELEGATION \    --public-delegated-prefix=PDP_NAME \    --region=PDP_REGION \    --project=PROJECT_ID

Replace the following:

  • SUB_PREFIX_NAME: a name for this sub-prefix

  • SUB_PREFIX_RANGE: the IP address range for thissub-prefix

  • PDP_NAME: the parent public delegated prefix ofthis sub-prefix

  • PDP_REGION: the region for this sub-prefix

  • PROJECT_ID: the project to delegate the sub-prefixto

    If the--delegatee-project flag is omitted, the sub-prefix iscreated in the same project as the parent public delegated prefix.

Create forwarding rules by using IPv6 sub-prefixes

To create forwarding rules with regional external IPv6 address ranges that areallocated from IPv6 sub-prefixes, do the following. The forwarding rules canonly be used forexternal passthrough Network Load Balancers andexternal protocol forwarding.

Create an IPv6 sub-prefix for forwarding rules

Create a sub-prefix in forwarding rule creation mode that uses the IP addressrange that you want to use for forwarding rules. When you create an IPv6sub-prefix for forwarding rules, you can't further sub-divide that prefix.

Console

  1. In the Google Cloud console, go toBring your own IP.

    Go to Bring your own IP

  2. Click the public delegated prefix that you want to subdivide.

  3. ClickCreate sub-prefix.

  4. Enter a name and optional description for the sub-prefix.

  5. In thePrefix length list, select aPrefix length for thesub-prefix.

  6. Enter an IPv6 address range to assign to the sub-prefix.

  7. In theHow this PDP will be used section, selectAllocate IPv6 address ranges for use.

  8. In theAllocate to list, selectNetwork Load Balancer forwarding rule.

  9. In theAllocatable prefix length list, select a prefix length forIPv6 address ranges of forwarding rules that are created from thissub-prefix.

  10. In theProject list, select the project that you want to use thesub-prefix in.

  11. ClickCreate.

gcloud

To create a sub-prefix to use for creating forwarding rules, use thegcloud compute public-delegated-prefixes create command.

gcloud compute public-delegated-prefixes createSUB_PREFIX_NAME \    --range=SUB_PREFIX_RANGE \    --mode=EXTERNAL_IPV6_FORWARDING_RULE_CREATION \    --allocatable-prefix-length=PREFIX_LENGTH \    --public-delegated-prefix=PDP_NAME \    --region=PDP_REGION \    --project=PROJECT_ID

Replace the following:

  • SUB_PREFIX_NAME: a name for this sub-prefix

  • SUB_PREFIX_RANGE: the IP address range for thissub-prefix

  • PREFIX_LENGTH: the prefix length for the IPv6 addressranges that are used by forwarding rules

    The default and possible values depend on the prefix length ofSUB_PREFIX_RANGE. For moreinformation, seeAllocatable prefix length for forwarding rules.

  • PDP_NAME: the parent public delegated prefix of thissub-prefix

  • PDP_REGION: the region for this sub-prefix

  • PROJECT_ID: the project to delegate the sub-prefixto

    If the--delegatee-project flag is omitted, the sub-prefix iscreated in the same project as the parent public delegated prefix.

Create forwarding rules for external passthrough Network Load Balancers

To create forwarding rules that use IPv6 address ranges from your sub-prefix,do any of the following:

Create and update subnets by using IPv6 sub-prefixes

To create or update subnets with external IPv6 address ranges that areallocated from IPv6 sub-prefixes, do the following. Subnet external addressranges that are allocated from IPv6 sub-prefixes can only be used to host VMinstances orreserve static regional external IPv6 addresseswith the VM endpoint type.

Create IPv6 sub-prefixes for subnets

Create a sub-prefix in subnet creation mode that uses the IP addressrange that you want to use for subnets. When you create an IPv6sub-prefix for subnets, you can't further sub-divide that prefix.

Console

  1. In the Google Cloud console, go toBring your own IP.

    Go to Bring your own IP

  2. Click the public delegated prefix that you want to subdivide.

  3. ClickCreate sub-prefix.

  4. Enter aName and optionalDescription for the sub-prefix.

  5. Select aPrefix length for the sub-prefix.

  6. InIPv6 range, enter an IPv6 address range to assign to thesub-prefix.

  7. In theHow this PDP will be used section, selectAllocate IPv6 address ranges for use.

  8. In theAllocate to list, selectExternal subnet range for VMs.

  9. InProject, select the project that you want to use the sub-prefixin.

  10. ClickCreate.

gcloud

To create a sub-prefix to use for creating subnets, use thegcloud compute public-delegated-prefixes create command.

gcloud compute public-delegated-prefixes createSUB_PREFIX_NAME \    --range=SUB_PREFIX_RANGE \    --mode=EXTERNAL_IPV6_SUBNETWORK_CREATION \    --public-delegated-prefix=PDP_NAME \    --region=PDP_REGION \    --project=PROJECT_ID

Replace the following:

  • SUB_PREFIX_NAME: a name for this sub-prefix

  • SUB_PREFIX_RANGE: the IP address range for thissub-prefix

  • PDP_NAME: the parent public delegated prefix of thissub-prefix

  • PDP_REGION: the region for this sub-prefix

  • PROJECT_ID: the project to delegate the sub-prefixto

    If the--delegatee-project flag is omitted, the sub-prefix iscreated in the same project as the parent public delegated prefix.

Create subnets for VM instances

Create a dual-stack or IPv6-only subnet that uses an IP address range from yourIPv6 sub-prefix. Subnet external addressranges that are allocated from IPv6 sub-prefixes can only be used to host VMinstances orreserve static regional external IPv6 addresseswith the VM endpoint type.

Console

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. To view theVPC network details page, click the name of a VPC network.

  3. On theSubnets tab, clickAdd subnet.In the panel that appears:

    1. Provide a name.
    2. Select a region.
    3. ForIP stack type, select eitherIPv4 and IPv6 (dual-stack)orIPv6 (single-stack).
    4. If you are creating a dual-stack subnet, enter an IPv4 range.
    5. In theIPv6 access type menu, selectExternal.
    6. Select theFrom PDP checkbox.
    7. In thePDP list, select the sub-prefix to use for allocating IPaddresses to the subnet.
    8. ClickAdd.

gcloud

To create a dual-stack or IPv6-only subnet by using an IPv6sub-prefix, use thegcloud compute networks subnets create command.

gcloud compute networks subnets createSUBNET \    --network=NETWORK \    --stack-type=STACK_TYPE \    --ipv6-access-type=EXTERNAL \    --region=REGION \    --ip-collection=PDP_NAME \    [--external-ipv6-prefix=IPV6_CIDR_RANGE] \    [--range=PRIMARY_IPv4_RANGE]

Replace the following:

  • SUBNET: a name for the new subnet
  • NETWORK: the name of the VPC networkthat will contain the new subnet

  • STACK_TYPE: the subnet's stack type

    The stack type can beIPV4_IPV6 orIPV6_ONLY. If you useIPV4_IPV6, you must specifya primary IPv4 range by using the--range flag.

  • REGION: the Google Cloud region in which the newsubnet will be created, which must be the same region as this subnet'ssub-prefix

  • PDP_NAME: the name of an IPv6 sub-prefix inEXTERNAL_IPV6_SUBNETWORK_CREATION mode to use for allocating IPaddresses to this subnet

  • IPV6_CIDR_RANGE: an optional /64 external IPv6 CIDRrange to assign to this subnet

    The range must be associated with thesubnet's sub-prefix. If empty, Google Cloud assigns the subnet arandom /64 range from the CIDR block of the associated sub-prefix.

  • PRIMARY_IPv4_RANGE: for dual-stack subnets, theprimary IPv4 range for the new subnet, in CIDR notation

Change an IPv4-only subnet into a dual-stack subnet for VM instances

You can change an IPv4-only subnet into a dual-stack subnet that uses anexternal IPv6 address range from a sub-prefix. Subnet external addressranges that are allocated from IPv6 sub-prefixes can only be used to host VMinstances orreserve static regional external IPv6 addresseswith the VM endpoint type.

Console

  1. In the Google Cloud console, go to theVPC networks page.

    Go to VPC networks

  2. Click the name of the VPC network that contains the subnetto update.

  3. ClickSubnets, and then click the name of the subnet to update.

  4. ClickEdit.

  5. In theIP stack type section, selectIPv4 and IPv6 (dual-stack).

  6. In theIPv6 access type section, selectExternal.

  7. Click theFrom PDP checkbox.

  8. In thePDP list, select the sub-prefix to use for allocating IPaddresses to the subnet.

  9. ClickSave.

gcloud

To change an IPv4-only subnet into a dual-stack subnet that uses an externalIPv6 address range from a sub-prefix, use thegcloud compute networks subnets update command.

gcloud compute networks subnets updateSUBNET \    --ipv6-access-type=EXTERNAL \    --stack-type=IPV4_IPV6 \    --ip-collection=PDP_NAME \    --region=REGION \    [--external-ipv6-prefix=IPV6_CIDR_RANGE]

Replace the following:

  • SUBNET: a name for the new subnet
  • PDP_NAME: the name of an IPv6 sub-prefix inEXTERNAL_IPV6_SUBNETWORK_CREATION mode to use for allocating IPaddresses to this subnet
  • REGION: the Google Cloud region in which the newsubnet will be created, which must be the same region as this subnet'ssub-prefix

  • IPV6_CIDR_RANGE: an optional /64 external IPv6 CIDRrange to assign to this subnet

    The range must be associated with thesubnet's sub-prefix. If empty, Google Cloud assigns the subnet arandom /64 range from the CIDR block of the associated sub-prefix.

List prefixes

You can list all public advertised prefixes and public delegated prefixes(including sub-prefixes) in a project.

Console

  1. In the Google Cloud console, go toBring your own IP.

    Go to Bring your own IP

  2. All public advertised prefixes, public delegated prefixes, andsub-prefixes are displayed.

gcloud

To list public delegated prefixes, including sub-prefixes, use thepublic-delegated-prefixes listcommand.

gcloud compute public-delegated-prefixes list

Create VMs with BYOIP-provided external IPv6 address ranges

After you create a subnet that uses a BYOIP-provided IPv6 range,you can do the following:

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.