Create a public advertised prefix
You can bring your own IP addresses (BYOIP) to Google Cloud. After wevalidate that you own the IP range, and the IP addresses are imported toGoogle Cloud, you can assign them tosupportedresources.
You can import IPv4 and IPv6 address ranges. IPv4addresses can be used with most Google Cloud resources that supportexternal IP addresses. IPv6 addresses can be used with external passthrough Network Load Balancer only. Formore information, seeSupport for BYOIPaddresses.
The first step in using bring your own IP is to create a public advertisedprefix. The following options are available:
| Configuration | Regional (v2) | Regional (v1) | Global (v1) |
|---|---|---|---|
| Availability | Recommended regional configuration | Not recommended for new regional configurations | Mustrequest adding your project to an allowlist |
| Public advertised prefix provisioning time | Approximately 2 weeks | Approximately 4 weeks | Approximately 4 weeks |
| Public delegated prefix provisioning time | A few minutes | 4 weeks Can overlap with public advertised prefix provisioning time | 4 weeks Can overlap with public advertised prefix provisioning time |
| Sub-prefix provisioning time | A few minutes | A few minutes | A few minutes |
| BGP announcement | The public advertised prefix is not automatically announced when it is provisioned. You decide when toannounce or withdraw advertisement. | The public advertised prefix is automatically announced after provisioning completes. | The public advertised prefix is automatically announced after provisioning completes. |
| IP stack |
| IPv4 | IPv4 |
Before you begin
- Bringing your own IP addresses to Google Cloud requires carefulplanning. For more information, seePlanning for bring your own IPaddresses.
- Consider using an organization, and creating a dedicated project formanaging BYOIP addresses. For more information, seeProjectarchitecture.
- Check if any part of the prefix that you want to import is already publiclyadvertised. If it is, you must make sure that Google Cloud does notadvertise it while it is being advertised from another source:
- If you are creating a v2 public advertised prefix for regionaladdresses, you havecontrol over the announcement of theprefix. You can create the publicadvertised prefix and public delegated prefixes, but you must ensure theprefix is not advertised anywhere else before you announce it fromGoogle Cloud.
- If you are creating a v1 public advertised prefix for global addresses,the prefix is automatically announced as soon as public delegatedprefix provisioning is complete. Don't create public delegated prefixesuntil the prefix is no longer being announced from another source.
Roles
To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you theCompute Public IP Admin (roles/compute.publicIpAdmin) IAM role on your project. For more information about granting roles, seeManage access to projects, folders, and organizations.
You might also be able to get the required permissions throughcustom roles or otherpredefined roles.
Validate ownership of your prefix
When you create a public advertised prefix, you complete two tasks whichtogether let Google Cloud validate that you own this prefix:
- Creating a Route Origin Authorization (ROA) for your prefix.
- Creating a PTR record for an IP address in your prefix.
The details of these validation tasks are outlined in the following sections.
After validation is complete, it takes approximately four weeks for the publicadvertised prefix configuration to complete.
Create a ROA request
To prove that you have ownership of a prefix, create a Route OriginAuthorization (ROA) request.
Submit a ROA request with your regional registry for the prefix that you wantGoogle Cloud to advertise. The request includes the prefix, the prefix length, andthe ASN for Google Cloud:396982.
When you create the public advertised prefix, the ROA for this prefix must existand point to the ASN for Google Cloud and remain in effect for some timeafter you delete the public advertised prefix. For more information, seeRemovea ROA.
We recommend that you submit another ROA request for the same prefix and prefixlength but use your own ASN as the origin. If you ever need to advertise theprefix, the ROA with your ASN prevents networks that use Resource Public KeyInfrastructure (RPKI) from considering the prefix to be invalid because it isalso advertised with the origin ASN for Google Cloud.
Your local regional internet registry processes ROA requests. For moreinformation, see the link for your location:
- AFRINIC (Africa)
- APNIC (Portions of Asia and Oceania)
- ARIN (North America and some Caribbean Islands)
- LACNIC (Latin America)
- RIPE NCC (Europe, Central Asia, Middle East)
Create a public advertised prefix
Warning: Google Cloud does not support overlapping BYOIP routeannouncements. For example, importing203.0.112.0/23 is not supported if203.0.112.0/23 or a subset of this prefix, such as203.0.112.0/24, isadvertised outside Google Cloud. If Google Cloud and another networkadvertise the same route with matching or mismatched prefix lengths, you mightexperience unexpected routing and packet loss.You can create apublic advertised prefix forthe prefix that you want to bring to Google Cloud.
A public advertised prefix name can't be changed without deleting and recreatingthe resource. For this reason, we recommend that you create generic names thatwon't need to change—for example,pap-203-0-113-0-24, wherepapdenotes the resource type and203-0-113-0-24 denotes the specific prefix andprefix length.
If you want to use the public advertised prefix to create global publicdelegated prefixes, your project must be added to an allowlist. For moreinformation, seeGlobal public delegatedprefixes.
Choose an unused IP address for DNS validation. Verification requires that youconfigure a new PTR record for this IP address, and you don't know the hostnameuntil after you create the public advertised prefix.
Console
In the Google Cloud console, go toBring your own IP.
ClickAdd PAP.
ForName, enter a name for the public advertised prefix.
ForDescription, enter an optional description for the publicadvertised prefix.
ForIP version, selectIPv4 orIPv6.
Enter the prefix that you want to import.
If you're importing anIPv4 prefix, select aScope for thepublic advertised prefix:Regional orGlobal.
Note: if theGlobal option is not available, you are not part of theallowlist forglobal public advertisedprefixes.ClickNext.
Review the information that you entered. To confirm that you own thisprefix, clickConfirm.
ForIP address, enter an unused IP address from the prefix that youare adding. This address is used for DNS validation, and in a laterstep, you must create a PTR record for it that uses a hostname providedby Google Cloud.
ClickCreate. TheValidation screen shows you the validationstatus of this request.
gcloud
Use thepublic-advertised-prefixes createcommand.
To create a public advertised prefix (v1) for global addresses, run thefollowing command:
gcloud compute public-advertised-prefixes createPAP_NAME \ --range=PAP_IP_RANGE \ --dns-verification-ip=VERIFICATION_IP_ADDRESS
To create a public advertised prefix (v2) for regional addresses, run thefollowing command:
gcloud compute public-advertised-prefixes createPAP_NAME \ --range=PAP_IP_RANGE \ --pdp-scope=REGIONAL \ --dns-verification-ip=VERIFICATION_IP_ADDRESS
Creating a public advertised prefix (v1) for regional addresses is notrecommended. Create a v2 public advertised prefix instead. If you mustcreate a v1 public advertised prefix for regional addresses, run thefollowing command:
gcloud compute public-advertised-prefixes createPAP_NAME \ --range=PAP_IP_RANGE \ --dns-verification-ip=VERIFICATION_IP_ADDRESS
Replace the following:
PAP_NAME: a name for the public advertised prefixthat you're creating.PAP_IP_RANGE: the IP address range for the publicadvertised prefix. The range can be an IPv4 or IPv6 address range.VERIFICATION_IP_ADDRESS: an unused IP address chosenfrom thePAP_IP_RANGE. This address is used for DNSvalidation, and in a later step, you must create a PTR record for itthat uses a hostname provided by Google Cloud.
Find the name to use for the PTR record
When you create a public advertised prefix, Google Cloud generates a name for you touse as a hostname for the PTR validation step.
Console
In the Google Cloud console, go toBring your own IP.
ClickCheck status for the prefix that you want to update.
The name and IP address to use for PTR validation are displayed in theDNS validation section.
gcloud
To get the name from the
sharedSecretfield, use thepublic-advertised-prefixes describecommand.gcloud compute public-advertised-prefixes describe \PAP_NAME --format='value(sharedSecret)'
If needed, you can retrieve the IP address you provided for DNSvalidation.
gcloud compute public-advertised-prefixes describe \PAP_NAME --format='value(dnsVerificationIp)'
In both commands, replacePAP_NAME with the name of thepublic advertised prefix.
Create the PTR record
To verify that you own the IP address range that you are importing toGoogle Cloud, you must create a public PTR record in the DNS zone that isused for the IP address range that you are importing.
Use the following values in the PTR record:
- IP address: the verification IP address that you used when youcreated thepublic advertised prefix.
- Hostname: thename (
sharedSecret) that Google Cloud provided. - Domain name: the domain name associated with the DNS zone that is used forthe IP address range that you are importing.
Examples:
IPv4: If your verification IP address is
203.0.113.144, and the DNSdomain for203.0.113.0/24isexample.net, and the name provided byGoogle Cloud is55kk88tt00, the required PTR record would look like this:$ dig +noall +answer -x 203.0.113.144144.113.0.203.in-addr.arpa. 21599 IN PTR 55kk88tt00.example.net
IPv6: If your verification IP address is
2001:db8::10, and the DNSdomain for2001:db8::/32isexample.net, and the name provided by Google Cloudis55kk88tt00, the required PTR record would look like this:$ dig +noall +answer -x 2001:db8::100.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa21599 IN PTR 55kk88tt00.example.net.
Validate the PTR record
After you have created the PTR record, update the public advertised prefix totrigger validation of the PTR record.
Console
In the Google Cloud console, go toBring your own IP.
ClickCheck status for the prefix that you want to update.
In theDNS validation section, select theI have created this PTRrecord checkbox and clickValidate.
gcloud
To change the status of the public advertised prefix toPTR-CONFIGURED,use thepublic-advertised-prefixes updatecommand.
The status change triggers validation of the PTR record. If it issuccessful, the status changes toVALIDATED. If it fails, the statuschanges toREVERSE_DNS_LOOKUP_FAILED.
gcloud compute public-advertised-prefixes updatePAP_NAME --status=PTR-CONFIGURED
ReplacePAP_NAME with the public advertised prefix thatyou have created a PTR record for.
Check the status of a public advertised prefix
It takes approximately four weeks for Google Cloud to provision the public advertisedprefix. You can check the status to see if provisioning is complete.
Console
In the Google Cloud console, go toBring your own IP.
ClickCheck status for the prefix that you want to check.
View theValidation section.
gcloud
To describe the public advertised prefix and get its status, use thepublic-advertised-prefixes describecommand.
gcloud compute public-advertised-prefixes describePAP_NAME --format='value(status)'
ReplacePAP_NAME with the public advertised prefix thatyou want to get status information for.
After the prefix is validated, the status field changes fromVALIDATED toPREFIX_CONFIGURATION_COMPLETE.
What's next
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.