Multiple network interfaces

This page provides an overview of multiple network interfaces forCompute Engine VM instances. Instances with multiple network interfacesare referred to asmulti-NIC instances.

An instance always has at least one virtual network interface (vNIC).Depending on the machine type, you can configure additional network interfaces.

Use cases

Multi-NIC instances are useful in the following scenarios:

• To connect to resources in separate VPC networks: multi-NICinstances can connect to resources located in different VPC networksthat aren't connected to each other through VPC Network Peeringor Network Connectivity Center.

  • Because each interface of a multi-NIC instance is in a separateVPC network, you can use each interface for a uniquepurpose. For example, you can use some interfaces to route packetsbetween VPC networks that carry production traffic andanother interface for management or configuration purposes.

  • Within the guest OS of each multi-NIC instance, you must configureroute policies and local route tables.

• Routing packets between VPC networks: multi-NIC instances can beused as next hops for routes to connect two or more VPCnetworks.

  • Software running within the guest OS of a multi-NIC instance can perform packetinspection, network address translation (NAT), or another network securityfunction.

  • When connecting VPC networks using multi-NIC instances, it's abest practice to configure two or more multi-NIC instances, using themas backends for an internal passthrough Network Load Balancer in each VPC network.For more information, seeUsecasesin the Internal passthrough Network Load Balancers as next hops documentation.

You can also use multi-NIC instances withPrivate Service Connect interfacesto connect service producer and consumer networks in different projects.

Network interface types

Google Cloud supports the following types of network interfaces:

• vNICs: the virtual network interfaces of Compute Engine instances.Each instance must have at least one vNIC. vNICs in regular VPCnetworks can be eitherGVNIC,VIRTIO_NET, orIDPF. You can onlyconfigure vNICs when creating an instance.

• Dynamic NICs:a child interface of a parent vNIC. You can configureDynamic NICs when you create an instance, or add them later.For more information, seeDynamic NICs.

You can also configure multi-NIC instances using machine types thatinclude RDMA network interfaces (IRDMAorMRDMA), which must beattached to a VPC network with anRDMA network profile. Othernetwork interface types, including Dynamic NICs, aren'tsupported in VPC networks with an RDMA network profile.

Specifications

The following specifications apply to instances with multiple network interfaces:

• Instances and network interfaces: every instance has anic0 interface.Themaximum number of network interfaces varies dependingon the instance's machine type.

  • Each interface has an associated stack type, which determines the supportedsubnet stack types and IP address versions. For more information, seeStack type and IP addresses.

• Unique network for each network interface: except for VPCnetworks that are created with anRDMA networkprofile, each network interface must use asubnet in a unique VPC network.

  • For VPC networks created with an RDMA network profile,multiple RDMA NICs can use the same VPC network, as long aseach RDMA NIC uses a unique subnet.

  • A VPC network and subnet must exist before you can createan instance whose network interface uses the network and subnet. For moreinformation about creating networks and subnets, seeCreate and manageVPCnetworks.

• Project of instance and subnets: for multi-NIC instances in standalone projects,each network interface must use a subnet located in the same project asthe instance.

  • For instances in Shared VPC host or service projects, seeShared VPC.

  • Private Service Connectinterfaces provide away for a multi-NIC instance to have network interfaces in subnetsin different projects. For more information, seeAbout networkattachments.

• IP forwarding, MTU, and routing considerations: multi-NIC instances requirecareful planning for the following instance and interface specific configurationoptions:

  • The IP forwarding option is configurable on a per instance basis, applyingto all network interfaces. For more information, seeEnable IP forwardingfor instances.

  • Each network interface can use a unique maximum transmission unit (MTU),matching the MTU of the associated VPC network. For moreinformation, seeMaximum transmission unit.

  • Each instance receives a default route using DHCP Option 121, as defined byRFC3442. The default routeis associated withnic0. Unless manually configured otherwise, anytraffic leaving an instance for any destination other than a directlyconnected subnet will leave the instance using the default route onnic0.

    On Linux systems, you can configure customrules and routes within the guest OS using the/etc/iproute2/rt_tablesfile and theip rule andip route commands. For more information,consult the guest OS documentation. For an example,see the following tutorial:Configure routing for an additional interface.

Dynamic NICs

If your use case requires any of the following, use Dynamic NICs.Ensure that you also review theproperties andlimitations of Dynamic NICs.

• You need to add or remove network interfaces to or from existing instances.Adding or removing Dynamic NICs doesn't requirerestarting or recreating the instance.

• You need more network interfaces. The maximum number of vNICs for mostmachine types in Google Cloud is 10; however, you can configure upto 16 total interfaces by using Dynamic NICs.For more information, seeMaximum number of network interfaces.

• You need to configure multi-NIC Compute Enginebare metal instances, which only have one vNIC.

Properties of Dynamic NICs

See the following information about the properties of Dynamic NICs:

• Dynamic NICs are VLAN interfaces that use theIEEE 802.1Q standard packet format. See the following considerations:

  • The VLAN ID of a Dynamic NIC must be an integer from 2 to 255.
  • The VLAN ID of a Dynamic NIC must be unique within a parent vNIC. However, Dynamic NICs that belong to different parent vNICs can use the same VLAN ID.

• Google Cloud uses the following format for the name of a Dynamic NIC:nicNUMBER.VLAN_ID, where

  • nicNUMBER is the name of the parent vNIC, such asnic0.
  • VLAN_ID is the VLAN ID that you set, such as4.

  An example Dynamic NIC name isnic0.4.

• Creating an instance with Dynamic NICs or adding Dynamic NICsto an existing instance requires additional steps to install and manage thecorresponding VLAN interfaces in the guest OS. You can use one of thefollowing methods:

  • Configure automatic management of Dynamic NICs byusing the guest agent.

  • Configure the guest OS manually.

  For more information, seeConfigure the guest OS for Dynamic NICs.

• Dynamic NICs share the bandwidth of their parent vNIC.To prevent any of the network interfaces from consuming all of the bandwidth,you must create an application-specific traffic policy in the guest OS toprioritize or distribute traffic, such as by using Linux Traffic Control (TC).

• Dynamic NICs share the samereceive and transmit queuesas their parent vNIC. To configure a network interface to use different receive andtransmit queues, use vNICs instead of Dynamic NICs.

• Thestack type of a Dynamic NIC can be the sameas or different than its parent vNIC. For example, you can create IPv6-onlyand dual-stack Dynamic NICs under an IPv4-only parent vNIC.

Limitations of Dynamic NICs

See the following limitations of Dynamic NICs:

• You can't modify the following properties of a Dynamic NICafter it is created:

  • The parent vNIC to which the Dynamic NIC belongs.
  • The VLAN ID of the Dynamic NIC.

• Dynamic NICs don't support the following:

  • Advanced network DDoS protectionandnetwork edge security policiesfor Google Cloud Armor
  • Configuring IP addresses by usingper-instance configurations for MIGs.
  • Features that rely on packet intercept,such asfirewall endpoints
  • Compute Engine Windows drivers

• Forthird generation VMs,a Dynamic NIC with a VLAN ID of255 can'taccess theMetadata server IP address.If you need to access the metadata server, ensure that you use a differentVLAN ID.

• Dynamic NICs aren't supported for use withGPU instances. For more information, seeCreation errors and decreased performance when using Dynamic NICs with GPU instances.

Stack types and IP addresses

When you create a network interface, you specify one of the followinginterfacestack types:

• IPv4-only
• Dual-stack
• IPv6-only

A VM instance can have network interfaces that have different stack types.

The following table describes supported subnet stack types and IP addressdetails for each interface stack type:

Changing network interface stack type

You canchange the stacktype ofa network interface as follows:

• You can convert an IPv4-only interface to dual-stack if theinterface's subnet is a dual-stack subnet or if you stop the instance andassign the interface to a dual-stack subnet.

• You can convert a dual-stack interface to IPv4-only.

You can't change the stack type of an IPv6-only interface. IPv6-onlyinterfaces are only supported when creating instances.

IPv4 address details

Each IPv4-only or dual-stack network interface receives a primary internal IPv4address. Each interface optionally supports alias IP ranges and an external IPv4address. The following are the IPv4 specifications and requirements:

• Primary internal IPv4 address: Compute Engine assigns the networkinterface a primary internal IPv4 address from the primary IPv4 address rangeof the interface's subnet. The primary internal IPv4 address is allocated byDHCP.

  • You can control which primary internal IPv4 address is assigned byconfiguring a static internal IPv4addressor by specifying a custom ephemeral internal IPv4 address.

  • Within a VPC network, the primary internal IPv4 address ofeach VM network interface is unique.

• Alias IP ranges: optionally, you can assign the interface one or morealias IP ranges. Each alias IP range can come from either the primary IPv4address range or a secondary IPv4 address range of the interface's subnet.

  • Within a VPC network, each interface's alias IP range mustbe unique.

• External IPv4 address: optionally, you can assign the interface anephemeral or reserved external IPv4 address. Google Cloud ensures theuniqueness of each external IPv4 address.

IPv6 address details

Compute Engine assigns each dual-stack or IPv6-only network interfacea/96 IPv6 address range from the/64 IPv6 address range of the interface's subnet:

• Whether the/96 IPv6 address range is internal or external depends on theIPv6 access type of the interface's subnet. Google Cloud ensures theuniqueness of each internal and external IPv6 address range. For moreinformation, seeIPv6specifications.

  • If an instance needs both an internal IPv6 address range and an externalIPv6 address range: you must configure two dual-stack interfaces, twoIPv6-only interfaces, or one dual-stack interface and one IPv6-onlyinterface. The subnet used by one interface must have an external IPv6address range, and the subnet used by the other interface must have aninternal IPv6 address range.

• The first IPv6 address (/128) is configured on the interface by DHCP.For more information, seeIPv6 addressassignment.

• You can control which/96 IPv6 address range is assigned by configuring astaticinternalorexternalIPv6 address range. For internal IPv6 addresses, you can specify a customephemeral internal IPv6 address.

If you are connecting an instance to multiple networks by using IPv6addresses, installgoogle-guest-agent version20220603.00or later. For more information, seeI can't connect to a secondary interface'sIPv6 address.

Maximum number of network interfaces

For most machine types, the maximum number of network interfaces that you canattach to an instance scales with the number of vCPUs as described in thefollowing tables.

The following are machine-specific exceptions:

• Compute Engine bare metal instances support a single vNIC.

• The maximum number of vNICs is different for some accelerator optimized machine types, such as A3, A4, and A4X.For more information, seeAccelerator-optimized machine family.

Example distributions of Dynamic NICs

You don't have to distribute Dynamic NICs evenly acrossvNICs. However, you might want an even distribution becauseDynamic NICs share the bandwidth of their parent vNIC.

An instance must have at least one vNIC. For example, an instance that has2 vCPUs can have one of the following configurations:

• 1 vNIC
• 2 vNICs
• 1 vNIC and 1 Dynamic NIC

The following tables provide example configurations that evenly distributeDynamic NICs across vNICs while using the maximum numberof network interfaces for a given number of vCPU.

Product interactions

This section describes interactions between multi-NIC instances and other productsand features in Google Cloud.

Shared VPC

Except for Private Service Connect interfaces, the subnet andproject relationship of a multi-NIC instance in a Shared VPC host orservice project is as follows:

• Each network interface of a multi-NIC instance located in aShared VPC host project must use a subnet of a Shared VPCnetwork in the host project.

• Each network interface of a multi-NIC instance located in a Shared VPCservice project can use either of the following:

  • A subnet of a VPC network in the service project.
  • A subnet of a Shared VPC network in the host project.

For more information about Shared VPC, see:

• Shared VPC overview
• Provision Shared VPC

Compute Engine internal DNS

Compute Engine creates internal DNS name A and PTR records only forthe primary internal IPv4 address of thenic0 network interface of aninstance. Compute Enginedoesn't create internal DNS records for anyIPv4 or IPv6 address associated with a network interface different fromnic0.

For more information, seeCompute Engine internal DNS.

Static routes

Static routes can be scoped to specific instancesby usingnetwork tags. When a network tagis associated with an instance, the tag applies toall network interfaces ofthe instance. Consequently, adding a network tag to or removing a network tagfrom an instance might change which static routes apply toany of the instance'snetwork interfaces.

Load balancers

Instance group backends and zonal NEG backends each have an associatedVPC network as follows:

• For managed instance groups (MIGs), the VPC network for theinstance group is the VPC network assigned to thenic0interface in the instance template.

• For unmanaged instance groups, the VPC network for the instancegroup is the VPC network used by thenic0 network interfaceof the first instance that you add to the unmanaged instance group.

The following table shows which backends support distributing connections orrequests to any network interface.

Target pool-based External passthrough Network Load Balancers don't use instance groups or NEGs andonly support load balancing tonic0 network interfaces.

Firewall rules

The set of firewall rules—fromhierarchical firewallpolicies,global network firewallpolicies,regional network firewallpolicies, andVPCfirewall rules—are unique to each networkinterface. Ensure that each network has appropriate firewall rules to allow thetraffic that you want to allow to and from a multi-NIC instance. To determine which firewall rules apply to a network interface, andthe source for each rule, seeGet effective firewall rules for a VMinterface.

Firewall rules can be scoped to specific VM instances by using network tags orsecure tags, both of which apply to all network interfaces of an instance. Formore information, seeComparison of secure tags and network tags.

Known issues

This section describes known issues related to using multiple network interfacesin Google Cloud.

Creation errors and decreased performance when using Dynamic NICs with GPU instances

Dynamic NICsaren't supported for use with GPU instances. If you create a GPU instance withDynamic NICs, or add Dynamic NICs to an existingGPU instance, the following issues might occur:

• The operation fails with an error such as the following:

  Internal error. Please try again or contact Google Support. (Code: 'CODE')

• The operation succeeds, but the instance experiences decreased performance,such as significantly lowernetwork bandwidth.

These issues occur because the Dynamic NIC configuration leadsto errors when Compute Engine attempts to distribute the instance'svNICs across physical NICs on the host server.

Issues with installation and management of Dynamic NICs in guest agent versions 20250901.00 to 20251120.01

If youconfigure automatic management of Dynamic NICsand your instance is running the guest agent at a version from20250901.00 to 20251120.01, you might encounter the following issues:

• The guest agent fails to install and manage Dynamic NICs in theguest OS of your instance.

  You might receive an error that includesCannot find device when runningcommands in the guest OS that reference Dynamic NICs.

• Deleting multiple Dynamic NICs causes themetadata server to become inaccessible.

Root cause

Starting with version20250901.00, theguest agent migrated to a newplugin-based architecture to improve modularity. The new architecture didn'tinitially support the automatic installation and management ofDynamic NICs.

Resolution

To resolve these issues, update your instance to use guest agent version20251205.00 or later:

1. To update the guest agent to the latest version, seeUpdate the guest environment.
2. To confirm the guest agent version that your instance is running,seeView installed packages by operating system version.

If necessary, you can temporarily work around these issues for instances that arerunning guest agent versions 20250901.00 to 20251120.01 by following theinstructions inBackward compatibilityto revert to the previous guest agent architecture.

What's next

• Create VMs with multiple network interfaces