Sign in

1. Products
2. Google Cloud Platform
3. Google Compute Engine

Google Compute Engine

Feedback on this document

Instances and Networks

Every instance is assigned to a single network that defines how that instance can communicate with other instances, other networks, or the Internet. Instances do not need to be in the same zone to share a network. By default, all projects have a default network named default . New instances are automatically assigned to this network, which has the following default firewall rules:

• All traffic between all instances in the same network is allowed, over any port and any protocol.
• Incoming ssh connections (port 22) from anywhere are allowed
• Incoming connections to port 3389 for Remote Desktop Protocol (RDP) are allowed

Any other incoming traffic to an instance is blocked, unless you add additional firewalls that allow more connections. Additionally, you can assign arbitrary tags to an instance, such as "frontend" or "sqlserver", and use those as permitted firewall sources/targets. This is a more flexible and scalable system than specifying the source by an IP address. You can assign instance tags when you create your instance using the --tag flag.

For more information about networks, see Networks and Firewalls .

Contents

Instance IP Addresses

Instances support one or two IP addresses: a required network address, which is used for communicating within the network, and an optional external IP address, which is used to communicate with callers outside the network. Addresses can be assigned at instance creation time or after an instance has been created. Refer to Assigning IP Addresses to Existing Instances to see how to assign external IP addresses after the instance has been created.

You can see the network and external IP addresses assigned to your instances by calling gcloud compute instances list or gcloud compute instances describe .

Instances can address each other by network or external address, or by instance name (DNS). Here is a comparison of these three techniques:

• By instance name - The network resolves an instance name to a network address for instances within that network. Addressing by instance names rather than network address is useful because network addresses can change each time an instance is deleted and recreated. Also, communication is free between instances in the same zone . However, instance names are addressable only within the same network, or when calling gcloud compute ssh from your local computer.
• By network address - You can address packets to an instance by the network (internal IP) address, but network addresses can change when an instance is restarted, unless you explicitly assign a network address to your instance. The network address is only addressable from another computer within the same network. For more information, see Network Addresses .
• By external IP address - Only use an external IP address if you must communicate with an instance on another network. Packets sent to an instance using an external address are billed as external traffic, even if the sender is in the same network. For more information, see External IP Addresses .

The following example demonstrates how to use gcloud compute ssh and ping to address your instances by instance name, external IP address, and network IP address.

1. List your instances.

   $ gcloud compute instances list
   NAME          ZONE                 MACHINE_TYPE         INTERNAL_IP    EXTERNAL_IP     STATUS
   instance-2    us-central1-a        n1-standard-1        10.181.215.203 146.148.32.59   RUNNING
   instance-1    us-central1-a        n1-standard-1        10.203.133.172 146.148.41.156  RUNNING
   www3          us-central1-a        g1-small             10.107.49.46   107.178.218.245 RUNNING
   

2. Ping your instance by external address to confirm that it is up and running.

   $ ping -c 1 146.148.41.156
   PING 146.148.41.156 56(84) bytes of data.
   64 bytes from 203.135.113.022: icmp_seq=1 ttl=55 time=17.5 ms
   
   --- 146.148.41.156 ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 17.568/17.568/17.568/0.000 ms
   

3. ssh into the instance.

   $ gcloud compute ssh instance-1
   Welcome to GCE Linux 12.04 LTS (...)
   Running a Google Compute Engine VM Instance
    * Documentation: https://developers.google.com/compute/
    * You are running on an EPHEMERAL root disk, which is NOT PERSISTENT.
      For persistent data, use Persistent Disks:
        https://developers.google.com/compute/docs/disks#persistentdisks
   
   The programs included with this system are free software;
   the exact distribution terms for each program are described in the
   individual files in /usr/share/doc/*/copyright.
   
   This software comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
   applicable law.
   
   Last login: Tue Aug 30 11:16:43
   ...
   

4. Ping instance-2 from within instance-1, using the instance name.

   user@instance-1:~$ ping -c 1 instance-2
   PING instance-2.my-project.google (10.181.215.203) 56(84) bytes of data.
   64 bytes from instance-2.my-project.google (10.181.215.203): icmp_seq=1 ttl=64 time=1.00 ms
   
   --- instance-2.my-project.google ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 1.005/1.005/1.005/0.000 ms
   

5. You can also ping the instance using the internal network address.

   user@instance-1:~$ ping -c 1 10.181.215.203
   PING 10.181.215.203 56(84) bytes of data.
   64 bytes from 10.181.215.203: icmp_seq=1 ttl=64 time=1.47 ms
   
   --- 10.181.215.203 ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 1.473/1.473/1.473/0.000 ms
   

Network Addresses

Every instance has a network address that is unique to the network. This address is automatically assigned by Google Compute Engine when you create the instance.

Google Compute Engine resolves instance names to network addresses when called within the instance's network. For instance, from a virtual machine running inside Google Compute Engine, you can address other instances using ping, curl, or any other program that expects a DNS name.

Configuring a static network address

Although Compute Engine doesn't allow creating an instance with a user-defined local IP address, you can use a combination of routes and an instance's --can-ip-forward ability to add local IP address as a network static address which then maps to your desired virtual machine instance.

For example, if you want to assign 10.1.1.1 specifically as a network address to a virtual machine instance, you can create a static network route that sends traffic from 10.1.1.1 to your instance, even if the instance's network address assigned by Compute Engine doesn't match your desired network address.

Use the following instructions to configure your network address using a static network route.

1. Choose an IP address that doesn't belong to any network in your project.

   For this example, we are using 10.1.1.1 .

2. Create a new virtual machine instance and enable IP forwarding.

   By default, Compute Engine won't deliver packets whose destination IP address is different than the IP address of the instance receiving the packet. To disable this destination IP check, you can enable IP forwarding for the instance.

   Other than the zone, you can choose the other attributes of your instance, such as the machine type and image.

   $ gcloud compute instances create my-configurable-instance --can-ip-forward
   

3. Create a static network route to direct packets destined for 10.1.1.1 to your instance.

   $ gcloud compute routes create ip-10-1-1-1 \
            --next-hop-instance my-configurable-instance \
            --next-hop-instance-zone ZONE \
            --destination-range 10.1.1.1/32
   

4. Add a new virtual interface to your instance.

   These instructions are available for Debian and CentOS instances. Select your desired operating system for the right instructions.

1. Check that your virtual machine instance interface is up by pinging 10.1.1.1 from inside your instance.

   user@my-configurable-instance:~$ ping 10.1.1.1
   

   You can also try pinging the interface from another instance in your project.

External Addresses

You can assign an optional externally visible IP address to specific instances. Outside callers can address a specific instance by external IP if the network firewalls allow it. Only instances with an external address can send and receive traffic from outside the network.

Google Compute Engine supports two types of externally-visible IP addresses: static IPs , which can be assigned to a project long term or ephemeral IPs , which are assigned for the lifetime of the instance. Once an instance is terminated, the ephemeral IP is released back into the general Google Compute Engine pool and becomes available for use by other projects.

Ephemeral IP Addresses

When you create an instance using gcloud compute , your instance is automatically assigned an ephemeral external IP address. You can choose not to assign an external IP address in gcloud compute by providing the --no-address flag. If you are creating an instance using the API, you need to explicitly provide an accessConfig specification to request an external IP address. If you have an existing instance that doesn't have an external IP address, but would like to assign one, see Assigning IP Addresses to Existing Instances . For information on defining an accessConfig for your instance, see the API reference .

Reserved IP Addresses

If you need a static IP address that is assigned to your project until you explicitly release it, you can reserve a new IP address or promote an ephemeral IP address to using gcloud compute with the addresses create command or making a PUT request to the appropriate regional Addresses collection. Static IP addresses can be regional or global resources and you must select a either the region where your IP address will live or indicate that it is global.

Static IP addresses can only be used by one resource at a time. You cannot assign an IP address to multiple resources. There is also no way to tell whether an IP address is static or ephemeral after it has been assigned to a resource, except to compare it against the list of static IP addresses assigned to the project. Use the addresses list command to see a list of static IP addresses available to the project.

Reserving an IP Address

To reserve a new static IP address using gcloud compute , use the addresses create command:

$ gcloud compute addresses create example-address example-address-2 \
         --region us-central1

This reserves a regional IP address in us-central1. To reserve a global IP address, use the --global flag.

If you would like to promote an ephemeral IP address to a static IP address, provide the address using the --addresses flag. The following example promotes an ephemeral IP address to a reserved IP address. Since no address name is specified, gcloud compute automatically assigns a name.

$ gcloud compute addresses create \
         --addresses 162.222.181.197 \
         --region us-central1

With the API client libraries, use the addresses().insert function, passing in the region for the request and a request body that contains the name of the address and, if desired, the ephemeral IP address to promote. The following is a snippet from the Python client library:

def reserveIpAddress(auth_http, gce_service):
  addressName = 'testaddress'
  ipAddressToPromote = 'x.x.x.x'
  body = {
    "name": addressName,
    "address": ipAddressToPromote
  }
  request = gce_service.addresses().insert(project=PROJECT_ID,
    region='<region>', body=body)
  response = request.execute(auth_http)

  print response

To make a request to the API directly, make a PUT request to the following URI:

`http://www.googleapis.com/compute/v1/project/<project-id>/regions/<region>/addresses`

Your request body should contain the following (omit the address field if you are not promoting an ephemeral IP address):

body = {
  name: “<address-name>”,
  address: “<address-to-promote>”
}

If this is a new static IP address, you can assign it to an instance using the --address flag during instance creation:

$ gcloud compute instances create myinst --address x.x.x.x

where x.x.x.x is your static IP address. You can also assign an IP address to an existing instance . If you promoted an ephemeral IP address, it remains attached to its current instance.

Listing Reserved IP Addresses

To list the reserved IP addresses, run addresses list or make a GET request to the API:

$ gcloud compute addresses list --region REGION

With the APIs client libraries, use the addresses().list function. Here's a snippet from the Python client library that lists addresses from one region:

def listIpAddresses(auth_http, gce_service):
  request = gce_service.addresses().list(project=PROJECT_ID,
    region='<region>')
  response = request.execute(auth_http)

  print response

To make a request to the API directly, perform a GET request to the following URI with an empty request body:

http://www.googleapis.com/compute/v1/projects/<project-id>/regions/<region>/addresses

To list all addresses in all regions, make a request to the following URI:

http://www.googleapis.com/compute/v1/projects/<project-id>/aggregated/addresses

In the client libraries, use the addresses().aggregatedList function:

def listAllIpAddresses(auth_http, gce_service):
  request = gce_service.addresses().aggregatedList(project=PROJECT_ID)
  response = request.execute(auth_http)

  print response

Getting Information about an IP Address

To get information about a single IP address, use gcloud compute addresses describe with the name of the addresss or make a GET request to the API

To use gcloud compute addresses describe :

  $ gcloud compute addresses describe ADDRESS --region REGION

With the API client libraries, use the addresses().get method and specify the address for which you want to get more information:

def getIpAddress(auth_http, gce_service):
  addressName = "testaddress"
  request = gce_service.addresses().get(project=PROJECT_ID,
    region='<region>', address=addressName)
  response = request.execute(auth_http)

  print response

To make a request to the API directly, make a GET request with an empty request body to the following URI:

http://www.googleapis.com/compute/v1/projects/<project-id>/regions/<region>/addresses/<address-name>

Releasing an IP Address

To release an IP address, use gcloud compute with the addresses delete command or by sending a DELETE request to the API.

$ gcloud compute addresses delete ADDRESS --region REGION

With the API client libraries, use the addresses().delete method, providing the address name and the region:

def releaseAddress(auth_http, gce_service):
  addressName = "testaddress"
  request = gce_service.addresses().delete(project=PROJECT_ID,
    region='<region>', address=addressName)
  response = request.execute(auth_http)

  print response

To make a request to the API directly, make a DELETE request to the following URI with an empty request body:

https://www.googleapis.com/compute/v1/projects/<project-id>/regions/<region>/addresses/<address-name>

Assigning IP Addresses to Existing Instances

gcloud compute allows you to assign external IP addresses to existing instances using the access configuration portion of the instance's network interface. External IP addresses, both ephemeral and static, can be assigned to existing instances in this manner. You can only one external IP address to an instance so if an instance already has an external IP address, you must first remove the IP address by deleting the access configuration, and then adding a new access configuration.

To add an external IP address to an existing instance, use the instances add-access-config command:

$ gcloud compute instances add-access-config INSTANCE \
         --access-config-name ACCESS_CONFIG --address ADDRESS

To delete an access configuration from an instance's network interface, use the instances delete-access-config command:

$ gcloud compute instances delete-access-config INSTANCE \
         --access-config-name ACCESS_CONFIG