Create and use IPv6 sub-prefixes

This page describes how to divide your IPv6 public delegated prefix into sub-prefixes that you can assign to resources in specific projects. When you create a sub-prefix, your configuration includes a prefix length and a mode that determines how the IP addresses can be used.

The following modes are supported:

  • For further delegation (--mode=DELEGATION): Sub-prefixes that you can further divide into smaller sub-prefixes. The associated IP addresses can't be assigned to resources until you create a non-delegation mode sub-prefix.

  • For forwarding rules (--mode=EXTERNAL_IPV6_FORWARDING_RULE_CREATION): Sub-prefixes that you can use as a source of regional external global unicast address (GUA) ranges for forwarding rules. You choose a prefix length for the IPv6 addresses when you create the sub-prefix. The forwarding rules can only be used for external passthrough Network Load Balancers and external protocol forwarding. Sub-prefixes in this mode can't be further delegated.

  • For external subnet ranges (--mode=EXTERNAL_IPV6_SUBNETWORK_CREATION): Sub-prefixes that you can use as a source of GUAs for external subnet ranges. BYOIP-provided external subnet ranges can only be used by VM instances. Sub-prefixes in this mode can't be further delegated.

  • For internal subnet ranges (--mode=INTERNAL_IPV6_SUBNETWORK_CREATION): Sub-prefixes that you can use as a source of GUAs for internal subnet ranges. When assigned to an internal subnet range, GUAs are used privately and aren't advertised to the internet. Sub-prefixes in this mode can't be further delegated.

The different modes support different prefix sizes and IPv6 access types. For more information, see the following section.

Sub-prefix mode configuration

The following table describes the configuration settings and requirements for each sub-prefix mode.

Sub-prefix mode or setting Prefix length specifications IPv6 access type
Sub-prefix for delegation
(--mode=DELEGATION)

Can be the same size or smaller (have a longer prefix length) than the parent public delegated prefix

The difference between the prefix length of a sub-prefix and its parent public delegated prefix can't be greater than 24

Valid lengths: /32, /40, /48, /56
  • External
  • Internal
Sub-prefix for external forwarding rules
(--mode=EXTERNAL_IPV6_FORWARDING_RULE_CREATION)

Can be the same size or smaller (have a longer prefix length) than the parent public delegated prefix

The difference between the prefix length of a sub-prefix and its parent public delegated prefix can't be greater than 24

Valid lengths: /32, /40, /48, /56, /64, or /72
  • External
Setting: External forwarding rule allocatable prefix length

Determines the prefix length for IPv6 address ranges that are used by external forwarding rules. Specified when creating an IPv6 sub-prefix for external forwarding rules.

Must be smaller than the associated sub-prefix—the difference between the allocatable prefix length and the sub-prefix length must be at least 8, and can't be greater than 32

Valid lengths: /48, /56, /64, /72, /80, /88, /96

Default lengths:

  • If the parent sub-prefix's length is /64 or /72, the default allocatable prefix length is /96
  • Otherwise, the default allocatable prefix length is /64
Sub-prefix for external subnet ranges
(--mode=EXTERNAL_IPV6_SUBNETWORK_CREATION)

Can be the same size or smaller (have a longer prefix length) than the parent public delegated prefix

The difference between the prefix length of a sub-prefix and its parent public delegated prefix can't be greater than 24

Valid lengths: /32, /40, /48, /56
  • External
Sub-prefix for internal subnet ranges
(--mode=INTERNAL_IPV6_SUBNETWORK_CREATION)

Can be the same size or smaller (have a longer prefix length) than the parent public delegated prefix

The difference between the prefix length of a sub-prefix and its parent public delegated prefix can't be greater than 24

Valid lengths: /32, /40, /48, /56
  • Internal

Sub-prefix delegation

IPv6 sub-prefixes that are in delegation mode can be sub-delegated into smaller sub-prefixes. This lets you assign the address blocks to different projects or regions. When you sub-delegate a sub-prefix, the following applies:

  • A public delegated prefix can be sub-delegated up to three times from a public advertised prefix.
  • IPv6 sub-prefixes can only be sub-delegated if they are in delegation mode.
  • Public delegated prefixes and sub-prefixes inherit the access type that you specify when you create a parent public advertised prefix.
  • The prefix length of a delegation mode sub-prefix affects the possible modes of its child sub-prefixes. This is because a child sub-prefix must have a prefix length that is valid for its mode, and the prefix length must be the same size as or smaller than its parent.

The following example demonstrates a multi-level delegation. Each step adheres to the prefix length and mode restrictions that are detailed in the sub-prefix mode table. If you have an external access public advertised prefix with IP address range 2001:db8::/32, you might do the following:

  1. From the parent public advertised prefix, you can create one or more top-level public delegated prefixes. A top-level public delegated prefix can be the same size or smaller than its parent public advertised prefix, and it must be in delegation mode. For this example, the entire IP address range of the parent prefix is delegated (2001:db8::/32).

  2. From the top-level public delegated prefix, you can create one or more sub-prefixes. A sub-prefix can be the same size as or smaller than its parent public delegated prefix, and it can be in any mode that's compatible with its access type. For this example, another delegation mode sub-prefix is created with IP address range 2001:db8::/48.

  3. From the previous sub-prefix, you can create one or more sub-prefixes. To make the IP addresses available for resources, these prefixes must be in a non-delegation mode such as forwarding rule or subnet creation mode. For this example, two sub-prefixes are created: one for external subnet ranges with IP address range 2001:db8:0:0::/56 and one for external forwarding rules with IP address range 2001:db8:1:0::/64.

At this point, you can't further divide the sub-prefixes that use the 2001:db8:0:0::/56 or 2001:db8:1:0::/64 ranges. A sub-prefix can't be divided if it's in a non-delegation mode or if it already has three levels of delegation from its parent public advertised prefix. In this example, both conditions are true.

Before you begin

  1. Create an IPv6 public advertised prefix.
  2. Create an IPv6 public delegated prefix.

Roles

To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you the Compute Public IP Admin (roles/compute.publicIpAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create IPv6 sub-prefixes

When you create an IPv6 sub-prefix, all IP addresses in the sub-prefix are made available; there is no reserved network address or broadcast address.

You can't change the mode of a sub-prefix. If needed, you can delete it and then recreate it. Before you can delete a sub-prefix, it must not be in use by any resources.

You can't edit a sub-prefix to change its name. As a best practice, choose generic names that don't need to change—for example, sub-2001-db8-0-0-0-0-0-0-40, where sub denotes the resource type and 2001-db8-0-0-0-0-0-0-40 denotes the specific prefix and prefix length.

Console

  1. In the Google Cloud console, go to Bring your own IP.

    Go to Bring your own IP

  2. Click the public delegated prefix that you want to subdivide.

  3. Click Create sub-prefix.

  4. Enter a name and optional description for the sub-prefix.

  5. In the Prefix length list, select a prefix length for the sub-prefix.

  6. Enter an IPv6 address range to assign to the sub-prefix.

  7. In the How this PDP will be used section, do the following:

    • To create a sub-prefix for further delegation, select Subdivide into smaller PDPs.
    • To create a sub-prefix with addresses that you can assign to resources, select Allocate IPv6 address ranges for use, and then specify how you want to use the IP addresses:
      • For external forwarding rules for external passthrough Network Load Balancers and external protocol forwarding, select External Network Load Balancer forwarding rule, and then select an Allocatable prefix length.
      • For external subnet ranges that can only host VMs, select External subnet range for VMs.
      • For internal subnet ranges, select Internal subnet range.

  8. In the Project menu, select the project that you want to use the sub-prefix in.

  9. Click Create.

gcloud

Use the gcloud compute public-delegated-prefixes create command.

gcloud compute public-delegated-prefixes create SUB_PREFIX_NAME \
    --range=SUB_PREFIX_RANGE \
    --mode=MODE \
    --public-delegated-prefix=PDP_NAME \
    --region=PDP_REGION \
    --project=PROJECT_ID \
    [--allocatable-prefix-length=PREFIX_LENGTH]

Replace the following:

  • SUB_PREFIX_NAME: a name for this sub-prefix

  • SUB_PREFIX_RANGE: the IP address range for this sub-prefix, in CIDR notation

  • MODE: the mode for this sub-prefix, which must be one of the following:

    • DELEGATION
    • EXTERNAL_IPV6_FORWARDING_RULE_CREATION
    • EXTERNAL_IPV6_SUBNETWORK_CREATION
    • INTERNAL_IPV6_SUBNETWORK_CREATION

    The mode must be compatible with the access type of the parent public delegated prefix.

  • PDP_NAME: the parent public delegated prefix of this sub-prefix

  • PDP_REGION: the region for this sub-prefix

  • PROJECT_ID: the project to delegate the sub-prefix to

    If the --project flag is omitted, the sub-prefix is created in the same project as the parent public delegated prefix.

  • PREFIX_LENGTH: the prefix length for the IPv6 address ranges that are used by forwarding rules

    Only use this flag with EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode. The default and possible values depend on the prefix length of SUB_PREFIX_RANGE. For more information, see Allocatable prefix length for forwarding rules.

Assign IPv6 subnet ranges

You can assign external or internal IPv6 subnet ranges by using sub-prefixes. IPv6 subnet ranges that are created from a sub-prefix use global unicast addresses (GUAs). The way that you can use the assigned range depends on the access type and mode of the sub-prefix:

  • External subnet ranges are assigned from EXTERNAL_IPV6_SUBNETWORK_CREATION mode sub-prefixes. BYOIP-provided external subnet ranges can only be used to reserve static external IP addresses with the VM endpoint type and assign static or ephemeral external addresses to VM instances.

  • Internal subnet ranges are assigned from INTERNAL_IPV6_SUBNETWORK_CREATION mode sub-prefixes. BYOIP-provided internal subnet ranges are configured with privately used GUAs aren't advertised to the internet. The addresses can be used in the same way as a Google-provided ULA internal subnet range.

Create subnets with IPv6 BYOIP ranges

When creating a new subnet, you can allocate an IPv6 address range from your sub-prefix.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. To view the VPC network details page, click the name of a VPC network.

  3. On the Subnets tab, click Add subnet. In the panel that appears:

    1. Provide a name.
    2. Select a region.
    3. For IP stack type, select either IPv4 and IPv6 (dual-stack) or IPv6 (single-stack).
    4. If you are creating a dual-stack subnet, enter an IPv4 range.
    5. For IPv6 access type, select the access type of the sub-prefix that you want to assign to the subnet.
    6. Select the From PDP checkbox.
    7. In the PDP list, select the sub-prefix to use for allocating IP addresses to the subnet.
    8. Optional: Enter a specific IPv6 CIDR range to assign to the subnet. To let Google Cloud automatically select an address block, skip this step.
    9. Click Add.

gcloud

Use the gcloud compute networks subnets create command.

gcloud compute networks subnets create SUBNET \
    --network=NETWORK \
    --stack-type=STACK_TYPE \
    --ipv6-access-type=ACCESS_TYPE \
    --region=REGION \
    --ip-collection=PDP_NAME \
    {--external-ipv6-prefix=EXTERNAL_IPV6_RANGE | --internal-ipv6-prefix=INTERNAL_IPV6_RANGE}
    [--range=PRIMARY_IPv4_RANGE]

Replace the following:

  • SUBNET: a name for the new subnet
  • NETWORK: the name of the VPC network that will contain the new subnet

  • STACK_TYPE: the subnet's stack type

    The stack type can be IPV4_IPV6 or IPV6_ONLY. If you use IPV4_IPV6, you must specify a primary IPv4 range by using the --range flag.

  • ACCESS_TYPE: the access type of the sub-prefix that you're assigning to this subnet. Enter EXTERNAL to assign the subnet an external GUA subnet range. Enter INTERNAL to assign the subnet a privately used internal GUA subnet range.

  • REGION: the Google Cloud region in which the new subnet will be created, which must be the same region as this subnet's sub-prefix

  • PDP_NAME: the name of an IPv6 sub-prefix in EXTERNAL_IPV6_SUBNETWORK_CREATION or INTERNAL_IPV6_SUBNETWORK_CREATION mode to use for assigning IP addresses to this subnet

  • EXTERNAL_IPV6_RANGE or INTERNAL_IPV6_RANGE: an optional /64 IPv6 CIDR range to assign to this subnet

    The range must be associated with the subnet's sub-prefix. If empty, Google Cloud assigns the subnet a random /64 range from the CIDR block of the associated sub-prefix.

  • PRIMARY_IPv4_RANGE: for dual-stack subnets, the primary IPv4 range for the new subnet, in CIDR notation

Add an IPv6 BYOIP range to an IPv4-only subnet

You can change an IPv4-only subnet into a dual-stack subnet that uses an IPv6 address range from a sub-prefix.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the name of the VPC network that contains the subnet to update.

  3. Click Subnets, and then click the name of the subnet to update.

  4. Click Edit.

  5. In the IP stack type section, select IPv4 and IPv6 (dual-stack).

  6. For IPv6 access type, select the access type of the sub-prefix that you want to assign to the subnet.

  7. Click the From PDP checkbox.

  8. In the PDP list, select the sub-prefix to use for allocating IP addresses to the subnet.

  9. Optional: Enter a specific IPv6 address range to assign to the subnet.

  10. Click Save.

gcloud

Use the gcloud compute networks subnets update command.

gcloud compute networks subnets update SUBNET \
    --ipv6-access-type=ACCESS_TYPE \
    --stack-type=IPV4_IPV6 \
    --ip-collection=PDP_NAME \
    --region=REGION \
    {--external-ipv6-prefix=EXTERNAL_IPV6_RANGE | --internal-ipv6-prefix=INTERNAL_IPV6_RANGE}

Replace the following:

  • SUBNET: a name for the new subnet
  • ACCESS_TYPE: the access type of the sub-prefix that you're assigning to this subnet. Enter EXTERNAL to assign the subnet an external GUA subnet range. Enter INTERNAL to assign the subnet a privately used internal GUA subnet range.
  • PDP_NAME: the name of an IPv6 sub-prefix in EXTERNAL_IPV6_SUBNETWORK_CREATION or INTERNAL_IPV6_SUBNETWORK_CREATION mode to use for assigning IP addresses to this subnet
  • REGION: the Google Cloud region in which the new subnet will be created, which must be the same region as this subnet's sub-prefix

  • EXTERNAL_IPV6_RANGE or INTERNAL_IPV6_RANGE: an optional /64 IPv6 CIDR range to assign to this subnet

    The range must be associated with the subnet's sub-prefix. If empty, Google Cloud assigns the subnet a random /64 range from the CIDR block of the associated sub-prefix.

Deploy resources in subnets with IPv6 BYOIP ranges

After you create or update a subnet with a BYOIP-provided range, you can deploy resources that use the range's IP addresses.

For general information about assigning static and ephemeral IPv6 addresses to instances, see Configure IPv6 addresses for instances.

For information about assigning static external IPv6 addresses to VM instances, see the following:

For information about assigning internal IPv6 addresses to VM instances or forwarding rules, see the following:

Create external forwarding rules

You can use a sub-prefix that is in EXTERNAL_IPV6_FORWARDING_RULE_CREATION mode to create forwarding rules with regional external IPv6 address ranges. The forwarding rules can only be used for external passthrough Network Load Balancers and external protocol forwarding.

For more information, see the following:

List prefixes

You can list all public advertised prefixes and public delegated prefixes (including sub-prefixes) in a project.

Console

  1. In the Google Cloud console, go to Bring your own IP.

    Go to Bring your own IP

  2. All public advertised prefixes, public delegated prefixes, and sub-prefixes are displayed.

gcloud

To list public delegated prefixes, including sub-prefixes, use the public-delegated-prefixes list command.

gcloud compute public-delegated-prefixes list

What's next