How IP addresses work in Google Cloud VPC networks, especially for Compute Engine VMs: internal vs external, IPv4 vs IPv6, static reservations, and NAT options.
Note: This page is current as of May 2026. IP pricing, IPv6 support, and quota defaults can change, so verify time-sensitive details in the official Google Cloud docs before making production decisions.
Internal vs External IP
Compute Engine network interfaces can use different IP combinations depending on the interface stack type:
| Interface Stack | Assigned Addresses |
|---|---|
| IPv4-only | Required internal IPv4, optional alias IPv4 range, optional external IPv4 |
| Dual-stack | Required internal IPv4, optional alias IPv4 range, optional external IPv4, and one required /96 IPv6 range |
| IPv6-only | One required /96 IPv6 range, either internal or external |
For the common IPv4 case, an external IPv4 address is mapped to the VM’s internal IPv4 address through one-to-one NAT:
```mermaid
flowchart LR
    Internet["Internet"]
    NAT["Google Network<br/>(1:1 NAT for external IPv4)"]
    VM["VM Instance"]
    OtherVM["Other VM<br/>in same VPC"]
    Internet -->|external IPv4| NAT
    NAT -->|internal IPv4| VM
    VM -->|internal IP| OtherVM
```
| Aspect | Internal IP | External IP |
|---|---|---|
| Scope | VPC network, peered networks, or connected on-premises networks | Internet-routable |
| Assigned from | Subnet range | Google-owned or BYOIP public address space |
| Visible on VM | Yes | External IPv4 is mapped by NAT; external IPv6 is assigned as a /96 range |
| Required | Required for IPv4-only and dual-stack VM interfaces | Optional for IPv4-only and dual-stack interfaces |
| Internet reachability | Not reachable directly from the internet | Publicly routable, but inbound access still depends on firewall rules |
Key Insight: An external IP address does not automatically make every port reachable. Google Cloud firewall rules, hierarchical firewall policies, OS firewalls, and service listeners still decide what traffic is actually accepted.
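The point above can be checked against exported inventory. This is an added example, not code from Google Cloud: it lists which VMs with an external IPv4 address are covered by an ingress rule open to a /0 source. It assumes JSON shaped like the output of `gcloud compute instances list --format=json` and `gcloud compute firewall-rules list --format=json`, a single VPC network, and tag-based targeting only; deny rules, priorities, service-account targets, and hierarchical firewall policies are not evaluated. The sample data is constructed.

```python
import ipaddress

def external_ips(instance):
    """External IPv4 addresses (natIP of each accessConfig) on an instance."""
    return [ac["natIP"]
            for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", []) if ac.get("natIP")]

def is_public_source(rule):
    """True if any source range of the rule is a /0 (the whole internet)."""
    return any(ipaddress.ip_network(s).prefixlen == 0
               for s in rule.get("sourceRanges", []))

def exposure_report(instances, firewall_rules):
    """Map VM name -> [(rule, protocol, ports)] allowed in from a /0 source."""
    report = {}
    for vm in instances:
        if not external_ips(vm):
            continue                     # no external IPv4 on this VM
        tags = set(vm.get("tags", {}).get("items", []))
        hits = []
        for rule in firewall_rules:
            if rule.get("direction") != "INGRESS" or rule.get("disabled"):
                continue
            targets = set(rule.get("targetTags", []))
            if targets and not targets & tags:
                continue                 # rule is scoped to other VMs
            if is_public_source(rule):
                hits += [(rule["name"], a["IPProtocol"], tuple(a.get("ports", ["all"])))
                         for a in rule.get("allowed", [])]
        report[vm["name"]] = hits
    return report

# Constructed sample data (documentation address ranges, made-up names).
INSTANCES = [
    {"name": "web-1", "tags": {"items": ["web"]}, "networkInterfaces": [
        {"networkIP": "10.10.0.5", "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "bastion", "tags": {"items": ["admin"]}, "networkInterfaces": [
        {"networkIP": "10.10.0.6", "accessConfigs": [{"natIP": "203.0.113.11"}]}]},
    {"name": "db-1", "tags": {"items": ["db"]}, "networkInterfaces": [{"networkIP": "10.10.0.7"}]},
]
RULES = [
    {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["web"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-ssh-corp", "direction": "INGRESS", "sourceRanges": ["198.51.100.0/24"],
     "targetTags": ["admin"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
if __name__ == "__main__":
    print(exposure_report(INSTANCES, RULES))
```

In the sample, `bastion` has an external IP but an empty list, because its only rule is limited to a specific source range.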
Internal IP Addresses
Internal IP addresses are used for private communication inside a VPC network, across VPC Network Peering, or through hybrid connectivity such as Cloud VPN and Cloud Interconnect.
Assignment
| Method | Description |
|---|---|
| Auto-assigned ephemeral | Compute Engine chooses an available address from the subnet range. This is the default for internal IPv4. |
| Custom ephemeral | You specify an available address at VM creation time without reserving it as a named address resource. |
| Static internal | You reserve an internal IP address and attach it to a resource. The address remains reserved until you release it. |
Behavior Across VM Lifecycle
| Action | Internal IP |
|---|---|
| Stop and restart | Preserved |
| Delete and recreate | Ephemeral internal IP can change. Use a static internal IP when the private address must persist. |
Alias IP Ranges
Each IPv4-capable VM network interface has one primary internal IPv4 address. You can also add alias IP ranges as secondary addresses.
Alias IP ranges can come from either:
- The subnet’s primary IPv4 range
- A subnet secondary IPv4 range
Use cases include GKE pod networking, running multiple services on one VM, and assigning multiple IP identities to a single interface.
Internal DNS
Google Cloud automatically creates internal DNS names for VM instances:
| DNS Type | FQDN Format | Notes |
|---|---|---|
| Zonal DNS | INSTANCE.ZONE.c.PROJECT.internal | Default for projects created after January 2018. More reliable because names are scoped by zone. |
| Global DNS | INSTANCE.c.PROJECT.internal | Legacy default for older projects. |
- DNS resolution uses the metadata server at 169.254.169.254
- Internal DNS names work only within the VM’s VPC network
- IPv6-only Compute Engine instances do not support Compute Engine internal DNS
Subnet Range Rules
Internal IPv4 addresses come from subnet primary or secondary IPv4 ranges. Common designs use RFC 1918 space:
| Range | Use |
|---|---|
| 10.0.0.0/8 | Large private networks |
| 172.16.0.0/12 | Medium private networks |
| 192.168.0.0/16 | Smaller private networks and labs |
Google Cloud also supports additional valid internal IPv4 ranges:
| Range Type | Example | Notes |
|---|---|---|
| Shared address space | 100.64.0.0/10 | RFC 6598 range often used by ISPs for carrier-grade NAT. Avoid if it conflicts with your network path. |
| Selected RFC 6890 ranges | 192.0.0.0/24, 198.18.0.0/15 | Specialized ranges. Use only when you understand the operational implications. |
| Class E | 240.0.0.0/4 | Valid in Google Cloud, but some operating systems or appliances might not support it. |
| Privately used public IPv4 | Public IPv4 ranges used privately in a VPC | Google Cloud does not advertise these routes to the internet, but peering and hybrid routing need careful planning. |
Warning: Avoid overlapping subnet ranges with peered VPCs, Cloud VPN, Cloud Interconnect, on-premises networks, and static routes. Google Cloud blocks some overlap cases, but hybrid and multi-network designs still need an IP plan.
Subnet Size and Reserved Addresses
- Subnets are regional resources
- VPC networks are global, so VMs in different regions can communicate over internal IP if firewall rules and routes allow it
- The minimum IPv4 subnet size is /29
- Google Cloud reserves the first two and last two IPv4 addresses in each primary IPv4 subnet range
- Secondary IPv4 ranges do not lose those four addresses to subnet hosting
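The overlap warning and the subnet sizing rules above can be turned into a pre-deployment check of an IP plan. This is an added example, not Google Cloud tooling: it flags planned ranges that overlap each other or existing networks, fall below the /29 minimum, or sit outside RFC 1918, and it computes usable addresses after the four reserved ones. The subnet names and ranges are constructed.

```python
import ipaddress

MIN_PREFIXLEN = 29       # minimum IPv4 subnet size is /29
RESERVED_PRIMARY = 4     # first two and last two addresses of a primary range
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def usable_addresses(cidr, primary=True):
    """Addresses left for workloads; only primary ranges lose the reserved four."""
    net = ipaddress.ip_network(cidr)
    return net.num_addresses - (RESERVED_PRIMARY if primary else 0)

def check_plan(planned, existing):
    """planned/existing: dict of name -> CIDR. Returns a list of findings."""
    findings = []
    nets = {}
    for name, cidr in planned.items():
        net = ipaddress.ip_network(cidr)   # ValueError if host bits are set
        nets[name] = net
        if net.prefixlen > MIN_PREFIXLEN:
            findings.append(f"{name}: {cidr} is smaller than /29")
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"{name}: {cidr} is outside RFC 1918, "
                            "check OS, appliance and routing support")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} overlaps {b}")
        for other, cidr in existing.items():
            if nets[a].overlaps(ipaddress.ip_network(cidr)):
                findings.append(f"{a} overlaps {other} ({cidr})")
    return findings

# Constructed sample plan; names and ranges are illustrative only.
PLANNED = {
    "app-us": "10.10.0.0/24",
    "db-us": "10.10.0.128/25",      # sits inside app-us
    "lab": "192.168.50.0/30",       # below the /29 minimum
    "gke-pods": "100.64.0.0/16",    # shared address space (RFC 6598)
}
EXISTING = {"on-prem-dc": "10.10.0.0/16", "peer-vpc": "172.16.0.0/20"}

if __name__ == "__main__":
    for finding in check_plan(PLANNED, EXISTING):
        print(finding)
    print("usable in app-us:", usable_addresses("10.10.0.0/24"))
```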
External IP Addresses
External IP addresses are public, internet-routable addresses used by VMs, load balancers, Cloud NAT, Cloud VPN, and other networking resources.
Ephemeral vs Static
| Property | Ephemeral External IP | Static External IP |
|---|---|---|
| Persistence | Released when the VM stops or is deleted | Reserved until you explicitly release it |
| Assignment | Auto-assigned from Google’s pool | Reserved from Google-owned or BYOIP address space |
| Promotion | Can be promoted to static while in use | Already reserved |
| Use case | Temporary access, development, short-lived VMs | DNS records, production endpoints, allowlists |
| Unused cost | Not applicable because it is released | Charged at the unused static IP rate |
External IP Pricing
As of May 2026, Google Cloud charges for external IPv4 addresses as follows:
| State | Price |
|---|---|
| Static or ephemeral external IPv4 in use on a standard VM | $0.005/hour |
| Static or ephemeral external IPv4 in use on a Spot or preemptible VM | $0.0025/hour |
| Static external IPv4 reserved but unused | $0.01/hour |
| External IPv4 used by Cloud NAT | $0.005/hour |
| Static or ephemeral external IPv4 attached to a forwarding rule or used as a Cloud VPN public IP | No charge |
| External IPv6 address ranges assigned to subnets or VM instances | No charge |
Tip: A static external IPv4 address associated with a stopped VM still counts as in use. An ephemeral external IPv4 address is released when the VM stops.
Cloud NAT
Use Cloud NAT when private VMs need outbound internet access without external IP addresses:
- VMs keep only internal addresses
- Cloud NAT provides outbound connectivity for IPv4 traffic
- NAT64 with DNS64 lets IPv6-only instances reach IPv4 destinations in supported configurations
- Return traffic for established outbound connections is allowed
- Unsolicited inbound internet connections are not allowed through Cloud NAT
Typical use case: private VMs that need package updates, container pulls, or API calls without exposing public IPs on the VM instances.
IPv4 vs IPv6
Google Cloud supports IPv4-only, dual-stack, and IPv6-only configurations. IPv6 is available only on Premium Tier networking.
IPv6 Support by Service
| Service | IPv6 Support | Notes |
|---|---|---|
| Compute Engine VMs | Yes | Dual-stack and IPv6-only are supported, with OS and feature limitations |
| VPC subnets | Yes | IPv6 subnets require custom mode VPC networks |
| GKE nodes and pods | Yes | Dual-stack support |
| Cloud Run | Yes | Internal IPv6 for services and jobs |
| Global external Application Load Balancer | Yes | End-to-end dual-stack support |
| Regional load balancers | Varies | Support depends on load balancer type |
| Cloud DNS | Partial | Supports IPv6 records and DNS64; inbound forwarding does not support IPv6 |
| Cloud NAT | NAT64 | IPv6-only instances can reach IPv4 destinations by using DNS64 and NAT64 |
| HA VPN | Yes | Dual-stack and IPv6-only support |
IPv6 on VMs
- A VM network interface receives a /96 IPv6 range, not a single IPv6 address
- The /96 range can be internal or external, but not both on the same interface
- Dual-stack interfaces also have a required internal IPv4 address
- IPv6-only instances do not have an internal IPv4 address
- External IPv6 addresses are not currently charged
IPv6 on Subnets
Subnets with IPv6 address ranges are supported only in custom mode VPC networks. Auto mode VPC networks do not support IPv6 subnets unless converted to custom mode first.
| IPv6 Access Type | Address Type | Use |
|---|---|---|
| Internal IPv6 | ULA range from the VPC network’s /48 ULA range | Private VM-to-VM communication inside VPC networks |
| External IPv6 | GUA range from Google’s regional external IPv6 pools or BYOIP | Internet-routable IPv6 workloads |
Note: A subnet’s IPv6 range has one access type: internal or external. You can design a VPC with different subnets for different IPv6 access patterns, but a single subnet IPv6 range is not both internal and external.
Static IP Addresses
Static IP addresses are reserved address resources in your project. Use them when a workload needs a stable address for DNS records, allowlists, failover targets, or long-lived service endpoints.
Static Internal vs Static External
| Type | Scope | Cost | Common Use |
|---|---|---|---|
| Static internal IPv4/IPv6 | Regional | No charge | Stable private service address, internal failover, manually assigned VM address |
| Static external IPv4 | Regional or global | Charged depending on use state | Public DNS records, public endpoints, allowlists |
| Static external IPv6 | Regional or global, depending on resource type | No charge for current VM/subnet assignments | IPv6 public endpoints |
Regional vs Global External Addresses
| Property | Regional | Global |
|---|---|---|
| Scope | Specific region | Global |
| Used by | VMs, Cloud NAT, Cloud VPN, regional load balancers | Global external load balancers with Premium Tier |
| IPv4 range | /32 single address | /32 single address |
| IPv6 range | Usually /96 for VM-facing regional IPv6 usage | /64 for global load balancer IPv6 frontend usage |
| Convertibility | Cannot convert regional to global | Cannot convert global to regional |
Common Operations
```bash
# Reserve a new regional static IPv4
gcloud compute addresses create my-static-ip --region=us-central1

# Reserve a global static IP for a global load balancer
gcloud compute addresses create my-global-ip --global

# Promote an ephemeral IPv4 to static without downtime
gcloud compute addresses create my-promoted-ip \
    --addresses=35.192.xx.xx \
    --region=us-central1

# Assign a static IP to a new VM
gcloud compute instances create my-vm \
    --address=35.192.xx.xx \
    --zone=us-central1-a

# List all static IPs
gcloud compute addresses list

# Release a static IP after detaching it
gcloud compute addresses delete my-static-ip --region=us-central1
```
Quotas
External IP quotas vary by project, region, address type, and resource type. Check IAM & Admin > Quotas & System Limits or use gcloud compute project-info describe before planning large deployments.
TL;DR
- IPv4-only and dual-stack VM interfaces require an internal IPv4 address; IPv6-only interfaces use a /96 IPv6 range instead.
- External IPv4 addresses on VMs use one-to-one NAT. The VM OS sees the internal IPv4 address, not the external IPv4 address.
- Public IP does not equal open access. Firewall rules and service listeners still control inbound connectivity.
- Internal subnet ranges are usually RFC 1918, but Google Cloud also supports ranges like 100.64.0.0/10, selected RFC 6890 ranges, Class E, and privately used public IPv4 with caveats.
- Alias IP ranges can come from a subnet’s primary or secondary IPv4 range.
- Cloud NAT gives outbound internet access to VMs without external IPs; NAT64 plus DNS64 supports IPv6-only to IPv4 access in supported configurations.
- A subnet IPv6 range is either internal or external, not both.
- Static external IPv4 addresses cost more when reserved but unused. Release unused static IPs.
Resources
- Compute Engine IP Addresses: Official reference for internal and external IP addresses on Compute Engine.
- VPC IP Addresses: Google Cloud’s internal, external, regional, and global IP address categories.
- VPC Subnets: Valid subnet ranges, reserved addresses, IPv6 subnet behavior, and subnet limitations.
- Reserve Static External IP Addresses: How to create, promote, assign, and release static external IP addresses.
- IPv6 Support in Google Cloud: IPv6 capabilities, supported services, and limitations.
- VPC Pricing: Current pricing for external IP addresses, Cloud NAT, data transfer, and related VPC resources.
- Google Compute Engine: Overview of GCE features and architecture.