Google Compute Engine

Instances and Networks

Every instance is assigned to a single network that defines how that instance can communicate with other instances, other networks, or the Internet. Instances do not need to be in the same zone to share a network. By default, all projects have a default network named default. New instances are automatically assigned to this network, which has the following default firewalls:

  • All traffic between all instances in the same network is allowed, over any port and any protocol
  • Incoming ssh connections (port 22) from anywhere are allowed

Any other incoming traffic to an instance is blocked, unless you add additional firewalls that allow more connections. Additionally, you can assign arbitrary tags to an instance, such as "frontend" or "sqlserver", and use those as permitted firewall sources/targets. This is a more flexible and scalable system than specifying the source by an IP address. You can assign instance tags when you create your instance using the --tag flag.

For more information about networks, see Networks and Firewalls.

Contents

Instance IP Addresses

Instances support one or two IP addresses: a required network address, which is used for communicating within the network, and an optional external IP address, which is used to communicate with callers outside the network. Addresses can be assigned at instance creation time or after an instance has been created. Refer to Assigning IP Addresses to Existing Instances to see how to assign external IP addresses after the instance has been created.

You can see the network and external IP addresses assigned to your instances by calling gcutil listinstances or gcutil getinstance.

Instances can address each other by network or external address, or by instance name (DNS). Here is a comparison of these three techniques:

  • By instance name - The network transparently resolves an instance name to a network address for instances within that network. Addressing by instance names rather than network address is useful because network addresses can change each time an instance is deleted and recreated. Also, communication is free between instances in the same zone. However, instance names are addressable only within the same network, or when calling gcutil ssh from your local computer.
  • By network address - You can address packets to an instance by network address, but network addresses can change when an instance is restarted, unless you explicitly assign a network address to your instance. The network address is only addressable from another computer within the same network. For more information, see Network Addresses.
  • By external IP address - Only use an external IP address if you must communicate with an instance on another network. Packets sent to an instance using an external address are billed as external traffic, even if the sender is in the same network. For more information, see External IP Addresses.

The following example demonstrates how to use gcutil ssh and ping to address your instances by instance name, external IP address, and network IP address.

$ gcutil --project=myproject listinstances
+-------------+-----------------+----------------------------------------------------------------+---------+---------------+-----------------+-------+--------+-------+---------+---------------+
|     name    |     machine     |                              image                             | network |   network_ip  |   external_ip   | disks |  zone  | tags  |  status | statusMessage |
+-------------+-----------------+----------------------------------------------------------------+---------+---------------+-----------------+-------+--------+-------+---------+---------------+
| instance-1  | n1-standard-2   | projects/debian-cloud/global/images/debian-7-wheezy-vYYYYMMDD  | default | 10.35.61.220  | 203.135.113.022 |       | <zone> |       | RUNNING |               |
| instance-2  | n1-standard-2-d | projects/debian-cloud/global/images/debian-6-squeeze-vYYYYMMDD | default | 10.39.222.105 | 255.255.122.238 |       | <zone> |       | RUNNING |               |
+-------------+-----------------+----------------------------------------------------------------+---------+---------------+-----------------+-------+--------+-------+---------+---------------+

$ gcutil --project=myproject addfirewall icmpfirewall --allowed=icmp # allow ICMP traffic

$ ping -c 1 203.135.113.022
PING 203.0.113.1 (203.135.113.022) 56(84) bytes of data.
64 bytes from 203.135.113.022: icmp_seq=1 ttl=55 time=17.5 ms

--- 203.135.113.022 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.568/17.568/17.568/0.000 ms

$ gcutil --project=myproject ssh instance-1
Welcome to GCE Linux 12.04 LTS (...)
Running a Google Compute Engine VM Instance
 * Documentation: https://developers.google.com/compute/
 * You are running on an EPHEMERAL root disk, which is NOT PERSISTENT.
   For persistent data, use Persistent Disks:
     https://developers.google.com/compute/docs/disks#persistentdisks


The programs included with this system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

This software comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Tue Aug 30 11:16:43 ...
rufus@instance-1:~$ ping -c 1 instance-2
PING instance-2.my-project.google (10.39.222.105) 56(84) bytes of data.
64 bytes from instance-2.my-project.google (10.39.222.105): icmp_seq=1 ttl=64 time=1.00 ms

--- instance-2.my-project.google ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.005/1.005/1.005/0.000 ms

rufus@instance-1:~$ ping -c 1 10.39.222.105
PING 10.39.222.105 (10.39.222.105) 56(84) bytes of data.
64 bytes from 10.39.222.105: icmp_seq=1 ttl=64 time=1.47 ms

--- 10.39.222.105 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.473/1.473/1.473/0.000 ms

Network Addresses

Every instance has a network address that is unique to the network. This address is automatically assigned by Google Compute Engine when you create the instance.

Google Compute Engine resolves instance names to network addresses when called within the instance's network. For instance, from a VM running inside Google Compute Engine, you can address other instances using ping, curl, or any other program that expects a DNS name.

Configuring a static network address

Although Compute Engine doesn't allow creating an instance with a user-defined local IP address, you can use a combination of routes and an instance's ‑‑can_ip_forward ability to add local IP address as a network static address which then maps to your desired virtual machine instance.

For example, if you want to assign 10.1.1.1 specifically as a network address to a virtual machine instance, you can create a static network route that sends traffic from 10.1.1.1 to your instance, even if the instance's network address assigned by Compute Engine doesn't match your desired network address.

Use the following instructions to configure your network address using a static network route.

Note: The following example assumes that your project just has the default network.

  1. Choose an IP address that doesn't belong to any network in your project.

    For this example, we are using 10.1.1.1.

  2. Create a new virtual machine instance and enable IP forwarding.

    By default, Compute Engine won't deliver packets whose destination IP address is different than the IP address of the instance receiving the packet. To disable this destination IP check, you can enable IP forwarding for the instance.

    Other than the zone, you can choose the other attributes of your instance, such as the machine type and image.

    $ gcutil --project=<project-id> addinstance my-configurable-instance --can_ip_forward --zone=us-central1-a
  3. Create a static network route to direct packets destined for 10.1.1.1 to your instance.
    $ gcutil --project=<project-id> addroute ip-10-1-1-1 --next_hop_instance=us-central1-a/instances/my-configurable-instance 10.1.1.1/32
  4. Add a new virtual interface to your instance.

    These instructions are available for Debian and CentOS instances. Select your desired operating system for the right instructions.

    Debian
    1. ssh into your instance.
      $ gcutil --project=<project-id> ssh my-configurable-instance
    2. Append the following lines to the /etc/network/interfaces file.
      # Change to root first
      user@my-configurable-instance:~$ sudo su -
      
      # Append the following lines
      root@my-configurable-instance:~$ cat <<EOF >>/etc/network/interfaces
      iface eth0 inet static
      address 10.1.1.1
      netmask 255.255.255.255
      EOF
    3. Restart the network.
      root@my-configurable-instance:~$ /etc/init.d/networking restart
    CentOS 6
    1. ssh into your instance.
      $ gcutil --project=<project-id> ssh my-configurable-instance
    2. Add the following lines to a new file named /etc/sysconfig/network-scripts/ifcfg-eth0:0
      # Change to root first
      user@my-configurable-instance:~$ sudo su -
      
      # Add the following lines
      root@my-configurable-instance:~$ cat <<EOF >>/etc/sysconfig/network-scripts/ifcfg-eth0:0
      DEVICE="eth0:0"
      BOOTPROTO="static"
      IPADDR=10.1.1.2
      NETMASK=255.255.255.255
      ONBOOT="yes"
      EOF
    3. Bring up your new interface.
      root@my-configurable-instance:~$ ifup eth0:0
  5. Check that your virtual machine instance interface is up by pinging 10.1.1.1 from inside your instance.
    user@my-configurable-instance:~$ ping 10.1.1.1

    You can also try pinging the interface from another instance in your project.

External Addresses

You can assign an optional externally visible IP address to specific instances. Outside callers can address a specific instance by external IP if the network firewalls allow it. Only instances with an external address can send and receive traffic from outside the network.

Note: Google Compute Engine bills for external IP address usage, even for instances that may be within the same network. Any traffic through an external IP addressed will be billed. An instance must have an external address in order to be allowed to make calls outside the network. A firewall rule is not required to allow outgoing calls because packets sent by an instance are never blocked, unless they're using an explicitly blocked port. Return traffic on any open connection is always allowed until the connection reaches 10 minutes of inactivity, when the connection is considered abandoned and return traffic returns to being blocked.

Google Compute Engine supports two types of externally-visible IP addresses: static IPs, which can be assigned to a project long term or ephemeral IPs, which are assigned for the lifetime of the instance. Once an instance is terminated, the ephemeral IP is released back into the general Google Compute Engine pool and becomes available for use by other projects.

Ephemeral IP Addresses

When you create an instance using gcutil, your instance is automatically assigned an ephemeral external IP address. You can choose not to assign an external IP address in gcutil by providing the --external_ip_address=none flag. If you are creating an instance using the API, you need to explicitly provide an accessConfig specification to request an external IP address. If you have an existing instance that doesn't have an external IP address, but would like to assign one, see Assigning IP Addresses to Existing Instances. For information on defining an accessConfig for your instance, see the API reference.

Reserved IP Addresses

If you need a static IP address that is assigned to your project until you explicitly release it, you can reserve a new IP address or promote an ephemeral IP address to using gcutil reserveaddress or making a PUT request to the appropriate regional Addresses collection. Static IP addresses are a regional resource and you must select a region where your IP address will live.

Static IP addresses can only be used by one resource at a time. You cannot assign an IP address to multiple resources. There is also no way to tell whether an IP address is static or ephemeral after it has been assigned to a resource, except to compare it against the list of static IP addresses assigned to the project. Use gcutil listaddresses to see a list of static IP addresses available to the project.

Note: An external IP address can only be used by a single instance through the access config, but it is possible that your instance may receive traffic from multiple forwarding rules, which may serve external IP addresses that are different than the IP address assigned to the instance. In summary, a virtual machine instance can:

  • Have one external IP address attached using the instance's accessConfig. Packets for this IP will have their destination IP translated to the intance's internal address.
  • Have any number of external IP addresses referencing the instance through forwarding rules and target pools.

For more information, review the load balancing documentation.

Reserving an IP Address

To reserve a static IP address or promote an ephemeral using gcutil:

gcutil --project=<project-id> reserveaddress --region=<region> [--source_address=<ephemeral-address>] <address-name>

Important Flags and Parameters:

--project=<project-id>
[Required] The project ID for this request.
--region=<region>
[Required] The region for this IP address.
--source_address=<ephemeral-address>
[Optional] The ephemeral IP address to promote to a static IP address. If you do not specify this flag, Google Compute Engine automatically assigns a static IP address.
<address-name>
[Required] The name to use for this address. For example, myownip.

With the API client libraries, use the addresses().insert function, passing in the region for the request and a request body that contains the name of the address and, if desired, the ephemeral IP address to promote. The following is a snippet from the Python client library:

def reserveIpAddress(auth_http, gce_service):
  addressName = 'testaddress'
  ipAddressToPromote = 'x.x.x.x'
  body = {
    "name": addressName,
    "address": ipAddressToPromote
  }
  request = gce_service.addresses().insert(project=PROJECT_ID,
    region='<region>', body=body)
  response = request.execute(auth_http)

  print response

To make a request to the API directly, make a PUT request to the following URI:

http://www.googleapis.com/compute/v1/project/<project-id>/regions/<region>/addresses

Your request body should contain the following (omit the address field if you are not promoting an ephemeral IP address):

body = {
  name: “<address-name>”,
  address: “<address-to-promote>”
}

If this is a new static IP address, you can assign it to an instance using the --external_ip_address flag during instance creation:

gcutil --project=<project-id> addinstance myinst --external_ip_address=x.x.x.x

where x.x.x.x. is your static IP address. You can also assign an IP address to an existing instance. If you promoted an ephemeral IP address, it remains attached to its current instance.

Listing Reserved IP Addresses

To list the reserved IP addresses, run gcutil listaddresses or make a GET request to the API:

gcutil --project=<project-id> listaddresses

Important Flags and Parameters:

--project=<project-id>
[Required] The project ID for this request.

With the APIs client libraries, use the addresses().list function. Here's a snippet from the Python client library that lists addresses from one region:

def listIpAddresses(auth_http, gce_service):
  request = gce_service.addresses().list(project=PROJECT_ID,
    region='<region>')
  response = request.execute(auth_http)

  print response

To make a request to the API directly, perform a GET request to the following URI with an empty request body:

http://www.googleapis.com/compute/v1/projects/<project-id>/regions/<region>/addresses

To list all addresses in all regions, make a request to the following URI:

http://www.googleapis.com/compute/v1/projects/<project-id>aggregated/addresses
In the client libraries, use the addresses().aggregatedList function:

def listAllIpAddresses(auth_http, gce_service):
  request = gce_service.addresses().aggregatedList(project=PROJECT_ID)
  response = request.execute(auth_http)

  print response

Getting Information about an IP Address

To get information about a single IP address, use gcutil getaddress or make a GET request to the API.

To use gcutil getaddress:

gcutil --project=<project-id> getaddress --region=<region> <address-name>

Important Flags and Parameters:

--project=<project-id>
[Required] The project ID for this request.
--region=<region>
[Required] The region where this IP address lives.
<address-name>
[Required] The IP address name to get.

With the API client libraries, use the addresses().get method and specify the address for which you want to get more information:

def getIpAddress(auth_http, gce_service):
  addressName = "testaddress"
  request = gce_service.addresses().get(project=PROJECT_ID,
    region='<region>', address=addressName)
  response = request.execute(auth_http)

  print response

To make a request to the API directly, make a GET request with an empty request body to the following URI:

http://www.googleapis.com/compute/v1/projects/<project-id>/regions/<region>/addresses/<address-name>

Releasing an IP Address

To release an IP address, use the gcutil releaseaddress command or by sending a DELETE request to the API.

gcutil --project=<project-id> releaseaddress --region=<region> <address-name>

Important Flags and Parameters:

--project=<project-id>
[Required] The project ID for this request.
--region=<region>
[Required] The region where this IP address resides.
<address-name>
[Required] The IP address to release.

With the API client libraries, use the addresses().delete method, providing the address name and the region:

def releaseAddress(auth_http, gce_service):
  addressName = "testaddress"
  request = gce_service.addresses().delete(project=PROJECT_ID,
    region='<region>', address=addressName)
  response = request.execute(auth_http)

  print response

To make a request to the API directly, make a DELETE request to the following URI with an empty request body:

https://www.googleapis.com/compute/v1/projects/<project-id>/regions/<region>/addresses/<address-name>

Assigning IP Addresses to Existing Instances

gcutil allows you to assign external IP addresses to existing instances using the access configuration portion of the instance's network interface. External IP addresses, both ephemeral and static, can be assigned to existing instances in this manner.

To add an external IP address to an existing instance, use the gcutil addaccessconfig command:

gcutil --project=<project-id> addaccessconfig  <instance-name> --access_config_name=<name> --access_config_nat_ip=<ip-address> --access_config_type=<access-type> --network_interface_name=<interface-name>

Important Flags and Parameters:

--project=<project-id>
[Required] The project ID for this request.
--access_config_name=<name>
[Required] The name of the access configuration to add. The default value is External NAT.
--access_config_nat_ip=<ip-address>
[Required] The external NAT IP of the access configuration. The value may be a static external IP that is reserved by the project or an ephemeral IP address. The default value is ephemeral which specifies that Google Compute Engine should assign an available unreserved ephemeral external IP.
--access_config_type=<access-type>
[Required] The access configuration type. The default value is ONE_TO_ONE_NAT. In the current release, ONE_TO_ONE_NAT is the only supported type.
--network_interface_name=<interface-name>
[Required] The name of the instance's network interface to add the access configuration. The default value is nic0.

To delete an access configuration from an instance's network interface, use the gcutil deleteaccessconfig command:

gcutil --project=<project-id> deleteaccessconfig  <instance-name> --access_config_name=<name> --network_interface_name=<interface-name>

Important Flags and Parameters:

--access_config_name=<name>
[Required The name of the access configuration to delete. The default value is External NAT.
--network_interface_name<interface-name>
[Required] The name of the network interface from where to delete the access configuration. The default value is nic0.

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.