Create VMs with multiple network interfaces

By default, every compute instance has at least one network interface (vNIC) that determines the Virtual Private Cloud network that the instance uses. You can create an instance with multiple network interfaces. Except for VPC networks that are created with an RDMA network profile, each network interface must be assigned to a subnet in a unique VPC network. The stack type of the network interface and the stack type of the subnet work together as described in Stack types and IP addresses

Each compute instance receives a default route using DHCP Option 121, as defined by RFC 3442. The default route is associated with nic0. Unless manually configured otherwise, any traffic leaving an instance for any destination other than a directly connected subnet leaves the instance using the default route on nic0.

On Linux systems, you can configure custom rules and routes within the guest OS using the /etc/iproute2/rt_tables file and the ip rule and ip route commands. For more information, consult the guest OS documentation. For an example, see the tutorial Configure routing for an additional interface.

If you don't require multiple network interfaces, follow the procedure for creating and starting an instance to create instances with the default network configuration.

Before you begin

Verify that all required networks and subnets are created before you create the compute instance. If you need to create networks or subnets, see Create and manage VPC networks.
Verify that each network has appropriate firewall rules that let data transfer to and from the instance that has multiple interfaces. If you need to create firewall rules, see Use VPC firewall rules.
If you are connecting an instance to multiple networks by using IPv6 addresses, then install the google-guest-agent version 20220603.00 or later. For more information, see I can't connect to a secondary interface's IPv6 address.
If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

Select the tab for how you plan to use the samples on this page:
Console

When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
1. After installing the Google Cloud CLI, initialize it by running the following command:
  gcloud init
  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
  
  Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
2. Set a default region and zone.
REST

To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Required roles

To get the permissions that you need to create an instance with a specific subnet, ask your administrator to grant you the Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to create an instance with a specific subnet. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to create an instance with a specific subnet:

compute.instances.create on the project
To specify a subnet for your instance: compute.subnetworks.use on the project or on the chosen subnet
To assign an external IP address to the instance when using a VPC network: compute.subnetworks.useExternalIp on the project or on the chosen subnet

You might also be able to get these permissions with custom roles or other predefined roles.

Requirements

Before you create an instance with multiple network interfaces, review the following requirements:

Except for VPC networks that are created with an RDMA network profile, the following limitation applies: If you create an instance with multiple network interfaces, each interface must connect to a different VPC network. The networks can be standalone VPC networks or Shared VPC networks.
Each network interface must use a unique subnet IP address range.
For multi-NIC compute instances in standalone projects, each network interface must use a subnet located in the same project as the instance. For instances in Shared VPC host or service projects, see Shared VPC in the Virtual Private Cloud documentation. Private Service Connect interfaces provide a way for a multi-NIC instance to have network interfaces in subnets in different projects. For more information, see About network attachments.

Create VM instances with multiple network interfaces

Most Compute Engine instances let you configure multiple vNICs when creating the instance.

For information about the number of network interfaces you can create for an instance, see Maximum number of network interfaces.
You can also configure Dynamic NICs when creating an instance.

For information about how to create a compute instance with multiple network interfaces, see Create VM instances with multiple network interfaces.

Add network interfaces to an existing instance

You can configure virtual NICs (vNICs) for an instance only when creating the instance. However, you can add or remove Dynamic NICs to an existing instance, and you don't have to restart the instance.

Dynamic NICs are subinterfaces of a parent vNIC. When you configure a Dynamic NIC, you specify a VLAN ID that is used to tag network traffic for the Dynamic NIC:

The VLAN ID of a Dynamic NIC must be an integer from 2 to 255.
The VLAN ID of a Dynamic NIC must be unique within a parent vNIC. However, Dynamic NICs that belong to different parent vNICs can use the same VLAN ID.

Google Cloud uses the following format for the name of a Dynamic NIC: PARENT_NIC_NUMBER.VLAN_ID

PARENT_NIC_NUMBER is the name of the parent vNIC, for example nic0. The VLAN_ID is the number you specified when configuring the Dynamic NIC. An example Dynamic NIC name is nic0.4.

For information about how to add Dynamic NICs to an instance, see Add Dynamic NICs to an instance.

What's next?

Learn how to use SSH connections to connect to your instance.
Access VMs using internal DNS
Create a PTR record for a VM instance

Create VMs with multiple network interfaces Stay organized with collections Save and categorize content based on your preferences.