Create and use IPv6 sub-prefixes

This page describes how to divide your IPv6 public delegated prefix into sub-prefixes that you can assign to resources in specific projects. You can use IP addresses from an IPv6 sub-prefix to create forwarding rules for external passthrough Network Load Balancers or subnets that can only host virtual machine (VM) instances.

There are three types or modes for sub-prefixes. A sub-prefix's mode determines how you can use its IP address range:

For further delegation: Sub-prefixes that you can further divide into smaller sub-prefixes (--mode=DELEGATION).
For forwarding rules: Sub-prefixes that you can use as a source of regional external IPv6 addresses for forwarding rules (--mode=EXTERNAL_IPV6_FORWARDING_RULE_CREATION). You choose a prefix length for the IPv6 addresses at the time that you create the sub-prefix. The forwarding rules can only be used for external passthrough Network Load Balancers and external protocol forwarding.
For subnets: Sub-prefixes that you can use as a source of regional external IPv6 address ranges for subnets (--mode=EXTERNAL_IPV6_SUBNETWORK_CREATION). IP addresses in subnets that you create with these sub-prefixes can only be used by VM instances.

IPv6 sub-prefix specifications

A sub-prefix is a public delegated prefix that has a public delegated prefix parent.

You can't change the mode of a sub-prefix. If needed, you can delete it and then recreate it. Before you can delete a sub-prefix, it must not be in use by any resources.

A public delegated prefix can be sub-delegated up to three times from a public advertised prefix.

All IP addresses in the sub-prefix are made available; there is no reserved network address or broadcast address.

You can't edit a sub-prefix to change its name. As a best practice, choose generic names that won't need to change—for example, sub-2001-db8-0-0-0-0-0-0-40, where sub denotes the resource type and 2001-db8-0-0-0-0-0-0-40 denotes the specific prefix and prefix length.

The following table describes additional specifications for creating IPv6 sub-prefixes.

Configuration	Regional (v2)
Public advertised prefix	Minimum size (maximum prefix length) is `/48`
Public delegated prefix (top level, not sub-prefix)	Can be the same size or smaller (have a longer prefix length) than the parent public advertised prefix Valid lengths: `/32`, `/40`, `/48`, or `/56` The difference between the prefix length of a top level public delegated prefix and its parent public advertised prefix can't be greater than 24
Sub-prefix	Can be the same size or smaller (have a longer prefix length) than the parent public delegated prefix Valid lengths: Delegation or forwarding rule creation mode: `/32`, `/40`, `/48`, `/56`, `/64`, or `/72` Subnetwork creation mode: `/32`, `/40`, `/48`, or `/56` Parent of subnet creation mode sub-prefix: `/32`, `/40`, `/48`, or `/56` The difference between the prefix length of a sub-prefix and its parent public delegated prefix can't be greater than 24
Allocatable prefix length for forwarding rules	Determines the prefix length for IPv6 address ranges that are used by forwarding rules Specified by the Allocatable prefix length field when creating an IPv6 sub-prefix for forwarding rules Must be smaller than the associated sub-prefix—the difference between the allocatable prefix length and the sub-prefix length must be at least 8, and can't be greater than 32 Valid lengths: `/48`, `/56`, `/64`, `/72`, `/80`, `/88`, `/96` Default lengths: If the parent sub-prefix's length is `/64` or `/72`, the default allocatable prefix length is `/96` Otherwise, the default allocatable prefix length is `/64`

Before you begin

Create an IPv6 public advertised prefix.
Create an IPv6 public delegated prefix.

Roles

To get the permissions that you need to complete the tasks in this guide, ask your administrator to grant you the Compute Public IP Admin (roles/compute.publicIpAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create IPv6 sub-prefixes for further delegation

IPv6 sub-prefixes that are in delegation mode can be sub-delegated into smaller sub-prefixes. IPv6 sub-prefixes in other modes can't be further divided.

A public delegated prefix can be sub-delegated up to three times from a public advertised prefix. For example, if you have a public advertised prefix with IP address range 2001:db8::/32, you can do the following:

Create a public delegated prefix in delegation mode with IP address range 2001:db8::/40, with the public advertised prefix as a parent.
Create a sub-prefix in delegation mode with IP address range 2001:db8::/48 that has the previous public delegated prefix as its parent.
Create a sub-prefix in forwarding rule or subnet creation mode with IP address range 2001:db8::/56 that has the previous sub-prefix as its parent.

At this point, you cannot create further sub-prefixes that have the 2001:db8::/56 sub-prefix as a parent.

The prefix length of a delegation mode sub-prefix determines the possible modes of child sub-prefixes.

Console

In the Google Cloud console, go to Bring your own IP.

Go to Bring your own IP
Click the public delegated prefix that you want to subdivide.
Click Create sub-prefix.
Enter a name and optional description for the sub-prefix.
In the Prefix length list, select a prefix length for the sub-prefix.
Enter an IPv6 address range to assign to the sub-prefix.
In the How this PDP will be used section, select Subdivide into smaller PDPs.
In the Project menu, select the project that you want to use the sub-prefix in.
Click Create.

gcloud

To create a sub-prefix for further delegation, use the gcloud compute public-delegated-prefixes create command.

gcloud compute public-delegated-prefixes create SUB_PREFIX_NAME \
    --range=SUB_PREFIX_RANGE \
    --mode=DELEGATION \
    --public-delegated-prefix=PDP_NAME \
    --region=PDP_REGION \
    --project=PROJECT_ID

Replace the following:

SUB_PREFIX_NAME: a name for this sub-prefix
SUB_PREFIX_RANGE: the IP address range for this sub-prefix
PDP_NAME: the parent public delegated prefix of this sub-prefix
PDP_REGION: the region for this sub-prefix
PROJECT_ID: the project to delegate the sub-prefix to

If the --delegatee-project flag is omitted, the sub-prefix is created in the same project as the parent public delegated prefix.

Create forwarding rules by using IPv6 sub-prefixes

To create forwarding rules with regional external IPv6 address ranges that are allocated from IPv6 sub-prefixes, do the following. The forwarding rules can only be used for external passthrough Network Load Balancers and external protocol forwarding.

Create an IPv6 sub-prefix for forwarding rules

Create a sub-prefix in forwarding rule creation mode that uses the IP address range that you want to use for forwarding rules. When you create an IPv6 sub-prefix for forwarding rules, you can't further sub-divide that prefix.

Console

In the Google Cloud console, go to Bring your own IP.

Go to Bring your own IP
Click the public delegated prefix that you want to subdivide.
Click Create sub-prefix.
Enter a name and optional description for the sub-prefix.
In the Prefix length list, select a Prefix length for the sub-prefix.
Enter an IPv6 address range to assign to the sub-prefix.
In the How this PDP will be used section, select Allocate IPv6 address ranges for use.
In the Allocate to list, select Network Load Balancer forwarding rule.
In the Allocatable prefix length list, select a prefix length for IPv6 address ranges of forwarding rules that are created from this sub-prefix.
In the Project list, select the project that you want to use the sub-prefix in.
Click Create.

gcloud

To create a sub-prefix to use for creating forwarding rules, use the gcloud compute public-delegated-prefixes create command.

gcloud compute public-delegated-prefixes create SUB_PREFIX_NAME \
    --range=SUB_PREFIX_RANGE \
    --mode=EXTERNAL_IPV6_FORWARDING_RULE_CREATION \
    --allocatable-prefix-length=PREFIX_LENGTH \
    --public-delegated-prefix=PDP_NAME \
    --region=PDP_REGION \
    --project=PROJECT_ID

Replace the following:

SUB_PREFIX_NAME: a name for this sub-prefix
SUB_PREFIX_RANGE: the IP address range for this sub-prefix
PREFIX_LENGTH: the prefix length for the IPv6 address ranges that are used by forwarding rules

The default and possible values depend on the prefix length of SUB_PREFIX_RANGE. For more information, see Allocatable prefix length for forwarding rules.
PDP_NAME: the parent public delegated prefix of this sub-prefix
PDP_REGION: the region for this sub-prefix
PROJECT_ID: the project to delegate the sub-prefix to

If the --delegatee-project flag is omitted, the sub-prefix is created in the same project as the parent public delegated prefix.

Create forwarding rules for external passthrough Network Load Balancers

To create forwarding rules that use IPv6 address ranges from your sub-prefix, do any of the following:

Create and update subnets by using IPv6 sub-prefixes

To create or update subnets with external IPv6 address ranges that are allocated from IPv6 sub-prefixes, do the following. Subnet external address ranges that are allocated from IPv6 sub-prefixes can only be used to host VM instances or reserve static regional external IPv6 addresses with the VM endpoint type.

Create IPv6 sub-prefixes for subnets

Create a sub-prefix in subnet creation mode that uses the IP address range that you want to use for subnets. When you create an IPv6 sub-prefix for subnets, you can't further sub-divide that prefix.

Console

In the Google Cloud console, go to Bring your own IP.

Go to Bring your own IP
Click the public delegated prefix that you want to subdivide.
Click Create sub-prefix.
Enter a Name and optional Description for the sub-prefix.
Select a Prefix length for the sub-prefix.
In IPv6 range, enter an IPv6 address range to assign to the sub-prefix.
In the How this PDP will be used section, select Allocate IPv6 address ranges for use.
In the Allocate to list, select External subnet range for VMs.
In Project, select the project that you want to use the sub-prefix in.
Click Create.

gcloud

To create a sub-prefix to use for creating subnets, use the gcloud compute public-delegated-prefixes create command.

gcloud compute public-delegated-prefixes create SUB_PREFIX_NAME \
    --range=SUB_PREFIX_RANGE \
    --mode=EXTERNAL_IPV6_SUBNETWORK_CREATION \
    --public-delegated-prefix=PDP_NAME \
    --region=PDP_REGION \
    --project=PROJECT_ID

Replace the following:

SUB_PREFIX_NAME: a name for this sub-prefix
SUB_PREFIX_RANGE: the IP address range for this sub-prefix
PDP_NAME: the parent public delegated prefix of this sub-prefix
PDP_REGION: the region for this sub-prefix
PROJECT_ID: the project to delegate the sub-prefix to

If the --delegatee-project flag is omitted, the sub-prefix is created in the same project as the parent public delegated prefix.

Create subnets for VM instances

Create a dual-stack or IPv6-only subnet that uses an IP address range from your IPv6 sub-prefix. Subnet external address ranges that are allocated from IPv6 sub-prefixes can only be used to host VM instances or reserve static regional external IPv6 addresses with the VM endpoint type.

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
To view the VPC network details page, click the name of a VPC network.
On the Subnets tab, click Add subnet. In the panel that appears:
1. Provide a name.
2. Select a region.
3. For IP stack type, select either IPv4 and IPv6 (dual-stack) or IPv6 (single-stack).
4. If you are creating a dual-stack subnet, enter an IPv4 range.
5. In the IPv6 access type menu, select External.
6. Select the From PDP checkbox.
7. In the PDP list, select the sub-prefix to use for allocating IP addresses to the subnet.
8. Click Add.

gcloud

To create a dual-stack or IPv6-only subnet by using an IPv6 sub-prefix, use the gcloud compute networks subnets create command.

gcloud compute networks subnets create SUBNET \
    --network=NETWORK \
    --stack-type=STACK_TYPE \
    --ipv6-access-type=EXTERNAL \
    --region=REGION \
    --ip-collection=PDP_NAME \
    [--external-ipv6-prefix=IPV6_CIDR_RANGE] \
    [--range=PRIMARY_IPv4_RANGE]

Replace the following:

SUBNET: a name for the new subnet
NETWORK: the name of the VPC network that will contain the new subnet
STACK_TYPE: the subnet's stack type

The stack type can be IPV4_IPV6 or IPV6_ONLY. If you use IPV4_IPV6, you must specify a primary IPv4 range by using the --range flag.
REGION: the Google Cloud region in which the new subnet will be created, which must be the same region as this subnet's sub-prefix
PDP_NAME: the name of an IPv6 sub-prefix in EXTERNAL_IPV6_SUBNETWORK_CREATION mode to use for allocating IP addresses to this subnet
IPV6_CIDR_RANGE: an optional /64 external IPv6 CIDR range to assign to this subnet

The range must be associated with the subnet's sub-prefix. If empty, Google Cloud assigns the subnet a random /64 range from the CIDR block of the associated sub-prefix.
PRIMARY_IPv4_RANGE: for dual-stack subnets, the primary IPv4 range for the new subnet, in CIDR notation

Change an IPv4-only subnet into a dual-stack subnet for VM instances

You can change an IPv4-only subnet into a dual-stack subnet that uses an external IPv6 address range from a sub-prefix. Subnet external address ranges that are allocated from IPv6 sub-prefixes can only be used to host VM instances or reserve static regional external IPv6 addresses with the VM endpoint type.

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Click the name of the VPC network that contains the subnet to update.
Click Subnets, and then click the name of the subnet to update.
Click Edit.
In the IP stack type section, select IPv4 and IPv6 (dual-stack).
In the IPv6 access type section, select External.
Click the From PDP checkbox.
In the PDP list, select the sub-prefix to use for allocating IP addresses to the subnet.
Click Save.

gcloud

To change an IPv4-only subnet into a dual-stack subnet that uses an external IPv6 address range from a sub-prefix, use the gcloud compute networks subnets update command.

gcloud compute networks subnets update SUBNET \
    --ipv6-access-type=EXTERNAL \
    --stack-type=IPV4_IPV6 \
    --ip-collection=PDP_NAME \
    --region=REGION \
    [--external-ipv6-prefix=IPV6_CIDR_RANGE]

Replace the following:

SUBNET: a name for the new subnet
PDP_NAME: the name of an IPv6 sub-prefix in EXTERNAL_IPV6_SUBNETWORK_CREATION mode to use for allocating IP addresses to this subnet
REGION: the Google Cloud region in which the new subnet will be created, which must be the same region as this subnet's sub-prefix
IPV6_CIDR_RANGE: an optional /64 external IPv6 CIDR range to assign to this subnet

The range must be associated with the subnet's sub-prefix. If empty, Google Cloud assigns the subnet a random /64 range from the CIDR block of the associated sub-prefix.

List prefixes

You can list all public advertised prefixes and public delegated prefixes (including sub-prefixes) in a project.

Console

In the Google Cloud console, go to Bring your own IP.

Go to Bring your own IP
All public advertised prefixes, public delegated prefixes, and sub-prefixes are displayed.

gcloud

To list public delegated prefixes, including sub-prefixes, use the public-delegated-prefixes list command.

gcloud compute public-delegated-prefixes list

Create VMs with BYOIP-provided external IPv6 address ranges

After you create a subnet that uses a BYOIP-provided IPv6 range, you can do the following:

Reserve a static external IPv6 address, specifying VM for the endpoint type
Create an instance that uses IPv6 addresses, specifying EXTERNAL for the stack type
Assign a static external IPv6 address to a VM

What's next

Manage BGP announcement (v2)