IPv6 support in Google Cloud

This document describes which services in Google Cloud include support for IPv6.

IPv6 has a much larger address space than IPv4, with 128 bits per address. IPv6 has many more addresses available than IPv4 does, which helps mitigate the growing shortage of IPv4 addresses.

IPv6 support is widely available in Google Cloud through dual-stack (IPv4 and IPv6) compute and networking services. You can deploy dual-stack subnets, which lets you deploy IPv6 workloads. Additionally, IPv6-only support is available for some compute and networking services in Preview.

You can control IPv6 configurations by using organization policy constraints as described in the organization policy constraints section of the VPC networks overview.

Core compute and networking services

The following table summarizes support for IPv6 in core compute and networking services in Google Cloud.

If a service has an IP stack type configuration option, the table lists the supported stack types. The IPv6-only (Preview) stack type is available for some services where marked in the table. If a service doesn't have a stack type configuration option, the table lists not applicable (N/A).

For more information about a given service, see the corresponding documentation.

Service	IPv6 support	Supported stack types	Documentation
Compute
Compute Engine instances¹		Dual-stack, IPv6-only (Preview)	Compute Engine IP addresses overview Configuring IPv6 for instances and instance templates
Compute Engine instance templates		Dual-stack, IPv6-only (Preview)
Compute Engine managed instance groups (MIGs)²		Dual-stack	MIGs IPv6 overview Basic scenarios for creating MIGs
Google Kubernetes Engine (GKE) nodes and pods		Dual-stack	GKE IPv6 overview Use an IPv4 and IPv6 dual-stack network to create a dual-stack cluster
Networking
VPC networks
Subnets		Dual-stack, IPv6-only (Preview)	Subnets IPv6 overview Add a subnet with an IPv6 address range
VPC Network Peering³		Dual-stack	VPC Network Peering overview Use VPC Network Peering
Static IP address reservation		N/A	IP addresses overview Reserve a static internal IPv6 address Reserve a static external IPv6 address
Static routes⁴		N/A	Static routes Add an IPv6 static route
Policy-based routes	(Preview)	N/A	Policy-based routes overview Create a policy-based route for IPv6 traffic
Network Connectivity
Cloud Router		N/A	Cloud Router IP protocols support Establish IPv6 BGP sessions Configure multiprotocol BGP for IPv4 or IPv6 BGP sessions
Network Connectivity Center	(Preview)	N/A	You can configure VPC spokes to exchange only IPv4 subnet ranges, both IPv4 and IPv6 subnet ranges, or only IPv6 subnet ranges. See: IP addressing Create a VPC spoke
Dedicated Interconnect VLAN attachments³		Dual-stack	Dedicated Interconnect IPv6 overview Create dual-stack VLAN attachments
Partner Interconnect VLAN attachments³		Dual-stack	Partner Interconnect IPv6 overview Create dual-stack VLAN attachments
HA VPN		Dual-stack, IPv6-only (Preview)	HA VPN IPv6 overview Migrate to an IPv6 HA VPN gateway
Classic VPN		N/A
Network security
Cloud Next Generation Firewall		N/A	Firewall policy rules overview VPC firewall rules overview
Packet Mirroring		N/A	Packet Mirroring overview Mirror IPv6 traffic
DNS
Cloud DNS⁵		N/A	DNS records overview Add, modify, and delete records
Cloud Load Balancing
Global external Application Load Balancer		Dual-stack	End-to-end dual-stack support. See: IPv6 for Application Load Balancers and proxy Network Load Balancers Convert Application Load Balancer to IPv6 Convert proxy Network Load Balancer to IPv6
Global external proxy Network Load Balancer		Dual-stack
Regional external Application Load Balancer		Dual-stack	Dual-stack backends are supported but load balancers can't terminate IPv6 connections from clients. See: IPv6 for Application Load Balancers and proxy Network Load Balancers Convert Application Load Balancer to IPv6 Convert proxy Network Load Balancer to IPv6
Regional internal Application Load Balancer		Dual-stack
Cross-region internal Application Load Balancer		Dual-stack
Regional external proxy Network Load Balancer		Dual-stack
Regional internal proxy Network Load Balancer		Dual-stack
Cross-region internal proxy Network Load Balancer		Dual-stack
Classic Application Load Balancer		N/A	Load balancers can terminate IPv6 connections from clients but backends with IPv6 addresses aren't supported. See IPv6 for Application Load Balancers and proxy Network Load Balancers.
Classic proxy Network Load Balancer		N/A
External passthrough Network Load Balancer⁶		Dual-stack, IPv6-only (Preview)	End-to-end dual-stack or IPv6-only support. See Backend service-based external passthrough Network Load Balancer overview.
Internal passthrough Network Load Balancer⁶		Dual-stack, IPv6-only (Preview)	End-to-end dual-stack or IPv6-only support. See Internal passthrough Network Load Balancer overview.
Private access for services
Private Service Connect published services⁷		N/A	Published services overview Publish IPv6 services by using Private Service Connect
Private Service Connect endpoints for published services		N/A	Accessing published services through endpoints overview Access IPv4 and IPv6 published services through IPv6 endpoints
Private Service Connect interfaces		Dual-stack	Private Service Connect interfaces overview Create a dual-stack interface Create a network attachment with a dual-stack subnet
Private Service Connect backends		N/A

¹ See the following limitations:

IPv6-only instances support only Debian and Ubuntu operating systems.
IPv6-only instances don't support Compute Engine Internal DNS.

² For MIGs, the autohealing endpoint supports only IPv4.

³ VPC Network Peering and Cloud Interconnect VLAN attachments themselves can only be configured as dual-stack and not IPv6-only. However, when configured as dual-stack they are compatible with IPv6-only resources such as subnets and instances.

⁴ For static routes, some next hop types don't support IPv6, and support differs between dual-stack and IPv6-only. For more information, see Next hops and features.

⁵ Cloud DNS doesn't support IPv6 for inbound or outbound forwarding.

⁶ IPv6-only support is limited to unmanaged instance group backends and protocol forwarding with IPv6-only target instances.

⁷ Private Service Connect doesn't support IPv6-only subnets for the producer's NAT subnet. For more information, see Create a subnet for Private Service Connect.

Application services

The following table summarizes support for IPv6 in commonly used Google APIs and services.

For services that support private IPv6 access, private access from IPv6 clients is supported by Private Google Access.

For more information, see Additional details about application services and IPv6.

Service	Public IPv6 access	Private IPv6 access
AlloyDB for PostgreSQL API
AlloyDB for PostgreSQL instances¹
Bigtable
BigQuery
Dataflow
Dataproc
Cloud Deploy
Firestore
Cloud Identity
Cloud Logging
Memorystore for Memcached API
Memorystore for Memcached instances¹
Memorystore for Redis API
Memorystore for Redis instances¹
Cloud Monitoring
Pub/Sub
Spanner
Cloud SQL Admin API for MySQL
Cloud SQL for MySQL instances¹
Cloud SQL Admin API for PostgreSQL
Cloud SQL for PostgreSQL instances¹
Cloud SQL Admin API for SQL Server
Cloud SQL for SQL Server instances¹
Cloud Storage
Cloud Tasks
Cloud Trace
Workflows
Container Registry / Artifact Registry
Secret Manager

¹ Some products have an administrative API that runs on Google's production infrastructure and can be accessed by IPv6 clients, but the API creates VPC-hosted resources that can't be accessed by IPv6 clients. For example, Memorystore for Memcached has an administrative API at memcache.googleapis.com. Using this API lets you perform some administrative tasks for your Memorystore for Memcached instances, but you must use private services access to access the Memorystore for Memcached instances.

Additional details about application services and IPv6

There are two varieties of Google APIs and services:

Services that run on Google's production infrastructure, including all *.googleapis.com service endpoints.
Services that run in VPC networks that are run by Google (also known as VPC-hosted services), such as Cloud SQL and Filestore.

Most services that run on Google's production infrastructure support access by clients with IPv6 addresses:

Public access from IPv6 clients is supported.
Private access from IPv6 clients is supported by Private Google Access. For more information about Private Google Access and supported services, see Domain options. You can't use Private Service Connect endpoints for global Google APIs or regional Google APIs to access services from IPV6 clients.

For more information about services that run on Google's infrastructure, see the Google APIs Explorer.

For VPC-hosted services, support for access by IPv6 clients depends on the private access option that you use:

You can create IPv6 Private Service Connect endpoints to let clients with IPv6 addresses access published services.
Private services access doesn't support access by clients that have IPv6 addresses. For more information, see the Supported services in the private services access documentation.