IP addressing options IPv4 and IPv6

1. Introduction

IP addressing options in Google Cloud

IP addresses help identify both networks and hosts in the network. There are IPv4 and IPv6 address types.These addresses should be unique in order to allow traffic on the networking to identify source and destination for packet exchange. IP addressing is not unique to Google Cloud and exists both in the cloud and on premise environments.

Virtual Private Cloud (VPC)

The VPC is a logical representation of a traditional data center. In addition to the default VPC and auto mode VPC, Google Cloud allows you to create a custom VPC. These custom VPC's allow you full administration over the VPC configuration.

Load balancers

A Load balancer allows distribution of traffic across multiple instances of your application. Google Cloud has several load balancer types listed in the Load balancing documentation. In this lab we would be creating a Global external Application load balancer to access our simple website.

Cloud NAT

This allows your private subnets to communicate with the internet. This works by translating your internal IP address to a public IP address to make a connection to the external host. The return traffic from the external source is then reverse translated at the NAT gateway to use private addressing to return the traffic to the client. The connection is initiated in an egress manner.

Virtual machine

These are virtual systems which run operating systems. These can be configured based on the user requirements and comprise of memory, storage, networking and OS components.

What you'll build

In this codelab, you're going to create two custom VPCs, enable and configure IPv4 and IPv6 address types (internal & external). You will also build a simple nginx server on a VM with a Private IP address, expose it using an external Application Load Balancer and connect to it using a IPv4 and IPv6 addresses:

• Create two custom VPCs and add some firewall rules
• Create single stack IPv4 and dual stack IPv4_IPv6 subnets
• Create a NAT Gateway for the private resources in the subnet to get updates
• Create a private VM apache server using a MIG
• Expose private VM servers via Application LB with static IPV4 and IPv6 addresses
• Create an external IPv4, IPv6 client
• Connect to IPv4 and IPv6 Application load balancer address from client

What you'll learn

• How to create custom VPC
• How to enable IPV6 on subnets
• How to set firewall rules
• How to create a NAT gateway
• How to create a managed instance group
• How you create IPv4, IPv6 clients
• How to create static IP's
• How to create Application LB

This codelab is focused on IP addressing and would also use VMs and load balancers specifically.

What you'll need

• A web browser to connect to the Google Cloud console
• Ability to create VPCs and firewall rules
• Ability to use ssh
• A Google Cloud account

2. Getting set up

Lab setup

Self-paced environment setup

1. Sign-in to the Google Cloud Console and create a new project or reuse an existing one. If you don't already have a Gmail or Google Workspace account, you must create one.

• The Project name is the display name for this project's participants. It is a character string not used by Google APIs. You can always update it.
• The Project ID is unique across all Google Cloud projects and is immutable (cannot be changed after it has been set). The Cloud Console auto-generates a unique string; usually you don't care what it is. In most codelabs, you'll need to reference your Project ID (typically identified as PROJECT_ID). If you don't like the generated ID, you might generate another random one. Alternatively, you can try your own, and see if it's available. It can't be changed after this step and remains for the duration of the project.
• For your information, there is a third value, a Project Number, which some APIs use. Learn more about all three of these values in the documentation.

2. Next, you'll need to enable billing in the Cloud Console to use Cloud resources/APIs. Running through this codelab won't cost much, if anything at all. To shut down resources to avoid incurring billing beyond this tutorial, you can delete the resources you created or delete the project. New Google Cloud users are eligible for the $300 USD Free Trial program.

Start Cloud Shell

While Google Cloud can be operated remotely from your laptop, in this codelab you will be using Google Cloud Shell, a command line environment running in the Cloud.

From the Google Cloud Console, click the Cloud Shell icon on the top right toolbar:

It should only take a few moments to provision and connect to the environment. When it is finished, you should see something like this:

This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on Google Cloud, greatly enhancing network performance and authentication. All of your work in this codelab can be done within a browser. You do not need to install anything.

3. Configure Custom VPC

Why a custom VPC?

In this lab we will be adding a few firewall rules including those for IPv6 traffic and it would be great to separate those from the default network. Additionally we will be enabling IPv6 on a subnet. Some of the requirements for this is that it be enabled on a custom mode network. Automatically created subnets in auto mode networks are not supported.

Set up a custom VPC with internal IPv6

1. Under networking select VPC network
2. From the top select create VPC network

3. In the Create a VPC network section add the following:
4. Enter a Name for the network as ipv4-ipv6-network
5. In the VPC network ULA internal IPv6 range section select Enabled
6. In the Allocate ULA internal IPv6 range section select Automatically
7. Choose Custom for the Subnet creation mode.
8. In the New subnet section, specify the following configuration parameters for a subnet:

• Select done

9. We are going to add another subnet and enable IPV6. To add another subnet select ADD SUBNET. In the New subnet section, specify the following configuration parameters for a subnet:

• For the Name for the subnet enter ipv6net
• For Region select us-central1
• For IP stack type select IPv4 and IPV6 (dual-stack)
• Enter an IPv4 range use 192.168.20.0/24
• For IPv6 access type select Internal
• Select done

10. In the Firewall rules section, select the following

• On the IPv4 Firewall rules tab select all available options: allow-cutom (for internal communication), allow-icmp, allow-rdp, allow-ssh.
• On the IPv6 Firewall rules tab select all available options: allow-ipv6-cutom (for internal communication), allow-ipv6-icmp, allow-ipv6-rdp, allow-ipv6-ssh.
  These options automatically create a matching rule for the new subnet.

11. In the Dynamic routing mode section select Global.for the VPC network. For more information, see dynamic routing mode. You can change the dynamic routing mode later.
12. For the Maximum transmission unit (MTU) choose 1460.
13. Click Create.

Set up a custom VPC with external IPv6

1. Under networking select VPC network
2. From the top select create VPC network
3. 
4. In the Create a VPC network section add the following:
5. Enter a Name for the network as external-ipv6-network
6. In the VPC network ULA internal IPv6 range section select Enabled
7. In the Allocate ULA internal IPv6 range section select Automatically
8. Choose Custom for the Subnet creation mode.
9. In the New subnet section, specify the following configuration parameters for a subnet:

• For the Name for the subnet enter ipv6-external
• For Region select us-east1
• For IP stack type select IPv4 and IPv6 (dual stack)
• Enter an IPv4 range use 192.168.200.0/24
• For IPv6 access type select External
• Select done

10. In the Firewall rules section, select the following

• On the IPv4 Firewall rules tab select all available options: allow-cutom (for internal communication), allow-icmp, allow-rdp, allow-ssh.
• On the IPv6 Firewall rules tab select all available options: allow-ipv6-cutom (for internal communication), allow-ipv6-icmp, allow-ipv6-rdp, allow-ipv6-ssh. In this lab we would use this option to automatically create a matching rule in the new subnet.

11. In the Dynamic routing mode section select Global.for the VPC network. For more information, see dynamic routing mode. You can change the dynamic routing mode later.
12. For the Maximum transmission unit (MTU) choose 1460.
13. Click Create.

Verify firewall rules

Firewall rule control allows you to deny traffic to your services.

To verify rules exist:

1. Go to VPC network
2. On the left panel select firewall

3. Look at the display area and make sure you see firewall rules for the new networks created. Scroll across, look for the network column and scroll down. You should see the name of the network you create in the network column of the firewall rules. In this case ipv4-ipv6-network and external-ipv6-network. This name must be unique for the project.
4. Next we will create a new firewall rule to allow health checks
5. Open cloud run f not already open by select Activate Cloud Shell ( ) on the top bar. A Cloud Shell session opens and displays a command-line prompt. Ensure you are in the correct project and paste the following code.

gcloud compute firewall-rules create ipv4-ipv6-hc \
--direction=INGRESS \
--network=ipv4-ipv6-network \
--action=ALLOW \
--rules=tcp:80,tcp:8080,tcp:443 \
--source-ranges=35.191.0.0/16,130.211.0.0/22,209.85.152.0/22,209.85.204.0/22 \
--target-tags=ipv6-server

6. Once complete verify you see and entry for the firewall rule ipv6-ipv4-hc attached to the ipv4-ipv6-network

4. Configure NAT gateway

1. Go to Network Services
2. Select Cloud NAT and the select get started

3. Gateway name use ipv4-ipv6-nat
4. Network select ipv4-ipv6-network
5. Region select us-central1
6. Cloud router select Create new router
7. Create a router page configure the following:

• Name ipv4-ipv6-nat-router
• Leave everything else as default and select create

8. Back on the Create Cloud NAT gateway page leave other options as they are an select create

5. Configure Instances in private VPC

Create Instances template private VPC

1. Open Cloud Shell.
2. Verify you are in the correct project if you have multiple
3. Copy and paste the following

gcloud compute instance-templates create ipv6-internal-server \
--region=us-central1 \
--network-interface=subnet=ipv6net,no-address,stack-type=IPV4_IPV6 \
--machine-type=n1-standard-1 \
--metadata=^,@^startup-script=\#\!/bin/bash$'\n'\#\ package\ updates\ \ \ \ \ \ $'\n'apt\ update\ -y$'\n'apt\ install\ nginx\ -y$'\n'systemctl\ start\ nginx$'\n'systemctl\ enable\ nginx$'\n'systemctl\ status\ nginx\ \|\ grep\ Active$'\n'chown\ -R\ \$USER:\$USER\ /var/www$'\n'cd\ /var/www/html/$'\n'echo\ \'\<\!DOCTYPE\ html\>\'\ \>\ /var/www/html/index.html$'\n'echo\ \'\<html\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<head\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<title\>Awesome\ web\ app\</title\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<meta\ charset=\"UTF-8\"\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\</head\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<body\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<h1\>IPv6\ server\</h1\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<h3\>You\ are\ successful\</h3\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\</body\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\</html\>\'\ \>\>\ /var/www/html/index.html$'\n'  --tags=ipv6-server,http-server,https-server \
--create-disk=auto-delete=yes,boot=yes,device-name=ipv6-internal-server,image=projects/debian-cloud/global/images/debian-11-bullseye-v20230306,mode=rw,size=20,type=pd-balanced 

4. Go to Compute Engine
5. Select Instance template
6. In the instance template window ensure you see the template you just created
7. Click on the name of the template and scroll down to see the configuration.

• Under Network interfaces make sure you see Stack Type as IPv4 and IPv6

Create an instance group in private VPC

1. Go to Compute Engine
2. Select expand Instance groups
3. Select Health Checks

4. Select create a health check
5. On the Create a health check page use the following:

• Name use ipv6-server-hc
• Protocol TCP Port 80
• Scroll to the Health Criteria section
• Check interval 10, Timeout 5
• Healthy threshold 2, Unhealthy threshold 4

6. Scroll to the end select create
7. Go to Compute Engine
8. Select Instance groups
9. Select Create Instance group
10. Select New managed instance group (stateful)
11. Name use ipv6-server-igp
12. For Instance template use ipv6-internal-server
13. For number of instances use 2
14. For Location use Single Zone make sure region is us-central1
15. Scroll down under Auto-healing:

• Health-check use ipv6-server-hc
• For Initial delay type 120
• Leave everything else as default and select create

This will take a few minutes to complete creating the instance group

Verify Instance group and VMs

Once you Instance group is complete lets verify

1. Go to Compute Engine and select Instance groups
2. Select the name of the instance group you just created ipv6-server-igp
3. Ensure that you are seeing the following:

• Instance by status 2 instances (Please give it a little time for all the health check to run if it is not yet showing healthy)
• Instance by health 100% healthy

Next let's jump over directly to the VMs in this instance group and do some test

4. Select VM instances you should see two VMs with names starting with ipv6-server-igp
5. Scroll across and under the Internal IP column you should see both IPV4 and IPV6 addresses. Take a note of both addresses for each server.
6. Next to the first VM select SSH. This will open an SSH session directly to the server.
7. In the SSH window type curl localhost. You should get a response from the web server running on the VM displaying the HTML like below:

8. Next type ip addr to display the address information. Verify that the exxx interface has the same IPv4 and IPv6 address that you recorded from the before in step 6 for this VM
9. Do a ping -c 4 XXXX from this VM to the second VMs IPv4 address, then do the same using the second VMs IPv6 address.

10. <Optional> you can SSH into the second VM and do the same test. Try pinging VM 1 IPv4 and IPv6 addresses.

Create a stand alone IPv4 only instance in the private VPC

1. Go to Compute Engine
2. Select VM Instances and select create instance
3. Fill out the configuration page as follows:

• Name use ipv4-only
• Region select europe-west1

4. Scroll down, expand Advanced Options then expand Networking. Now use the following: under network Interfaces

• Select the drop down arrow next to default so see the edit interface options

5. For Network change to ipv4-ipv6-network

• Subnetwork ipv4
• External IPv4 address select None
• Select done

6. Scroll to the end and select create
7. It will take a few minutes to create the VM. This VM is located in an IPv4 only subnet, with no external IP address assigned. To verify go to the VM Instance page and look for the VM called ipv4-only
8. Select SSH to SSH into the VM called ipv4-only
9. Do a ping -c 4 X.X.X.X to the private IPv4 addresses of any of the VM's created prior starting with the name ipv6-server-igp. You can successfully ping the internal IPv4 addresses of these VMs.

6. Create and Application LB with IPv4 and IPv6 addresses in private VPC

Create two static external IPs

1. Go to VPC network
2. Select IP addresses and select reserve external static address
3. For the IPv4 address use the following:

• Name ipv4-lb-ip
• IP version IPv4
• Type Global
• scroll to end and select reserve

4. For the IPv6 address repeat step 2 and use the following:

• Name ipv6-lb-ip
• IP version IPv6
• Type Global
• scroll to end and select reserve

Record these IP addresses. You will need them to test connectivity in the last section.

Create the External Application LB

5. Go to Network Services
6. Select create load balancer
7. Under Type of load balancer select Application load balancer (HTTP/HTTPS) then next
8. Under Public facing or internal select Public facing (external) then next
9. Under Global or single-region deployment select Best for global workloads then next.
10. Under Load Balancer generation select Global external application load balancer then next.
11. Select configure
12. At the top under Create global external Application Load Balancer use the name ipv4-ipv6-lb-demo
13. Next select Frontend configuration and use the following:

• Name ipv4-fe-lb
• Protocol HTTP
• IP version IPv4
• IP address select ipv4-lb-ip to assign the static external IPv4 IP we created
• Port 80
• Select done

14. Under frontend let's configure and IPv6 attachment select Add Frontend IP and Port:

• Name ipv6-fe-lb
• Protocol HTTP
• IP version IPv6
• IP address select ipv6-lb-ip to assign the static external IPv6 IP we created
• Port 80
• Select done

15. Select Backend configuration on the right hand pane under backend service and backend buckets choose Create a backend service then use the following:

• Name server-backend
• Backend type Instance group
• Protocol HTTP
• Instance group ipv6-server-igp
• Port numbers 80, 8080
• Deselect Enable Cloud CDN

• Health check select ipv6-server-hc
• Scroll to end select create
• Then select ok

16. Scroll to the bottom of the page choose create. When it's complete it you should see this

17. Click on the name of the new LB and under the front end take a note of the ipv4 and ipv6 addresses. You will need them for the last test.

7. Create single instance with external and internal IPv4 and IPv6 Addresses

Create a stand alone with external IPv4 and IPv6 address

1. Go to Compute Engine
2. Select VM Instances and select create instance
3. Fill out the configuration page as follows:

• Name use external-ipv4-ipv6
• Region select us-east1

4. Scroll down, expand Advanced Options then expand Networking. Now use the following:

• Under Network interface select Network external-ipv6-network
• Subnetwork ipv6-external
• IP Stack type IPv4 and IPv6 (dual-stack)
• External IPv4 address select Ephemeral
• Select done

5. Scroll to the end and select create
6. It will take a few minutes to create the VM. This VM is located in an IPv4_IPv6 subnet with external IPv6 address access. To verify go to the VM Instance page and look for the VM called external-ipv4-ipv6
7. Select the SSH option to SSH into the external-ipv4-ipv6 VM
8. Type ip addr to check the IPv4 and IPv6 address assigned to your VM
9. Go to the IPv4 address of the ipv4-ipv6-lb-demo
10. In your external-ipv4-ipv6 VM SSH session type curl X.X.X.X where X.X.X.X is the IPv4 address of the ipv4-ipv6-lb-demo load balancer. You should see the HTML of the website running on the servers in the ipv4-ipv6-network
11. In your external-ipv4-ipv6 VM SSH session type curl [X:X:X:X]:80 where X:X:X:X is the IPv6 address of the ipv4-ipv6-lb-demo load balancer. It should look something like this curl [2600:1901:X:XXXX::]:80 You should see the HTML of the website running on the servers in the ipv4-ipv6-network

8. Clean Up

To clean up your project you can run the following commands.

gcloud compute instances delete external-ipv4-ipv6 --zone=us-east1-b --quiet
gcloud compute instances delete ipv4-only --zone=europe-west1-b --quiet

gcloud compute forwarding-rules delete ipv4-fe-lb --global --quiet
gcloud compute forwarding-rules delete ipv6-fe-lb --global --quiet
gcloud compute target-http-proxies delete ipv4-ipv6-lb-demo-target-proxy --quiet
gcloud compute target-http-proxies delete ipv4-ipv6-lb-demo-target-proxy-2 --quiet
gcloud compute url-maps delete ipv4-ipv6-lb-demo --quiet
gcloud compute backend-services delete server-backend --global --quiet

gcloud compute addresses delete ipv4-lb-ip --global --quiet
gcloud compute addresses delete ipv6-lp-ip --global --quiet


gcloud compute instance-groups managed delete ipv6-server-igp --zone us-central1-a --quiet

gcloud compute instance-templates delete "ipv6-internal-server" --quiet

gcloud compute health-checks delete ipv6-server-hc --quiet

gcloud compute routers nats delete ipv4-ipv6-nat --router=ipv4-ipv6-nat-router --region=us-central1 --quiet

gcloud compute routers delete ipv4-ipv6-nat-router --region=us-central1 --quiet

gcloud compute firewall-rules delete external-ipv6-network-allow-ipv6-custom external-ipv6-network-allow-ipv6-ssh external-ipv6-network-allow-rdp external-ipv6-network-allow-ipv6-rdp external-ipv6-network-allow-ssh external-ipv6-network-allow-ipv6-icmp external-ipv6-network-allow-custom external-ipv6-network-allow-icmp --quiet


gcloud compute firewall-rules delete ipv4-ipv6-hc ipv4-ipv6-network-allow-custom ipv4-ipv6-network-allow-ipv6-icmp ipv4-ipv6-network-allow-icmp ipv4-ipv6-network-allow-ssh ipv4-ipv6-network-allow-rdp ipv4-ipv6-network-allow-ipv6-ssh ipv4-ipv6-network-allow-ipv6-rdp ipv4-ipv6-network-allow-ipv6-custom --quiet

gcloud compute networks subnets delete ipv4 --region=europe-west1 --quiet
gcloud compute networks subnets delete ipv6net --region=us-central1 --quiet
gcloud compute networks subnets delete ipv6-external --region=us-east1 --quiet

gcloud compute networks delete external-ipv6-network --quiet
gcloud compute networks delete ipv4-ipv6-network --quiet

9. Congratulations

Congratulations, you've successfully explored both IPv4 and IPv6 networking options!

Reference docs

• Documentation: IP Addressing
• Documentation: Enable IPv6 on the subnet.
• Documentation: IPv6 termination for External HTTP(S), SSL Proxy, and External TCP

Manual Last Updated March, 2023

Lab Last Tested March, 2023