IP addressing options IPv4 and IPv6

1. Introduction

IP addressing options in Google Cloud

IP addresses identify both networks and the hosts in a network. There are two address types, IPv4 and IPv6. Addresses must be unique so that traffic on the network can identify the source and destination of each packet exchange. IP addressing is not unique to Google Cloud; it exists in both cloud and on-premises environments.

Virtual Private Cloud (VPC)

The VPC is a logical representation of a traditional data center. In addition to the default VPC and auto mode VPC, Google Cloud allows you to create a custom VPC. Custom VPCs give you full administration over the VPC configuration.

Load balancers

A load balancer distributes traffic across multiple instances of your application. Google Cloud has several load balancer types, listed in the Load balancing documentation. In this lab we will create a Global external HTTP(S) load balancer to access our simple website.

Cloud NAT

Cloud NAT allows resources in your private subnets to communicate with the internet. It translates the internal IP address to a public IP address to make the connection to the external host. Return traffic from the external host is reverse-translated at the NAT gateway and delivered to the client on its private address. Connections are initiated in the egress direction.

Virtual machine

These are virtual systems which run operating systems. They can be configured based on user requirements and comprise memory, storage, networking and OS components.

What you'll build

In this codelab, you're going to create two custom VPCs and enable and configure IPv4 and IPv6 address types (internal and external). You will also build a simple nginx server on a VM with a private IP address, expose it using an external HTTP(S) Load Balancer and connect to it using IPv4 and IPv6 addresses:

  • Create two custom VPCs and add some firewall rules
  • Create single stack IPv4 and dual stack IPv4_IPv6 subnets
  • Create a NAT Gateway for the private resources in the subnet to get updates
  • Create a private VM nginx server using a MIG
  • Expose private VM servers via HTTP(S) LB with static IPv4 and IPv6 addresses
  • Create an external IPv4, IPv6 client
  • Connect to IPv4 and IPv6 HTTP(S) load balancer address from client


What you'll learn

  • How to create a custom VPC
  • How to enable IPv6 on subnets
  • How to set firewall rules
  • How to create a NAT gateway
  • How to create a managed instance group
  • How to create IPv4 and IPv6 clients
  • How to create static IPs
  • How to create an HTTP(S) LB

This codelab focuses on IP addressing and also uses VMs and load balancers.

What you'll need

  • A web browser to connect to the Google Cloud console
  • Ability to create VPCs and firewall rules
  • Ability to use ssh
  • A Google Cloud account

2. Getting set up

Lab setup

Self-paced environment setup

  1. Sign in to the Google Cloud Console and create a new project or reuse an existing one. If you don't already have a Gmail or Google Workspace account, you must create one.


  • The Project name is the display name for this project's participants. It is a character string not used by Google APIs. You can always update it.
  • The Project ID is unique across all Google Cloud projects and is immutable (cannot be changed after it has been set). The Cloud Console auto-generates a unique string; usually you don't care what it is. In most codelabs, you'll need to reference your Project ID (typically identified as PROJECT_ID). If you don't like the generated ID, you might generate another random one. Alternatively, you can try your own, and see if it's available. It can't be changed after this step and remains for the duration of the project.
  • For your information, there is a third value, a Project Number, which some APIs use. Learn more about all three of these values in the documentation.
  2. Next, you'll need to enable billing in the Cloud Console to use Cloud resources/APIs. Running through this codelab won't cost much, if anything at all. To shut down resources to avoid incurring billing beyond this tutorial, you can delete the resources you created or delete the project. New Google Cloud users are eligible for the $300 USD Free Trial program.

Start Cloud Shell

While Google Cloud can be operated remotely from your laptop, in this codelab you will be using Google Cloud Shell, a command line environment running in the Cloud.

From the Google Cloud Console, click the Cloud Shell icon on the top right toolbar.

It should only take a few moments to provision and connect to the environment. When it is finished, a command-line prompt is displayed.

This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on Google Cloud, greatly enhancing network performance and authentication. All of your work in this codelab can be done within a browser. You do not need to install anything.

3. Configure Custom VPC

Why a custom VPC?

In this lab we will add several firewall rules, including rules for IPv6 traffic, and it is cleaner to keep those separate from the default network. We will also enable IPv6 on a subnet, which requires a custom mode network. Automatically created subnets in auto mode networks are not supported.

Set up a custom VPC with internal IPv6

  1. Under networking select VPC network
  2. From the top select create VPC network


  1. In the Create a VPC network section add the following:
  2. Enter a Name for the network as ipv4-ipv6-network
  3. In the VPC network ULA internal IPv6 range section select Enabled
  4. In the Allocate ULA internal IPv6 range section select Automatically
  5. Choose Custom for the Subnet creation mode.
  6. In the New subnet section, specify the following configuration parameters for a subnet:

  • Name: ipv4
  • Region: europe-west1
  • IP stack type: IPv4 (single stack)
  • IPv4 range: 192.168.10.0/24
  • Create Secondary IPv4 ranges: select
  • Subnet range name 1: ipv4-sec
  • Secondary IPv4 range 1: 10.0.10.0/24

  • Select done
  1. We are going to add another subnet and enable IPv6. To add another subnet select ADD SUBNET. In the New subnet section, specify the following configuration parameters for a subnet:
  • For the Name for the subnet enter ipv6net
  • For Region select us-central1
  • For IP stack type select IPv4 and IPv6 (dual-stack)
  • For IPv4 range enter 192.168.20.0/24
  • For IPv6 access type select Internal
  • Select done
  1. In the Firewall rules section, select the following
  • On the IPv4 Firewall rules tab select all available options: allow-custom (for internal communication), allow-icmp, allow-rdp, allow-ssh.
  • On the IPv6 Firewall rules tab select all available options: allow-ipv6-custom (for internal communication), allow-ipv6-icmp, allow-ipv6-rdp, allow-ipv6-ssh.
    These options automatically create a matching rule for the new subnet.
  1. In the Dynamic routing mode section select Global for the VPC network. For more information, see dynamic routing mode. You can change the dynamic routing mode later.
  2. For the Maximum transmission unit (MTU) choose 1460.
  3. Click Create.

Set up a custom VPC with external IPv6

  1. Under networking select VPC network
  2. From the top select create VPC network
  3. In the Create a VPC network section add the following:
  4. Enter a Name for the network as external-ipv6-network
  5. In the VPC network ULA internal IPv6 range section select Enabled
  6. In the Allocate ULA internal IPv6 range section select Automatically
  7. Choose Custom for the Subnet creation mode.
  8. In the New subnet section, specify the following configuration parameters for a subnet:
  • For the Name for the subnet enter ipv6-external
  • For Region select us-east1
  • For IP stack type select IPv4 and IPv6 (dual stack)
  • For IPv4 range enter 192.168.200.0/24
  • For IPv6 access type select External
  • Select done
  1. In the Firewall rules section, select the following
  • On the IPv4 Firewall rules tab select all available options: allow-custom (for internal communication), allow-icmp, allow-rdp, allow-ssh.
  • On the IPv6 Firewall rules tab select all available options: allow-ipv6-custom (for internal communication), allow-ipv6-icmp, allow-ipv6-rdp, allow-ipv6-ssh. In this lab we use these options to automatically create a matching rule for the new subnet.
  1. In the Dynamic routing mode section select Global for the VPC network. For more information, see dynamic routing mode. You can change the dynamic routing mode later.
  2. For the Maximum transmission unit (MTU) choose 1460.
  3. Click Create.

Verify firewall rules

Firewall rules let you allow or deny traffic to your services.

To verify rules exist:

  1. Go to VPC network
  2. On the left panel select firewall


  1. Look at the display area and make sure you see firewall rules for the new networks created. Scroll across, look for the network column and scroll down. You should see the name of the network you created in the network column of the firewall rules, in this case ipv4-ipv6-network and external-ipv6-network. This name must be unique for the project.
  2. Next we will create a new firewall rule to allow health checks.
  3. Open Cloud Shell if it is not already open by selecting Activate Cloud Shell on the top bar. A Cloud Shell session opens and displays a command-line prompt. Ensure you are in the correct project and paste the following code.
gcloud compute firewall-rules create ipv4-ipv6-hc \
--direction=INGRESS \
--network=ipv4-ipv6-network \
--action=ALLOW \
--rules=tcp:80,tcp:8080,tcp:443 \
--source-ranges=35.191.0.0/16,130.211.0.0/22,209.85.152.0/22,209.85.204.0/22 \
--target-tags=ipv6-server
  1. Once complete, verify you see an entry for the firewall rule ipv4-ipv6-hc attached to the ipv4-ipv6-network
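
An added example, not part of the original codelab: a Python audit over the JSON that `gcloud compute firewall-rules list --format=json` produces, flagging ingress rules that expose SSH or RDP to any IPv4 or IPv6 source and checking that ipv4-ipv6-hc stays limited to the health-check ranges above and to tagged VMs. The sample rules are constructed, and their 0.0.0.0/0 and ::/0 source ranges are an assumption about what the console's allow-ssh and allow-rdp options create, so run it against your own project's output.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# (Compute Engine firewall resource fields); the source ranges are assumptions.
SAMPLE_RULES = json.loads("""
[
 {"name": "ipv4-ipv6-network-allow-ssh", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "ipv4-ipv6-network-allow-ipv6-rdp", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "ipv4-ipv6-network-allow-icmp", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
 {"name": "ipv4-ipv6-network-allow-custom", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["192.168.10.0/24", "192.168.20.0/24"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "ipv4-ipv6-hc", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"],
  "targetTags": ["ipv6-server"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "8080", "443"]}]}
]
""")

HC_RULE = "ipv4-ipv6-hc"            # health-check rule created in this codelab
HC_RANGES = [ipaddress.ip_network(n) for n in
             ("35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22")]
ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"
ADMIN_PORTS = {22, 3389}            # SSH and RDP


def opens_admin_port(rule):
    """True if any allowed[] entry covers TCP 22 or 3389 (no ports = all ports)."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True
        for spec in ports:                      # "22" or a range such as "20-25"
            low, _, high = spec.partition("-")
            if any(int(low) <= p <= int(high or low) for p in ADMIN_PORTS):
                return True
    return False


def within_health_check_ranges(cidr):
    """True if the CIDR lies inside one of the health-check source ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == hc.version and net.subnet_of(hc) for hc in HC_RANGES)


def audit(rules):
    """Return (rule name, finding) pairs for enabled ingress rules."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        sources = rule.get("sourceRanges", [])
        if ANY_SOURCE & set(sources) and opens_admin_port(rule):
            findings.append((rule["name"], "SSH/RDP reachable from any source"))
        if rule["name"] == HC_RULE:
            if not all(within_health_check_ranges(s) for s in sources):
                findings.append((rule["name"], "source outside health-check ranges"))
            if not rule.get("targetTags"):
                findings.append((rule["name"], "applies to every VM, not only ipv6-server"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```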

4. Configure NAT gateway

  1. Go to Network Services
  2. Select Cloud NAT and then select get started


  1. Gateway name use ipv4-ipv6-nat
  2. Network select ipv4-ipv6-network
  3. Region select us-central1
  4. Cloud router select Create new router
  5. Create a router page configure the following:
  • Name ipv4-ipv6-nat-router
  • Leave everything else as default and select create
  1. Back on the Create Cloud NAT gateway page leave other options as they are and select create

5. Configure Instances in private VPC

Create an instance template in the private VPC

  1. Open Cloud Shell.
  2. Verify you are in the correct project if you have multiple
  3. Copy and paste the following
gcloud compute instance-templates create ipv6-internal-server \
--region=us-central1 \
--network-interface=subnet=ipv6net,no-address,stack-type=IPV4_IPV6 \
--machine-type=n1-standard-1 \
--metadata=^,@^startup-script=\#\!/bin/bash$'\n'\#\ package\ updates\ \ \ \ \ \ $'\n'apt\ update\ -y$'\n'apt\ install\ nginx\ -y$'\n'systemctl\ start\ nginx$'\n'systemctl\ enable\ nginx$'\n'systemctl\ status\ nginx\ \|\ grep\ Active$'\n'chown\ -R\ \$USER:\$USER\ /var/www$'\n'cd\ /var/www/html/$'\n'echo\ \'\<\!DOCTYPE\ html\>\'\ \>\ /var/www/html/index.html$'\n'echo\ \'\<html\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<head\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<title\>Awesome\ web\ app\</title\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<meta\ charset=\"UTF-8\"\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\</head\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<body\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<h1\>IPv6\ server\</h1\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\<h3\>You\ are\ successful\</h3\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\</body\>\'\ \>\>\ /var/www/html/index.html$'\n'echo\ \'\</html\>\'\ \>\>\ /var/www/html/index.html$'\n'  --tags=ipv6-server,http-server,https-server \
--create-disk=auto-delete=yes,boot=yes,device-name=ipv6-internal-server,image=projects/debian-cloud/global/images/debian-11-bullseye-v20230306,mode=rw,size=20,type=pd-balanced 
  1. Go to Compute Engine
  2. Select Instance template
  3. In the instance template window ensure you see the template you just created
  4. Click on the name of the template and scroll down to see the configuration.
  • Under Network interfaces make sure you see Stack Type as IPv4 and IPv6

Create an instance group in private VPC

  1. Go to Compute Engine
  2. Expand Instance groups
  3. Select Health Checks


  1. Select create a health check
  2. On the Create a health check page use the following:
  • Name use ipv6-server-hc
  • Protocol TCP Port 80
  • Scroll to the Health Criteria section
  • Check interval 10, Timeout 5
  • Healthy threshold 2, Unhealthy threshold 4
  1. Scroll to the end select create
  2. Go to Compute Engine
  3. Select Instance groups
  4. Select Create Instance group
  5. Select New managed instance group (stateful)
  6. Name use ipv6-server-igp
  7. For Instance template use ipv6-internal-server
  8. For number of instances use 2
  9. For Location use Single Zone make sure region is us-central1
  10. Scroll down under Auto-healing:
  • Health-check use ipv6-server-hc
  • For Initial delay type 120
  • Leave everything else as default and select create

It will take a few minutes to finish creating the instance group.

Verify Instance group and VMs

Once your instance group is complete, let's verify it.

  1. Go to Compute Engine and select Instance groups
  2. Select the name of the instance group you just created ipv6-server-igp
  3. Ensure that you are seeing the following:
  • Instance by status 2 instances (Please give it a little time for all the health check to run if it is not yet showing healthy)
  • Instance by health 100% healthy

Next, let's jump over directly to the VMs in this instance group and run some tests.

  1. Select VM instances you should see two VMs with names starting with ipv6-server-igp
  2. Scroll across and under the Internal IP column you should see both IPV4 and IPV6 addresses. Take a note of both addresses for each server.
  3. Next to the first VM select SSH. This will open an SSH session directly to the server.
  4. In the SSH window type curl localhost. You should get a response from the web server running on the VM displaying the HTML of the page.

  1. Next type ip addr to display the address information. Verify that the exxx interface has the same IPv4 and IPv6 addresses that you recorded before in step 6 for this VM
  2. Do a ping -c 4 XXXX from this VM to the second VM's IPv4 address, then do the same using the second VM's IPv6 address.


  1. (Optional) You can SSH into the second VM and do the same test. Try pinging VM 1's IPv4 and IPv6 addresses.

Create a standalone IPv4-only instance in the private VPC

  1. Go to Compute Engine
  2. Select VM Instances and select create instance
  3. Fill out the configuration page as follows:
  • Name use ipv4-only
  • Region select europe-west1
  1. Scroll down, expand Advanced Options then expand Networking. Now use the following under Network interfaces:
  • Select the drop-down arrow next to default to see the edit interface options
  1. For Network change to ipv4-ipv6-network
  • Subnetwork ipv4
  • External IPv4 address select None
  • Select done
  1. Scroll to the end and select create
  2. It will take a few minutes to create the VM. This VM is located in an IPv4-only subnet, with no external IP address assigned. To verify, go to the VM Instance page and look for the VM called ipv4-only
  3. Select SSH to SSH into the VM called ipv4-only
  4. Do a ping -c 4 X.X.X.X to the private IPv4 addresses of any of the VMs created earlier whose names start with ipv6-server-igp. You can successfully ping the internal IPv4 addresses of these VMs.

6. Create an External HTTP(S) LB with IPv4 and IPv6 addresses in private VPC

Create two static external IPs

  1. Go to VPC network
  2. Select IP addresses and select reserve external static address
  3. For the IPv4 address use the following:
  • Name ipv4-lb-ip
  • IP version IPv4
  • Type Global
  • Scroll to end and select reserve
  1. For the IPv6 address repeat step 2 and use the following:
  • Name ipv6-lb-ip
  • IP version IPv6
  • Type Global
  • Scroll to end and select reserve

Record these IP addresses. You will need them to test connectivity in the last section.

Create the External HTTP(S) LB

  1. Go to Network Services
  2. Select create load balancer
  3. Select Start configuration under HTTP(S) load balancing
  4. Under internet facing or internal only select From Internet to my VMs or serverless services
  5. Under Global or regional select Global HTTP(S) load balancer and select continue.
  6. At the top under Create global external Application Load Balancer use the name ipv4-ipv6-lb-demo
  7. Next select Frontend configuration and use the following:
  • Name ipv4-fe-lb
  • Protocol HTTP
  • IP version IPv4
  • IP address select ipv4-lb-ip to assign the static external IPv4 IP we created
  • Port 80
  • Select done
  1. Under frontend let's configure an IPv6 attachment. Select Add Frontend IP and Port:
  • Name ipv6-fe-lb
  • Protocol HTTP
  • IP version IPv6
  • IP address select ipv6-lb-ip to assign the static external IPv6 IP we created
  • Port 80
  • Select done
  1. Select Backend configuration; on the right-hand pane, under backend service and backend buckets, choose Create a backend service, then use the following:
  • Name server-backend
  • Backend type Instance group
  • Protocol HTTP
  • Instance group ipv6-server-igp
  • Port numbers 80, 8080
  • Deselect Enable Cloud CDN


  • Health check select ipv6-server-hc
  • Scroll to end select create
  • Then select ok
  1. Scroll to the bottom of the page and choose create. When it is complete, you should see the new load balancer listed.

  1. Click on the name of the new LB and under the front end take a note of the IPv4 and IPv6 addresses. You will need them for the last test.

7. Create single instance with external and internal IPv4 and IPv6 Addresses

Create a standalone instance with external IPv4 and IPv6 addresses

  1. Go to Compute Engine
  2. Select VM Instances and select create instance
  3. Fill out the configuration page as follows:
  • Name use external-ipv4-ipv6
  • Region select us-east1
  1. Scroll down, expand Advanced Options then expand Networking. Now use the following:
  • Under Network interface select Network external-ipv6-network
  • Subnetwork ipv6-external
  • IP Stack type IPv4 and IPv6 (dual-stack)
  • External IPv4 address select Ephemeral
  • Select done
  1. Scroll to the end and select create
  2. It will take a few minutes to create the VM. This VM is located in an IPv4_IPv6 subnet with external IPv6 address access. To verify, go to the VM Instance page and look for the VM called external-ipv4-ipv6
  3. Select the SSH option to SSH into the external-ipv4-ipv6 VM
  4. Type ip addr to check the IPv4 and IPv6 address assigned to your VM
  5. Go to the IPv4 address of the ipv4-ipv6-lb-demo
  6. In your external-ipv4-ipv6 VM SSH session type curl X.X.X.X where X.X.X.X is the IPv4 address of the ipv4-ipv6-lb-demo load balancer. You should see the HTML of the website running on the servers in the ipv4-ipv6-network.
  7. In your external-ipv4-ipv6 VM SSH session type curl [X:X:X:X]:80 where X:X:X:X is the IPv6 address of the ipv4-ipv6-lb-demo load balancer. It should look something like this: curl [2600:1901:X:XXXX::]:80. You should see the HTML of the website running on the servers in the ipv4-ipv6-network.
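
An added example (not from the original codelab) for the ip addr checks in sections 5 and 7: it parses the command's output and labels each address as loopback, link-local, private IPv4, ULA IPv6 or public, so you can confirm that a VM on the internal subnet carries no internet-routable address while external-ipv4-ipv6 does. Both outputs, the addresses in them and the interface name ens4 are constructed samples.

```python
import ipaddress
import re

# Constructed `ip addr` output for a VM on the internal dual-stack subnet ipv6net.
INTERNAL_VM = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc mq state UP
    link/ether 42:01:c0:a8:14:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.2/32 scope global dynamic ens4
    inet6 fd20:db8:1:2000::/128 scope global dynamic
    inet6 fe80::4001:c0ff:fea8:1402/64 scope link
"""
# Constructed output for external-ipv4-ipv6 on the ipv6-external subnet.
EXTERNAL_VM = INTERNAL_VM.replace("192.168.20.2", "192.168.200.2").replace(
    "fd20:db8:1:2000::", "2600:1900:4000:abcd::")

# Address classes checked in order; anything unmatched is treated as public.
CLASSES = [
    ("loopback", ("127.0.0.0/8", "::1/128")),
    ("link-local", ("169.254.0.0/16", "fe80::/10")),
    ("private-ipv4", ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")),
    ("ula-ipv6", ("fc00::/7",)),
]
HEADER = re.compile(r"^\d+:\s+(\S+?):")       # "2: ens4: <...>"
ADDRESS = re.compile(r"^\s+inet6?\s+(\S+)")   # "inet 192.168.20.2/32 ..."


def classify(ip):
    """Label one ipaddress object by the first class whose network contains it."""
    for label, nets in CLASSES:
        for net in map(ipaddress.ip_network, nets):
            if ip.version == net.version and ip in net:
                return label
    return "public"


def parse_ip_addr(text):
    """Return (interface, address, label) for every inet/inet6 line."""
    rows, iface = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            iface = header.group(1)
            continue
        found = ADDRESS.match(line)
        if found:
            ip = ipaddress.ip_interface(found.group(1)).ip
            rows.append((iface, str(ip), classify(ip)))
    return rows


def internet_routable(text):
    """Addresses on the VM's interfaces that are reachable from the internet."""
    return [ip for _, ip, label in parse_ip_addr(text) if label == "public"]


if __name__ == "__main__":
    for vm, output in (("internal", INTERNAL_VM), ("external", EXTERNAL_VM)):
        print(vm, parse_ip_addr(output), internet_routable(output))
```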


8. Clean Up

To clean up your project you can run the following commands.

gcloud compute instances delete external-ipv4-ipv6 --zone=us-east1-b --quiet
gcloud compute instances delete ipv4-only --zone=europe-west1-b --quiet

gcloud compute forwarding-rules delete ipv4-fe-lb --global --quiet
gcloud compute forwarding-rules delete ipv6-fe-lb --global --quiet
gcloud compute target-http-proxies delete ipv4-ipv6-lb-demo-target-proxy --quiet
gcloud compute target-http-proxies delete ipv4-ipv6-lb-demo-target-proxy-2 --quiet
gcloud compute url-maps delete ipv4-ipv6-lb-demo --quiet
gcloud compute backend-services delete server-backend --global --quiet

gcloud compute addresses delete ipv4-lb-ip --global --quiet
gcloud compute addresses delete ipv6-lb-ip --global --quiet


gcloud compute instance-groups managed delete ipv6-server-igp --zone us-central1-a --quiet

gcloud compute instance-templates delete "ipv6-internal-server" --quiet

gcloud compute health-checks delete ipv6-server-hc --quiet

gcloud compute routers nats delete ipv4-ipv6-nat --router=ipv4-ipv6-nat-router --region=us-central1 --quiet

gcloud compute routers delete ipv4-ipv6-nat-router --region=us-central1 --quiet

gcloud compute firewall-rules delete external-ipv6-network-allow-ipv6-custom external-ipv6-network-allow-ipv6-ssh external-ipv6-network-allow-rdp external-ipv6-network-allow-ipv6-rdp external-ipv6-network-allow-ssh external-ipv6-network-allow-ipv6-icmp external-ipv6-network-allow-custom external-ipv6-network-allow-icmp --quiet


gcloud compute firewall-rules delete ipv4-ipv6-hc ipv4-ipv6-network-allow-custom ipv4-ipv6-network-allow-ipv6-icmp ipv4-ipv6-network-allow-icmp ipv4-ipv6-network-allow-ssh ipv4-ipv6-network-allow-rdp ipv4-ipv6-network-allow-ipv6-ssh ipv4-ipv6-network-allow-ipv6-rdp ipv4-ipv6-network-allow-ipv6-custom --quiet

gcloud compute networks subnets delete ipv4 --region=europe-west1 --quiet
gcloud compute networks subnets delete ipv6net --region=us-central1 --quiet
gcloud compute networks subnets delete ipv6-external --region=us-east1 --quiet

gcloud compute networks delete external-ipv6-network --quiet
gcloud compute networks delete ipv4-ipv6-network --quiet

9. Congratulations

Congratulations, you've successfully explored both IPv4 and IPv6 networking options!
