Configuring Guest Networking

VPCs and Subnets

VPCs are virtual private networks that are scoped within individual projects. In other words, instances under different projects cannot reach each other using their private IP addresses. Every project comes with a default VPC. More VPCs can be set up by project administrators and collaborators to isolate the network traffic between different groups of VM instances.

Each VPC includes a subnet by default with a RFC1918 IP address range. More subnets can be created for allocating different IP address ranges to different types of instances (e.g. databases versus web servers) and defining firewall rules that govern network traffic based on IP ranges.

External Connectivity

Instances that have one or more network interfaces get outbound internet access through NAT service on the rack. There are three classes of address which can be allocated to an instance:

External IP TypeDescriptionAllows Inbound External TrafficDefaultMaximum user-allocated

Source NAT

A shared temporary IP and port range.




Ephemeral IP

A 1-to-1 temporary IP address.




Floating IP

A 1-to-1 permanent IP address.




Instances with network interfaces will always have a Source NAT (SNAT) address. These allow them to communicate with external hosts, but do not allow external hosts to initiate a session with an instance.

Ephemeral and floating IP addresses can be optionally attached to VM instances, which allow them to be accessible from hosts outside of their VPCs. These addresses can be attached at instance provisioning time and are detached when instances are terminated. Floating IPs may also be attached and detached from actively-running instances using the floating_ip_attach and floating_ip_detach endpoints. Ephemeral IPs are automatically assigned and released back into an IP pool when attached or detached, while floating IPs are explicitly created with a permanent identity in a project and allow greater control over which IP an instance should have.

An instance can have a maximum of 32 external IPs, and may have a single ephemeral IP.

Instances will receive traffic from external hosts on all of their ephemeral and floating IPs, and will transparently send reply traffic from the original external address. Outbound traffic will be mapped to an external IP by priority:

balanced(floating_ips) > ephemeral_ip

That is, an instance with two floating IPs and and an ephemeral IP will randomly choose .32 or .33 as a source address for outbound traffic. It will never originate traffic on .1 unless the floating IPs are detached.

Firewall Rules

A firewall rule governs what type of traffic is allowed or denied between a pair of source and target. The scope of sources (hosts) and targets can be defined with different granularity:

  • all instances in a VPC

  • all instances in a VPC subnet

  • all instances matching a specific IP address or CIDR

  • a specific instance

The attributes in a firewall rules include:

  • target ports: ports or port ranges

  • priority level: 0-65535 (0 being the highest priority)

  • action: allow or deny

  • direction: incoming or outgoing

  • protocols: TCP, UDP, ICMP

Here is an example of a rule that allows SSH from anywhere to all instances on the rack:

  "action": "allow",
  "description": "allow inbound TCP connections on port 22 from anywhere",
  "direction": "inbound",
  "filters": {
    "hosts": null,
    "ports": [
    "protocols": [
  "name": "allow-ssh",
  "priority": 65534,
  "targets": [
      "type": "vpc",
      "value": "default"
  "vpc_id": "f04c8e14-e4f8-4a1b-94db-cf34e8780738"
Last updated