How to add IPv6 to Google Cloud firewall rules


Solution 1

All VPC networks use the IPv4 protocol. Compute Engine networks currently do not support IPv6. However, Google is a major advocate of IPv6 and it is an important future direction.

In other words, IPv6 is not supported on Compute Engine, period. Global load balancers support IPv6 connectivity to clients, but they will communicate with your Compute Engine resources using IPv4 only.

Solution 2

This is what the relevant documentation says:

Firewall rules

You must create a firewall rule that allows traffic from 130.211.0.0/22 and 35.191.0.0/16 to reach your instances. This rule allows traffic from both the load balancer and the health checker. The rule must allow traffic on the port your global forwarding rule has been configured to use, and your health checker should be configured to use the same port. If your health checker uses a different port, then you must create another firewall rule for that port.

Note that firewall rules block and allow traffic at the instance level, not at the edges of the network. They cannot prevent traffic from reaching the load balancer itself.

Connections from the internet to the HTTP/HTTPS load balancer can be IPv4 or IPv6 (assuming you have assigned an address from each family to the load balancer). Connections from the load balancer to the VMs are at this time only IPv4 and will originate from one of the ranges mentioned in the documentation. The client IP address is sent in an HTTP header and can be either IPv4 or IPv6.

The firewall will only see the IPv4 address of the load balancer, not the client. If your VMs have external IP addresses and you don't want to allow clients to bypass the load balancer, you can use firewall rules to only allow HTTP/HTTPS connections from the IP range allocated for load balancers and health checks.
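Because the firewall only sees the load balancer's IPv4 address, an allowlist of specific IPv4 or IPv6 clients has to be enforced in the application, using the client address from the HTTP header. The Python code below is an added example, not part of the original answer: it assumes the header is X-Forwarded-For with the client address as the second-to-last entry (the last being the load balancer's own address), and the allowlist prefixes and function names are constructed for illustration.

```python
import ipaddress

# Source ranges of the load balancer and health checker, as quoted in the answer above.
LB_RANGES = [ipaddress.ip_network(n) for n in ("130.211.0.0/22", "35.191.0.0/16")]

# Constructed sample allowlist (documentation-reserved prefixes); replace with real clients.
CLIENT_ALLOWLIST = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "2001:db8:1234::/48")]


def _in_any(addr, networks):
    """True if addr falls inside any network of the same address family."""
    return any(addr.version == net.version and addr in net for net in networks)


def client_ip_from_xff(peer_ip, xff_header):
    """Return the client address recorded by the load balancer, or None.

    peer_ip is the TCP peer the web server saw. The header is only trusted
    when that peer is inside the load balancer ranges; on a direct connection
    the header is entirely sender-controlled.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not _in_any(peer, LB_RANGES):
        return None
    parts = [p.strip() for p in (xff_header or "").split(",") if p.strip()]
    # Assumed layout: "<values supplied by the client>, <client IP>, <LB IP>".
    # Anything before the last two entries was sent by the client and is ignored.
    if len(parts) < 2:
        return None
    try:
        return ipaddress.ip_address(parts[-2])
    except ValueError:
        return None


def is_allowed(peer_ip, xff_header):
    """Apply the IPv4/IPv6 client allowlist to a request arriving via the load balancer."""
    client = client_ip_from_xff(peer_ip, xff_header)
    return client is not None and _in_any(client, CLIENT_ALLOWLIST)
```

This check complements the firewall rule restricting HTTP/HTTPS to the load balancer ranges; it does not replace it.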

Author: Gokhan Dilek

Updated on September 18, 2022

Comments

  • Gokhan Dilek over 1 year

    I have a firewall to which I only allow specific IPv4 clients access.

    Unfortunately, the Google network does not allow IPv6 addresses within the network.

    Is there a way around this so that I can also allow IPv6 addresses?

    Not ideal but I can disable the firewall altogether.

    • kasperd over 6 years
      It's unclear what IPv6 traffic it is that you want to allow. Are you referring to GCE? In that case the only IPv6 traffic supported at this time is for HTTP, HTTPS, SSL Proxy, and TCP Proxy load balancing: cloud.google.com/compute/docs/load-balancing/ipv6
    • Gokhan Dilek over 6 years
      HTTP and HTTPS. The problem is I cannot add IPv6 to the GCE whitelist.
    • Gokhan Dilek over 6 years
      @kasperd Still not sure how I can allow IPv6 traffic to my server. The GCE firewall is not supported by IPv6.
    • Alex over 6 years
      @GokhanDilek You don't: serverfault.com/a/893681/37475
  • Alex over 6 years
    This, but it should be noted that firewall rules do not affect the load balancer itself, since it sits outside the VPC network.
  • kasperd over 6 years
    @Alex Correct. That's also what the citation from the documentation says in slightly different words.