This page discusses external and internal protocol forwarding only. For more information about protocol forwarding in the context of Classic VPN, see the following topics:
Protocol forwarding uses a regional forwarding rule to deliver packets of a specific protocol to a single virtual machine (VM) instance. The forwarding rule can have an internal or an external IP address. Protocol forwarding delivers packets while preserving the destination IP address of the forwarding rule. The forwarding rule references an object called a target instance, which, in turn, references a single VM instance.
You can use protocol forwarding to do the following:
Protocol forwarding is different from a pass-through load balancer in the following ways:
Protocol forwarding uses regional external or regional internal forwarding rules and a zonal target instance object. The target instance and the VM it references must be located in a zone in the forwarding rule's region.
External protocol forwarding. You can set up multiple forwarding rules to point to a single target instance, which lets you use multiple external IP addresses with one VM instance. You can use this in scenarios where you may want to serve data from just one VM instance, but through different external IP addresses or different protocols and ports. This is especially useful for setting up SSL virtual hosting. External protocol forwarding can handle connections from IPv6 clients.
External protocol forwarding supports the following protocols: AH, ESP, GRE, ICMP, ICMPv6, SCTP, TCP, and UDP.
The following diagram shows an example of external protocol forwarding architecture. To learn how to set this up, see Set up external protocol forwarding.
Figure: External protocol forwarding architecture.
Internal protocol forwarding. Internal protocol forwarding uses either a regional internal IPv4 address (from the primary IPv4 address range of a subnet) or a regional internal IPv6 address range (from the IPv6 address range of a subnet).
Internal protocol forwarding supports the TCP and UDP protocols.
The following diagram shows an example of internal protocol forwarding architecture. To learn how to set this up, see Set up internal protocol forwarding.
Figure: Internal protocol forwarding architecture.
With internal protocol forwarding, you can change the target of a forwarding rule to switch between a target instance and a backend service of a pass-through load balancer. For details, see Switch between a target instance and a backend service.
Each forwarding rule matches an IP address, protocol, and optionally, port information (if specified and if the protocol supports ports). When a forwarding rule references a target instance, Google Cloud routes packets that match the forwarding rule's address, protocol, and port specification to the VM referenced by the target instance.
Internal protocol forwarding:
IPv4 address support. A regional internal IPv4 address (reserved static or ephemeral) from the primary IPv4 range of a subnet.
IPv6 address support. The forwarding rule references a /96 range of IP addresses from the subnet's /64 internal IPv6 address range. The subnet must be either a dual-stack subnet or a single-stack IPv6-only subnet, and the subnet's ipv6-access-type setting must be set to INTERNAL. Internal IPv6 addresses are available only in Premium Tier. The IPv6 address range can be a reserved static address or an ephemeral address.
Protocol options. TCP (default) and UDP.
Port specification options. A list of up to five contiguous or non-contiguous ports, or all ports.
External protocol forwarding:
IPv4 address support. The forwarding rule references a single regional external IPv4 address. Regional external IPv4 addresses come from a pool unique to each Google Cloud region. The IP address can be a reserved static address or an ephemeral address.
IPv6 address support. The forwarding rule references a /96 range of IP addresses from the subnet's /64 external IPv6 address range. The subnet must be either a dual-stack subnet or a single-stack IPv6-only subnet, and the subnet's ipv6-access-type must be set to EXTERNAL. External IPv6 addresses are available only in Premium Tier. The IPv6 address range can be a reserved static address or an ephemeral address.
Protocol options. AH, ESP, ICMP, SCTP, TCP (default), UDP, and L3_DEFAULT:
The L3_DEFAULT forwarding rule protocol option forwards all AH, ESP, GRE, ICMP, ICMPv6, SCTP, TCP, and UDP traffic. For the TCP, UDP, and SCTP protocols, L3_DEFAULT also forwards all ports.
IPv6 forwarding rules don't support the ICMP protocol setting because the ICMP protocol only supports IPv4 addresses. To serve ICMPv6 and GRE traffic, set the forwarding rule protocol to L3_DEFAULT.
Port specification options. A single contiguous port range or all ports.
Keep the following points in mind when working with forwarding rules:
For protocol forwarding, a forwarding rule can only reference a single target instance.
For internal passthrough Network Load Balancers and backend service-based external passthrough Network Load Balancers, a forwarding rule can only reference a single backend service.
You can switch between internal protocol forwarding and an internal passthrough Network Load Balancer without deleting and re-creating the forwarding rule. To switch between external protocol forwarding and a backend service-based external passthrough Network Load Balancer, you must delete and re-create the forwarding rule. For details, see Switch between a target instance and a backend service.
Port information can only be specified for protocols that have a concept of port: TCP, UDP, or SCTP.
If you expect fragmented UDP packets, do one of the following to ensure that all fragments (including those without port information, because only the first fragment carries the UDP header) are delivered to the instance:
An L3_DEFAULT forwarding rule, or
A UDP forwarding rule configured to forward all ports.
A target instance is a zonal resource that references one VM instance in the same zone. The forwarding rule that references the target instance must be in the region containing the target instance's zone. Because a target instance doesn't have a Cloud NAT policy applied to it, it can be used for IPsec traffic (AH and ESP) that can't traverse NAT.
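The matching, protocol and port-specification rules in the notes above, as a small model you can run against the packets you expect before creating a rule. This is an added illustration written for this page, not Google's implementation; the addresses 203.0.113.10 and 10.0.0.5 and the port numbers used with it are made up.

```python
"""Model of how a protocol-forwarding rule selects packets for its target instance.

Added illustration for this page, not Google's implementation: it encodes the
matching, protocol and port-specification rules stated above so a planned rule
can be checked against the packets you expect, fragments included.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

INTERNAL_PROTOCOLS = {"TCP", "UDP"}
EXTERNAL_PROTOCOLS = {"AH", "ESP", "ICMP", "SCTP", "TCP", "UDP", "L3_DEFAULT"}
L3_DEFAULT_COVERS = {"AH", "ESP", "GRE", "ICMP", "ICMPv6", "SCTP", "TCP", "UDP"}
PORTED = {"TCP", "UDP", "SCTP"}      # the only protocols with a concept of port
MAX_INTERNAL_PORTS = 5


@dataclass(frozen=True)
class Rule:
    scope: str                              # "internal" or "external"
    address: str                            # the forwarding rule's IP address
    protocol: str
    ports: Optional[Sequence[int]] = None   # None means all ports

    def __post_init__(self) -> None:
        if self.scope not in ("internal", "external"):
            raise ValueError("scope must be 'internal' or 'external'")
        allowed = INTERNAL_PROTOCOLS if self.scope == "internal" else EXTERNAL_PROTOCOLS
        if self.protocol not in allowed:
            raise ValueError(f"{self.protocol} is not valid for {self.scope} protocol forwarding")
        if self.ports is None:
            return
        if self.protocol not in PORTED:
            raise ValueError(f"{self.protocol} has no ports; omit the port specification")
        ports = list(self.ports)
        if not ports:
            raise ValueError("port specification is empty")
        if self.scope == "internal" and len(set(ports)) > MAX_INTERNAL_PORTS:
            raise ValueError("internal rules take at most five ports, or all ports")
        if self.scope == "external" and ports != list(range(ports[0], ports[-1] + 1)):
            raise ValueError("external rules take one contiguous port range, or all ports")


def rule_is_valid(scope: str, address: str, protocol: str,
                  ports: Optional[Sequence[int]] = None) -> bool:
    """Preflight check: would this scope/protocol/port combination be accepted?"""
    try:
        Rule(scope, address, protocol, ports)
    except ValueError:
        return False
    return True


@dataclass(frozen=True)
class Packet:
    dst: str
    protocol: str
    dst_port: Optional[int] = None   # None for portless protocols and non-first fragments


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule would deliver pkt to the VM behind its target instance."""
    if pkt.dst != rule.address:
        return False
    if rule.protocol == "L3_DEFAULT":
        return pkt.protocol in L3_DEFAULT_COVERS      # every listed protocol, every port
    if pkt.protocol != rule.protocol:
        return False
    if rule.ports is None:
        return True                                    # all ports: fragments without an L4 header too
    # A non-first UDP fragment carries no port, so a rule with a port specification
    # cannot match it; that is why the page recommends L3_DEFAULT or all ports.
    return pkt.dst_port is not None and pkt.dst_port in rule.ports
```

The fragment case is the one worth keeping in mind: a UDP rule scoped to a port range silently loses every non-first fragment, which shows up as intermittent loss for large UDP payloads (DNS over UDP with big answers, IKE with certificates) rather than as an error.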
Multi-NIC support
Protocol forwarding using target instances supports VM instances with non-nic0 network interfaces (vNICs or Dynamic Network Interfaces) by using the --network flag when you create the target instance:
If you omit the --network flag when you create a target instance, Google Cloud delivers packets to the nic0 interface of the referenced VM.
If you include the --network flag when you create a target instance, Google Cloud delivers packets to the NIC of the referenced VM that's in the VPC network specified by the --network flag. Consequently, the referenced VM must have a NIC in the VPC network specified by the --network flag.
If you want the protocol forwarding deployment to support IPv6 traffic, the VM instance must be configured in either a dual-stack or a single-stack IPv6-only subnet that is in the same region as the IPv6 forwarding rule.
Note that while IPv6-only instances can be created in both dual-stack and IPv6-only subnets, dual-stack VMs can't be created in IPv6-only subnets.
The VM instance can be created in a subnet with the ipv6-access-type set to either EXTERNAL or INTERNAL. The VM inherits the ipv6-access-type setting (either EXTERNAL or INTERNAL) from the subnet.
For instructions, see Create an instance that uses IPv6 addresses. If you want to use an existing VM, you can update the VM to be dual-stack by using the gcloud compute instances network-interfaces update command. Updating existing VMs to IPv6-only isn't supported.
When a target instance receives a packet from a client, the request packet's source and destination IP addresses are as shown in this table.
Table 1. Source and destination IP addresses for request packets
Protocol forwarding type | Source IP address | Destination IP address
External protocol forwarding | The external IP address associated with a Google Cloud VM, or an external IP address of a client on the internet. | The IP address of the forwarding rule.
Internal protocol forwarding | A client's internal IP address; for Google Cloud clients, the primary internal IPv4 address or IPv6 address of a VM's network interface, or an IPv4 address from one of its alias IP ranges. | The IP address of the forwarding rule.
Software running on the target instance VMs should be configured to do the following:
Accept packets whose destination is the forwarding rule's IP address, by listening either on that address or on any address (0.0.0.0 or ::). On Google-provided images, the guest environment installs the forwarding rule's IP address as a local address on the VM so that the kernel accepts those packets; on a custom image without the guest environment, you must configure that address yourself or the packets are dropped as not locally addressed.
Return packets are sent directly from the target instance to the client. The response packet's source and destination IP addresses depend on the protocol, as summarized in the following table.
Table 2. Source and destination IP addresses for return packets
Traffic type | Source IP address | Destination IP address
TCP | The IP address of the forwarding rule. | The request packet's source IP address.
AH, ESP, GRE, ICMP, ICMPv6, and UDP (1) | For most use cases, the IP address of the forwarding rule. (2) | The request packet's source IP address.
(1) AH, ESP, GRE, ICMP, and ICMPv6 are only supported with external protocol forwarding.
(2) With internal protocol forwarding, it is possible to set the response packet's source to the VM NIC's primary internal IPv4 address or IPv6 address, or to an address from an alias IP range. If the VM has IP forwarding enabled (--can-ip-forward), arbitrary source IP addresses can also be used. Not using the forwarding rule's IP address as a source is an advanced scenario because the client receives a response packet from an internal IP address that does not match the IP address to which it sent the request packet, and stateful firewalls and most client stacks discard such a reply.
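The "for most use cases" entry for UDP in Table 2 hides a practical trap: a UDP service bound to 0.0.0.0 on the target instance receives requests addressed to the forwarding rule's IP, but when it answers with a plain sendto() the kernel chooses the outgoing interface's primary address as the source, so the client sees a reply from an address it never contacted and usually drops it. TCP does not have this problem because the accepted socket is already bound to the request's destination. The following is an added example, not Google's code: a UDP responder that uses IP_PKTINFO (Linux) to learn which address each datagram was sent to and sends its reply from that same address, beside the naive version for contrast. Loopback addresses stand in for the forwarding rule IP (127.0.0.2) and the VM's primary address (127.0.0.1); it assumes Linux, where all of 127.0.0.0/8 is local.

```python
"""UDP responder that answers from the address the request was sent to.

Added example for this page, not Google's code. Assumes Linux (IP_PKTINFO).
127.0.0.2 stands in for the forwarding rule's IP; 127.0.0.1 for the VM's
primary address. For IPv6 forwarding rules the same pattern uses
IPV6_RECVPKTINFO / IPV6_PKTINFO and struct in6_pktinfo instead.
"""
import socket
import struct
import threading

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)   # Linux value of IP_PKTINFO (assumption)
FORWARDING_RULE_IP = "127.0.0.2"                # stand-in for the forwarding rule's address
PKTINFO_FMT = "i4s4s"                           # struct in_pktinfo: ifindex, spec_dst, addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def make_server() -> socket.socket:
    """Bind a UDP socket to any address (0.0.0.0) and ask for IP_PKTINFO on receive."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    srv.bind(("0.0.0.0", 0))        # ephemeral port here; a real service uses the rule's port
    srv.settimeout(5)
    return srv


def answer_one(srv: socket.socket, from_request_dst: bool) -> None:
    """Receive one datagram and echo it back.

    from_request_dst=True replies from the address the request was sent to
    (the forwarding rule IP). False uses plain sendto(), so the kernel picks
    the interface's primary address as the reply source instead.
    """
    data, ancdata, _flags, client = srv.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
    if not from_request_dst:
        srv.sendto(b"echo:" + data, client)
        return
    request_dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            request_dst = addr        # ipi_addr: destination address from the IP header
    if request_dst is None:
        raise RuntimeError("kernel returned no IP_PKTINFO ancillary data")
    # On send, ipi_spec_dst selects the source address of the outgoing datagram.
    pktinfo = struct.pack(PKTINFO_FMT, 0, request_dst, b"\0" * 4)
    srv.sendmsg([b"echo:" + data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, client)


def query(from_request_dst: bool = True) -> tuple:
    """Send 'ping' to the forwarding rule address; return (reply bytes, reply source IP)."""
    srv = make_server()
    port = srv.getsockname()[1]
    worker = threading.Thread(target=answer_one, args=(srv, from_request_dst), daemon=True)
    worker.start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        cli.settimeout(5)
        cli.sendto(b"ping", (FORWARDING_RULE_IP, port))
        reply, (src_ip, _src_port) = cli.recvfrom(2048)
    worker.join(5)
    srv.close()
    return reply, src_ip


if __name__ == "__main__":
    print("with IP_PKTINFO:", query(True))    # reply source is 127.0.0.2, the address contacted
    print("plain sendto   :", query(False))   # reply source is the primary address, not 127.0.0.2
```

Binding the service directly to the forwarding rule's address avoids the issue as well, at the cost of one listener per forwarding rule; the IP_PKTINFO approach keeps a single 0.0.0.0 listener correct when several forwarding rules point at the same target instance.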
Outbound internet connectivity from target instances
VM instances referenced by target instances can initiate connections to the internet by using the IP address of the associated forwarding rule as the source IP address of the outbound connection.
Generally, a VM instance always uses its own external IP address or Cloud NAT to initiate connections. You use the forwarding rule IP address to initiate connections from target instances only in special scenarios such as when you need VM instances to originate and receive connections at the same external IP address.
Outbound packets sent from target instance VMs directly to the internet have no restrictions on traffic protocols and ports. Even if an outbound packet is using the forwarding rule's IP address as the source, the packet's protocol and source port don't have to match the forwarding rule's protocol and port specification. However, inbound response packets must match the forwarding rule IP address, protocol, and destination port of the forwarding rule. For more information, see Paths for external passthrough Network Load Balancers and external protocol forwarding.
This path is open by default because Google Cloud's implied allow-egress firewall rule permits all outbound traffic. If you don't want target instance VMs to originate connections to the internet, add targeted egress deny firewall rules (scoped to those VMs by network tag or service account) that block unsolicited outbound traffic to the internet.
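The originate-from-the-rule-IP case above, as an added example that is not Google's code: a TCP client that binds the forwarding rule's address and a source port inside the rule's port range before calling connect(). Binding fixes the source address; choosing the source port inside the range is what makes the peer's reply match the forwarding rule's IP, protocol and destination port and reach the VM. Loopback addresses stand in for the forwarding rule IP (127.0.0.2) and the remote peer (127.0.0.1); 20000-20099 is an assumed --port-range; it assumes Linux, where all of 127.0.0.0/8 is local.

```python
"""Originate a TCP connection from the forwarding rule's IP address.

Added example for this page, not Google's code. Assumes Linux; 127.0.0.2 stands
in for the forwarding rule's external IP, 127.0.0.1 for the remote peer, and
RULE_PORT_RANGE for the TCP forwarding rule's port range (assumed values).
"""
import errno
import socket
import threading

FORWARDING_RULE_IP = "127.0.0.2"
RULE_PORT_RANGE = range(20000, 20100)   # assumed --port-range 20000-20099 on the TCP rule


def open_connection(dst: tuple, port_range=None) -> socket.socket:
    """Connect to dst. With port_range, source is (FORWARDING_RULE_IP, p) for a free p in it.

    Without port_range the kernel picks the VM's own address and an ephemeral
    port, which is the normal path (own external IP or Cloud NAT).
    """
    if port_range is None:
        s = socket.create_connection(dst, timeout=5)
        return s
    for p in port_range:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((FORWARDING_RULE_IP, p))   # source address and port fixed before connect()
            s.settimeout(5)
            s.connect(dst)
            return s
        except OSError as e:
            s.close()
            if e.errno != errno.EADDRINUSE:   # port busy (for example TIME_WAIT): try the next one
                raise
    raise RuntimeError("no free source port inside the forwarding rule's port range")


def peer_as_seen_by_remote(port_range=None) -> tuple:
    """Run a loopback listener, connect to it, and return the (ip, port) the listener saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    seen = {}

    def accept_one() -> None:
        conn, peer = listener.accept()
        seen["peer"] = peer
        conn.close()

    worker = threading.Thread(target=accept_one, daemon=True)
    worker.start()
    conn = open_connection(listener.getsockname(), port_range)
    worker.join(5)
    conn.close()
    listener.close()
    return seen["peer"]


if __name__ == "__main__":
    print("default source     :", peer_as_seen_by_remote())                 # 127.0.0.1, ephemeral port
    print("forwarding rule IP :", peer_as_seen_by_remote(RULE_PORT_RANGE))  # 127.0.0.2, port in range
```

If the forwarding rule forwards all ports, the bind can use port 0 and let the kernel choose; the explicit loop is only needed when the rule is scoped to a port range. Either way the reply is accepted only by a TCP rule, since the page's constraint is on protocol as well as port.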
Limitations
Internal protocol forwarding doesn't support the L3_DEFAULT protocol. Use either TCP or UDP.
For forwarding rules, see the following:
For target instances, see the following:
Pricing
Protocol forwarding is charged at the same rate as load balancing. There is a charge for the forwarding rule and a charge for the inbound data processed by the target instance.
For all pricing information, see Pricing.
Quotas and limits
For the quotas on forwarding rules for protocol forwarding, see Quotas and limits: Forwarding rules.
What's next