Preview — Dual-stack support for App Engine
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms . Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions .
Dual-stack subnets let your App Engine resources send IPv4 and IPv6 traffic to a VPC network with Direct VPC egress. You can change an existing IPv4 only (single-stack) subnet to a dual-stack subnet.
Subnet types
VPC networks support the following Compute Engine subnet types :
-
IPv4 only (single-stack) subnets, with only IPv4 subnet ranges
-
IPv4 and IPv6 (dual-stack) subnets, with both IPv4 and IPv6 subnet ranges
Dual-stack limitations
Before you change the stack type on an existing App Engine resource, consider the following limitations:
-
Dual-stack support is only available with subnets in a custom-mode VPC network. To have the internal access type available for dual-stack subnets, the VPC network internal IPv6 range must be enabled. Set up or convert the VPC network to custom mode.
-
Compared to IPv4-only subnets, dual-stack subnets might experience elevated cold-start latencies, limiting how quickly your application can scale up.
-
NAT64 isn't supported.
Before you begin
Be sure that the App Engine service agent has the Compute Public IP Admin role ( roles/compute.publicIpAdmin
)
to use the subnet with external IPv6.
Set up a dual-stack subnet
Dual-stack subnets have both IPv4 and IPv6 address ranges.
To set up a dual-stack subnet, you can either use the Google Cloud console or the Google Cloud CLI:
Console
-
Go to the Google Cloud console and enable the Compute Engine API:
-
Navigate to the VPC networkspage:
-
Click Create VPC networkif you are creating a new custom-mode network. If you are using an existing VPC network, click the name of the VPC network to show its VPC network details page.
-
If you are creating a new network or converting an existing one, enter the name and be sure that the Subnet creation modeis set to Custom, then select Configure a ULA internal IPv6 range for this VPC Network.
-
From the Subnetstab, click Add subnet. In the panel that appears:
- Provide a Name.
- Select a Region.
- For IP stack type, select IPv4 and IPv6 (dual-stack).
- Enter an IPv4 range. This is the primary IPv4 range for the subnet.
-
Select the IPv6 access type.
If the Internaloption is not available and you need it, check that an internal IPv6 range is assigned on the network.
-
Click Add.
gcloud
-
To create a custom-mode network that supports dual-stack subnets, run the
gcloud compute networks createcommand.To configure internal IPv6 ranges on any subnets in this network, use the
--enable-ula-internal-ipv6flag. This option assigns a/48ULA prefix from within thefd20::/20range used by Google Cloud for internal IPv6 subnet ranges.gcloud compute networks create NETWORK \ --subnet-mode = custom \ --enable-ula-internal-ipv6
Replace NETWORK with the name of the VPC network that will contain the new subnet.
-
To convert to or update a custom-mode network so that it supports dual-stack subnets, run the following command:
gcloud compute networks update NETWORK \ --switch-to-custom-subnet-mode \ --enable-ula-internal-ipv6
Replace NETWORK with the name of the VPC network that will contain the new subnet.
-
To create a dual-stack subnet with an IPv6 range, run the
subnets createcommand using the dual-stack settings:gcloud compute networks subnets create SUBNET \ --network = NETWORK \ --range = PRIMARY_IPv4_RANGE \ --stack-type = IPV4_IPV6 \ --ipv6-access-type = IPV6_ACCESS_TYPE \ --region = REGION
Replace the following:
- SUBNET : a name for the new subnet.
- NETWORK : the name of the VPC network that will contain the new subnet.
- PRIMARY_IPv4_RANGE : the primary IPv4 range for the new subnet, in CIDR notation. For more information, see IPv4 subnet ranges .
- IPV6_ACCESS_TYPE
: the IPv6 access type for the new
subnet, either
internalorexternal. - REGION : the Google Cloud region that the new subnet will be created in.
Add the dual-stack subnet to an App Engine resource
After you create a dual-stack subnet, configure your App Engine service to use the subnet:
-
In your
app.yamlfile, specify the network and subnet in thevpc_accessfield:vpc_access : network_interface : network : NETWORK subnet : SUBNET vpc_egress : EGRESS_SETTING
Replace the following:
-
NETWORK : the name of network you created in the previous step.
-
SUBNET : the name of the subnet you created in the previous step.
-
Optional: EGRESS_SETTING : controls how outbound traffic is routed. This field supports the following configuration settings:
-
all-traffic: All outbound requests are routed through the VPC network. -
private-ranges-only(default): Only traffic to internal IP addresses is routed through the VPC network. Internet traffic uses the default App Engine path.
-
-
-
Deploy to App Engine by running the following command:
gcloud beta app deploy
Change a subnet from single-stack to dual-stack
To add an IPv6 subnet range to an existing IPv4-only subnet in a custom-mode VPC network, see Change a subnet's stack type to dual-stack . Then, deploy the App Engine service on the dual-stack subnet.
Change a subnet from dual-stack to single-stack
To change a resource's dual-stack subnet to a single-stack subnet, see Change a dual-stack subnet to IPv4 only . Then, deploy the App Engine service on the dual-stack subnet.
Verify the network and subnet
To check that your resource is on the VPC network, run the following command:
gcloud beta app versions describe VERSION --service = SERVICE
Replace the following:
- VERSION : the deployed version of your service
- SERVICE : the deployed service
The following example output shows your network and subnet:
vpcAccess:
networkInterfaces:
- network: projects/ YOUR_PROJECT
/global/networks/ YOUR_NETWORK
subnet: projects/ YOUR_PROJECT
/regions/ YOUR_REGION
/subnetworks/ YOUR_SUBNET
vpcEgress: ALL_TRAFFIC/PRIVATE_RANGES_ONLY
