Create VMs with multiple network interfaces

By default, every virtual machine (VM) instance in a Virtual Private Cloud (VPC) network has a single network interface. However, you can configure an instance with multiple network interfaces. When using multiple network interfaces from an instance, each interface must attach to a subnet that is in a different VPC network. You can't attach multiple network interfaces to the same subnet or to subnets that are in the same VPC network.

If you don't require multiple network interfaces, follow the procedure for Creating and starting an instance to create instances with the default network configuration.

For more information about multiple network interfaces and how they work, see Multiple network interfaces.

Before you begin

Verify that all required networks and subnets are created before you create the instance. If you need to create networks or subnets, see Create and manage VPC networks.
Verify that each network has appropriate firewall rules to allow the traffic that you want to allow to and from the VM that has multiple interfaces. If you need to create firewall rules, see Use VPC firewall rules.
If you are connecting a VM to multiple networks by using IPv6 addresses, install google-guest-agent version 20220603.00 or later. For more information, see I can't connect to a secondary interface's IPv6 address.

IAM roles

To create an instance with multiple network interfaces, you must have one of the following roles:

Project Owner or Editor role
Compute Instance Admin (v1) role (roles/compute.instanceAdmin.v1)

Creating and deleting instances and instance templates with multiple interfaces in a project not using a Shared VPC environment: A user with the Owner, Editor, or Compute Instance Admin (v1) role at the project level can create an instance with multiple interfaces associated with VPC networks and subnets that are part of that same project.

Creating and deleting instances and instance templates with multiple interfaces in Shared VPC environments: A user with the Owner, Editor, or Compute Instance Admin (v1) role at the project level can create an instance with multiple interfaces. If any of the interfaces are attached to a subnet in a Shared VPC host project, you must also have the Compute Network User role (roles/compute.networkUser) at the Shared VPC host project level or at the Shared VPC subnet level.

To learn more about permissions, read the Compute Engine IAM documentation.

Create VM instances with multiple network interfaces

For general instructions about creating instances, see Create and start a VM instance.

The first interface is always created as nic0, and it is always the default interface. This is important for some other aspects of Google Cloud networking. For example, Google Cloud load balancers (except for the passthrough Network Load Balancers) only distribute traffic to nic0.

Console

In the Google Cloud console, go to the Create an instance page.

Go to Create an instance
In the Name field, enter a name for the instance.
In the Region field, select a region.
In the Zone field, select a zone.
In the Advanced options section, expand Networking, and then do the following:
1. In the Network interfaces section, expand the network interface to edit it.
2. For Network and Subnetwork, select the network and subnetwork that you want to use.
  
  If you want to configure IPv6 addresses on the interface, select a subnet that has an IPv6 address range configured. The IPv6 access type of the subnet determines whether the VM receives an internal IPv6 address or an external IPv6 address.
3. Select one of the following options for the IP stack type for the interface:
  - IPv4 (single-stack)
  - IPv4 and IPv6 (dual-stack)
  - IPv6 (single-stack) (Preview)
4. For interfaces with IPv4 addresses, do the following:
  1. For Primary internal IPv4 address, select one of the following:
    - Ephemeral to assign a new ephemeral IPv4 address
    - A reserved static internal IPv4 address from the list
    - Reserve static internal IPv4 address to reserve and assign a new static internal IPv4 address
  2. For External IPv4 address, select one of the following:
    - Ephemeral to assign a new ephemeral IPv4 address
    - None to not assign an external IPv4 address
    - A reserved static IPv4 address from the list
    - Reserve static external IP address to reserve and assign a new static external IPv4 address
5. For interfaces with IPv6 addresses, do the following, depending on the access type of the connected subnet:
  1. For Primary internal IPv6 address, select one of the following:
    - Auto-allocated to automatically assign a new ephemeral internal IPv6 address
    - A reserved static internal IPv6 address from the list
    - Reserve static internal IPv6 address to reserve and assign a new static internal IPv6 address
  2. For External IPv6 address, select one of the following:
    - Auto-Allocate to automatically assign a new ephemeral external IPv6 address
    - A reserved static external IPv6 address from the list
    - Reserve static external IPv6 address to reserve and assign a new static external IPv6 address
6. To finish modifying the network interface, click Done.
To add another interface, click Add network interface.
Continue with the VM creation process.
Click Create.

gcloud

To create network interfaces on a new instance, use the instances create command.

Include the --network-interface flag for each interface, followed by any appropriate networking keys, such as network, subnet, private-network-ip, address, and external-ipv6-address. To view examples of how to create VMs with multiple interfaces, see Example configurations.

This snippet only illustrates the --network-interface flag, one of many possible parameters that you can specify when creating an instance.

To see what machine types support the number of network interfaces you need, see the Maximum number of network interfaces table.

gcloud compute instances create INSTANCE_NAME \
    --zone ZONE \
    --network-interface \
        network=NETWORK,subnet=SUBNET, \
        stack-type=STACK_TYPE, \
        private-network-ip=INTERNAL_IPV4_ADDRESS \
        address=EXTERNAL_IPV4_ADDRESS | no-address, \
        internal-ipv6-address=INTERNAL_IPV6_ADDRESS \
    ...
    --network-interface \
        network=NETWORK,subnet=SUBNET, \
        stack-type=STACK_TYPE, \
        external-ipv6-address=EXTERNAL_IPV6_ADDRESS, \
        external-ipv6-prefix-length=96 \
        ipv6-network-tier=PREMIUM \
    ...

Replace the following:

INSTANCE_NAME: the name of the VM instance to create.
ZONE: the zone where the instance is created.
NETWORK: the network where the interface attaches.
SUBNET: the subnet where the interface attaches.
STACK_TYPE: the stack type for the interface.

The default value is IPV4_ONLY. Specify IPV4_IPV6 to configure a dual-stack interface, or IPV6_ONLY to configure an IPv6-only interface (Preview).
Values for interfaces with IPv4 addresses:
- INTERNAL_IPV4_ADDRESS: the internal IPv4 address that you want the interface to have in the target subnet. Omit if you just want any valid address assigned.
- EXTERNAL_IPV4_ADDRESS: the external IPv4 address of the interface.
  
  You must have previously reserved an external IPv4 address. If you don't want the interface to have an external IP address, specify "no-address" instead of address=EXTERNAL_IPV4_ADDRESS. If you want the interface to receive an ephemeral external IP address, specify address=''.
Values for interfaces with IPv6 addresses:
- INTERNAL_IPV6_ADDRESS: the internal IPv6 address that you want the interface to have in the target subnet. You must have previously reserved an internal IPv6 address. If not specified, Google Cloud automatically assigns an internal IPv6 address from the subnet.
- EXTERNAL_IPV6_ADDRESS: the external IPv6 address that you want the interface to have in the target subnet. You must have previously reserved an external IPv6 address. If not specified, Google Cloud automatically assigns an external IPv6 address from the subnet.
Note: An interface can have only one IPv6 address, either internal or external, but not both.

API

Use the instances.insert method to create a VM instance with multiple network interfaces.

To create a VM instance with only internal IPv4 addresses, do the following:
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
....

"networkInterfaces": [
  {
    "networkIP": "IPV4_ADDRESS",
    "subnetwork": "regions/REGION/subnetworks/SUBNET"
  },
    for each interface, specify a network...
],
other instance settings...
}
```
Replace the following:
- PROJECT_ID: the ID of the project that contains the instance.
- ZONE: the zone that contains the instance.
- IPV4_ADDRESS: the internal IPv4 address that you want to assign to the network interface.
- REGION: the region that contains the instance.
- SUBNET: the subnet where the network interface is located.
To create a VM instance with both internal IPv4 and internal IPv6 addresses, do the following:
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
....

"networkInterfaces": [
  {
    "subnetwork": "regions/REGION/subnetworks/SUBNET"
    "ipv6Address": "IPV6_ADDRESS",
    "internalIpv6PrefixLength": 96,
    "stackType": IPV4_IPV6,
    "ipv6AccessType": INTERNAL
  },
    for each interface, specify a network...
],
other instance settings...
}
```
Replace the following:
- PROJECT_ID: the ID of the project that contains the instance.
- ZONE: the zone that contains the instance.
- REGION: the region that contains the instance.
- SUBNET: the subnet where the network interface is located.
- IPV6_ADDRESS: the internal IPv6 address that you want the interface to have in the target subnet. You must have previously reserved an internal IPv6 address. If not specified, Google Cloud automatically assigns an internal IPv6 address from the subnet.
To create a VM instance with only internal IPv6 addresses (Preview), do the following:
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
....

"networkInterfaces": [
  {
    "subnetwork": "regions/REGION/subnetworks/SUBNET"
    "ipv6Address": "IPV6_ADDRESS",
    "internalIpv6PrefixLength": 96,
    "stackType": IPV6_ONLY,
    "ipv6AccessType": INTERNAL
  },
    for each interface, specify a network...
],
other instance settings...
}
```
Replace the following:
- PROJECT_ID: the ID of the project that contains the instance.
- ZONE: the zone that contains the instance.
- REGION: the region that contains the instance.
- SUBNET: the subnet where the network interface is located.
- IPV6_ADDRESS: the internal IPv6 address that you want the interface to have in the target subnet. You must have previously reserved an internal IPv6 address. If not specified, Google Cloud automatically assigns an internal IPv6 address from the subnet.

Terraform

You can use a Terraform resource to create a VM instance with multiple network interfaces.

The Terraform arguments have example values that you can change.

resource "google_compute_instance" "default" {
  project      = var.project_id # Replace with your project ID in quotes
  zone         = "us-central1-b"
  name         = "backend-instance"
  machine_type = "e2-medium"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }
  network_interface {
    subnetwork = var.subnet_1 # Replace with self link to a subnetwork in quotes
    network_ip = "10.0.0.14"
  }
  network_interface {
    subnetwork = var.subnet_2 # Replace with self link to a subnetwork in quotes
    network_ip = "10.10.20.14"
  }
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Example configurations

The following sections show how to create VMs with multiple interfaces.

Configure multiple network interfaces with only IPv4 addresses

The following sample command creates an instance with three network interfaces.

 gcloud compute instances create vm1 --machine-type=n1-standard-4 \
    --network-interface '' \
    --network-interface network=net1,subnet=subnet-a,private-network-ip=10.10.10.2,address=EXTERNAL_IPV4_ADDRESS \
    --network-interface network=net2,subnet=subnet-b,private-network-ip=10.10.20.2,no-address

The interfaces are created as follows:

nic0 is created with default settings. The interface is attached to a subnet in the default VPC network, with an automatically allocated internal IP address and an ephemeral external IP address.
nic1 is attached to subnet subnet-a in network net1, with an internal IPv4 address of 10.10.10.2 and a static external IPv4 address, EXTERNAL_IPV4_ADDRESS.
nic2 is attached to subnet subnet-b in network net2, with an internal IPv4 address of 10.10.20.2 and no external IP address.

For a complete description of the gcloud compute instances create command and the --network-interface flag, read the documentation for the command.

You can use the IP address from the network interface that you have added to set up DNS forwarding. To learn more about configuring Cloud DNS forwarding zones, see Forwarding zones.

Configure multiple network interfaces with both IPv4 and IPv6 addresses

The following sample command creates a dual-stack instance with two network interfaces.

gcloud compute instances create vm1 \
    --network-interface network=dual-int,subnet=int-subnet,stack-type=IPV4_IPV6 \
    --network-interface network=dual-ext,subnet=ext-subnet,stack-type=IPV4_IPV6,ipv6-network-tier=PREMIUM \
    --machine-type=n1-standard-4 --zone=ZONE_A

The interfaces are created as follows:

nic0 is attached to subnet int-subnet in network dual-int, with an ephemeral internal IPv4 address and an ephemeral internal IPv6 address.
nic1 is attached to subnet ext-subnet in network dual-ext, with an ephemeral internal IPv4 address and an ephemeral external IPv6 address.

Configure multiple network interfaces with only IPv6 addresses

The following sample command creates an IPv6-only instance (Preview) with two network interfaces.

gcloud compute instances create vm1 \
    --network-interface network=ipv6-only-int,subnet=int-subnet,stack-type=IPV6_ONLY \
    --network-interface network=ipv6-only-ext,subnet=ext-subnet,stack-type=IPV6_ONLY,ipv6-network-tier=PREMIUM \
    --machine-type=n1-standard-4 --zone=us-west2-a

The interfaces are created as follows:

nic0 is attached to subnet int-subnet in network ipv6-only-int, with an ephemeral internal IPv6 address.
nic1 is attached to subnet ext-subnet in network ipv6-only-ext, with an ephemeral external IPv6 address.

Configure multiple network interfaces for instance groups

You can use instances with multiple network interfaces in unmanaged instance groups and managed instance groups.

For unmanaged instance groups, create each instance individually, ensuring that the nic0 network interface for each VM is attached to the same subnet. Then, add the VM instances to the unmanaged instance group.

To configure multiple network interfaces for managed instance groups, you must specify the network configuration for each interface in the instance template, by setting the --network-interface flag once for each interface. The following sample creates an instance template with three network interfaces:

gcloud compute instance-templates create template-1 \
    --network-interface subnet=net0-subnet-a \
    --network-interface subnet=net1-subnet-b,no-address \
    --network-interface subnet=net2-subnet-c,no-address \
    --region REGION_A

Because subnet names in each region of a project must be unique, specifying subnets by name implicitly associates each interface with a VPC network. Each interface must use a subnet that is in a unique VPC network:

nic0 uses the net0-subnet-a subnet
nic1 uses the net1-subnet-b subnet
nic2 uses the net2-subnet-c subnet

The no-address option in the --network-interface flag indicates that the interface is configured without an external IPv4 address. The internal IP address comes from the subnet used by the interface. For complete information about the flags and syntax, see the --network-interface flag for the instance-templates create command.