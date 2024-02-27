



As network topologies grow and become more complex, managing IP address space becomes more complex too. The task gets even harder as hybrid infrastructure, cross-cloud networking, VPC peering, and shared VPC complicate deployments. To simplify private IP management, we're excited to announce a new internal range API. Using the internal range API, you can:

- Automatically allocate subnets from free address ranges within your VPC
- Reserve/protect internal ranges for use with specific Google Cloud networks
- Reserve/protect on-premises or cross-cloud ranges from use in your Google Cloud VPC

This blog provides an overview of how to use the Internal Range API and details how to create an Internal Range resource through some common use cases.

Internal range resource

Internal range resources allow you to reserve and protect blocks of IP addresses in your VPC network. When an internal range resource is created, the range is reserved and protected: any resource created later (such as a subnet) must explicitly reference the internal range resource at creation time, and any other attempt to use the range is blocked. By default, Google Cloud enforces that no other resource in your VPC uses this range. Below we show how this new resource can be used within your VPC.

Note: The internal range resource is aware of all existing allocations of subnetworks and static routes within the VPC and its peers, and performs duplication checks during allocation. This allows for gradual adoption of internal ranges into existing networks, reducing ongoing IP address management challenges.

Associate Google Cloud resources with internal ranges

You can associate a Google Cloud resource with an internal range when you create the resource. The internal range enforces intent through its usage property. Intent for VPC Network Peering is defined by the internal range's peering property, as described in the next section.

Usage property

- FOR_VPC – When usage is set to FOR_VPC, resources in the VPC can use the reserved block of IP addresses by associating themselves with the internal range resource. This is the default setting.
- EXTERNAL_TO_VPC – Ranges created with the EXTERNAL_TO_VPC usage property cannot be associated with Google Cloud resources in the current VPC. This is intended for reserving and protecting address ranges for other purposes: for example, an IP range that is already in use on-premises, in a cross-cloud network, or in another VPC, or a range you plan to reserve for future use.

Peering property

The peering property applies only when usage is FOR_VPC.

- FOR_SELF – This is the default behavior and indicates that the internal range can only be used in the VPC network in which it was created. The range is visible to the associated VPC network and to that network's peers, but the peers cannot use it. Only resources belonging to the network associated with the internal range can reference it, and peers cannot exchange this range further.
- FOR_PEER – Set this when the internal range is reserved for use by peers. No resource in the VPC in which the internal range is created can associate with it, but one of that VPC's peers can. This effectively reserves and donates the range for use by peer networks.
- NOT_SHARED (for future use cases) – Set this when the internal range is reserved for use by the VPC in which it was created and is not shared with peers. This effectively reserves a range for exclusive use by your local VPC.

Note: This flag is intended for future use cases; currently no resource can reference an internal range that has this property. It does, however, have the side effect of preventing you from creating new static routes that fall within the protected range.
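The two mechanisms described above, the overlap check against existing subnets and routes that the note on internal range resources mentions, and the usage/peering rules that decide which VPC may reference a range, are easier to reason about in code. The following is an added illustration written for this post, not Google Cloud's own implementation (Google Cloud performs these checks server-side). The VPC name my-vpc-name comes from the post; peer-vpc, every CIDR, and the 10.0.0.0/8 search space are constructed sample data. One assumption beyond the text: internal ranges created earlier in the same VPC are also excluded from later automatic allocations.

```python
"""Model of internal-range allocation and usage/peering enforcement.

Added illustration, not Google Cloud code. my-vpc-name is from the post;
peer-vpc, all CIDRs and the 10.0.0.0/8 search space are constructed.
Assumption: earlier internal ranges are excluded from later allocations.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(eq=False)  # identity comparison: peered VPCs reference each other
class Vpc:
    name: str
    subnets: list = field(default_factory=list)          # existing subnet CIDRs
    routes: list = field(default_factory=list)           # static route destinations
    peers: list = field(default_factory=list)            # directly peered Vpc objects
    internal_ranges: list = field(default_factory=list)  # InternalRange objects owned here


@dataclass
class InternalRange:
    name: str
    network: Vpc
    cidr: ipaddress.IPv4Network
    usage: str = "FOR_VPC"     # FOR_VPC | EXTERNAL_TO_VPC
    peering: str = "FOR_SELF"  # FOR_SELF | FOR_PEER | NOT_SHARED (only meaningful for FOR_VPC)


def allocated_ranges(vpc):
    """Every CIDR already in use in the VPC and its direct peers: subnets,
    static-route destinations and earlier internal ranges."""
    taken = []
    for v in [vpc, *vpc.peers]:
        taken += [ipaddress.ip_network(c) for c in v.subnets + v.routes]
        taken += [r.cidr for r in v.internal_ranges]
    return taken


def reserve_internal_range(name, vpc, cidr, usage="FOR_VPC", peering="FOR_SELF"):
    """Reserve an explicit CIDR, e.g. an on-premises block with EXTERNAL_TO_VPC."""
    rng = InternalRange(name, vpc, ipaddress.ip_network(str(cidr)), usage, peering)
    vpc.internal_ranges.append(rng)
    return rng


def allocate_internal_range(name, vpc, prefix_length, search_space="10.0.0.0/8",
                            usage="FOR_VPC", peering="FOR_SELF"):
    """Automatic allocation: the first /prefix_length block in search_space that
    overlaps nothing returned by allocated_ranges() (the duplication check)."""
    taken = allocated_ranges(vpc)
    for cand in ipaddress.ip_network(search_space).subnets(new_prefix=prefix_length):
        if not any(cand.overlaps(t) for t in taken):
            return reserve_internal_range(name, vpc, cand, usage, peering)
    raise ValueError(f"no free /{prefix_length} left in {search_space}")


def may_reference(rng, vpc):
    """May a resource such as a subnet in `vpc` be created from `rng`?
    EXTERNAL_TO_VPC: no Google Cloud resource may use it.
    FOR_SELF: only the owning VPC.  FOR_PEER: only the owner's direct peers.
    NOT_SHARED: reserved for the owner, but nothing can reference it yet."""
    if rng.usage == "EXTERNAL_TO_VPC" or rng.peering == "NOT_SHARED":
        return False
    if rng.peering == "FOR_SELF":
        return vpc is rng.network
    if rng.peering == "FOR_PEER":
        return vpc in rng.network.peers
    raise ValueError(f"unknown peering property {rng.peering!r}")


def subnet_creation_allowed(cidr, vpc, referenced=None):
    """Default enforcement: a subnet whose CIDR touches a protected range is
    blocked unless it references that exact range, is permitted to use it,
    and lies entirely inside it (whole range or a subset)."""
    net = ipaddress.ip_network(cidr)
    for owner in [vpc, *vpc.peers]:
        for rng in owner.internal_ranges:
            if net.overlaps(rng.cidr):
                return rng is referenced and may_reference(rng, vpc) and net.subnet_of(rng.cidr)
    return True


def build_sample():
    """Constructed topology: my-vpc-name peered with a hypothetical peer-vpc."""
    vpc = Vpc("my-vpc-name", subnets=["10.0.0.0/24", "10.0.1.0/24"], routes=["10.0.2.0/23"])
    peer = Vpc("peer-vpc", subnets=["10.0.4.0/24"])
    vpc.peers.append(peer)
    peer.peers.append(vpc)
    return vpc, peer


if __name__ == "__main__":
    vpc, peer = build_sample()
    own = allocate_internal_range("my-range", vpc, 24)                          # 10.0.5.0/24
    donated = allocate_internal_range("for-peer", vpc, 24, peering="FOR_PEER")  # 10.0.6.0/24
    onprem = reserve_internal_range("onprem", vpc, "192.168.0.0/16", usage="EXTERNAL_TO_VPC")
    print(own.cidr, donated.cidr)
    print(subnet_creation_allowed("10.0.5.0/25", vpc, referenced=own))          # True
    print(subnet_creation_allowed("10.0.5.0/25", vpc))                          # False: protected
    print(subnet_creation_allowed("10.0.6.0/24", peer, referenced=donated))     # True
    print(subnet_creation_allowed("192.168.10.0/24", vpc, referenced=onprem))   # False
```

The allocator skips 10.0.2.0/24 and 10.0.3.0/24 because both fall inside the existing 10.0.2.0/23 static route, and skips 10.0.4.0/24 because the peer already uses it, so the first free /24 is 10.0.5.0/24. The EXTERNAL_TO_VPC reservation of 192.168.0.0/16 blocks subnet creation in that block even when the subnet references the range, which is exactly the "protect an on-premises range from use in your VPC" case.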

Use Case Example 1: Create a subnetwork using internal ranges

Suppose you have a VPC called my-vpc-name. You can create a subnetwork by referencing an internal range to specify the available private IP address space for your subnet. Subnetworks can be associated with an entire internal range or a subset of a range. You can also associate subnetwork secondary ranges with internal ranges.

Step 1: Make sure you already have the correct IAM permissions and created your VPC network.

Step 2: Create an internal range to allocate the required size of free address space. Suppose you want to create a subnet of size /24.

