Although the GCP documentation claims that IPv6 addresses are supported when making firewall rules (https://cloud.google.com/vpc/docs/firewalls) I can't seem to make it happen. From this doc:

  • Firewall rules support IPv4 connections. IPv6 connections are also supported in VPC networks that have IPv6 enabled. When specifying a source for an ingress rule or a destination for an egress rule by address, you can specify IPv4 or IPv6 addresses or blocks in CIDR notation.
  • Each firewall rule can contain either IPv4 or IPv6 ranges, but not both.

However, when I try to create a firewall rule with an IPv6 address, I get an error and it won't let me save it, as shown in the screenshot below.

The example above shows two examples I've tried, but I've tried it with single addresses, with and without CIDR blocks, and so on. And they are all refused. I've confirmed that the VPC subnet has IPv6 enabled.

Am I missing something?

  • I've created a subnet in "us-west2" with "--stack-type=IPV4_IPV6" as indicated in the GCP docs. I'm trying to create rules for this subnet. Commented Jul 26, 2021 at 18:18
  • IPv6 firewall rules are now supported except for ICMPv6. Commented Mar 31, 2023 at 4:44

1 Answer

The GUI doesn't work for me either, but I was able to successfully create the firewall rules with an equivalent gcloud command.

To test, I created a new VPC, new subnet and new firewall rule:

    error@cloudshell:~ (strange-passage-193919)$ gcloud compute networks create ipv6test --project=strange-passage-193919 --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional
    Created [https://www.googleapis.com/compute/v1/projects/strange-passage-193919/global/networks/ipv6test].
    NAME      SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE  GATEWAY_IPV4
    ipv6test  CUSTOM       REGIONAL

    Instances on this network will not be reachable until firewall rules
    are created. As an example, you can allow all internal traffic between
    instances as well as SSH, RDP, and ICMP by running:

    $ gcloud compute firewall-rules create <FIREWALL_NAME> --network ipv6test --allow tcp,udp,icmp --source-ranges <IP_RANGE>
    $ gcloud compute firewall-rules create <FIREWALL_NAME> --network ipv6test --allow tcp:22,tcp:3389,icmp

    error@cloudshell:~ (strange-passage-193919)$ gcloud compute networks subnets create ipv6test --project=strange-passage-193919 --range=10.16.0.0/20 --network=ipv6test --region=us-west2
    Created [https://www.googleapis.com/compute/v1/projects/strange-passage-193919/regions/us-west2/subnetworks/ipv6test].
    NAME      REGION    NETWORK   RANGE         STACK_TYPE  IPV6_ACCESS_TYPE  IPV6_CIDR_RANGE  EXTERNAL_IPV6_CIDR_RANGE
    ipv6test  us-west2  ipv6test  10.16.0.0/20  IPV4_ONLY
    error@cloudshell:~ (strange-passage-193919)$ gcloud compute networks subnets update ipv6test --project=strange-passage-193919 --stack-type=IPV4_IPV6 --ipv6-access-type=EXTERNAL --region=us-west2
    Updated [https://www.googleapis.com/compute/v1/projects/strange-passage-193919/regions/us-west2/subnetworks/ipv6test].
    error@cloudshell:~ (strange-passage-193919)$ gcloud compute --project=strange-passage-193919 firewall-rules create ruletest --direction=INGRESS --priority=1000 --network=ipv6test --action=ALLOW --rules=tcp:22 --source-ranges=2001:db8::/32
    Creating firewall...⠹Created [https://www.googleapis.com/compute/v1/projects/strange-passage-193919/global/firewalls/ruletest].
    Creating firewall...done.
    NAME      NETWORK   DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
    ruletest  ipv6test  INGRESS    1000      tcp:22        False
    error@cloudshell:~ (strange-passage-193919)$
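
The documentation excerpt quoted in the question says a rule can hold IPv4 or IPv6 ranges but not both. The following is an added example, not part of the original answer or of Google's documentation: it validates a mixed allow-list, refuses "any source" ranges by default, and builds one `gcloud` command per address family using only the flags shown in the session above. The function name `plan_firewall_rules` and the `-ipv4`/`-ipv6` rule-name suffixes are assumptions made for illustration.

```python
import ipaddress
import shlex


def plan_firewall_rules(name, network, rules, source_ranges, allow_any=False):
    """Return one `gcloud ... firewall-rules create` command per address family.

    Hypothetical helper: it only builds command strings and never calls gcloud.
    """
    by_family = {4: [], 6: []}
    for text in source_ranges:
        # strict=True rejects ranges with host bits set (e.g. 2001:db8::1/32),
        # which usually indicates a typo in the allow-list.
        net = ipaddress.ip_network(text, strict=True)
        # A /0 prefix (0.0.0.0/0 or ::/0) exposes the port to every source.
        if net.prefixlen == 0 and not allow_any:
            raise ValueError(f"{text} opens the rule to every source")
        by_family[net.version].append(str(net))

    commands = []
    for version, ranges in by_family.items():
        if not ranges:
            continue  # no rule needed for a family with no ranges
        argv = [
            "gcloud", "compute", "firewall-rules", "create",
            f"{name}-ipv{version}",  # assumed naming scheme, one rule per family
            "--direction=INGRESS",
            "--priority=1000",
            f"--network={network}",
            "--action=ALLOW",
            f"--rules={rules}",
            "--source-ranges=" + ",".join(ranges),
        ]
        commands.append(shlex.join(argv))
    return commands


if __name__ == "__main__":
    # Constructed sample input using documentation-reserved prefixes only.
    sample = ["192.0.2.0/24", "2001:db8::/32", "198.51.100.7"]
    for cmd in plan_firewall_rules("ruletest", "ipv6test", "tcp:22", sample):
        print(cmd)
```
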