GCP Firewall and IPv6 address support?

sirkus7

11/26/22, 5:51 PM

Although the GCP documentation claims that IPv6 addresses are supported when making firewall rules (https://cloud.google.com/vpc/docs/firewalls) I can't seem to make it happen. From this doc:

Firewall rules support IPv4 connections. IPv6 connections are also supported in VPC networks that have IPv6 enabled. When specifying a source for an ingress rule or a destination for an egress rule by address, you can specify IPv4 or IPv6 addresses or blocks in CIDR notation.

Each firewall rule can contain either IPv4 or IPv6 ranges, but not both.

However, when I try to create a firewall rule with an IPv6 address, I get an error and it won't let me save it, as shown in the screenshot below.

The example above shows two examples I've tried, but I've tried it with single addresses, with and without CIDR blocks, and so on. And they are all refused. I've confirmed that the VPC subnet has IPv6 enabled.

Am I missing something?

228

1 + 1

ipv6

google-cloud-platform

sirkus7

11/26/22, 6:18 PM

I've created a subnet in "us-west2" with "--stack-type=IPV4_IPV6" as indicated in the GCP docs. I'm trying to create rules for this subnet.

John Hanley

3/31/24, 4:44 AM

IPv6 firewall rules are now supported except for ICMPv6.

Score:2

Server

Michael Hampton

11/26/22, 6:21 PM

The GUI doesn't work for me either, but I was able to successfully create the firewall rules with an equivalent gcloud command.

To test, I created a new VPC, new subnet and new firewall rule:

error@cloudshell:~ (strange-passage-193919)$ gcloud compute networks create ipv6test --project=strange-passage-193919 --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional
Created [https://www.googleapis.com/compute/v1/projects/strange-passage-193919/global/networks/ipv6test].
NAME      SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE  GATEWAY_IPV4
ipv6test  CUSTOM       REGIONAL

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network ipv6test --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network ipv6test --allow tcp:22,tcp:3389,icmp

error@cloudshell:~ (strange-passage-193919)$ gcloud compute networks subnets create ipv6test --project=strange-passage-193919 --range=10.16.0.0/20 --network=ipv6test --region=us-west2
Created [https://www.googleapis.com/compute/v1/projects/strange-passage-193919/regions/us-west2/subnetworks/ipv6test].
NAME      REGION    NETWORK   RANGE         STACK_TYPE  IPV6_ACCESS_TYPE  IPV6_CIDR_RANGE  EXTERNAL_IPV6_CIDR_RANGE
ipv6test  us-west2  ipv6test  10.16.0.0/20  IPV4_ONLY
error@cloudshell:~ (strange-passage-193919)$ gcloud compute networks subnets update ipv6test --project=strange-passage-193919 --stack-type=IPV4_IPV6 --ipv6-access-type=EXTERNAL --region=us-west2
Updated [https://www.googleapis.com/compute/v1/projects/strange-passage-193919/regions/us-west2/subnetworks/ipv6test].
error@cloudshell:~ (strange-passage-193919)$ gcloud compute --project=strange-passage-193919 firewall-rules create ruletest --direction=INGRESS --priority=1000 --network=ipv6test --action=ALLOW --rules=tcp:22 --source-ranges=2001:db8::/32
Creating firewall...⠹Created [https://www.googleapis.com/compute/v1/projects/strange-passage-193919/global/firewalls/ruletest].
Creating firewall...done.
NAME      NETWORK   DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
ruletest  ipv6test  INGRESS    1000      tcp:22        False
error@cloudshell:~ (strange-passage-193919)$

0 + 0