How to add IPv6 to Google Cloud firewall rules

Solution 1:

All VPC networks use the IPv4 protocol. Compute Engine networks currently do not support IPv6. However, Google is a major advocate of IPv6 and it is an important future direction.

In other words, IPv6 is not supported on Compute Engine, period. Global load balancers support IPv6 connectivity to clients, but they will communicate with your Compute Engine resources using IPv4 only.

Solution 2:

This is what the relevant documentation says:

Firewall rules

You must create a firewall rule that allows traffic from 130.211.0.0/22 and 35.191.0.0/16 to reach your instances. This rule allows traffic from both the load balancer and the health checker. The rule must allow traffic on the port your global forwarding rule has been configured to use, and your health checker should be configured to use the same port. If your health checker uses a different port, then you must create another firewall rule for that port.

Note that firewall rules block and allow traffic at the instance level, not at the edges of the network. They cannot prevent traffic from reaching the load balancer itself.

Connections from the internet to the HTTP/HTTPS load balancer can be IPv4 or IPv6 (assuming you have assigned an address from each family to the load balancer). Connections from the load balancer to the VMs are at this time only IPv4 and will originate from one of the ranges mentioned in the documentation. The client IP address is sent in an HTTP header and can be either IPv4 or IPv6.

The firewall will only see the IPv4 address of the load balancer, not the client. If your VMs have external IP addresses and you don't want to allow clients to bypass the load balancer, you can use firewall rules to only allow HTTP/HTTPS connections from the IP range allocated for load balancers and health checks.
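
An added example, not part of either answer or of the quoted documentation: because the firewall sees only the load balancer's IPv4 address, the backend has to recover the client's IPv4 or IPv6 address from the HTTP header, and should trust that header only when the connection really came from the documented ranges. The code assumes the header is `X-Forwarded-For` and that the load balancer appends `<client-ip>, <load-balancer-ip>` to it; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Source ranges the quoted documentation gives for load balancer
# and health-check traffic.
LB_RANGES = [
    ipaddress.ip_network("130.211.0.0/22"),
    ipaddress.ip_network("35.191.0.0/16"),
]


def from_load_balancer(peer: str) -> bool:
    """True if the TCP peer address falls inside the documented ranges."""
    addr = ipaddress.ip_address(peer)
    # An IPv6 peer never matches: the ranges are IPv4 only.
    return any(addr in net for net in LB_RANGES)


def client_address(peer: str, forwarded_for: Optional[str]):
    """Return the address to log, rate-limit or apply access rules to.

    Assumption: the load balancer appends "<client-ip>, <lb-ip>" to
    X-Forwarded-For, so the client is the second-to-last entry and
    anything further left was supplied by the client itself.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not from_load_balancer(peer):
        # Connection bypassed the load balancer (VM has an external IP and
        # the firewall allowed it): the header is untrusted, ignore it.
        return peer_addr
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    if len(hops) < 2:
        # Health checks and malformed requests carry no client entry.
        return peer_addr
    try:
        return ipaddress.ip_address(hops[-2])  # IPv4 or IPv6
    except ValueError:
        return peer_addr


if __name__ == "__main__":
    # Constructed samples: (peer seen by the VM, X-Forwarded-For value)
    samples = [
        ("130.211.1.7", "2001:db8::42, 192.0.2.10"),
        ("35.191.8.8", "10.1.1.1, 203.0.113.9, 192.0.2.10"),
        ("198.51.100.20", "10.0.0.1, 10.0.0.2"),
    ]
    for peer, xff in samples:
        print(peer, "->", client_address(peer, xff))
```

With a firewall rule limited to the two ranges, the bypass branch should never fire; seeing it in logs indicates the rule is broader than intended.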