Public IPv4 & IPv6
Service ownership
Owner: network-platform (network-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11
Public IP addressing — both v4 and v6 — for VMs, load balancers, NAT gateways, and other public-facing endpoints.
What it is
A public IP is a routable address that lives on a Cloud Digit ENI (or attached to an LB / NAT GW / floating-IP object). You can request dynamic (released when the resource is destroyed) or static / reserved (held until you release it explicitly — see Floating / Reserved IP).
IPv4 allocation pools
- General-purpose pool — assigned at random within Cloud Digit's IPv4 ranges
- BDIX-only pool — reachable from BDIX peers only, not international transit (useful for sovereign-only services)
- BYOIP — bring your own range (subject to sub-allocation review and routing setup)
IPv6
- Dual-stack subnets supported — every public IPv4 can be paired with an IPv6 (/128)
- IPv6-only subnets supported (no IPv4); useful for new builds that want to skip NAT entirely
- Egress-only IGW for IPv6 supported (the v6 equivalent of a NAT GW for v4)
Pricing
| Component | Pricing |
|---|---|
| Public IPv4 attached to running VM | Free (one per VM) |
| Public IPv4 not attached / extra | Per-hour (idle-IP charge) |
| Public IPv6 | Free |
| BYOIP | Free; one-time onboarding fee |
This idle-IPv4 model encourages release-when-not-needed; IPv6 is unmetered.
Related
- Floating / Reserved IP — persistent IPs that survive resource destruction
- VPC
- DNS
Operate this service
Provisioning and governance of public addresses — the rare resource that's actually scarce.
IPv4 vs IPv6
- IPv4 — Bangladesh-allocated pool, limited. Each project starts with 25; bumps require justification.
- IPv6 — abundant, free, dual-stack on every public subnet.
Default new public-facing service: dual-stack. IPv4-only is acceptable for legacy clients; IPv6-only is acceptable for modern public APIs.
IAM
| Role | Can do |
|---|---|
| pubip.viewer | List public IPs |
| pubip.allocator | Allocate / release public IPs in a project |
| pubip.admin | Above + reverse DNS, BYOIP (BGP-imported ranges) |
Quota and stewardship
IPv4 is finite. Cloud Digit reclaims unused IPs after 30 days. Cost: an idle IPv4 is metered at a non-trivial rate to discourage hoarding.
Best practice:
- Tag every IP with the workload that owns it
- Quarterly: audit unattached IPs and release
```bash
cd network public-ip list --attached false --older-than 30d
```
BYOIP (Bring Your Own IP)
For customers with their own IPv4 ranges (typical for ISPs and large enterprises): import a /24 minimum via BGP. Process:
- Provide RIR allocation document
- Cloud Digit announces the range from the regional edge
- Allocate from the range like any platform IP
Setup typically 5–10 BWD; speak to your Customer Engineer.
Reverse DNS
Every public IP can have a customer-controlled PTR record:
```bash
cd network pubip ptr set --ip 103.5.7.42 --hostname mail.acme.com
```
PTR cannot be set if the hostname's forward record doesn't resolve to that IP (anti-spoofing).
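The anti-spoofing rule above is a forward-confirmed reverse DNS (FCrDNS) check: the PTR is accepted only if the hostname's A/AAAA records contain the IP. The following is an added example, not Cloud Digit code, showing that gate as a function and the receiving-side check a mail server performs. The zone data is constructed (the `2001:db8::` and `198.51.100.9` addresses are documentation ranges), and the resolver functions are stand-ins you would replace with real DNS queries.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example, not Cloud Digit code: it mirrors this page's rule that a PTR may
only be set when the hostname's forward record resolves back to the same IP.
Lookups are injected functions so the logic runs offline against a constructed
zone; in production, replace them with real A/AAAA and PTR queries.
"""
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample zone data for this example; not real records.
FORWARD = {
    "mail.acme.com": ["103.5.7.42", "2001:db8::42"],  # dual-stack host
    "www.acme.com": ["103.5.7.10"],
    "vanity.example": ["198.51.100.9"],               # points somewhere else
}
REVERSE = {
    "103.5.7.42": "mail.acme.com",
    "2001:db8::42": "mail.acme.com",
    "103.5.7.10": "www.acme.com",
}


def lookup_forward(hostname: str) -> Iterable[str]:
    """Stand-in for an A/AAAA query against the constructed zone."""
    return FORWARD.get(hostname.rstrip(".").lower(), [])


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query against the constructed zone."""
    return REVERSE.get(ip)


def ptr_allowed(ip: str, hostname: str,
                forward: Callable[[str], Iterable[str]] = lookup_forward) -> Tuple[bool, str]:
    """Anti-spoofing gate for `ptr set`: True only if hostname's A/AAAA set contains ip."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, f"invalid IP {ip!r}"
    answers = [ipaddress.ip_address(a) for a in forward(hostname)]
    if not answers:
        return False, f"{hostname} has no A/AAAA record"
    if addr not in answers:
        return False, f"{hostname} resolves to {[str(a) for a in answers]}, not {ip}"
    return True, "forward record confirms the PTR"


def fcrdns_ok(ip: str,
              forward: Callable[[str], Iterable[str]] = lookup_forward,
              ptr: Callable[[str], Optional[str]] = lookup_ptr) -> bool:
    """What a receiving mail server checks: a PTR exists and forward-confirms."""
    host = ptr(ip)
    if host is None:
        return False
    return ptr_allowed(ip, host, forward)[0]


if __name__ == "__main__":
    for ip, host in [("103.5.7.42", "mail.acme.com"), ("103.5.7.42", "vanity.example")]:
        print(ip, host, ptr_allowed(ip, host))
    print("fcrdns 103.5.7.42:", fcrdns_ok("103.5.7.42"))
```

Note that the comparison is done on parsed `ipaddress` objects rather than strings, so an IPv6 answer written with different zero-compression still matches, and a hostname that resolves only to a different family is correctly rejected.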
Allocation
```bash
# IPv4
cd network public-ip allocate --vpc acme-prod-vpc --tag workload=web-tier
# IPv6 (auto-allocated when subnet is dual-stack; no explicit allocate)
```
Allocated IPs are detached until associated with a VM, Load Balancer, or NAT GW.
Association
```bash
cd compute vm attach-ip --vm web-01 --ip 103.5.7.42
```
A VM can have one IPv4 and one IPv6 per vNIC. Use a Load Balancer for shared-IP-fronting-multiple-VMs scenarios.
Reverse DNS verification
```bash
dig +short -x 103.5.7.42   # PTR
dig +short mail.acme.com   # Forward
# Both should match for mail-sending VMs
```
Without correct PTR, outbound mail is rejected by most servers.
DDoS protection
All public IPs get DDoS Protection (Basic) free. For larger expected attack surface (public-facing services in news/government/finance), enable DDoS Premium.
Reclaim policy
Unused IPv4 (allocated, never attached) is billed. Quarterly audit:
```bash
cd network public-ip list --attached false -o table
cd network public-ip release --ip <ip>   # for each genuinely-unused
```
Cloud Digit will email project admins about idle IPs at 30/60/90 days; auto-reclaim at 120 days unless an exception is granted.
BGP announcement health (BYOIP)
| Metric | Healthy | Alert |
|---|---|---|
| byoip.announced | true | false (range withdrawn from edge) |
| byoip.propagation_pct | > 95% | < 90% (some upstream networks lost route) |
Can't reach a VM by its public IP
- VM running?
- Public IP associated (not just allocated)?
- Security group allows the inbound port?
- NACL allows it?
- VM's OS firewall (ufw / firewalld / Windows firewall) allows it?
- VM's service is actually listening on the port? (`ss -tlnp`)
- Subnet route table has Internet GW route?
`cd network reachability test --from internet --to <public-ip>:443` walks the path.
IPv6 connectivity works from some clients but not others
Common pattern: client ISP lacks IPv6. Cloud Digit's IPv6 is fully functional but consumer networks in BD lag — keep IPv4 dual-stack for public services.
Test with a known-IPv6 ISP:
```bash
curl -6 https://your-service.com
```
QuotaExceeded on IP allocation
```
ERROR: QuotaExceeded: project public-ipv4 quota 25, current 25
```
Audit attached IPs first — usually 30–40% of "allocated" are sitting on stopped VMs or orphaned. After cleanup, request a bump if genuinely needed.
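The quarterly audit described under "Quota and stewardship" and "Reclaim policy", and the cleanup-before-bump advice above, come down to the same pass over the project's IP inventory: find unattached IPv4s and bucket them by the 30/60/90/120-day policy, find IPs parked on stopped VMs, and find IPs with no owning workload tag. The script below is an added example, not Cloud Digit tooling. It assumes `cd network public-ip list -o json` emits records with the fields `ip`, `attached_to`, `attached_state`, `allocated_at` and `tags` (an assumed shape; check the real CLI's output), and the inventory it runs over is constructed.

```python
"""Idle public-IPv4 audit over `cd network public-ip list -o json` output.

Added example, not Cloud Digit tooling. The JSON shape (fields ip, attached_to,
attached_state, allocated_at, tags) is an assumption constructed for this
example; check the real CLI's output before relying on it. The tiers follow
this page's reclaim policy: notices at 30/60/90 days, auto-reclaim at 120 days.
"""
import json
from datetime import datetime, timezone

RECLAIM_DAYS = 120
NOTICE_DAYS = (90, 60, 30)   # checked highest first

# Constructed sample inventory; not real addresses or resources.
SAMPLE = json.dumps([
    {"ip": "103.5.7.42", "attached_to": "vm/web-01", "attached_state": "running",
     "allocated_at": "2026-01-10T00:00:00Z", "tags": {"workload": "web-tier"}},
    {"ip": "103.5.7.43", "attached_to": "vm/batch-07", "attached_state": "stopped",
     "allocated_at": "2025-12-01T00:00:00Z", "tags": {"workload": "batch"}},
    {"ip": "103.5.7.44", "attached_to": None, "attached_state": None,
     "allocated_at": "2026-04-20T00:00:00Z", "tags": {}},
    {"ip": "103.5.7.45", "attached_to": None, "attached_state": None,
     "allocated_at": "2025-12-15T00:00:00Z", "tags": {}},
    {"ip": "103.5.7.46", "attached_to": "lb/edge-1", "attached_state": "running",
     "allocated_at": "2026-03-01T00:00:00Z", "tags": {}},
])

AUDIT_DATE = datetime(2026, 5, 11, tzinfo=timezone.utc)  # "now" for the sample


def age_days(allocated_at: str, now: datetime = AUDIT_DATE) -> int:
    """Whole days since allocation; timestamps are ISO-8601 with a trailing Z."""
    ts = datetime.fromisoformat(allocated_at.replace("Z", "+00:00"))
    return (now - ts).days


def tier_for(age: int) -> str:
    """Map an idle age to the reclaim-policy tier."""
    if age >= RECLAIM_DAYS:
        return "reclaim"
    for d in NOTICE_DAYS:
        if age >= d:
            return f"notice-{d}"
    return "<30d"


def audit(list_json: str, now: datetime = AUDIT_DATE) -> dict:
    """Classify every allocated IPv4 into idle / stopped-VM / untagged findings."""
    findings = {"idle": [], "stopped_vm": [], "untagged": [], "release_commands": []}
    for rec in json.loads(list_json):
        ip = rec["ip"]
        if not rec.get("tags", {}).get("workload"):
            findings["untagged"].append(ip)     # violates "tag every IP with its workload"
        if rec["attached_to"] is None:
            age = age_days(rec["allocated_at"], now)
            findings["idle"].append({"ip": ip, "age_days": age, "tier": tier_for(age)})
            if age >= NOTICE_DAYS[-1]:          # candidate for the quarterly release pass
                findings["release_commands"].append(f"cd network public-ip release --ip {ip}")
        elif rec["attached_to"].startswith("vm/") and rec["attached_state"] == "stopped":
            # Attached, but only IPs on a *running* VM are free, and it still counts against quota.
            findings["stopped_vm"].append(ip)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

The release commands are emitted as text rather than executed, so an operator reviews the list before anything is released; the `stopped_vm` bucket is the set the quota section says to look at first, since those IPs are attached and so would not show up under `--attached false`.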
Reverse DNS not propagating
PTR records cache at upstream resolvers (24–48 h typical). After setting:
```bash
dig +short -x 103.5.7.42 @8.8.8.8   # Google's resolver
dig +short -x 103.5.7.42 @1.1.1.1   # Cloudflare's resolver
```
If both still show the old value after 48 h, ticket Cloud Digit DNS team.
IP attached to wrong VM
A detach + re-attach is required:
```bash
cd compute vm detach-ip --vm web-01
cd compute vm attach-ip --vm web-02 --ip 103.5.7.42
```
If detach fails: another resource (LB, NAT GW) holds the association. `cd network public-ip show --ip <ip>` reveals the holder.
BYOIP announcement withdrawn
Likely causes when `byoip.announced` = false:
- BGP peer flapped (transient — wait 5 min, then ticket)
- Range RPKI status changed (ROA mismatch)
- Cloud Digit edge network maintenance (rare; pre-announced)
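The health table under "BGP announcement health (BYOIP)" gives the thresholds, and the list above adds the triage nuance that a peer flap is transient for about five minutes. The evaluator below is an added example, not Cloud Digit monitoring code: it applies those thresholds to a short time series of `byoip.announced` / `byoip.propagation_pct` samples and only escalates a withdrawal once it has persisted past the transient window. The metric feed and sample shape are assumptions, and the series is constructed.

```python
"""BYOIP announcement-health evaluator over a short metric time series.

Added example, not Cloud Digit monitoring code. It applies this page's
thresholds (announced true/false; propagation >95% healthy, <90% alert) and its
triage note that a BGP peer flap is transient for about 5 minutes, so a
withdrawal only escalates once it has persisted past that window. The metric
feed and its sample shape are assumptions; the samples below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

TRANSIENT_WINDOW = timedelta(minutes=5)
HEALTHY_PCT = 95.0
ALERT_PCT = 90.0

Sample = Tuple[datetime, bool, float]  # (timestamp, byoip.announced, byoip.propagation_pct)


def withdrawn_since(samples: List[Sample]) -> datetime:
    """Start of the current continuous run of announced == False (samples oldest-first)."""
    since = samples[-1][0]
    for ts, announced, _ in reversed(samples):
        if announced:
            break
        since = ts
    return since


def evaluate(samples: List[Sample], now: datetime) -> Tuple[str, str]:
    """Return (status, detail) for the newest sample, with flap suppression."""
    if not samples:
        return "unknown", "no samples"
    ts, announced, pct = samples[-1]
    if not announced:
        dur = now - withdrawn_since(samples)
        minutes = int(dur.total_seconds() // 60)
        if dur < TRANSIENT_WINDOW:
            return "withdrawn-transient", f"withdrawn for {minutes} min; likely peer flap, re-check before ticketing"
        return "withdrawn", f"withdrawn for {minutes} min; ticket (check RPKI/ROA status and edge maintenance notices)"
    if pct < ALERT_PCT:
        return "alert", f"propagation {pct:.1f}% < {ALERT_PCT:.0f}%; some upstream networks lost the route"
    if pct <= HEALTHY_PCT:
        return "watch", f"propagation {pct:.1f}% between alert and healthy thresholds"
    return "healthy", f"announced, propagation {pct:.1f}%"


# Constructed series: five healthy minutes, then the range disappears from the edge.
BASE = datetime(2026, 5, 11, 9, 0, tzinfo=timezone.utc)
SERIES = [(BASE + timedelta(minutes=i), True, 98.0) for i in range(5)]
SERIES += [(BASE + timedelta(minutes=i), False, 0.0) for i in (5, 6)]

if __name__ == "__main__":
    for offset in (7, 12):
        print(offset, evaluate(SERIES, BASE + timedelta(minutes=offset)))
```

The transient window is measured from the first sample of the current withdrawn run, not from the latest sample, so a scraper that polls every minute still sees the status flip from `withdrawn-transient` to `withdrawn` at the five-minute mark rather than resetting on each poll.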
DDoS attack drops legit traffic
DDoS Basic uses signature + rate-limit. Heavy mitigation can drop legitimate spikes. If you expect a campaign / event:
- Allowlist known good source CIDRs in `cd network ddos allowlist add`
- Pre-arrange with Cloud Digit SRE 5+ BWD before the event
- Upgrade to DDoS Premium for ML-based separation