Public IP Addresses

This topic describes how to manage public IPv4 addresses on instances in a virtual cloud network (VCN).

IPv6 addressing is currently supported only in the US Government Cloud. For more information, see IPv6 Addresses.

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Overview of Public IP Addresses

A public IP address is an IPv4 address that is reachable from the internet. If a resource in your tenancy needs to be directly reachable from the internet, it must have a public IP address. Depending on the type of resource, there might be other requirements.

Certain types of resources in your tenancy are designed to be directly reachable from the internet and therefore automatically come with a public IP address. For example: a NAT gateway or a public load balancer. Other types of resources are directly reachable only if you configure them to be. For example: instances in your VCN.

This topic focuses on these subjects:

  • The types of public IP addresses and their characteristics
  • How to control whether an instance has a public IP address

For more information about resources that automatically get a public IP address, see Overview of Public IP Addresses.

Instances and Public IP Addresses

You can assign a public IP address to an instance to enable communication with the internet. The instance is assigned a public IP address from the Oracle Cloud Infrastructure address pool.

The assignment is actually to a private IP object on the instance. The VNIC that the private IP is assigned to must be in a public subnet. A given instance can have multiple secondary VNICs, and a given VNIC can have multiple secondary private IPs. So you can assign a given instance multiple public IPs across one or more VNICs if you like.

For an instance to communicate directly with the internet, all of the following are required:

Tip

Oracle Cloud Infrastructure FastConnect public peering lets your on-premises network access the public IP addresses of resources in Oracle Cloud Infrastructure without the traffic traversing the internet. For more information, see FastConnect.

The Public IP Object

The Networking service defines an object called a public IP, which consists of these items:

  • Public IPv4 address (chosen by Oracle)
  • Properties that further define the public IP's type and behavior

Each public IP object has an Oracle-assigned OCID (see Resource Identifiers). If you're using the API, you can also assign each public IP object a friendly name.

Types of Public IPs

There are two types of public IPs:

  • Ephemeral: Think of it as temporary and existing for the lifetime of the instance.
  • Reserved: Think of it as persistent and existing beyond the lifetime of the instance it's assigned to. You can unassign it and then reassign it to another instance whenever you like. Exception: reserved public IPs on public load balancers. See Overview of Public IP Addresses.

The following table summarizes the differences between the two types.

Characteristic Ephemeral Public IPs Reserved Public IPs
Allowed assignment

To a VNIC's primary private IP only

Limits:

  • One per VNIC
  • Two per VM instance, and 16 per bare metal instance

To either a primary or secondary private IP

Limit: 32 per VNIC

Creation

Optionally created and assigned during instance launch or secondary VNIC creation. You can create and assign one later if the VNIC doesn't already have one.

 

You create one at any time. You can then assign it when you like.

Limit: You can create 50 per region

Unassignment

You can unassign it at any time, which deletes it. You might do this if whoever launched the instance included a public IP, but you don't want the instance to have one.

When you stop an instance, its ephemeral public IPs remain assigned to the instance.

You can unassign it at any time, which returns it to your tenancy's pool of reserved public IPs.
Moving to a different resource

You cannot move an ephemeral public IP to a different private IP.

If assigned to a secondary private IP: If you move the private IP to a different VNIC (must be in the same subnet), the reserved public IP goes with it.

You can move it (unassign and then reassign it) at any time to another private IP in the same region. Can be in a different VCN or availability domain.

Automatic deletion

Its lifetime is tied to the private IP's lifetime. Automatically unassigned and deleted when:

  • Its private IP is deleted
  • Its VNIC is detached or terminated
  • Its instance is terminated

Never. Exists until you delete it.

Scope Availability domain Regional (can be assigned to a private IP in any availability domain in the region)
Compartment and availability domain Same as the private IPs Can be different from the private IPs

When you launch an instance in a public subnet, by default, the instance gets a public IP unless you say otherwise. See To choose whether an ephemeral public IP is assigned when launching an instance.

After you create a given public IP, you can't change which type it is. For example, if you launch an instance that is assigned an ephemeral public IP with address 203.0.113.2, you can't convert the ephemeral public IP to a reserved public IP with address 203.0.113.2.

The preceding table notes the public IP limits per VNIC and instance. If you try to perform any operation that assigns or moves a public IP to a VNIC or instance that has already reached its public IP limit, an error is returned. The operations include:

  • Assigning a public IP
  • Creating a new secondary VNIC with a public IP
  • Moving a private IP with a public IP to another VNIC
  • Moving a public IP to another private IP

Resources That Always Get a Public IP

As mentioned earlier, certain types of resources are designed to be directly reachable from the internet. Examples: a NAT gateway or a public load balancer. These resources automatically get a public IP address upon creation. Oracle chooses the public IP address from the Oracle pool. You can't remove or change the address.

For public load balancers, the address is a regional reserved public IP that is assigned to a private IP on the load balancer. This public IP appears in the list of your tenancy's reserved public IPs, which you can view in the Console. However, unlike other reserved public IPs that you create, you have no control over this public IP. You can't edit it or unassign it from the load balancer yourself. It's automatically unassigned and deleted from your tenancy when you terminate the load balancer.

For NAT gateways, the address is a regional ephemeral public IP that is assigned to the NAT gateway. Like other ephemeral public IPs, it's automatically unassigned and deleted when you terminate its assigned resource (the NAT gateway). However, unlike other ephemeral public IPs, you can't edit it or unassign it yourself.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy  written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment  you should work in.

For administrators: see IAM Policies for Networking.

Ephemeral Public IPs: Using the Console

To choose whether an ephemeral public IP is assigned when launching an instance
To assign an ephemeral public IP when creating a secondary VNIC

When you add a secondary VNIC to an instance, you choose whether the primary private IP on the new VNIC gets an ephemeral public IP. This choice is available only if the secondary VNIC is in a public subnet.

In the Create VNIC dialog box, there's an Assign a public IP address check box. By default, the check box is NOT selected, which means the secondary VNIC does not get an ephemeral public IP. You must select the check box.

For instructions, see Connectivity Choices.

To assign an ephemeral public IP to an existing primary private IP

Prerequisite: The primary private IP must not have a reserved or ephemeral public IP already assigned to it. If it does, first delete the ephemeral public IP, or unassign the reserved public IP.

  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IP Addresses.

    The VNIC's primary private IP and any secondary private IPs are displayed.

  7. For the VNIC's primary private IP, click the Actions icon (three dots), and then click Edit.
  8. In the Public IP Address section, for Public IP type, select the radio button for Ephemeral Public IP.
  9. In the Ephemeral Public IP Name field, enter an optional friendly name for the public IP. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
  10. Click Update.
To delete an ephemeral public IP from an instance

Deleting an ephemeral public IP automatically unassigns it from its private IP.

  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IP Addresses.

    The VNIC's primary private IP and any secondary private IPs are displayed.

  7. For the VNIC's primary private IP, click the Actions icon (three dots), and then click Edit.
  8. In the Public IP Address section, for Public IP Type, select the radio button for No Public IP.
  9. Click Update.
To change the display name for an ephemeral public IP
  1. Confirm you're viewing the compartment that contains the instance you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IP Addresses.

    The VNIC's primary private IP and any secondary private IPs are displayed.

  7. For the VNIC's primary private IP, click the Actions icon (three dots), and then click Edit.
  8. In the Public IP Address section, edit the Ephemeral Public IP Name. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
  9. Click Update.

Reserved Public IPs: Using the Console

To view your reserved public IPs
  1. Confirm you're viewing the region and compartment you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Networking and click Public IPs.

The details of the reserved public IPs in the selected region and compartment are displayed. If the reserved public IP is assigned, there's a link to the relevant VNIC.

To create a new reserved public IP in your pool
  1. Confirm you're viewing the region and compartment where you want to create the reserved public IP.
  2. Open the navigation menu. Under Core Infrastructure, go to Networking and click Public IPs.

  3. Click Create Reserved Public IP.
  4. Enter the following:

    • Name: An optional friendly name for the reserved public IP. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
    • Compartment: Leave as is.
    • Tags: If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  5. Click Create Reserved Public IP.

The new reserved public IP is created and displayed on the page. You can now assign it to an existing private IP if you like.

To delete a reserved public IP from your pool

The reserved public IP can be in the "Assigned" state. Deleting a reserved public IP automatically unassigns it from its private IP.

  1. Confirm you're viewing the region and compartment that contains the reserved public IP.
  2. Open the navigation menu. Under Core Infrastructure, go to Networking and click Public IPs.

  3. For the reserved public IP you want to delete, click the Actions icon (three dots), and then click Terminate.
  4. Confirm when prompted.

After a few seconds, the reserved public IP is unassigned (if it was assigned) and deleted from your pool.

To assign a reserved public IP to a private IP

Prerequisite: The private IP must not have an ephemeral or reserved public IP already assigned to it. If it does, first delete the ephemeral public IP, or unassign the reserved public IP.

  1. Confirm you're viewing the compartment that contains the instance with the private IP you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IP Addresses.

    The VNIC's primary private IP and any secondary private IPs are displayed.

  7. For the private IP you're interested in, click the Actions icon (three dots), and then click Edit.
  8. In the Public IP Address section, for Public IP Type, select the radio button for Reserved Public IP.
  9. Enter the following:

    • Compartment: The compartment that contains the reserved public IP you want to assign.
    • Reserved Public IP: The reserved public IP you want to assign. You have three choices:

      • Create a new reserved public IP. You may optionally provide a friendly name for it. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
      • Assign a reserved public IP that isn't already assigned.
      • Move a reserved public IP from another private IP.
  10. Click Update.
To unassign a reserved public IP and return it to the pool
  1. Confirm you're viewing the compartment that contains the instance with the reserved public IP you're interested in.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IP Addresses.

    The VNIC's primary private IP and any secondary private IPs are displayed.

  7. For the private IP you're interested in, click the Actions icon (three dots), and then click Edit.
  8. In the Public IP Address section, for Public IP Type, select the radio button for No Public IP.
  9. Click Update.

The reserved public IP is unassigned and returned to your pool.

To move a reserved public IP from one private IP to another

Let's say you want to move a reserved public IP from private IP 1 to private IP 2. In summary: Make sure private IP 2 doesn't have a public IP already assigned to it. Then assign the reserved public IP to private IP 2. It will be automatically unassigned from private IP 1 first. Detailed instructions:

  1. Confirm you're viewing the compartment that contains the instance with private IP 2.
  2. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
  3. Click the instance to view its details.
  4. Under Resources, click Attached VNICs.

    The primary VNIC and any secondary VNICs attached to the instance are displayed.

  5. Click the VNIC you're interested in.
  6. Under Resources, click IP Addresses.

    The VNIC's primary private IP and any secondary private IPs are displayed.

  7. For private IP 2, click the Actions icon (three dots), and then click Edit.
  8. If private IP 2 already has a public IP assigned to it:

    1. In the Public IP Address section, select the radio button for No Public IP.
    2. Click Update.
    3. Again for private IP 2, click the Actions icon (three dots), and then click Edit.
  9. In the Public IP Address section, select the radio button for Reserved Public IP.
  10. Enter the following:

    • Compartment: The compartment that contains the reserved public IP you want to assign.
    • Reserved Public IP: The reserved public IP you want to assign. It will be moved from the public IP it's currently assigned to.
  11. Click Update.
To change the display name for a reserved public IP
  1. Confirm you're viewing the region and compartment that contains the reserved public IP.
  2. Open the navigation menu. Under Core Infrastructure, go to Networking and click Public IPs.

  3. For the reserved public IP you want to edit, click the Actions icon (three dots), and then click Edit.
  4. Make your changes to the friendly name. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
  5. Click Save.
To manage tags for a reserved public IP
  1. Confirm you're viewing the region and compartment that contains the reserved public IP.
  2. Open the navigation menu. Under Core Infrastructure, go to Networking and click Public IPs.

  3. For the reserved public IP you're interested in, click the Actions icon (three dots), and then click View Tags. From there you can view the existing tags, edit them, and apply new ones.

For more information, see Resource Tags.

To move a reserved public IP to a different compartment

You can move a reserved public IP from one compartment to another. When you move a reserved public IP to a new compartment, inherent policies apply immediately.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Public IPs.

  2. For the reserved public IP you're interested in, click the Actions icon (three dots), and then click Move Resource.
  3. Choose the destination compartment from the list.
  4. Click Move Resource.

For more information about using compartments and policies to control access to your cloud network, see Access Control. For general information about compartments, see Managing Compartments.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

To manage public IPs, use these operations:

  • GetPublicIp: Use this to get a publicIp object by specifying its OCID.
  • GetPublicIpByIpAddress: Use this to get a publicIp object by specifying its public IP address.
  • GetPublicIpByPrivateIpId: Use this to get a publicIp object by specifying the OCID of the private IP it's assigned to.
  • ListPublicIps: Use this to list either your ephemeral or reserved publicIp objects.
  • CreatePublicIp: Use this to create a new reserved public IP in your pool.
  • UpdatePublicIp: Use this to assign, reassign, or unassign a reserved public IP, or to update the display name of an ephemeral or reserved public IP. You can also update a reserved public IP's tags.
  • DeletePublicIp: Use this to delete an ephemeral public IP from its private IP, or delete a reserved public IP from your pool. The operation first unassigns the public IP.
  • ChangePublicIpCompartment: Use this to move a reserved public IP from one compartment to another. This operation applies only to reserved public IPs. Ephemeral public IPs always belong to the same compartment as their VNIC and move accordingly.