Back to Feed
Day 04Intermediate

Day 04: The Rule of 4 & The Alias IP Secret

Why GCP steals 4 IPs, why you can't shrink subnets, and how Alias IPs form the backbone of Kubernetes networking.

AuthorPratik Shetti
β€’Jan 24, 2026β€’5 min read

πŸ‘‹ The Goal

We often think of an IP address as "One Machine = One IP." In the cloud, this is false. Today we explore:

  1. IP Capacity: Why a /29 gives you 4 IPs, not 8.
  2. Immutability: Why you can Expand, but never Shrink.
  3. Alias IPs: How to map multiple IPs to a single Interface (The "K8s Pattern").

πŸ“ Part 1: The Math (The Rule of 4)

If you create a subnet 10.0.1.0/29, you expect 8 IPs. GCP gives you only 4 usable IPs.

IP AddressUsage
10.0.1.0Network Address (Unusable)
10.0.1.1Default Gateway (Google's Router)
10.0.1.2Reserved by GCP (Future/Internal use)
10.0.1.3Usable (VM 1)
10.0.1.4Usable (VM 2)
10.0.1.5Usable (VM 3)
10.0.1.6Usable (VM 4)
10.0.1.7Broadcast Address (Unusable)

Lesson: Always size your subnets larger than you think. A /29 is practically useless for anything except a tiny test.

πŸ—οΈ The Trap (Simulation)

We don't need to spend money on 5 VMs to prove this. We can use free Internal Static IP reservations.

1. Create the Network

gcloud compute networks create day4-vpc --subnet-mode=custom
gcloud compute networks subnets create day4-tiny-subnet \
    --network=day4-vpc \
    --range=10.0.1.0/29 \
    --region=us-central1

2. Fill the Tank We loop through and reserve all 4 usable IPs (.3 to .6).

for i in {3..6}; do
  gcloud compute addresses create ip-$i \
    --region=us-central1 \
    --subnet=day4-tiny-subnet \
    --addresses=10.0.1.$i
done

3. Hit the Wall Try to grab one more IP (e.g., .2 which is reserved, or a new one).

gcloud compute addresses create ip-fail \
    --region=us-central1 \
    --subnet=day4-tiny-subnet \
    --addresses=10.0.1.2

Result: ERROR: IP 10.0.1.2 is reserved.

You are now out of capacity. If this was a production database cluster requiring 5 nodes, you would be down.

πŸ”’ Part 2: Why Can't I Shrink a Subnet?

You can execute expand-ip-range to go from /29 to /28 live. But you cannot go from /28 to /29. Why?

The Routing Paradox: Imagine you have a subnet 10.0.0.0/24 (IPs 0-255). You have a VM running at .200. If you shrink the subnet to /25 (IPs 0-127), the VM at .200 is effectively "orphaned."

  • It is outside the defined network boundary.
  • The VPC Router no longer has a rule to send traffic to .200.
  • The VM becomes unreachable instantly.

To prevent this "Catastrophic Configuration Drift," Cloud Providers hard-block shrinking. If you need a smaller subnet, you must build a new one and migrate.

The Fix (Live Expansion)

Many engineers panic and think they need to delete the subnet (and all VMs inside it) to resize it. False. GCP allows live expansion of the subnet mask.

1. Expand to /28 A /28 gives us 16 IPs (12 usable).

gcloud compute networks subnets expand-ip-range day4-tiny-subnet \
    --region=us-central1 \
    --prefix-length=28

2. Verify Capacity Now, try to create an IP in the new space (e.g., .9).

gcloud compute addresses create ip-success \
    --region=us-central1 \
    --subnet=day4-tiny-subnet \
    --addresses=10.0.1.9

Result: Success. Crisis averted.

πŸ™ Part 3: Alias IPs (The First Principle of K8s)

This is the most critical concept for modern cloud engineering.

The Problem: You have one VM (Node). You want to run 50 Containers (Pods). You want every Pod to have its own IP address so they don't fight over Port 80.

The Solution: Alias IPs An Alias IP is a "Secondary Identity" attached to a VM's existing Network Interface (NIC).

How It Works (The Mailbox Analogy):

  • The VM: Your House.
  • Primary IP: The Address painted on the curb (10.0.0.5).
  • Alias IPs: Sticky notes on the mailbox: "I also accept mail for 10.1.0.1 and 10.1.0.2."

The Implementation (Secondary Ranges): To keep things clean, we don't mix "VM IPs" and "Container IPs."

  1. Primary Range (10.0.0.0/24): Used for Nodes (VMs).
  2. Secondary Range (10.1.0.0/16): A huge bucket of IPs attached to the subnet, reserved for Pods.

The GKE Flow:

  1. A Packet arrives destined for 10.1.0.5 (A Pod).
  2. The VPC Router looks up its table: "Oh, 10.1.0.5 is an Alias IP assigned to Node VM-A."
  3. It delivers the packet to VM-A.
  4. VM-A's Linux Kernel sees the packet, checks its internal map, and hands it to Container #5.

The Lab: Configuring an Alias

We can simulate this manually without Kubernetes.

# 1. Create a VM with a Primary IP (Auto) AND an Alias IP (10.0.1.10)
gcloud compute instances create alias-test-vm \
    --machine-type=e2-micro \
    --subnet=day4-tiny-subnet \
    --network-interface=aliases=10.0.1.10 \
    --zone=us-central1-a

Verification: SSH into that VM and run:

ip route show table local

You will see your Primary IP and the Alias IP listed. The OS knows it owns both.

🧠 Key Takeaways

  • GCP Reserves 4 IPs: Network, Gateway, Reserved, Broadcast.
  • Shrinking is Forbidden: It breaks routing contracts.
  • Alias IPs: Allow a single NIC to host multiple IPs. This is how containers get unique IPs without needing physical interfaces.

The Golden Command

# Expand a subnet without downtime
gcloud compute networks subnets expand-ip-range [SUBNET_NAME] --prefix-length=[NEW_SIZE]

Topics

NetworkingCIDRGCPKubernetesDeep Dive