Every project on the platform needs a unique private IPv6 address space so that networks across projects can communicate without address conflicts — for example, when connected via private peering or inter-project networking.
When a user enables networking services in a project, the platform automatically allocates a unique private (ULA) /48 prefix from a platform-managed pool. All networks, subnets, and individual instance addresses within that project are drawn from this prefix.
Allocation hierarchy
| Resource |
Block size |
| Per-project root |
/48 |
| Per-subnet (network + location) |
/64 |
| Per-instance address |
/128 |
Each project supports up to 65,536 subnets — no artificial cap on how many networks or locations a project can have. The association between a subnet and its network and location is tracked by the platform, not encoded in the address itself.
Policy-mode networks
When a user creates a network with a manually specified address range (policy mode), multiple networks within the same project may intentionally use the same private address space — for example, two isolated test networks both using the same range. This gives users flexibility to create isolated networks with intentionally overlapping address spaces for advanced use cases such as multi-tenant environments or staged migrations. The platform should support this without treating it as a conflict. This requires a capability enhancement to the IPAM service (milo-os/ipam#23).
Implementation note
The per-project /48 is allocated by the network services operator when a project's networking ServiceEntitlement becomes active. The full technical design is tracked in enhancements/ipam-integration.md.
Public IPv6 addressing (globally routable GUA prefixes) is out of scope for this issue and will be tracked separately.
Every project on the platform needs a unique private IPv6 address space so that networks across projects can communicate without address conflicts — for example, when connected via private peering or inter-project networking.
When a user enables networking services in a project, the platform automatically allocates a unique private (
ULA)/48prefix from a platform-managed pool. All networks, subnets, and individual instance addresses within that project are drawn from this prefix.Allocation hierarchy
/48/64/128Each project supports up to 65,536 subnets — no artificial cap on how many networks or locations a project can have. The association between a subnet and its network and location is tracked by the platform, not encoded in the address itself.
Policy-mode networks
When a user creates a network with a manually specified address range (policy mode), multiple networks within the same project may intentionally use the same private address space — for example, two isolated test networks both using the same range. This gives users flexibility to create isolated networks with intentionally overlapping address spaces for advanced use cases such as multi-tenant environments or staged migrations. The platform should support this without treating it as a conflict. This requires a capability enhancement to the IPAM service (milo-os/ipam#23).
Implementation note
The per-project
/48is allocated by the network services operator when a project's networkingServiceEntitlementbecomes active. The full technical design is tracked inenhancements/ipam-integration.md.Public IPv6 addressing (globally routable GUA prefixes) is out of scope for this issue and will be tracked separately.