oxidecomputer · david-crespo · Feb 6, 2026
diff --git a/app/components/AttachEphemeralIpModal.tsx b/app/components/AttachEphemeralIpModal.tsx
@@ -17,37 +17,34 @@ import {
   queryClient,
   useApiMutation,
   usePrefetchedQuery,
+  type IpVersion,
 } from '~/api'
 import { IpPoolSelector } from '~/components/form/fields/IpPoolSelector'
 import { HL } from '~/components/HL'
 import { useInstanceSelector } from '~/hooks/use-params'
 import { addToast } from '~/stores/toast'
+import { Message } from '~/ui/lib/Message'
 import { Modal } from '~/ui/lib/Modal'
 import { ALL_ISH } from '~/util/consts'
-import { getCompatibleVersionsFromNics } from '~/util/ip'
 
-export const AttachEphemeralIpModal = ({ onDismiss }: { onDismiss: () => void }) => {
+type AttachEphemeralIpModalProps = {
+  availableVersions: IpVersion[]
+  onDismiss: () => void
+}
+
+export const AttachEphemeralIpModal = ({
+  availableVersions,
+  onDismiss,
+}: AttachEphemeralIpModalProps) => {
   const { project, instance } = useInstanceSelector()
   const { data: siloPools } = usePrefetchedQuery(
     q(api.ipPoolList, { query: { limit: ALL_ISH } })
   )
-  const { data: nics } = usePrefetchedQuery(
-    q(api.instanceNetworkInterfaceList, { query: { limit: ALL_ISH, project, instance } })
-  )
 
-  // Determine compatible IP versions based on instance's primary network interface
-  // External IPs route through the primary interface, so only its IP stack matters
-  // https://github.com/oxidecomputer/omicron/blob/d52aad0/nexus/db-queries/src/db/datastore/external_ip.rs#L544-L661
-  const compatibleVersions = useMemo(
-    () => getCompatibleVersionsFromNics(nics.items),
-    [nics]
-  )
-
-  // Only unicast pools can be used for ephemeral IPs
+  // Only show unicast pools for the IP versions that still have open slots
   const compatibleUnicastPools = useMemo(
-    () =>
-      siloPools.items.filter(isUnicastPool).filter(poolHasIpVersion(compatibleVersions)),
-    [siloPools, compatibleVersions]
+    () => siloPools.items.filter(isUnicastPool).filter(poolHasIpVersion(availableVersions)),
+    [siloPools, availableVersions]
   )
 
   const defaultPool = useMemo(() => {
@@ -73,25 +70,31 @@ export const AttachEphemeralIpModal = ({ onDismiss }: { onDismiss: () => void })
   const pool = form.watch('pool')
 
   const disabledReason =
-    compatibleVersions.length === 0
-      ? 'Instance has no network interfaces with compatible IP stacks'
-      : compatibleUnicastPools.length === 0
-        ? 'No compatible unicast pools available for this instance'
-        : !pool
-          ? 'Select a pool to continue'
-          : undefined
+    compatibleUnicastPools.length === 0
+      ? 'No compatible unicast pools available for this instance'
+      : !pool
+        ? 'Select a pool to continue'
+        : undefined
+
+  const message =
+    availableVersions.length === 1
+      ? `Only ${availableVersions[0]} pools are shown because this instance already has a ${availableVersions[0] === 'v4' ? 'v6' : 'v4'} ephemeral IP.`
+      : availableVersions.length === 2
+        ? 'Dual-stack network interfaces support one ephemeral IP per version.'
+        : undefined
 
   return (
     <Modal isOpen title="Attach ephemeral IP" onDismiss={onDismiss}>
       <Modal.Body>
         <Modal.Section>
+          {message && <Message variant="info" content={message} />}
           <form>
             <IpPoolSelector
               control={form.control}
               poolFieldName="pool"
               pools={compatibleUnicastPools}
               disabled={compatibleUnicastPools.length === 0}
-              compatibleVersions={compatibleVersions}
+              compatibleVersions={availableVersions}
             />
           </form>
         </Modal.Section>

diff --git a/app/pages/project/instances/NetworkingTab.tsx b/app/pages/project/instances/NetworkingTab.tsx
@@ -14,6 +14,7 @@ import { match } from 'ts-pattern'
 import {
   api,
   instanceCan,
+  isUnicastPool,
   q,
   qErrorsAllowed,
   queryClient,
@@ -58,7 +59,12 @@ import { TableEmptyBox } from '~/ui/lib/Table'
 import { TipIcon } from '~/ui/lib/TipIcon'
 import { Tooltip } from '~/ui/lib/Tooltip'
 import { ALL_ISH } from '~/util/consts'
-import { getCompatibleVersionsFromNics, ipHasVersion, parseIp } from '~/util/ip'
+import {
+  getCompatibleVersionsFromNics,
+  getEphemeralIpSlots,
+  ipHasVersion,
+  parseIp,
+} from '~/util/ip'
 import { pb } from '~/util/path-builder'
 
 import { fancifyStates } from './common'
@@ -301,6 +307,11 @@ export default function NetworkingTab() {
     })
   ).data.items
 
+  const { data: siloPools } = usePrefetchedQuery(
+    q(api.ipPoolList, { query: { limit: ALL_ISH } })
+  )
+  const unicastPools = useMemo(() => siloPools.items.filter(isUnicastPool), [siloPools])
+
   // Determine compatible IP versions from the instance's primary NIC
   // External IPs route through the primary interface, so only its IP stack matters
   const compatibleVersions = useMemo(() => getCompatibleVersionsFromNics(nics), [nics])
@@ -466,11 +477,14 @@ export default function NetworkingTab() {
       }
 
       const doDetach = match(externalIp)
-        .with(
-          { kind: 'ephemeral' },
-          () => () =>
-            ephemeralIpDetach({ path: { instance: instanceName }, query: { project } })
-        )
+        .with({ kind: 'ephemeral' }, () => () => {
+          const parsed = parseIp(externalIp.ip)
+          const ipVersion = parsed.type === 'error' ? undefined : parsed.type
+          return ephemeralIpDetach({
+            path: { instance: instanceName },
+            query: { project, ipVersion },
+          })
+        })
         .with(
           { kind: 'floating' },
           ({ name }) =>
@@ -517,12 +531,17 @@ export default function NetworkingTab() {
     getCoreRowModel: getCoreRowModel(),
   })
 
-  const ephemeralDisabledReason =
-    nics.length === 0
-      ? 'Instance has no network interfaces'
-      : eips.items.some((ip) => ip.kind === 'ephemeral')
-        ? 'Instance already has an ephemeral IP'
-        : null
+  const attachedEphemeralIps = useMemo(
+    () => eips.items.filter((ip) => ip.kind === 'ephemeral'),
+    [eips]
+  )
+  const {
+    availableVersions: ephemeralAvailableVersions,
+    disabledReason: ephemeralDisabledReason,
+  } = useMemo(
+    () => getEphemeralIpSlots(compatibleVersions, attachedEphemeralIps, unicastPools),
+    [compatibleVersions, attachedEphemeralIps, unicastPools]
+  )
 
   const floatingDisabledReason =
     eips.items.filter((ip) => ip.kind === 'floating').length >= 32
@@ -574,7 +593,10 @@ export default function NetworkingTab() {
         </CardBlock.Body>
 
         {attachEphemeralModalOpen && (
-          <AttachEphemeralIpModal onDismiss={() => setAttachEphemeralModalOpen(false)} />
+          <AttachEphemeralIpModal
+            availableVersions={ephemeralAvailableVersions}
+            onDismiss={() => setAttachEphemeralModalOpen(false)}
+          />
         )}
         {attachFloatingModalOpen && (
           <AttachFloatingIpModal

diff --git a/app/util/ip.spec.ts b/app/util/ip.spec.ts
@@ -6,9 +6,152 @@
  * Copyright Oxide Computer Company
  */
 
-import { expect, test } from 'vitest'
+import { describe, expect, test } from 'vitest'
 
-import { parseIp, parseIpNet } from './ip'
+import type { ExternalIp, IpVersion, UnicastIpPool } from '~/api'
+
+import { getEphemeralIpSlots, parseIp, parseIpNet } from './ip'
+
+const makePool = (ipVersion: IpVersion, name = `pool-${ipVersion}`): UnicastIpPool => ({
+  id: `id-${name}`,
+  name,
+  description: '',
+  ipVersion,
+  isDefault: false,
+  poolType: 'unicast',
+  timeCreated: new Date(),
+  timeModified: new Date(),
+})
+
+const v4Pool = makePool('v4')
+const v6Pool = makePool('v6')
+
+const v4Ephemeral: ExternalIp = { ip: '10.0.0.1', ipPoolId: 'p1', kind: 'ephemeral' }
+const v6Ephemeral: ExternalIp = { ip: 'fd00::1', ipPoolId: 'p2', kind: 'ephemeral' }
+
+describe('getEphemeralIpSlots', () => {
+  test('no NICs', () => {
+    expect(getEphemeralIpSlots([], [], [v4Pool, v6Pool])).toEqual({
+      availableVersions: [],
+      disabledReason: 'Instance has no network interfaces',
+    })
+  })
+
+  test('v4-only, no attached ephemeral', () => {
+    expect(getEphemeralIpSlots(['v4'], [], [v4Pool])).toEqual({
+      availableVersions: ['v4'],
+      disabledReason: null,
+    })
+  })
+
+  test('v4-only, v4 attached', () => {
+    expect(getEphemeralIpSlots(['v4'], [v4Ephemeral], [v4Pool])).toEqual({
+      availableVersions: [],
+      disabledReason: 'Instance already has an ephemeral IP',
+    })
+  })
+
+  test('v6-only, no attached ephemeral', () => {
+    expect(getEphemeralIpSlots(['v6'], [], [v6Pool])).toEqual({
+      availableVersions: ['v6'],
+      disabledReason: null,
+    })
+  })
+
+  test('v6-only, v6 attached', () => {
+    expect(getEphemeralIpSlots(['v6'], [v6Ephemeral], [v6Pool])).toEqual({
+      availableVersions: [],
+      disabledReason: 'Instance already has an ephemeral IP',
+    })
+  })
+
+  test('dual-stack, no attached', () => {
+    expect(getEphemeralIpSlots(['v4', 'v6'], [], [v4Pool, v6Pool])).toEqual({
+      availableVersions: ['v4', 'v6'],
+      disabledReason: null,
+    })
+  })
+
+  test('dual-stack, v4 attached, v6 pools available', () => {
+    expect(getEphemeralIpSlots(['v4', 'v6'], [v4Ephemeral], [v4Pool, v6Pool])).toEqual({
+      availableVersions: ['v6'],
+      disabledReason: null,
+    })
+  })
+
+  test('dual-stack, v6 attached, v4 pools available', () => {
+    expect(getEphemeralIpSlots(['v4', 'v6'], [v6Ephemeral], [v4Pool, v6Pool])).toEqual({
+      availableVersions: ['v4'],
+      disabledReason: null,
+    })
+  })
+
+  test('dual-stack, both attached', () => {
+    expect(
+      getEphemeralIpSlots(['v4', 'v6'], [v4Ephemeral, v6Ephemeral], [v4Pool, v6Pool])
+    ).toEqual({
+      availableVersions: [],
+      disabledReason: 'Instance already has ephemeral IPs for all supported address types',
+    })
+  })
+
+  test('dual-stack, no attached, only v4 pools available', () => {
+    expect(getEphemeralIpSlots(['v4', 'v6'], [], [v4Pool])).toEqual({
+      availableVersions: ['v4'],
+      disabledReason: null,
+    })
+  })
+
+  test('dual-stack, no attached, only v6 pools available', () => {
+    expect(getEphemeralIpSlots(['v4', 'v6'], [], [v6Pool])).toEqual({
+      availableVersions: ['v6'],
+      disabledReason: null,
+    })
+  })
+
+  test('dual-stack, v4 attached, no v6 pools', () => {
+    expect(getEphemeralIpSlots(['v4', 'v6'], [v4Ephemeral], [v4Pool])).toEqual({
+      availableVersions: [],
+      disabledReason: 'No V6 pools available for ephemeral IPs',
+    })
+  })
+
+  test('dual-stack, v6 attached, no v4 pools', () => {
+    expect(getEphemeralIpSlots(['v4', 'v6'], [v6Ephemeral], [v6Pool])).toEqual({
+      availableVersions: [],
+      disabledReason: 'No V4 pools available for ephemeral IPs',
+    })
+  })
+
+  test('dual-stack, no attached, no pools at all', () => {
+    expect(getEphemeralIpSlots(['v4', 'v6'], [], [])).toEqual({
+      availableVersions: [],
+      disabledReason: 'No V4/V6 pools available for ephemeral IPs',
+    })
+  })
+
+  test('v4-only, no pools available', () => {
+    expect(getEphemeralIpSlots(['v4'], [], [v6Pool])).toEqual({
+      availableVersions: [],
+      disabledReason: 'No V4 pools available for ephemeral IPs',
+    })
+  })
+
+  test('v4-only, v6 attached (ignored)', () => {
+    expect(getEphemeralIpSlots(['v4'], [v6Ephemeral], [v4Pool])).toEqual({
+      availableVersions: ['v4'],
+      disabledReason: null,
+    })
+  })
+
+  test('dual-stack, invalid attached IP is ignored', () => {
+    const invalidIp: ExternalIp = { ip: 'not-an-ip', ipPoolId: 'p3', kind: 'ephemeral' }
+    expect(getEphemeralIpSlots(['v4', 'v6'], [invalidIp], [v4Pool, v6Pool])).toEqual({
+      availableVersions: ['v4', 'v6'],
+      disabledReason: null,
+    })
+  })
+})
 
 // Small Rust project where we validate that the built-in Ipv4Addr and Ipv6Addr
 // and oxnet's Ipv4Net and Ipv6Net have the same validation behavior as our code.