Configure connectivity to AlloyDB

This page describes how to configure network connectivity to AlloyDB.

About network connectivity

AlloyDB supports network connectivity through private, internal IP addresses configured for private services access.

Private services access is implemented as a VPC peering connection between your VPC network and the underlying Google Cloud VPC network where your AlloyDB resources (clusters and instances) reside. The private connection enables resources in your VPC network to communicate with the AlloyDB resources they access exclusively by using internal IP addresses. The resources in your VPC network don't need Internet access or external IP addresses to reach AlloyDB resources.

Several Google Cloud services support connectivity through the private services access feature. These services and AlloyDB all use the same internal IP address pool to provide access to their resources residing in the underlying Google Cloud VPC network.

Sizing the IP address range for private services access

AlloyDB uses a different subnet in each region containing AlloyDB clusters or instances. Therefore, you need to make sure you allocate an IP address range big enough to accommodate AlloyDB resources in all the regions where you plan to create them.

In each region, AlloyDB uses a subnet with a 24 bit prefix length (subnet mask). However, if you allocate an IP address range subnet with a 24 bit prefix length, such a range would permit you to create AlloyDB resources in only one region.

Google recommends that you allocate an IP address range with a 20 bit prefix length for AlloyDB so that you can create clusters and instances in several different regions.

When creating a private services access configuration, make sure to include the address space requirements of AlloyDB together with any other Google Cloud services you intend to use with private services access when determining the prefix length to use for the initial IP address range.

As your use of AlloyDB grows to encompass more regions, AlloyDB might encounter an error when trying to create subnet in a new region due to a shortage of IP address space. If this happens, increase the AlloyDB IP address space to remedy the shortage.

Connectivity limitations

Google reserves the IP range 172.17.0.0/16 for internal use, making this range unavailable for AlloyDB connections.

You can't connect to AlloyDB instances from virtual machine (VM) instances or other resources whose IP addresses are within the range 172.17.0.0/16.
When setting up private services access, avoid allocating an IP address range that overlaps with 172.17.0.0/16.

Supported private services access configurations

AlloyDB can use private services access configurations in VPC networks that reside in the same project as AlloyDB or that reside in other projects.

Using a VPC network in the same project as AlloyDB

How you configure AlloyDB connectivity using a VPC network that resides in the same Google Cloud project as AlloyDB depends on whether a private services access configuration already exists in the VPC network.
- If the VPC network does not already have private services access configured, create a private services access configuration.
- If the VPC network already has an existing private services access configuration, make sure the configuration has sufficient IP address space for AlloyDB and increase the address space if necessary.
Using a VPC network in another project

To configure AlloyDB connectivity using a VPC network that resides in a different Google Cloud project from AlloyDB, you need to configure the project where the VPC network resides for Shared VPC, with it as the host project and the project where AlloyDB resides as a service project.

Then, you need to make sure the VPC network's private services access configuration has sufficient IP address space for AlloyDB and increase the address space if necessary.

Finally, you need to configure users who can create AlloyDB resources as Service Project Admins with access to the appropriate allocated IP address ranges in the private services access configuration.

For more information about shared VPC, see Shared VPC overview and Provisioning Shared VPC.

Create a private services access configuration

To create a private services access configuration in a VPC network that resides in the same Google Cloud project as AlloyDB, you perform two operations:

Create an allocated IP address range in the VPC network.
Create a private connection between the VPC network and the underlying Google Cloud VPC network.

Before you begin

The Google Cloud project you are using must have been enabled to access AlloyDB.
You must have one of these IAM roles in the Google Cloud project you are using:
- roles/alloydb.admin (the AlloyDB Admin predefined IAM role)
- roles/owner (the Owner basic IAM role)
- roles/editor (the Editor basic IAM role)
If you don't have any of these roles, contact your Organization Administrator to request access.
To create a private services access configuration, you also must have these IAM permissions:
- compute.networks.list
- compute.addresses.create
- compute.addresses.list
- servicenetworking.services.addPeering

Procedure

Console

Go to the VPC networks page in the Google Cloud console.

Go to the VPC networks page
Select the project where AlloyDB and the VPC network reside.
Click the name of VPC network that you want to use for private services access.
On the VPC network details page, scroll through the list of tabs to the Private service connection tab and then click it.
In the Private service connection tab, click the Allocated IP ranges for services tab.
Click Allocate IP range.
In the Name and Description fields, enter a name and a description for the allocated range.
Specify an IP range value for the allocation:
- To specify an IP address range, click Custom and then enter a CIDR block, such as 192.168.0.0/16.
  
  To provide sufficient address space for AlloyDB, specify a prefix length of 16 or less.
  
  Warning: Google reserves the IP range 172.17.0.0/16 for internal use. The IP range that you allocate in this step must not overlap with this reserved range.
- To specify a prefix length and let Google select an available range, click Automatic and then enter a prefix length, such as 16.
Click Allocate to create the allocated range.
In the Private service connection tab, click the Private connections to services tab.
Click Create connection to create a private connection between your network and a service producer.
Make sure that Google Cloud Platform is the Connected service producer.
For the Assigned allocation, select the allocated IP range you created earlier.
Click Connect to create the connection.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud config set project command to set the default project to the one where AlloyDB and the VPC network reside.
```
gcloud config set project PROJECT_ID
```
Where PROJECT_ID is the ID of the project where AlloyDB and the VPC network reside.
Use the compute addresses create command to create an allocated IP address range.

To provide sufficient address space for AlloyDB, specify a prefix length of 16 or less.
- To specify an address range and a prefix length (subnet mask), use the addresses and prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/16, specify 192.168.0.0 for the address and 16 for the prefix length.
  
  Warning: Google reserves the IP range 172.17.0.0/16 for internal use. The IP range that you allocate in this step must not overlap with this reserved range.
```
gcloud compute addresses create RESERVED_RANGE_NAME \
    --global \
    --purpose=VPC_PEERING \
    --addresses=192.168.0.0 \
    --prefix-length=16 \
    --description="DESCRIPTION" \
    --network=VPC_NETWORK
```
- To specify just a prefix length (subnet mask), just use the prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a 16 bit prefix length.
```
gcloud compute addresses create RESERVED_RANGE_NAME \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --description="DESCRIPTION" \
    --network=VPC_NETWORK
```
Replace the following placeholders with relevant values:
- RESERVED_RANGE_NAME: a name for the allocated range, such as my-allocated-range.
- DESCRIPTION: a description for the range, such as allocated for my-service.
- VPC_NETWORK: the name of your VPC network, such as my-vpc-network.
The following example creates a private connection to Google so that the VM instances in the default VPC network can use private services access to reach Google services that support it.
```
gcloud compute addresses create google-managed-services-default \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --description="peering range for Google" \
    --network=default
```
Use the services vpc-peerings connect command to create a private connection.
```
gcloud services vpc-peerings connect \
    --service=servicenetworking.googleapis.com \
    --ranges=RESERVED_RANGE_NAME \
    --network=VPC_NETWORK
```
Replace the following placeholders with relevant values:
- RESERVED_RANGE_NAME: the name of the allocated IP address range you created.
- VPC_NETWORK: the name of your VPC network.
The command initiates a long-running operation, returning an operation name.
Check whether the operation was successful.
```
gcloud services vpc-peerings operations describe \
    --name=OPERATION_NAME
```
Replace OPERATION_NAME with the operation name that was returned from the previous step.