This page describes how to configure network connectivity to AlloyDB.
About network connectivity
AlloyDB supports network connectivity through private, internal IP addresses configured for private services access.
Private services access is implemented as a VPC peering connection between your VPC network and the underlying Google Cloud VPC network where your AlloyDB resources (clusters and instances) reside. The private connection enables resources in your VPC network to communicate with the AlloyDB resources they access exclusively by using internal IP addresses. The resources in your VPC network don't need Internet access or external IP addresses to reach AlloyDB resources.
Several Google Cloud services support connectivity through the private services access feature. These services and AlloyDB all use the same internal IP address pool to provide access to their resources residing in the underlying Google Cloud VPC network.
Sizing the IP address range for private services access
AlloyDB uses a different subnet in each region containing AlloyDB clusters or instances. Therefore, you need to make sure you allocate an IP address range big enough to accommodate AlloyDB resources in all the regions where you plan to create them.
In each region, AlloyDB uses a subnet with a 24 bit prefix length (subnet mask). However, if you allocate an IP address range subnet with a 24 bit prefix length, such a range would permit you to create AlloyDB resources in only one region.
Google recommends that you allocate an IP address range with a 20 bit prefix length for AlloyDB so that you can create clusters and instances in several different regions.
When creating a private services access configuration, make sure to include the address space requirements of AlloyDB together with any other Google Cloud services you intend to use with private services access when determining the prefix length to use for the initial IP address range.
As your use of AlloyDB grows to encompass more regions, AlloyDB might encounter an error when trying to create subnet in a new region due to a shortage of IP address space. If this happens, increase the AlloyDB IP address space to remedy the shortage.
Connectivity limitations
Google reserves the IP range 172.17.0.0/16
for internal use, making
this range unavailable for AlloyDB connections.
You can't connect to AlloyDB instances from virtual machine (VM) instances or other resources whose IP addresses are within the range
172.17.0.0/16
.When setting up private services access, avoid allocating an IP address range that overlaps with
172.17.0.0/16
.
Supported private services access configurations
AlloyDB can use private services access configurations in VPC networks that reside in the same project as AlloyDB or that reside in other projects.
Using a VPC network in the same project as AlloyDB
How you configure AlloyDB connectivity using a VPC network that resides in the same Google Cloud project as AlloyDB depends on whether a private services access configuration already exists in the VPC network.
If the VPC network does not already have private services access configured, create a private services access configuration.
If the VPC network already has an existing private services access configuration, make sure the configuration has sufficient IP address space for AlloyDB and increase the address space if necessary.
Using a VPC network in another project
To configure AlloyDB connectivity using a VPC network that resides in a different Google Cloud project from AlloyDB, you need to configure the project where the VPC network resides for Shared VPC, with it as the host project and the project where AlloyDB resides as a service project.
Then, you need to make sure the VPC network's private services access configuration has sufficient IP address space for AlloyDB and increase the address space if necessary.
Finally, you need to configure users who can create AlloyDB resources as Service Project Admins with access to the appropriate allocated IP address ranges in the private services access configuration.
For more information about shared VPC, see Shared VPC overview and Provisioning Shared VPC.
Create a private services access configuration
To create a private services access configuration in a VPC network that resides in the same Google Cloud project as AlloyDB, you perform two operations:
- Create an allocated IP address range in the VPC network.
- Create a private connection between the VPC network and the underlying Google Cloud VPC network.
Before you begin
- The Google Cloud project you are using must have been enabled to access AlloyDB.
- You must have one of these IAM roles in the Google Cloud project you are using:
roles/alloydb.admin
(the AlloyDB Admin predefined IAM role)roles/owner
(the Owner basic IAM role)roles/editor
(the Editor basic IAM role)
If you don't have any of these roles, contact your Organization Administrator to request access.
- To create a private services access configuration, you also must have these
IAM permissions:
compute.networks.list
compute.addresses.create
compute.addresses.list
servicenetworking.services.addPeering
Procedure
Console
Go to the VPC networks page in the Google Cloud console.
Select the project where AlloyDB and the VPC network reside.
Click the name of VPC network that you want to use for private services access.
On the VPC network details page, scroll through the list of tabs to the Private service connection tab and then click it.
In the Private service connection tab, click the Allocated IP ranges for services tab.
Click Allocate IP range.
In the Name and Description fields, enter a name and a description for the allocated range.
Specify an IP range value for the allocation:
To specify an IP address range, click Custom and then enter a CIDR block, such as
192.168.0.0/16
.To provide sufficient address space for AlloyDB, specify a prefix length of 16 or less.
To specify a prefix length and let Google select an available range, click Automatic and then enter a prefix length, such as
16
.
Click Allocate to create the allocated range.
In the Private service connection tab, click the Private connections to services tab.
Click Create connection to create a private connection between your network and a service producer.
Make sure that Google Cloud Platform is the Connected service producer.
For the Assigned allocation, select the allocated IP range you created earlier.
Click Connect to create the connection.
gcloud
To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.
Use the
gcloud config set project
command to set the default project to the one where AlloyDB and the VPC network reside.gcloud config set project PROJECT_ID
Where
PROJECT_ID
is the ID of the project where AlloyDB and the VPC network reside.Use the
compute addresses create
command to create an allocated IP address range.To provide sufficient address space for AlloyDB, specify a prefix length of 16 or less.
To specify an address range and a prefix length (subnet mask), use the
addresses
andprefix-length
flags. For example, to allocate the CIDR block192.168.0.0/16
, specify192.168.0.0
for the address and16
for the prefix length.gcloud compute addresses create RESERVED_RANGE_NAME \ --global \ --purpose=VPC_PEERING \ --addresses=192.168.0.0 \ --prefix-length=16 \ --description="DESCRIPTION" \ --network=VPC_NETWORK
To specify just a prefix length (subnet mask), just use the
prefix-length
flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a16
bit prefix length.gcloud compute addresses create RESERVED_RANGE_NAME \ --global \ --purpose=VPC_PEERING \ --prefix-length=16 \ --description="DESCRIPTION" \ --network=VPC_NETWORK
Replace the following placeholders with relevant values:
RESERVED_RANGE_NAME
: a name for the allocated range, such asmy-allocated-range
.DESCRIPTION
: a description for the range, such asallocated for my-service
.VPC_NETWORK
: the name of your VPC network, such asmy-vpc-network
.
The following example creates a private connection to Google so that the VM instances in the
default
VPC network can use private services access to reach Google services that support it.gcloud compute addresses create google-managed-services-default \ --global \ --purpose=VPC_PEERING \ --prefix-length=16 \ --description="peering range for Google" \ --network=default
Use the
services vpc-peerings connect
command to create a private connection.gcloud services vpc-peerings connect \ --service=servicenetworking.googleapis.com \ --ranges=RESERVED_RANGE_NAME \ --network=VPC_NETWORK
Replace the following placeholders with relevant values:
RESERVED_RANGE_NAME
: the name of the allocated IP address range you created.VPC_NETWORK
: the name of your VPC network.
The command initiates a long-running operation, returning an operation name.
Check whether the operation was successful.
gcloud services vpc-peerings operations describe \ --name=OPERATION_NAME
Replace
OPERATION_NAME
with the operation name that was returned from the previous step.