Enable private services access

This page shows you how to create the Virtual Private Cloud (VPC) IP address ranges that AlloyDB for PostgreSQL requires for private services access. For an overview of how AlloyDB uses private services access to let its internal resources communicate with each other, see About private services access.

To create a private services access configuration in a Virtual Private Cloud (VPC) network that resides in the same Google Cloud project as your AlloyDB cluster, you perform two operations:

Create an allocated IP address range in the VPC network.
Create a private connection between the VPC network and the underlying Google Cloud VPC network. You can also configure private services access to connect your AlloyDB cluster to resources residing in a separate Google Cloud project. To do this, you must merge the two projects' VPC networks using Shared VPC.

Before you begin

The Google Cloud project you are using must have been enabled to access AlloyDB.
You must have one of these IAM roles in the Google Cloud project you are using:
- roles/alloydb.admin (the AlloyDB Admin predefined IAM role)
- roles/owner (the Owner basic IAM role)
- roles/editor (the Editor basic IAM role)
If you don't have any of these roles, contact your Organization Administrator to request access.
To create a private services access configuration, you also must have these IAM permissions:
- compute.networks.list
- compute.addresses.create
- compute.addresses.list
- servicenetworking.services.addPeering

Procedure

Console

Go to the VPC networks page.

Go to VPC networks
Select the project where AlloyDB and the VPC network reside.
Click the name of VPC network that you want to use for private services access.
On the VPC network details page, scroll through the list of tabs to the Private service connection tab and then click it.
In the Private service connection tab, click the Allocated IP ranges for services tab.
Click Allocate IP range.
In the Name and Description fields, enter a name and a description for the allocated range.
Specify an IP range value for the allocation:
- To specify an IP address range, click Custom, and then enter a CIDR block, such as 192.168.0.0/16.
  
  To provide sufficient address space for AlloyDB, we recommend a prefix length of 16 or less.
- To specify a prefix length and let Google select an available range, follow these steps:
  1. Click Automatic.
  2. Enter a prefix length as a plain number, such as 16.
Click Allocate to create the allocated range.
In the Private service connection tab, click the Private connections to services tab.
Click Create connection to create a private connection between your network and a service producer.
Make sure that Google Cloud Platform is the Connected service producer.
For the Assigned allocation, select the allocated IP range you created earlier.
Click Connect to create the connection.

gcloud

To use the gcloud CLI, you can install and initialize the Google Cloud CLI, or you can use Cloud Shell.

Use the gcloud config set command to set the default project to the one where AlloyDB and the VPC network reside.
```
gcloud config set project PROJECT_ID
```
Replace PROJECT_ID with the ID of the project where AlloyDB and the VPC network reside.
Use the gcloud compute addresses create command to create an allocated IP address range.

To provide sufficient address space for AlloyDB, we recommend a prefix length of 16 or less.
- To specify an address range and a prefix length (subnet mask), use the --addresses and --prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/16, specify 192.168.0.0 for the address and 16 for the prefix length.
```
    gcloud compute addresses create RESERVED_RANGE_NAME \
        --global \
        --purpose=VPC_PEERING \
        --addresses=192.168.0.0 \
        --prefix-length=16 \
        --description="DESCRIPTION" \
        --network=VPC_NETWORK
```
  Replace the following:
  - RESERVED_RANGE_NAME: a name for the allocated range, such as my-allocated-range
  - DESCRIPTION: a description for the range, such as allocated for my-service
  - VPC_NETWORK: the name of your VPC network, such as my-vpc-network
- To specify only a prefix length (subnet mask), use the --prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network.
  
  The following example selects an unused IP address range with a 16 bit prefix length:
```
    gcloud compute addresses create RESERVED_RANGE_NAME \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=16 \
        --description="DESCRIPTION" \
        --network=VPC_NETWORK
```
The following example creates a private connection to Google so that the VM instances in the default VPC network can use private services access to reach Google services that support it.
```
    gcloud compute addresses create google-managed-services-default \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=16 \
        --description="peering range for Google" \
        --network=default
```
Use the gcloud services vpc-peerings connect command to create a private connection.
```
    gcloud services vpc-peerings connect \
        --service=servicenetworking.googleapis.com \
        --ranges=RESERVED_RANGE_NAME \
        --network=VPC_NETWORK
```
Replace the following:
- RESERVED_RANGE_NAME: the name of the allocated IP address range you created
- VPC_NETWORK: the name of your VPC network
The command initiates a long-running operation, returning an operation name.
Check whether the operation was successful.
```
    gcloud services vpc-peerings operations describe
    --name=OPERATION_NAME
```
Replace OPERATION_NAME with the operation name that was returned from the previous step.

What's Next

Create a cluster and its primary instance.