El 15 de septiembre del 2026, todos los entornos de Cloud Composer 1 y Cloud Composer 2 versión 2.0.x alcanzarán el final de su ciclo de vida previsto y no podrás usarlos. Te recomendamos que planifiques la migración a Cloud Composer 3.
El enmascaramiento de IP es una forma de traducción de dirección de red (NAT) que sirve para realizar traducciones de direcciones IP de muchos a uno. Esto permite que varios clientes accedan a un destino desde una sola dirección IP.
Cloud Composer ejecuta tus cargas de trabajo en GKE. Para que funcione correctamente, requiere intervalos de IP para los nodos (máquinas virtuales), así como pods y servicios de GKE. Cuando los DAGs y las tareas de Airflow se comunican con otros servicios, utilizan IPs de pods. Estos intervalos de IPs de pods deben poder enrutarse hacia y desde cualquier destino con el que interactúen las tareas.
Con el agente IP Masquerade, tienes la opción de traducir las direcciones IP de los pods a direcciones IP de los nodos, de forma que los destinos y los servicios a los que se dirigen los DAGs y las tareas de Airflow solo reciban paquetes de las direcciones IP de los nodos en lugar de las direcciones IP de los pods. Esto resulta útil en entornos en los que solo se espera recibir paquetes de direcciones IP de nodos o en los que los intervalos de IP de pods no se pueden enrutar fuera del clúster.
Además, puedes usar el agente de enmascaramiento de IP para guardar intervalos de red en tu configuración de red. Por ejemplo, puedes usar un intervalo de red independiente para los pods del clúster de tu entorno y enmascarar este tráfico para que parezca que procede del intervalo de direcciones IP del nodo. De esta forma, ahorras espacio de direcciones IP en un intervalo usando direcciones IP de otro intervalo para los pods del clúster de tu entorno.
Por ejemplo:
Usas el intervalo 10.0.0.0/8 para las VMs y solo este intervalo está permitido por tus reglas de cortafuegos.
Para guardar los intervalos de red, utiliza otro intervalo (por ejemplo, 192.168.0.0/16) para los pods del clúster de tu entorno.
Para poder conectarse a cualquier servicio desde un pod (trabajador de Airflow), es necesario el enmascaramiento de IP. De lo contrario, el servicio recibe tráfico de 192.168.0.0/16 y lo rechaza debido a una regla de cortafuegos. Con el agente de enmascaramiento de IP habilitado y configurado, el servicio recibe solicitudes de 10.0.0.0/8, que se aceptan.
Antes de empezar
No es posible habilitar el agente de enmascaramiento de IP en la consola de Google Cloud .
Habilitar el agente de enmascaramiento de IP en un entorno
No es posible habilitar el agente de enmascaramiento de IP en un entorno que ya existe.
Habilitar el agente de enmascaramiento de IP al crear un entorno
Puedes habilitar el agente de enmascaramiento de IP al crear un entorno.
Para obtener más información sobre cómo crear entornos de Cloud Composer, consulta el artículo Crear un entorno.
Consola
No es posible habilitar el agente de enmascaramiento de IP en la consola de Google Cloud .
gcloud
Cuando creas un entorno, el argumento --enable-ip-masq-agent habilita el agente de enmascaramiento de IP.
También debe habilitar el alias de IP con el argumento --enable-ip-alias.
LOCATION con la región en la que se encuentra el entorno.
ENVIRONMENT_NAME con el nombre del entorno.
Ejemplo:
// POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments{"name":"projects/example-project/locations/us-central1/environments/example-environment","config":{"softwareConfig":{"imageVersion":"composer-1.20.12-airflow-1.10.15"},"nodeConfig":{"ipAllocationPolicy":{"useIpAliases":true,},"enableIpMasqAgent":true}}}
Terraform
Cuando creas un entorno, el campo enable_ip_masq_agent
del bloque node_config habilita el agente de enmascaramiento de IP.
También debe habilitar el alias de IP con el campo use_ip_aliases en el bloque ip_allocation_policy.
resource"google_composer_environment""example_environment"{provider=google-betaname="ENVIRONMENT_NAME"region="LOCATION"config{software_config{image_version="composer-1.20.12-airflow-1.10.15"}node_config{ip_allocation_policy=[{use_ip_aliases=true // Other networking configuration}]enable_ip_masq_agent=true}}
Sustituye:
ENVIRONMENT_NAME con el nombre del entorno.
LOCATION con la región en la que se encuentra el entorno.
Ejemplo:
resource"google_composer_environment""example_environment"{provider=google-betaname="example-environment"region="us-central1"config{software_config{image_version="composer-1.20.12-airflow-1.10.15"}node_config{ip_allocation_policy=[{use_ip_aliases=true // Other networking configuration}]enable_ip_masq_agent=true}}}
[[["Es fácil de entender","easyToUnderstand","thumb-up"],["Me ofreció una solución al problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Es difícil de entender","hardToUnderstand","thumb-down"],["La información o el código de muestra no son correctos","incorrectInformationOrSampleCode","thumb-down"],["Me faltan las muestras o la información que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-08-29 (UTC)."],[[["\u003cp\u003eThe IP Masquerade agent in Cloud Composer allows translating Pod IP addresses to node IP addresses, enabling communication with external services using the environment's cluster IP addresses.\u003c/p\u003e\n"],["\u003cp\u003eEnabling the IP Masquerade agent is recommended if your project faces IP address shortages, as it performs many-to-one IP address translations, conserving IP address space.\u003c/p\u003e\n"],["\u003cp\u003eThe IP Masquerade agent must be enabled during environment creation, as it cannot be enabled for existing environments.\u003c/p\u003e\n"],["\u003cp\u003eEnabling the IP Masquerade agent requires also enabling IP alias using the \u003ccode\u003egcloud\u003c/code\u003e, \u003ccode\u003eAPI\u003c/code\u003e, or \u003ccode\u003eTerraform\u003c/code\u003e methods.\u003c/p\u003e\n"],["\u003cp\u003eWhen configuring the IP Masquerade agent, you must include at least the cluster's node and Pod IP address ranges as non-masquerade destinations, due to Cloud Composer's use of intranode visibility on GKE clusters.\u003c/p\u003e\n"]]],[],null,["# Enable the IP Masquerade agent in Cloud Composer environments\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n[Cloud Composer 3](/composer/docs/composer-3/change-networking-type#comparison \"View this page for Cloud Composer 3\") \\| [Cloud Composer 2](/composer/docs/composer-2/enable-ip-masquerade-agent \"View this page for Cloud Composer 2\") \\| **Cloud Composer 1**\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page describes how to enable the IP Masquerade agent for your environment.\n| **Important:** Consider using the IP Masquerade agent if your project is impacted by the shortage of IP addresses. By enabling the IP Masquerade agent, you can use your environment's cluster IP addresses to communicate with external services.\n\nAbout the IP Masquerade agent in Cloud Composer\n-----------------------------------------------\n\nCloud Composer supports\nthe [IP Masquerade agent](/kubernetes-engine/docs/how-to/ip-masquerade-agent) for your environments.\n\n*IP masquerading* is a form of network address translation (NAT) used to\nperform many-to-one IP address translations. This allows multiple clients to\naccess a destination from a single IP address.\n\nCloud Composer runs your workloads on GKE. For\ncorrect function, it requires IP ranges for nodes (VMs) as well as\nGKE Pods and Services. When Airflow DAGs and tasks\ncommunicate with other services, they use Pod IPs and these Pod IP ranges need\nto be routable to and from any destinations that the tasks interact with.\n\nWith the IP Masquerade agent, you have the option to translate Pod IP\naddresses to node IP addresses, so that destinations and services targeted\nfrom Airflow DAGs and tasks only receive packets from node IP addresses\ninstead of Pod IP addresses. This is useful in environments that expect to\nonly receive packets from node IP addresses or where Pod IP ranges are not\nroutable outside of the cluster.\n\nIn addition, you can use the IP Masquerade agent to save network ranges in\nyour networking configuration. For example, you can use a separate network\nrange for Pods inside your environment's cluster and masquerade this traffic\nas coming from the node IP address range. In this way, you save IP address\nspace in one range by using IP addresses from a different range for Pods in\nyour environment's cluster.\n\nFor example:\n\n1. You use the `10.0.0.0/8` range for VMs and only this range is allowed by\n your firewall rules.\n\n2. To save network ranges, you use a different range (for example,\n `192.168.0.0/16`) for Pods in your environment's cluster.\n\n3. To be able to connect to any service from a Pod (Airflow worker), IP\n masquerading is needed; otherwise the service receives traffic from\n `192.168.0.0/16` and drops it because of a firewall rule. With the IP\n Masquerade agent enabled and configured, the service gets requests from\n `10.0.0.0/8`, which are accepted.\n\nBefore you begin\n----------------\n\n- It is not possible to enable the IP Masquerade agent in Google Cloud console.\n\nEnable the IP Masquerade agent for an existing environment\n----------------------------------------------------------\n\nIt is not possible to enable the IP Masquerade agent for an existing\nenvironment.\n\nEnable the IP Masquerade agent when creating an environment\n-----------------------------------------------------------\n\nYou can enable the IP Masquerade agent when you create an environment.\n\nFor more information about creating Cloud Composer environments,\nsee [Create environment](/composer/docs/composer-1/create-environments). \n\n### Console\n\nIt is not possible to enable the IP Masquerade agent in Google Cloud console.\n\n### gcloud\n\nWhen you create an environment, the `--enable-ip-masq-agent` argument\nenables the IP Masqerade agent.\n\nYou must also enable IP alias with the `--enable-ip-alias` argument. \n\n gcloud composer environments create \u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e \\\n --image-version composer-1.20.12-airflow-1.10.15 \\\n --enable-ip-alias \\\n --enable-ip-masq-agent\n\nReplace:\n\n- `ENVIRONMENT_NAME` with the name of the environment.\n- `LOCATION` with the region where the environment is located.\n\nExample: \n\n gcloud composer environments create example-environment \\\n --location us-central1 \\\n --image-version composer-1.20.12-airflow-1.10.15 \\\n --enable-ip-alias \\\n --enable-ip-masq-agent\n\n### API\n\nConstruct an [`environments.create`](/composer/docs/reference/rest/v1/projects.locations.environments/create) API request.\nSpecify the configuration in the [`Environment`](/composer/docs/reference/rest/v1/projects.locations.environments#Environment)\nresource. \n\n {\n \"name\": \"projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e/environments/\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e\",\n \"config\": {\n \"softwareConfig\": {\n \"imageVersion\": \"composer-1.20.12-airflow-1.10.15\"\n },\n \"nodeConfig\": {\n \"ipAllocationPolicy\": {\n \"useIpAliases\": true,\n },\n \"enableIpMasqAgent\": true\n }\n }\n }\n\nReplace:\n\n- `PROJECT_ID` with the [Project ID](/resource-manager/docs/creating-managing-projects).\n- `LOCATION` with the region where the environment is located.\n- `ENVIRONMENT_NAME` with the environment name.\n\nExample: \n\n // POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments\n\n {\n \"name\": \"projects/example-project/locations/us-central1/environments/example-environment\",\n \"config\": {\n \"softwareConfig\": {\n \"imageVersion\": \"composer-1.20.12-airflow-1.10.15\"\n },\n \"nodeConfig\": {\n \"ipAllocationPolicy\": {\n \"useIpAliases\": true,\n },\n \"enableIpMasqAgent\": true\n }\n }\n }\n\n### Terraform\n\nWhen you create an environment, the `enable_ip_masq_agent`\nfield in the `node_config` block enables the IP Masqerade agent.\n\nYou must also enable IP alias with the `use_ip_aliases` field in the\n`ip_allocation_policy` block. \n\n resource \"google_composer_environment\" \"example_environment\" {\n provider = google-beta\n name = \"\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e\"\n region = \"\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n\n config {\n software_config {\n image_version = \"composer-1.20.12-airflow-1.10.15\"\n }\n node_config {\n ip_allocation_policy = [{\n use_ip_aliases = true\n // Other networking configuration\n }]\n enable_ip_masq_agent = true\n }\n }\n\nReplace:\n\n- `ENVIRONMENT_NAME` with the name of the environment.\n- `LOCATION` with the region where the environment is located.\n\nExample: \n\n resource \"google_composer_environment\" \"example_environment\" {\n provider = google-beta\n name = \"example-environment\"\n region = \"us-central1\"\n\n config {\n software_config {\n image_version = \"composer-1.20.12-airflow-1.10.15\"\n }\n node_config {\n ip_allocation_policy = [{\n use_ip_aliases = true\n // Other networking configuration\n }]\n enable_ip_masq_agent = true\n }\n }\n }\n\nConfigure the IP Masquerade agent\n---------------------------------\n\n| **Caution:** Cloud Composer enables [intranode visibility](/kubernetes-engine/docs/how-to/intranode-visibility) on GKE clusters. Therefore, non-masquerade destinations must at least include the cluster's node and Pod IP address range(s).\n\n\u003cbr /\u003e\n\nFor more information about using and configuring the IP Masquerade agent in\nCloud Composer 1, see\n[Configuring an IP masquerade agent in Standard clusters](/kubernetes-engine/docs/how-to/ip-masquerade-agent).\n\nWhat's next\n-----------\n\n- [Create an environment](/composer/docs/composer-1/create-environments)\n- [Configure Shared VPC networking](/composer/docs/composer-1/configure-shared-vpc)\n- [Configure Private IP networking](/composer/docs/composer-1/configure-private-ip)"]]
