A 15 de setembro de 2026, todos os ambientes do Cloud Composer 1 e do Cloud Composer 2 versão 2.0.x vão atingir o fim da vida útil planeado e não vai poder usá-los. Recomendamos que planeie a migração para o Cloud Composer 3.
A máscara de IP é uma forma de tradução de endereços de rede (NAT) usada para fazer traduções de endereços IP de muitos para um. Isto permite que vários clientes acedam a um destino a partir de um único endereço IP.
O Cloud Composer executa as suas cargas de trabalho no GKE. Para funcionar corretamente, requer intervalos de IP para nós (VMs), bem como pods e serviços do GKE. Quando as tarefas e os DAGs do Airflow comunicam com outros serviços, usam IPs de pods, e estes intervalos de IPs de pods têm de ser encaminháveis para e a partir de quaisquer destinos com os quais as tarefas interagem.
Com o agente de ocultação de IP, tem a opção de traduzir endereços IP de pods em endereços IP de nós, para que os destinos e os serviços segmentados a partir de DAGs e tarefas do Airflow apenas recebam pacotes de endereços IP de nós em vez de endereços IP de pods. Isto é útil em ambientes que esperam receber apenas pacotes de endereços IP de nós ou onde os intervalos de IP de pods não são encaminháveis fora do cluster.
Além disso, pode usar o agente de ocultação de IP para guardar intervalos de rede na configuração de rede. Por exemplo, pode usar um intervalo de rede separado para os pods no cluster do seu ambiente e mascarar este tráfego como proveniente do intervalo de endereços IP do nó. Desta forma, poupa espaço de endereços IP num intervalo usando endereços IP de um intervalo diferente para os pods no cluster do seu ambiente.
Por exemplo:
Usa o intervalo 10.0.0.0/8 para VMs e apenas este intervalo é permitido pelas suas regras de firewall.
Para guardar intervalos de rede, use um intervalo diferente (por exemplo, 192.168.0.0/16) para os pods no cluster do seu ambiente.
Para poder estabelecer ligação a qualquer serviço a partir de um pod (trabalhador do Airflow), é necessário o mascaramento de IP. Caso contrário, o serviço recebe tráfego de 192.168.0.0/16 e rejeita-o devido a uma regra de firewall. Com o agente IP
Masquerade ativado e configurado, o serviço recebe pedidos de
10.0.0.0/8, que são aceites.
Antes de começar
Não é possível ativar o agente de ocultação de IP na Google Cloud consola.
Ative o agente de ocultação de IP para um ambiente existente
Não é possível ativar o agente de ocultação de IP para um ambiente existente.
Ative o agente de ocultação de IP ao criar um ambiente
Pode ativar o agente de ocultação de IP quando cria um ambiente.
Para mais informações sobre a criação de ambientes do Cloud Composer,
consulte o artigo Crie um ambiente.
Consola
Não é possível ativar o agente de ocultação de IP na Google Cloud consola.
gcloud
Quando cria um ambiente, o argumento --enable-ip-masq-agent ativa o agente de mascaramento de IP.
Também tem de ativar o alias de IP com o argumento --enable-ip-alias.
LOCATION com a região onde o ambiente está localizado.
ENVIRONMENT_NAME com o nome do ambiente.
Exemplo:
// POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments{"name":"projects/example-project/locations/us-central1/environments/example-environment","config":{"softwareConfig":{"imageVersion":"composer-1.20.12-airflow-1.10.15"},"nodeConfig":{"ipAllocationPolicy":{"useIpAliases":true,},"enableIpMasqAgent":true}}}
Terraform
Quando cria um ambiente, o campo enable_ip_masq_agent
no bloco node_config ativa o agente de ocultação de IP.
Também tem de ativar o alias de IP com o campo use_ip_aliases no bloco ip_allocation_policy.
resource"google_composer_environment""example_environment"{provider=google-betaname="ENVIRONMENT_NAME"region="LOCATION"config{software_config{image_version="composer-1.20.12-airflow-1.10.15"}node_config{ip_allocation_policy=[{use_ip_aliases=true // Other networking configuration}]enable_ip_masq_agent=true}}
Substituir:
ENVIRONMENT_NAME com o nome do ambiente.
LOCATION com a região onde o ambiente está localizado.
Exemplo:
resource"google_composer_environment""example_environment"{provider=google-betaname="example-environment"region="us-central1"config{software_config{image_version="composer-1.20.12-airflow-1.10.15"}node_config{ip_allocation_policy=[{use_ip_aliases=true // Other networking configuration}]enable_ip_masq_agent=true}}}
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-29 UTC."],[[["\u003cp\u003eThe IP Masquerade agent in Cloud Composer allows translating Pod IP addresses to node IP addresses, enabling communication with external services using the environment's cluster IP addresses.\u003c/p\u003e\n"],["\u003cp\u003eEnabling the IP Masquerade agent is recommended if your project faces IP address shortages, as it performs many-to-one IP address translations, conserving IP address space.\u003c/p\u003e\n"],["\u003cp\u003eThe IP Masquerade agent must be enabled during environment creation, as it cannot be enabled for existing environments.\u003c/p\u003e\n"],["\u003cp\u003eEnabling the IP Masquerade agent requires also enabling IP alias using the \u003ccode\u003egcloud\u003c/code\u003e, \u003ccode\u003eAPI\u003c/code\u003e, or \u003ccode\u003eTerraform\u003c/code\u003e methods.\u003c/p\u003e\n"],["\u003cp\u003eWhen configuring the IP Masquerade agent, you must include at least the cluster's node and Pod IP address ranges as non-masquerade destinations, due to Cloud Composer's use of intranode visibility on GKE clusters.\u003c/p\u003e\n"]]],[],null,["# Enable the IP Masquerade agent in Cloud Composer environments\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n[Cloud Composer 3](/composer/docs/composer-3/change-networking-type#comparison \"View this page for Cloud Composer 3\") \\| [Cloud Composer 2](/composer/docs/composer-2/enable-ip-masquerade-agent \"View this page for Cloud Composer 2\") \\| **Cloud Composer 1**\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page describes how to enable the IP Masquerade agent for your environment.\n| **Important:** Consider using the IP Masquerade agent if your project is impacted by the shortage of IP addresses. By enabling the IP Masquerade agent, you can use your environment's cluster IP addresses to communicate with external services.\n\nAbout the IP Masquerade agent in Cloud Composer\n-----------------------------------------------\n\nCloud Composer supports\nthe [IP Masquerade agent](/kubernetes-engine/docs/how-to/ip-masquerade-agent) for your environments.\n\n*IP masquerading* is a form of network address translation (NAT) used to\nperform many-to-one IP address translations. This allows multiple clients to\naccess a destination from a single IP address.\n\nCloud Composer runs your workloads on GKE. For\ncorrect function, it requires IP ranges for nodes (VMs) as well as\nGKE Pods and Services. When Airflow DAGs and tasks\ncommunicate with other services, they use Pod IPs and these Pod IP ranges need\nto be routable to and from any destinations that the tasks interact with.\n\nWith the IP Masquerade agent, you have the option to translate Pod IP\naddresses to node IP addresses, so that destinations and services targeted\nfrom Airflow DAGs and tasks only receive packets from node IP addresses\ninstead of Pod IP addresses. This is useful in environments that expect to\nonly receive packets from node IP addresses or where Pod IP ranges are not\nroutable outside of the cluster.\n\nIn addition, you can use the IP Masquerade agent to save network ranges in\nyour networking configuration. For example, you can use a separate network\nrange for Pods inside your environment's cluster and masquerade this traffic\nas coming from the node IP address range. In this way, you save IP address\nspace in one range by using IP addresses from a different range for Pods in\nyour environment's cluster.\n\nFor example:\n\n1. You use the `10.0.0.0/8` range for VMs and only this range is allowed by\n your firewall rules.\n\n2. To save network ranges, you use a different range (for example,\n `192.168.0.0/16`) for Pods in your environment's cluster.\n\n3. To be able to connect to any service from a Pod (Airflow worker), IP\n masquerading is needed; otherwise the service receives traffic from\n `192.168.0.0/16` and drops it because of a firewall rule. With the IP\n Masquerade agent enabled and configured, the service gets requests from\n `10.0.0.0/8`, which are accepted.\n\nBefore you begin\n----------------\n\n- It is not possible to enable the IP Masquerade agent in Google Cloud console.\n\nEnable the IP Masquerade agent for an existing environment\n----------------------------------------------------------\n\nIt is not possible to enable the IP Masquerade agent for an existing\nenvironment.\n\nEnable the IP Masquerade agent when creating an environment\n-----------------------------------------------------------\n\nYou can enable the IP Masquerade agent when you create an environment.\n\nFor more information about creating Cloud Composer environments,\nsee [Create environment](/composer/docs/composer-1/create-environments). \n\n### Console\n\nIt is not possible to enable the IP Masquerade agent in Google Cloud console.\n\n### gcloud\n\nWhen you create an environment, the `--enable-ip-masq-agent` argument\nenables the IP Masqerade agent.\n\nYou must also enable IP alias with the `--enable-ip-alias` argument. \n\n gcloud composer environments create \u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e \\\n --image-version composer-1.20.12-airflow-1.10.15 \\\n --enable-ip-alias \\\n --enable-ip-masq-agent\n\nReplace:\n\n- `ENVIRONMENT_NAME` with the name of the environment.\n- `LOCATION` with the region where the environment is located.\n\nExample: \n\n gcloud composer environments create example-environment \\\n --location us-central1 \\\n --image-version composer-1.20.12-airflow-1.10.15 \\\n --enable-ip-alias \\\n --enable-ip-masq-agent\n\n### API\n\nConstruct an [`environments.create`](/composer/docs/reference/rest/v1/projects.locations.environments/create) API request.\nSpecify the configuration in the [`Environment`](/composer/docs/reference/rest/v1/projects.locations.environments#Environment)\nresource. \n\n {\n \"name\": \"projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e/environments/\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e\",\n \"config\": {\n \"softwareConfig\": {\n \"imageVersion\": \"composer-1.20.12-airflow-1.10.15\"\n },\n \"nodeConfig\": {\n \"ipAllocationPolicy\": {\n \"useIpAliases\": true,\n },\n \"enableIpMasqAgent\": true\n }\n }\n }\n\nReplace:\n\n- `PROJECT_ID` with the [Project ID](/resource-manager/docs/creating-managing-projects).\n- `LOCATION` with the region where the environment is located.\n- `ENVIRONMENT_NAME` with the environment name.\n\nExample: \n\n // POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments\n\n {\n \"name\": \"projects/example-project/locations/us-central1/environments/example-environment\",\n \"config\": {\n \"softwareConfig\": {\n \"imageVersion\": \"composer-1.20.12-airflow-1.10.15\"\n },\n \"nodeConfig\": {\n \"ipAllocationPolicy\": {\n \"useIpAliases\": true,\n },\n \"enableIpMasqAgent\": true\n }\n }\n }\n\n### Terraform\n\nWhen you create an environment, the `enable_ip_masq_agent`\nfield in the `node_config` block enables the IP Masqerade agent.\n\nYou must also enable IP alias with the `use_ip_aliases` field in the\n`ip_allocation_policy` block. \n\n resource \"google_composer_environment\" \"example_environment\" {\n provider = google-beta\n name = \"\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e\"\n region = \"\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n\n config {\n software_config {\n image_version = \"composer-1.20.12-airflow-1.10.15\"\n }\n node_config {\n ip_allocation_policy = [{\n use_ip_aliases = true\n // Other networking configuration\n }]\n enable_ip_masq_agent = true\n }\n }\n\nReplace:\n\n- `ENVIRONMENT_NAME` with the name of the environment.\n- `LOCATION` with the region where the environment is located.\n\nExample: \n\n resource \"google_composer_environment\" \"example_environment\" {\n provider = google-beta\n name = \"example-environment\"\n region = \"us-central1\"\n\n config {\n software_config {\n image_version = \"composer-1.20.12-airflow-1.10.15\"\n }\n node_config {\n ip_allocation_policy = [{\n use_ip_aliases = true\n // Other networking configuration\n }]\n enable_ip_masq_agent = true\n }\n }\n }\n\nConfigure the IP Masquerade agent\n---------------------------------\n\n| **Caution:** Cloud Composer enables [intranode visibility](/kubernetes-engine/docs/how-to/intranode-visibility) on GKE clusters. Therefore, non-masquerade destinations must at least include the cluster's node and Pod IP address range(s).\n\n\u003cbr /\u003e\n\nFor more information about using and configuring the IP Masquerade agent in\nCloud Composer 1, see\n[Configuring an IP masquerade agent in Standard clusters](/kubernetes-engine/docs/how-to/ip-masquerade-agent).\n\nWhat's next\n-----------\n\n- [Create an environment](/composer/docs/composer-1/create-environments)\n- [Configure Shared VPC networking](/composer/docs/composer-1/configure-shared-vpc)\n- [Configure Private IP networking](/composer/docs/composer-1/configure-private-ip)"]]
