Cloud Composer 1 | Cloud Composer 2
This page provides information about configuring your Google Cloud project networking for Private IP environments.
For Private IP environments, Cloud Composer assigns only private IP (RFC 1918) addresses to the managed Google Kubernetes Engine and Cloud SQL VMs in your environment.
As an option, you can also use privately used public IP addresses to save the IP address space.
For information about connecting to resources in your environment, see Private IP.
Before you begin
Make sure that you have the appropriate user and service account permissions to create an environment.
Step 1. Check network requirements
Verify that your project's VPC network meets the following requirements:
Make sure that there are no private IP block conflicts. If your VPC network and its established VPC peers have overlapping IP blocks with the VPC network in the Google-managed tenant project, Cloud Composer cannot create your environment. Consult the Cloud Composer network IP range column in the default IP ranges table for the defaults used in each region.
Make sure that there are sufficient secondary IP ranges for the Cloud Composer GKE pods and services. GKE searches for secondary IP ranges for IP Aliasing. If GKE cannot find a range, Cloud Composer cannot create your environment.
Make sure that the number of VPC peering connections in your VPC network does not exceed 25. Consider the following:
- The maximum number of Private IP environments you can create depends on the number of already existing VPC peering connections in your VPC network.
- For each Private IP environment, Cloud Composer creates one peering connection for the tenant project network.
- If your environment is located in a different zone than other environments in the VPC network, the private GKE cluster creates another VPC peering connection.
- If all environments in the VPC network are in the same zone, the maximum number of Private IP environments that Cloud Composer can support is 23.
- If all environments in the VPC network are in different zones, the maximum number of Private IP environments is 12.
Make sure that the number of secondary ranges in your subnetwork does not exceed 30. Consider the following:
- The GKE cluster for your Private IP environment creates two secondary ranges in the subnetwork. You can create multiple subnetworks in the same region for the same VPC network.
- The maximum number of supported secondary ranges is 30. Because each Private IP environment requires two secondary ranges for the Cloud Composer GKE pods and services, each subnetwork supports up to 15 Private IP environments.
Step 2. Choose a network, subnetwork, and network ranges
Choose the network ranges for your Private IP environment (or use the default ones). You use these network ranges later when you create a Private IP environment.
To create a Private IP environment, you need to have the following information:
- Your VPC network ID
- Your VPC subnetwork ID
- Two secondary IP ranges in your VPC subnetwork:
- Secondary IP range for pods
- Secondary IP range for services
Three IP ranges for the components of the environment:
- GKE Control Plane IP range. IP range for the GKE control plane.
- Cloud Composer network IP range. IP range for the Cloud Composer network
Cloud SQL IP range. IP range for the Cloud SQL instance.
Consult the default IP ranges table for the defaults used in each region.
Default IP ranges
|Region||GKE control plane IP range||Cloud Composer network IP range||Cloud SQL IP range|
Step 3. Configure firewall rules
Configure your VPC network to allow traffic from your Private IP environment to reach the required destinations.
In the Google Cloud console, go to the Firewall page.
Configure the following firewall rules:
- Allow egress from GKE Node IP range to any destination (0.0.0.0/0), TCP/UDP port 53, or if you know DNS server IP addresses, then allow egress from GKE Node IP range to DNS IP addresses over TCP/UDP port 53.
- Allow ingress and egress traffic between GKE Node IP range and GKE Node IP range, all ports.
- Allow ingress and egress traffic between GKE Node IP range and Pods IP range, all ports.
- Allow ingress and egress traffic between GKE Node IP range and Services IP range, all ports.
- Allow ingress and egress traffic between GKE Pods and Services IP ranges, all ports.
- Allow ingress and egress from GKE Node IP range to GKE Control Plane IP range, all ports.
- Allow ingress from GCP Health Checks 220.127.116.11/22, 18.104.22.168/16 to GKE Node IP range, TCP ports 80 and 443.
- Allow egress from GKE Node IP range to GCP Health Checks 22.214.171.124/22, 126.96.36.199/16, TCP ports 80 and 443.
- Allow egress from GKE Node IP range to Cloud Composer network IP range, TCP ports 3306 and 3307.
VPC Native configuration
Cloud Composer supports VPC-native GKE clusters in your environment.
During environment creation, you can enable VPC Native (using alias IP) and configure networking, such as IP allocation, without enabling private IP.
Because a VPC native cluster is required for Airflow tasks to communicate with other VMs that are reachable through private IPs, you must also enable VPC Native to configure a private IP environment.