Configure private IP networking

Cloud Composer 1 | Cloud Composer 2 | Cloud Composer 3

This page provides information about configuring your Google Cloud project networking for Private IP environments.

For Private IP environments, Cloud Composer assigns only private IP (RFC 1918) addresses to the managed Google Kubernetes Engine and Cloud SQL VMs in your environment.

As an option, you can also use privately used public IP addresses and the IP Masquerade agent to save the IP address space and to use non-RFC 1918 addresses.

For information about connecting to resources in your environment, see Private IP.

Environments with Private Service Connect and VPC peerings

By default, Cloud Composer 2 uses Private Service Connect, so that your private IP environments communicate internally without the use of VPC peerings, unless you specify otherwise when you create your environment.

We recommend using environments with Private Service Connect if you do not have a specific requirement to use environments with VPC peerings.

Before you begin

Check network requirements

Verify that your project's VPC network meets the following requirements:

  • Make sure that there are no private IP block conflicts. If your VPC network and its established VPC peers have overlapping IP blocks with the VPC network in the Google-managed tenant project, Cloud Composer cannot create your environment. See the default IP ranges table for the defaults used in each region.

  • Make sure that there are sufficient secondary IP ranges for the Cloud Composer GKE pods and services. GKE searches for secondary IP ranges for IP Aliasing. If GKE cannot find a range, Cloud Composer cannot create your environment.

  • Make sure that the number of secondary ranges in your subnetwork does not exceed 30. Consider the following:

    • The GKE cluster for your Private IP environment creates two secondary ranges in the subnetwork. You can create multiple subnetworks in the same region for the same VPC network.
    • The maximum number of supported secondary ranges is 30. Each Private IP environment requires two secondary ranges for the Cloud Composer GKE pods and services.
  • Make sure that your project's network can accommodate the limit on the maximum number of connections to a single VPC network. The maximum number of Private IP environments you can create depends on the number of already existing VPC peering connections in your VPC network.

Choose a network, subnetwork, and network ranges

Choose the network ranges for your Private IP environment (or use the default ones). You use these network ranges later when you create a Private IP environment.

To create a Private IP environment, you need to have the following information:

  • Your VPC network ID
  • Your VPC subnetwork ID
  • Two secondary IP ranges in your VPC subnetwork:
    • Secondary IP range for pods
    • Secondary IP range for services
  • IP ranges for the components of the environment:

    If your environment uses Private Service Connect:

    • GKE Control Plane IP range. IP range for the GKE control plane.

      If you specify the GKE Plane IP range for an environment, GKE creates a new subnetwork in this range to provision the IP address for communication with the GKE Control Plane. Otherwise, it uses the subnetwork specified in the Cloud Composer connection subnetwork range.

    • Cloud Composer connection subnetwork. IP range for the Cloud Composer connection subnetwork. You can specify a range of only two IP addresses. This range can be used by multiple environments in your project. By default, this range is the environment's subnetwork (VPC subnetwork ID).

    If your environment uses VPC peerings:

    • GKE Control Plane IP range. IP range for the GKE control plane.
    • IP range for Cloud Composer tenant network. IP range for the Cloud Composer tenant network. This network hosts the SQL proxy component of your environment.
    • Cloud SQL IP range. IP range for the Cloud SQL instance.

See the default IP ranges table for the defaults used in each region.

Default IP ranges

Environments with Private Service Connect

Region GKE control plane IP range
africa-south1 172.16.64.0/23
asia-east1 172.16.42.0/23
asia-east2 172.16.0.0/23
asia-northeast1 172.16.2.0/23
asia-northeast2 172.16.32.0/23
asia-northeast3 172.16.30.0/23
asia-south1 172.16.4.0/23
asia-south2 172.16.50.0/23
asia-southeast1 172.16.40.0/23
asia-southeast2 172.16.44.0/23
australia-southeast1 172.16.6.0/23
australia-southeast2 172.16.56.0/23
europe-central2 172.16.36.0/23
europe-north1 172.16.48.0/23
europe-southwest1 172.16.58.0/23
europe-west1 172.16.8.0/23
europe-west10 172.16.62.0/23
europe-west12 172.16.62.0/23
europe-west2 172.16.10.0/23
europe-west3 172.16.12.0/23
europe-west4 172.16.42.0/23
europe-west6 172.16.14.0/23
europe-west8 172.16.60.0/23
europe-west9 172.16.46.0/23
me-central1 172.16.58.0/23
me-central2 172.16.64.0/23
me-west1 172.16.54.0/23
northamerica-northeast1 172.16.16.0/23
northamerica-northeast2 172.16.46.0/23
northamerica-south1 172.16.68.0/23
southamerica-east1 172.16.18.0/23
southamerica-west1 172.16.58.0/23
us-central1 172.16.20.0/23
us-east1 172.16.22.0/23
us-east4 172.16.24.0/23
us-east5 172.16.52.0/23
us-south1 172.16.56.0/23
us-west1 172.16.38.0/23
us-west2 172.16.34.0/23
us-west3 172.16.26.0/23
us-west4 172.16.28.0/23

Environments with VPC peerings

Region GKE control plane IP range Cloud Composer tenant network IP range Cloud SQL IP range
africa-south1 172.16.64.0/23 172.31.223.0/24 10.0.0.0/12
asia-east1 172.16.42.0/23 172.31.255.0/24 10.0.0.0/12
asia-east2 172.16.0.0/23 172.31.255.0/24 10.0.0.0/12
asia-northeast1 172.16.2.0/23 172.31.254.0/24 10.0.0.0/12
asia-northeast2 172.16.32.0/23 172.31.239.0/24 10.0.0.0/12
asia-northeast3 172.16.30.0/23 172.31.240.0/24 10.0.0.0/12
asia-south1 172.16.4.0/23 172.31.253.0/24 10.0.0.0/12
asia-south2 172.16.50.0/23 172.31.230.0/24 10.0.0.0/12
asia-southeast1 172.16.40.0/23 172.31.235.0/24 10.0.0.0/12
asia-southeast2 172.16.44.0/23 172.31.233.0/24 10.0.0.0/12
australia-southeast1 172.16.6.0/23 172.31.252.0/24 10.0.0.0/12
australia-southeast2 172.16.56.0/23 172.31.227.0/24 10.0.0.0/12
europe-central2 172.16.36.0/23 172.31.237.0/24 10.0.0.0/12
europe-north1 172.16.48.0/23 172.31.231.0/24 10.0.0.0/12
europe-southwest1 172.16.58.0/23 172.31.226.0/24 10.0.0.0/12
europe-west1 172.16.8.0/23 172.31.251.0/24 10.0.0.0/12
europe-west10 172.16.62.0/23 172.31.224.0/24 10.0.0.0/12
europe-west12 172.16.62.0/23 172.31.224.0/24 10.0.0.0/12
europe-west2 172.16.10.0/23 172.31.250.0/24 10.0.0.0/12
europe-west3 172.16.12.0/23 172.31.249.0/24 10.0.0.0/12
europe-west4 172.16.42.0/23 172.31.234.0/24 10.0.0.0/12
europe-west6 172.16.14.0/23 172.31.248.0/24 10.0.0.0/12
europe-west8 172.16.60.0/23 172.31.225.0/24 10.0.0.0/12
europe-west9 172.16.46.0/23 172.31.232.0/24 10.0.0.0/12
me-central1 172.16.58.0/23 172.31.226.0/24 10.0.0.0/12
me-central2 172.16.64.0/23 172.31.223.0/24 10.0.0.0/12
me-west1 172.16.54.0/23 172.31.228.0/24 10.0.0.0/12
northamerica-northeast1 172.16.16.0/23 172.31.247.0/24 10.0.0.0/12
northamerica-northeast2 172.16.46.0/23 172.31.232.0/24 10.0.0.0/12
northamerica-south1 172.16.68.0/23 172.31.221.0/24 10.0.0.0/12
southamerica-east1 172.16.18.0/23 172.31.246.0/24 10.0.0.0/12
southamerica-west1 172.16.58.0/23 172.31.226.0/24 10.0.0.0/12
us-central1 172.16.20.0/23 172.31.245.0/24 10.0.0.0/12
us-east1 172.16.22.0/23 172.31.244.0/24 10.0.0.0/12
us-east4 172.16.24.0/23 172.31.243.0/24 10.0.0.0/12
us-east5 172.16.52.0/23 172.31.229.0/24 10.0.0.0/12
us-south1 172.16.56.0/23 172.31.227.0/24 10.0.0.0/12
us-west1 172.16.38.0/23 172.31.236.0/24 10.0.0.0/12
us-west2 172.16.34.0/23 172.31.238.0/24 10.0.0.0/12
us-west3 172.16.26.0/23 172.31.242.0/24 10.0.0.0/12
us-west4 172.16.28.0/23 172.31.241.0/24 10.0.0.0/12

(Optional) Configure connectivity to Google APIs and services

As an option, you might want to route all traffic to Google APIs and services through several IP addresses that belong to the private.googleapis.com domain. In this configuration, your environment accesses Google APIs and services through IP addresses only routable from within Google Cloud.

If your Private IP environment also uses VPC Service Controls, use instructions for environments with VPC Service Controls instead.

Cloud Composer environments use the following domains:

  • *.googleapis.com is used to access other Google services.

  • *.composer.cloud.google.com is used to make the Airflow web server of your environment accessible. This rule must be applied before you create an environment.

    • As an alternative, you can create a rule for a specific region. To do so, use REGION.composer.cloud.google.com. Replace REGION with the region where the environment is located, for example, us-central1.
  • (Optional) *.composer.googleusercontent.com is used when accessing the Airflow web server of your environment. This rule is required only if you access the Airflow web server from an instance that runs in the VPC network and is not required otherwise. A common scenario for this rule is when you want to call Airflow REST API from within the VPC network.

    • As an alternative, you can create a rule for a specific environment. To do so, use ENVIRONMENT_WEB_SERVER_NAME.composer.googleusercontent.com . Replace ENVIRONMENT_WEB_SERVER_NAME with the unique part of your environment's Airflow UI URL, for example, bffe6ce6c4304c55acca0e57be23128c-dot-us-central1.
  • *.pkg.dev is used to get environment images, such as when creating or updating an environment.

  • *.gcr.io GKE requires connectivity to Container Registry domain regardless of Cloud Composer version.

Configure connectivity to the private.googleapis.com endpoint:

Domain DNS name CNAME Record A Record
*.googleapis.com googleapis.com. DNS Name: *.googleapis.com.
Resource record type: CNAME
Canonical name: googleapis.com.
Resource record type: A
IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11
*.composer.cloud.google.com composer.cloud.google.com. DNS Name: *.composer.cloud.google.com.
Resource record type: CNAME
Canonical name: composer.cloud.google.com.
Resource record type: A
IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11
*.composer.googleusercontent.com
(optional, see description)
composer.googleusercontent.com. DNS Name: *.composer.googleusercontent.com.
Resource record type: CNAME
Canonical name: composer.googleusercontent.com.
Resource record type: A
IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11
*.pkg.dev pkg.dev. DNS Name: *.pkg.dev.
Resource record type: CNAME
Canonical name: pkg.dev.
Resource record type: A
IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11
*.gcr.io gcr.io. DNS Name: *.gcr.io.
Resource record type: CNAME
Canonical name: gcr.io.
Resource record type: A
IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11

To create a DNS rule:

  1. Create a new DNS zone and use DNS name as DNS name of this zone.

    Example: pkg.dev.

  2. Add a record set for CNAME Record.

    Example:

    • DNS Name: *.pkg.dev.
    • Resource record type: CNAME
    • Canonical name: pkg.dev.
  3. Add a record set with for A Record:

    Example:

    • Resource record type: A
    • IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11

For more information, see Setting up private connectivity to Google APIs and services.

(Optional) Configure firewall rules

Perform this step only if your project has non-default firewall rules, such as rules that override implied firewall rules, or modify pre-populated rules in the default network.

For example, Cloud Composer might fail to create an environment if you have a firewall rule that denies all egress traffic. To avoid issues, define selective allow rules that follow the list and have higher priority than the global deny rule.

Configure your VPC network to allow traffic from your environment:

  • See Using firewall rules to learn how to check, add and update rules for your VPC network.
  • Use Connectivity Tool to validate the connectivity between IP ranges.
  • You can use networking tags to further limit access. You can set these tags when you create an environment.
Description Direction Action Source or Destination Protocols Ports
DNS Egress Allow Any destination (0.0.0.0/0), or DNS server IP addresses TCP, UDP 53
Google APIs and services Egress Allow IP address range of the domain you chose for Google APIs and services. See IP addresses for default domains if you use defaults. TCP 443
Environment's cluster Nodes Egress Allow Environment's subnetwork primary IP address range TCP, UDP all
Environment's cluster Pods Egress Allow Secondary IP address range for Pods in the environment's subnetwork TCP, UDP all
Environment's cluster Control Plane Egress Allow GKE Control Plane IP range TCP, UDP all
(If your environment uses Private Service Connect) Connection subnetwork Egress Allow Cloud Composer connection subnetwork range TCP 3306, 3307
(If your environment uses VPC peerings) Tenant network Egress Allow Cloud Composer tenant network IP range TCP 3306, 3307

To obtain IP ranges:

  • Pod, Service, and Control Plane address ranges are available on the Clusters page of your environment's cluster:

    1. In Google Cloud console, go to the Environments page.

      Go to Environments

    2. In the list of environments, click the name of your environment. The Environment details page opens.

    3. Go to the Environment configuration tab.

    4. Follow the view cluster details link.

  • You can see environment's Cloud Composer tenant network IP range on the Environment configuration tab.

  • You can see environment's subnetwork ID and Cloud Composer connection subnetwork ID on the Environment configuration tab. To get IP ranges for a subnetwork, go to VPC Networks page and click on the network's name to see details:

    Go to VPC Networks

Configure proxy server settings

You can set HTTP_PROXY and HTTPS_PROXY environment variables in your environment. These standard Linux variables are used by web clients that run in containers of your environment's cluster to route traffic through the specified proxies.

The NO_PROXY variable by default is set to a list of Google domains so that they are excluded from proxying: .google.com,.googleapis.com,metadata.google.internal. This configuration makes it possible to create an environment with set HTTP_PROXY and HTTPS_PROXY environment variables in cases when the proxy is not configured to handle traffic to Google services.