Configure privately used public IP ranges

Cloud Composer 1 | Cloud Composer 2 | Cloud Composer 3

This page explains how to use privately used public IP ranges in your Private IP environment. For general information about creating Private IP environments, see Configure a private IP environment.

About privately used public IP ranges in Cloud Composer

Google Kubernetes Engine requires many IP addresses for its resources: each node, pod, and service must have a unique IP address. This can lead to a situation where existing private IP ranges cannot accommodate enough IP addresses.

Cloud Composer environments can use some IP ranges from non-RFC 1918 address space without additional configuration.

If you want to use more IP addresses, your environment can privately use certain public IP address ranges as internal, subnet IP address ranges for pods and services. Such ranges are called privately used public IP (PUPI) ranges.

You can privately use any public IP address except for certain restricted ranges.

Before you begin

  • You can only specify public IP ranges when you create a new environment. It is not possible to change IP ranges of an existing environment.

  • Your environment must be a Private IP environment.

  • You can create environments with PUPI ranges only using gcloud, Terraform, and REST API.

  • Only GKE pods and services can use public IP ranges. Other environment components such as Cloud SQL, web server, and GKE control plane cannot use public IP ranges in a private IP environment.

  • GKE cluster is created with default SNAT disabled.

Enable PUPI ranges when you create an environment

gcloud

To create an environment with PUPI ranges, use the --enable-privately-used-public-ips argument when you create a Private IP environment. Then specify public IP ranges for pods and services.

Subnet ranges managed by GKE

To create subnet ranges managed by GKE:

gcloud composer environments create ENVIRONMENT_NAME \
    --location LOCATION \
    --image-version composer-2.9.5-airflow-2.9.1 \
    --enable-private-environment \
    --enable-privately-used-public-ips \
    --cluster-ipv4-cidr POD_IP_RANGE \
    --services-ipv4-cidr SERVICES_IP_RANGE

Replace:

  • ENVIRONMENT_NAME with the name of the environment.
  • LOCATION with the region where the environment is located.
  • POD_IP_RANGE with an IP address range in the CIDR notation. This range is added as a secondary IP address range to the subnetwork of your environment and is used as the IP address range for pods.
  • SERVICES_IP_RANGE with an IP address range in the CIDR notation. This range is the secondary IP address range for services in the subnetwork of your environment.

Example:

gcloud composer environments create example-environment \
    --location us-central1 \
    --image-version composer-2.9.5-airflow-2.9.1 \
    --enable-private-environment \
    --enable-privately-used-public-ips \
    --cluster-ipv4-cidr 10.3.192.0/20 \
    --services-ipv4-cidr 172.16.194.0/23

User-managed subnet ranges

To create user-managed ranges:

gcloud composer environments create ENVIRONMENT_NAME \
    --location LOCATION \
    --image-version composer-2.9.5-airflow-2.9.1 \
    --enable-private-environment \
    --enable-privately-used-public-ips \
    --cluster-secondary-range-name POD_IP_RANGE_NAME \
    --services-secondary-range-name SERVICES_IP_RANGE_NAME

Replace:

  • ENVIRONMENT_NAME with the name of the environment.
  • LOCATION with the region where the environment is located.
  • POD_IP_RANGE_NAME with the name of an existing secondary IP address range in the specified subnetwork. This range is used by pods.
  • SERVICES_IP_RANGE_NAME with the name of an existing secondary IP address range in the specified subnetwork. This range is used by services.

Example:

gcloud composer environments create example-environment \
    --location us-central1 \
    --image-version composer-2.9.5-airflow-2.9.1 \
    --enable-private-environment \
    --enable-privately-used-public-ips \
    --cluster-secondary-range-name "public-1" \
    --services-secondary-range-name "public-2"

API

Construct an environments.create API request. In the Environment resource, specify the configuration parameters for an environment with PUPI ranges.

Subnet ranges managed by GKE

To create subnet ranges managed by GKE:

// POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments

{
  "name": "ENVIRONMENT_NAME",
  "config": {
    "nodeConfig": {
      "ipAllocationPolicy": {
        "clusterIpv4CidrBlock":"POD_IP_RANGE",
        "servicesIpv4CidrBlock":"SERVICES_IP_RANGE"
      }
    },
    "privateEnvironmentConfig": {
      "enablePrivateEnvironment": true,
      "enablePrivatelyUsedPublicIps": true
    }
  }
}

Replace:

  • ENVIRONMENT_NAME with the name of the environment.
  • POD_IP_RANGE with an IP address range in the CIDR notation. This range is added as a secondary IP address range to the subnetwork of your environment and is used as the IP address range for pods.
  • SERVICES_IP_RANGE with an IP address range in the CIDR notation. This range is the secondary IP address range for services in the subnetwork of your environment.

Example:

// POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments

{
  "name": "example-environment",
  "config": {
    "nodeConfig": {
      "ipAllocationPolicy": {
        "clusterIpv4CidrBlock":"10.3.192.0/20",
        "servicesIpv4CidrBlock":"172.16.194.0/23"
      }
    },
    "privateEnvironmentConfig": {
      "enablePrivateEnvironment": true,
      "enablePrivatelyUsedPublicIps": true
    }
  }
}

User-managed subnet ranges

To create user-managed ranges:

// POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments

{
  "name": "ENVIRONMENT_NAME",
  "config": {
    "nodeConfig": {
      "ipAllocationPolicy": {
        "clusterSecondaryRangeName":"POD_IP_RANGE",
        "servicesSecondaryRangeName": "SERVICES_IP_RANGE"
      }
    },
    "privateEnvironmentConfig": {
      "enablePrivateEnvironment": true,
      "enablePrivatelyUsedPublicIps": true
    }
  }
}

Replace:

  • ENVIRONMENT_NAME with the name of the environment.
  • POD_IP_RANGE_NAME with the name of an existing secondary IP address range in the specified subnetwork. This range is used by pods.
  • SERVICES_IP_RANGE_NAME with the name of an existing secondary IP address range in the specified subnetwork. This range is used by services.

Example:

// POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments

{
  "name": "example-environment",
  "config": {
    "nodeConfig": {
      "ipAllocationPolicy": {
        "clusterSecondaryRangeName":"public-1",
        "servicesSecondaryRangeName": "public-2"
      }
    },
    "privateEnvironmentConfig": {
      "enablePrivateEnvironment": true,
      "enablePrivatelyUsedPublicIps": true
    }
  }
}

Terraform

When you create an environment, the enable_privately_used_public_ips field in the private_environment_config block enables the use of PUPI ranges. You must also specify PUPI ranges for pods and services.

Subnet ranges managed by GKE

To create subnet ranges managed by GKE:

resource "google_composer_environment" "example_environment" {
  provider = google-beta
  name = "ENVIRONMENT_NAME"
  region = "LOCATION"

  config {

    node_config {

      ip_allocation_policy = [{
        
        cluster_ipv4_cidr_block = "POD_IP_RANGE"
        services_ipv4_cidr_block = "SERVICES_IP_RANGE"
        cluster_secondary_range_name = null
        services_secondary_range_name = null
      }]
    }

    private_environment_config {
      enable_privately_used_public_ips = true
      // Other private ip environment parameters
    }

  }
}

Replace:

  • ENVIRONMENT_NAME with the name of the environment.
  • LOCATION with the region where the environment is located.
  • POD_IP_RANGE with an IP address range in the CIDR notation. This range is added as a secondary IP address range to the subnetwork of your environment and is used as the IP address range for pods.
  • SERVICES_IP_RANGE with an IP address range in the CIDR notation. This range is the secondary IP address range for services in the subnetwork of your environment.

Example:

resource "google_composer_environment" "example_environment" {
  provider = google-beta
  name = "example-environment"
  region = "us-central1"

  config {

    node_config {

      // Specify your network and subnetwork
      network    = google_compute_network.example_network.id
      subnetwork = google_compute_subnetwork.example_subnet.id

      ip_allocation_policy = [{
        
        // Specify PUPI addresses
        cluster_ipv4_cidr_block = "10.3.192.0/20"
        services_ipv4_cidr_block = "172.16.194.0/23"
        cluster_secondary_range_name = null
        services_secondary_range_name = null
      }]
    }

    private_environment_config {
      enable_privately_used_public_ips = true
      // Other private environment parameters
    }

  }
}

User-managed subnet ranges

To create user-managed ranges:

resource "google_composer_environment" "example_environment" {
  provider = google-beta
  name = "ENVIRONMENT_NAME"
  region = "LOCATION"

  config {

    node_config {

      ip_allocation_policy = [{
        
        cluster_ipv4_cidr_block = null
        services_ipv4_cidr_block = null
        cluster_secondary_range_name = POD_IP_RANGE_NAME
        services_secondary_range_name = SERVICES_IP_RANGE_NAME
      }]
    }

    private_environment_config {
      enable_privately_used_public_ips = true
      // Other private ip environment parameters
    }

  }

Replace:

  • ENVIRONMENT_NAME with the name of the environment.
  • LOCATION with the region where the environment is located.
  • POD_IP_RANGE_NAME with the name of an existing secondary IP address range in the specified subnetwork. This range is used by pods.
  • SERVICES_IP_RANGE_NAME with the name of an existing secondary IP address range in the specified subnetwork. This range is used by services.

Example:

resource "google_composer_environment" "example_environment" {
  provider = google-beta
  name = "example-environment"
  region = "us-central1"

  config {

    node_config {

      // Specify your network and subnetwork
      network    = google_compute_network.example_network.id
      subnetwork = google_compute_subnetwork.example_subnet.id

      ip_allocation_policy = [{
        
        cluster_ipv4_cidr_block = null
        services_ipv4_cidr_block = null
        // Specify existing ranges
        cluster_secondary_range_name = "public-1"
        services_secondary_range_name = "public-2"
      }]
    }
    private_environment_config {
      enable_privately_used_public_ips = true
      // Other private environment parameters
    }

  }
}

What's next