Configure private IP networking


This page provides information about configuring your Google Cloud project networking for Private IP environments.

For Private IP environments, Cloud Composer assigns only private IP (RFC 1918) addresses to the managed Google Kubernetes Engine and Cloud SQL VMs in your environment.

As an option, you can also use privately used public IP (PUPI) addresses together with the IP Masquerade agent, which saves RFC 1918 address space by letting the environment use non-RFC 1918 addresses.

For information about connecting to resources in your environment, see Private IP.

Before you begin

Make sure that you have the appropriate user and service account permissions to create an environment.

Check network requirements

Verify that your project's VPC network meets the following requirements:

  • Make sure that there are no private IP block conflicts. If your VPC network or any of its established VPC peers uses IP blocks that overlap the ranges used by the VPC network in the Google-managed tenant project (the GKE control plane, web server, and Cloud SQL ranges), Cloud Composer cannot create your environment. Consult the default IP ranges table for the defaults used in each region.

  • Make sure that there are sufficient secondary IP ranges for the Cloud Composer GKE pods and services. GKE allocates pod and service addresses from secondary ranges of the subnetwork (alias IPs). If GKE cannot find suitable ranges, Cloud Composer cannot create your environment.

  • Make sure that the number of secondary ranges in your subnetwork does not exceed 30. Consider the following:

    • The GKE cluster for your Private IP environment creates two secondary ranges in the subnetwork, one for pods and one for services. You can create multiple subnetworks in the same region for the same VPC network.
    • Because a subnetwork supports at most 30 secondary ranges and each Private IP environment requires two, each subnetwork supports up to 15 Private IP environments.
  • Make sure that your VPC network stays within the limit on the maximum number of VPC Network Peering connections to a single VPC network. The number of Private IP environments you can create depends on how many peering connections your VPC network already has.

    • Each Private IP environment uses at most two VPC peerings. Cloud Composer creates one peering to the tenant project network. The second peering is created by the GKE cluster of your environment, and other GKE private clusters in the same VPC network can reuse this connection, so it is not necessarily added for every environment.

Choose a network, subnetwork, and network ranges

Choose the network ranges for your Private IP environment (or use the default ones). You use these network ranges later when you create a Private IP environment.

To create a Private IP environment, you need to have the following information:

  • Your VPC network ID
  • Your VPC subnetwork ID
  • Two secondary IP ranges in your VPC subnetwork:
    • Secondary IP range for pods
    • Secondary IP range for services
  • IP ranges for the components of the environment:

    • GKE Control Plane IP range: IP range for the GKE control plane.
    • Web server IP range: IP range for the Airflow web server instance.
    • Cloud SQL IP range: IP range for the Cloud SQL instance.

See the default IP ranges table for the defaults used in each region.

Default IP ranges

Region                   GKE control plane IP range   Web server IP range   Cloud SQL IP range
asia-east2               172.16.0.0/23                172.31.255.0/24       10.0.0.0/12
asia-northeast1          172.16.2.0/23                172.31.254.0/24       10.0.0.0/12
asia-northeast2          172.16.32.0/23               172.31.239.0/24       10.0.0.0/12
asia-northeast3          172.16.30.0/23               172.31.240.0/24       10.0.0.0/12
asia-south1              172.16.4.0/23                172.31.253.0/24       10.0.0.0/12
asia-southeast1          172.16.40.0/23               172.31.235.0/24       10.0.0.0/12
australia-southeast1     172.16.6.0/23                172.31.252.0/24       10.0.0.0/12
europe-west1             172.16.8.0/23                172.31.251.0/24       10.0.0.0/12
europe-west2             172.16.10.0/23               172.31.250.0/24       10.0.0.0/12
europe-west3             172.16.12.0/23               172.31.249.0/24       10.0.0.0/12
europe-west6             172.16.14.0/23               172.31.248.0/24       10.0.0.0/12
europe-central2          172.16.36.0/23               172.31.237.0/24       10.0.0.0/12
northamerica-northeast1  172.16.16.0/23               172.31.247.0/24       10.0.0.0/12
southamerica-east1       172.16.18.0/23               172.31.246.0/24       10.0.0.0/12
us-central1              172.16.20.0/23               172.31.245.0/24       10.0.0.0/12
us-east1                 172.16.22.0/23               172.31.244.0/24       10.0.0.0/12
us-east4                 172.16.24.0/23               172.31.243.0/24       10.0.0.0/12
us-west1                 172.16.38.0/23               172.31.236.0/24       10.0.0.0/12
us-west2                 172.16.34.0/23               172.31.238.0/24       10.0.0.0/12
us-west3                 172.16.26.0/23               172.31.242.0/24       10.0.0.0/12
us-west4                 172.16.28.0/23               172.31.241.0/24       10.0.0.0/12
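The checks in "Check network requirements" (no overlap between your VPC's ranges and the tenant-side ranges, RFC 1918 addresses unless you deliberately use PUPI, and at most 30 secondary ranges per subnetwork) can be scripted against this table. The following Python is an added example, not part of this page or of Cloud Composer. It copies a few rows of the table verbatim; the VPC ranges fed to it are constructed for the example, and the override value 10.16.0.0/24 is only an illustration of a Cloud SQL range that sits outside 10.0.0.0/12. In practice you would feed it the primary and secondary ranges of your subnetwork and the ranges of every peered network.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Per-region tenant-side defaults, copied from the "Default IP ranges" table on
# this page (a subset of rows; add the remaining regions the same way).
DEFAULT_RANGES: Dict[str, Dict[str, str]] = {
    "asia-east2":   {"gke_control_plane": "172.16.0.0/23",  "web_server": "172.31.255.0/24", "cloud_sql": "10.0.0.0/12"},
    "europe-west1": {"gke_control_plane": "172.16.8.0/23",  "web_server": "172.31.251.0/24", "cloud_sql": "10.0.0.0/12"},
    "us-central1":  {"gke_control_plane": "172.16.20.0/23", "web_server": "172.31.245.0/24", "cloud_sql": "10.0.0.0/12"},
    "us-east4":     {"gke_control_plane": "172.16.24.0/23", "web_server": "172.31.243.0/24", "cloud_sql": "10.0.0.0/12"},
}

# Limits stated on this page.
MAX_SECONDARY_RANGES_PER_SUBNET = 30
SECONDARY_RANGES_PER_ENVIRONMENT = 2   # one for pods, one for services

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def tenant_ranges(region: str, overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Ranges the tenant project will use: the region defaults, with any
    ranges you chose yourself (overrides) applied on top."""
    ranges = dict(DEFAULT_RANGES[region])
    if overrides:
        ranges.update(overrides)
    return ranges


def find_conflicts(region: str, in_use: Iterable[str],
                   overrides: Optional[Dict[str, str]] = None) -> List[Tuple[str, str, str]]:
    """Return (component, tenant_range, conflicting_range) for every overlap
    between the tenant-side ranges and ranges already used by your VPC network
    and its peers (primary, secondary and peered ranges all count)."""
    used = [ipaddress.ip_network(c, strict=False) for c in in_use]
    conflicts: List[Tuple[str, str, str]] = []
    for component, cidr in tenant_ranges(region, overrides).items():
        tenant = ipaddress.ip_network(cidr, strict=False)
        for net in used:
            if tenant.overlaps(net):
                conflicts.append((component, cidr, str(net)))
    return conflicts


def non_rfc1918(cidrs: Iterable[str]) -> List[str]:
    """Ranges that are not RFC 1918. Acceptable only if you deliberately use
    privately used public IPs (PUPI) with the IP Masquerade agent."""
    return [c for c in cidrs
            if not any(ipaddress.ip_network(c, strict=False).subnet_of(b) for b in RFC1918)]


def remaining_environment_slots(secondary_ranges_in_subnet: int) -> int:
    """How many more Private IP environments the subnetwork can hold, given
    the 30-range limit and two secondary ranges per environment."""
    free = MAX_SECONDARY_RANGES_PER_SUBNET - secondary_ranges_in_subnet
    return max(free // SECONDARY_RANGES_PER_ENVIRONMENT, 0)


if __name__ == "__main__":
    # Constructed sample: a VPC that already carries a primary subnet range, the
    # pod/service secondary ranges of another GKE cluster and a peered 192.168/16.
    in_use = ["10.128.0.0/20", "10.4.0.0/14", "10.8.0.0/20", "192.168.0.0/16"]
    for conflict in find_conflicts("us-central1", in_use):
        print("conflict:", conflict)                      # the 10.x secondaries hit Cloud SQL's 10.0.0.0/12
    # Choosing a Cloud SQL range outside 10.0.0.0/12 resolves it (10.16.0.0/24 is an example value).
    print("after override:", find_conflicts("us-central1", in_use, {"cloud_sql": "10.16.0.0/24"}))
    print("non-RFC1918:", non_rfc1918(in_use + ["100.64.0.0/24"]))
    print("environments still possible:", remaining_environment_slots(4))
```

The sample deliberately reproduces the most common collision: GKE-style pod and service secondary ranges carved out of 10.0.0.0/12 overlap the default Cloud SQL range, so either those secondaries or the Cloud SQL range has to move before environment creation can succeed.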

Configure firewall rules

Configure the firewall rules of your VPC network so that traffic from your Private IP environment can reach the required destinations.

  1. In the Google Cloud console, go to the Firewall page.

  2. Configure the following firewall rules:

    • Allow egress from the GKE Node IP range to any destination (0.0.0.0/0) on TCP and UDP port 53. If you know the IP addresses of your DNS servers, restrict this rule to those addresses instead.
    • Allow egress from the GKE Node IP range to each IP address range used by the domain you chose for Google APIs and services (for example, private.googleapis.com or restricted.googleapis.com), TCP port 443.
    • Allow ingress and egress traffic between the GKE Node IP range and the GKE Node IP range, all TCP and UDP ports.
    • Allow ingress and egress traffic between the GKE Node IP range and the Pods IP range, all TCP and UDP ports.
    • Allow ingress and egress traffic between the GKE Node IP range and the Services IP range, all TCP and UDP ports.
    • Allow ingress and egress traffic between the GKE Pods and Services IP ranges, all TCP and UDP ports.
    • Allow ingress and egress traffic between the GKE Node IP range and the GKE Control Plane IP range, all TCP and UDP ports.
    • Allow egress from the GKE Node IP range to the Web server IP range, TCP ports 3306 and 3307.
    • GKE automatically creates a number of ingress and egress firewall rules that the cluster needs in order to function correctly (for example, rules for Google Cloud health checks). See the GKE firewall rules page for details, and do not delete or block the firewall rules that GKE creates.

    These are allow rules. If your VPC network also has a broad deny-egress rule, give the allow rules a higher priority (a lower priority number) so that they are evaluated first. See Using firewall rules to learn how to check, add, and update rules for your VPC network. Use Connectivity Tests to validate connectivity between the IP ranges listed above.
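Before creating the environment it is worth confirming that an existing rule set actually allows every flow in the list above, rather than eyeballing it. The following Python is an added example, not part of this page or of Cloud Composer. It expands the list into individual flows and checks them against firewall rules in the JSON shape that `gcloud compute firewall-rules list --format=json` emits. The node, pod, service and rule data are constructed for the example (the control plane and web server ranges are the us-central1 defaults from the table, and 199.36.153.8/30 is the documented private.googleapis.com range). The check ignores target tags, priorities and deny rules, so it can report gaps but cannot prove a flow is allowed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Flow:
    """One flow the page requires. For INGRESS, cidr is the source range the
    rule must allow; for EGRESS, it is the destination range."""
    direction: str        # "INGRESS" or "EGRESS"
    cidr: str
    protocol: str         # "tcp" or "udp"
    port: Optional[int]   # None means all ports
    purpose: str


def required_flows(r: Dict[str, str], google_api_ranges: Iterable[str],
                   dns_ranges: Iterable[str] = ("0.0.0.0/0",)) -> List[Flow]:
    """Expand the rule list on this page into individual flows. r holds the
    node, pods, services, control_plane and web_server ranges."""
    flows: List[Flow] = []
    for cidr in dns_ranges:
        for proto in ("tcp", "udp"):
            flows.append(Flow("EGRESS", cidr, proto, 53, "DNS"))
    for cidr in google_api_ranges:
        flows.append(Flow("EGRESS", cidr, "tcp", 443, "Google APIs and services"))
    pairs = [("node", "node"), ("node", "pods"), ("node", "services"),
             ("pods", "services"), ("node", "control_plane")]
    for a, b in pairs:                                   # "ingress and egress between A and B"
        for cidr in dict.fromkeys((r[a], r[b])):         # both ends, de-duplicated, order kept
            for proto in ("tcp", "udp"):
                flows.append(Flow("INGRESS", cidr, proto, None, f"{a}<->{b}"))
                flows.append(Flow("EGRESS", cidr, proto, None, f"{a}<->{b}"))
    for port in (3306, 3307):
        flows.append(Flow("EGRESS", r["web_server"], "tcp", port, "web server"))
    unique: Dict[tuple, Flow] = {}
    for f in flows:
        unique.setdefault((f.direction, f.cidr, f.protocol, f.port), f)
    return list(unique.values())


def _covers(rule: dict, flow: Flow) -> bool:
    """True if one allow rule (gcloud JSON shape) permits the flow. Target tags,
    priorities and deny rules are ignored, so this is a necessary check only."""
    if rule.get("direction") != flow.direction:
        return False
    key = "sourceRanges" if flow.direction == "INGRESS" else "destinationRanges"
    need = ipaddress.ip_network(flow.cidr, strict=False)
    if not any(need.subnet_of(ipaddress.ip_network(c, strict=False)) for c in rule.get(key, [])):
        return False
    for allowed in rule.get("allowed", []):
        if allowed["IPProtocol"] not in (flow.protocol, "all"):
            continue
        ports = allowed.get("ports")
        if not ports:                  # no port list means every port of that protocol
            return True
        if flow.port is None:          # an "all ports" flow needs an unrestricted entry
            continue
        for spec in ports:             # "53" or "3306-3307"
            lo, _, hi = spec.partition("-")
            if int(lo) <= flow.port <= int(hi or lo):
                return True
    return False


def missing_flows(rules: List[dict], flows: Iterable[Flow]) -> List[Flow]:
    return [f for f in flows if not any(_covers(rule, f) for rule in rules)]


def gcloud_command(flow: Flow, network: str, name: str) -> str:
    """gcloud invocation that would add a rule for one missing flow."""
    ranges_flag = "--source-ranges" if flow.direction == "INGRESS" else "--destination-ranges"
    spec = flow.protocol if flow.port is None else f"{flow.protocol}:{flow.port}"
    return (f"gcloud compute firewall-rules create {name} --network {network} "
            f"--direction {flow.direction} --action ALLOW --rules {spec} {ranges_flag} {flow.cidr}")


# Constructed sample: node is the subnet's primary range, pods/services are its
# secondary ranges, control_plane and web_server are the us-central1 defaults.
SAMPLE_RANGES = {"node": "10.128.0.0/20", "pods": "10.16.0.0/14", "services": "10.20.0.0/20",
                 "control_plane": "172.16.20.0/23", "web_server": "172.31.245.0/24"}
PRIVATE_GOOGLEAPIS = ["199.36.153.8/30"]   # private.googleapis.com VIP range

# Constructed rule set: a common "allow everything inside 10/8" setup that forgot
# TCP DNS and the 172.16/12 tenant-side ranges on the egress side.
SAMPLE_RULES = [
    {"name": "dns-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "googleapis-egress", "direction": "EGRESS", "destinationRanges": PRIVATE_GOOGLEAPIS,
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "internal-ingress", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8", "172.16.0.0/12"],
     "allowed": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}]},
    {"name": "internal-egress", "direction": "EGRESS", "destinationRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}]},
]


def sample_gaps() -> List[Flow]:
    return missing_flows(SAMPLE_RULES, required_flows(SAMPLE_RANGES, PRIVATE_GOOGLEAPIS))


if __name__ == "__main__":
    for i, f in enumerate(sample_gaps()):
        print(f"missing ({f.purpose}): {gcloud_command(f, 'my-vpc', f'composer-fix-{i}')}")
```

On the sample data the checker reports five gaps: TCP 53 egress (only UDP was allowed), all-port TCP and UDP egress to the control plane range, and TCP 3306 and 3307 egress to the web server range, because 172.16.0.0/12 was allowed on ingress but never on egress. Treat the generated gcloud commands as a starting point: scope them with target tags for the environment's nodes rather than applying them network-wide.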

VPC-native cluster configuration

Cloud Composer supports VPC-native GKE clusters in your environment.

During environment creation, you can enable VPC Native (alias IP) and configure networking, such as IP allocation, without enabling Private IP.

Because a VPC-native cluster is required for Airflow tasks to communicate with other VMs that are reachable through private IPs, you must also enable VPC Native when you configure a Private IP environment.