Configure connectivity using VPC peering

VPC peering works by configuring the VPCs to communicate with one another. This is only applicable if both the source and destination are in the same Google Cloud project.

If your source is within a VPN (in AWS, for example, or your own on-premises VPN), you need to to configure the source VPN and Google Cloud VPN to work with each other. For more information, see connecting VPCs through VPNs.

VPC chaining isn't supported. See Shared VPC overview to learn how to connect resources from multiple projects to a common VPC network for VPC peering.

The source database server's firewall must be configured to allow the entire internal IP range allocated for the private service connection of the VPC network that the Cloud SQL destination instance is going to use as the privateNetwork field of its ipConfiguration settings.

To find the internal IP range in the console:

  1. Go to the VPC networks page in the Google Cloud Console.

  2. Select the VPC network that you want to use.

  3. Select the PRIVATE SERVICE CONNECTION tab.

VPC peering uses private services access, which must be configured once for each project using VPC peering. After you have established private services access, test your migration job to verify connectivity.

Configuring private services access for Database Migration Service

If you are using private IP for any of your Database Migration Service instances, you only need to configure private services access one time for every Google Cloud project that has or needs to connect to a Database Migration Service instance.

Establishing private services access requires the compute.networkAdmin IAM role. After private services access is established for your network, you no longer need the compute.networkAdmin IAM role to configure an instance to use private IP.

Private services access requires you to first allocate an internal IP address range, then create a private connection, and then export a custom route.

An allocated range is a reserved CIDR block that can't otherwise be used in your local VPC network. When you create a private connection, you specify an allocation. The private connection links your VPC network with the underlying ("service producer") VPC network.

When you create a private connection, the VPC network and service producer network exchange subnet routes only. You must export the VPC network's custom routes so that the service provider's network can import them and correctly route traffic to your on-premises network.

A peering configuration establishes the intent to connect to another VPC network. Your network and the other network are not connected until each one has a peering configuration for the other. After the other network has a corresponding configuration to peer with your network, the peering state changes to ACTIVE in both networks, and they are connected. If there's no matching peering configuration in the other network, the peering state remains INACTIVE, indicating that your network is not connected to the other one.

Once connected, the two networks always exchange subnet routes. You can optionally import both static and dynamic custom routes from a peered network if it has been configured to export them

There are two parts to the private services access configuration process:

  • Allocating an IP address range. The range encompasses all of your instances.
  • Creating a private connection from your VPC network to the service producer network.

Allocating an IP address range

Console

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Allocated IP ranges for services tab.
  5. Click Allocate IP range.
  6. For the Name of the allocated range, specify google-managed-services-VPC_NETWORK_NAME, where VPC_NETWORK_NAME is the name of the VPC network you are connecting (for example, google-managed-services-default). The Description is optional.

  7. Click ALLOCATE to create the allocated range.

gcloud

Do one of the following:

  • To specify an address range and a prefix length (subnet mask), use the addresses and prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/16, specify 192.168.0.0 for the address and 16 for the prefix length.

    gcloud compute addresses create google-managed-services-[VPC_NETWORK_NAME] \
        --global \
        --purpose=VPC_PEERING \
        --addresses=192.168.0.0 \
        --prefix-length=16 \
        --network=[VPC_NETWORK_NAME]
    
  • To specify a prefix length (subnet mask) only, just use the prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a 16 bit prefix length.

    gcloud compute addresses create google-managed-services-[VPC_NETWORK_NAME] \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=16 \
        --network=[VPC_NETWORK_NAME]
    

Replace [VPC_NETWORK_NAME] with the name of your VPC network, such as my-vpc-network.

The following example allocates an IP range that allows resources in the VPC network my-vpc-network to connect to Database Migration Service instances using private IP.

gcloud compute addresses create google-managed-services-my-vpc-network \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --network=my-vpc-network \
    --project=my-project

Creating a private connection

Console

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Private connections to services tab.
  5. Click Create connection to create a private connection between your network and a service producer.
  6. For the Assigned allocation, select one or more existing allocated ranges that aren't being used by other service producers, and then click OK.
  7. Click CONNECT to create the connection.

gcloud

  1. Create a private connection.

    gcloud services vpc-peerings connect \
        --service=servicenetworking.googleapis.com \
        --ranges=google-managed-services-[VPC_NETWORK_NAME] \
        --network=[VPC_NETWORK_NAME] \
        --project=[PROJECT_ID]
    

    Replace [VPC_NETWORK_NAME] with the name of your VPC network and [PROJECT_ID] with the ID of the project that contains your VPC network.

    The command initiates a long-running operation, returning an operation name.

  2. Check whether the operation was successful.

    gcloud services vpc-peerings operations describe \
        --name=[OPERATION_NAME]
    

    Replace [OPERATION_NAME] with the operation name that was returned from the previous step.

You can specify more than one allocated range when you create a private connection. For example, if a range has been exhausted, you can assign additional allocated ranges. The service uses IP addresses from all the provided ranges in the order that you specified.

Exporting custom routes

Update an existing VPC Network Peering connection to change whether your VPC network exports or imports custom routes to or from the peer VPC network.

Your network imports custom routes only if the peer network is also exporting custom routes, and the peer network receives custom routes only if it imports them.

Console

  1. Go to the VPC Network Peering page in the Google Cloud Console.
    Go to the VPC Network Peering page
  2. Select the peering connection to update.
  3. Click EDIT.
  4. Update your custom route settings by selecting or deselecting Import custom routes or Export custom routes.
  5. Click SAVE.

gcloud

Update the peering connection to change your import or export settings for custom routes.

gcloud compute networks peerings update [PEERING-NAME] \
    --network=[MY-LOCAL-NETWORK] \
    [--[no-]import-custom-routes] \
    [--[no-]export-custom-routes]

Granting the compute.networkAdmin role

gcloud beta services identity create --service=servicenetworking.googleapis.com --project=project-id
gcloud projects add-iam-policy-binding project-id --member="service-account-prefix@service-networking.iam.gserviceaccount.com" --role="roles/servicenetworking.serviceAgent"