Overview
VPC peering works by configuring the VPCs to communicate with one another. If your source is in the same Google Cloud project in Cloud SQL or Compute Engine, then this allows the destination to communicate with the source directly. If your source is within a VPN (in AWS, for example, or your own on-premises VPN), then configure the source VPN and Google Cloud VPN to work with each other. For more information, see connecting VPCs through VPNs.VPC chaining isn't supported. If your source is in a different Google Cloud project, then see Shared VPC overview to learn how to connect resources from multiple projects to a common VPC network for VPC peering.
The source database server's firewall must be configured to allow the entire internal IP range allocated for the private service connection of the VPC network that the Cloud SQL destination instance is going to use.
To find the internal IP range in the console:
Go to the VPC networks page in the Google Cloud console.
Select the VPC network that you want to use.
Select the PRIVATE SERVICE CONNECTION tab.
pg_hba.conf
file or the security groups definitions in AWS RDS on the source database are updated to accept connections from the
Cloud SQL VPC's IP address range.
VPC peering uses private services access,
which must be configured once for each project using VPC peering. After you have
established private services access
, test your
migration job to verify connectivity.
Configuring private services access for Database Migration Service
If you are using private IP for any of your Database Migration Service instances, you only need to configure private services access one time for every Google Cloud project that has or needs to connect to a Database Migration Service instance.
Establishing private services access requires the
compute.networkAdmin IAM role. After private
services access is established for your network, you no longer
need the compute.networkAdmin
IAM role to configure an instance to
use private IP.
Private services access requires you to first allocate an internal IP address range, then create a private connection, and then export a custom route.
An allocated range is a reserved CIDR block that can't otherwise be used in your local VPC network. When you create a private connection, you specify an allocation. The private connection links your VPC network with the underlying ("service producer") VPC network.
When you create a private connection, the VPC network and service producer network exchange subnet routes only. You must export the VPC network's custom routes so that the service provider's network can import them and correctly route traffic to your on-premises network.
A peering configuration establishes the intent to connect to another VPC network. Your network and the other network are not connected until each one has a peering configuration for the other. After the other network has a corresponding configuration to peer with your network, the peering state changes to ACTIVE in both networks, and they are connected. If there's no matching peering configuration in the other network, the peering state remains INACTIVE, indicating that your network is not connected to the other one.
Once connected, the two networks always exchange subnet routes. You can optionally import both static and dynamic custom routes from a peered network if it has been configured to export them
There are two parts to the private services access configuration process:
- Allocating an IP address range. The range encompasses all of your instances.
- Creating a private connection from your VPC network to the service producer network.
Allocating an IP address range
Console
- Go to the VPC networks page in the Google Cloud console.
- Select the VPC network that you want to use.
- Select the Private service connection tab.
- Select the Allocated IP ranges for services tab.
- Click Allocate IP range.
For the Name of the allocated range, specify
google-managed-services-VPC_NETWORK_NAME
, whereVPC_NETWORK_NAME
is the name of the VPC network you are connecting (for example,google-managed-services-default
). The Description is optional.Click ALLOCATE to create the allocated range.
gcloud
Do one of the following:
To specify an address range and a prefix length (subnet mask), use the
addresses
andprefix-length
flags. For example, to allocate the CIDR block192.168.0.0/16
, specify192.168.0.0
for the address and16
for the prefix length.gcloud compute addresses create google-managed-services-[VPC_NETWORK_NAME] \ --global \ --purpose=VPC_PEERING \ --addresses=192.168.0.0 \ --prefix-length=16 \ --network=[VPC_NETWORK_NAME]
To specify a prefix length (subnet mask) only, just use the
prefix-length
flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a16
bit prefix length.gcloud compute addresses create google-managed-services-[VPC_NETWORK_NAME] \ --global \ --purpose=VPC_PEERING \ --prefix-length=16 \ --network=[VPC_NETWORK_NAME]
Replace [VPC_NETWORK_NAME]
with the name of your VPC
network, such as my-vpc-network
.
The following example allocates an IP range that allows resources in the
VPC network my-vpc-network
to connect to Database Migration Service
instances using private IP.
gcloud compute addresses create google-managed-services-my-vpc-network \ --global \ --purpose=VPC_PEERING \ --prefix-length=16 \ --network=my-vpc-network \ --project=my-project
Creating a private connection
Console
- Go to the VPC networks page in the Google Cloud console.
- Select the VPC network that you want to use.
- Select the Private service connection tab.
- Select the Private connections to services tab.
- Click Create connection to create a private connection between your network and a service producer.
- For the Assigned allocation, select one or more existing allocated ranges that aren't being used by other service producers, and then click OK.
- Click CONNECT to create the connection.
gcloud
Create a private connection.
gcloud services vpc-peerings connect \ --service=servicenetworking.googleapis.com \ --ranges=google-managed-services-[VPC_NETWORK_NAME] \ --network=[VPC_NETWORK_NAME] \ --project=[PROJECT_ID]
Replace
[VPC_NETWORK_NAME]
with the name of your VPC network and[PROJECT_ID]
with the ID of the project that contains your VPC network.The command initiates a long-running operation, returning an operation name.
Check whether the operation was successful.
gcloud services vpc-peerings operations describe \ --name=[OPERATION_NAME]
Replace
[OPERATION_NAME]
with the operation name that was returned from the previous step.
You can specify more than one allocated range when you create a private connection. For example, if a range has been exhausted, you can assign additional allocated ranges. The service uses IP addresses from all the provided ranges in the order that you specified.
Exporting custom routes
Update an existing VPC Network Peering connection to change whether your VPC network exports or imports custom routes to or from the peer VPC network.
Your network imports custom routes only if the peer network is also exporting custom routes, and the peer network receives custom routes only if it imports them.
Console
- Go to the VPC Network Peering page in the Google Cloud console.
Go to the VPC Network Peering page - Select the peering connection to update.
- Click EDIT.
- Update your custom route settings by selecting or deselecting Import custom routes or Export custom routes.
- Click SAVE.
gcloud
Update the peering connection to change your import or export settings for custom routes.
gcloud compute networks peerings update [PEERING-NAME] \ --network=[MY-LOCAL-NETWORK] \ [--[no-]import-custom-routes] \ [--[no-]export-custom-routes]
Granting the roles/servicenetworking.serviceAgent
role
gcloud beta services identity create \
--service=servicenetworking.googleapis.com \
--project=project-id
gcloud projects add-iam-policy-binding project-id \
--member="service-account-prefix@service-networking.iam.gserviceaccount.com" \
--role="roles/servicenetworking.serviceAgent"
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-30 UTC.