Configure static outbound IP addresses for connections
This page explains how you can assign static IP addresses to your connections. By using the static IP addresses, you can restrict access to your backend systems, which in turn makes the connectivity more secure.
If you want Integration Connectors to connect to your backend system(s), you can use private connectivity. However, if you don't want to do the elaborate steps for setting up the private connectivity, you can consider exposing your backend system over a public IP address, and then restrict its access through firewall rules. In the firewall rules, you can allow only the IP addresses originating from Integration Connectors to connect to your backend system. To allow a connection to connect to a public endpoint, you must do the following high-level steps:
- Create a firewall, and route your egress traffic through the firewall.
- Assign a static IP address to your connection.
- Allowlist the assigned static IP address in your firewall.
Steps to create and configure a firewall are outside the scope of this page. This page only describes how you can assign static IP addresses to your connections.
By default, Integration Connectors allocates IP addresses automatically. However, you can
configure Integration Connectors to generate static IP addresses instead of an automatic
IP addresses. Integration Connectors assigns the static IP addresses
at a region level. For example, the static IP addresses for the us-east1
region will be different from the static IP addresses in the us-west2 region.
To assign static IP addresses to your connection, do the following steps:
- Get the region of the connection for which you want to allocate the static IP address.
You can view the connection region in the
Locationcolumn of the Connections page. -
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
- Configure the Integration Connectors to assign static IP address for the region
that you got from step 1. Run the following command in your Cloud Shell.
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ -d '{"networkConfig": {"egressMode": "static_ip"}}' \ https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/regionalSettingsSet the LOCATION to the region that you got in step 1.
Running this command, returns a response similar to the following:
{ "name": "projects/test-01/locations/us-central1/operations/operation-1696840994443-6074494b6d138-8215226d-516faaf8", "metadata": { "@type": "type.googleapis.com/google.cloud.connectors.v1.OperationMetadata", "createTime": "2023-10-09T08:43:14.467058513Z", "target": "projects/test-01/locations/us-central1/regionalSettings", "verb": "update", "requestedCancellation": false, "apiVersion": "v1" }, "done": false }This command returns an operation ID and starts a long-running operation (LRO) which may take some time to complete. Wait for the LRO to complete. You can track the progress of the operation by using the following command:
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_ID
If the static IP address allocation is successful, you will get a response similar to the following:
... ... "response": { "@type": "type.googleapis.com/google.cloud.connectors.v1.RegionalSettings", "name": "projects/test-01/locations/us-central1/regionalSettings", "networkConfig": { "egressMode": "STATIC_IP", "egressIps": [ "35.193.227.203", "34.133.63.9", "35.223.253.58", "34.170.27.253" ] } }In this sample response, four static IP addresses are allocated for the
us-central1region, and theegressModefor the region is set toSTATIC_IP. - Allowlist the static IP addresses (got in step 4) in your firewall rules.
Get static IP addresses of a region
If at anytime you want to get the static IP addresses allocated to a region (location), run the following command:
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/regionalSettings
Running this command returns a response similar to the following:
"response": {
"@type": "type.googleapis.com/google.cloud.connectors.v1.RegionalSettings",
"name": "projects/test-01/locations/us-central1/regionalSettings",
"networkConfig": {
"egressMode": "STATIC_IP",
"egressIps": [
"35.193.227.203",
"34.133.63.9",
"35.223.253.58",
"34.170.27.253"
]
}
}
Assign auto IP addresses to a region
If you want to remove the static IP address configuration for a region, and auto assign the IP addresses, you must run the following command in your terminal:
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{"networkConfig": {"egressMode": "auto_ip"}}' \
https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/regionalSettings
Similar to the previous command for configuring static IP addresses, this command also returns an operation ID and starts a long-running operation (LRO) which may take some time to complete. Wait for the LRO to complete.
Considerations
Consider the following points when allocating static IP addresses for a region:
- The reserved set of static IP addresses are different for different regions within a project.
- When you change the egress mode for a region from
STATIC_IPtoAUTO_IP, the original set of static IP addresses aren't retained, and therefore, when you again change the egress mode fromAUTO_IPtoSTATIC_IP, a new set of static IP addresses are allocated. - When you change the egress mode from
AUTO_IPtoSTATIC_IPor the other way around, you can expect a downtime in the order of seconds.