Configure static outbound IP addresses for connections

This page explains how you can assign static IP addresses to your connections. By using the static IP addresses, you can restrict access to your backend systems, which in turn makes the connectivity more secure.

If you want Integration Connectors to connect to your backend system(s), you can use private connectivity. However, if you don't want to do the elaborate steps for setting up the private connectivity, you can consider exposing your backend system over a public IP address, and then restrict its access through firewall rules. In the firewall rules, you can allow only the IP addresses originating from Integration Connectors to connect to your backend system. To allow a connection to connect to a public endpoint, you must do the following high-level steps:

  1. Create a firewall, and route your egress traffic through the firewall.
  2. Assign a static IP address to your connection.
  3. Allowlist the assigned static IP address in your firewall.

Steps to create and configure a firewall are outside the scope of this page. This page only describes how you can assign static IP addresses to your connections.

By default, Integration Connectors allocates IP addresses automatically. However, you can configure Integration Connectors to generate static IP addresses instead of an automatic IP addresses. Integration Connectors assigns the static IP addresses at a region level. For example, the static IP addresses for the us-east1 region will be different from the static IP addresses in the us-west2 region.

To assign static IP addresses to your connection, do the following steps:

  1. Get the region of the connection for which you want to allocate the static IP address. You can view the connection region in the Location column of the Connections page.

    Go to the Connections page

  2. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  3. Configure the Integration Connectors to assign static IP address for the region that you got from step 1. Run the following command in your Cloud Shell.
    curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    -d '{"networkConfig": {"egressMode": "static_ip"}}' \
    https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/regionalSettings

    Set the LOCATION to the region that you got in step 1.

    Running this command, returns a response similar to the following:

    {
    "name": "projects/test-01/locations/us-central1/operations/operation-1696840994443-6074494b6d138-8215226d-516faaf8",
    "metadata": {
      "@type": "type.googleapis.com/google.cloud.connectors.v1.OperationMetadata",
      "createTime": "2023-10-09T08:43:14.467058513Z",
      "target": "projects/test-01/locations/us-central1/regionalSettings",
      "verb": "update",
      "requestedCancellation": false,
      "apiVersion": "v1"
     },
    "done": false
    }

    This command returns an operation ID and starts a long-running operation (LRO) which may take some time to complete. Wait for the LRO to complete. You can track the progress of the operation by using the following command:

    curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/operations/OPERATION_ID

    If the static IP address allocation is successful, you will get a response similar to the following:

    ...
    ...
    "response": {
      "@type": "type.googleapis.com/google.cloud.connectors.v1.RegionalSettings",
      "name": "projects/test-01/locations/us-central1/regionalSettings",
      "networkConfig": {
       "egressMode": "STATIC_IP",
        "egressIps": [
          "35.193.227.203",
          "34.133.63.9",
          "35.223.253.58",
          "34.170.27.253"
        ]
      }
    }
    

    In this sample response, four static IP addresses are allocated for the us-central1 region, and the egressMode for the region is set to STATIC_IP.

  4. Allowlist the static IP addresses (got in step 4) in your firewall rules.

Get static IP addresses of a region

If at anytime you want to get the static IP addresses allocated to a region (location), run the following command:

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/regionalSettings

Running this command returns a response similar to the following:

  "response": {
    "@type": "type.googleapis.com/google.cloud.connectors.v1.RegionalSettings",
    "name": "projects/test-01/locations/us-central1/regionalSettings",
    "networkConfig": {
     "egressMode": "STATIC_IP",
      "egressIps": [
        "35.193.227.203",
        "34.133.63.9",
        "35.223.253.58",
        "34.170.27.253"
      ]
    }
  }

Assign auto IP addresses to a region

If you want to remove the static IP address configuration for a region, and auto assign the IP addresses, you must run the following command in your terminal:

curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    -d '{"networkConfig": {"egressMode": "auto_ip"}}' \
    https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/regionalSettings

Similar to the previous command for configuring static IP addresses, this command also returns an operation ID and starts a long-running operation (LRO) which may take some time to complete. Wait for the LRO to complete.

Considerations

Consider the following points when allocating static IP addresses for a region:

  • The reserved set of static IP addresses are different for different regions within a project.
  • When you change the egress mode for a region from STATIC_IP to AUTO_IP, the original set of static IP addresses aren't retained, and therefore, when you again change the egress mode from AUTO_IP to STATIC_IP, a new set of static IP addresses are allocated.
  • When you change the egress mode from AUTO_IP to STATIC_IP or the other way around, you can expect a downtime in the order of seconds.