Private services access is a secure, private connection between your Google Cloud virtual private cloud (VPC) network and Google-managed or third-party services. It enables VM instances in your VPC network to communicate with these services using internal IP addresses, without exposing traffic to the public internet.
Before you begin
To establish a private connection, complete the following prerequisites:
- You must have an existing VPC network that you can use to connect to the service producer's network. VM instances must use this VPC network to connect to services over a private connection.
- Follow the steps on the Live Stream API Before you begin page to create a properly-configured Google Cloud project (or choose an existing project).
Enable private services access for the Live Stream API
The general process for configuring private services access is provided in the Virtual Private Cloud documentation. This page adapts the process to the Live Stream API.
Enable the Service Networking API. Execute the following command:
Linux, macOS, or Cloud Shell
    gcloud services enable servicenetworking.googleapis.com
Windows (PowerShell)
    gcloud services enable servicenetworking.googleapis.com
Windows (cmd.exe)
    gcloud services enable servicenetworking.googleapis.com
To get the permissions that you need to set up a private connection, ask your administrator to grant you the Compute Engine Network Admin (roles/compute.networkAdmin) IAM role on the Google Cloud project in which the VPC network resides. For more information about granting roles, see Manage access. The required permissions are also available through custom roles or other predefined roles.
In the VPC network, allocate a named IP range using the addresses create command as shown in the following examples. To specify an address range and a prefix length, which is also the subnet mask, use the --addresses and --prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/13, specify 192.168.0.0 for the address and 13 for the prefix length. Before using any of the command data below, make the following replacements:
- RESERVED_RANGE_NAME: a name for the allocated range, such as my-allocated-range
- DESCRIPTION: a description for the range, such as allocated for my-service
- VPC_NETWORK: the name of your VPC network, such as my-vpc-network
Execute the following command:
Linux, macOS, or Cloud Shell
    gcloud compute addresses create RESERVED_RANGE_NAME \
        --global \
        --purpose=VPC_PEERING \
        --addresses=192.168.0.0 \
        --prefix-length=13 \
        --description="DESCRIPTION" \
        --network=VPC_NETWORK
Windows (PowerShell)
    gcloud compute addresses create RESERVED_RANGE_NAME `
        --global `
        --purpose=VPC_PEERING `
        --addresses=192.168.0.0 `
        --prefix-length=13 `
        --description="DESCRIPTION" `
        --network=VPC_NETWORK
Windows (cmd.exe)
    gcloud compute addresses create RESERVED_RANGE_NAME ^
        --global ^
        --purpose=VPC_PEERING ^
        --addresses=192.168.0.0 ^
        --prefix-length=13 ^
        --description="DESCRIPTION" ^
        --network=VPC_NETWORK
You should receive a response similar to the following:
    Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses/RESERVED_RANGE_NAME].
To only specify a prefix length, use the --prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a 13-bit prefix length. Before using any of the command data below, make the following replacements:
- RESERVED_RANGE_NAME: a name for the allocated range, such as my-allocated-range
- DESCRIPTION: a description for the range, such as allocated for my-service
- VPC_NETWORK: the name of your VPC network, such as my-vpc-network
Execute the following command:
Linux, macOS, or Cloud Shell
    gcloud compute addresses create RESERVED_RANGE_NAME \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=13 \
        --description="DESCRIPTION" \
        --network=VPC_NETWORK
Windows (PowerShell)
    gcloud compute addresses create RESERVED_RANGE_NAME `
        --global `
        --purpose=VPC_PEERING `
        --prefix-length=13 `
        --description="DESCRIPTION" `
        --network=VPC_NETWORK
Windows (cmd.exe)
    gcloud compute addresses create RESERVED_RANGE_NAME ^
        --global ^
        --purpose=VPC_PEERING ^
        --prefix-length=13 ^
        --description="DESCRIPTION" ^
        --network=VPC_NETWORK
You should receive a response similar to the following:
    Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses/RESERVED_RANGE_NAME].
The preceding example creates a private connection to Google so that the VM instances in the provided VPC network (for example, my-vpc-network) can use private services access to reach Google services that support it. The Live Stream API requires the allocation of a CIDR /13 block per region. If you are planning to use the Live Stream API in multiple regions, allocate a larger block. The following table describes the recommended block size to allocate depending on the number of regions:
Number of regions | value for the --prefix-length flag
1 | 13
2 | 12
3-4 | 11
5-8 | 10
7-16 | 9
Create a private connection between the service producer network and your VPC network:
Create a private connection.
Before using any of the command data below, make the following replacements:
- RESERVED_RANGE_NAME: the name of the allocated range you created in the previous step
- VPC_NETWORK: the name of your VPC network
- PROJECT_ID: the Google Cloud project ID of the project that contains your VPC network
Execute the following command:
Linux, macOS, or Cloud Shell
    gcloud services vpc-peerings connect \
        --service=servicenetworking.googleapis.com \
        --ranges=RESERVED_RANGE_NAME \
        --network=VPC_NETWORK \
        --project=PROJECT_ID
Windows (PowerShell)
    gcloud services vpc-peerings connect `
        --service=servicenetworking.googleapis.com `
        --ranges=RESERVED_RANGE_NAME `
        --network=VPC_NETWORK `
        --project=PROJECT_ID
Windows (cmd.exe)
    gcloud services vpc-peerings connect ^
        --service=servicenetworking.googleapis.com ^
        --ranges=RESERVED_RANGE_NAME ^
        --network=VPC_NETWORK ^
        --project=PROJECT_ID
You should receive a response similar to the following:
    Operation "operations/OPERATION_ID" finished successfully.
This command creates a long-running operation (LRO).
If the command succeeds, skip to the next step. Otherwise, check the operation status.
Before using any of the command data below, make the following replacements:
- OPERATION_ID: the ID of the operation returned in the previous step
Execute the following command:
Linux, macOS, or Cloud Shell
    gcloud services vpc-peerings operations describe \
        --name=operations/OPERATION_ID
Windows (PowerShell)
    gcloud services vpc-peerings operations describe `
        --name=operations/OPERATION_ID
Windows (cmd.exe)
    gcloud services vpc-peerings operations describe ^
        --name=operations/OPERATION_ID
You should receive a response similar to the following:
    Operation "operations/OPERATION_ID" finished successfully.
(Optional) If you are using VPC Service Controls, you need to enable VPC-SC for the private connection you just created.
Before using any of the command data below, make the following replacements:
- VPC_NETWORK: the name of your VPC network
Execute the following command:
Linux, macOS, or Cloud Shell
    gcloud services vpc-peerings enable-vpc-service-controls \
        --service=servicenetworking.googleapis.com \
        --network=VPC_NETWORK
Windows (PowerShell)
    gcloud services vpc-peerings enable-vpc-service-controls `
        --service=servicenetworking.googleapis.com `
        --network=VPC_NETWORK
Windows (cmd.exe)
    gcloud services vpc-peerings enable-vpc-service-controls ^
        --service=servicenetworking.googleapis.com ^
        --network=VPC_NETWORK
You should receive a response similar to the following:
    Operation "operations/OPERATION_ID" finished successfully.
(Optional) If you have an on-premises network connected to your VPC, you can configure the peering connection so that on-premises hosts can communicate with the service producer's network. For more information, see on-premises host troubleshooting.
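The allocation step above requires one /13 block per region and an address that is aligned to the chosen prefix length, and an explicitly chosen range must also not collide with subnets already in the VPC network. The following Python check is added here and is not part of the original page or of Google's tooling; it validates a candidate --addresses/--prefix-length pair before you run gcloud compute addresses create, deriving the required prefix length from the one-/13-per-region rule stated on the page (the list of existing subnets is a constructed sample).

```python
import ipaddress

# The page states that the Live Stream API needs one /13 block per region.
PER_REGION_PREFIX = 13


def prefix_length_for_regions(num_regions: int) -> int:
    """Largest prefix length whose block still holds one /13 per region.

    Each bit removed from the prefix doubles the block, so N regions need
    ceil(log2(N)) extra bits; (N - 1).bit_length() computes that exactly.
    """
    if num_regions < 1:
        raise ValueError("need at least one region")
    return PER_REGION_PREFIX - (num_regions - 1).bit_length()


def check_allocation(address: str, prefix_length: int, num_regions: int,
                     existing_subnets) -> list:
    """Validate an --addresses/--prefix-length pair for addresses create.

    Returns a list of human-readable problems; an empty list means the range
    is aligned, large enough for num_regions, and disjoint from existing_subnets.
    """
    problems = []
    try:
        # strict=True (the default) rejects ranges with host bits set, e.g.
        # 192.168.1.0/13, which is not a valid start address for a /13.
        block = ipaddress.ip_network(f"{address}/{prefix_length}")
    except ValueError as err:
        return [f"range is not aligned to its prefix length: {err}"]

    needed = prefix_length_for_regions(num_regions)
    if block.prefixlen > needed:
        problems.append(
            f"/{block.prefixlen} is too small for {num_regions} region(s); "
            f"use --prefix-length={needed} or smaller")

    for cidr in existing_subnets:  # constructed sample input, see __main__
        subnet = ipaddress.ip_network(cidr)
        if block.overlaps(subnet):
            problems.append(f"{block} overlaps existing subnet {subnet}")
    return problems


if __name__ == "__main__":
    # Constructed sample: subnets assumed to exist already in the VPC network.
    existing = ["10.0.0.0/20", "192.168.5.0/24"]
    # The page's own example: 192.168.0.0 with prefix length 13, one region.
    print(check_allocation("192.168.0.0", 13, 1, ["10.0.0.0/20"]))  # []
    # The same range planned for two regions, and colliding with a subnet.
    for problem in check_allocation("192.168.0.0", 13, 2, existing):
        print("problem:", problem)
```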