Configure private services access

Private services access is a secure, private connection between your Google Cloud virtual private cloud (VPC) network and Google-managed or third-party services. It enables VM instances in your VPC network to communicate with these services using internal IP addresses, without exposing traffic to the public internet.

Before you begin

To establish a private connection, complete the following prerequisites:

  • You must have an existing VPC network that you can use to connect to the service producer's network. VM instances must use this VPC network to connect to services over a private connection.
  • Follow the steps on the Live Stream API Before you begin page to create a properly-configured Google Cloud project (or choose an existing project).

Enable private services access for the Live Stream API

The general process for configuring private services access is provided in the Virtual Private Cloud documentation. This page adapts the process to the Live Stream API.

  1. Install and configure the Google Cloud CLI.

  2. Enable the Service Networking API.

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud services enable servicenetworking.googleapis.com
    

    Windows (PowerShell)

    gcloud services enable servicenetworking.googleapis.com
    

    Windows (cmd.exe)

    gcloud services enable servicenetworking.googleapis.com
    

  3. To get the permissions that you need to set up a private connection, ask your administrator to grant you the Compute Engine Network Admin (roles/compute.networkAdmin) IAM role on the Google Cloud project in which the VPC network resides. For more information about granting roles, see Manage access.

    The required permissions are also available through custom roles or other predefined roles.

  4. In the VPC network, allocate a named IP range using the addresses create command as shown in the following examples.

    To specify both an address range and a prefix length (the CIDR suffix that determines the subnet mask), use the --addresses and --prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/13, specify 192.168.0.0 for --addresses and 13 for --prefix-length. A range you choose yourself must not overlap a subnet in the VPC network or a range that the VPC routes to on-premises; if you are not sure which ranges are free, use the second form below and let Google Cloud pick one.

    Before using any of the command data below, make the following replacements:

    • RESERVED_RANGE_NAME: a name for the allocated range, such as my-allocated-range
    • DESCRIPTION: a description for the range, such as allocated for my-service
    • VPC_NETWORK: the name of your VPC network, such as my-vpc-network

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud compute addresses create RESERVED_RANGE_NAME \
        --global \
        --purpose=VPC_PEERING \
        --addresses=192.168.0.0 \
        --prefix-length=13 \
        --description="DESCRIPTION" \
        --network=VPC_NETWORK
    

    Windows (PowerShell)

    gcloud compute addresses create RESERVED_RANGE_NAME `
        --global `
        --purpose=VPC_PEERING `
        --addresses=192.168.0.0 `
        --prefix-length=13 `
        --description="DESCRIPTION" `
        --network=VPC_NETWORK
    

    Windows (cmd.exe)

    gcloud compute addresses create RESERVED_RANGE_NAME ^
        --global ^
        --purpose=VPC_PEERING ^
        --addresses=192.168.0.0 ^
        --prefix-length=13 ^
        --description="DESCRIPTION" ^
        --network=VPC_NETWORK
    

    You should receive a response similar to the following:

    Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses/RESERVED_RANGE_NAME].

    To specify only a prefix length, use the --prefix-length flag and omit --addresses. Google Cloud then selects an unused address range of that size in your VPC network, which avoids a collision with existing subnets. The following example selects an unused IP address range with a 13-bit prefix length.

    Before using any of the command data below, make the following replacements:

    • RESERVED_RANGE_NAME: a name for the allocated range, such as my-allocated-range
    • DESCRIPTION: a description for the range, such as allocated for my-service
    • VPC_NETWORK: the name of your VPC network, such as my-vpc-network

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud compute addresses create RESERVED_RANGE_NAME \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=13 \
        --description="DESCRIPTION" \
        --network=VPC_NETWORK
    

    Windows (PowerShell)

    gcloud compute addresses create RESERVED_RANGE_NAME `
        --global `
        --purpose=VPC_PEERING `
        --prefix-length=13 `
        --description="DESCRIPTION" `
        --network=VPC_NETWORK
    

    Windows (cmd.exe)

    gcloud compute addresses create RESERVED_RANGE_NAME ^
        --global ^
        --purpose=VPC_PEERING ^
        --prefix-length=13 ^
        --description="DESCRIPTION" ^
        --network=VPC_NETWORK
    

    You should receive a response similar to the following:

    Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses/RESERVED_RANGE_NAME].

    The preceding examples allocate the range that the private connection, created in the next step, will use. Once that connection exists, VM instances in the VPC network (for example, my-vpc-network) can use private services access to reach Google services that support it.

    The Live Stream API requires one /13 CIDR block per region. If you plan to use the Live Stream API in multiple regions, allocate a larger block: each decrement of the prefix length doubles the number of /13 blocks the allocation holds (a /12 holds two, a /11 four, a /10 eight, a /9 sixteen). The following table describes the recommended block size to allocate depending on the number of regions:

    Number of regions   Value for the --prefix-length flag
    1                   13
    2                   12
    3-4                 11
    5-8                 10
    9-16                9
  5. Create a private connection between the service producer network and your VPC network:

    1. Create a private connection.

      Before using any of the command data below, make the following replacements:

      • RESERVED_RANGE_NAME: the name of the allocated range you created in the previous step
      • VPC_NETWORK: the name of your VPC network
      • PROJECT_ID: the Google Cloud project ID of the project that contains your VPC network

      Execute the following command:

      Linux, macOS, or Cloud Shell

      gcloud services vpc-peerings connect \
          --service=servicenetworking.googleapis.com \
          --ranges=RESERVED_RANGE_NAME \
          --network=VPC_NETWORK \
          --project=PROJECT_ID
      

      Windows (PowerShell)

      gcloud services vpc-peerings connect `
          --service=servicenetworking.googleapis.com `
          --ranges=RESERVED_RANGE_NAME `
          --network=VPC_NETWORK `
          --project=PROJECT_ID
      

      Windows (cmd.exe)

      gcloud services vpc-peerings connect ^
          --service=servicenetworking.googleapis.com ^
          --ranges=RESERVED_RANGE_NAME ^
          --network=VPC_NETWORK ^
          --project=PROJECT_ID
      

      You should receive a response similar to the following:

      Operation "operations/OPERATION_ID" finished successfully.

      This command creates a long-running operation (LRO).

    2. If the command succeeds, skip to the next step. Otherwise, check the operation status.

      Before using any of the command data below, make the following replacements:

      • OPERATION_ID: the ID of the operation returned in the previous step

      Execute the following command:

      Linux, macOS, or Cloud Shell

      gcloud services vpc-peerings operations describe \
        --name=operations/OPERATION_ID
      

      Windows (PowerShell)

      gcloud services vpc-peerings operations describe `
        --name=operations/OPERATION_ID
      

      Windows (cmd.exe)

      gcloud services vpc-peerings operations describe ^
        --name=operations/OPERATION_ID
      

      You should receive a response similar to the following:

      Operation "operations/OPERATION_ID" finished successfully.

  6. (Optional) If you are using VPC Service Controls, you need to enable VPC-SC for the private connection you just created.

    Before using any of the command data below, make the following replacements:

    • VPC_NETWORK: the name of your VPC network

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud services vpc-peerings enable-vpc-service-controls \
        --service=servicenetworking.googleapis.com \
        --network=VPC_NETWORK
    

    Windows (PowerShell)

    gcloud services vpc-peerings enable-vpc-service-controls `
        --service=servicenetworking.googleapis.com `
        --network=VPC_NETWORK
    

    Windows (cmd.exe)

    gcloud services vpc-peerings enable-vpc-service-controls ^
        --service=servicenetworking.googleapis.com ^
        --network=VPC_NETWORK
    

    You should receive a response similar to the following:

    Operation "operations/OPERATION_ID" finished successfully.

  7. (Optional) If you have an on-premises network connected to your VPC, you can configure the peering connection so that on-premises hosts can communicate with the service producer's network. For more information, see on-premises host troubleshooting.
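The following script is an added example, not part of the Live Stream API documentation, that ties steps 2, 4 and 5 together and adds the check a practitioner wants before step 4: when you pick the range yourself with --addresses, it must not overlap a subnet already in the VPC or a range the VPC routes to on-premises. The script derives the prefix length from the number of regions (one /13 per region, so the table above generalizes to prefix = 13 - ceil(log2(regions))), tests the candidate range against a constructed list of in-use ranges with a small CIDR-overlap check, and then prints the gcloud commands in dry-run mode; set DRY_RUN=0 to execute them. The last gcloud call lists the peering so you can confirm the allocated range is attached. The project, network and range names are placeholders and the IN_USE list is constructed sample input; it is plain POSIX sh.

```shell
#!/bin/sh
# Added example, not from the Live Stream API docs. Plain POSIX sh.
# Project, network and range names are placeholders; IN_USE is constructed.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network mask for a prefix length, as an integer (4294967295 = 0xFFFFFFFF).
mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Exit 0 when two CIDR blocks overlap: they overlap exactly when both
# agree on the shorter of the two prefixes.
cidr_overlap() {
  a_ip=${1%/*}; a_len=${1#*/}
  b_ip=${2%/*}; b_len=${2#*/}
  if [ "$a_len" -lt "$b_len" ]; then len=$a_len; else len=$b_len; fi
  m=$(mask "$len")
  [ $(( $(ip2int "$a_ip") & m )) -eq $(( $(ip2int "$b_ip") & m )) ]
}

# Check a candidate allocation against ranges already in use (VPC subnets,
# on-premises routes). Prints the first conflict and returns 1.
check_allocation() {
  cand=$1; shift
  for used in "$@"; do
    if cidr_overlap "$cand" "$used"; then
      echo "conflict: $cand overlaps $used"
      return 1
    fi
  done
  return 0
}

# Prefix length for N regions: one /13 per region, so the block must hold
# 2^ceil(log2(N)) /13 blocks, i.e. prefix = 13 - ceil(log2(N)).
prefix_for_regions() {
  n=$1; bits=0; cap=1
  while [ "$cap" -lt "$n" ]; do cap=$(( cap * 2 )); bits=$(( bits + 1 )); done
  echo $(( 13 - bits ))
}

# Print commands instead of running them when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Steps 2, 4 and 5 of the page for a given range, then a listing of the
# peering to confirm it exists and carries the allocated range.
private_services_access() {
  range_name=$1; network=$2; project=$3; cidr=$4
  run gcloud services enable servicenetworking.googleapis.com --project="$project"
  run gcloud compute addresses create "$range_name" --global --purpose=VPC_PEERING \
      --addresses="${cidr%/*}" --prefix-length="${cidr#*/}" \
      --description="allocated for Live Stream API" \
      --network="$network" --project="$project"
  run gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com \
      --ranges="$range_name" --network="$network" --project="$project"
  run gcloud services vpc-peerings list --service=servicenetworking.googleapis.com \
      --network="$network" --project="$project"
}

# Constructed sample: ranges the VPC already uses or routes to on-premises.
IN_USE="10.128.0.0/20 172.16.0.0/12 192.168.64.0/18"
LEN=$(prefix_for_regions 3)          # 3 regions -> /11

# The page's example range collides with the constructed on-prem route.
check_allocation 192.168.0.0/13 $IN_USE \
  || echo "choose another range, or omit --addresses so Google Cloud picks a free one"

# A clean candidate: dry-run the procedure with it.
CAND="10.0.0.0/$LEN"
if check_allocation "$CAND" $IN_USE; then
  DRY_RUN=1
  private_services_access my-allocated-range my-vpc-network my-project "$CAND"
fi
```

The overlap test is the standard one for CIDR blocks: two blocks intersect if and only if they share the network bits of the shorter prefix, so masking both addresses with that prefix's mask and comparing is sufficient. Run the script with DRY_RUN unset (or 0) and real names to execute the gcloud commands; the final `gcloud services vpc-peerings list` shows the `reservedPeeringRanges` the connection uses, which is the quickest check that step 5 did what you intended.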