Networking

This page gives an overview of networking for Memorystore for Redis.

Memorystore uses VPC peering to connect your VPC network with the internal Google services network. Memorystore for Redis provides different peering architectures and networking features depending on what connection mode you choose when creating an instance.

The option to select a connection mode has been introduced to support advanced networking options in Google Cloud like Shared VPC architectures and better IP management, while ensuring support for Memorystore's existing peering architecture.

Memorystore for Redis supports two connection modes, DIRECT_PEERING and PRIVATE_SERVICE_ACCESS.

Regardless of the connection mode, Memorystore for Redis always uses internal IP addresses to provision Redis instances.

Connection modes

Memorystore for Redis provides two connection modes that support different functionalities:

  • Direct peering
  • Private services access

To view the networking connection mode for an existing instance, run the following command, replacing instance-id and region with appropriate values:

gcloud redis instances describe instance-id --region=region

The connectMode value in the output displays either DIRECT_PEERING or PRIVATE_SERVICE_ACCESS.

For instructions on how to choose the connect mode during instance creation, see Creating a Redis instance with a Shared VPC network in a service project or Creating a Redis instance with a centralized IP address range.

Direct peering

When using the direct peering mode, Memorystore creates a VPC peering between the customer VPC network and the VPC network in the Google managed project. The peering is created automatically during instance creation and requires no additional steps from the user. Other Google Cloud services do not share the peering. Memorystore for Redis used the direct peering connection mode before the availability of the private services access connection mode.

By default, new instances are created using the direct peering connection mode. Any existing scripts without the connection mode specified use the direct peering mode by default.

Private services access

Private services access is another way to create a peering between your VPC network and the Google services network.

Establishing a private services access connection for a VPC network creates a peering between that VPC network and the Google services network. Once the connection is established, you can create your instance using the private services access connection mode.

Using private services access enables you to use the following capabilities for your Redis instance:

  • Provision a Memorystore for Redis instance in a service project using Shared VPC.
  • Centrally manage IP address ranges across multiple Google services.
  • Connect from external sources to your VPC network over a VPN tunnel or Cloud Interconnect to your VPC network.

Currently you can only create instances with the private services access connection mode using the gcloud command-line tool.

One of the added benefits of private services access is that the same network peering is shared across multiple Google services, thereby limiting the number of peerings created by Google services.

Choosing a connection mode

The table below outlines the different use cases and connection modes you should use.

Scenario                                                           Supported connection mode
Provision a Redis instance with a Shared VPC network               Private services access only
Access a Redis instance from on-premises networks using VPN        Private services access only
Use centralized IP range management for multiple Google services   Private services access only
Provision a Redis instance using a dedicated VPC network           Private services access (recommended) or direct peering

Switching connection modes of existing instances

You cannot switch the connection mode of an existing instance. To switch the connection mode you have to recreate the instance using the new connection mode. This results in a change in the IP address of the instance.

For example, if you have an existing instance that was created before the private services access connection mode was available, the connection mode property for that instance is set to direct peering. If you recreate the instance using the private services access connection mode, the IP address of the instance changes.

Also, Memorystore for Redis supports having Redis instances using private services access, and instances using direct peering, in the same project and in the same network.

On-premises access with private services access

You can connect from a client in an on-premises network if the on-premises network is connected to the VPC network to which your Memorystore for Redis instance is connected. To permit connections from an on-premises network, do the following:

  1. Ensure your Shared VPC network is connected to your on-premises network using Cloud VPN or Cloud Interconnect.
  2. Identify the peering produced by the private services access connection. The peering used by Memorystore for Redis is named servicenetworking-googleapis-com.
  3. Update the peering connection to exchange custom routes by setting both the --import-custom-routes and --export-custom-routes flags.
  4. Identify the allocated range used by the private services access connection.
  5. Create a Cloud Router custom route advertisement for the allocated range on the Cloud Routers managing BGP sessions for your Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).
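The following Python script is an added example (not part of this documentation or of the gcloud tool) that checks steps 2 through 4 of the procedure above from the JSON that `gcloud compute networks describe NETWORK --format=json` and `gcloud compute addresses list --filter=purpose=VPC_PEERING --format=json` produce. The network name, range names and flag values in the embedded samples are constructed for illustration.

```python
"""Pre-flight check for on-premises access to a Memorystore for Redis instance:
the servicenetworking-googleapis-com peering must be ACTIVE and must both
import and export custom routes, and the allocated private services access
range must be known so it can be advertised from Cloud Router."""
import json

PEERING_NAME = "servicenetworking-googleapis-com"
# Compute API peering field -> gcloud flag that turns it on.
ROUTE_FLAGS = {
    "importCustomRoutes": "--import-custom-routes",
    "exportCustomRoutes": "--export-custom-routes",
}

# Constructed sample: output of `gcloud compute networks describe shared-vpc --format=json`.
NETWORK_JSON = json.dumps({
    "name": "shared-vpc",
    "peerings": [
        {"name": PEERING_NAME, "state": "ACTIVE",
         "importCustomRoutes": True, "exportCustomRoutes": False},
    ],
})

# Constructed sample: output of `gcloud compute addresses list --filter=purpose=VPC_PEERING --format=json`.
ADDRESSES_JSON = json.dumps([
    {"name": "google-managed-services-shared-vpc", "address": "10.20.0.0",
     "prefixLength": 16, "purpose": "VPC_PEERING"},
    {"name": "reserved-for-something-else", "address": "10.99.0.0",
     "prefixLength": 24, "purpose": "GCE_ENDPOINT"},
])


def check_peering(network_json):
    """Return a list of problems found with the private services access peering
    (empty list means the peering is ready for custom route exchange)."""
    net = json.loads(network_json)
    peer = next((p for p in net.get("peerings", []) if p.get("name") == PEERING_NAME), None)
    if peer is None:
        return [f"peering {PEERING_NAME} not found; establish private services access first"]
    problems = []
    if peer.get("state") != "ACTIVE":
        problems.append(f"peering state is {peer.get('state')}, expected ACTIVE")
    for field, flag in ROUTE_FLAGS.items():
        if not peer.get(field):
            problems.append(f"{field} is off; update the peering with {flag}")
    return problems


def allocated_ranges(addresses_json):
    """CIDR blocks allocated for private services access, i.e. the ranges that
    Cloud Router must advertise to on-premises routers (purpose VPC_PEERING only)."""
    return [f"{a['address']}/{a['prefixLength']}"
            for a in json.loads(addresses_json) if a.get("purpose") == "VPC_PEERING"]


if __name__ == "__main__":
    print(check_peering(NETWORK_JSON) or "peering OK")
    print("advertise from Cloud Router:", allocated_ranges(ADDRESSES_JSON))
```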

Setting a custom IP range

There are two ways to designate a custom IP range with Memorystore for Redis:

  • Private services access method

    • Use this method if your Redis instance uses the PRIVATE_SERVICE_ACCESS connect mode
  • Direct peering method

    • Use this method if your Redis instance uses the DIRECT_PEERING connect mode

IP address ranges are expressed using CIDR notation.

Custom IP range with private services access connect mode

You can use both the Cloud Console and the gcloud tool to designate a custom range. For instructions on allocating a range, see Creating allocated IP address ranges.

Custom IP range with direct peering

If your instance uses the DIRECT_PEERING connection mode you can only designate a custom IP address range for Memorystore for Redis by using the --reserved-ip-range gcloud parameter with the gcloud redis instances create command. You cannot modify the reserved range after instance creation or add a reserved range to an existing Redis instance.

Here is an example of an acceptable value for this parameter:

--reserved-ip-range=10.0.0.0/29
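Because the reserved range cannot be changed after creation, it is worth validating the value before running `gcloud redis instances create`. The Python function below is an added example (not part of this documentation or of gcloud) that checks that the value is a well-formed CIDR block, falls within an RFC 1918 range as this page requires, and does not overlap ranges already in use; the list of in-use ranges is constructed sample data that you would replace with the ranges from your own VPC.

```python
"""Validate a candidate value for --reserved-ip-range (direct peering mode)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: subnets and allocated ranges already present in the VPC.
IN_USE = ["10.0.1.0/24", "10.20.0.0/16", "192.168.1.0/24"]


def validate_reserved_range(cidr, in_use=IN_USE):
    """Return None if cidr is acceptable, otherwise a string explaining why not."""
    try:
        # strict=True rejects values with host bits set, e.g. 10.0.0.3/29.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"not a valid CIDR block: {exc}"
    # IPv6 cannot be RFC 1918; check the version first so subnet_of never mixes families.
    if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
        return f"{net} is not an RFC 1918 range"
    for used in in_use:
        used_net = ipaddress.ip_network(used)
        if net.overlaps(used_net):
            return f"{net} overlaps {used_net}, which is already in use"
    return None


if __name__ == "__main__":
    for candidate in ("10.0.0.0/29", "10.20.5.0/29", "11.0.0.0/29", "10.1.0.3/29"):
        print(candidate, "->", validate_reserved_range(candidate) or "OK")
```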

Communicating networking requirements

Usually the networking team and/or network admin for your organization is responsible for setting up a private services access connection. This allows the networking team to ensure that no IP addresses or ranges used for other Google Cloud resources overlap, which can cause connectivity issues.

We recommend that you contact the network/security team in your organization to set up the private services access connection for you, especially if you encounter an error during the setup process. When reaching out to your networking team, send them the following information:

The Memorystore for Redis instance cannot be created due to the following
error:

"Google private services access is not enabled. Enable privates service access
and try again."

Before an instance can be created, a private service access connection needs to
be established for network <project name: network>. Please refer to the
following Memorystore documentation links for more information on how to create
this connection:

* Networking.
* Establishing a private services access connection.
* Verifying a private services access connection.

Required permissions to establish a private services access connection

In order to manage a private services access connection, the user must have the following IAM permissions. If you do not have the required permissions, you can get insufficient-permissions errors. For a list of common networking errors, see Networking error scenarios.

UI permissions

Permissions required to list local and host project networks in the UI:
  • compute.networks.list
    • Needed in both the local and host projects.
Permission required to check the private services access connection in the UI:
  • compute.networks.list
    • Needed in both the local and host projects.
Permission required to create a private services access connection in the UI:
  • serviceusage.services.enable
    • Needed to enable the Service Networking API.
  • compute.addresses.create
  • compute.addresses.list
  • servicenetworking.services.addPeering

gcloud permissions

gcloud permissions required to check the private services access connection:
  • compute.networks.list
    • Needed in both the local and host projects.
gcloud permissions required to create a private services access connection:
  • serviceusage.services.enable
    • Needed to enable the Service Networking API.
  • compute.addresses.create
  • compute.addresses.list
  • servicenetworking.services.addPeering

Supported networks and client IP ranges

Memorystore for Redis currently only supports RFC 1918 addresses for Redis instances and incoming client connections.

Supported networks