This page gives an overview of networking for Memorystore for Redis.
Memorystore uses VPC peering to connect your VPC network with the internal Google services network. Memorystore for Redis provides different peering architectures and networking features depending on what connection mode you choose when creating an instance.
The option to select a connection mode has been introduced to support advanced networking options in Google Cloud like Shared VPC architectures and better IP management, while ensuring support for Memorystore's existing peering architecture.
Memorystore for Redis supports two connection modes, `DIRECT_PEERING` and `PRIVATE_SERVICE_ACCESS`.
Regardless of the connection mode, Memorystore for Redis always uses internal IP addresses to provision Redis instances.
Connection modes
Memorystore for Redis provides two connection modes that support different functionalities:
- Direct peering
- Private services access
To view the networking connection mode for an existing instance, run the following command, replacing the variables with appropriate values:
gcloud redis instances describe instance-id --region=region
The `connectMode` value displays either `DIRECT_PEERING` or `PRIVATE_SERVICE_ACCESS`.
For instructions on how to choose the connect mode during instance creation, see Creating a Redis instance with a Shared VPC network in a service project or Creating a Redis instance with a centralized IP address range.
Direct peering
When using the direct peering mode, Memorystore creates a VPC peering between the customer VPC network and the VPC network in the Google managed project. The peering is created automatically during instance creation and requires no additional steps from the user. Other Google Cloud services do not share the peering. Memorystore for Redis used the direct peering connection mode before the availability of the private services access connection mode.
By default, new instances are created using the direct peering connection mode. Any existing scripts without the connection mode specified use the direct peering mode by default.
Private services access
Private services access is another way to create a peering between your VPC network and the Google services network.
Establishing a private services access connection for a VPC network creates a peering between that VPC network and the Google services network. Once the connection is established, you can create your instance using the private services access connection mode.
Using private services access enables you to use the following capabilities for your Redis instance:
- Provision a Memorystore for Redis instance in a service project using Shared VPC.
- Centrally manage IP address ranges across multiple Google services.
- Connect from external sources to your VPC network over a VPN tunnel or Cloud Interconnect.
Currently you can only create instances with the private services access connection mode using the gcloud command-line tool.
One of the added benefits of private services access is that the same network peering is shared across multiple Google services, thereby limiting the number of peerings created by Google services.
Choosing a connection mode
The table below outlines the different use cases and the connection mode you should use for each.
Scenario | Supported connection mode
---|---
Provision a Redis instance with a Shared VPC network | Private services access only
Access a Redis instance from on-premises networks using VPN | Private services access only
Use centralized IP range management for multiple Google services | Private services access only
Provision a Redis instance using a dedicated VPC network | Private services access (recommended) or direct peering
Switching connection modes of existing instances
You cannot switch the connection mode of an existing instance. To switch the connection mode you have to recreate the instance using the new connection mode. This results in a change in the IP address of the instance.
For example, if you have an existing instance that was created before the private services access connection mode was available, the connection mode property for that instance is set to direct peering. If you recreate the instance using the private services access connection mode, the IP address of the instance changes.
Also, Memorystore for Redis supports having Redis instances using private services access, and instances using direct peering, in the same project and in the same network.
On-premises access with private services access
You can connect from a client in an on-premises network if the on-premises network is connected to the VPC network to which your Memorystore for Redis instance is connected. To permit connections from an on-premises network, do the following:
- Ensure your Shared VPC network is connected to your on-premises network using one of the following options:
  - a Cloud VPN tunnel
  - a VLAN attachment for Dedicated Interconnect or Partner Interconnect
- Identify the peering produced by the private services access connection. The peering used by Memorystore for Redis is named `servicenetworking-googleapis-com`.
- Update the peering connection to exchange custom routes by setting both the `--import-custom-routes` and `--export-custom-routes` flags.
- Identify the allocated range used by the private services access connection.
- Create a Cloud Router custom route advertisement for the allocated range on the Cloud Routers managing BGP sessions for your Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).
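The procedure above as a script, added here as an example and not part of the Memorystore documentation. PROJECT, NETWORK, ROUTER, BGP_PEER and REGION are placeholders for your own resources, and the peering name and flags are the ones named in the steps above; the address filter and the sample range are assumptions.

```shell
#!/bin/sh
# Added example (not from the Memorystore docs): the on-premises access steps
# as a script. PROJECT, NETWORK, ROUTER, BGP_PEER and REGION are placeholders.
# With DRY_RUN=1 (the default here) each gcloud command is printed, not run.
: "${PROJECT:=example-host-project}"
: "${NETWORK:=shared-vpc}"
: "${ROUTER:=onprem-router}"
: "${BGP_PEER:=onprem-bgp-peer}"
: "${REGION:=us-central1}"
: "${DRY_RUN:=1}"
# Name of the peering that private services access creates (from the page).
PEERING="servicenetworking-googleapis-com"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: confirm the private services access peering exists on the network.
find_peering() {
  run gcloud compute networks peerings list --project="$PROJECT" \
    --network="$NETWORK" --filter="name=$PEERING" --format="value(name)"
}

# Step 3: exchange custom routes over the peering so on-prem prefixes learned
# via BGP reach the Memorystore side and the allocated range can be exported.
enable_custom_routes() {
  run gcloud compute networks peerings update "$PEERING" --project="$PROJECT" \
    --network="$NETWORK" --import-custom-routes --export-custom-routes
}

# Step 4: list the allocated range(s) that back the private services connection.
allocated_ranges() {
  run gcloud compute addresses list --project="$PROJECT" --global \
    --filter="purpose=VPC_PEERING AND network~$NETWORK" \
    --format="value(address,prefixLength)"
}

# Step 5: advertise one allocated range (CIDR) to on-prem from the Cloud Router
# BGP peer. The peer must already use custom advertisement mode.
advertise_range() {
  run gcloud compute routers update-bgp-peer "$ROUTER" --project="$PROJECT" \
    --region="$REGION" --peer-name="$BGP_PEER" --add-advertisement-ranges="$1"
}

# Run the whole sequence; the default range argument is a constructed sample.
main() {
  find_peering && enable_custom_routes && allocated_ranges \
    && advertise_range "${1:-10.10.0.0/24}"
}
main "$@"
```

Run with `DRY_RUN=0 NETWORK=... ROUTER=... BGP_PEER=... ./script.sh 10.10.0.0/24` once the printed commands look right, using the allocated range that step 4 reports.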
Setting a custom IP range
There are two ways to designate a custom IP range with Memorystore for Redis:
- Private services access method: use this method if your Redis instance uses the `PRIVATE_SERVICE_ACCESS` connect mode.
- Direct peering method: use this method if your Redis instance uses the `DIRECT_PEERING` connect mode.
IP address ranges are expressed using CIDR notation.
Custom IP range with private services access connect mode
You can use both the Cloud Console and the gcloud tool to designate a custom range. For instructions on allocating a range, see Creating allocated IP address ranges.
Custom IP range with direct peering
If your instance uses the `DIRECT_PEERING` connection mode, you can only designate a custom IP address range for Memorystore for Redis by using the `--reserved-ip-range` parameter of the `gcloud redis instances create` command. You cannot modify the reserved range after instance creation or add a reserved range to an existing Redis instance.
Here is an example of an acceptable value for this parameter:
--reserved-ip-range=10.0.0.0/29
Communicating networking requirements
Usually the networking team and/or network admin for your organization is responsible for setting up a private services access connection. This allows the networking team to ensure that no IP addresses or ranges used for other Google Cloud resources overlap, which can cause connectivity issues.
We recommend that you contact the network or security team in your organization to set up the private services access connection for you, especially if you encounter an error during the setup process. When reaching out to your networking team, send them the following information:
The Memorystore for Redis instance cannot be created due to the following error: "Google private services access is not enabled. Enable private services access and try again." Before an instance can be created, a private services access connection needs to be established for network <project name: network>. Please refer to the following Memorystore documentation links for more information on how to create this connection:
- Networking
- Establishing a private services access connection
- Verifying a private services access connection
Required permissions to establish a private services access connection
To manage a private services access connection, the user needs the following IAM permissions. If you do not have the required permissions, you can get insufficient-permissions errors. For a list of common networking errors, see Networking error scenarios.
UI permissions
Permissions required to list local and host project networks in the UI:
- compute.networks.list: needed in both the local and host projects.
Permission required to check the private services access connection in the UI:
- compute.networks.list: needed in both the local and host projects.
Permissions required to create a private services access connection in the UI:
- serviceusage.services.enable: needed to enable the Service Networking API.
- compute.addresses.create
- compute.addresses.list
- servicenetworking.services.addPeering
gcloud permissions
gcloud permission required to check the private services access connection:
- compute.networks.list: needed in both the local and host projects.
gcloud permissions required to create a private services access connection:
- serviceusage.services.enable: needed to enable the Service Networking API.
- compute.addresses.create
- compute.addresses.list
- servicenetworking.services.addPeering
Supported networks and client IP ranges
The following networks and instances with RFC 1918 IP addresses are supported:
- VPC networks, except legacy networks
- Shared VPC networks
- on-premises systems
- Compute Engine VM instances, except for 172.17.0.0/16, because this IP range is reserved for internal components
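A pre-flight check for a direct peering `--reserved-ip-range` value, added here as an example and not part of the Memorystore documentation. It applies the rules this page states for the reserved range and for supported client ranges (CIDR notation, RFC 1918 addresses only, 172.17.0.0/16 excluded, no overlap with ranges already in use); the /29 size check follows the page's example value, and the existing ranges passed as extra arguments are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Memorystore docs): validates a candidate
# --reserved-ip-range value against the rules stated on this page. The
# existing ranges passed as extra arguments are constructed sample values.
# Dotted-quad IPv4 address to an integer; fails silently on malformed input.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as an integer) for a prefix length 0..32; 4294967295 is 0xFFFFFFFF.
mask_of() { echo $(( $1 == 0 ? 0 : (4294967295 << (32 - $1)) & 4294967295 )); }

# overlaps A/P B/Q: succeeds when the two CIDR blocks share any address.
overlaps() {
  a=$(ip_to_int "${1%/*}") || return 1
  b=$(ip_to_int "${2%/*}") || return 1
  p=${1#*/}; q=${2#*/}
  m=$(mask_of $(( p < q ? p : q )))   # compare under the shorter prefix
  [ $(( a & m )) -eq $(( b & m )) ]
}

# check_reserved_range CIDR [EXISTING_CIDR ...]: prints a verdict, exit 0 if usable.
check_reserved_range() {
  cidr=$1; shift
  case $cidr in */*) ;; *) echo "not CIDR notation: $cidr"; return 1;; esac
  ip=${cidr%/*}; prefix=${cidr#*/}
  case $prefix in ''|*[!0-9]*) echo "bad prefix length: $cidr"; return 1;; esac
  [ "$prefix" -le 32 ] && ip_to_int "$ip" >/dev/null \
    || { echo "malformed address: $cidr"; return 1; }
  # Direct peering reserved ranges are /29 blocks, as in the page's example value.
  [ "$prefix" -eq 29 ] || { echo "direct peering needs a /29 block: $cidr"; return 1; }
  # Only RFC 1918 addresses are supported.
  overlaps "$cidr" 10.0.0.0/8 || overlaps "$cidr" 172.16.0.0/12 \
    || overlaps "$cidr" 192.168.0.0/16 || { echo "not RFC 1918: $cidr"; return 1; }
  # 172.17.0.0/16 is reserved for internal components.
  overlaps "$cidr" 172.17.0.0/16 && { echo "inside reserved 172.17.0.0/16: $cidr"; return 1; }
  # Overlap with ranges already in use causes connectivity issues.
  for existing in "$@"; do
    overlaps "$cidr" "$existing" && { echo "overlaps $existing: $cidr"; return 1; }
  done
  echo "ok: $cidr"
}
```

Call it as `check_reserved_range 10.0.0.0/29 10.1.0.0/24 192.168.1.0/24`, listing the ranges your network team already uses, before running `gcloud redis instances create`.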