Create and run Connectivity Tests

Learn how to run Connectivity Tests by following the steps on this page.

To edit or delete one or more tests, see Update or delete tests.

To learn about Connectivity Tests, see the overview.

Before you begin

Before you can use Connectivity Tests, set up the following items in Google Cloud:

In the Google Cloud console, go to the project selector page.

Go to the project selector

Select or create a Google Cloud project.
Ensure that billing is enabled for your Google Cloud project.
Install the Google Cloud CLI, which is part of the Google Cloud CLI. To install the latest version of the gcloud CLI, see the gcloud CLI documentation.

For a list of all commands, see the gcloud command reference.
Enable the Network Management API. Enabling the API provides you with the following:
- Example API calls that use the Network Management API
  
  You can test Network Management API commands by using the API Explorer. In the Network Management API reference document, use the Try this API column to explore API fields and run a test.
- Sample code that uses the API Python client
  
  The example code assumes that you have constructed a resource named api to interact with the Network Management API. To construct a resource, use the build function. See the following example:
```
from googleapiclient.discovery import build
api = build('networkmanagement', 'v1')
```
  For more information about the API Python client, see the following:
  - Google API Client Library for Python Docs in GitHub, which includes installation and authentication instructions.
  - The Network Management API reference documentation for the API Python client.
Obtain the permissions that you need to run and view tests. For details, see Assign access.

Run Connectivity Tests

When you run a Connectivity Test, you provide test inputs as a 5-tuple without the source port.

The following sections show you how to run a test for source and destination endpoints described in Common use cases.

From the Google Cloud console, you can run Connectivity Tests by using either of the following:

The Connectivity Tests page, which is available from the Networking > Network Intelligence Center menu.
The Network interface details page for a network interface of a Compute Engine virtual machine (VM) instance. If you use this page, you must use the current network interface as either the Source or Destination of the test. This page only lists tests relevant to the current network interface.

Each test that you create runs immediately after you create it and is stored in the Connectivity Tests resource. A test exists until you delete it.

To check the status of a test operation while the operation runs, see Check a running test operation. Some examples of test operations are create and rerun.

When you use an IP address for the source or destination endpoint, you might need to specify additional fields.

Best practices

When you test an endpoint (a VM or IP address) located in a Shared VPC service project, it's more convenient to run the test from the service project. This is because you can select the VM or IP address from the drop-down box in the Google Cloud console.

However, you still must specify the host project before specifying the Virtual Private Cloud (VPC) network, because the network is in the host project. For details, see Test IP addresses in a Shared VPC network.
When running a test between your VPC network and your peer or on-premises network, it can help to run another Connectivity Test by using the on-premises IP address as the source, and a VM instance or IP address in your VPC network as the destination.

This type of test verifies that Google Cloud is advertising routes as expected to your on-premises network. However, Connectivity Tests doesn't verify that your on-premises network has received and implemented those routes.
It takes between 20 and 120 seconds for Connectivity Tests to receive a configuration update and incorporate it into analysis. If you run a test immediately after making a configuration change, you might not see the results that you expect. Make sure that you wait long enough between making the configuration change and running your tests.

This delay does not apply to live data plane analysis. Therefore, you might see a temporary mismatch between the results shown by live data plane analysis and configuration analysis. For example, if you add a firewall rule, it might be reachable for live data plane analysis. However, you might have to wait for some time before the firewall rule is reachable for configuration analysis.

Test to or from a VM with multiple network interfaces

This section describes how to test to or from a VM's non-primary network interface.

Console

If you specify a VM instance with multiple network interfaces as the source or destination of a test, Connectivity Tests prompts you to select a network interface from a list.

Alternatively, you can run a test from the Network interface details page for a network interface of a Compute Engine VM instance. If you use this page, you must use the current network interface as either the Source or Destination of the test.

gcloud and API

You must specify the network interface to use for the test in one of the following ways:

IP address and network URI
IP address and VM URI
Network URI and VM URI

Providing only the URI for a VM with multiple interfaces selects only the VM's primary interface.

List all tests for a project

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
At the top of the page, in the drop-down project menu, select a project.
The Connectivity Tests page refreshes and shows you the tests for that project.

gcloud

To list all tests owned by a project, enter the following gcloud command. This command shows tests in the currently selected project.

  gcloud network-management connectivity-tests list

To list tests in a specific project, specify the PROJECT_ID.

  gcloud network-management connectivity-tests list --project=PROJECT_ID

API

To list all existing tests owned by a project, use the networkmanagement.connectivitytests.list method.

GET https://networkmanagement.googleapis.com/v1/{parent=projects/PROJECT_ID/locations/global}/connectivityTests

Replace PROJECT_ID with the project ID of the project that contains the tests that you want to list.

Python

The following example code lists all existing tests owned by a project. For more information, see list in the API Python client reference documentation.

project_id = "PROJECT_ID"
parent = 'projects/%s/locations/global' % project_id
request = api.projects().locations().global_().connectivityTests().list(parent=parent)

print(json.dumps(request.execute(), indent=4))

Replace PROJECT_ID with the project ID of the project that contains the tests that you want to list.

Test between VM instances in a VPC network

These steps assume that both VM instances are in the same Google Cloud project.

Console

From the main Connectivity Tests page

In the Google Cloud console, go to the Connectivity Tests page.

Go to Connectivity Tests

The remaining steps appear automatically in the Google Cloud console.
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select VM instance.
2. In the Source VM instance menu, select the specific source VM instance.
3. In the Source network interface menu, select the network interface.
  
  If the VM instance has multiple network interfaces, select a VM network interface that uniquely identifies the source location.
4. Optional: Select the Source IP address from the list. The default is the IP address of the source VM instance.
For Destination, do the following:
1. In the Destination endpoint menu, select VM instance.
2. In the Destination VM instance menu, select the specific destination VM instance.
3. In the Destination network interface menu, select the network interface.
  
  If the VM instance has multiple network interfaces, select a VM network interface to identify the destination location uniquely.
4. Optional: Select the Destination IP address from the list. The default is the IP address of the destination VM instance.

Note: For a dual-stack instance, the source and the destination IP address must be of the same type. For example, you cannot test from a VM with an IPv4 address to a VM with an IPv6 address.

In the Destination port field, enter a destination port.
Click Create.

After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

From the Network interface details page

In the Google Cloud console, go to the VM instances page.
Go to VM instances
If it is not already selected, select the project that contains the instance for which you want to run a test.
Click the instance that you want to use to run a test.
For Network interfaces, select the network interface that you want to use to run a test.

If the VM instance has multiple network interfaces, select a VM network interface to uniquely identify the destination location.
For Network analysis, click Create Connectivity Test, and do the following:
1. In the Test name field, enter a name for the test.
2. In the Protocol list, select a protocol.
3. For Source, you can select either Current network interface or Other.
  
  If you select Current network interface, do the following:
  1. In the Destination endpoint menu, select VM instance.
  2. In the Destination VM instance menu, select the instance.
  3. In the Destination network interface menu, select the network interface.
  4. Optional: Select the Destination IP address from the list. The
    default is the IP address of the destination VM instance.
  If you select Other, do the following:
  1. In the Source endpoint menu, select VM instance.
  2. In the Source VM instance menu, select the instance.
  3. In the Source network interface menu, select the network interface.
  4. Optional: Select the Source IP address from the list. The default is the IP address of the source VM instance.
4. In the Destination port field, enter a destination port for your specified destination.
5. Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-instance=SOURCE_INSTANCE \
    --source-ip-address=SOURCE_IP_ADDRESS \
    --destination-instance=DESTINATION_INSTANCE \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Terraform

You can use a Terraform resource to create a test between two VM instances in a VPC network.

network_connectivity/network_connectivity_center/network_management_connectivity_test_instances/main.tf

View on GitHub Feedback

resource "google_network_management_connectivity_test" "instance_test" {
  name = "conn-test-instances"
  source {
    instance = google_compute_instance.source.id
  }

  destination {
    instance = google_compute_instance.destination.id
    port     = "80"
  }

  protocol = "TCP"
}

resource "google_compute_instance" "source" {
  name         = "source-vm"
  machine_type = "e2-medium"

  boot_disk {
    initialize_params {
      image = data.google_compute_image.debian_9.id
    }
  }

  network_interface {
    network = "default"
    access_config {
    }
  }
}

resource "google_compute_instance" "destination" {
  name         = "dest-vm"
  machine_type = "e2-medium"

  boot_disk {
    initialize_params {
      image = data.google_compute_image.debian_9.id
    }
  }

  network_interface {
    network = "default"
    access_config {
    }
  }
}

data "google_compute_image" "debian_9" {
  family  = "debian-11"
  project = "debian-cloud"
}

API

The following sample test determines if the existing network configuration allows VM instance1to ping VM instance2.

Use the networkmanagement.connectivitytests.create method.

 POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
   {
     "source": {
       "instance": "SOURCE_INSTANCE",
       "ipAddress": "SOURCE_IP_ADDRESS",
     },
     "destination": {
       "instance": "DESTINATION_INSTANCE",
       "ipAddress": "DESTINATION_IP_ADDRESS",
     },
     "protocol": "PROTOCOL",
   }'

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Python

The following example code creates a test between two VM instances. For more information, see create in the API Python client reference documentation.

test_input = {
  "source": {
      "instance":
          "SOURCE_INSTANCE",
      "ipAddress": 
          "SOURCE_IP_ADDRESS",
      "projectId":
          "SOURCE_INSTANCE_PROJECT_ID"
  },
  "destination": {
      "instance":
          "DESTINATION_INSTANCE",
      "ipAddress": 
          "DESTINATION_IP_ADDRESS",
      "projectId":
          "DESTINATION_INSTANCE_PROJECT_ID"
  },
  "protocol":
      "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
    parent="projects/PROJECT_ID/locations/global",
    testId="TEST_ID",
    body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
SOURCE_INSTANCE_PROJECT_ID: the project ID of the source VM
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
DESTINATION_INSTANCE_PROJECT_ID: the project ID of the destination VM
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

Test between private IP addresses in a VPC network

This example assumes that both IP addresses are private IP addresses in the same Google Cloud project and in the same VPC network.

If you are testing between peered VPC networks, select the source and destination networks for each peer.

Console

In the Google Cloud console, go to the Connectivity Tests page.

Go to Connectivity Tests
The remaining steps will appear automatically in the Google Cloud console.
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint list, select IP address.
2. In the Source IP address field, enter the source IP address.
3. If the VPC network of the source IP address is in the current project, clear the This is an IP address used in Google Cloud checkbox.
  
  If the VPC network is in another project, in the Source IP address or service project field, select the project where the network is located.
  
  If the IP address is outside of the RFC 1918 address space, select the I confirm that the source endpoint resides in a range outside of the RFC 1918 address space checkbox. Then, in the Source network list, select the network that contains the source IP address.
For Destination, do the following:
1. In the Destination endpoint list, select IP address.
2. In the Destination IP address field, enter the destination IP address.
3. If the VPC network of the destination IP address is in the current project, clear the This is an IP address used in Google Cloud checkbox.
  
  If the VPC network is in another project, in the Destination IP address or service project field, select the project where the network is located.
  
  If the IP address is outside of the RFC 1918 address space, select the I confirm that the destination endpoint resides in a range outside of the RFC 1918 address space checkbox. Then, in the Destination network list, select the network that contains the destination IP address.
In the Destination port field, enter a valid destination port number. The number must be between 0 and 65535, inclusive.
Click Create.

After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Replace variables for the command options with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-ip-address=SOURCE_IP_ADDRESS \
    --source-network=SOURCE_NETWORK \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --destination-network=DESTINATION_NETWORK \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK: the URI for the VPC network where the source IP address is located—for example, projects/myproject/global/networks/default
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
DESTINATION_NETWORK: the URI for the VPC network where the destination IP address is located—for example, projects/myproject/global/networks/network-a
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols; the default is port 80
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

If the network is unknown, or you don't have permission to access the network, you can specify the network as GCP_NETWORK, instead of providing a network URI.

You do not have to confirm whether your IP address is in Google Cloud or whether the source and destination endpoints are outside the RFC 1918 address space. These parameters are automatically selected based on your source and destination IP addresses.

gcloud network-management connectivity-tests create NAME \
    --source-ip-address=SOURCE_IP_ADDRESS \
    [--source-network-type=GCP_NETWORK] \
    --destination-instance=DESTINATION_INSTANCE  \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK_TYPE: the type of network where the source is located; in this case, use a value of GCP_NETWORK
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols; the default is port 80
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

When you specify a private IP address from outside of Google Cloud as the source IP address, you must specify a networkType of NON_GCP_NETWORK. Replace the values in the following command with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-ip-address=SOURCE_IP_ADDRESS \
    --source-network-type=NON_GCP_NETWORK \
    --destination-ip-address= DESTINATION_IP_ADDRESS \
    --destination-network=DESTINATION_NETWORK \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK_TYPE: the type of network where the source is located; in this case, use a value of NON_GCP_NETWORK
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
DESTINATION_NETWORK: a URI for the VPC network where the destination IP address is located—for example, projects/myproject/global/networks/default
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Terraform

You can use a Terraform resource to create a test between two IP addresses in a VPC network.

network_connectivity/network_connectivity_center/network_management_connectivity_test_addresses/main.tf

View on GitHub Feedback

resource "google_network_management_connectivity_test" "default" {
  name = "conn-test-addr"
  source {
    ip_address   = google_compute_address.source_addr.address
    project_id   = google_compute_address.source_addr.project
    network      = google_compute_network.default.id
    network_type = "GCP_NETWORK"
  }

  destination {
    ip_address = google_compute_address.dest_addr.address
    project_id = google_compute_address.dest_addr.project
    network    = google_compute_network.default.id
    port       = "80"
  }

  protocol = "UDP"
}

resource "google_compute_network" "default" {
  name                    = "connectivity-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "default" {
  name          = "connectivity-vpc-subnet"
  ip_cidr_range = "10.0.0.0/8"
  region        = "us-central1"
  network       = google_compute_network.default.id
}

resource "google_compute_firewall" "default" {
  name    = "allow-incoming-all"
  network = google_compute_network.default.name

  allow {
    protocol = "all"
  }

  source_ranges = ["0.0.0.0/0"]
}

resource "google_compute_address" "source_addr" {
  name         = "src-addr"
  subnetwork   = google_compute_subnetwork.default.id
  address_type = "INTERNAL"
  address      = "10.0.0.42"
  region       = "us-central1"
}

resource "google_compute_address" "dest_addr" {
  name         = "dest-addr"
  subnetwork   = google_compute_subnetwork.default.id
  address_type = "INTERNAL"
  address      = "10.0.0.43"
  region       = "us-central1"
}

resource "google_compute_instance" "source" {
  name         = "source-vm1"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = data.google_compute_image.default.id
    }
  }

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id
    network_ip = "10.0.0.42"
    access_config {
    }
  }
}

resource "google_compute_instance" "destination" {
  name         = "dest-vm1"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = data.google_compute_image.default.id
    }
  }

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id
    network_ip = "10.0.0.43"
    access_config {
    }
  }
}

data "google_compute_image" "default" {
  family  = "debian-11"
  project = "debian-cloud"
}

API

This example tests the ability to ping from the source IP address to the destination IP address.

Use the networkmanagement.connectivitytests.create method.

  POST https://reachability.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
  {
    "source": {
      "ipAddress": "SOURCE_IP_ADDRESS",
      "network": "SOURCE_NETWORK"
    },
    "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "network": "DESTINATION_NETWORK",
      "port": "DESTINATION_PORT",
    },
      "protocol": "PROTOCOL".
  }'

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK: the URI for the VPC network where the source IP address is located—for example, projects/myproject/global/networks/default
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
DESTINATION_NETWORK: a URI for the VPC network where the destination IP address is located—for example, projects/myproject/global/networks/network-a
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

If the VPC network is unknown, or you don't have permission to access the network, you can specify the network as GCP_NETWORK, instead of providing a network URI.

  POST https://reachability.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?connectivityTestId=TEST_ID'
  {
    "source": {
      "ipAddress": "SOURCE_IP_ADDRESS",
      "networkType": "GCP_NETWORK"
    },
    "destination": {
      "instance": "DESTINATION_INSTANCE",
      "ipAddress": "DESTINATION_IP_ADDRESS"
    },
    "protocol": "PROTOCOL"
  }'

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK_TYPE: the type of network where the source is located; in this case, use a value of GCP_NETWORK
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

  POST https://reachability.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
  {
    "source": {
      "ipAddress": "SOURCE_IP_ADDRESS",
      "networkType": "NON_GCP_NETWORK",

    },
    "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "network": "DESTINATION_NETWORK",
      "port": "DESTINATION_PORT",
    },
    "protocol": "PROTOCOL",
  }'

Python

The following example code creates a test between two IP addresses. For more information, see create in the API Python client reference documentation.

test_input = {
  "source": {
      "ipAddress": "SOURCE_IP_ADDRESS",
      "projectId": "SOURCE_IP_PROJECT_ID"
  },
  "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "port": "DESTINATION_PORT",
      "projectId": "DESTINATION_IP_PROJECT_ID"
  },
  "protocol": "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
    parent="projects/PROJECT_ID/locations/global",
    testId="TEST_ID",
    body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_IP_PROJECT_ID: the project ID for the source IP address
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
DESTINATION_IP_PROJECT_ID: the project ID for the destination IP address
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

If the VPC network is unknown, or you don't have permission to access the network, you can specify the network as GCP_NETWORK, instead of providing a network URI.

The following example creates a test between two IP addresses:

test_input = {
    "source": {
        "ipAddress": "SOURCE_IP_ADDRESS",
        "networkType": "GCP_NETWORK"
    },
    "destination": {
        "ipAddress": "DESTINATION_IP_ADDRESS",
        "port": "DESTINATION_PORT",
        "projectId": "DESTINATION_IP_PROJECT_ID"
    },
    "protocol": "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
  parent="projects/PROJECT_ID/locations/global",
  testId="TEST_ID",
  body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK_TYPE: the type of network where the source is located; in this case, use a value of GCP_NETWORK
DESTINATION_IP_ADDRESS: the IP address of the destination VM
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
DESTINATION_IP_PROJECT_ID: the project ID for the destination IP address
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

When you specify a private IP address from outside of Google Cloud as the source IP address, you must specify a networkType of NON_GCP_NETWORK.

Test IP addresses in a Shared VPC network

When you have a Shared VPC network, you can create and run a test from the host project or from the service project.

The following example shows both cases and uses a destination IP address allocated in the service project. The field values in the Google Cloud console are slightly different for each case. However, the command options for the Google Cloud CLI and for API calls are the same.

Console: from host

In the Google Cloud console, from the host project, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select IP address.
2. Enter the Source IP address.
3. Select the This is an IP address used in Google Cloud checkbox.
4. If this is an internal IP address that is not accessible from the internet, select the VPC network where the address is located.
5. If your private IP address is outside of the RFC 1918 address space, select the checkbox labeled I confirm that the source endpoint resides in a range outside of the RFC 1918 address space, and then select the destination network that contains the IP address.
For Destination, do the following:
1. In the Destination endpoint menu, select IP address.
2. Enter the Destination IP address.
3. Select the This is an IP address used in Google Cloud checkbox.
4. If this is an internal IP address that is not accessible from the internet, select the VPC network where the address is located.
5. If your private IP address is outside of the RFC 1918 address space, select the checkbox labeled I confirm that the source endpoint resides in a range outside of the RFC 1918 address space, and then select the destination network that contains the IP address.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

Console: from service

In the Google Cloud console, from the service project, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select IP address.
2. Enter the Source IP address.
3. Select the This is an IP address used in Google Cloud checkbox.
4. If this is an internal IP address that is not accessible from the internet, select the VPC network where the address is located.
For Destination, do the following:
1. In the Destination endpoint menu, select IP address.
2. Enter the Destination IP address.
3. Select the This is an IP address used in Google Cloud checkbox.
4. Specify the Destination IP address or service project where the IP address is located.
5. If your private IP address is outside of the RFC 1918 address space, select the checkbox labeled I confirm that the source endpoint resides in a range outside of the RFC 1918 address space, and then select the destination network that contains the IP address.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Enter the following command to test between two private IP addresses in a host and in a service project where the destination IP address is located in the service project. Replace variables for the command options with values from your VPC network.

Because the destination IP address is in the service project, specify the service project and the network URI of the host project. In this case, default represents the default VPC network for the host-project.

gcloud network-management connectivity-tests create NAME \
    --source-ip-address=SOURCE_IP_ADDRESS \
    --source-project=SOURCE_PROJECT \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --destination-network=DESTINATION_NETWORK  \
    --destination-project=DESTINATION_PROJECT \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_PROJECT: the project ID of the source endpoint
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to in the service project
DESTINATION_NETWORK: a URI for the VPC network for the host project—for example, projects/host-project/global/networks/default
DESTINATION_PROJECT: the project ID of the destination endpoint—for example, a project called service-project that represents the service project used for this Shared VPC network
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

API

Use the networkmanagement.connectivitytests.create method.

  POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
    {
      "source": {
        "ipAddress": "SOURCE_IP_ADDRESS",
        "projectId": "SOURCE_PROJECT",
      },
      "destination": {
        "ipAddress": "DESTINATION_IP_ADDRESS",
        "projectId": "DESTINATION_PROJECT",
        "network": "DESTINATION_NETWORK",
        "port": "DESTINATION_PORT",
      },
      "protocol": "PROTOCOL",
    }'

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_PROJECT: the project ID of the source endpoint
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to in the service project
DESTINATION_PROJECT: the project ID of the destination endpoint—for example, a project called service-project that represents the service project used for this Shared VPC network
DESTINATION_NETWORK: a URI for the VPC network for the host project—for example, projects/host-project/global/networks/default
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Python

The following example code creates a test between two IP addresses. For more information, see create in the API Python client reference documentation.

test_input = {
  "source": {
      "ipAddress": "SOURCE_IP_ADDRESS",
      "projectId": "SOURCE_IP_PROJECT_ID"
  },
  "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "projectId": "DESTINATION_IP_PROJECT_ID",
      "network": "DESTINATION_NETWORK",
      "port": "DESTINATION_PORT",
  },
  "protocol": "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
    parent="projects/PROJECT_ID/locations/global",
    testId="TEST_ID",
    body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_IP_PROJECT_ID: the project ID of the source endpoint
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to in the service project
DESTINATION_IP_PROJECT_ID: the project ID of the destination endpoint—for example, a project called service-project that represents the service project used for this Shared VPC network
DESTINATION_NETWORK: a URI for the VPC network for the host project—for example, projects/host-project/global/networks/default
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

Test from a VM to a Google-managed service

This section describes how to test from a VM in your VPC network to a service that runs in a Google-owned VPC network. For example, you can follow the steps in this section to test connectivity to a Cloud SQL instance or a GKE control plane (master). You can also run a test by using a Google-managed service endpoint as the source and an endpoint in your VPC network as the destination.

By default, Connectivity Tests attempts to run a test by using the private IP address of the Google-managed service endpoint. If the endpoint does not have a private IP address, Connectivity Tests uses the public IP address. Connectivity Tests analyzes whether the packet can reach the endpoint, which includes analyzing the configuration within the Google-owned VPC network. If configuration issues are detected within your project, the analysis stops before analyzing the Google-owned network configuration.

To test from a VM to a Google-managed service, see the following instructions.

Console

From the main Connectivity Tests page

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select VM instance.
2. In the Source VM instance menu, select the specific source VM instance.
3. In the Source network interface menu, select the network interface.
  
  If the VM instance has multiple network interfaces, select a VM network interface that uniquely identifies the source location.
4. Optional: Select the Source IP address from the list. The default is the IP address of the source VM instance.
For Destination, select a type of Google-managed service resource from the Destination endpoint list, such as GKE cluster control plane.
Use the additional list to the right to select the specific endpoint. For example, if you selected GKE cluster control plane, select the cluster for which you want to test connectivity to the GKE control plane.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

From the Network interface details page

In the Google Cloud console, go to the VM instances page.
Go to VM instances
If it is not already selected, select the project that contains the instance for which you want to run a test.
Click the instance that you want to use to run a test.
For Network interfaces, select the network interface that you want to use to run a test.
For Network analysis, click Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, select Current network interface.
For Destination, select a type of Google-managed service resource from the Destination endpoint list, such as GKE cluster control plane.
Use the additional list to the right to select the specific endpoint. For example, if you selected GKE cluster control plane, select the cluster for which you want to test connectivity to the GKE control plane.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Replace the variables for the command options according to the following guidance:

gcloud network-management connectivity-tests create NAME \
    --source-instance=SOURCE_INSTANCE \
    --source-ip-address=SOURCE_IP_ADDRESS \
      DESTINATION_RESOURCE_FLAG=DESTINATION_ENDPOINT \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
DESTINATION_RESOURCE_FLAG: the flag that specifies the type of Google-managed service resource

For available options, see the following:
- --destination-gke-master-cluster
- --destination-cloud-sql-instance
For more information, see the gcloud network-management connectivity-tests create reference.
DESTINATION_ENDPOINT: the URI for the destination endpoint—for example, projects/myproject/locations/us-central1/clusters/cluster-1 for the flag --destination-gke-master-cluster
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

API

Use the networkmanagement.connectivitytests.create method.

 POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
   {
     "source": {
       "instance": "SOURCE_INSTANCE",
       "ipAddress": "SOURCE_IP_ADDRESS",
     },
     "destination": {
       "DESTINATION_RESOURCE_FIELD": "DESTINATION_ENDPOINT",
       "port": DESTINATION_PORT
     },
     "protocol": "PROTOCOL",
   }'

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
DESTINATION_RESOURCE_FIELD: the field that specifies the type of Google-managed service resource

For available options, see the following:
- gkeMasterCluster
- cloudSqlInstance
For more information, see the Endpoint reference.
DESTINATION_ENDPOINT: the URI for the destination endpoint—for example, projects/myproject/locations/us-central1/clusters/cluster-1 for the field gkeMasterCluster
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Python

The following example code creates a test between a VM instance and a Google-managed service endpoint. For more information, see create in the API Python client reference documentation.

test_input = {
  "source": {
      "instance":
          "SOURCE_INSTANCE",
      "ipAddress": 
          "SOURCE_IP_ADDRESS",    
      "projectId":
          "SOURCE_INSTANCE_PROJECT_ID"
  },
  "destination": {
      "DESTINATION_RESOURCE_FIELD":
          "DESTINATION_ENDPOINT",
      "port":
          "DESTINATION_PORT"
  },
  "protocol":
      "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
    parent="projects/PROJECT_ID/locations/global",
    testId="TEST_ID",
    body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
SOURCE_INSTANCE_PROJECT_ID: the project ID of the source VM
DESTINATION_RESOURCE_FIELD: the field that specifies the type of Google-managed service resource

For available options, see the following:
- gkeMasterCluster
- cloudSqlInstance
For more information, see the Endpoint reference.
DESTINATION_ENDPOINT: the URI for the destination endpoint—for example, projects/myproject/locations/us-central1/clusters/cluster-1 for the field gkeMasterCluster
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

Test from a VM or an IP address to Private Service Connect endpoints or backends

This section describes how to test from a VM or an IP address to a Private Service Connect endpoint or backend.

For example, you can follow the steps in this section to test if a packet could be delivered to a published service that uses Private Service Connect. Connectivity Tests analyzes whether a packet can reach the endpoint or backend, which includes analyzing connected endpoints, backends, published services, and the proxy connection. The analysis ends early if the connection to a published service that uses Private Service Connect is not accepted.

You can test connectivity to the following:

Test from a VM to a Private Service Connect endpoint or backend

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select VM instance.
2. In the Source VM instance menu, select the specific source VM instance.
3. In the Source network interface menu, select the network interface.
  
  If the VM instance has multiple network interfaces, select a VM network interface that uniquely identifies the source location.
4. Optional: Select the Source IP address from the list. The default is the IP address of the source VM instance.
For Destination, select IP address, and then enter the IP address of the endpoint or backend that you want to test.
1. If the IP address is used in Google Cloud, select the This is an IP address used in Google Cloud checkbox.
2. Select the project that contains the IP address that you entered.
3. If your internal IP address is outside of the RFC 1918 address space, select the checkbox labeled I confirm that the source endpoint resides in a range outside of the RFC 1918 address space.
4. Select the destination network that contains the IP address.
Note: If your destination is a backend, provide the virtual IP address (VIP) of the HTTP(S) load balancer. To access Google APIs, provide an internal VIP and select the destination network. To access managed services, provide an external VIP. You can get the VIP address by using the Google Cloud CLI, the Google Cloud console, or the REST API. For more information, see Interfaces.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-instance=SOURCE_INSTANCE \
    --source-ip-address=SOURCE_IP_ADDRESS \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --destination-network=DESTINATION_NETWORK \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
DESTINATION_IP_ADDRESS: the IP address of the endpoint or backend that you want to test
DESTINATION_NETWORK: a URI for the VPC network where the destination IP address is located—for example,projects/myproject/global/networks/default
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

If the endpoint or backend is used to access published services, you must specify the DESTINATION_NETWORK because the endpoint or backend has an internal IP address.

API

The following sample test determines if the existing network configuration allows VM instance1 to ping the IP address of thePrivate Service Connect endpoint or backend.

Use the networkmanagement.connectivitytests.create method.

 POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
   {
     "source": {
       "instance": "SOURCE_INSTANCE",
       "ipAddress": "SOURCE_IP_ADDRESS",
     },
    "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "network": "DESTINATION_NETWORK",
      "port": "DESTINATION_PORT",
     },
     "protocol": "PROTOCOL",
   }'

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
DESTINATION_IP_ADDRESS: the IP address of the endpoint or backend that you want to test
DESTINATION_NETWORK: a URI for the VPC network where the destination IP address is located—for example,projects/myproject/global/networks/default
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

If the endpoint or backend is used to access published services, you must specify the DESTINATION_NETWORK because the endpoint or backend has an internal IP address.

Python

The following example code creates a test between a VM instance and an endpoint or backend. For more information, see create in the API Python client reference documentation.

test_input = {
  "source": {
      "instance":
          "SOURCE_INSTANCE",
      "ipAddress": 
          "SOURCE_IP_ADDRESS",
      "projectId":
          "SOURCE_INSTANCE_PROJECT_ID"
  },
  "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "network": "DESTINATION_NETWORK",
      "port": "DESTINATION_PORT",
  },
  "protocol":
      "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
    parent="projects/PROJECT_ID/locations/global",
    testId="TEST_ID",
    body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
SOURCE_INSTANCE_PROJECT_ID: the project ID of the source VM
DESTINATION_IP_ADDRESS: the IP address of the endpoint or backend that you want to test
DESTINATION_NETWORK: a URI for the VPC network where the destination IP address is located—for example,projects/myproject/global/networks/default
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

If the endpoint or backend is used to access published services, you must specify the DESTINATION_NETWORK because the endpoint or backend has an internal IP address.

Test from an external IP address to a Private Service Connect endpoint or backend

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, select IP address, and then enter an external IP address.
For Destination, select IP address, and then enter the IP address of the endpoint or backend that you want to test.
1. If the IP address used in Google Cloud, select the This is an IP address used in Google Cloud checkbox.
2. Select the project that contains the IP address that you entered.
3. If your internal IP address is outside of the RFC 1918 address space, select I confirm that the source endpoint resides in a range outside of the RFC 1918 address space.
4. Select the destination network that contains the IP address.
Note: If your destination is a backend, provide the virtual IP address (VIP) of the HTTP(S) load balancer. To access Google APIs, provide an internal VIP and select the destination network. To access managed services, provide an external VIP. You can get the VIP address by using the Google Cloud CLI, the Google Cloud console, or the REST API. For more information, see Interfaces.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

When you specify an external IP address from outside of Google Cloud as the source IP address, you must specify a networkType of NON_GCP_NETWORK. Replace the values in the following command with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-ip-address=SOURCE_IP_ADDRESS \
    --source-network-type=NON_GCP_NETWORK \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --destination-network=DESTINATION_NETWORK \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_IP_ADDRESS: the IP source IP address that you are testing from
SOURCE_NETWORK_TYPE: the type of network where the source is located; in this case, use a value of NON_GCP_NETWORK
DESTINATION_IP_ADDRESS: the IP address of the endpoint or backend that you want to test
DESTINATION_NETWORK: a URI for the VPC network where the destination IP address is located—for example,projects/myproject/global/networks/default
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

If the endpoint or backend is used to access managed services or services in another VPC network, you must specify the DESTINATION_NETWORK because the endpoint or backend has an internal IP address.

API

This example tests the ability to ping from the source IP address to an endpoint or backend.

Use the networkmanagement.connectivitytests.create method.

  POST https://reachability.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
  {
    "source": {
      "ipAddress": "SOURCE_IP_ADDRESS",
      "networkType": "NON_GCP_NETWORK",
    },
    "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "network": "DESTINATION_NETWORK",
      "port": "DESTINATION_PORT",
    },
    "protocol": "PROTOCOL",
  }'

Replace the following values:

SOURCE_IP_ADDRESS: the source IP address that you are testing from
DESTINATION_IP_ADDRESS: the IP address of the endpoint or backend that you want to test
DESTINATION_NETWORK: a URI for the VPC network where the destination IP address is located—for example, projects/myproject/global/networks/network-a
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

If the endpoint or backend is used to access published services, you must specify the DESTINATION_NETWORK because the endpoint or backend has an internal IP address.

Python

The following example code creates a test between an IP address to an endpoint or backend. For more information, see create in the API Python client reference documentation.

When you specify a private IP address from outside of Google Cloud as the source IP address, you must specify a networkType of NON_GCP_NETWORK.

test_input = {
    "source": {
        "ipAddress": "SOURCE_IP_ADDRESS",
        "networkType": "NON_GCP_NETWORK"
    },
    "destination": {
        "ipAddress": "DESTINATION_IP_ADDRESS",
        "network": "DESTINATION_NETWORK",
        "port": "DESTINATION_PORT",
        "projectId": "DESTINATION_IP_PROJECT_ID"
    },
    "protocol": "PROTOCOL",
}

  request = api.projects().locations().global_().connectivityTests().create(
  parent="projects/PROJECT_ID/locations/global",
  testId="TEST_ID",
  body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK_TYPE: the type of network where the source is located; in this case, use a value of NON_GCP_NETWORK
DESTINATION_IP_ADDRESS: the IP address of the endpoint or backend that you want to test
DESTINATION_NETWORK: a URI for the VPC network where the destination IP address is located—for example, projects/myproject/global/networks/network-a
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
DESTINATION_IP_PROJECT_ID: the project ID for the destination IP address
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

If the endpoint or backend is used to access published services, you must specify the DESTINATION_NETWORK because the endpoint or backend has an internal IP address.

You do not have to confirm whether your IP address is in Google Cloud or whether the source and destination endpoints or endpoints are outside the RFC 1918 address space. These parameters are automatically selected based on your source and destination IP addresses.

Test from an App Engine standard environment version to a destination

This section describes how to test connectivity from an App Engine standard environment version to a VM instance, an IP address, or a Google-managed service.

An App Engine standard environment app is made up of a single application resource that consists of one or more services. Within each service, you deploy versions of that service. You can test reachability from a version of an App Engine standard environment service to a VM instance, an IP address, or a Google-managed service.

To see a detailed configuration analysis, you must configure your service to use a Serverless VPC Access connector. A Connectivity Test result might be different for each version of the service. You can only test reachability for test packets that use the UDP or the TCP protocol.

Test connectivity from a version of an App Engine standard environment service to a VM instance

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
Enter a name for the test.
Select a protocol.
In the Source endpoint menu, select App Engine.
1. In the App Engine service menu, select the specific App Engine standard environment service from which you want to test connectivity. For example, select helloworld-service.
  1. If the source endpoint is in a project other than the current project, select the Endpoint is in a project other than "PROJECT_NAME" checkbox.
  2. Select a project where the endpoint exists.
2. In the App Engine version menu, select a version of the App Engine standard environment service from which you want to test connectivity.
For Destination, select a Destination VM instance from the list.

If the VM instance has multiple network interfaces, select a VM network interface to uniquely identify the destination location.
Optional: Select the Destination IP address from the list. The
default is the IP address of the destination VM instance.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-app-engine-version=APP_ENGINE_VERSION \
    --destination-instance=DESTINATION_INSTANCE \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
APP_ENGINE_VERSION: the URI for the source App Engine standard environment version—for example, apps/myproject/services/service-name/versions/version-name
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

API

Use the networkmanagement.connectivitytests.create method.

  POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
  {
    "source": {
      "appEngineVersion": {
        "uri": "APP_ENGINE_VERSION",
        },
    },
    "destination": {
      "instance": "DESTINATION_INSTANCE",
      "ipAddress": "DESTINATION_IP_ADDRESS",
    },
    "protocol": "PROTOCOL",
  }'

Replace the following values:

PROJECT_ID: the project ID of the source Cloud Function
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
APP_ENGINE_VERSION: the URI for the source App Engine standard environment version—for example, apps/myproject/services/service-name/versions/version-name
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

Test connectivity from a version of an App Engine standard environment service to an IP address

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
Enter a name for the test.
Select a protocol.
In the Source endpoint menu, select an App Engine.
1. In the App Engine service menu, select the specific App Engine standard environment service from which you want to test connectivity. For example, select helloworld-service.
  1. If the source endpoint is in a project other than the current project, select the Endpoint is in a project other than "PROJECT_NAME" checkbox.
  2. Select a project where the endpoint exists.
2. In the App Engine version menu, select a version of the App Engine standard environment service from which you want to test connectivity.
For Destination, select IP address, and then enter an IP address.
Enter a destination port.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-app-engine-version=APP_ENGINE_VERSION \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
APP_ENGINE_VERSION: the URI for the source App Engine standard environment version—for example, apps/myproject/services/service-name/versions/version-name
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

API

Use the networkmanagement.connectivitytests.create method.

  POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
  {
    "source": {
      "appEngineVersion": {
        "uri": "APP_ENGINE_VERSION",
        },
    },
    "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
    },
    "protocol": "PROTOCOL",
  }'

Replace the following values:

PROJECT_ID: the project ID of the source Cloud Function
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
APP_ENGINE_VERSION: the URI for the source App Engine standard environment version—for example, apps/myproject/services/service-name/versions/version-name
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

Test connectivity from a version of an App Engine standard environment service to Google-managed service

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
Enter a name for the test.
Select a protocol.
In the Source endpoint menu, select an App Engine.
1. In the App Engine service menu, select the specific App Engine standard environment service from which you want to test connectivity. For example, select helloworld-service.
  1. If the source endpoint is in a project other than the current project, select the Endpoint is in a project other than "PROJECT_NAME" checkbox.
  2. Select a project where the endpoint exists.
2. In the App Engine version menu, select a version of the App Engine standard environment service from which you want to test connectivity.
For Destination, select a type of Google-managed service resource from the Destination endpoint list, such as GKE master cluster.
Use the additional list to the right to select the specific endpoint. For example, if you selected GKE master cluster, select the cluster for which you want to test connectivity to the GKE control plane.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-app-engine-version=APP_ENGINE_VERSION \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
      DESTINATION_RESOURCE_FLAG=DESTINATION_ENDPOINT \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
APP_ENGINE_VERSION: the URI for the source App Engine standard environment version—for example, apps/myproject/services/servicename/versions/version-number
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
DESTINATION_RESOURCE_FLAG: the flag that specifies the type of Google-managed service resource

For available options, see the following:
- --destination-gke-master-cluster
- --destination-cloud-sql-instance
For more information, see the gcloud network-management connectivity-tests create reference.
DESTINATION_ENDPOINT: the URI for the destination endpoint—for example, projects/myproject/locations/us-central1/clusters/cluster-1 for the flag --destination-gke-master-cluster
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols; the default is port 80
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

API

Use the networkmanagement.connectivitytests.create method.

  POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
  {
    "source": {
      "appEngineVersion": {
        "uri": "APP_ENGINE_VERSION",
        },
    },
    "destination": {
      "DESTINATION_RESOURCE_FIELD": "DESTINATION_ENDPOINT",
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "port": DESTINATION_PORT,
    },
    "protocol": "PROTOCOL",
  }'

Replace the following values:

PROJECT_ID: the project ID of the source Cloud Function
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
APP_ENGINE_VERSION: the URI for the source App Engine standard environment version—for example, apps/myproject/services/servicename/versions/version-number
DESTINATION_RESOURCE_FIELD: the field that specifies the type of Google-managed service resource

For available options, see the following:
- gkeMasterCluster
- cloudSqlInstance
For more information, see the Endpoint reference.
DESTINATION_ENDPOINT: the URI for the destination endpoint—for example, projects/myproject/locations/us-central1/clusters/cluster-1 for the field gkeMasterCluster
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols; the default is port 80
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Test from a Cloud Function to a destination

This section describes how to test connectivity from a Cloud Function that is deployed in a specific Google Cloud region to a VM instance, an IP address, or a Google-managed service. For example, you can follow the steps in this section to test connectivity from a Cloud Function that is deployed in us-central1 as the source to an endpoint in your VPC network as the destination.

To see a detailed configuration analysis, ensure that your Cloud Function is active and that you have configured a Serverless VPC Access connector for your Cloud Function.

Egress settings for Cloud Functions control the routing of outbound HTTP requests from a Cloud Function and control the traffic types routed through the connector to your VPC network. For more information, see Cloud Functions egress settings.

Test connectivity from a Cloud Function to a VM instance

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select Cloud Function 1st gen.
2. In the Cloud Function menu, select the specific Cloud Function from which you want to test connectivity. For example, select function-1.
3. In the Cloud Function location menu, select the Google Cloud region where you have deployed the Cloud Function. You can deploy Cloud Functions to multiple regions that have different configurations but have the same name.
For Destination, do the following:
1. In the Destination endpoint menu, select VM instance.
2. In the Destination VM instance menu, select a VM instance.
3. In the Destination network interface menu, select the network interface.
  
  If the VM instance has multiple network interfaces, select a VM network interface that uniquely identifies the destination location.
4. Optional: Select the Destination IP address from the list. The default is the IP address of the destination VM instance.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-cloud-function=SOURCE_CLOUD_FUNCTION \
    --destination-instance=DESTINATION_INSTANCE \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_CLOUD_FUNCTION: the URI of the Cloud Function—for example, projects/myproject/locations/us-central1/functions/function-1
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

API

Use the networkmanagement.connectivitytests.create method.

POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
{
  "source": {
    "cloudFunction": {
      "uri": "SOURCE_CLOUD_FUNCTION",
      },
  },
  "destination": {
    "instance": "DESTINATION_INSTANCE",
    "ipAddress": "DESTINATION_IP_ADDRESS",
  },
  "protocol": "PROTOCOL",
}'

Replace the following values:

PROJECT_ID: the project ID of the source Cloud Function
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_CLOUD_FUNCTION: the URI of the Cloud Function—for example, projects/myproject/locations/us-central1/functions/function-1
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Test connectivity from a Cloud Function to an IP address

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select Cloud Function 1st gen.
2. In the Cloud Function menu, select the specific Cloud Function from which you want to test connectivity. For example, select function-1.
3. In the Cloud Function location menu, select the Google Cloud region where you have deployed the Cloud Function. You can deploy Cloud Functions to multiple regions that have different configurations but have the same name.
For Destination, select IP address, and then enter an IP address.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to the View test results section later on this page.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-cloud-function=SOURCE_CLOUD_FUNCTION \
    --destination-ip-address==DESTINATION_IP_ADDRESS \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_CLOUD_FUNCTION: the URI of the Cloud Function—for example, projects/myproject/locations/us-central1/functions/function-1
DESTINATION_IP_ADDRESS: the destination IP address that you are testing to
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

API

Use the networkmanagement.connectivitytests.create method.

POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
{
  "source": {
    "cloudFunction": {
      "uri": "SOURCE_CLOUD_FUNCTION",
    },
  },
  "destination": {
    "ipAddress": "DESTINATION_IP_ADDRESS",
  },
  "protocol": "PROTOCOL",
}'

Replace the following values:

PROJECT_ID: the project ID of the source Cloud Function
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_CLOUD_FUNCTION: the URI of the Cloud Function—for example, projects/myproject/locations/us-central1/functions/function-1
DESTINATION_IP_ADDRESS: the destination IP address that you are testing to
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Test connectivity from a Cloud Function to a Google-managed service

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select Cloud Function 1st gen.
2. In the Cloud Function menu, select the specific Cloud Function from which you want to test connectivity. For example, select function-1.
3. In the Cloud Function location menu, select the Google Cloud region where you have deployed the Cloud Function. You can deploy Cloud Functions to multiple regions that have different configurations but have the same name.
For Destination, select a type of Google-managed service resource in the Destination endpoint menu, such as Cloud SQL instance.

Use the additional menu to the right to select the specific endpoint. For example, if you selected Cloud SQL instance, select the Cloud SQL instance from which you want to test connectivity.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to the View test results section later on this page.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-cloud-function=SOURCE_CLOUD_FUNCTION \
      DESTINATION_RESOURCE_FLAG=DESTINATION_ENDPOINT \
    --destination-ip-address=DESTINATION_IP_ADDRESS \  
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_CLOUD_FUNCTION: the URI of the Cloud Function—for example, projects/myproject/locations/us-central1/functions/function-1
DESTINATION_RESOURCE_FLAG: the flag that specifies the type of Google-managed service resource

For available options, see the following:
- --destination-gke-master-cluster
- --destination-cloud-sql-instance
For more information, see the gcloud network-management connectivity-tests create reference.
DESTINATION_ENDPOINT: the URI for the destination endpoint—for example, projects/myproject/locations/us-central1/clusters/cluster-1 for the flag --destination-gke-master-cluster
DESTINATION_IP_ADDRESS: the internal or external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols; the default is port 80
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Test from a Cloud Run revision to a destination

This section describes how to test connectivity from a Cloud Run revision to a VM instance, an IP address, or a Google-managed service.

You can deploy multiple Cloud Run services in a single project. Every Cloud Run service has an HTTPS endpoint on a unique subdomain of the *.run.app domain. Each deployment of the Cloud Run service creates a new immutable revision. You can test reachability from a revision to a VM instance, an IP address, or a Google-managed service. To see a detailed configuration analysis, you must configure a Serverless VPC Access connector for your revision. The Connectivity Tests results might be different for each revision.

For example, a Cloud Run service named cloud_run_test has a revision first-revision configured to use a Serverless VPC Access connector, and another revision second-revision that isn't configured to use a Serverless VPC Access connector. The overall reachability result might be reachable for first-revision but unreachable for second-revision.

When you create a Connectivity Test, you can select from a list of revisions for a Cloud Run service.

Test connectivity from a revision of a Cloud Run service to a VM instance

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
Enter a name for the test.
Select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select Cloud Run.
2. In the Cloud Run service menu, select the specific Cloud Run service from which you want to test connectivity. For example, select helloworld-run.
  1. If the source endpoint is in a project other than the current project, select the Endpoint is in a project other than "PROJECT_NAME" checkbox.
  2. Select a project where the endpoint exists.
3. In the Cloud Run revision menu, select a Cloud Run revision that you are testing from.
For Destination, do the following:
1. In the Destination endpoint menu, select VM instance.
2. In the Destination VM instance menu, select the specific destination VM instance.
3. In the Destination network interface menu, select the network interface.
  
  If the VM instance has multiple network interfaces, select a VM network interface to uniquely identify the destination location.
4. Optional: Select the Destination IP address from the list. The default is the IP address of the destination VM instance.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-cloud-run-revision=CLOUD_RUN_REVISION \
    --destination-instance=DESTINATION_INSTANCE \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
CLOUD_RUN_REVISION: the URI for the source Cloud Run revision—for example, projects/myproject/locations/us-central1/revisions/cloudrun-revision
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

API

Use the networkmanagement.connectivitytests.create method.

POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
{
  "source": {
    "cloudRunRevision": {
      "uri": "CLOUD_RUN_REVISION",
      },
  },
    "destination": {
      "instance": "DESTINATION_INSTANCE",
      "ipAddress": "DESTINATION_IP_ADDRESS"
      },
    "protocol": "PROTOCOL",
  }'

Replace the following values:

PROJECT_ID: the project ID of the source Cloud Function
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
CLOUD_RUN_REVISION: the URI for the source Cloud Run revision—for example, projects/myproject/locations/us-central1/revisions/cloudrun-revision
DESTINATION_INSTANCE: the URI for the destination VM—for example, projects/myproject/zones/us-east1-b/instances/instance-2
DESTINATION_IP_ADDRESS: the IP address of the destination VM instance that you are testing to; the IP address should be one of the IP addresses of the destination VM instance
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

Test connectivity from a revision of a Cloud Run service to an IP address

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
Enter a name for the test.
Select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select Cloud Run.
2. In the Cloud Run service menu, select the specific Cloud Run service from which you want to test connectivity. For example, select helloworld-run.
  1. If the source endpoint is in a project other than the current project, select the Endpoint is in a project other than "PROJECT_NAME" checkbox.
  2. Select a project where the endpoint exists.
3. In the Cloud Run revision menu, select a Cloud Run revision that you are testing from.
For Destination, select IP address, and then enter an IP address.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-cloud-run-revision=CLOUD_RUN_REVISION \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
CLOUD_RUN_REVISION: the URI for the source Cloud Run revision—for example, projects/myproject/locations/us-central1/revisions/cloudrun-revision
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

API

Use the networkmanagement.connectivitytests.create method.

POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
{
  "source": {
    "cloudRunRevision": {
      "uri": "CLOUD_RUN_REVISION",
      },
  },
    "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      },
    "protocol": "PROTOCOL",
  }'

Replace the following values:

PROJECT_ID: the project ID of the source Cloud Function
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
CLOUD_RUN_REVISION: the URI for the source Cloud Run revision—for example, projects/myproject/locations/us-central1/revisions/cloudrun-revision
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

Test connectivity from a revision of a Cloud Run service to a Google-managed service

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
Enter a name for the test.
Select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select Cloud Run.
2. In the Cloud Run service menu, select the specific Cloud Run service from which you want to test connectivity. For example, select helloworld-run.
  1. If the source endpoint is in a project other than the current project, select the Endpoint is in a project other than "PROJECT_NAME" checkbox.
  2. Select a project where the endpoint exists.
3. In the Cloud Run revision menu, select a Cloud Run revision that you are testing from.
For Destination, select a type of Google-managed service resource from the Destination endpoint list, such as GKE master cluster.
Use the additional list to the right to select the specific endpoint. For example, if you selected GKE master cluster, select the cluster for which you want to test connectivity to the GKE control plane.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Use the gcloud network-management connectivity-tests create command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-cloud-run-revision=CLOUD_RUN_REVISION \
      DESTINATION_RESOURCE_FLAG=DESTINATION_ENDPOINT \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
CLOUD_RUN_REVISION: the URI for the source Cloud Run revision—for example, projects/myproject/locations/us-central1/revisions/cloudrun-revision
PROJECT_NAME: the project name where the endpoint is located—for example, myproject
DESTINATION_RESOURCE_FLAG: the flag that specifies the type of Google-managed service resource

For available options, see the following:
- --destination-gke-master-cluster
- --destination-cloud-sql-instance
For more information, see the gcloud network-management connectivity-tests create reference.
DESTINATION_ENDPOINT: the URI for the destination endpoint—for example, projects/myproject/locations/us-central1/clusters/cluster-1 for the flag --destination-gke-master-cluster
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols; the default is port 80
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

API

Use the networkmanagement.connectivitytests.create method.

POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
{
  "source": {
    "cloudRunRevision": {
      "uri": "CLOUD_RUN_REVISION",
      },
  },
    "destination": {
      "DESTINATION_RESOURCE_FIELD": "DESTINATION_ENDPOINT",
      "port": DESTINATION_PORT,
    },
    "protocol": "PROTOCOL",
  }'

Replace the following values:

PROJECT_ID: the project ID of the source Cloud Function
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
CLOUD_RUN_REVISION: the URI for the source Cloud Run revision—for example, projects/myproject/locations/us-central1/revisions/cloudrun-revision
DESTINATION_RESOURCE_FIELD: the field that specifies the type of Google-managed service resource

For available options, see the following:
- gkeMasterCluster
- cloudSqlInstance
For more information, see the Endpoint reference.
DESTINATION_ENDPOINT: the URI for the destination endpoint—for example, projects/myproject/locations/us-central1/clusters/cluster-1 for the field gkeMasterCluster
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols; the default is port 80
PROTOCOL: the networking protocols supported by Serverless VPC Access connectors—TCP or UDP

Test from a VPC network to a non-Google Cloud network

To test from a VPC network to a non-Google Cloud network, follow these steps.

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, select IP address, and then enter an IP address.
1. Select the This is an IP address used in Google Cloud checkbox.
2. If this is an internal IP address, not accessible from the internet, select the VPC network where the address is located.
3. If your private IP address is outside of the RFC 1918 address space, check the box labeled I confirm that the source endpoint resides in a range outside of the RFC 1918 address space, and select the source network that contains the IP address.
For Destination, select IP address, and then enter an external IP address.
Clear This is an IP address used in Google Cloud.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

Enter the following command to test between an internal and external IP addresses. Replace variables for the command options with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-ip-address=SOURCE_IP_ADDRESS \
    --source-network=SOURCE_NETWORK \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK: the URI for the VPC network where the source IP address is located—for example, projects/myproject/global/networks/default
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

API

This example tests the ability to ping from the source IP address to the destination IP address.

Use the networkmanagement.connectivitytests.create method.

  POST https://reachability.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
  {
    "source": {
      "ipAddress": "SOURCE_IP_ADDRESS",
      "network": "SOURCE_NETWORK"
    },
    "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "port": "DESTINATION_PORT",
    },
      "protocol": "PROTOCOL".
  }'

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK: the URI for the VPC network where the source IP address is located—for example, projects/myproject/global/networks/default
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Python

The following example code creates a test between two IP addresses. For more information, see create in the API Python client reference documentation.

test_input = {
  "source": {
      "ipAddress": "SOURCE_IP_ADDRESS",
      "projectId": "SOURCE_IP_PROJECT_ID"
  },
  "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "port": "DESTINATION_PORT",
  },
  "protocol": "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
    parent="projects/PROJECT_ID/locations/global",
    testId="TEST_ID",
    body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_IP_PROJECT_ID: the project ID for the source IP address
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

The following example creates a test between two IP addresses:

test_input = {
    "source": {
        "ipAddress": "SOURCE_IP_ADDRESS",
        "networkType": "GCP_NETWORK"
    },
    "destination": {
        "ipAddress": "DESTINATION_IP_ADDRESS",
        "port": "DESTINATION_PORT",
    },
    "protocol": "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
  parent="projects/PROJECT_ID/locations/global",
  testId="TEST_ID",
  body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_IP_ADDRESS: the source IP address that you are testing from
SOURCE_NETWORK_TYPE: the type of network where the source is located; in this case, use a value of GCP_NETWORK
DESTINATION_IP_ADDRESS: the IP address of the destination VM
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

Test from a VM to a non-Google Cloud network

This test analyzes connectivity from the source VM to a Google network edge location.

Console

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select Create Connectivity Test.
In the Test name field, enter a name for the test.
In the Protocol list, select a protocol.
For Source, do the following:
1. In the Source endpoint menu, select VM instance.
2. In the Source VM instance menu, select the specific source VM instance.
3. In the Source network interface menu, select the network interface.
  
  If the VM instance has multiple network interfaces, select a VM network interface that uniquely identifies the source location.
4. Optional: Select the Source IP address from the list. The default is the IP address of the source VM instance.
For Destination, do the following:
1. In the Destination endpoint menu, select IP address.
2. Enter an external Destination IP address.
3. Clear the This is an IP address used in Google Cloud checkbox.
In the Destination port field, enter a destination port for your specified destination.
Click Create.
After the test finishes, the main Connectivity Tests page loads and shows a list that contains this test and other tests. Continue to View test results.

gcloud

To test between a VM and an external IP address, enter the following command. Replace the sample values with values from your VPC network.

gcloud network-management connectivity-tests create NAME \
    --source-instance=SOURCE_INSTANCE \
    --source-ip-address=SOURCE_IP_ADDRESS \
    --destination-ip-address=DESTINATION_IP_ADDRESS \
    --destination-port=DESTINATION_PORT \
    --protocol=PROTOCOL

Replace the following values:

NAME: the name of the Connectivity Test
SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

API

The following sample test determines if the existing network configuration allows VM instance1to ping the destination IP address.

Use the networkmanagement.connectivitytests.create method.

 POST https: //networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/connectivityTests?testId=TEST_ID'
   {
     "source": {
       "instance": "SOURCE_INSTANCE",
       "ipAddress": "SOURCE_IP_ADDRESS",
     },
    "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "port": "DESTINATION_PORT",
     },
     "protocol": "PROTOCOL",
   }'

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running
SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP

Python

The following example code creates a test between a VM instance and an external IP address. For more information, see create in the API Python client reference documentation.

test_input = {
  "source": {
      "instance":
          "SOURCE_INSTANCE",
      "ipAddress": 
          "SOURCE_IP_ADDRESS",    
      "projectId":
          "SOURCE_INSTANCE_PROJECT_ID"
  },
  "destination": {
      "ipAddress": "DESTINATION_IP_ADDRESS",
      "port": "DESTINATION_PORT",
  },
  "protocol":
      "PROTOCOL",
}

request = api.projects().locations().global_().connectivityTests().create(
    parent="projects/PROJECT_ID/locations/global",
    testId="TEST_ID",
    body=test_input)

print(json.dumps(request.execute(), indent=4))

Replace the following values:

SOURCE_INSTANCE: the URI for the source VM—for example, projects/myproject/zones/us-east1-b/instances/instance-1
SOURCE_IP_ADDRESS: the IP address of the source VM instance that you are testing from; the IP address should be one of the IP addresses of the source VM instance
SOURCE_INSTANCE_PROJECT_ID: the project ID of the source VM
DESTINATION_IP_ADDRESS: the external destination IP address that you are testing to
DESTINATION_PORT: the IP protocol port of the destination; this option is valid only for TCP or UDP protocols
PROTOCOL: a supported protocol for Connectivity Tests; the default protocol is TCP
PROJECT_ID: the project ID of the project in which you are creating the test
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

Test from a non-Google Cloud network to a VPC network

This procedure is the same as the Test between private IP addresses in a VPC network procedure except for the following steps. Use this procedure for the Google Cloud console, the Google Cloud CLI, API examples, and Python examples.

If the source address is not located in Google Cloud but is not from your peer (on-premises) network, specify an external IP address.
If the source address is from your peer (on-premises) network, you must select Other non-Google Cloud network.

Test from a non-Google Cloud network to a non-Google Cloud network

Specify external IP addresses for the source IP address and destination IP address.
In the Google Cloud console, leave the This is an IP address used in Google Cloud checkbox cleared.

View test results

This section describes how to view the results of a Connectivity Test.

Console

You can view a test from several different pages.

From the main Connectivity Tests page

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
In the Result details column, choose a test, and then click View.
The info panel for the test appears. You can view the overall result and the result cards for each Google Cloud resource in the testing path. You can click a link to the details page for some Google Cloud resources, such as VM instances or routes. If the test contains multiple traces, you can select a trace from the Trace result list.

If the test is eligible for live data plane analysis, you can view packet loss and latency metrics.
To expand or close a results card, click the arrow at the right of the card.
To interpret test results, see Configuration analysis states.
To close the info panel, at the top right of the page, click Hide info panel.

From the Connectivity Test details page

Alternatively, from the main Google Cloud console page, click the name of a test and view its results on the Connectivity Test details page.

From the Network interface details page

You can also view results from the Network interface details page for a network interface of a Compute Engine VM instance. This page only lists tests that use the current network interface as a source or destination.

To view results, you can select View in the Result details column or click the name of the test.

gcloud

To view the results of a test, enter the following command. Use the test ID that you want to view.

gcloud network-management connectivity-tests describe NAME

Replace NAME with the name of the Connectivity Test.

API

Use the networkmanagement.connectivitytests.get method to view the results of a test.

  GET https://networkmanagement.googleapis.com/v1/{name=projects/PROJECT_ID/locations/global/connectivityTests/TEST_ID

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

Python

The following example code prints the results of a test. For more information, see get in the API Python client reference documentation.

project_id = "PROJECT_ID"
test_id= "TEST_ID"
request = api.projects().locations().global_().connectivityTests().get(
      name='projects/%s/locations/global/connectivityTests/%s' %
      (project_id, test_id))

print(json.dumps(request.execute(), indent=4))

Replace the following values:

PROJECT_ID: the project ID of the project in which the test was created
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

Rerun one or more tests

You might want to rerun a Connectivity Test if you make configuration changes to the Google Cloud resources in the testing path and want to see results for the latest network configuration. You can rerun one or more tests at the same time.

A Connectivity Test is based on a snapshot of the network configuration at the time of execution. Rerunning a test overwrites the previous test results. If you want to preserve older results, create a new test instead.

To check the status of the rerun test operation while it's running, see Check a running test operation.

Console

From the main Connectivity Tests page

In the Google Cloud console, go to the Connectivity Tests page.
Go to Connectivity Tests
Select the checkbox to the left of one or more tests that you want to rerun.
At the top of the page, click Rerun .

From the Connectivity Test details page

From the preceding main Connectivity Tests page, click the name of a test.
At the top of the Connectivity Test details page, click Rerun .

From the Network interface details page

In the Google Cloud console, go to the VM instances page.
Go to VM instances
If it is not already selected, select the project that contains the instance for which you want to rerun a test.
Click the instance that you want to use to rerun a test.
For Network interfaces, select the network interface that you want to use to rerun a test.
For Network analysis, click Connectivity Tests.
Select the checkbox to the left of one or more tests that you want to rerun.
At the top of the list of tests, click Rerun .

gcloud

To rerun a Connectivity Test, enter the following command. Use the test ID that you want to rerun.

gcloud network-management connectivity-tests rerun NAME

Replace NAME with the name of the Connectivity Test.

API

When the Network Management API creates a connectivityTests resource, it retains that test resource until you delete it. Because of this, you can rerun tests.

If you don't want to create persistent tests, you can use the API to create a test and delete it after viewing the test result.

Use the networkmanagement.connectivitytests.rerun method to rerun a test.

  POST https://networkmanagement.googleapis.com/v1/{name=projects/*/locations/global/connectivityTests/*}:rerun
    {
      "name": {projects/PROJECT_ID/connectivityTests/{TEST_ID}
    }

Replace the following values:

PROJECT_ID: the project ID of the source VM
TEST_ID: the ID of the Connectivity Tests object (test) that you are running

Python

The following example code reruns a test. For more information, see rerun in the API Python client reference documentation.

project_id = "PROJECT_ID"
test_id = "TEST_ID"
request = api.projects().locations().global_().connectivityTests().rerun(name='projects/%s/locations/global/connectivityTests/%s' % (project_id, test_id))

print(json.dumps(request.execute(), indent=4))

Replace the following values:

PROJECT_ID: the project ID of the project in which the test was created
TEST_ID: the ID of the Connectivity Tests object (test) that you are running