This page describes how to set up private network access and route traffic within a Google Cloud network.
To set up private network access, configure the following projects:
- A Virtual Private Cloud (VPC) network project that contains the VPC network and the virtual machine (VM) instances.
- A Service Directory project that contains the namespace, service and endpoint. If this is a different project from the VPC network project, it can be a service project attached to the Shared VPC network of the VPC network project.
- A Google Cloud service project that contains the configuration which invokes private network access, for example a Dialogflow service configuration. If this is a separate project, configure it to invoke private network access.
These resources can all live in one project or be spread across several projects.
Before you begin
Before you configure private network access, complete the following steps:
- In the Google Cloud console, on the APIs & Services page, click Enable APIs and services to enable the APIs that you want to use, including the Service Directory API.
- To link your VPC network to on-premises hosts, create a Cloud VPN tunnel or a Cloud Interconnect connection.
- Create a Service Directory namespace and service.
- Connect the Service Directory instance to the VPC network that is directly connected to the Cloud Interconnect connection. For example, in a hub-and-spoke model, connect the Service Directory instance to the hub VPC network and not to the spoke VPC network.
Configure the network project
To configure a network project, follow these steps:
- Create a VPC network. If you want to use an existing VPC network, make sure that it uses auto mode or custom mode subnets. Legacy networks are not supported.
- If the target in your VPC network is a Compute Engine VM or an internal load balancer backend, create a VPC firewall rule that allows TCP ingress on the port your service listens on (443 or 80) from 35.199.192.0/19, the source range that Google uses for private network access traffic. That range is the only source you need to admit; don't open the port to 0.0.0.0/0.
- Grant the Identity and Access Management (IAM) Service Directory network access to the Google Cloud service project. The Google Cloud project must be within the VPC Service Controls perimeter of the Google Cloud service project and the Service Directory project for servicedirectory.googleapis.com. Learn more about VPC Service Controls.
Configure the Service Directory project
To configure a Service Directory project, follow these steps:
- In the VPC network, create a VM or an internal load balancer.
- Create a Service Directory service that points to the VM or the internal load balancer that you created in the VPC network.
- Grant the IAM Service Directory Network Attacher role (roles/servicedirectory.networkAttacher) to the Google Cloud service account. For more information about roles and permissions, see Service Directory permissions and roles.
Create an endpoint with private network access
Before you create the endpoint, in the Service Directory project, grant the Service Directory Editor role (roles/servicedirectory.editor) to the IAM principal that creates the Service Directory endpoint.
If the project that contains the VPC network is different from the project that contains the Service Directory resources, then in the VPC network project also grant the Service Directory Network Attacher role (roles/servicedirectory.networkAttacher) to that principal. The role's servicedirectory.networks.attach permission is checked against the project that owns the network, which is why the grant has to be made there and not in the Service Directory project.
To create an endpoint with private network access configured, follow these steps:
Console
- In the Google Cloud console, go to the Service Directory namespaces page.
- Click a namespace.
- Click a service.
- Click Add endpoint.
- For Endpoint name, enter a name for the endpoint.
- For IP address, enter an IPv4 address, such as 192.0.2.0. For private network access this is the internal IP address of the VM or internal load balancer that the endpoint represents.
- For Port, enter a port number, such as 443 or 80.
- To enable private network access, in Associated VPC network, select the required option:
  - To choose from a list of available networks, click Choose from the list, and then select the network.
  - To specify a project and a network, click Specify by a project and network name, and then enter the project number and the network name.
- Click Create.
gcloud
Use the gcloud service-directory endpoints create command with the project ID and the network path specified:

```sh
gcloud service-directory endpoints create ENDPOINT_NAME \
    --project=PROJECT_ID \
    --location=REGION \
    --namespace=NAMESPACE_NAME \
    --service=SERVICE_ID \
    --address=IP_ADDRESS \
    --port=PORT_NUMBER \
    --network=NETWORK_PATH
```

Replace the following:
- ENDPOINT_NAME: a name for the endpoint that you're creating in your service, such as my-endpoint
- PROJECT_ID: the ID of the Service Directory project
- REGION: the Google Cloud region that contains the namespace
- NAMESPACE_NAME: the name that you gave the namespace, such as my-namespace
- SERVICE_ID: the ID of the service
- IP_ADDRESS: the IP address of the endpoint, such as 192.0.2.0
- PORT_NUMBER: the port that the endpoint listens on, typically 443 or 80
- NETWORK_PATH: the URL of the network, such as projects/PROJECT_NUMBER/locations/global/networks/NETWORK_NAME. Use the project number of the project that owns the VPC network, not its project ID.
Configure the Google Cloud service project
Before you configure the project, in the Service Directory project, grant the following roles to the IAM principal that is associated with the Google Cloud service project:
- Private Service Connect Authorized Service role (roles/servicedirectory.pscAuthorizedService)
- Service Directory Viewer role (roles/servicedirectory.viewer)
To configure the Google Cloud service project, follow these steps:
- Enable the Google Cloud service API.
- Configure your Google Cloud service to use the Service Directory service that you created earlier.
- If you use VPC Service Controls, ensure that the VPC Service Controls perimeter allows Service Directory to access both the network project and the Service Directory project.
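The procedure in the three sections above, as an added example that is not from this page or from Google's own tooling: a POSIX shell script that runs the gcloud commands for the network project, the Service Directory project and the calling service's IAM grants. It handles both the single-project layout and the cross-project (Shared VPC) layout that the use cases below describe, and only prints the commands unless you set DRY_RUN=0. The project IDs, the project number 123456789012, the VM address 10.128.0.2, the network tag pna-target, the service agent and the endpoint creator are placeholder assumptions. The RFC 1918 guardrail, the --no-address VM and the target-tag scoping of the firewall rule are this script's own hardening rather than requirements stated on the page; the Network Attacher grant is made on the project that owns the network, which is where the page says to grant it in the cross-project case.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): set up Service Directory private
# network access with gcloud. Commands are printed, not run, unless DRY_RUN=0.
# Every ID, number and principal below is a placeholder assumption.
set -eu

: "${DRY_RUN:=1}"
NETWORK_PROJECT=${NETWORK_PROJECT:-my-vpc-project}            # owns the VPC network and the VM
NETWORK_PROJECT_NUMBER=${NETWORK_PROJECT_NUMBER:-123456789012} # --network needs the number, not the ID
SD_PROJECT=${SD_PROJECT:-my-sd-project}                        # owns namespace, service, endpoint
REGION=${REGION:-us-central1}
NETWORK=${NETWORK:-vpc-1}
NAMESPACE=${NAMESPACE:-namespace-1}
SERVICE=${SERVICE:-sd-1}
ENDPOINT=${ENDPOINT:-endpoint-1}
VM=${VM:-vm-1}
VM_INTERNAL_IP=${VM_INTERNAL_IP:-10.128.0.2}                   # internal address of the VM (assumed)
PORT=${PORT:-443}
# Service agent of the Google Cloud service that will call the endpoint (a Dialogflow agent is assumed).
SERVICE_AGENT=${SERVICE_AGENT:-serviceAccount:service-111111111111@gcp-sa-dialogflow.iam.gserviceaccount.com}
ENDPOINT_CREATOR=${ENDPOINT_CREATOR:-user:admin@example.com}   # principal that creates the endpoint
PNA_SOURCE_RANGE=35.199.192.0/19                               # Google's source range for private network access

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Guardrail: refuse endpoint addresses outside RFC 1918. Drop this if you use privately used public IPs.
is_private_ipv4() {
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# The endpoint's --network must be the full resource path built from the project number.
network_path() { printf 'projects/%s/locations/global/networks/%s' "$1" "$2"; }
valid_network_path() {
  printf '%s' "$1" | grep -Eq '^projects/[0-9]+/locations/global/networks/[a-z]([-a-z0-9]*[a-z0-9])?$'
}

setup() {
  net_path=$(network_path "$NETWORK_PROJECT_NUMBER" "$NETWORK")
  valid_network_path "$net_path" || { echo "invalid network path: $net_path" >&2; return 1; }
  is_private_ipv4 "$VM_INTERNAL_IP" || { echo "refusing non-private address $VM_INTERNAL_IP" >&2; return 1; }
  case $PORT in 80|443) ;; *) echo "warning: port $PORT is not 80 or 443" >&2 ;; esac

  # 1. Network project: auto-mode VPC, a VM with no external IP, and a firewall rule that admits
  #    only Google's private network access range on the one port. No 0.0.0.0/0 rule is needed.
  run gcloud compute networks create "$NETWORK" --project="$NETWORK_PROJECT" --subnet-mode=auto
  run gcloud compute instances create "$VM" --project="$NETWORK_PROJECT" --zone="$REGION-a" \
    --network="$NETWORK" --no-address --tags=pna-target \
    --image-family=debian-12 --image-project=debian-cloud
  run gcloud compute firewall-rules create "allow-pna-$PORT" --project="$NETWORK_PROJECT" \
    --network="$NETWORK" --direction=INGRESS --source-ranges="$PNA_SOURCE_RANGE" \
    --allow="tcp:$PORT" --target-tags=pna-target

  # 2. Network Attacher is evaluated against the project that owns the network: the calling
  #    service's agent needs it, and, when the projects differ, so does the endpoint creator.
  run gcloud projects add-iam-policy-binding "$NETWORK_PROJECT" \
    --member="$SERVICE_AGENT" --role=roles/servicedirectory.networkAttacher
  if [ "$NETWORK_PROJECT" != "$SD_PROJECT" ]; then
    run gcloud projects add-iam-policy-binding "$NETWORK_PROJECT" \
      --member="$ENDPOINT_CREATOR" --role=roles/servicedirectory.networkAttacher
  fi

  # 3. Service Directory project: namespace, service, and the endpoint bound to the VPC network.
  run gcloud service-directory namespaces create "$NAMESPACE" \
    --project="$SD_PROJECT" --location="$REGION"
  run gcloud service-directory services create "$SERVICE" \
    --project="$SD_PROJECT" --location="$REGION" --namespace="$NAMESPACE"
  run gcloud service-directory endpoints create "$ENDPOINT" \
    --project="$SD_PROJECT" --location="$REGION" --namespace="$NAMESPACE" --service="$SERVICE" \
    --address="$VM_INTERNAL_IP" --port="$PORT" --network="$net_path"

  # 4. Let the calling service resolve the service and use private network access.
  for role in roles/servicedirectory.viewer roles/servicedirectory.pscAuthorizedService; do
    run gcloud projects add-iam-policy-binding "$SD_PROJECT" --member="$SERVICE_AGENT" --role="$role"
  done
}

setup
```

Run it once with the defaults to review the plan, then with DRY_RUN=0 and your own values. The VM is created without an external IP because private network access reaches it over its internal address; installing the TLS certificate and starting the listener on the VM are separate steps. If your service agent already holds Network Attacher on a single-project setup, the second grant in step 2 is simply skipped because the two project IDs are equal.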
Use cases
This section provides example use cases for configuring private network access.
Call an HTTP endpoint when a VPC network, a VM, and Service Directory are in the same project
In this use case, you set up Dialogflow, a Google Cloud service for natural language processing, to call an HTTP endpoint on your VM without the traffic traversing the public internet.
In this use case, you create the following artifacts in the same project:
- A VPC network
- A VM
- A Service Directory service
- Dialogflow
Figure 1 shows how the Google Cloud service configuration of a project can egress to a VM in that project's VPC network.
Set up your network and target network
- Create a project, such as myproject.
- Create a VPC network, such as vpc-1. While creating the VPC network, in Subnet creation mode, select Automatic.
- Create a firewall rule, such as firewall-1. While creating the firewall rule, enter or select the following values:
  - For Network, select vpc-1.
  - For Source IPv4 ranges, enter 35.199.192.0/19.
  - For Protocols and ports, select TCP and enter 443 or 80.
- In the us-central1 region, create a VM, such as vm-1. While creating the VM, enter or select the following values:
  - For Networking > Network Interfaces, select vpc-1.
  - For Firewall, select Allow HTTP traffic. If you want to use HTTPS, select Allow HTTPS traffic, and install a TLS certificate from a public key infrastructure (PKI) whose CA the calling service trusts. Note that these two checkboxes create rules that admit tcp:80 or tcp:443 from 0.0.0.0/0 (network tags http-server and https-server); if the VM is reached only through private network access, firewall-1 already admits the 35.199.192.0/19 range and the checkboxes can be skipped.
- In the us-central1 region, create a namespace, such as namespace-1.
- In the namespace, register a Service Directory service, such as sd-1.
- Create an endpoint in sd-1. For the endpoint address, use the internal IP address of vm-1 on port 443. For more information, see Create an endpoint with private network access.
- Grant the following IAM roles to the Google Cloud service account:
  - Service Directory Viewer role (roles/servicedirectory.viewer)
  - Private Service Connect Authorized Service role (roles/servicedirectory.pscAuthorizedService)
- Optional: If you want to add more VMs, you can set up another VM, such as vm-2, and add its endpoint, such as endpoint-2.
Set up a Google Cloud product
- Configure a Google Cloud product, for example a Cloud Scheduler job that says "call me every minute".
- Set up an HTTP request.
- Specify that requests should go over private networking, for example through sd-1.
- Optional: Configure Certificate Authority Service settings.
The Google Cloud product can now invoke the HTTP request by using sd-1.
Call an HTTP endpoint when a Shared VPC network, a VM, and Service Directory are in different projects
In this use case, you set up Dialogflow, a Google Cloud service for natural language processing, to call an HTTP endpoint on your VM without the traffic traversing the public internet.
In this use case, you create the following artifacts in different projects:
- A Shared VPC network
- A VM
- A Service Directory service
- Dialogflow
Before you create the projects, note the following:
- Ensure that the API invocation respects the VPC Service Controls perimeter.
- Ensure that the configuration of the Google Cloud service project allows egress to a VM that resides in the VPC network project.
- The producer project might not be the same as the Google Cloud service project.
- Ensure that the VPC Service Controls perimeters of both projects are used.
- The Service Directory project and the network project don't need to be connected, but they must both be part of the same VPC Service Controls perimeter.
- Neither the network nor the service admits private network access traffic by default: you must create the firewall rule and grant the IAM roles explicitly in each project.
Figure 2 shows how you can send traffic by using private network access with VPC Service Controls perimeters enforced.
Create a network project
- Create a project, such as my-vpc-project.
- Create a VPC network, such as vpc-1. While creating the VPC network, for Subnet creation mode, select Automatic.
- Create a firewall rule, such as firewall-1. While creating the rule, enter or select the following values:
  - For Network, select vpc-1.
  - For Source IPv4 ranges, enter 35.199.192.0/19.
  - For Protocols and ports, select TCP and enter 443 or 80.
- In the us-central1 region, create a VM, such as vm-1. While creating the VM, enter or select the following values:
  - For Networking > Network Interfaces, select vpc-1.
  - For Firewall, select Allow HTTP traffic. If you want to use HTTPS, select Allow HTTPS traffic, and install a TLS certificate from a public key infrastructure (PKI) whose CA the calling service trusts.
If you're using VPC Service Controls, the VPC Service Controls perimeter enables Service Directory to connect to both the Google Cloud service project and the Service Directory project.
Configure the Service Directory project
- Create a project, such as my-sd-project.
- Because the VPC network project and the Service Directory project are different projects, you require an extra IAM grant: from the network project, grant the Service Directory Network Attacher role (roles/servicedirectory.networkAttacher) to the IAM principal that creates the Service Directory endpoint.
- Create a Service Directory endpoint that points to the VM in the VPC network:
  - In the us-central1 region, create a namespace, such as namespace-1.
  - In the namespace, register a Service Directory service, such as sd-1.
  - Create an endpoint in sd-1. For the endpoint address, use the internal IP address of vm-1 on port 443. For more information, see Create an endpoint with private network access.
- Grant the following IAM roles to the Google Cloud service account:
  - Service Directory Viewer role (roles/servicedirectory.viewer)
  - Private Service Connect Authorized Service role (roles/servicedirectory.pscAuthorizedService)
If you're using VPC Service Controls, the VPC Service Controls perimeter enables Service Directory to connect to both the Google Cloud service project and the Service Directory project.
Configure the Google Cloud service project
- Enable the API for the Google Cloud service that you're using.
- To configure the Google Cloud service PUSH, use the Service Directory service from the Service Directory project.
If you're using VPC Service Controls, the VPC Service Controls perimeter enables Service Directory to connect to both the network project and the Service Directory project.
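The cross-project layout above depends on IAM grants in two different projects, and a missing one fails only at call time. As an added example that is not from this page or from Google, the following POSIX shell script audits those grants. It reads the output format of gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" --format="value(bindings.role,bindings.members)", which prints one ROLE, tab, MEMBER line per binding member. The two policies embedded below are constructed sample data, and the service agent and endpoint creator are placeholder principals; the required roles are the ones this page lists for the Service Directory project (Viewer and Private Service Connect Authorized Service for the calling service's principal) and for the network project (Network Attacher for the endpoint creator, needed only when the projects differ).

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): audit the IAM bindings that
# private network access needs. Input lines have the form "ROLE<TAB>MEMBER", as printed by
#   gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" \
#       --format="value(bindings.role,bindings.members)"
# The policies and principals below are constructed placeholders.
set -eu

SERVICE_AGENT=serviceAccount:service-111111111111@gcp-sa-dialogflow.iam.gserviceaccount.com
ENDPOINT_CREATOR=user:admin@example.com

# Constructed sample policies: the Service Directory project lacks pscAuthorizedService for the
# agent, and the network project has not granted the endpoint creator Network Attacher.
SD_POLICY=$(printf 'roles/owner\t%s\nroles/servicedirectory.viewer\t%s\n' "$ENDPOINT_CREATOR" "$SERVICE_AGENT")
NETWORK_POLICY=$(printf 'roles/compute.networkUser\t%s\n' "$SERVICE_AGENT")

# has_binding ROLE MEMBER, policy lines on stdin: succeeds if MEMBER holds ROLE.
has_binding() { grep -Fqx "$(printf '%s\t%s' "$1" "$2")"; }

# missing_roles KIND MEMBER, policy lines on stdin: prints each required role that MEMBER lacks.
# KIND is "sd" (Service Directory project) or "network" (project that owns the VPC network).
missing_roles() {
  kind=$1 member=$2
  policy=$(cat)
  case $kind in
    sd)      want='roles/servicedirectory.viewer roles/servicedirectory.pscAuthorizedService' ;;
    network) want='roles/servicedirectory.networkAttacher' ;;
    *) echo "unknown project kind: $kind" >&2; return 2 ;;
  esac
  for role in $want; do
    printf '%s\n' "$policy" | has_binding "$role" "$member" || printf '%s\n' "$role"
  done
}

# audit SD_PROJECT NETWORK_PROJECT: reports every missing grant; exit 0 only if none is missing.
# The Network Attacher check applies only when the two projects differ (the same-project case
# needs no cross-project attach permission for the endpoint creator).
audit() {
  sd_project=$1 network_project=$2 status=0
  for role in $(printf '%s\n' "$SD_POLICY" | missing_roles sd "$SERVICE_AGENT"); do
    echo "$sd_project: $SERVICE_AGENT lacks $role"; status=1
  done
  if [ "$sd_project" != "$network_project" ]; then
    for role in $(printf '%s\n' "$NETWORK_POLICY" | missing_roles network "$ENDPOINT_CREATOR"); do
      echo "$network_project: $ENDPOINT_CREATOR lacks $role"; status=1
    done
  fi
  return $status
}

audit my-sd-project my-vpc-project || echo "private network access IAM is incomplete"
```

To use it against real projects, replace the two constructed policies with the gcloud output for each project. get-iam-policy shows only project-level bindings, so a role inherited from a folder or organization will be reported as missing; treat such a report as a prompt to check the parent rather than as proof of a gap.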
Use Service Directory private network access with Dialogflow
For instructions about how you can use Service Directory private network access with Dialogflow, see Using Service Directory for private network access.
What's next
- To get an overview of Service Directory, see the Service Directory overview.
- To learn more about Private Service Connect, see Private Service Connect.
- To find solutions for common issues that you might experience when using Service Directory, see Troubleshooting.