Configuring private services access

This page describes how to configure private services access in your VPC network.

Google Cloud and third parties (together known as service producers) can offer services with internal IP addresses that are hosted in a VPC network. Private services access enables you to reach those internal IP addresses. This is useful if you want your VM instances in your VPC network to use internal IP addresses instead of external IP addresses. Cloud SQL uses internal IP addresses for private IP.

Before you begin

If you are using private IP for any of your Cloud SQL instances, you need to configure private services access only once per Google Cloud project that contains, or needs to connect to, a Cloud SQL instance.

If your Google Cloud project has a Cloud SQL instance, you can either configure it yourself or let Cloud SQL do it for you to use private IP.

Cloud SQL configures private services access for you when all the conditions below are true:

  • You have not yet configured private services access in the Google Cloud project.
  • You are enabling private IP for the first time for any Cloud SQL instance in the Google Cloud project.
  • When enabling private IP in the instance's Connections page, you select both the default associated networking and Use an automatically allocated IP range options.

You can see the results in the VPC networks page by selecting the default VPC network, and then selecting the Private service connection link.

Otherwise, you need to configure private services access manually, as described in the sections below.

Configuring private services access for Cloud SQL

You can configure private services access manually in the default or your own VPC network. Configuring it manually is recommended if:

  • You want to control the size of the IP address range that is allocated. For example, if you anticipate creating many Cloud SQL instances, you might choose in advance to allocate an IP range that can hold them all. If instances are going to be created in multiple regions or different database types, a /20 or larger range is recommended.

  • You want to set up private services access from the command line (using gcloud).

  • You are using Shared VPC and your organization has a network administrator (IAM roles/compute.networkAdmin) in the host project. The network administrator can perform the steps below in the host project to configure private services access. Users who were delegated privileges in the service project(s) can launch Cloud SQL instances by following the instructions in the earlier sections.

Private services access is implemented as a VPC peering connection between your VPC network and the underlying Google services VPC network where your Cloud SQL instance resides. Although you can allocate more than one IP range, Google chooses which allocated range, and which address within it, each instance's private IP comes from; you cannot pick a specific address.

There are two parts to the private services access configuration process:

  • Allocating an IP address range.
  • Creating a private connection from your VPC network to the service producer network.

Allocating an IP address range

Console

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Allocated IP ranges for services tab.
  5. Click Allocate IP range.
  6. For the Name of the allocated range, specify google-managed-services-VPC_NETWORK_NAME, where VPC_NETWORK_NAME is the name of the VPC network you are connecting (for example, google-managed-services-default). The Description is optional.

  7. Click Allocate to create the allocated range.

gcloud

Do one of the following:

  • To specify an address range and a prefix length (subnet mask), use the --addresses and --prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/16, specify 192.168.0.0 for the address and 16 for the prefix length.

    gcloud compute addresses create google-managed-services-[VPC_NETWORK_NAME] \
        --global \
        --purpose=VPC_PEERING \
        --addresses=192.168.0.0 \
        --prefix-length=16 \
        --network=[VPC_NETWORK_NAME]
    
  • To specify a prefix length (subnet mask) only, use the --prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a prefix length of 16 (a /16).

    gcloud compute addresses create google-managed-services-[VPC_NETWORK_NAME] \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=16 \
        --network=[VPC_NETWORK_NAME]
    

Replace [VPC_NETWORK_NAME] with the name of your VPC network, such as my-vpc-network.

The following example allocates an IP range that allows resources in the VPC network my-vpc-network to connect to Cloud SQL instances using private IP.

gcloud compute addresses create google-managed-services-my-vpc-network \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --network=my-vpc-network \
    --project=my-project

Creating a private connection

Console

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Private connections to services tab.
  5. Click Create connection to create a private connection between your network and a service producer.
  6. For the Assigned allocation, select one or more existing allocated ranges that are not being used by other service producers.
  7. Click Connect to create the connection.

gcloud

  1. Create a private connection.

    gcloud services vpc-peerings connect \
        --service=servicenetworking.googleapis.com \
        --ranges=google-managed-services-[VPC_NETWORK_NAME] \
        --network=[VPC_NETWORK_NAME] \
        --project=[PROJECT_ID]
    

    Replace [VPC_NETWORK_NAME] with the name of your VPC network and [PROJECT_ID] with the ID of the project that contains your VPC network.

    The command initiates a long-running Service Networking operation and returns an operation name.

  2. Check whether the operation was successful.

    gcloud services vpc-peerings operations describe \
        --name=[OPERATION_NAME]
    

    Replace [OPERATION_NAME] with the operation name that was returned from the previous step.

You can specify more than one allocated range when you create a private connection. For example, if a range has been exhausted, you can assign additional allocated ranges. The service uses IP addresses from all the provided ranges in the order that you specified.
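The two parts of the procedure above (allocating the range, then creating the private connection), as an added example script that is not code from the original page or from Google. It adds three checks the bare commands do not perform: it refuses to allocate a range that overlaps an existing subnet or an earlier VPC_PEERING allocation in the network (an overlap makes the peering fail or, worse, misroutes traffic), it can poll the operation name that the connect step returns until the operation is done, and it confirms afterwards that the resulting peering is ACTIVE. It assumes an authenticated gcloud; NETWORK, PROJECT and CIDR are supplied by the caller, and the regex filter on the address list's network URL is an assumption. The CIDR helpers use only shell arithmetic, so they run without gcloud.

```sh
#!/bin/sh
# Added example (not from the original page or from Google). Usage:
#   ./psa-setup.sh NETWORK PROJECT CIDR      e.g. my-vpc-network my-project 192.168.0.0/16
# Assumes an authenticated gcloud; the CIDR helpers below need no gcloud.

# Dotted-quad IPv4 address -> 32-bit integer. Runs in a subshell so the
# temporary IFS change used for splitting does not leak out.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# "first last" integer bounds of a CIDR block, snapped to the block boundary
# so that 10.0.0.5/24 is treated as 10.0.0.0/24.
cidr_bounds() {
    base=$(ip_to_int "${1%/*}")
    size=$(( 1 << (32 - ${1#*/}) ))
    first=$(( base / size * size ))
    echo "$first $(( first + size - 1 ))"
}

# Exit 0 if two CIDR blocks share at least one address, 1 otherwise.
cidr_overlaps() {
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    if [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; then return 0; else return 1; fi
}

# Print each range in args 2..n that overlaps the candidate range in arg 1.
find_conflicts() {
    candidate=$1
    shift
    for range in "$@"; do
        if cidr_overlaps "$candidate" "$range"; then echo "$range"; fi
    done
}

# Ranges already in use in NETWORK: its subnets, plus global addresses already
# reserved for VPC peering (address and prefixLength joined into CIDR form).
# The network~ regex filter on the address's network URL is an assumption.
existing_ranges() {   # NETWORK PROJECT
    gcloud compute networks subnets list --project="$2" --network="$1" \
        --format='value(ipCidrRange)'
    gcloud compute addresses list --project="$2" --global \
        --filter="purpose=VPC_PEERING AND network~/networks/$1\$" \
        --format='value(address,prefixLength)' | tr '\t' '/'
}

# Allocate CIDR for service producers only if nothing in the network uses it.
allocate_range() {   # NETWORK PROJECT CIDR
    conflicts=$(find_conflicts "$3" $(existing_ranges "$1" "$2"))
    if [ -n "$conflicts" ]; then
        echo "refusing to allocate $3: overlaps $(echo $conflicts)" >&2
        return 1
    fi
    gcloud compute addresses create "google-managed-services-$1" \
        --project="$2" --global --purpose=VPC_PEERING --network="$1" \
        --addresses="${3%/*}" --prefix-length="${3#*/}"
}

describe_operation() {
    gcloud services vpc-peerings operations describe --name="$1"
}

# Poll an operation name (operations/...) until its description reports
# "done: true", giving up after TIMEOUT seconds (default 300).
wait_for_operation() {   # OPERATION_NAME [TIMEOUT]
    deadline=$(( $(date +%s) + ${2:-300} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if describe_operation "$1" | grep -qi '^done: *true'; then return 0; fi
        sleep 5
    done
    echo "operation $1 did not finish within ${2:-300}s" >&2
    return 1
}

main() {   # NETWORK PROJECT CIDR
    allocate_range "$1" "$2" "$3"
    gcloud services vpc-peerings connect --project="$2" \
        --service=servicenetworking.googleapis.com \
        --network="$1" --ranges="google-managed-services-$1"
    # Service Networking names the peering after the service; it should be ACTIVE.
    gcloud compute networks peerings list --project="$2" --network="$1" \
        --filter="name=servicenetworking-googleapis-com" \
        --format='table(name,state,stateDetails)'
}

if [ $# -eq 3 ]; then main "$@"; fi
```

If the connect step prints an operation name instead of waiting, pass that name to wait_for_operation before listing the peerings. The overlap check deliberately includes earlier VPC_PEERING allocations, because a second allocation that overlaps the first is accepted by the API but can never be assigned to the connection.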

Changing the private service access configuration

You can change the allocated address range of a private service connection without modifying any existing Cloud SQL instances. To change the private IP address of an existing Cloud SQL instance, see the next section.

To change the allocated address range:

Console

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Allocated IP ranges for services tab.
  5. Select the name of the range you want to replace.
  6. Click Release.
  7. Click Allocate IP range.
  8. Create a new range with the same name and the new address range.

    The name matters because the existing private connection references the allocated range by that name.

Changing the private IP address of an existing Cloud SQL instance

To change the private IP address of an existing Cloud SQL instance, you need to move it to a temporary VPC network, then change the private service access configuration, and then move the Cloud SQL instance back:

  1. Go to the VPC networks page in the Google Cloud Console.
  2. Create a temporary VPC network.
  3. Move the Cloud SQL instance to the temporary VPC network.

    gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE_ID] \
        --network=[TEMPORARY_VPC_NETWORK_NAME] --no-assign-ip

  4. Change the private service access configuration of the original VPC network, as described in the previous section.
  5. Move the Cloud SQL instance back to the original VPC network.

    gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE_ID] \
        --network=[ORIGINAL_VPC_NETWORK_NAME] --no-assign-ip

Each move assigns the instance a new private IP address, so update any clients that connect to the instance by address.

Granting the servicenetworking.serviceAgent role

The Service Networking service agent must hold the roles/servicenetworking.serviceAgent role in the project that owns the VPC network (the host project when you use Shared VPC). The first command creates the service agent if it does not exist yet and prints its email address, which has the form service-[PROJECT_NUMBER]@service-networking.iam.gserviceaccount.com; use that address in the second command.

    gcloud beta services identity create \
        --service=servicenetworking.googleapis.com \
        --project=[PROJECT_ID]

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
        --member="serviceAccount:service-[PROJECT_NUMBER]@service-networking.iam.gserviceaccount.com" \
        --role="roles/servicenetworking.serviceAgent"

Replace [PROJECT_ID] with the ID of the project that contains your VPC network and [PROJECT_NUMBER] with that project's number.