Configure private services access


This page describes how to configure private services access in your VPC network.

Private services access is implemented as a VPC peering connection between your VPC network and the underlying Google Cloud VPC network where your Cloud SQL instance resides. The private connection enables VM instances in your VPC network and the services that you access to communicate exclusively by using internal IP addresses. VM instances don't need Internet access or external IP addresses to reach services that are available through private services access.

Before you begin

Cloud SQL requires private services access for each VPC network that's used for private IP connections. To manage a private services access connection, the user should have the following IAM permissions:

  • compute.networks.list
  • compute.addresses.create
  • compute.addresses.list
  • servicenetworking.services.addPeering

If you don't have these permissions, you might get insufficient-permissions errors.

If you're using a Shared VPC network, then you must also:

  • Add your user to the host project.
  • Assign the same four permissions to that user on the host project.
  • Grant the compute.globalAddresses.list IAM permission to the user.

Configure private services access for Cloud SQL

There are two parts to the private services access configuration process:

  • Selecting an existing, or allocating a new IP address range.

    You also have the option of allowing Google to allocate the range for you. In this case, Google will automatically allocate an IP range of prefix-length /20 and use the name default-ip-range.

    If you're going to create instances in multiple regions or for different database types, a /20 or larger range is recommended.

  • Creating a private connection from your VPC network to the underlying service producer network.

Allocate an IP address range

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Allocated IP ranges for services tab.
  5. Click Allocate IP range.
  6. For the Name of the allocated range, specify google-managed-services-VPC_NETWORK_NAME, where VPC_NETWORK_NAME is the name of the VPC network you are connecting (for example, google-managed-services-default). The Description is optional.
  7. Select the Custom option, then enter the IP address range to allocate, in CIDR notation.
  8. Click Allocate to create the allocated range.

gcloud

Do one of the following:

  • To specify an address range and a prefix length (subnet mask), use the addresses and prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/16, specify 192.168.0.0 for the address and 16 for the prefix length.

        gcloud compute addresses create google-managed-services-VPC_NETWORK_NAME \
            --global \
            --purpose=VPC_PEERING \
            --addresses=192.168.0.0 \
            --prefix-length=16 \
            --network=projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME

  • To specify a prefix length (subnet mask) only, use the prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a 16-bit prefix length.

        gcloud compute addresses create google-managed-services-VPC_NETWORK_NAME \
            --global \
            --purpose=VPC_PEERING \
            --prefix-length=16 \
            --network=projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME


Replace VPC_NETWORK_NAME with the name of your VPC network, such as my-vpc-network.

The following example allocates an IP range that allows resources in the VPC network my-vpc-network to connect to Cloud SQL instances using private IP.

    # The range name, network path and project are kept consistent with the
    # my-vpc-network / my-project names used in the surrounding text.
    gcloud compute addresses create google-managed-services-my-vpc-network \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --network=projects/my-project/global/networks/my-vpc-network \
    --project=my-project

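As an added example, not code from this page or from Google's tooling, the following Python pre-flight check applies the range-selection guidance above (internal RFC 1918 space, a /20 or larger allocation, no overlap with subnets already in the VPC) and then builds the allocate and connect commands shown on this page. The existing subnet list, the VPC name and the project ID are constructed sample values.

```python
import ipaddress

# Constructed sample data: subnets already in use in the VPC (not from any real project).
EXISTING_SUBNETS = ["10.128.0.0/20", "10.132.0.0/20", "192.168.0.0/24"]

# Peering ranges come from internal (RFC 1918) space; the page recommends
# a /20 or larger allocation for multi-region or multi-engine deployments.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECOMMENDED_MAX_PREFIX = 20

def check_allocation(cidr, existing=EXISTING_SUBNETS):
    """Return a list of problems with a proposed allocated range (empty means OK)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as e:
        return [f"not a valid CIDR block: {e}"]
    if net.version != 4:
        return ["only IPv4 ranges are supported"]
    problems = []
    if not any(net.subnet_of(p) for p in RFC1918):
        problems.append("range is not in RFC 1918 private address space")
    if net.prefixlen > RECOMMENDED_MAX_PREFIX:
        problems.append(f"/{net.prefixlen} is smaller than the recommended /{RECOMMENDED_MAX_PREFIX}")
    for s in existing:
        other = ipaddress.ip_network(s)
        if net.overlaps(other):
            problems.append(f"overlaps existing subnet {other}")
    return problems

def gcloud_commands(vpc, project, cidr):
    """Build the allocate and connect commands shown on this page, naming the
    range google-managed-services-VPC_NETWORK_NAME as the page recommends."""
    net = ipaddress.ip_network(cidr)
    name = f"google-managed-services-{vpc}"
    allocate = (
        f"gcloud compute addresses create {name} --global --purpose=VPC_PEERING "
        f"--addresses={net.network_address} --prefix-length={net.prefixlen} "
        f"--network=projects/{project}/global/networks/{vpc} --project={project}"
    )
    connect = (
        "gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com "
        f"--ranges={name} --network={vpc} --project={project}"
    )
    return allocate, connect

if __name__ == "__main__":
    for candidate in ("10.200.0.0/16", "10.128.0.0/22", "203.0.113.0/24"):
        print(candidate, check_allocation(candidate) or "OK")
    print(*gcloud_commands("my-vpc-network", "my-project", "10.200.0.0/16"), sep="\n")
```

Run the check against the output of `gcloud compute networks subnets list` for the target VPC before allocating, so the range you hand to `gcloud compute addresses create` is one the peering can actually use.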

Terraform

To allocate an IP address range, use a Terraform resource.

resource "google_compute_global_address" "private_ip_address" {
  name          = "private-ip-address"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.private_network.id
}

Apply the changes

To apply your Terraform configuration in a Google Cloud project, complete the following steps:

  1. Launch Cloud Shell.
  2. Set the Google Cloud project where you want to apply the Terraform configuration:
    export GOOGLE_CLOUD_PROJECT=PROJECT_ID
    
  3. Create a directory and open a new file in that directory. The filename must have the .tf extension, for example main.tf:
    mkdir DIRECTORY && cd DIRECTORY && nano main.tf
    
  4. Copy the sample into main.tf.
  5. Review and modify the sample parameters to apply to your environment.
  6. Save your changes by pressing Ctrl-x and then y.
  7. Initialize Terraform:
    terraform init
  8. Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
    terraform plan

    Make corrections to the configuration as necessary.

  9. Apply the Terraform configuration by running the following command and entering yes at the prompt:
    terraform apply

    Wait until Terraform displays the "Apply complete!" message.

  10. Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

Delete the changes

Remove resources previously applied with your Terraform configuration by running the following command and entering yes at the prompt:

terraform destroy

Create a private connection

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Private connections to services tab.
  5. Click Create connection to create a private connection between your network and a service producer.
  6. For the Assigned allocation, select one or more existing allocated ranges that are not being used by other service producers.
  7. Click Connect to create the connection.

gcloud

  1. Create a private connection.

    gcloud services vpc-peerings connect \
    --service=servicenetworking.googleapis.com \
    --ranges=google-managed-services-VPC_NETWORK_NAME \
    --network=VPC_NETWORK_NAME \
    --project=PROJECT_ID
    

    The command initiates a long-running Cloud SQL instance operation, returning an operation ID.

  2. Check whether the operation was successful.

    gcloud services vpc-peerings operations describe \
    --name=OPERATION_ID
    

You can specify more than one allocated range when you create a private connection. For example, if a range has been exhausted, you can assign additional allocated ranges. The service uses IP addresses from all the provided ranges in the order that you specified.

Terraform

To create a private connection, use a Terraform resource.

resource "google_service_networking_connection" "private_vpc_connection" {
  network                 = google_compute_network.private_network.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
}

Change the private service access configuration

You can change the allocated address range of a private service connection without modifying any existing Cloud SQL instances. To change the private IP address of an existing Cloud SQL instance instead, follow the steps in Change the private IP address of an existing Cloud SQL instance.

To change the allocated address range:

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Select the VPC network that you want to use.
  3. Select the Private service connection tab.
  4. Select the Allocated IP ranges for services tab.
  5. Select the name of the range you want to delete.
  6. Click Release.
  7. Click Allocate IP range.
  8. Create a new range with the same name and the new address range.

    The name matters because the private connection has already been established using that address name.

gcloud

    gcloud services vpc-peerings update \
    --network=VPC_NETWORK_NAME \
    --ranges=ALLOCATED_RANGES \
    --service=servicenetworking.googleapis.com \
    --force

Change the private IP address of an existing Cloud SQL instance

To change the private IP address of an existing Cloud SQL instance, you need to move it to a temporary VPC network, then change the private service access configuration, and then move the Cloud SQL instance back.

To move to a different VPC network, follow all but the final step below (moving the instance back). The [TEMPORARY_VPC_NETWORK_NAME] is the new VPC network in this case. Also, delete the old private connection. It can take a few days for the deleted private connection to disappear from the Google Cloud console.

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Create a temporary VPC network.
  3. Move the Cloud SQL instance to the temporary VPC network.

    gcloud beta sql instances patch INSTANCE_ID \
    --project=PROJECT_ID \
    --network=projects/PROJECT_ID/global/networks/TEMPORARY_VPC_NETWORK_NAME \
    --no-assign-ip
    
  4. Change the private service access configuration.

  5. Move the Cloud SQL instance back to the original VPC network.

    gcloud beta sql instances patch INSTANCE_ID \
    --project=PROJECT_ID \
    --network=projects/PROJECT_ID/global/networks/ORIGINAL_VPC_NETWORK_NAME \
    --no-assign-ip