Stay organized with collections Save and categorize content based on your preferences.

Public IP address service

The public (external) IP address network service allows you to connect from the internet to a workload virtual machine (VM), a management appliance, or a load balancer running in your private cloud. For example, if you run a web server on your workload VM, you can serve web traffic using a public IP address through the internet. By default, the public IP network service is disabled.

Allocating a public IP address to a resource also provides the following benefits:

  • Distributed denial of service (DDoS) attack prevention. This protection is automatically enabled for the public IP address.
  • Always-on traffic monitoring and real-time mitigation of common network-level attacks.
  • Protection and mitigation of attacks across the entire scale of the global network. The network can be used to distribute and mitigate attack traffic across regions.

Behavior

A public IP address can only be assigned to one private IP address, and the public IP address is dedicated to that private IP address until you unassign it. A resource associated with a public IP address always uses the public IP address for internet access. You can reserve up to 100 public IP addresses for the primary VPC network connected to VMware Engine.

By default, incoming traffic on a public IP address is denied, and only outbound internet access is allowed. To allow inbound traffic, create a firewall rule for the public IP address to the specific port.

gcloud and API prerequisites

To use the gcloud command line tool or the API to manage your VMware Engine resources, we recommend configuring the tools as described below.

gcloud

  1. Set your default project ID:

    gcloud config set project PROJECT_ID
    
  2. Set a default region and/or zone:

    gcloud config set compute/region REGION
    gcloud config set compute/zone ZONE

For more information on the gcloud vmware tool, reviewing the Cloud SDK reference docs.

API

API examples in this documentation set use the cURL command-line tool to query the API. A valid access token is required as part of the cURL request. There are many ways to get a valid access token; the following steps use the gcloud tool to generate a access token:

  1. Login to Google Cloud

    gcloud auth login
    
  2. Generate access token and export to TOKEN

    export TOKEN=`gcloud auth print-access-token`
    
  3. Verify that TOKEN is set properly

    echo $TOKEN
    
    Output:
    TOKEN
    

Now, use the authorization token in your requests to the API. For example:

curl -X GET -H "Authorization: Bearer \"$TOKEN\""  -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations

Enabling the public IP network service in a region

Before you can allocate a public IP address to a workload VM, you must enable the public IP network service in the region:

Console

  1. Access the VMware Engine portal.
  2. Go to Network > Regional settings.
  3. In the row corresponding to the region of interest, select Edit. If the region is not listed in the summary table, add the region by clicking Add region.
  4. Toggle Public IP Service to Enabled.
    • To enable the public IP service, you must also enable the internet access network service.
    • It's possible to enable the internet access service and leave the public IP service disabled. If you do so, point-to-site VPN and public IP allocation are not available.
  5. In the Edge Services CIDR field, enter the address range to use when addressing the VMware Engine public IP gateway (/26 address range).
  6. Click Submit.

The status for the network service changes to Enabled when the operation is complete, usually after several minutes.

gcloud

Using the gcloud tool, run the following command to create network policy:

gcloud vmware network-policies create NETWORK_POLICY_NAME \
    --vmware-engine-network NETWORK_NAME --edge-services-cidr IP_RANGE \
    --location REGION --external-ip-access --internet-access

Replace the following:

  • NETWORK_POLICY_NAME: the name for this network policy
  • NETWORK_NAME: the network for this request, this must be in the format REGION-default
  • IP_RANGE: the CIDR range to use for internet access and external IP access gateways, in CIDR notation. An RFC 1918 CIDR block with a "/26" prefix is required
  • REGION: the region of the network

API

curl -X POST -H "Authorization: Bearer TOKEN"  -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/networkPolicies?networkPolicyId=NETWORK_POLICY_NAME -d '{
  "vmwareEngineNetwork":"projects/PROJECT_ID/locations/REGION/vmwareEngineNetworks/NETWORK_NAME",
  "edgeServiceCidr":IP_RANGE,
  "internetAccess: {
    "enabled": true
   },
   "externalIp": {
     "enabled": true
   }
 }

Replace the following:

  • NETWORK_POLICY_NAME: the name for this network policy.
  • PROJECT_ID: the project ID for this request
  • REGION: the region of the network
  • IP_RANGE: the CIDR range to use for internet access and external IP access gateways, in CIDR notation. An RFC 1918 CIDR block with a "/26" prefix is required.
  • NETWORK_NAME: the network this network policy applies to, must be in the format >REGION-default

Allocating a public IP address

To allocate a public IP address for a workload VM, do the following:

  1. Access the Google Cloud VMware Engine portal
  2. Go to Network > Public IPs.
  3. Click Allocate.
  4. In the Name field, enter a name to identify the public IP address entry.
  5. Select the Private cloud that contains the workload VM.
  6. Select the Location where you want to serve the allocated public IP.
  7. In the Attached local address field, enter the local IP address of the VM that you want to assign this public IP address to.
  8. Click Submit to begin the task of allocating the public IP address.

You can check the status of the task on the Activity > Tasks page. When allocation is complete, the new entry appears on the Public IPs page with the Operational status.