Configure internet access for workload VMs

You configure the internet access network service for VMware workloads in Google Cloud VMware Engine on a per-region basis. You can direct internet-bound traffic from your workload VMs by using Google Cloud's internet edge or an on-premises connection.

Workload VMs that can access the internet can also access Google Cloud services using Private Google Access. Access to Google Cloud services using Private Google Access stays within Google Cloud networks and does not exit to the internet.

The internet access network service supports the following:

  • Up to 100 public IP addresses for each region
  • Up to 300 firewall rules per firewall table
  • Throughput of up to 2 Gbps across 128k concurrent connections for each region
  • TCP, UDP, and ICMP protocols

The internet access network service doesn't support Application Level Gateway (ALG) functionality.

Before you begin

To make changes to the internet access settings of your private cloud, you must have admin access to VMware Engine.

To enable internet access, you need an edge services CIDR address range. When you enable the internet access or public IP network services, gateways deploy in the service tenant context.

Use the edge services CIDR address range for addressing VMware Engine internet and public IP gateways. The address range must meet the following requirements:

  • Comply with RFC 1918 as a private range.
  • Have no overlap with any other VMware Engine address ranges, such as the address range used for management appliances or NSX-T segments.
  • Have no overlap with any address ranges being advertised to VMware Engine, such as those used for Virtual Private Cloud (VPC) network subnets or on-premises networks.
  • Be a dedicated range with a 26-bit subnet mask (/26).
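The four requirements above are easy to check before you submit a network policy, and a wrong range only surfaces as a failed operation several minutes later. The following is an added example (not from Google's documentation or the VMware Engine library): a small validator that applies the RFC 1918, /26 and no-overlap rules to a candidate edge services range. The list of already-used ranges (management appliances, NSX-T segments, VPC subnets, on-premises prefixes) is constructed here as a placeholder; in practice you would pull it from your own IPAM or from the private cloud and VPC configuration.

```python
import ipaddress

# RFC 1918 private address space (from the RFC itself).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of ranges that must not overlap the edge services CIDR:
# management appliance range, an NSX-T segment, a VPC subnet and an on-premises prefix.
RESERVED_RANGES = [
    "10.0.0.0/24",     # hypothetical management appliance range
    "10.1.0.0/24",     # hypothetical NSX-T workload segment
    "10.2.0.0/20",     # hypothetical VPC subnet advertised to VMware Engine
    "192.168.0.0/22",  # hypothetical on-premises prefix
]


def validate_edge_services_cidr(cidr: str, reserved=RESERVED_RANGES) -> list:
    """Return a list of violations for the candidate range; an empty list means it is acceptable."""
    problems = []
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.10.0.1/26.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR: {exc}"]
    if net.version != 4:
        return ["must be an IPv4 range"]
    if net.prefixlen != 26:
        problems.append(f"prefix is /{net.prefixlen}, must be /26")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("not within an RFC 1918 private range")
    for other in reserved:
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"overlaps {other}")
    return problems


if __name__ == "__main__":
    for candidate in ("10.10.0.0/26", "10.2.1.0/26", "203.0.113.0/26", "10.10.0.0/24"):
        result = validate_edge_services_cidr(candidate)
        print(candidate, "OK" if not result else "; ".join(result))
```

The overlap check uses `overlaps`, so a candidate that merely sits inside a larger advertised prefix (such as a /26 carved out of a VPC subnet) is rejected as well, which is the case that tends to slip through manual review.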

Google Cloud CLI and API requirements

To use the gcloud command line tool or the API to manage your VMware Engine resources, we recommend configuring the tools as described below.

gcloud

  1. Set your default project ID:

    gcloud config set project PROJECT_ID
    
  2. Set a default region and/or zone:

    gcloud config set compute/region REGION
    gcloud config set compute/zone ZONE

For more information on the gcloud vmware tool, review the Cloud SDK reference docs.

API

API examples in this documentation set use the cURL command-line tool to query the API. A valid access token is required as part of the cURL request. There are many ways to get a valid access token; the following steps use the gcloud tool to generate an access token:

  1. Log in to Google Cloud

    gcloud auth login
    
  2. Generate an access token and export it to TOKEN

    export TOKEN=`gcloud auth print-access-token`
    
  3. Verify that TOKEN is set properly

    echo $TOKEN
    
    Output:
    TOKEN
    

Now, use the authorization token in your requests to the API. For example:

curl -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations

Python

Python code samples in this documentation use the VMware Engine library to communicate with the API. To be able to use this approach, the library needs to be installed and the Application Default Credentials should be configured.

  1. Download and install the Python library

     pip install google-cloud-vmwareengine
    
  2. Configure the ADC information by running the following command in your shell

      gcloud auth application-default login
    

    or use a Service Account key file

      export GOOGLE_APPLICATION_CREDENTIALS="FILE_PATH"
    

For more information about the library, visit the reference page or view code samples on GitHub.

Configure the internet access service

You can allow your workload VMs to access the internet by creating or updating a network policy.

By default, the internet access network service is disabled.

Enable the internet access service in a region

Console

To enable the internet access service in a region, do the following:

  1. Access the Google Cloud console.
  2. From the main navigation, go to Network Policies.
  3. Click Create to create a new policy. If you want to edit an existing network policy, click the More icon at the end of a row and select Edit.
  4. Fill out the details of your network policy, including choosing the network and region that the policy applies to.
  5. Toggle Internet access to Enabled and, optionally, enable External IP address service.

  6. In the Edge Services CIDR field, enter the address range to use when addressing the VMware Engine internet gateway (/26 address range).

  7. Click Create.

The status for the service changes to Enabled when the operation is complete, usually after several minutes.

gcloud

Using the gcloud tool, run the following command to create a network policy:

gcloud vmware network-policies create NETWORK_POLICY_NAME \
    --vmware-engine-network projects/PROJECT_ID/locations/LOCATIONS/vmwareEngineNetworks/NETWORK_ID \
    --edge-services-cidr=IP_RANGE \
    --location=LOCATION \
    --internet-access

Replace the following:

  • NETWORK_POLICY_NAME: the name for this network policy.
  • NETWORK_ID: the network this network policy applies to
  • IP_RANGE: the CIDR range to use for internet access and external IP access gateways, in CIDR notation. An RFC 1918 CIDR block with a "/26" prefix is required.
  • LOCATION: global for legacy networks or the region of a standard network

API

curl -X POST -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies?networkPolicyId=NETWORK_POLICY_NAME -d '{
  "vmwareEngineNetwork": "projects/PROJECT_ID/locations/LOCATION/vmwareEngineNetworks/NETWORK_ID",
  "edgeServicesCidr": "IP_RANGE",
  "internetAccess": {
    "enabled": true
  },
  "externalIp": {
    "enabled": true
  }
}'

Replace the following:

  • NETWORK_POLICY_NAME: the name for this network policy. This must be in the format REGION-default.
  • PROJECT_ID: the project ID for this request
  • LOCATION: global for legacy networks or the region of a standard network
  • IP_RANGE: the CIDR range to use for internet access and external IP access gateways, in CIDR notation. An RFC 1918 CIDR block with a "/26" prefix is required.
  • NETWORK_ID: the network for this network policy

Python

from google.api_core import operation
from google.cloud import vmwareengine_v1


def create_network_policy(
    project_id: str,
    region: str,
    ip_range: str,
    internet_access: bool,
    external_ip: bool,
) -> operation.Operation:
    """
    Creates a new network policy in a given network.

    Args:
        project_id: name of the project you want to use.
        region: name of the region you want to use. I.e. "us-central1"
        ip_range: the CIDR range to use for internet access and external IP access gateways,
            in CIDR notation. An RFC 1918 CIDR block with a "/26" suffix is required.
        internet_access: should internet access be allowed.
        external_ip: should external IP addresses be assigned.

    Returns:
        An operation object representing the started operation. You can call its .result() method to wait for
        it to finish.

    Raises:
        ValueError if the provided ip_range doesn't end with /26.
    """
    if not ip_range.endswith("/26"):
        raise ValueError(
            "The ip_range needs to be an RFC 1918 CIDR block with a '/26' suffix"
        )

    network_policy = vmwareengine_v1.NetworkPolicy()
    network_policy.vmware_engine_network = f"projects/{project_id}/locations/{region}/vmwareEngineNetworks/{region}-default"
    network_policy.edge_services_cidr = ip_range
    network_policy.internet_access.enabled = internet_access
    network_policy.external_ip.enabled = external_ip

    request = vmwareengine_v1.CreateNetworkPolicyRequest()
    request.network_policy = network_policy
    request.parent = f"projects/{project_id}/locations/{region}"
    request.network_policy_id = f"{region}-default"

    client = vmwareengine_v1.VmwareEngineClient()
    return client.create_network_policy(request)

Disable the internet access service in a region

To disable the internet access service in a region, do the following:

Console

  1. Access the Google Cloud console.
  2. From the main navigation, go to Network Policies.
  3. In the row corresponding to the relevant network policy, click the More icon.
  4. Toggle Internet access to Disabled.

    • You must disable public IP service before you can disable internet access.
    • You must delete any allocated public IP addresses and point-to-site VPN gateways before you can disable public IP service.
  5. Click Save.

The status for the service changes to Disabled when the operation is complete, usually after several minutes.

gcloud

Using the gcloud tool, run the following command to update network policy:

gcloud vmware network-policies update NETWORK_POLICY_NAME \
  --no-internet-access \
  --location LOCATION

Replace the following:

  • NETWORK_POLICY_NAME: the name for this network policy
  • LOCATION: global for legacy networks or the region of a standard network

API

curl -X PATCH -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies/NETWORK_POLICY_NAME?updateMask=internetAccess.enabled,externalIp.enabled -d '{
  "internetAccess": {
    "enabled": false
  },
  "externalIp": {
    "enabled": false
  }
}'

Replace the following:

  • PROJECT_ID: the project ID for this request
  • LOCATION: global for legacy networks or the region of a standard network
  • NETWORK_POLICY_NAME: the name for this network policy
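The create (POST) and disable (PATCH) requests above differ only in their URL, method and which fields the `updateMask` names, and hand-written JSON bodies inside shell quotes are where most mistakes happen. The following added example (not from Google's documentation or the VMware Engine library) assembles both request bodies in Python, restricts the PATCH `updateMask` to the fields actually being changed, enforces the ordering rule from the disable procedure (public IP service cannot stay enabled while internet access is disabled), and renders a shell-safe `curl` command. The project, location and policy names in the `__main__` block are constructed placeholders.

```python
import json
import shlex

API_ROOT = "https://vmwareengine.googleapis.com/v1"


def create_policy_request(project_id, location, policy_id, network_id, ip_range,
                          internet_access=True, external_ip=False):
    """Build the POST that creates a network policy; returns (url, body dict)."""
    if external_ip and not internet_access:
        # The disable procedure requires public IP to go before internet access,
        # so a policy with external IP but no internet access is not a valid target.
        raise ValueError("external IP service requires internet access to be enabled")
    url = (f"{API_ROOT}/projects/{project_id}/locations/{location}"
           f"/networkPolicies?networkPolicyId={policy_id}")
    body = {
        "vmwareEngineNetwork": (f"projects/{project_id}/locations/{location}"
                                f"/vmwareEngineNetworks/{network_id}"),
        "edgeServicesCidr": ip_range,
        "internetAccess": {"enabled": internet_access},
        "externalIp": {"enabled": external_ip},
    }
    return url, body


def update_policy_request(project_id, location, policy_id,
                          internet_access=None, external_ip=None):
    """Build the PATCH; the updateMask names only the fields passed as non-None."""
    if internet_access is False and external_ip is True:
        raise ValueError("disable external IP service before, or together with, internet access")
    body, mask = {}, []
    if internet_access is not None:
        body["internetAccess"] = {"enabled": internet_access}
        mask.append("internetAccess.enabled")
    if external_ip is not None:
        body["externalIp"] = {"enabled": external_ip}
        mask.append("externalIp.enabled")
    if not mask:
        raise ValueError("no fields to update")
    url = (f"{API_ROOT}/projects/{project_id}/locations/{location}"
           f"/networkPolicies/{policy_id}?updateMask={','.join(mask)}")
    return url, body


def as_curl(method, url, body=None):
    """Render a curl command with the JSON body single-quoted for the shell.

    $TOKEN is deliberately left inside double quotes so the shell expands it.
    """
    parts = ["curl", "-X", method,
             '-H "Authorization: Bearer $TOKEN"',
             '-H "Content-Type: application/json; charset=utf-8"',
             shlex.quote(url)]
    if body is not None:
        parts += ["-d", shlex.quote(json.dumps(body))]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed placeholder identifiers, not a real project.
    url, body = create_policy_request("my-project", "us-central1", "us-central1-default",
                                      "us-central1-default", "10.10.0.0/26", external_ip=True)
    print(as_curl("POST", url, body))
    url, body = update_policy_request("my-project", "us-central1", "us-central1-default",
                                      internet_access=False, external_ip=False)
    print(as_curl("PATCH", url, body))
```

Naming only the changed fields in `updateMask` keeps a PATCH from silently resetting the other toggle to whatever value happens to be in the body, which matters when the same helper is reused by automation that runs against policies in different states.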

Python

from google.api_core import operation
from google.cloud import vmwareengine_v1


def update_network_policy(
    project_id: str, region: str, internet_access: bool, external_ip: bool
) -> operation.Operation:
    """
    Updates a network policy in a given network.

    Args:
        project_id: name of the project you want to use.
        region: name of the region you want to use. I.e. "us-central1".
        internet_access: should internet access be allowed.
        external_ip: should external IP addresses be assigned.

    Returns:
        An operation object representing the started operation. You can call its .result() method to wait for
        it to finish.
    """

    client = vmwareengine_v1.VmwareEngineClient()
    request = vmwareengine_v1.UpdateNetworkPolicyRequest()
    request.update_mask = "internetAccess.enabled,externalIp.enabled"
    network_policy = vmwareengine_v1.NetworkPolicy()
    network_policy.name = (
        f"projects/{project_id}/locations/{region}/networkPolicies/{region}-default"
    )
    network_policy.vmware_engine_network = f"projects/{project_id}/locations/{region}/vmwareEngineNetworks/{region}-default"
    network_policy.internet_access.enabled = internet_access
    network_policy.external_ip.enabled = external_ip

    request.network_policy = network_policy

    return client.update_network_policy(request)

Use an on-premises connection for workload internet access

You can optionally direct internet-bound traffic from your workload VMs in VMware Engine through an on-premises connection. Traffic is directed based on the state of the following:

  • Default route (0.0.0.0/0) advertisement from on-premises
  • VMware Engine public IP service
  • VMware Engine internet access service
  • VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine

Enable routing internet traffic through an on-premises connection

To access the internet from your workload VMs through an on-premises connection, you must complete two steps:

  1. Advertise the default route (0.0.0.0/0) from on-premises over an on-premises connection (Cloud VPN or Cloud Interconnect). Check the Cloud VPN gateway or Cloud Router where the on-premises connection to your VPC terminates.
  2. Disable the internet access and public IP service for the VMware Engine network.

Console

  1. Access the Google Cloud console.
  2. From the main navigation, go to Network Policies.
  3. In the row corresponding to the relevant network policy, click the More icon.
  4. Toggle Public IP to Disabled.

  5. Toggle Internet access to Disabled.

  6. Click Save.

  7. If using a Legacy VMware Engine network: enable VPC service controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:

    gcloud services vpc-peerings enable-vpc-service-controls \
       --network=VPC_NETWORK \
       --service=servicenetworking.googleapis.com

gcloud

Using the gcloud tool, run the following command to update network policy:

gcloud vmware network-policies update NETWORK_POLICY_NAME \
  --no-internet-access \
  --no-external-ip-address \
  --location LOCATION

Replace the following:

  • NETWORK_POLICY_NAME: the name for this network policy
  • LOCATION: global for legacy networks or the region of a standard network

If using a Legacy VMware Engine network: enable VPC service controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:

gcloud services vpc-peerings enable-vpc-service-controls \
   --network=VPC_NETWORK \
   --service=servicenetworking.googleapis.com

API

curl -X PATCH -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies/NETWORK_POLICY_NAME?updateMask=internetAccess.enabled,externalIp.enabled -d '{
  "internetAccess": {
    "enabled": false
  },
  "externalIp": {
    "enabled": false
  }
}'

If using a Legacy VMware Engine network: enable VPC service controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:

gcloud services vpc-peerings enable-vpc-service-controls \
   --network=VPC_NETWORK_NAME \
   --service=servicenetworking.googleapis.com

Python

Set the internet_access and external_ip to False.

from google.api_core import operation
from google.cloud import vmwareengine_v1


def update_network_policy(
    project_id: str, region: str, internet_access: bool, external_ip: bool
) -> operation.Operation:
    """
    Updates a network policy in a given network.

    Args:
        project_id: name of the project you want to use.
        region: name of the region you want to use. I.e. "us-central1".
        internet_access: should internet access be allowed.
        external_ip: should external IP addresses be assigned.

    Returns:
        An operation object representing the started operation. You can call its .result() method to wait for
        it to finish.
    """

    client = vmwareengine_v1.VmwareEngineClient()
    request = vmwareengine_v1.UpdateNetworkPolicyRequest()
    request.update_mask = "internetAccess.enabled,externalIp.enabled"
    network_policy = vmwareengine_v1.NetworkPolicy()
    network_policy.name = (
        f"projects/{project_id}/locations/{region}/networkPolicies/{region}-default"
    )
    network_policy.vmware_engine_network = f"projects/{project_id}/locations/{region}/vmwareEngineNetworks/{region}-default"
    network_policy.internet_access.enabled = internet_access
    network_policy.external_ip.enabled = external_ip

    request.network_policy = network_policy

    return client.update_network_policy(request)

If using a Legacy VMware Engine network: enable VPC service controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:

gcloud services vpc-peerings enable-vpc-service-controls \
   --network=VPC_NETWORK \
   --service=servicenetworking.googleapis.com

Enabling VPC Service Controls is essential for routing internet traffic through either an on-premises connection or VPC in your project.

When VPC Service Controls are enabled, Google Cloud makes the following routing changes in the service producer VPC network (in this case, the service tenant project peered with VMware Engine):

  • Removes the IPv4 default route (destination 0.0.0.0/0, next hop default internet gateway).
  • Begins forwarding internet traffic using the VPC peering default route.

Example:

To enable VPC Service Controls for a connection peering a network named "my-network" on the current project, use the gcloud services vpc-peerings enable-vpc-service-controls command:

gcloud services vpc-peerings enable-vpc-service-controls \
    --network=my-network \
    --service=servicenetworking.googleapis.com

Disable routing internet traffic through an on-premises connection

To disable routing internet traffic from your workload VMs through an on-premises connection, stop advertising the default route (0.0.0.0/0) and disable VPC Service Controls on the VPC peering connection.

If using a Legacy VMware Engine network: to disable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine, use the gcloud services vpc-peerings disable-vpc-service-controls command:

gcloud services vpc-peerings disable-vpc-service-controls \
    --network=VPC_NETWORK_NAME \
    --service=servicenetworking.googleapis.com
