Set up private services access
Private services access is a private connection between your Virtual Private Cloud (VPC) network and networks in VMware Engine. This page explains how to set up private services access to Google Cloud VMware Engine and connect your VPC network to your private cloud.
Private services access enables the following behavior:
- Exclusive communication by internal IP address for virtual machine (VM) instances in your VPC network and VMware VMs. VM instances don't need internet access or external IP addresses to reach services that are available through private services access.
- Communication between VMware VMs and Google Cloud-supported services, which support private services access using internal IP addresses.
- Use of existing on-premises connections to connect to your VMware Engine private cloud, if you have on-premises connectivity using Cloud VPN or Cloud Interconnect to your VPC network.
You can set up private services access independently of VMware Engine private cloud creation. The private connection can be created before or after creation of the private cloud to which you want to connect your VPC network.
Make sure that you have the following role or roles on the project: Compute > Network Admin
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the project.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the project.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Before you begin
- Locate the Peered project ID of your VPC network by doing the following:
  - In the Google Cloud console, go to VPC network peering. A VPC network peering connection with the name servicenetworking-googleapis-com is listed in the peering table.
  - Copy the Peered project ID so that you can use it while setting up a private connection in the VMware Engine portal.
- Select a VPC network to connect to your private services access from the available options.
  - If you use Cloud VPN for on-premises connectivity: select the VPC network that is connected to your Cloud VPN session.
  - If you use Cloud Interconnect for on-premises connectivity: select the VPC network where your Cloud Interconnect VLAN attachment terminates.
- Activate the Service Networking API in your project.
- Project owners and IAM principals with the Compute Network Admin role (roles/compute.networkAdmin) can create allocated IP ranges and manage private connections.
- Enter address ranges for the private service connection, for private cloud management, and for workload network segments. This ensures that there are no IP address conflicts between your VPC network subnets and the IP addresses you use in VMware Engine.
Multi-VPC connectivity
VMware Engine lets you access the same private cloud from different VPC networks without the need to change any existing VPC architectures deployed in Google Cloud. For example, multi-VPC connectivity is useful when you have separate VPC networks for testing and development.
This situation requires VPC networks to communicate with VMware VMs or other destination addresses in separate vSphere resource groups on the same private cloud or across multiple private clouds.
By default, you can peer 3 VPC networks per region. This peering limit includes the VPC peering used by the internet access network service. To increase this limit, contact Cloud Customer Care.
Shared VPC
If you use Shared VPC, create the allocated IP range and private connection in the host project. Typically, a network administrator in the host project must do these tasks. VM instances in service projects can use the private connection after the host project is set up.
Create a private connection
To create a private connection, you must first create a Compute Engine VPC network and a private services access connection. To do this using the Google Cloud CLI, do the following:
Create a VPC network by running the gcloud compute networks create command:
gcloud compute networks create NETWORK_ID-vpc \
    --subnet-mode=custom
Replace the following:
NETWORK_ID: the network ID for this request.
Create a reserved range by running the gcloud compute addresses create command:
gcloud compute addresses create RESERVED_RANGE_ID-range \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=24 \
    --description="DESCRIPTION" \
    --network=NETWORK_ID-vpc
Replace the following:
RESERVED_RANGE_ID: the reserved range ID for this request.
DESCRIPTION: a description for this reserved range.
NETWORK_ID: the network ID of the VPC network you created in the previous step.
Optional: If you want to find the service networking tenant project (SNTP) and the tenant VPC network for the private connection, run the gcloud compute networks peerings list command:
gcloud compute networks peerings list \
    --network=NETWORK_ID-vpc
Find the SNTP in the PEER_PROJECT column and the tenant VPC network (SNVPC) in the PEER_NETWORK column.
Create a private connection with the PRIVATE_SERVICE_ACCESS type and GLOBAL routing mode using the Google Cloud CLI or the VMware Engine API:
gcloud
Create a private connection by running the gcloud vmware private-connections create command:
gcloud vmware private-connections create PRIVATE_CONNECTION_ID \
    --location=REGION \
    --description="" \
    --vmware-engine-network=REGION-default \
    --service-project=SERVICE_NETWORKING_TENANT_PROJECT \
    --type=PRIVATE_SERVICE_ACCESS \
    --routing-mode=GLOBAL
Replace the following:
PRIVATE_CONNECTION_ID: the private connection ID for this request.
REGION: the region to create this network in.
SERVICE_NETWORKING_TENANT_PROJECT: the project name for this service networking tenant VPC. You can find the SNTP in the PEER_PROJECT column of the peering named servicenetworking-googleapis-com.
Optional: If you want to list your private connections, run the gcloud vmware private-connections list command:
gcloud vmware private-connections list \
    --location=REGION
Replace the following:
REGION: the region of the network to list.
API
To create a private connection using the VMware Engine API, do the following:
Create a private connection by making a POST request:
POST "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/privateConnections?private_connection_id=PRIVATE_CONNECTION_ID" -d '{
  "description": "My first private connection",
  "vmware_engine_network": "projects/PROJECT_ID/locations/REGION/vmwareEngineNetworks/REGION-default",
  "type": "PRIVATE_SERVICE_ACCESS",
  "routing_mode": "GLOBAL",
  "service_network": "projects/SERVICE_NETWORKING_TENANT_PROJECT/global/networks/servicenetworking"
}'
Replace the following:
PROJECT_ID: the project name for this request.
PRIVATE_CONNECTION_ID: the private connection ID for this request.
REGION: the region to create this private connection in.
SERVICE_NETWORKING_TENANT_PROJECT: the project name for this service networking tenant VPC. You can find the SNTP in the PEER_PROJECT column of the peering named servicenetworking-googleapis-com.
Optional: If you want to list your private connections, make a GET request:
GET "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/privateConnections"
Replace the following:
PROJECT_ID: the project name for this request.
REGION: the region to list the private connections in.
Edit a private connection
You can edit a private connection using the Google Cloud CLI or VMware Engine API. The following example changes the description and updates the routing mode to REGIONAL:
gcloud
Edit a private connection by running the gcloud vmware private-connections update command:
gcloud vmware private-connections update PRIVATE_CONNECTION_ID \
    --location=REGION \
    --description="Updated description for the private connection" \
    --routing-mode=REGIONAL
Replace the following:
PRIVATE_CONNECTION_ID: the private connection ID for this request.
REGION: the region to update this private connection in.
API
To edit a private connection using the VMware Engine API, make a PATCH request:
PATCH "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/privateConnections/PRIVATE_CONNECTION_ID?update_mask=description,routing_mode" -d '{
  "description": "Updated description for the private connection",
  "routing_mode": "REGIONAL"
}'
Replace the following:
PROJECT_ID: the project name for this request.
REGION: the region to update this private connection in.
PRIVATE_CONNECTION_ID: the private connection ID for this request.
Describe a private connection
To get a description of any private connection using the Google Cloud CLI or VMware Engine API, do the following:
gcloud
Get a description of a private connection by running the gcloud vmware private-connections describe command:
gcloud vmware private-connections describe PRIVATE_CONNECTION_ID \
    --location=REGION
Replace the following:
PRIVATE_CONNECTION_ID: the private connection ID for this request.
REGION: the region of the private connection.
API
To get a description of a private connection using the VMware Engine API, make a GET request:
GET "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/privateConnections/PRIVATE_CONNECTION_ID"
Replace the following:
PROJECT_ID: the project name for this request.
PRIVATE_CONNECTION_ID: the private connection ID for this request.
REGION: the region of the private connection.
List peering routes for a private connection
To list peering routes exchanged for a private connection using the Google Cloud CLI or VMware Engine API, do the following:
gcloud
List peering routes exchanged for a private connection by running the gcloud vmware private-connections routes list command:
gcloud vmware private-connections routes list \
    --private-connection=PRIVATE_CONNECTION_ID \
    --location=REGION
Replace the following:
PRIVATE_CONNECTION_ID: the private connection ID for this request.
REGION: the region of the private connection.
API
To list peering routes exchanged for a private connection using the VMware Engine API, make a GET request:
GET "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/privateConnections/PRIVATE_CONNECTION_ID/peeringRoutes"
Replace the following:
PROJECT_ID: the project name for this request.
REGION: the region of the private connection.
PRIVATE_CONNECTION_ID: the private connection ID for this request.
Routing limits
The maximum number of routes that a private cloud can receive is 200. For example, those routes can come from on-premises networks, peered VPC networks, and other private clouds in the same VPC network. This route limit corresponds to the Cloud Router maximum number of custom route advertisements per BGP session limit.
In a given region, you can advertise at most 100 unique routes from VMware Engine to your VPC network using private services access. For example, those unique routes include private cloud management IP address ranges, NSX-T workload network segments, and HCX network IP address ranges. This route limit includes all private clouds in the region and corresponds to the Cloud Router learned route limit.
For information about routing limits, see Cloud Router Quotas and limits.
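The address-range requirement in Before you begin and the two route limits above can both be checked before anything is created. The following Python is an added example, not Google's own tooling: it flags overlapping CIDRs in a planned layout, confirms the reserved range uses the /24 prefix from the gcloud compute addresses create step, and compares planned route counts with the 200 and 100 limits. The sample plan, its labels and its route counts are constructed.

```python
import ipaddress
from itertools import combinations

# Limits quoted in the "Routing limits" section of this page.
MAX_ROUTES_RECEIVED_PER_PRIVATE_CLOUD = 200  # Cloud Router custom advertisements per BGP session
MAX_ROUTES_ADVERTISED_PER_REGION = 100       # Cloud Router learned-route limit

# Constructed sample plan: labels and CIDRs are hypothetical.
SAMPLE_PLAN = {
    "vpc-subnet-us-central1": "10.10.0.0/20",
    "psa-reserved-range": "10.20.0.0/24",      # the --purpose=VPC_PEERING allocation
    "private-cloud-management": "10.30.0.0/22",
    "nsx-workload-segment-a": "10.40.0.0/24",
    "nsx-workload-segment-b": "10.10.8.0/24",  # collides with the VPC subnet
}


def find_overlaps(plan):
    """Return every pair of labels whose CIDRs overlap.

    Any overlap between VPC subnets and the ranges used on the VMware Engine
    side (PSA allocation, management, workload segments) makes routing across
    the peering ambiguous, so the whole plan must be conflict-free."""
    nets = {label: ipaddress.ip_network(cidr, strict=True) for label, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def psa_range_matches_prefix(cidr, prefix_length=24):
    """The reserved range on this page is created with --prefix-length=24."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen == prefix_length


def check_route_limits(routes_received, routes_advertised_in_region):
    """Report which of the page's two route limits a plan would exceed."""
    problems = []
    if routes_received > MAX_ROUTES_RECEIVED_PER_PRIVATE_CLOUD:
        problems.append(f"private cloud would receive {routes_received} routes "
                        f"(limit {MAX_ROUTES_RECEIVED_PER_PRIVATE_CLOUD})")
    if routes_advertised_in_region > MAX_ROUTES_ADVERTISED_PER_REGION:
        problems.append(f"region would advertise {routes_advertised_in_region} routes "
                        f"(limit {MAX_ROUTES_ADVERTISED_PER_REGION})")
    return problems


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_PLAN):
        print(f"CONFLICT: {a} ({SAMPLE_PLAN[a]}) overlaps {b} ({SAMPLE_PLAN[b]})")
    print("PSA range is a /24:", psa_range_matches_prefix(SAMPLE_PLAN["psa-reserved-range"]))
    for problem in check_route_limits(routes_received=150, routes_advertised_in_region=40):
        print("LIMIT:", problem)
```

Run it against your real subnet list and the ranges you plan to enter in the VMware Engine portal; an empty result from find_overlaps is the precondition the Before you begin section asks for.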
Troubleshooting
The following video shows how to verify and troubleshoot peering connection issues between a Google Cloud VPC network and Google Cloud VMware Engine.