Configuring internet access and public IP service

You can configure internet access and public IP services for your Google Cloud VMware Engine workloads on a per-region basis. You can direct internet-bound traffic from your VMware workloads by using Google Cloud's internet edge or an on-premises connection. This page describes how to configure these options and explains the dependency between internet access and public IP service.

Before you begin

  • Make sure that you have admin access to VMware Engine.
  • To enable internet access, an Edge services CIDR is required. Allocate a /26 CIDR address range. When you enable internet access and public IP service, gateways deploy in the service tenant context. Use this Edge services CIDR for addressing VMware Engine internet and public IP gateways.

Enabling internet access and public IP service in a region

  1. Access the Google Cloud VMware Engine portal.
  2. Select Network > Regional settings. Internet access and public IP service are disabled by default.
  3. In the row corresponding to the region of interest, select Edit. If the region of interest is not listed in the summary table, add the region by clicking Add region.
  4. Toggle the Internet access and Public IP buttons to Enabled.
    • If you want to enable public IP service, internet access must be enabled.
    • You can enable internet access and leave public IP service disabled. If you do so, point-to-site VPN and public IP allocation are not available.
  5. Provide the Edge services CIDR (/26 address range).
  6. Click Submit.

The status for the services changes to Enabled when the operation is complete, usually after several minutes.

Access to Google Cloud services using Private Google Access stays within Google Cloud networks and does not exit to the internet.

Disabling internet access and public IP service in a region

  1. Access the Google Cloud VMware Engine portal.
  2. Select Network > Regional settings. Internet access and public IP service are disabled by default.
  3. In the row corresponding to the region of interest, select Edit.
  4. Toggle the Internet access and Public IP buttons to Disabled.
    • You must disable public IP service before you can disable internet access.
    • You must delete any allocated public IP addresses and point-to-site VPN gateways before you can disable public IP service.
  5. Click Submit.

The status for the services changes to Disabled when the operation is complete, usually after several minutes.
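The dependency rules from the enable and disable procedures above can be checked before you touch the portal. The following pre-flight check is an added example, not code from VMware Engine or Google Cloud: `RegionState`, `check_edge_cidr` and `check_change` are hypothetical names, the sample values are constructed, and rejecting a CIDR whose host bits are set is this example's own choice.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RegionState:
    """Hypothetical model of one region's settings (not a VMware Engine API object)."""
    internet_access: bool = False
    public_ip: bool = False
    allocated_public_ips: int = 0   # public IP addresses still allocated
    p2s_vpn_gateways: int = 0       # point-to-site VPN gateways still present


def check_edge_cidr(cidr: Optional[str]) -> List[str]:
    """Return problems with an Edge services CIDR; an empty list means it is usable."""
    if not cidr:
        return ["an Edge services CIDR is required to enable internet access"]
    try:
        # strict=True rejects host bits, e.g. 10.20.30.10/26 is not a network address
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {cidr!r}: {exc}"]
    if net.prefixlen != 26:
        return [f"{cidr} is a /{net.prefixlen}; a /26 range is required"]
    return []


def check_change(current: RegionState, want_internet: bool, want_public_ip: bool,
                 edge_cidr: Optional[str] = None) -> List[str]:
    """Return every rule the requested toggle change would violate."""
    problems: List[str] = []
    if want_public_ip and not want_internet:
        problems.append("public IP service requires internet access to be enabled")
    if want_internet and not current.internet_access:
        problems += check_edge_cidr(edge_cidr)
    if current.public_ip and not want_public_ip:
        if current.allocated_public_ips:
            problems.append(f"delete {current.allocated_public_ips} allocated public IP address(es) first")
        if current.p2s_vpn_gateways:
            problems.append(f"delete {current.p2s_vpn_gateways} point-to-site VPN gateway(s) first")
    return problems


if __name__ == "__main__":
    live = RegionState(internet_access=True, public_ip=True,
                       allocated_public_ips=2, p2s_vpn_gateways=1)  # constructed sample
    for line in check_change(live, want_internet=False, want_public_ip=False):
        print("BLOCKED:", line)
```
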

Enable internet access by using an on-premises connection

To access Google Cloud services using Private Google Access methods, enable VPC service controls on your VPC peering connection.

  1. Ensure that the default route (0.0.0.0/0) is advertised from on-premises over an on-premises connection (Cloud VPN or Cloud Interconnect). Check the Cloud VPN gateway or Cloud Router where the on-premises connection to your VPN terminates.
  2. Access the Google Cloud VMware Engine portal.
  3. Select Network > Regional settings.
  4. Toggle the Internet access and Public IP buttons to Disabled.
    • You must disable public IP service before you can disable internet access.
    • You must delete any allocated public IP addresses and point-to-site VPN gateways before you can disable public IP service.
  5. Click Submit.
  6. Enable VPC service controls on the VPC peering connection between your VPC and VMware Engine by executing the following gcloud command:

    gcloud alpha services vpc-peerings enable-vpc-service-controls \
        --network=VPC_NETWORK \
        --service=servicenetworking.googleapis.com

Disable internet access by using an on-premises connection

To disable VPC service controls on the VPC peering connection between your VPC and VMware Engine, execute the following gcloud command:

    gcloud alpha services vpc-peerings disable-vpc-service-controls \
        --network=VPC_NETWORK \
        --service=servicenetworking.googleapis.com
