Setting up private services access

Private services access is a private connection between your Virtual Private Cloud (VPC) network and networks in VMware Engine. This page explains how to set up private services access to Google Cloud VMware Engine and connect your VPC network to your private cloud.

Private services access enables the following behavior:

  • Exclusive communication by internal IP address for virtual machine (VM) instances in your VPC network and VMware VMs. VM instances don't need internet access or external IP addresses to reach services that are available through private services access.
  • Communication, using internal IP addresses, between VMware VMs and the Google Cloud services that support private services access.
  • Use of existing on-premises connections to connect to your VMware Engine private cloud, if you have on-premises connectivity using Cloud VPN or Cloud Interconnect to your VPC network.

You can set up private services access independently of VMware Engine private cloud creation. The private connection can be created before or after creation of the private cloud to which you want to connect your VPC network.

Before you begin

  1. You must have an existing VPC network to use when connecting to VMware Engine.
  2. If you have on-premises connectivity based on Cloud VPN, select the VPC network that is connected to your Cloud VPN session. If you have on-premises connectivity based on Cloud Interconnect, select the VPC network where your Cloud Interconnect VLAN attachment terminates.
  3. Activate the Service Networking API in your project.
  4. Project owners and IAM principals with the Compute Network Admin role (roles/compute.networkAdmin) can create allocated IP ranges and manage private connections.
  5. You must allocate address ranges for the private service connection, for private cloud management, and for workload network segments. This ensures that there are no IP address conflicts between your VPC network subnets and the IP addresses you use in VMware Engine.
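Step 5 asks you to allocate three kinds of ranges that must not collide with each other or with your VPC subnets. The following script is an added example (not part of this page and not a Google Cloud tool) that checks an address plan for exactly that before anything is created; the subnet and range values in it are constructed for illustration, and the names are hypothetical.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample address plan (illustrative values, not from the page):
# ranges a VPC network already uses, plus the three kinds of ranges that
# must be allocated for VMware Engine (private connection, private cloud
# management, workload network segments).
VPC_SUBNETS = {
    "subnet-us-central1": "10.0.0.0/20",
    "subnet-us-east1": "10.0.16.0/20",
}
VMWARE_RANGES = {
    "private-services-access": "10.10.0.0/24",   # range allocated for the private connection
    "private-cloud-management": "192.168.0.0/22",
    "workload-segment-app": "10.20.0.0/24",
    "workload-segment-db": "10.20.1.0/24",
}


def parse_ranges(named_ranges: Dict[str, str], prefix: str):
    """Parse CIDR strings, returning (parsed networks, error messages).
    strict=True rejects strings such as 10.0.0.1/24 whose host bits are set,
    which is the usual sign of a typo in an address plan."""
    nets, errors = {}, []
    for name, cidr in named_ranges.items():
        try:
            nets[f"{prefix}:{name}"] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{prefix}:{name}: {exc}")
    return nets, errors


def find_overlaps(nets) -> List[Tuple[str, str]]:
    """Return every pair of names whose ranges overlap. Ranges are compared
    pairwise, so two VMware ranges that collide with each other are reported
    just like a collision with a VPC subnet."""
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def check_plan(vpc_subnets: Dict[str, str], vmware_ranges: Dict[str, str]):
    """Validate a full plan. Returns {'errors': [...], 'overlaps': [...]};
    both lists empty means the plan is free of conflicts."""
    vpc_nets, errors = parse_ranges(vpc_subnets, "vpc")
    vmw_nets, more = parse_ranges(vmware_ranges, "vmware")
    errors += more
    overlaps = find_overlaps({**vpc_nets, **vmw_nets})
    return {"errors": errors, "overlaps": overlaps}


if __name__ == "__main__":
    result = check_plan(VPC_SUBNETS, VMWARE_RANGES)
    for err in result["errors"]:
        print("invalid range:", err)
    for a, b in result["overlaps"]:
        print(f"conflict: {a} overlaps {b}")
    if not result["errors"] and not result["overlaps"]:
        print("address plan has no conflicts")
```

Run it against the real subnet list exported from your project and the ranges you intend to allocate; any reported overlap means the allocation in step 5 would collide with an existing subnet and should be re-planned before creating the private connection.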

Multi-VPC connectivity

VMware Engine lets you access the same private cloud from different VPC networks without the need to change any existing VPC architectures deployed in Google Cloud. For example, multi-VPC connectivity is useful when you have separate VPC networks for testing and development. This situation requires VPC networks to communicate with VMware VMs or other destination addresses in separate vSphere resource groups on the same private cloud or across multiple private clouds.

By default, you can peer 3 VPC networks per region. This peering limit includes the VPC peering used by the internet access network service. To increase this limit, contact Cloud Customer Care.

Shared VPC

If you use Shared VPC, create the allocated IP range and private connection in the host project. Typically, a network administrator in the host project must do these tasks. VM instances in service projects can use the private connection after the host project is set up.

Create a private connection

  1. Allocate address ranges for VPC networks shared between Google Cloud service producers, as described in Configuring private services access.
  2. Follow the steps described in Creating a private connection.
  3. When you successfully create a private connection, a connection with the name servicenetworking-googleapis-com is listed in your VPC network's private service connections table.
  4. Enable import/export custom routes on the servicenetworking-googleapis-com private connection. For more information, see Updating a peering connection.

Complete private connection creation in the VMware Engine portal

  1. In the Google Cloud console, go to VPC network > VPC network peering. A VPC network peering connection with name servicenetworking-googleapis-com is listed in the peering table.
  2. Copy the Peered project ID so that you can use it while setting up a private connection in the VMware Engine portal.
  3. Access the VMware Engine portal.
  4. Go to Network > Private connection.
  5. Click Add Private Connection.
  6. In the Peer Project ID and Peer Project Number fields, enter the project ID and number of the Google Cloud project containing the VPC network you want to peer. For details on getting these values, see Identifying projects.
  7. In the Peer VPC ID field, enter the name of the VPC network you want to peer to. See Viewing networks for details on getting the ID of your VPC network.
  8. In the Tenant project ID field, paste the Peered project ID that you copied in step 2.
  9. Select the VMware Engine region to connect to.
  10. Select the routing mode for this VPC network peering connection. In most cases, we recommend the global routing mode. If you don't want Google services peered with your VPC network to communicate across regions, select the regional routing mode instead. This selection overrides the existing routing mode.
  11. Click Submit.

When the Region status is Connected, you can select the private connection for the corresponding region. The Private connection details page displays the routing mode of the private connection and any routes learned over VPC peering.

Exported routes shows private clouds learned from the region and exported over VPC peering. When multiple VPC networks are peered to the same VMware Engine regional network, routes received from one VPC network are not advertised to the other VPC network.

Removing private services access

To delete your private connection, first delete the private connections in the VMware Engine portal:

  1. In the Google Cloud console, go to VPC network > VPC network peering. A VPC network peering connection with name servicenetworking-googleapis-com is listed in the peering table.
  2. Make a note of the Peered project ID.
  3. In the VMware Engine portal, go to Network > Private connection.
  4. Find and delete the private connections whose Tenant project matches the Peered project ID you noted in step 2.

After the private connections you deleted are no longer visible in the list of private connections, you can delete the private connection in the Google Cloud console. Performing this step out of order can result in stale DNS entries in both Cloud projects.

Routing limits

The maximum number of routes that a private cloud can receive is 200. For example, those routes can come from on-premises networks, peered VPC networks, and other private clouds in the same VPC network. This route limit corresponds to the Cloud Router limit on custom route advertisements per BGP session.

In a given region, you can advertise at most 100 unique routes from VMware Engine to your VPC network using private services access. For example, those unique routes include private cloud management IP address ranges, NSX-T workload network segments, and HCX network IP address ranges. This route limit includes all private clouds in the region and corresponds to the Cloud Router learned route limit.
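Because the 100-route advertised limit is counted per region across all private clouds, and the 200-route received limit is counted per private cloud, a route budget is easy to exhaust without noticing. The script below is an added example (not part of this page or of any Google Cloud tooling) that tallies both counts from an inventory of prefixes and flags anything over the limits stated above; the inventory values and the private cloud names are constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Limits stated on this page.
MAX_ROUTES_RECEIVED_PER_PRIVATE_CLOUD = 200
MAX_ROUTES_ADVERTISED_PER_REGION = 100

# Constructed inventory (illustrative, not from the page): per region, the
# prefixes each private cloud advertises to the VPC network (management
# ranges, NSX-T segments, HCX ranges), and per private cloud, the routes it
# receives from each source.
ADVERTISED = {
    "us-central1": {
        "pc-prod": ["192.168.0.0/22", "10.20.0.0/24", "10.20.1.0/24", "10.30.0.0/24"],
        "pc-test": ["192.168.4.0/22", "10.20.0.0/24"],  # shares a segment with pc-prod
    },
}
RECEIVED = {
    "pc-prod": {
        "on-prem": ["172.16.0.0/16", "172.17.0.0/16"],
        "vpc-peers": ["10.0.0.0/20", "10.0.16.0/20"],
        "other-private-clouds": ["192.168.4.0/22"],
    },
}


def unique_prefixes(prefixes: Iterable[str]):
    """Deduplicate prefixes after parsing, so '10.20.0.0/24' listed twice
    counts once, as it does in the route table."""
    return {ipaddress.ip_network(p, strict=True) for p in prefixes}


def advertised_per_region(advertised: Dict[str, Dict[str, List[str]]]) -> Dict[str, int]:
    """Unique routes advertised per region, summed over every private cloud in it."""
    return {
        region: len(unique_prefixes(p for cloud in clouds.values() for p in cloud))
        for region, clouds in advertised.items()
    }


def received_per_private_cloud(received: Dict[str, Dict[str, List[str]]]) -> Dict[str, int]:
    """Unique routes received per private cloud, summed over every source."""
    return {
        pc: len(unique_prefixes(p for source in sources.values() for p in source))
        for pc, sources in received.items()
    }


def check_route_budget(advertised, received) -> List[Tuple[str, int, int]]:
    """Return (scope, count, limit) for every scope that exceeds its limit."""
    findings = []
    for region, n in advertised_per_region(advertised).items():
        if n > MAX_ROUTES_ADVERTISED_PER_REGION:
            findings.append((f"advertised:{region}", n, MAX_ROUTES_ADVERTISED_PER_REGION))
    for pc, n in received_per_private_cloud(received).items():
        if n > MAX_ROUTES_RECEIVED_PER_PRIVATE_CLOUD:
            findings.append((f"received:{pc}", n, MAX_ROUTES_RECEIVED_PER_PRIVATE_CLOUD))
    return findings


if __name__ == "__main__":
    print("advertised per region:", advertised_per_region(ADVERTISED))
    print("received per private cloud:", received_per_private_cloud(RECEIVED))
    for scope, count, limit in check_route_budget(ADVERTISED, RECEIVED):
        print(f"over limit: {scope} has {count} routes, limit {limit}")
```

A useful habit is to run this against the inventory before adding a private cloud or a new peered VPC network to a region, since the advertised count grows with every private cloud in the region, not only with the one you are changing.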

For information about routing limits, see Cloud Router Quotas and limits.