Setting up private service access

Private service access is a private connection between your VPC network and networks in VMware Engine. This page explains how to set up private service access to Google Cloud VMware Engine and connect your VPC to your private cloud.

Private service access enables the following behavior:

  • Communication over internal IP addresses only between virtual machine (VM) instances in your VPC network and the VMware VMs. VM instances don't need internet access or external IP addresses to reach services that are available through private service access.
  • Communication between VMware VMs and Google Cloud services that support private service access, using internal IP addresses.
  • Reuse of existing on-premises connections to reach your VMware Engine private cloud, if you already have on-premises connectivity to your VPC network through Cloud VPN or Cloud Interconnect.

You can set up private service access independently of VMware Engine private cloud creation. The private connection can be created before or after creation of the private cloud to which you want to connect your VPC.

In a given region, you can set up at most 100 unique routes from VMware Engine to your VPC network using private service access. This includes, for example, private cloud management addresses, NSX-T workload segments, and HCX network addresses.

Before you begin

  1. You must have an existing VPC network to use when connecting to VMware Engine.
  2. If you have on-premises connectivity based on Cloud VPN, select the VPC network that is connected to your Cloud VPN session. If you have on-premises connectivity based on Cloud Interconnect, select the VPC network where your Cloud Interconnect VLAN attachment terminates.
  3. Activate the Service Networking API in your project.
  4. Project owners and IAM members with the Network Admin role can create allocated IP ranges and manage private connections. For more information, see IAM roles and permissions.
  5. You must allocate address ranges for the private service connection, for private cloud management, and for workload network segments. Choosing these ranges up front ensures that there are no IP address conflicts between your VPC network subnets and the address ranges you use in VMware Engine.
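The following script is an added example and not part of the Google Cloud documentation. It checks the ranges you plan to use in VMware Engine (private service access allocation, private cloud management, workload segments) against the subnet ranges already present in your VPC network, the conflict that step 5 tells you to rule out. All CIDRs in it are constructed sample values; replace them with the output of `gcloud compute networks subnets list` for your own VPC.

```shell
#!/usr/bin/env bash
# Added example (not from the Google Cloud documentation): report any overlap
# between the ranges planned for VMware Engine and existing VPC subnet ranges.
# All CIDRs below are constructed sample values.
set -eu

# ip4_to_int 10.0.0.0 -> 167772160 (dotted quad as a 32-bit integer)
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_bounds 10.0.0.0/24 -> "167772160 167772415" (first and last address)
cidr_bounds() {
  local ip=${1%/*} prefix=${1#*/}
  local base size mask
  base=$(ip4_to_int "$ip")
  size=$(( 1 << (32 - prefix) ))
  mask=$(( 4294967295 ^ (size - 1) ))
  base=$(( base & mask ))          # normalise to the network address
  echo "$base $(( base + size - 1 ))"
}

# cidr_overlap A B -> success (0) if the two ranges share any address
cidr_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  # $1/$2 = first/last of A, $3/$4 = first/last of B
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_ranges "<vmware ranges>" "<vpc subnet ranges>"
# Prints every conflict and fails if at least one was found.
check_ranges() {
  local conflicts=0 v s
  for v in $1; do
    for s in $2; do
      if cidr_overlap "$v" "$s"; then
        echo "CONFLICT: VMware Engine range $v overlaps VPC subnet $s"
        conflicts=$(( conflicts + 1 ))
      fi
    done
  done
  [ "$conflicts" -eq 0 ]
}

# Constructed sample input: private service access allocation, private cloud
# management range and a workload segment, then the VPC's existing subnets.
VMWARE_RANGES="10.0.0.0/24 192.168.10.0/24 10.10.0.0/22"
VPC_SUBNETS="10.0.1.0/24 10.10.1.0/24"

if check_ranges "$VMWARE_RANGES" "$VPC_SUBNETS"; then
  echo "no overlaps; safe to allocate these ranges"
else
  echo "resolve the conflicts above before creating the private connection"
fi
```

With the sample values, the workload segment 10.10.0.0/22 (10.10.0.0 to 10.10.3.255) collides with the existing subnet 10.10.1.0/24 and is reported; the private service access range 10.0.0.0/24 sits next to 10.0.1.0/24 without overlapping. Run the same check between the VMware Engine ranges themselves as well, since management, workload and HCX ranges must not overlap each other either.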

Shared VPC

If you use Shared VPC, create the allocated IP range and private connection in the host project. Typically, a network administrator in the host project must do these tasks. VM instances in service projects can use the private connection after the host project is set up.

Create a private connection

  1. Allocate an address range in your VPC network that is reserved for Google Cloud services connected through private service access, as described in Configuring private service access. The range must not overlap with any existing subnet.
  2. Follow the steps described in Creating a private connection.
  3. When you successfully create a private connection, a connection with the name servicenetworking-googleapis-com is listed in your VPC's private service connections table.
  4. Enable import and export of custom routes on the servicenetworking-googleapis-com private connection. Without this, routes to the private cloud are not exchanged over the peering. For more information, see Updating a peering connection.
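The four steps above, as an added example in gcloud form; this script is not part of the Google Cloud documentation. Project, network and range names are placeholders, and the address range is a constructed sample value. The commands use `gcloud compute addresses create`, `gcloud services vpc-peerings connect` and `gcloud compute networks peerings update` with their documented flags; the `GCLOUD` variable exists only so you can set `GCLOUD=echo` to preview the commands before running them against a real project.

```shell
#!/usr/bin/env bash
# Added example (not from the Google Cloud documentation): create the private
# service access connection for VMware Engine from the command line.
# Placeholder values; override them through the environment.
set -eu

GCLOUD=${GCLOUD:-gcloud}                      # set GCLOUD=echo for a dry run
PROJECT=${PROJECT:-my-host-project}           # host project when using Shared VPC
NETWORK=${NETWORK:-my-vpc}                    # the VPC that is peered / carries your VPN or Interconnect
RANGE_NAME=${RANGE_NAME:-vmware-engine-psa}   # name of the allocated range
RANGE_CIDR=${RANGE_CIDR:-10.0.0.0}            # constructed sample value
RANGE_PREFIX=${RANGE_PREFIX:-24}

# "Before you begin" step 3: the Service Networking API must be enabled.
enable_service_networking() {
  "$GCLOUD" services enable servicenetworking.googleapis.com --project="$PROJECT"
}

# Step 1: reserve an internal range for services reached via private service access.
allocate_range() {
  "$GCLOUD" compute addresses create "$RANGE_NAME" \
    --global --purpose=VPC_PEERING \
    --addresses="$RANGE_CIDR" --prefix-length="$RANGE_PREFIX" \
    --network="$NETWORK" --project="$PROJECT"
}

# Step 2: create the private connection; this produces the
# servicenetworking-googleapis-com peering (step 3).
create_private_connection() {
  "$GCLOUD" services vpc-peerings connect \
    --service=servicenetworking.googleapis.com \
    --ranges="$RANGE_NAME" --network="$NETWORK" --project="$PROJECT"
}

# Step 4: exchange custom routes over the peering so private cloud routes propagate.
enable_custom_routes() {
  "$GCLOUD" compute networks peerings update servicenetworking-googleapis-com \
    --network="$NETWORK" --import-custom-routes --export-custom-routes \
    --project="$PROJECT"
}

# Shows the peering; the peered network self-link carries the project ID
# that the VMware Engine portal asks for as the Tenant project ID.
list_peerings() {
  "$GCLOUD" compute networks peerings list --network="$NETWORK" --project="$PROJECT"
}

# project_from_network_url URL -> project ID embedded in a network self-link,
# e.g. .../projects/<id>/global/networks/servicenetworking -> <id>
project_from_network_url() {
  printf '%s\n' "$1" | sed -n 's#.*/projects/\([^/]*\)/global/networks/.*#\1#p'
}

main() {
  enable_service_networking
  allocate_range
  create_private_connection
  enable_custom_routes
  list_peerings
}

# Only run against the project when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run the script with `--apply` to perform the steps; run `GCLOUD=echo ./script.sh --apply` first to see the exact commands. The peering update is the step most often forgotten: without custom route import and export, the connection exists but no routes to the private cloud appear in your VPC.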

Complete private connection creation in the VMware Engine portal

  1. Navigate to the VPC Network Peering screen. A VPC network peering connection with name servicenetworking-googleapis-com is listed in the peering table.
  2. Copy the Peered project ID so that you can use it while setting up a private connection in the VMware Engine portal.
  3. Access the VMware Engine portal.
  4. Navigate to Network > Private connection.
  5. Click Add network connection.
  6. In the Tenant project ID field, paste the Peered project ID that you copied earlier.
  7. Select the VMware Engine region to connect to.
  8. Click Submit.

When the Region status is Connected, you can select the private connection by its Tenant project ID for the corresponding region. The Private connection details page displays the routes learned over VPC peering. Exported routes lists the private cloud routes learned from the region and exported over VPC peering; if it is empty, confirm that custom route import and export are enabled on the servicenetworking-googleapis-com peering.