Configuring internet access for workload VMs

You configure the internet access network service for your Google Cloud VMware Engine workloads on a per-region basis. You can direct internet-bound traffic from your VMware workloads by using Google Cloud's internet edge or an on-premises connection. By default, the internet access network service is disabled.

Before you begin

The steps in this document assume that you first do the following:

  • Create your private cloud. If you want to use an on-premises connection for workload internet access, your private cloud must exist before you enable VPC service controls. Otherwise, private cloud creation using the associated VPC might fail to respond or fail entirely.
  • Define an edge services CIDR address range. When you enable the internet access or public IP network services, gateways deploy in the service tenant context. Use the edge services CIDR address range for addressing VMware Engine internet and public IP gateways.

    The address range must meet the following requirements:

    • Comply with RFC 1918 as a private range.
    • Have no overlap with any other VMware Engine address ranges, such as the address range used for management appliances or NSX-T segments.
    • Have no overlap with any address ranges being advertised to VMware Engine, such as those used for Virtual Private Cloud (VPC) network subnets or on-premises networks.
    • Dedicate an IP address range with 26 subnet mask bits (/26).
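The following is an added example, not code from the Google Cloud documentation: a small pre-flight check that tests a candidate edge services CIDR against the four requirements above before you type it into the portal. The ranges in EXISTING_RANGES are constructed placeholders standing in for your management appliance range, NSX-T segments, VPC subnets and on-premises prefixes; substitute the real values for your deployment.

```python
import ipaddress
from typing import Iterable, List

# The three ranges RFC 1918 reserves for private use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed placeholders for ranges that must not overlap the edge services CIDR:
# management appliances, an NSX-T segment, a VPC subnet and an on-premises prefix.
EXISTING_RANGES = [
    "192.168.0.0/24",   # hypothetical management appliance range
    "10.10.0.0/24",     # hypothetical NSX-T workload segment
    "10.20.0.0/20",     # hypothetical VPC subnet advertised to VMware Engine
    "172.16.0.0/16",    # hypothetical on-premises network advertised over VPN/Interconnect
]


def validate_edge_services_cidr(candidate: str, existing_ranges: Iterable[str]) -> List[str]:
    """Return the list of requirement violations for `candidate`.

    An empty list means the range satisfies all four requirements listed above.
    """
    problems: List[str] = []
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.0.0.1/26.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR network: {exc}"]

    if net.version != 4:
        return [f"{net} is not an IPv4 range"]

    # Requirement 1: must sit inside one of the RFC 1918 private ranges.
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net} is not within an RFC 1918 private range")

    # Requirement 4: exactly 26 subnet mask bits.
    if net.prefixlen != 26:
        problems.append(f"{net} uses a /{net.prefixlen} mask; a /26 is required")

    # Requirements 2 and 3: no overlap with any other VMware Engine or advertised range.
    for other in existing_ranges:
        other_net = ipaddress.ip_network(other, strict=False)
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps {other_net}")

    return problems


if __name__ == "__main__":
    for cidr in ("10.0.100.0/26", "10.20.1.0/26", "10.0.100.0/24", "8.8.8.0/26"):
        result = validate_edge_services_cidr(cidr, EXISTING_RANGES)
        print(cidr, "OK" if not result else "; ".join(result))
```

Overlap is checked with `ipaddress.overlaps`, so a candidate that is either a subnet or a supernet of an existing range is rejected; both cases would break routing in the same way.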

Enabling the internet access service in a region

  1. Access the VMware Engine portal.
  2. Go to Network > Regional settings.
  3. In the row corresponding to the region of interest, select Edit. If the region is not listed in the summary table, add the region by clicking Add region.
  4. Toggle Internet access to Enabled.
    • You can enable internet access and leave public IP service disabled. If you do so, point-to-site VPN and public IP allocation are not available.
  5. In the Edge Services CIDR field, enter the address range to use when addressing the VMware Engine internet gateway (/26 address range).
  6. Click Submit.

The status for the service changes to Enabled when the operation is complete, usually after several minutes.

Access to Google Cloud services using Private Google Access stays within Google Cloud networks and does not exit to the internet.

Disabling the internet access service in a region

  1. Access the VMware Engine portal.
  2. Go to Network > Regional settings.
  3. In the row corresponding to the region of interest, select Edit.
  4. Toggle Internet access to Disabled.
    • You must disable public IP service before you can disable internet access.
    • You must delete any allocated public IP addresses and point-to-site VPN gateways before you can disable public IP service.
  5. Click Submit.

The status for the service changes to Disabled when the operation is complete, usually after several minutes.

Use an on-premises connection for workload internet access

To access Google Cloud services using Private Google Access methods, enable VPC service controls on your VPC peering connection.

  1. Ensure that default route (0.0.0.0/0) is advertised from on-premises over an on-premises connection (Cloud VPN or Cloud Interconnect). Check the Cloud VPN gateway or Cloud Router where the on-premises connection to your VPN terminates.
  2. Access the VMware Engine portal.
  3. Go to Network > Regional settings.
  4. Click the Edit icon for the region where you want to enable internet access using an on-premises connection.
  5. Toggle Public IP to Disabled.
  6. Toggle Internet access to Disabled.
  7. Click Submit.

  8. Enable VPC service controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:

    gcloud services vpc-peerings enable-vpc-service-controls \
       --network=VPC_NETWORK \
       --service=servicenetworking.googleapis.com
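Step 1 of this procedure is the one that is easy to get wrong silently: if the default route is not actually being learned from on-premises, workloads lose internet access as soon as the regional service is disabled. The following is an added example, not part of the Google Cloud documentation, that checks the output of `gcloud compute routers get-status --format=json` for a BGP-learned 0.0.0.0/0 route and confirms its next hop belongs to a peer whose session is up. The JSON shape (`result.bestRoutes[].destRange`, `result.bgpPeerStatus[].status`) is an assumption about the command's output, and the sample document below is constructed for the example.

```python
import ipaddress
import json
from typing import Any, Dict

# Constructed sample of `gcloud compute routers get-status --format=json` output.
# The field layout is assumed; compare it with what your Cloud Router actually returns.
SAMPLE_ROUTER_STATUS = json.dumps({
    "kind": "compute#routerStatusResponse",
    "result": {
        "bestRoutes": [
            {"destRange": "172.16.0.0/16", "nextHopIp": "169.254.10.2",
             "priority": 100, "routeType": "BGP"},
            {"destRange": "0.0.0.0/0", "nextHopIp": "169.254.10.2",
             "priority": 100, "routeType": "BGP"},
        ],
        "bgpPeerStatus": [
            {"name": "onprem-peer", "peerIpAddress": "169.254.10.2",
             "state": "Established", "status": "UP"},
        ],
    },
})

# Same document with the default route missing: the failure case to detect before step 6.
SAMPLE_WITHOUT_DEFAULT = json.dumps({
    "kind": "compute#routerStatusResponse",
    "result": {
        "bestRoutes": [
            {"destRange": "172.16.0.0/16", "nextHopIp": "169.254.10.2",
             "priority": 100, "routeType": "BGP"},
        ],
        "bgpPeerStatus": [
            {"name": "onprem-peer", "peerIpAddress": "169.254.10.2",
             "state": "Established", "status": "UP"},
        ],
    },
})

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def check_default_route(router_status_json: str) -> Dict[str, Any]:
    """Report whether a BGP-learned 0.0.0.0/0 route is present and reachable.

    Returns a dict with:
      default_route_present - True if any BGP best route covers exactly 0.0.0.0/0
      next_hops             - next-hop addresses of those default routes
      next_hops_via_up_peer - the subset whose address matches a BGP peer with status UP
      safe_to_proceed       - True only if at least one default route comes via an UP peer
    """
    status = json.loads(router_status_json)
    result = status.get("result", {})

    up_peers = {
        peer.get("peerIpAddress")
        for peer in result.get("bgpPeerStatus", [])
        if peer.get("status") == "UP"
    }

    next_hops = []
    for route in result.get("bestRoutes", []):
        if route.get("routeType") != "BGP":
            continue  # only routes learned from on-premises count for this check
        if ipaddress.ip_network(route["destRange"]) == DEFAULT_ROUTE:
            next_hops.append(route.get("nextHopIp"))

    via_up_peer = [hop for hop in next_hops if hop in up_peers]
    return {
        "default_route_present": bool(next_hops),
        "next_hops": next_hops,
        "next_hops_via_up_peer": via_up_peer,
        "safe_to_proceed": bool(via_up_peer),
    }


if __name__ == "__main__":
    print(check_default_route(SAMPLE_ROUTER_STATUS))
    print(check_default_route(SAMPLE_WITHOUT_DEFAULT))
```

To run it against a live router, replace the constructed document with the output of `gcloud compute routers get-status ROUTER_NAME --region=REGION --format=json` and proceed to disable the regional internet access service only when `safe_to_proceed` is true.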

Disable internet access by using an on-premises connection

To disable routing internet traffic by using an on-premises connection, stop advertising the default route (0.0.0.0/0) and disable VPC service controls on the VPC peering connection.

To disable VPC service controls on the VPC peering connection between your VPC network and VMware Engine, use the gcloud services vpc-peerings disable-vpc-service-controls command:

gcloud services vpc-peerings disable-vpc-service-controls \
    --network=VPC_NETWORK \
    --service=servicenetworking.googleapis.com
