Private services access is a private connection between your VPC network and a network owned by Google or a third party. Google or the third party, entities who are offering services, are also known as service producers. The private connection enables VM instances in your VPC network and the services that you access to communicate exclusively by using internal IP addresses. VM instances don't need Internet access or external IP addresses to reach services that are available through private services access.
To learn more about private services access and other private access options, see Private Access Options for Services.
At a high level, to use private services access, you must allocate an IP address range (CIDR block) in your VPC network and then create a private connection to a service producer.
Before you begin
To establish a private connection, complete the following prerequisites:
- Check that the service you're using supports private services access.
- You must have an existing VPC network that you will use to connect to the service producer's network. VM instances must use this VPC network to connect to services over a private connection.
- Activate the Service Networking API in your project. The API is required to create a private connection.
- Create a Cloud project or choose an existing one. To learn how to create a Cloud project, see Creating and Managing Projects.
- Install the Cloud SDK if you want to run the gcloud command-line examples in this guide.
Permissions
Project owners and IAM members with the Compute Network Admin role (roles/compute.networkAdmin) can create allocated IP address ranges and manage private connections.
For more information about roles, read the VPC IAM roles documentation.
Shared VPC scenario
If you are using Shared VPC, create the allocated IP range and private connection in the host project. Typically, a network administrator in the host project must do these tasks. After the host project is set up, VM instances in service projects can use the private connection.
Quotas and limits
Because a private connection is implemented as a VPC peering connection, the same quota and limits that apply to VPC Network Peering also apply to private services access.
Allocating IP address ranges
Before you create a private connection, you must allocate an IP address range to be used by the service producer's VPC network. This ensures that there's no IP address collision between your VPC network and the service producer's network. Create an allocated range for each service producer.
When you allocate a range in your VPC network, that range is ineligible for subnets (primary and secondary ranges) and destinations of custom static routes.
IP address range size
When a service producer creates a subnet on their side of the connection, an open range from the allocation is selected for the subnet's IP address range.
Each service producer requires a minimum IP address range size. For Google, the minimum size is a single /24 block (256 addresses), but the recommended size is a /16 block (65,536 addresses). The size you choose depends on factors such as the number of services and regions you use. You might use a single service in multiple regions for redundancy scenarios or to reduce latency.
For example, if you use two services in three different regions, the service producer must create 6 subnets, each with a /24 block. If you plan to use additional services or regions, you might quickly exhaust a /20 allocation. If you don't have a contiguous /16 block, you can start with a smaller allocation and add new ones if you need more IP addresses later.
About the service producer's subnet
When you establish a private connection and create a resource with a private IP address, the service creates a subnet in which to provision the resource. The service selects an available IP address range from the allocated range. You cannot select or modify the service producer's subnet IP address range. Even if you delete the private connection or the allocated IP address range, the subnet remains until you delete all resources in the subnet.
As you provision additional resources, the service provisions them in existing regional subnets that it previously created. If a subnet is full, the service creates a new one in that region.
Considerations
Before you allocate an IP address range, consider the following constraints:
- Select a range that doesn't overlap with existing allocated ranges, subnets, or custom static routes. No two ranges can overlap.
- If you're using an auto mode VPC network, you can't create an allocated range that matches or overlaps with 10.128.0.0/9. This range is reserved for automatically created subnets.
- Select a CIDR block that is large enough to meet your current and future needs. If you later find that the range isn't sufficient in size, expand the range if possible. Although you can assign multiple allocations to a single service producer, Google enforces a quota on the number of IP address ranges that you can allocate but not on the size (netmask) of each range.
- Don't reuse the same allocated range for multiple service producers. Although it's possible, doing so can lead to IP address overlap. Each service producer has visibility only into their network and can't know which IP addresses other service producers are using.
- You can only assign one CIDR block to an allocated range when you create the allocation. If you need to expand the IP address range, you can't add more blocks to an allocation. Instead, you can create another allocation or recreate the existing one by using a larger block that encompasses the new and existing ranges.
- If you create the allocation yourself instead of having Google do it (such as through Cloud SQL), you can use the same naming convention to signal to other users or Google services that an allocation for Google already exists. When a Google service allocates a range on your behalf, the service uses the following format to name the allocation: google-managed-services-[your network name]. If this allocation exists, Google services use the existing one instead of creating another one.
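The following Python script is an added example, not part of the Google Cloud documentation or tooling. It applies the considerations above as a pre-flight check before you run gcloud compute addresses create, using only the standard-library ipaddress module. The network inventory (subnet, allocation and custom-route CIDRs for a hypothetical my-vpc-network) is constructed inline; in practice you would pull those CIDRs from gcloud compute networks subnets list, gcloud compute addresses list --global --filter="purpose=VPC_PEERING" and gcloud compute routes list with --format=json. It also includes the containment check you need for the expansion procedure described under Troubleshooting, and a sizing helper for the /24-per-subnet arithmetic from the IP address range size section.

```python
"""Pre-flight checks for a private services access allocation (stdlib only).

Added example; the inventory below is constructed for a hypothetical network.
"""
import ipaddress

# Constructed inventory for a hypothetical VPC network "my-vpc-network".
EXISTING_SUBNETS = ["10.0.0.0/20", "10.0.16.0/20", "172.16.0.0/24"]  # primary and secondary ranges
EXISTING_ALLOCATIONS = {"google-managed-services-my-vpc-network": "192.168.0.0/16"}
CUSTOM_ROUTE_DESTINATIONS = ["10.200.0.0/16"]  # e.g. a static route towards on-premises
AUTO_MODE_RANGE = ipaddress.ip_network("10.128.0.0/9")  # reserved for auto mode subnets


def find_conflicts(candidate, subnets, allocations, route_dests, auto_mode=False):
    """Return (kind, identifier) pairs for everything the candidate CIDR overlaps.

    An empty list means the block is safe to allocate. strict=True rejects a
    CIDR with host bits set (e.g. 192.168.1.0/16) instead of silently masking it.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    conflicts = []
    conflicts += [("subnet", c) for c in subnets
                  if cand.overlaps(ipaddress.ip_network(c))]
    conflicts += [("allocation", name) for name, c in allocations.items()
                  if cand.overlaps(ipaddress.ip_network(c))]
    conflicts += [("custom-route", c) for c in route_dests
                  if cand.overlaps(ipaddress.ip_network(c))]
    if auto_mode and cand.overlaps(AUTO_MODE_RANGE):
        conflicts.append(("auto-mode", str(AUTO_MODE_RANGE)))
    return conflicts


def is_valid_expansion(old_cidr, new_cidr):
    """True when new_cidr is a strictly larger contiguous block containing old_cidr.

    This is the rule for growing an allocation: re-create it with a block that
    still covers every address the producer has already carved out of the old one.
    """
    old = ipaddress.ip_network(old_cidr)
    new = ipaddress.ip_network(new_cidr)
    return old.subnet_of(new) and new.prefixlen < old.prefixlen


def min_allocation_prefix(num_subnets, subnet_prefix=24):
    """Smallest prefix length whose block holds num_subnets producer subnets of /subnet_prefix.

    Six /24 subnets (two services in three regions) need 1536 addresses, so a /21;
    sixteen of them fill a /20 exactly, and the seventeenth forces a /19.
    """
    if num_subnets < 1:
        raise ValueError("need at least one subnet")
    needed = num_subnets * 2 ** (32 - subnet_prefix)
    return 32 - (needed - 1).bit_length()  # ceil(log2(needed))


if __name__ == "__main__":
    for cidr in ("192.168.0.0/16", "10.130.0.0/16", "10.64.0.0/16"):
        result = find_conflicts(cidr, EXISTING_SUBNETS, EXISTING_ALLOCATIONS,
                                CUSTOM_ROUTE_DESTINATIONS, auto_mode=True)
        print(cidr, result or "OK")
```

Run it with the real inventory substituted for the constructed lists; only a candidate that returns an empty conflict list should be passed to gcloud compute addresses create.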
Creating an IP allocation
The following steps describe how to create an allocated IP address range.
Console
- Go to the VPC networks page in the Google Cloud Console.
- Select the VPC network that will connect to a service producer.
- Select the Private service connection tab.
- In the Private service connection tab, select the Allocated IP ranges for services tab.
- Click Allocated IP range.
- Enter a Name and Description for the allocated range.
- Specify an IP range for the allocation:
  - To specify an IP address range, select Custom and then enter a CIDR block, such as 192.168.0.0/16.
  - To specify a prefix length and let Google select an available range, select Automatic and then enter a prefix length, such as 16.
- Click Allocate to create the allocated range.
gcloud
Create an allocated range in your VPC network.
To specify an address range and a prefix length (subnet mask), use the addresses and prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/16, specify 192.168.0.0 for the address and 16 for the prefix length.
gcloud compute addresses create RESERVED_RANGE_NAME \
    --global \
    --purpose=VPC_PEERING \
    --addresses=192.168.0.0 \
    --prefix-length=16 \
    --description="DESCRIPTION" \
    --network=VPC_NETWORK
To specify just a prefix length (subnet mask), use only the prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a 16-bit prefix length.
gcloud compute addresses create RESERVED_RANGE_NAME \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --description="DESCRIPTION" \
    --network=VPC_NETWORK
Replace the following placeholders with relevant values:
RESERVED_RANGE_NAME: a name for the allocated range, such as my-allocated-range.
DESCRIPTION: a description for the range, such as allocated for my-service.
VPC_NETWORK: the name of your VPC network, such as my-vpc-network.
The following example allocates a range for Google in the my-network VPC network, using the google-managed-services-[your network name] naming convention so that Google services reuse it, so that the VM instances in my-network can later use private services access to reach Google services that support it.
gcloud compute addresses create google-managed-services-my-network \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=16 \
    --description="peering range for Google" \
    --network=my-network \
    --project=my-project
Listing allocated IP address ranges
You can list ranges with the --filter flag to see which ranges you can use for private services access. Filter for ranges with the purpose VPC_PEERING, as shown in the following example:
gcloud compute addresses list --global --filter="purpose=VPC_PEERING"
Deleting an allocated IP address range
Before you delete an allocated IP address range, check that no private connection is using it. If one is, first delete the connection or modify it to disassociate the allocated range. If you release a range that a connection still uses, the existing connection remains active, but nothing prevents your VPC network from later creating subnets or routes that overlap with the addresses the service producer is using, and the service can't create new subnets because there's no allocated IP address range to select from.
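As an added example (not from this page or from Google), the following Python performs the check above against the output of gcloud services vpc-peerings list --format=json, which returns one object per connection with a reservedPeeringRanges list of allocation names. The connection records are constructed inline; the project number, network name and the second producer are hypothetical. Because --ranges on gcloud services vpc-peerings update replaces the whole list, the script also computes the range list to pass when you want to drop one range from a connection while keeping its others.

```python
"""Check which private connections still reference an allocated range.

Added example; the connection records below are constructed to look like
`gcloud services vpc-peerings list --network=my-vpc-network --format=json`.
"""
import json

# Constructed sample. Project number, network and the second producer are hypothetical.
SAMPLE_CONNECTIONS = json.loads("""
[
  {
    "network": "projects/123456789012/global/networks/my-vpc-network",
    "peering": "servicenetworking-googleapis-com",
    "reservedPeeringRanges": ["google-managed-services-my-vpc-network", "range2"],
    "service": "services/servicenetworking.googleapis.com"
  },
  {
    "network": "projects/123456789012/global/networks/my-vpc-network",
    "peering": "partner-producer-peering",
    "reservedPeeringRanges": ["partner-range"],
    "service": "services/partner.example.com"
  }
]
""")


def connections_using(range_name, connections):
    """Peering names of every connection whose reservedPeeringRanges lists range_name."""
    return [c["peering"] for c in connections
            if range_name in c.get("reservedPeeringRanges", [])]


def safe_to_delete(range_name, connections):
    """True only when no private connection references the range."""
    return not connections_using(range_name, connections)


def ranges_after_removing(range_name, connection):
    """The --ranges list for `gcloud services vpc-peerings update --force`.

    --ranges replaces the connection's whole list, so to drop one range you must
    pass every other range the connection currently has.
    """
    return [r for r in connection.get("reservedPeeringRanges", []) if r != range_name]


def deletion_plan(range_name, connections):
    """What has to happen before `gcloud compute addresses delete` is safe.

    detach_from maps each blocking peering to the ranges it should keep. An empty
    list means the range is the connection's only one, so the connection itself
    has to be deleted instead of updated.
    """
    blockers = connections_using(range_name, connections)
    return {
        "safe": not blockers,
        "detach_from": {c["peering"]: ranges_after_removing(range_name, c)
                        for c in connections if c["peering"] in blockers},
    }


if __name__ == "__main__":
    for name in ("range2", "partner-range", "stale-range"):
        print(name, deletion_plan(name, SAMPLE_CONNECTIONS))
```

Feed it the real listing with `gcloud services vpc-peerings list --network=VPC_NETWORK --format=json` and only release an allocation whose plan reports safe.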
Console
- Go to the VPC networks page in the Google Cloud Console.
- Select the VPC network that contains the allocations to delete.
- Select the Private service connection tab.
- In the Private service connection tab, select the Allocated IP ranges for services tab.
- Select the allocation to delete.
- Click Release to return the allocated IP address range to the network's pool of available internal IP addresses.
  If the allocated IP address range is still assigned to an existing connection, you must enter additional confirmation before you can release the allocation.
- Click Release again to confirm the deletion.
gcloud
Delete the allocation by specifying the name of your allocation.
gcloud compute addresses delete NAME \
    --global
Creating a private connection
After you create an allocated range, you can create a private connection to a service producer. The private connection establishes a VPC Network Peering connection between your VPC network and the service producer's network.
Private connections are a one-to-one relationship between your VPC network and a service producer. If a single service producer offers multiple services, you only need one private connection for all of the producer's services.
If you connect to multiple service producers, use a unique allocation for each service producer. This practice helps you manage your network settings, such as routes and firewall rules, for each service producer.
Console
- Go to the VPC networks page in the Google Cloud Console.
- Select the VPC network that will connect to a service producer.
- Select the Private service connection tab.
- In the Private service connection tab, select the Private connections to services tab.
- Click Create connection to create a private connection between your network and a service producer.
- For the Assigned allocation, select one or more existing allocated ranges that are not being used by other service producers.
- Click Connect to create the connection.
gcloud
Create a private connection.
gcloud services vpc-peerings connect \
    --service=servicenetworking.googleapis.com \
    --ranges=RESERVED_RANGE_NAME \
    --network=VPC_NETWORK \
    --project=PROJECT_ID
Replace the following placeholders with relevant values:
RESERVED_RANGE_NAME: the name of one or more allocated ranges (comma-separated).
VPC_NETWORK: the name of your VPC network.
PROJECT_ID: the ID of the project that contains your VPC network.
The command initiates a long-running operation, returning an operation name.
Check whether the operation was successful.
gcloud services vpc-peerings operations describe \
    --name=OPERATION_NAME
Replace OPERATION_NAME with the operation name that was returned from the previous step.
You can specify more than one allocated range when you create a private connection. For example, if a range has been exhausted, you can assign additional allocated ranges. The service will use IP addresses from all of the provided ranges in the order that you specified.
Listing private connections
After you create a private connection, you can list it to check that it exists. The list also shows the list of allocated ranges that are associated with each connection. For example, if you don't remember which allocated range you assigned to a connection, view the list to find out.
Console
- Go to the VPC networks page in the Google Cloud Console.
- Select the VPC network that contains the connections.
- Select the Private service connection tab.
- In the Private service connection tab, select the Private connections to services tab to view all the network's private connections.
gcloud
List private connections in your VPC network.
gcloud services vpc-peerings list \
    --network=VPC_NETWORK \
    --project=PROJECT_ID
Replace VPC_NETWORK and PROJECT_ID with the name of your VPC network and the project ID.
Modifying a private connection
For existing private connections, you can add or remove allocated IP address ranges without disrupting traffic. For example, as you scale, you might add an allocated range if you're close to exhausting the existing one.
You cannot remove allocated IP ranges using Google Cloud Console. If you want to remove an allocated range, use the gcloud instructions to modify the connection. When you remove a range from a private connection, the following applies:
- The allocated range is no longer associated with the private connection, but it is not deleted.
- If a removed range is no longer in use, you can delete the allocation.
- Existing service producer resources might continue to use the removed range.
- Private services access will not use the removed ranges to allocate new subnets.
You can also use these gcloud instructions to recreate a deleted private connection using different allocated IP ranges. See Recreating a deleted private connection for more information.
Console
- Go to the VPC networks page in the Google Cloud Console.
- Select the VPC network that contains the connections.
- Select the Private service connection tab.
- In the Private service connection tab, select the Private connections to services tab to view all the network's private connections.
- Click a connection name in the list.
- In the Assigned allocation pull-down menu, select the ranges you want allocated.
- Click OK.
gcloud
Add or remove assigned allocated IP address ranges on an existing private connection.
gcloud services vpc-peerings update \
    --service=servicenetworking.googleapis.com \
    --ranges=RESERVED_RANGE_NAME \
    --network=VPC_NETWORK \
    --project=PROJECT_ID \
    [--force]
Replace the following placeholders with relevant values:
RESERVED_RANGE_NAME: a comma-separated list of one or more names of allocated ranges to assign to the private connection. This list replaces the previous list of allocated ranges: if you omit a range that was previously associated with this private connection, the range is removed from the connection. You must use the --force option to remove a range.
VPC_NETWORK: the name of your VPC network.
PROJECT_ID: the ID of the project that contains your VPC network.
Deleting a private connection
To delete a private connection, you must delete the corresponding VPC peering connection. Your VPC network is disconnected from the service producer's VPC network, and existing resources in both networks remain but lose private services access.
Console
- Go to the VPC networks page in the Google Cloud Console.
- Select the VPC network that contains the connections to delete.
- Select the Private service connection tab.
- In the Private service connection tab, select the Private connection to services tab.
- Select the private connection to delete.
- Click Delete to delete.
- Click Delete again to confirm the deletion.
gcloud
Delete the private connection's VPC Network Peering connection.
gcloud compute networks peerings delete CONNECTION_NAME \
    --network VPC_NETWORK
Replace CONNECTION_NAME and VPC_NETWORK with the name of your private connection (the peering name shown when you list private connections) and the name of your VPC network.
Recreating a deleted private connection
You can recreate a private connection that you have deleted.
If you want to use the same allocated IP ranges that were used previously, you can create the private connection again. Specify the same allocated IP ranges that you used for the private connection before you deleted it. If you specify different allocated IP ranges, Google Cloud returns a Cannot modify allocated ranges error.
If you want to recreate the connection using different allocated IP ranges, you must use the gcloud services vpc-peerings update command to modify the private connection.
For example, if you had previously set up a private connection using range1, you can recreate it with a different allocated IP range configuration, such as range1 and range2.
gcloud services vpc-peerings update \
    --service=servicenetworking.googleapis.com \
    --ranges=range1,range2 \
    --network=vpc1 \
    --project=my-project-123
You can also recreate the connection using only range2. Because this excludes range1, which was part of the previous private connection configuration, you must use the --force option.
gcloud services vpc-peerings update \
    --service=servicenetworking.googleapis.com \
    --ranges=range2 \
    --network=vpc1 \
    --project=my-project-123 \
    --force
Sharing private DNS zones with service producers
Cloud DNS private zones are private to your VPC network. If you want to let a service producer network resolve names from your private zone, you can configure DNS peering between the two networks.
When you configure DNS peering, you provide a VPC network and a DNS suffix. If the service producer needs to resolve an address with that DNS suffix, the service producer forwards those queries to your VPC network to be resolved.
DNS peering is supported for the following services:
If you want to enable DNS peering, you must enable the Cloud DNS API in your project.
Peering DNS with a service producer
gcloud
Set up DNS peering between your VPC network and the service producer network.
gcloud services peered-dns-domains create PEERING_NAME \
    --network=VPC_NETWORK \
    --dns-suffix=DNS_SUFFIX
Replace the following placeholders with relevant values:
PEERING_NAME: a name for this DNS peering configuration.
VPC_NETWORK: the name of your VPC network that is connected to the service producer using private services access.
DNS_SUFFIX: the DNS suffix you want to peer with the service producer. You must provide a complete DNS domain name, including the trailing dot. For example, example.com. is a valid DNS suffix.
Listing DNS peering configurations
gcloud
List the peered DNS domains in a VPC network.
gcloud services peered-dns-domains list \
    --network=VPC_NETWORK
Replace VPC_NETWORK with the name of your VPC network.
Deleting a DNS peering configuration
gcloud
Delete a peered DNS domain.
gcloud services peered-dns-domains delete PEERING_NAME \
    --network=VPC_NETWORK
Replace the following placeholders with relevant values:
PEERING_NAME: the name of the DNS peering configuration.
VPC_NETWORK: the name of the VPC network.
Troubleshooting
How much of my allocation is being used?
When you create a private connection with a service producer, you allocate an IP address range for them to use. If you use multiple services from a service producer, each service will reserve a chunk of IP addresses from that allocated range. You can check which services are using which IP addresses so that, for example, you can see which services are using large blocks of IP addresses and avoid IP address exhaustion.
To view which service is using a particular IP address range:
- List your private connections.
- Find the peering connection name that connects you to the relevant service producer.
- List the routes for your VPC network.
- Find the routes with a next hop that match the peering connection name. The destination range of the routes indicates which IP addresses each service is using.
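An added example, not part of the original page: the following Python automates the four steps above. It reads the route table as produced by gcloud compute routes list --format=json, keeps the routes whose nextHopPeering is the private connection's peering name, and reports how much of an allocation those producer subnets consume and how many /24 blocks are still free (zero free blocks is exactly the condition behind the exhaustion error described in the next section). The route records are constructed; the peering name, project and CIDRs are hypothetical sample values, and the subnet route and VPN route are included only to show that they are ignored.

```python
"""Attribute allocated address space to the service producer that holds it.

Added example; the routes below are constructed to look like the output of
`gcloud compute routes list --format=json`, trimmed to the fields used here.
"""
import ipaddress
import json

# Constructed sample. Peering name, project and CIDRs are hypothetical.
SAMPLE_ROUTES = json.loads("""
[
  {"name": "default-route-subnet", "destRange": "10.0.0.0/20",
   "nextHopNetwork": "projects/my-project/global/networks/my-vpc-network", "priority": 0},
  {"name": "on-prem-via-vpn", "destRange": "10.200.0.0/16",
   "nextHopVpnTunnel": "projects/my-project/regions/us-central1/vpnTunnels/tunnel-1", "priority": 1000},
  {"name": "peering-route-1", "destRange": "192.168.0.0/24",
   "nextHopPeering": "servicenetworking-googleapis-com", "priority": 0},
  {"name": "peering-route-2", "destRange": "192.168.1.0/24",
   "nextHopPeering": "servicenetworking-googleapis-com", "priority": 0},
  {"name": "peering-route-3", "destRange": "192.168.2.0/24",
   "nextHopPeering": "servicenetworking-googleapis-com", "priority": 0},
  {"name": "peering-route-other", "destRange": "172.16.5.0/24",
   "nextHopPeering": "other-producer", "priority": 0}
]
""")


def producer_subnets(routes, peering_name):
    """Destination ranges learned over the named peering, i.e. the producer's subnets."""
    return [ipaddress.ip_network(r["destRange"])
            for r in routes if r.get("nextHopPeering") == peering_name]


def allocation_usage(routes, peering_name, allocation_cidr):
    """Return (used_addresses, total_addresses, producer subnets inside the allocation)."""
    alloc = ipaddress.ip_network(allocation_cidr)
    inside = [n for n in producer_subnets(routes, peering_name) if n.subnet_of(alloc)]
    return sum(n.num_addresses for n in inside), alloc.num_addresses, [str(n) for n in inside]


def free_blocks(routes, peering_name, allocation_cidr, block_prefix=24):
    """Number of /block_prefix blocks in the allocation not yet taken by a producer subnet.

    Zero means the next resource the producer tries to create will fail with
    "Couldn't find free blocks in allocated IP ranges".
    """
    alloc = ipaddress.ip_network(allocation_cidr)
    if block_prefix < alloc.prefixlen:
        return 0  # the allocation is smaller than a single block
    taken = producer_subnets(routes, peering_name)
    return sum(1 for block in alloc.subnets(new_prefix=block_prefix)
               if not any(block.overlaps(t) for t in taken))


if __name__ == "__main__":
    peering, alloc = "servicenetworking-googleapis-com", "192.168.0.0/20"
    used, total, subnets = allocation_usage(SAMPLE_ROUTES, peering, alloc)
    print(f"{used}/{total} addresses of {alloc} used by {subnets}")
    print(f"{free_blocks(SAMPLE_ROUTES, peering, alloc)} free /24 blocks remain")
```

Pipe the real output of `gcloud compute routes list --format=json` into this instead of the constructed sample, using the peering name from gcloud services vpc-peerings list and the allocation CIDR from gcloud compute addresses list --global --filter="purpose=VPC_PEERING".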
IP address range exhaustion
For a given private connection, if you exhaust your allocated IP address space, Google Cloud will return this error: Failed to create subnetwork. Couldn't find free blocks in allocated IP ranges.
You can expand the existing allocation or add new ones. The expanded allocation must be a contiguous IP address range that includes the existing range. Expanding an allocation is recommended because there's no limit on the size of an allocation, but there is a limit on the number of allocations that you can create.
To expand an existing allocation:
- List your private connections and record the name of the allocated range you need to expand.
- Delete the existing allocated range.
- Create a new allocated range by using the same name as the deleted range. Specify an IP address range that includes the deleted IP address range. That way, existing peered resources that are using the old allocated range can continue to use the same IP addresses without colliding with resources in your VPC network. For example, if the previous allocated range was 192.168.0.0/20, create a new allocated range as 192.168.0.0/16.
To add allocated ranges to an existing private connection:
- Create a new allocated range. This range doesn't have to be contiguous with existing allocated ranges.
- Add the allocated range to the existing private connection.
On-premises hosts can't communicate with the service producer's network
The service producer's network might not have the correct routes to direct traffic to your on-premises network. By default, the service producer's network only learns the subnet routes from your VPC network, so it has no return route to on-premises IP addresses and drops any request that doesn't come from one of your subnet IP ranges.
In your VPC network, update the peering connection to export custom routes to the service producer's network (with gcloud, pass the --export-custom-routes flag to gcloud compute networks peerings update). Exporting routes sends all eligible static and dynamic routes in your VPC network, such as routes to your on-premises network, to the service producer's network; the setting applies to the whole peering, so every eligible route is exported, not just the ones for the on-premises prefixes you care about. The service producer's network automatically imports them and can then send traffic back to your on-premises network through your VPC network.