Networking

This page explains how to use networking for Memorystore for Valkey. The page also describes the following information about networking:

Note: Memorystore for Valkey also supports networking for multiple VPCs. For more information about multiple VPC networks, see About multiple VPC networking.

Networking setup guidance

As a reader of this page, you likely fit into one of two roles. Each role has different tasks that you have to accomplish. However, there might be an overlap between the roles.

Knowing which role you fit into and your role's goals helps you accomplish your instance creation and networking tasks quickly and efficiently.

You might fit into the following roles:

Memorystore for Valkey has the following networking characteristics:

  • The only networking connectivity method that you can use for Memorystore for Valkey is Private Service Connect service connectivity automation. This method is enabled by service connection policies. For more information, see About service connection policies.

  • If the correct service connection policy exists, then as you create the instance, service connectivity automation deploys connectivity for the instance automatically.

Prerequisites required before creating an instance

As described in About service connection policies, a service connection policy is unique to your project, network, region, and service class. If you want to create an instance, then make sure that the following conditions are met:

  • The service connection policy must exist for your project, network, region, and gcp-memorystore service class.
  • You must enable the necessary APIs.

Note: For more information about how Memorystore for Valkey creates a Private Service Connect endpoint and the lifecycle of that endpoint, see Deploy a managed service instance and configure connectivity.

Communicate networking requirements

If you're a Valkey Admin, then ask your Network Admin if a service connection policy exists for the region, network, and gcp-memorystore service class where you want to create your instance. After your Network Admin creates the policy, ask them for the full network name (that has the format of projects/NETWORK_PROJECT_ID/global/networks/NETWORK_ID) so that you can use it to create the instance.

Send your Network Admin a link to this page so that they can understand the service connection policy prerequisites that they need for you to create the instance.

Important: Make sure that your Network Admin doesn't configure the service instance scope in the service connection policy. Instead, the Network Admin must leave the default settings for the policy.

Memorystore for Valkey doesn't support custom service instance scopes. It supports deploying only Private Service Connect endpoints automatically through the authorization of a service connection policy that's in the same Google Cloud project as the instance.

For more information about deploying Private Service Connect endpoints in Google Cloud projects other than the project that hosts the instance, see Set up multiple VPC networks using user-registered Private Service Connect connections and Set up multiple VPC networks for instances provisioned with automatically registered connections.

Enable APIs

As a Valkey Admin, before you can create a Memorystore for Valkey instance, you must enable all of the APIs listed in Before you begin.

Shared VPC

In addition to standard VPC networks, Memorystore for Valkey supports Shared VPC networks.

Shared VPC setups have a host project and one or more service projects. The Network Admin defines the service connection policy for Memorystore for Valkey in the host project. Valkey Admins use service projects to create Memorystore for Valkey instances.

For a quickstart on creating an instance with Shared VPC, see Instance provisioning on a Shared VPC network.

Reserved network addresses

After you create an instance, Memorystore for Valkey reserves the following network addresses for the instance:

  • Discovery endpoint: the primary network address that your application uses to connect to your instance.
  • Internal backend: the Memorystore for Valkey backend service uses this network address for management and operational purposes.

Memorystore for Valkey uses both network addresses to serve the traffic for your instance.

Supported networking architectures

Memorystore for Valkey supports the network architectures described in this section.

Same network, project, and region client access example

In this example, the client and Memorystore for Valkey endpoint IP addresses are located in the same network, project, and region.

Shows clients in the consumer project connecting to a Memorystore for Valkey in a producer project through a private service connect intermediary.

Same network and project, but multi-region client access example

In this example, the client and Memorystore for Valkey endpoint IP addresses are located in the same network and project, but in multiple regions.

Shows clients in different regions in the consumer project connecting to a Memorystore for Valkey in a producer project through a private service connect intermediary.

Shared VPC client access example

In this example, the clients are located in different Shared VPC projects. Although clients in this example are in the same region, Memorystore for Valkey supports clients from different regions.

IP1 and IP2 are IP addresses created on the Consumer VPC 1 network. This is a Shared VPC network across the VPC 1 host project, Consumer service project 1, and Consumer service project 2. The Private Service Connect endpoints in this example are resources (forwarding rules) that are created in Consumer service project 2.

Shows clients in various Shared VPC consumer projects connecting to a Memorystore for Valkey in a producer project through a private service connect intermediary.

On-premises access example

This diagram shows an example of a client connecting to Memorystore for Valkey from an on-premises network using Cloud Interconnect and Cloud Router. Although the Cloud Interconnect and Cloud Router infrastructure is used, the client machines in the on-premises network connect to Valkey using the Memorystore for Valkey endpoint IP addresses. For example, in the diagram in this section, clients connect to 10.142.0.10 and 10.142.0.11 directly.

For more information about finding your instance's discovery endpoint IP address, see View your instance's discovery endpoint.

Shows clients in an on-premises network connecting to a Memorystore for Valkey in a producer project through Cloud Interconnect and private service connect intermediaries.

Multi VPC network access

To connect to Memorystore for Valkey across multiple VPCs, create an internal VPN tunnel between the VPC that has the Private Service Connect endpoint and any other VPCs that require access. Because multiple VPCs can't connect to Private Service Connect directly, you must use a VPN tunnel infrastructure.

Shows client connectivity using multiple VPC networks connecting to an endpoint using a VPN tunnel.

Frequently asked questions

This section covers networking FAQs for Memorystore for Valkey.

Do you need a service connection policy?

It depends. For network connectivity, you have two options: a service connection policy or user-registered Private Service Connect connections. If you choose a multi-VPC setup, then you can either use the second option or both options together.

User-registered Private Service Connect connections enable you to connect multiple VPC networks, if needed. If you don't need multiple VPC networks, then you can also establish connectivity by using a user-registered connection. However, we recommend using a service connection policy because the process is more straightforward.

Why must you enable the Network Connectivity and Service Consumer Management APIs?

Memorystore for Valkey uses Private Service Connect service connectivity automation to automate deployment and connectivity in the consumer network. For automation to work, you must enable these APIs. If you don't, then instance creation operations fail.

Which permissions do you need to set up networking in Memorystore for Valkey?

  • If you want to perform the Valkey Admin tasks described on this page, then you need the memorystore.admin role. To see which roles you need for different Memorystore for Valkey permissions, see Permissions and their roles.

  • If you want to perform the Network Admin tasks described on this page, then you need the compute.networkAdmin role.

Which ports do you need to set up networking in Memorystore for Valkey?

Your application connects to Memorystore for Valkey by using an IP address and the 6379 port. As part of this connection, it requests the topology of an instance.

The request's response contains a list of the data nodes in the instance and their associated ports. For each node, Memorystore for Valkey uses a port in the 11000-to-13047 range. Therefore, in your firewall, you must allow access to both the 6379 port and to all ports in this range.
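
The following added example, which is not part of the Memorystore for Valkey documentation, checks whether a list of allowed port specs covers the 6379 port and the whole 11000-to-13047 range described above, and reports any gap. The port-spec string format ("6379", "11000-13047") and the function names are assumptions made for illustration.

```python
# Added example. Required ports come from the text above; names are illustrative.
REQUIRED = [(6379, 6379), (11000, 13047)]


def parse_ports(specs):
    """Parse specs such as '6379' or '11000-13047' into sorted, merged (lo, hi) ranges."""
    ranges = []
    for spec in specs:
        lo, _, hi = spec.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"invalid port spec: {spec!r}")
        ranges.append((lo, hi))
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def missing_ports(allowed_specs, required=REQUIRED):
    """Return the parts of the required ranges that no allowed range covers."""
    allowed = parse_ports(allowed_specs)
    gaps = []
    for need_lo, need_hi in required:
        cursor = need_lo  # lowest required port not yet known to be covered
        for lo, hi in allowed:
            if hi < cursor:
                continue
            if lo > need_hi:
                break
            if lo > cursor:
                gaps.append((cursor, lo - 1))
            cursor = hi + 1
            if cursor > need_hi:
                break
        if cursor <= need_hi:
            gaps.append((cursor, need_hi))
    return gaps


if __name__ == "__main__":
    # Constructed sample port lists, not taken from a real firewall rule.
    for ports in (["6379", "11000-13047"], ["6379"], ["6379", "11000-12000"]):
        print(ports, "->", missing_ports(ports) or "all required ports allowed")
```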

How can you set up connectivity for your on-premises network?

In addition to the guidance on this page, you can learn about setting up on-premises connectivity by using the following links:


Last updated 2026-02-19 UTC.