Create private uptime checks

This document describes how to configure a private uptime check.Private uptime checks enable HTTP or TCP requests into a customerVirtual Private Cloud (VPC) network while enforcingIdentity and Access Management (IAM) restrictions andVPC Service Controls perimeters.Private uptime checks can send requests over the private network to resourceslike a virtual machine (VM) or an L4 internal load balancer (ILB).

The internal IP addresses for resources on the private network are recorded byService Directory services withprivate network access enabled. To use private uptimechecks, you must configure private network access by using theService Directory product.

The Google Cloud project that stores the private uptime check andthe Google Cloud project that stores the Service Directoryservice can be different projects. Cloud Monitoring lets you monitorresources in multipleGoogle Cloud projects from one project by using a metrics scope.The project in which the uptime check is defined is thescoping project of a metrics scope; the metrics scope is a list of all projectsthe scoping project monitors.The Service Directory service might be defined in thescoping project or in a project in the metrics scope.For more information about metrics scopes, seeMetrics scopes overview.

The private network and its resources, like VMs or load balancers, canalso be in a different Google Cloud project. This project does not haveto be in the metrics scope of the uptime check's scoping project.The Service Directory service collects the uptime metrics, soit must be in the metrics scope, but the resources it encapsulates don't.

This document describes how to set up a private network and configureService Directory resources for it by using the Google Cloud consoleor the API. The API examples assume thatthe private network and the Service Directory service are inthe scoping project of the uptime check. However,Create a privateuptime check also describes how to use the API tocreate an uptime check that uses a Service Directory service inthe metrics scope.

For information about how to configure uptime checks that use publicIP addresses, seeCreate public uptime checks.For information about managing and monitoring your uptime checks, see theWhat's next section of this document.

This feature is supported only for Google Cloud projects.ForApp Hubconfigurations, select the App Hub host project or management project.

Before you begin

  1. Enable the following APIs:

    • Cloud Monitoring API:monitoring.googleapis.com
    • Service Directory API:servicedirectory.googleapis.com
    • Service Networking API:servicenetworking.googleapis.com
    • Compute Engine API:compute.googleapis.com

    You can enable the APIs by using the gcloud CLI or theGoogle Cloud console. The following tabs describe how to install thegcloud CLI and enable the Cloud Monitoring API:

    Google Cloud console

    1. In the Google Cloud console, select the Google Cloud project forwhich you want to enable the API,and then go to theAPIs & Services page:

      Go toAPIs & Services

    2. Click theEnable APIs and Service button.

    3. Search for "Monitoring".

    4. In the search results, click through to "Stackdriver Monitoring API".

    5. If "API enabled" is displayed, then the API is already enabled. Ifnot, then clickEnable.

    gcloud CLI

    1. If you have not already installed the Google Cloud CLI on yourworkstation, seeInstalling the gcloud CLI.

    2. To see if the Monitoring API is enabled, run the followingcommand on your workstation, after replacingPROJECT_ID with theID of the project for which you want to enable the API:

      gcloud services list --project=PROJECT_ID

      Ifmonitoring.googleapis.com appears in the output, the API isenabled.

    3. If the API is not enabled, then run the following command to enable it:

      gcloud services enable monitoring --project=PROJECT_ID

      For more information, seegcloud services.

    You can use the same steps for enabling the other APIs:

    • To use the Google Cloud console, search for the display name, for example,"Service Directory API".
    • To use the gcloud CLI, specify the first element of thegoogleapis.com name, for example,servicedirectory.

  2. Configure the notification channels that you want to use to receivenotifications. We recommend that you create multiple types of notificationchannels. For more information, seeCreate and manage notification channels.

  3. Configure a private network and configure a VM or ILB to haveaccess to that private network.For more information, seePrivate services access.

    Private checks that target ILBs are limited tothe regions with uptime checkers. The uptime-check regionUSA includes theUSA_OREGON,USA_IOWA, andUSA_VIRGINIA regions. Each of theUSA_*regions has one checker, andUSA includes all three. The other uptime-check regions,EUROPE,SOUTH_AMERICA, andASIA_PACIFIC, each have onechecker. To removethis limitation, you must configure global access to your load balancer.For more information about how to configure global access, see the ILB tabin theConfigure Service Directory resourcessection of this document.

    If you plan to check an ILB that doesn't permit global access, thenselect one of the following regions for your ILB:

    • us-east4
    • us-central1
    • us-west1
    • europe-west1
    • southamerica-east1
    • asia-southeast1

  4. Determine which interface to use:

    • Google Cloud console: Lets you create an uptimecheck when a VM is servicing requests. This interface guides youthrough configuring Service Directory resources,authorizing the service account, and configuring the network firewallrules.

    • Command line interfaces: You can use Google Cloud CLI and theCloud Monitoring API to create private uptime checks when ILBs and VMsare servicing requests.

  5. If you plan to use the command line to configure your private uptime checks,then complete thePrerequisite steps.

Create a private uptime check

This section explains how to create and configure private uptime checksof Service Directory services:

  • To use the Google Cloud console, select theGoogle Cloud console tab.

  • To use the Cloud Monitoring API and to configure theService Directory service to be in the same Google Cloud project asthe uptime check, select theAPI: Scoping project tab.

  • To use the Cloud Monitoring API and to configure theService Directory service to be in a project monitoredby the metrics scope of theuptime check's project, select theAPI: Monitored project tab.

Google Cloud console

To create an uptime check by using the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the Uptime checks page:

    Go toUptime checks

    If you use the search bar to find this page, then select the result whose subheading isMonitoring.

  2. In the toolbar of the Google Cloud console,select your Google Cloud project. ForApp Hubconfigurations, select the App Hub host project or management project.

  3. ClickCreate Uptime Check.

    Create an uptime check dialog.

  4. Specify a private uptime check:

    1. Select the protocol, which can beHTTP,HTTPS, orTCP.

    2. Choose theInternal IP resource type.

  5. If you don't have a Service Directory service configuredfor your project or if you want to create aService Directory service, then clickView and complete thePrivate Uptime Check Prerequisites pane:

    1. If prompted, enable the Compute Engine API or theService Directory API.Enabling the APIs might take a minute to complete.

    2. ExpandService Account, if shown,and then clickCreate Service Account.

      When a Monitoring service account doesn't exist, oneis created. Then, Monitoring grants the service accounttwo Service Directory roles.

    3. ExpandService Directory menu andthen do the following:

      1. ExpandRegion andthen select the region of the VM that is serving requests.
      2. ExpandNamespace and then either select anexisting Service Directory namespace orclickCreate namespace and create a namespace.
      3. ClickService name and enter a servicename. Services are the targets of private uptime checks.
      4. ClickEndpoint name and enter a name for the endpoint name.An endpoint is a pair of IP address and port values thata service can use to handle requests.When your service contains multipleendpoints, one endpoint is chosen at random.
      5. ExpandNetwork and thenselect your private network.
      6. ExpandInstance and then select the VMon the private network that is serving requests. After you selectthe instance, its internal IP address is displayed.
      7. ClickDone.

    4. ExpandFirewall rules:

      1. ExpandNetwork and select the networkto which the network rule is attached.

      2. ClickCreate Firewall Rules.

        The firewall rule enables inbound TCP traffic from routes35.199.192.0/19.A route from 35.199.192.0/19 supports connectivity to forwardingtargets that use private routing.For more information, seeVPC routes.

  6. In thePrivate Uptime Check pane, to specify theService Directory service to use, do one of the following:

    • SelectUse fully qualified service name and then enter the fullyqualified name of the service:

      projects/SERVICE_DIRECTORY_PROJECT_ID/locations/REGION/namespaces/PRIVATE_NAMESPACE/services/PRIVATE_SERVICE

    • Select theRegion,Namespace, andService by using themenus. If you created a service, then these fields are selected for you.

  7. In thePrivate Uptime Check pane, complete the description of thetarget of the uptime check:

    1. Optional: Enter a path component for the request.

      Private uptime checks that use the HTTP or HTTPS protocol send a request tohttp://target/path. In this expression, thetarget is the internal IP address configured in the Service Directory endpoint.

      If you leave thePath field blank or if you set the value to/, then the request is issued tohttp://target/.

    2. Optional: To set how often the uptime check executes, use theCheck frequency field.

    3. Optional: To select checker regions, or to configureauthentication, headers for HTTP and HTTPS checks, and other values,clickMore target options:

      • Regions: Select the regions where the uptime checks are toreceive requests. An uptime check must have at least three checkers.There's one checker in all regions except theUnited States,which has three checkers. The default setting,Global,includes all regions.
      • Request Method: SelectGET orPOST.
      • Body: For HTTPPOST checks, enter the URL-encoded body; youmust do the encoding yourself. For all other checks, leave thisfield empty.
      • Host header: Don't set this field when configuringprivate uptime checks.
      • Port: Any value you set here overrides the port in yourService Directory endpoint configuration. Don't seta value here if you want the endpoint configuration to be used.
      • Custom Headers: Supply custom headers, and optionally,encrypt them. Encryption hides the values in the header in the form.Use encryption for headers related to authentication that youdon't want visible to others.
      • Authentication: Provide a single username and password. Thesevalues are sent as an Authorization header. If you set values here,don't set a separate Authorization header; if you set anAuthorization header, don't set values here. Passwords are alwayshidden in the form.

  8. ClickContinue and configure the response requirements.All settings in this section have default values:

    • To set a timeout period for the uptime check, use theResponse Timeout field. An uptime check fails when noresponse is received from more than one location within this period.

    • To configure the uptime check to perform content matching,ensure that the toggle label isContent matching is enabled:

      • Select theResponse Content Match Type from the menu of options.This field determines how the response content is compared to thereturned data. For example, assume that the response content isabcd and the content match type isContains. The uptime checkis successful only when the response data containsabcd.For more information, seeValidate response data.
      • Enter theResponse content. The response content must be a stringno longer than 1024 bytes. In the API, this field is theContentMatcher object.

    • To prevent log entries from being created due to uptime checks,clearLog check failures.

    • For the HTTP uptime checks, configure the acceptable response codes.By default, HTTP uptime checks mark any2xx response as a successful response.

  9. ClickContinue and configure alerting policies and notifications.

    To be notified when an uptime check fails, create analerting policy andconfigurenotification channels for that policy:

    1. Optional: Update the name of the alerting policy.
    2. Optional: In theDuration field, select how long the uptime checksmust fail before notifications are sent. By default, notifications aresent when at least two regions report uptime check failures for aduration of at least one minute.

    3. In the box labeledNotification channels,expandMenu, select the channels to add,and then clickOK.

      In the menu, the notification channels are grouped alphabetically foreach channel type.

    If you don't want to create an alerting policy, then ensurethat the text of the toggle button isDo not create an alert.

  10. ClickContinue and complete the uptime check:

    1. Enter a descriptive title for the uptime check.

    2. Optional: To add user-defined labels to your uptime check,do the following:

      1. ClickShow user labels.
      2. In theKey field, enter a name for the label.Label names must start with a lowercase letter, and they can containlowercase letters, numerals, underscores, and dashes. For example,enterseverity.
      3. In theValue field, enter a value for your label. Label valuescan containlowercase letters, numerals, underscores, and dashes. For example,entercritical.
      4. For each additional label, clickAdd user label and then enterthe key and value of the label.

    3. To verify your uptime check configuration, clickTest.If the result isn't what you expect, seeTroubleshooting,correct your configuration, and then repeat the verification step.

    4. ClickCreate.

API: Scoping project

To create the configuration for a private uptime check, you create anUptimeCheckConfig object and pass thatobject to theuptimeCheckConfigs.create methodin the Cloud Monitoring API.

TheUptimeCheckConfig object for a private uptime check differsfrom the object for a public uptime check in the following ways:

  • The monitored resource specified in the uptime-check configuration must beof typeservicedirectory_service. This resource typehas the following labels:

    • project_id: The project ID associated with theService Directory service.
    • location: The cloud region associated with the service.
    • namespace_name: The Service Directory namespace.
    • service_name: The name of the Service Directory service.
    Note: The values for these labels are determined when youConfigureService Directory resources.

  • You don't need to specify aport value in the uptime-check configuration.The port value from the Service Directory endpoint overridesany value set in the uptime-check configuration, and the check fails ifno port is specified in the Service Directory configuration.

  • The uptime-check configuration must specify thechecker_type fieldwith the valueVPC_CHECKERS. This value is required for private uptimechecks. By default, uptime checks are public, so public uptime checksdon't need to specify this field.

The following JSON code illustrates anUptimeCheckConfig object for aprivate uptime check using the Service Directory resourcesconfigured for a VM instance on a private network:

{  "displayName": "private-check-demo",  "monitoredResource": {    "type": "servicedirectory_service",    "labels": {      "project_id": "SERVICE_DIRECTORY_PROJECT_ID",      "service_name": "PRIVATE_SERVICE",      "namespace_name": "PRIVATE_NAMESPACE",      "location": "REGION"    }  },  "httpCheck": {    "requestMethod": "GET"  },  "period": "60s",  "timeout": "10s",  "checker_type": "VPC_CHECKERS"}'

To create a private uptime check when theService Directory serviceis in the same Google Cloud project as the uptime check, do the following:

  1. Set the default Google Cloud project for the gcloud CLI:

    gcloud config set projectPROJECT_ID

  2. Create an environment variable to store your project ID:

    export PROJECT_ID=$(gcloud config get-value core/project)

  3. Create an environment variable hold an access token:

    export TOKEN=`gcloud auth print-access-token`

  4. Use thecurl tool to invoke theuptimeCheckConfigs.create methodand post a configuration object to it:

    curl https://monitoring.googleapis.com/v3/projects/${PROJECT_ID}/uptimeCheckConfigs \-H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \--request POST --data '{"displayName": "private-check-demo","monitoredResource": {  "type": "servicedirectory_service",  "labels": {    "project_id": "'"$PROJECT_ID"'",    "service_name": "PRIVATE_SERVICE",    "namespace_name": "PRIVATE_NAMESPACE",    "location": "REGION"  }},"httpCheck": {  "requestMethod": "GET"},"period": "60s","timeout": "10s","checker_type": "VPC_CHECKERS"}'

If the creation of the uptime check fails, then verify that theservice account has the necessary roles. For more information,seeCreate of uptime check fails.

API: Monitored project

To create the configuration for a private uptime check, you create anUptimeCheckConfig object and pass thatobject to theuptimeCheckConfigs.create methodin the Cloud Monitoring API.

TheUptimeCheckConfig object for a private uptime check differsfrom the object for a public uptime check in the following ways:

  • The monitored resource specified in the uptime-check configuration must beof typeservicedirectory_service. This resource typehas the following labels:

    • project_id: The project ID associated with theService Directory service.
    • location: The cloud region associated with the service.
    • namespace_name: The Service Directory namespace.
    • service_name: The name of the Service Directory service.
    Note: The values for these labels are determined when youConfigureService Directory resources.

  • You don't need to specify aport value in the uptime-check configuration.The port value from the Service Directory endpoint overridesany value set in the uptime-check configuration, and the check fails ifno port is specified in the Service Directory configuration.

  • The uptime-check configuration must specify thechecker_type fieldwith the valueVPC_CHECKERS. This value is required for private uptimechecks. By default, uptime checks are public, so public uptime checksdon't need to specify this field.

The following JSON code illustrates anUptimeCheckConfig object for aprivate uptime check using the Service Directory resourcesconfigured for a VM instance on a private network:

{  "displayName": "private-check-demo",  "monitoredResource": {    "type": "servicedirectory_service",    "labels": {      "project_id": "SERVICE_DIRECTORY_PROJECT_ID",      "service_name": "PRIVATE_SERVICE",      "namespace_name": "PRIVATE_NAMESPACE",      "location": "REGION"    }  },  "httpCheck": {    "requestMethod": "GET"  },  "period": "60s",  "timeout": "10s",  "checker_type": "VPC_CHECKERS"}'

To create a private uptime check when theService Directory service is in a Google Cloud projectthat is monitored by the metrics scope of the uptime check'sGoogle Cloud project, do the following:

  1. Configure the gcloud CLI to default to the Google Cloud projectwhere the uptime check is to be created:

    gcloud config set projectPROJECT_ID

  2. Create an environment variable to store your project ID:

    export PROJECT_ID=$(gcloud config get-value core/project)

  3. Create an environment variable to store the project ID of theGoogle Cloud projectin which the Service Directory service is defined:

    export MONITORED_PROJECT_ID=MONITORED_PROJECT_ID

    This project must be in the metrics scope of the uptime check'sproject.

  4. Create an environment variable hold an access token:

    export TOKEN=`gcloud auth print-access-token`

  5. Use thecurl tool to invoke theuptimeCheckConfigs.create methodand post a configuration object to it:

    curl https://monitoring.googleapis.com/v3/projects/${PROJECT_ID}/uptimeCheckConfigs \-H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \--request POST --data '{"displayName": "private-check-demo","monitoredResource": {  "type": "servicedirectory_service",  "labels": {    "project_id": "'"$MONITORED_PROJECT_ID"'",    "service_name": "PRIVATE_SERVICE",    "namespace_name": "PRIVATE_NAMESPACE",    "location": "REGION"  }},"httpCheck": {  "requestMethod": "GET"},"period": "60s","timeout": "10s","checker_type": "VPC_CHECKERS"}'

If the creation of the uptime check fails, then verify that theservice account has the necessary roles. For more information,seeCreate of uptime check fails.

There can be a delay of up to 5 minutesbefore the uptime check results start to flow into Monitoring.During that time, the uptime check dashboard reports the status as"no data available."

Prerequisite steps

If you plan to use the Google Cloud console interface,then go toCreate a private uptime check. TheGoogle Cloud console guides you through all prerequisite steps.

If you plan to use thecommand line to configure your private uptime checks, then you mustcomplete the following steps before you can create the uptime check:

  1. Configure Service Directory resources
  2. Authorize the service account
  3. Configure firewall rules

Configure Service Directory resources

Private uptime checks determine the availability of a resource by using aninternal IP address that is recorded by aService Directory service. You can configure aService Directory for the following resources:

  • VMs on a private network
  • L4 internal load balancers (ILBs)

To use private uptime checks, you must configure the followingService Directory resources:

  • Endpoint: An endpoint is a pair of IP address and port values thata service can use to handle requests. When your service contains multipleendpoints, one endpoint is chosen at random.
  • Service: A service is a collection of endpoints that provide a setof behaviors. Services are the targets of private uptime checks.
  • Namespace: A namespace holds a set of service names and their associatedendpoints. Namespaces let you group services together for consistentmanagement.

You can configure these resources with the gcloud CLI or theGoogle Cloud console. When you use the console, the configuration stepsare included in theCreate Uptime Check dialog.

Google Cloud console

When you use the Google Cloud console, after you selectInternal IP as theresource type for an uptime check, you are prompted to create aService Directory and a service.

gcloud CLI - VM

For information about the commands used in this document for services,namespaces, and endpoints, see thegcloud service-directory command group.

To create Service Directory resources for a VM,do the following:

  1. Configure the Google Cloud CLI to default to the Google Cloud project wherethe Service Directory resources are to be created:

    gcloud config set projectPROJECT_ID

  2. Create environment variables to store your project ID and project number:

    export PROJECT_ID=$(gcloud config get-value core/project)export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format='get(projectNumber)')

  3. Create a Service Directory namespace:

    gcloud service-directory namespaces createPRIVATE_NAMESPACE --location=REGION

  4. Create a Service Directory service in the namespace:

    gcloud service-directory services createPRIVATE_SERVICE \--namespacePRIVATE_NAMESPACE --location=REGION

  5. Create an environment variable to hold the IP address of the VM on theprivate network:

    export INTERNAL_IP=$(gcloud compute instances describe --zone=ZONE \PRIVATE_SERVICE_INSTANCE --format='get(networkInterfaces[0].networkIP)')

  6. Create a Service Directory endpoint that contains theinternal IP address and a port:

    gcloud service-directory endpoints createPRIVATE_ENDPOINT \--location=REGION --namespace=PRIVATE_NAMESPACE \--service=PRIVATE_SERVICE \--network=projects/$PROJECT_NUMBER/locations/global/networks/PRIVATE_CHECK_NETWORK \--address=$INTERNAL_IP --port=80

gcloud CLI - L4 ILB

For information about the commands used in this document for services,namespaces, and endpoints, see thegcloud service-directory command group.

You can use private uptime checks to monitor availability of an L4 internalload balancer (ILB) by creating Service Directory resourcesfor the L4 ILB.

When you create new L4 ILBs, you can use the automatic integration provided byService Directory; for more information, seeConfigureinternal load balancers in Service Directoryfor more information.

If you have L4 ILBs that were created without using the automatic integrationprovided by Service Directory, then you can manually configurethe Service Directory resources by doing the following:

  1. Configure the Google Cloud CLI to default to the Google Cloud project wherethe Service Directory resources are to be created:

    gcloud config set projectPROJECT_ID

  2. Create environment variables to store your project ID and project number:

    export PROJECT_ID=$(gcloud config get-value core/project)export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format='get(projectNumber)')

  3. To permit all uptime checkers to transfer data to your L4 ILB,enable global access to the ILB:

    gcloud compute forwarding-rules updateILB_FORWARDING_RULE_NAME \--region=ILB_REGION --allow-global-access

    If your L4 ILB does not permit global access, then uptime metrics areavailable only ifILB_REGION is one of the following:

    • us-east4
    • us-central1
    • us-west1
    • europe-west1
    • southamerica-east1
    • asia-southeast1

  4. Create a Service Directory namespace:

    gcloud service-directory namespaces createPRIVATE_NAMESPACE_FOR_ILB\--location=REGION

  5. Create a Service Directory service in the namespace:

    gcloud service-directory services createPRIVATE_SERVICE_FOR_ILB \--namespacePRIVATE_NAMESPACE_FOR_ILB --location=REGION

  6. Create an environment variable to hold the IP address of the load balanceron the private network:

    export INTERNAL_IP=$( gcloud compute forwarding-rules describeILB_FORWARDING_RULE_NAME\--region=ILB_REGION --format='get(IPAddress)')

  7. Create a Service Directory endpoint that contains theinternal IP address and a port:

    gcloud service-directory endpoints createPRIVATE_ENDPOINT_FOR_ILB \--location=ILB_REGION --namespace=PRIVATE_NAMESPACE_FOR_ILB \--service=PRIVATE_SERVICE_FOR_ILB \--network=projects/$PROJECT_NUMBER/locations/global/networks/PRIVATE_CHECK_NETWORK \--address=$INTERNAL_IP --port=80

Authorize the service account

Uptime checks use a Monitoring-owned service account tomanage interactions with the Service Directory service. Theservice account name has the following format:

service-PROJECT_NUMBER@gcp-sa-monitoring-notification.iam.gserviceaccount.com

When this service account doesn't exist, Monitoring createsthe service account when you create the private uptime check. Youcan't create this service account.

When you create a private uptime check, Monitoring attemptsto grant the service account two Service Directory roles.However, when you use the API, your Google Cloud project settings mightprevent Monitoring from granting roles to the service account.In this situation, the creation of the uptime check fails.

This section describes how you can grant the required roles to anexisting service account:

Google Cloud console

When you use the Google Cloud console, after you selectInternal IP as theresource type for an uptime check, you are prompted to authorize theservice account.

API: Scoping project

To grant theService Directory roles toan existing service account, do the following:

  1. Configure the gcloud CLI to default to the Google Cloud projectwhere the uptime check is to be created:

    gcloud config set projectPROJECT_ID

  2. Create environment variables to store the project ID and project number:

    export PROJECT_ID=$(gcloud config get-value core/project)export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format='get(projectNumber)')

  3. Run the following commands:

    gcloud projects add-iam-policy-binding $PROJECT_ID \--member='serviceAccount:service-'$PROJECT_NUMBER'@gcp-sa-monitoring-notification.iam.gserviceaccount.com' \--role='roles/servicedirectory.viewer'
    gcloud projects add-iam-policy-binding $PROJECT_ID \--member='serviceAccount:service-'$PROJECT_NUMBER'@gcp-sa-monitoring-notification.iam.gserviceaccount.com' \--role='roles/servicedirectory.pscAuthorizedService'

    The previous commands grant the following roles to the service account:

    • roles/servicedirectory.viewer
    • roles/servicedirectory.pscAuthorizedService

API: Monitored project

To grant theService Directory roles toan existing service account, do the following:

  1. Configure the gcloud CLI to default to the Google Cloud projectwhere the uptime check is to be created:

    gcloud config set projectPROJECT_ID

  2. Create environment variables to store the project ID and project number:

    export PROJECT_ID=$(gcloud config get-value core/project)export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format='get(projectNumber)')

  3. Create an environment variable hold the project ID of the projectin which the Service Directory service is defined:

    export MONITORED_PROJECT_ID=MONITORED_PROJECT_ID

    This project must be in the metrics scope of the uptime check'sproject.

  4. Create an environment variable hold the project ID of the projectwhere the network is defined:

    export NETWORK_PROJECT_ID=NETWORK_PROJECT_ID

    This project does not need to be in the metrics scope of theuptime check's project.

  5. Run the following commands:

    gcloud projects add-iam-policy-binding $MONITORED_PROJECT_ID \--member='serviceAccount:service-'$PROJECT_NUMBER'@gcp-sa-monitoring-notification.iam.gserviceaccount.com' \--role='roles/servicedirectory.viewer'
    gcloud projects add-iam-policy-binding $NETWORK_PROJECT_ID \--member='serviceAccount:service-'$PROJECT_NUMBER'@gcp-sa-monitoring-notification.iam.gserviceaccount.com' \--role='roles/servicedirectory.pscAuthorizedService'

    The previous commands grant the following roles to the service account:

    • roles/servicedirectory.viewer for the monitored project in which theService Directory service is configured,$SERVICE_MONITORED_PROJECT_ID.
    • roles/servicedirectory.pscAuthorizedService for the project in whichthe private network is configured,$NETWORK_PROJECT_ID.

Configure firewall rules

You must create a firewall rule that enables inbound TCP traffic from routes35.199.192.0/19. A route from 35.199.192.0/19 supports connectivity toforwarding targets that use private routing. For moreinformation, seeVPC routes.

Google Cloud console

When you use the Google Cloud console, after you selectInternal IP as theresource type for an uptime check, you are prompted to configure thefirewall rules.

gcloud CLI

To create a firewall rule that permits inbound TCP trafficthrough the firewall for private network access, run the following command:

  1. Configure the gcloud CLI to default to the Google Cloud projectwhere the uptime check is to be created:

    gcloud config set projectPROJECT_ID

  2. Create environment variables to store the project ID and project number:

    export PROJECT_ID=$(gcloud config get-value core/project)

  3. Create the network rule:

    gcloud compute firewall-rules createPRIVATE_CHECK_NETWORK_HOPE_RULE \--network="PRIVATE_CHECK_NETWORK"  \--action=allow   --direction=ingress   --source-ranges="35.199.192.0/19" \--rules=tcp   --project="$PROJECT_ID"

    In the previous command,PRIVATE_CHECK_NETWORK is the network to which this rule isattached whilePRIVATE_CHECK_NETWORK_HOPE_RULE is the name of the firewall rule.

For more information about this step, seeConfigure the network project.

Limitations

When using private uptime checks, validation of SSL certificates is disabled,regardless of configuration.

Private uptime checks don't support endpoints that have redirections.

Troubleshooting

This section describes some errors you might encounter when usingprivate uptime checks and provides information for resolving them.

Create of uptime check fails

Your Google Cloud project settings might prevent modification of the roles assignedto the service account that uptime checks use tomanage interactions with the Service Directory service.In this situation, the creation of the uptime check fails.

This section describes how you can grant the roles that the service accountrequires:

Google Cloud console

When you use the Google Cloud console to create the private uptime check,the Google Cloud console issues the commands to grant theService Directory roles to the service account.

For information about how to grant roles to a service account,seeAuthorize the service account.

API: Scoping project

The first time you create a private uptime check for aService Directory service and private resourcesin a single Google Cloud project,the request might succeed or fail. The result depends on whether youhave disabledautomatic role grants for service accountsin your project:

  • The first uptime-check creation succeeds if your project permitsautomatic role grants for service accounts. A service account iscreated for you and is granted the necessary roles.

  • The first uptime-check creation fails if your project doesn't permitautomatic role grants for service accounts. A service account iscreated, but no roles are granted.

If the creation of the uptime check fails, then do the following:

  1. Authorize the service account.
  2. Wait a few minutes for the permissions to propagate.
  3. Try creating the private uptime check again.

API: Monitored project

The first time you create a private uptime check that targets aService Directory service in a monitored project orprivate resources in different Google Cloud project,the request fails and results in the creation of aMonitoring service account.

How you authorize the service account depends on the number ofGoogle Cloud projects you are using and their relationships.You might have up to four projects involved:

  • The project in which you defined the private uptime check.
  • The monitored project in which you configured theService Directory service.
  • The project in which you configured the VPC network.
  • The project in which network resources like VMs or load balancers areconfigured. This project has no role in the service-account authorizationdiscussed here.

When the creation of the first uptime check fails, do the following:

  1. Authorize the service account.
  2. Wait a few minutes for the permissions to propagate.
  3. Try creating the private uptime check again.

Access denied

Your uptime checks are failing withVPC_ACCESS_DENIED results. This resultmeans that some aspect of your network configuration or service-accountauthorization isn't correct.

Check your service-account authorization for using a scopingproject or a monitored project as described inCreate of uptime check fails.

For more information about accessing private networks, seeConfigure the network project.

Anomalous results from private uptime checks

You have a Service Directory service withmultiple VMs, and your service configuration contains multiple endpoints.When you shut down one of the VMs, your uptime check still indicates success.

When your service configuration contains multiple endpoints, one ischosen at random. If the VM associated with the chosen endpoint is running,the uptime check succeeds even though one of the VMs is down.

Default headers

Your uptime checks are returning errors or unexpected results. This mightoccur if you have overridden default header values.

When a request is sent for a private uptime check to a target endpoint,the request includes the following headers and values:

HeaderValue
HTTP_USER_AGENTGoogleStackdriverMonitoring-UptimeChecks(https://cloud.google.com/monitoring)
HTTP_CONNECTIONkeep-alive
HTTP_HOSTIP of Service Directory endpoint
HTTP_ACCEPT_ENCODINGgzip,deflate,br
CONTENT_LENGTHCalculated from uptime post data

If you attempt to override these values, the following might happen:

  • The uptime check reports errors
  • The override values are dropped and replace with the values in the table

No data visible

You don't see any data on the uptime check dashboard when youruptime check is in a different Google Cloud project than theService Directory service.

Ensure that the Google Cloud project that contains the uptime checkmonitors the Google Cloud project that contains theService Directory service.

For more information about how to list monitored projects and add additionalones, seeConfigure a metrics scope for multiple projects.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.