Configure private services access
Private services access is a private connection between your VPC network and a network owned by Google or a third party. Google or the third party, entities who are offering services, are also known as service producers. The private connection enables VM instances in your VPC network and the services that you access to communicate exclusively by using internal IP addresses. VM instances don't need internet access or external IP addresses to reach services that are available through private services access.
To use private services access, you do the following:
- Allocate an IP address range. An allocated range reserves an IP address range for use by the producer, avoiding IP address overlaps between the service consumer and service producer networks.
- Create a private connection. The private connection uses VPC Network Peering to establish connectivity between the service consumer and service producer networks.
For information about other private access options, see Private access options for services.
Before you begin
To establish a private connection, complete the following prerequisites:
- Read the private services access overview, including which services are supported, the reachability of service instances, and limitations.
- Create a Google Cloud project or choose an existing one. To learn how to create a Google Cloud project, see Creating and managing projects.
- Enable the Service Networking API in your project. The API is required to create a private connection.
- Create or choose a VPC network to use to connect to the service producer's network. VM instances must use this VPC network to connect to services over a private connection.
- Install the Google Cloud CLI if you want to run the gcloud CLI command-line examples in this guide.
Permissions
Project owners and IAM members with the Compute Network Admin role (roles/compute.networkAdmin) can create allocated IP address ranges and manage private connections.
For more information about Compute Engine roles, see Compute Engine IAM roles and permissions.
Choose an IP address range for the allocated range
Creating an allocated range reserves an IP address range for use by the service producer. Consider the following when you choose a range for your allocation:
- Check the service producer documentation to see if they have any requirements or recommendations for the allocated range size. For Google services, the minimum size is a single /24 block, but the recommended size is a /16 block.
- Select an allocated range that is completely separate from current and future subnet ranges, including subnet ranges from networks connected by using VPC Network Peering, and subnet ranges from VPC spokes connected to the same NCC hub.
- Select a range that doesn't exactly match or contain the destinations of any custom static or dynamic routes.
  When a service producer selects an unused portion of an allocated range to use as a candidate for new resources, it excludes all custom route destinations that exactly match or fit within the allocated range. When a VPC network contains an allocated range and custom routes with destinations that match or fit within the allocated range, the usable portion of the allocated range is reduced. This configuration can lead to unexpected allocation exhausted errors.
  For example, if you create an allocated range for 10.0.0.0/16, the following applies:
  - If a custom route with a destination for 10.0.0.0/16 exists or is created later, all of the 10.0.0.0/16 range is considered unavailable. If a service producer attempts to use the allocated range, Google Cloud returns an allocation exhausted error.
  - If a custom route with a destination for 10.0.0.0/20 exists or is created later, the 10.0.0.0/20 portion of the 10.0.0.0/16 allocated range is considered unavailable. If a service producer attempts to use the allocated range, and the available portion of your allocated range is insufficient for the service producer, Google Cloud returns an allocation exhausted error.
  - If a custom route with a destination for 10.0.0.0/8 exists or is created later, this doesn't affect the availability of the 10.0.0.0/16 allocated range.
- Select a range that doesn't conflict with your other IP address needs:
  - Some Google and third-party products use 172.17.0.0/16 for routing within the guest operating system. For example, the default Docker bridge network uses this range. If you depend on a product that uses 172.17.0.0/16, don't use 172.17.0.0/16 in an allocated range for private services access.
  - If you're using an auto mode VPC network, you can't create an allocated range that matches or overlaps with 10.128.0.0/9. Google uses the 10.128.0.0/9 range for automatically created subnets, including those in future regions.
- Select a CIDR block that is large enough to meet your current and future needs. If you later find that the range isn't sufficient in size, expand the range if possible. Although you can assign multiple allocations to a single service producer, Google enforces a quota on the number of IP address ranges that you can allocate but not the size (netmask) of each range.
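The following script is an added example, not code from the Google Cloud documentation or the gcloud CLI. It applies the rules above (subnet overlap, the auto mode and Docker bridge ranges, and the carve-out of custom route destinations that fit within an allocation) to constructed inputs, and reproduces the 10.0.0.0/16 example to show how much of the allocation a producer could still use.

```python
"""Pre-allocation check for a private services access range.

Added example; it is not code from the Google Cloud documentation or from
the gcloud CLI. It applies the rules in the text to constructed subnet
ranges and custom route destinations and reports how much of a candidate
allocation a service producer could actually use.
"""
from ipaddress import ip_network

AUTO_MODE_RANGE = ip_network("10.128.0.0/9")       # auto mode subnet range
DOCKER_BRIDGE_RANGE = ip_network("172.17.0.0/16")  # default Docker bridge
MIN_GOOGLE_PREFIX = 24                             # /24 minimum for Google services


def usable_portion(allocated, route_destinations):
    """Return (usable_blocks, excluded_blocks) for an allocated range.

    A custom route destination that exactly matches or fits within the
    allocated range is carved out of it; a destination that merely contains
    the allocated range (for example a /8 around a /16) has no effect.
    """
    alloc = ip_network(allocated)
    holes = sorted(
        {d for d in map(ip_network, route_destinations) if alloc.supernet_of(d)},
        key=lambda n: (int(n.network_address), n.prefixlen),
    )
    usable = [alloc]
    for hole in holes:
        remaining = []
        for block in usable:
            if block.subnet_of(hole):       # the whole block lies inside the hole
                continue
            if hole.subnet_of(block):       # punch the hole out of this block
                remaining.extend(block.address_exclude(hole))
            else:                           # disjoint: keep the block as is
                remaining.append(block)
        usable = remaining
    return usable, holes


def usable_address_count(allocated, route_destinations):
    """Number of addresses a producer can still draw from the allocation."""
    usable, _ = usable_portion(allocated, route_destinations)
    return sum(block.num_addresses for block in usable)


def check_allocation(candidate, subnet_ranges, route_destinations,
                     auto_mode=False, uses_docker_bridge=False):
    """Return a list of human-readable problems for a candidate range.

    subnet_ranges should include the subnets of peered networks and of
    spokes on the same NCC hub, as the text requires.
    """
    cand = ip_network(candidate)
    problems = []
    if cand.prefixlen > MIN_GOOGLE_PREFIX:
        problems.append(f"{cand} is smaller than the /{MIN_GOOGLE_PREFIX} minimum")
    for subnet in map(ip_network, subnet_ranges):
        if cand.overlaps(subnet):
            problems.append(f"{cand} overlaps subnet range {subnet}")
    if auto_mode and cand.overlaps(AUTO_MODE_RANGE):
        problems.append(f"{cand} overlaps the auto mode range {AUTO_MODE_RANGE}")
    if uses_docker_bridge and cand.overlaps(DOCKER_BRIDGE_RANGE):
        problems.append(f"{cand} overlaps the Docker bridge range {DOCKER_BRIDGE_RANGE}")
    _, holes = usable_portion(candidate, route_destinations)
    for hole in holes:
        problems.append(f"custom route to {hole} makes that part of {cand} unusable")
    return problems


if __name__ == "__main__":
    # The worked example from the text: a /16 allocation with a /20 route
    # inside it and a /8 route around it. Only the /20 is carved out.
    routes = ["10.0.0.0/20", "10.0.0.0/8"]
    usable, holes = usable_portion("10.0.0.0/16", routes)
    print("excluded:", [str(h) for h in holes])
    print("usable:", [str(b) for b in usable])
    print("addresses left:", usable_address_count("10.0.0.0/16", routes))
    # A constructed candidate that breaks several rules at once.
    for problem in check_allocation("10.128.0.0/16", ["10.128.0.0/20"],
                                    ["10.128.0.0/16"], auto_mode=True):
        print("problem:", problem)
```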
Create an allocated range
The following steps describe how to create an allocated IP address range.
When a Google service allocates a range on your behalf, the service uses the following format to name the allocation: google-managed-services-CONSUMER_NETWORK_NAME. If this allocation exists, Google services use the existing one instead of creating another one. You can use the same naming convention that Google uses to signal to other users or Google services that an allocation for Google already exists.
Console
- In the Google Cloud console, go to the VPC networks page.
- Select the VPC network that will connect to a service producer.
- Select the Private services access tab.
- On the Private services access tab, select the Allocated IP ranges for services tab.
- Click Allocate IP range.
- Enter a Name and Description for the allocated range.
- Configure the IP address range for the allocation:
  - To specify a specific IP address range, select Custom and then enter a CIDR block, such as 192.168.0.0/16.
  - To let Google select an available range, select Automatic and then enter a prefix length, such as 16.
- Click Allocate to create the allocated range.
gcloud
To create an allocated range in your VPC network, use the gcloud compute addresses create command.
- To specify an address range and a prefix length (subnet mask), use the --addresses and --prefix-length flags. For example, to allocate the CIDR block 192.168.0.0/16, specify 192.168.0.0 for the address and 16 for the prefix length.

    gcloud compute addresses create RESERVED_RANGE_NAME \
        --global \
        --purpose=VPC_PEERING \
        --addresses=192.168.0.0 \
        --prefix-length=16 \
        --description="DESCRIPTION" \
        --network=VPC_NETWORK

- To specify just a prefix length (subnet mask), use only the --prefix-length flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network. The following example selects an unused IP address range with a 16-bit prefix length.

    gcloud compute addresses create RESERVED_RANGE_NAME \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=16 \
        --description="DESCRIPTION" \
        --network=VPC_NETWORK

Replace the following:
- RESERVED_RANGE_NAME: a name for the allocated range, such as my-allocated-range.
- DESCRIPTION: a description for the range, such as allocated for my-service.
- VPC_NETWORK: the name of your VPC network, such as my-vpc-network.

The following example creates an allocated range for a private connection to Google so that the VM instances in the my-network VPC network can use private services access to reach Google services that support it.

    gcloud compute addresses create google-managed-services-my-network \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=16 \
        --description="peering range for Google" \
        --network=my-network
Terraform
To create an allocated range in your VPC network, use the google_compute_global_address resource.

    resource "google_compute_global_address" "private_ip_address" {
      name          = "private-ip-address"
      purpose       = "VPC_PEERING"
      address_type  = "INTERNAL"
      prefix_length = 16
      network       = google_compute_network.peering_network.id
    }

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
If you see an error about the compute.globalAddresses.list permission for the project, see Service account permissions.
List allocated IP address ranges
To list allocated IP address ranges, use the gcloud compute addresses list command.
gcloud compute addresses list --global --filter="purpose=VPC_PEERING"
Create a private connection
After you create an allocated range, you can create a private connection to a service producer. The private connection establishes a VPC Network Peering connection between your VPC network and the service producer's network.
Consider the following when you create a private connection:
- If a single service producer offers multiple services, you only need one private connection for all of the producer's services.
- If a single service producer offers multiple services and you want to control which allocated ranges are used for different service resources, you can use multiple VPC networks, each with their own private connections. This configuration lets you select a particular network when creating a new managed service resource to ensure that the associated allocated ranges are used for the new resource.
Don't reuse the same allocated range for multiple service producers. If you connect to multiple service producers, use a unique allocated range for each service producer. Using different allocated ranges avoids IP address overlap, and helps you manage your network settings, such as routes and firewall rules, for each service producer.
Console
- In the Google Cloud console, go to the VPC networks page.
- Select the VPC network that will connect to a service producer.
- Select the Private services access tab.
- On the Private services access tab, select the Private connections to services tab.
- Click Create connection to create a private connection between your network and a service producer.
- For the Assigned allocation, select one or more existing allocated ranges that aren't being used by other service producers.
- Click Connect to create the connection.
gcloud
Use the gcloud services vpc-peerings connect command.

    gcloud services vpc-peerings connect \
        --service=servicenetworking.googleapis.com \
        --ranges=RESERVED_RANGE_NAME \
        --network=VPC_NETWORK

Replace the following:
- RESERVED_RANGE_NAME: the name of one or more allocated ranges.
- VPC_NETWORK: the name of your VPC network.

The command initiates a long-running operation, returning an operation name.
To check whether the operation was successful, use the gcloud services vpc-peerings operations describe command.

    gcloud services vpc-peerings operations describe \
        --name=OPERATION_NAME

Replace OPERATION_NAME with the operation name that was returned from the previous step.
You can specify more than one allocated range when you create a private connection. For example, if a range has been exhausted, you can assign additional allocated ranges. The service uses IP addresses from all of the provided ranges in the order that you specified.
Terraform
To create a private connection, use the google_service_networking_connection resource.

    resource "google_service_networking_connection" "default" {
      network                 = google_compute_network.peering_network.id
      service                 = "servicenetworking.googleapis.com"
      reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
    }

List private connections
After you create a private connection, you can list it to check that it exists. The list also shows the allocated ranges that are associated with each connection. For example, if you don't remember which allocated range you assigned to a connection, view the list to find out.
Console
- In the Google Cloud console, go to the VPC networks page.
- Select the VPC network that contains the connections.
- Select the Private services access tab.
- On the Private services access tab, select the Private connections to services tab to view all the network's private connections.
gcloud
Use the gcloud services vpc-peerings list command.

    gcloud services vpc-peerings list \
        --network=VPC_NETWORK

Replace VPC_NETWORK with the name of your VPC network.
Modify a private connection
You can't modify an allocated range, but you can update a private connection to add or remove allocated ranges without disrupting traffic.
Add ranges: as you scale, you might add or replace an allocated range if you're close to exhausting the existing one. If you add another allocated range to a private connection, more IP addresses are available to the service producer when creating new service resources for any service they provide. You can't reserve a specific allocated range within a private connection for use by a particular service.
For more information about adding or replacing ranges, see IP address range exhaustion.
Remove ranges: when you remove a range from a private connection, the following applies:
- The allocated range is no longer associated with the private connection, but it isn't deleted.
- If a removed range is no longer in use, you can delete the allocation.
- Existing service producer resources might continue to use the removed range.
- Private services access doesn't use the removed ranges to allocate new subnets.
Console
- In the Google Cloud console, go to the VPC networks page.
- Select the VPC network that contains the connections.
- Select the Private services access tab.
- On the Private services access tab, select the Private connections to services tab to view all the network's private connections.
- Click a connection name in the list.
- In the Assigned allocation list, select the allocated ranges that you want to associate with the private connection. Clear the checkboxes for any allocated ranges that you want to remove from the private connection.
- Click OK.
gcloud
To add or remove assigned allocated IP address ranges on an existing private connection, use the gcloud services vpc-peerings update command.

    gcloud services vpc-peerings update \
        --service=servicenetworking.googleapis.com \
        --ranges=RESERVED_RANGE_NAME \
        --network=VPC_NETWORK \
        [--force]

Replace the following:
- RESERVED_RANGE_NAME: a list of one or more names of allocated ranges to assign to the private connection. RESERVED_RANGE_NAME replaces the previous list of allocated ranges. If you omit a range that was previously associated with this private connection, the range is removed from the connection. You must use the --force flag to remove a range.
- VPC_NETWORK: the name of your VPC network.
Delete an allocated IP address range
Before you delete an allocated IP address range, check if the range is in use by a private connection.
If the allocated IP address range is in use, first modify the private connection to remove the range. Then delete the allocated IP address range.
If you delete an allocated IP address range that is in use, and you don't modify the private connection, the following applies:
- Existing connections remain active, but there's nothing preventing your VPC network from using IP addresses that overlap with the service producer's network.
- If you delete the only allocated IP address range that is associated with a private connection, the service can't create new subnets because there's no allocated IP address range to select from.
- If you later create an allocated IP address range that matches or overlaps the deleted range, adding the range to a private connection fails.
To avoid these problems, always modify your private connections when you delete an in-use allocated IP address range.
Console
- In the Google Cloud console, go to the VPC networks page.
- Select the VPC network that contains the allocations to delete.
- Select the Private services access tab.
- On the Private services access tab, select the Allocated IP ranges for services tab.
- Select the allocation to delete.
- Click Release to return the allocated IP address range to the network's pool of available internal IP addresses. If the allocated IP address range is still assigned to an existing connection, you must enter additional confirmation before you can release the allocation.
- Click Release again to confirm the deletion.
gcloud
Delete the allocation by specifying the name of your allocation.

    gcloud compute addresses delete NAME \
        --global

Replace NAME with the name of the allocated range that you want to delete.
Delete a private connection
To delete a private connection, complete the procedure in this section. Don't attempt to delete a private connection by deleting its associated VPC Network Peering connection directly.
Before you delete a private connection, you must delete all the service instances that you access through the connection.
Service instance deletion behavior can vary based on the service. The service's resources might be deleted immediately, or they might be deleted after a waiting period. If there is a waiting period, you can't delete the private connection until the waiting period has passed and the service producer's resources are deleted.
For example, if you delete a Cloud SQL instance, you receive a success response, but the service waits for four days before deleting the service producer resources. The waiting period means that if you change your mind about deleting the service, you can request to restore the resources. If you try to delete the connection during the waiting period, the deletion fails with a message that the resources are still in use by the service producer.
You can't delete a private connection that's in use by a producer VPC spoke. To delete the connection, first delete the producer VPC spoke.
Console
- In the Google Cloud console, go to the VPC networks page.
- Select the VPC network that contains the connections to delete.
- Select the Private services access tab.
- On the Private services access tab, select the Private connections to services tab.
- Select the private connection to delete.
- Click Delete.
- Click Delete again to confirm the deletion.
gcloud
To delete a private connection's VPC Network Peering connection, use the gcloud services vpc-peerings delete command.

    gcloud services vpc-peerings delete \
        --service=servicenetworking.googleapis.com \
        --network=VPC_NETWORK

Replace VPC_NETWORK with the name of your VPC network.
Share private DNS zones with service producers
Cloud DNS private zones are private to your VPC network. If you want to let a service producer network resolve names from your private zone, you can configure DNS peering between the two networks.
When you configure DNS peering, you provide a VPC network and a DNS suffix. If the service producer needs to resolve an address with that DNS suffix, the service producer forwards those queries to your VPC network to be resolved.
These supported services support DNS peering, with the exception of Cloud SQL.
If you want to enable DNS peering, you must enable the Cloud DNS API in your project.
Peer DNS with a service producer
gcloud
To set up DNS peering between your VPC network and the service provider network, use the gcloud services peered-dns-domains create command.

    gcloud services peered-dns-domains create PEERING_NAME \
        --network=VPC_NETWORK \
        --dns-suffix=DNS_SUFFIX

Replace the following:
- PEERING_NAME: a name for this DNS peering configuration.
- VPC_NETWORK: the name of your VPC network that is connected to the service producer using private services access.
- DNS_SUFFIX: the DNS suffix you want to peer with the service producer. You must provide a complete DNS domain name, including the trailing dot. For example, example.com. is a valid DNS suffix.
Terraform
To set up DNS peering between your VPC network and the service provider network, use the google_service_networking_peered_dns_domain resource.

    ## Uncomment this block after adding a valid DNS suffix
    # resource "google_service_networking_peered_dns_domain" "default" {
    #   name       = "example-com"
    #   network    = google_compute_network.peering_network.name
    #   dns_suffix = "example.com."
    #   service    = "servicenetworking.googleapis.com"
    # }

List DNS peering configurations
gcloud
Use the gcloud services peered-dns-domains list command.

    gcloud services peered-dns-domains list \
        --network=VPC_NETWORK

Replace VPC_NETWORK with the name of your VPC network.
Delete a DNS peering configuration
gcloud
Use the gcloud services peered-dns-domains delete command.

    gcloud services peered-dns-domains delete PEERING_NAME \
        --network=VPC_NETWORK

Replace the following:
- PEERING_NAME: the name of the DNS peering configuration.
- VPC_NETWORK: the name of your VPC network.
Configure hybrid connectivity
By default, the service producer's network only learns the subnet routes from your VPC network. Therefore, any request that's not from a subnet IP range is dropped by the service producer.
To configure connectivity between your on-premises hosts and the service producer's network, do the following:
- In your VPC network, update the peering connection to export custom routes to the service producer's network. Exporting routes sends all eligible static and dynamic routes that are in your VPC network, such as routes to your on-premises network, to the service producer's network. The service producer's network automatically imports them and then can send traffic back to your on-premises network through the VPC network.
- Ensure that the prefixes that include the allocated IP ranges for private services access are being correctly advertised to your on-premises network. To understand how you can advertise custom IPv4 prefixes using Cloud Router, see Advertised routes.
- Check that the VLAN attachment or Cloud VPN tunnel terminates in the same VPC network (or Shared VPC network) as the private connection, because VPC Network Peering doesn't provide transitive routing.
Troubleshooting
The following sections contain troubleshooting information for private services access.
How much of my allocation is being used?
When you create a private connection with a service producer, you allocate an IP address range for them to use. If you use multiple services from a service producer, each service reserves a chunk of IP addresses from that allocated range. You can check which services are using which IP addresses so that, for example, you can see which services are using large blocks of IP addresses and avoid IP address exhaustion.
To view the allocation ratio for your allocated ranges, use Network Analyzer. For more information, see Private services access IP address utilization summary.
Alternatively, to view which service is using a particular IP address range:
- List your private connections.
- Find the peering connection name that connects you to the relevant service producer.
- List the routes for your VPC network.
- Find the routes with a next hop that matches the peering connection name. The destination range of the routes indicates which IP addresses each service is using.
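The script below is an added example, not part of the Google Cloud documentation. It carries out the manual procedure above on constructed data: it selects the routes whose next hop is the assumed peering name, attributes their destination ranges to the connection's allocated ranges, and reports the largest block still free in each range, which is what a producer fails to find when it returns "Couldn't find free blocks". The route and address records are constructed to resemble the fields of gcloud compute routes list and gcloud compute addresses list, not real output.

```python
"""Estimate how much of each allocated range a service producer has used.

Added example, not part of the Google Cloud documentation. The peering
name, allocated ranges and route records below are constructed; real
values come from 'gcloud services vpc-peerings list',
'gcloud compute addresses list' and 'gcloud compute routes list'.
"""
from ipaddress import ip_network

PEERING_NAME = "servicenetworking-googleapis-com"   # assumed peering name

# Constructed: allocated ranges of the connection (name -> CIDR).
ALLOCATED = {
    "google-managed-services-my-network": "10.20.0.0/16",
    "extra-range": "10.30.0.0/24",
}

# Constructed: routes as (name, destRange, nextHopPeering).
ROUTES = [
    ("peering-route-a1", "10.20.0.0/20", PEERING_NAME),
    ("peering-route-b2", "10.20.16.0/24", PEERING_NAME),
    ("peering-route-c3", "10.20.32.0/19", PEERING_NAME),
    ("peering-route-d4", "10.30.0.0/24", PEERING_NAME),
    ("onprem-route", "192.168.0.0/16", None),           # unrelated static route
    ("other-peering", "10.40.0.0/24", "some-other-peer"),
]


def peering_routes(routes, peering_name):
    """Destination ranges of routes whose next hop is the given peering."""
    return [ip_network(dest) for _, dest, hop in routes if hop == peering_name]


def utilization(allocated, routes, peering_name):
    """Return {range_name: (used_addresses, total_addresses, [consumers])}.

    Each peering subnet route that lies inside an allocated range counts
    as a chunk the producer has reserved from that range.
    """
    used_ranges = peering_routes(routes, peering_name)
    report = {}
    for name, cidr in allocated.items():
        alloc = ip_network(cidr)
        consumers = [r for r in used_ranges if r.subnet_of(alloc)]
        used = sum(r.num_addresses for r in consumers)
        report[name] = (used, alloc.num_addresses, [str(r) for r in consumers])
    return report


def largest_free_block(alloc_cidr, used_ranges, min_prefix=24):
    """Largest CIDR inside the allocation that no peering route overlaps.

    min_prefix bounds the search (assumption: /24 is the smallest block
    worth reporting here). Returns None when nothing that large is free,
    the situation behind the "Couldn't find free blocks" error.
    """
    alloc = ip_network(alloc_cidr)
    used = [ip_network(u) for u in used_ranges]
    for prefix in range(alloc.prefixlen, min_prefix + 1):
        for sub in alloc.subnets(new_prefix=prefix):
            if not any(sub.overlaps(u) for u in used):
                return str(sub)
    return None


if __name__ == "__main__":
    for name, (used, total, consumers) in utilization(ALLOCATED, ROUTES, PEERING_NAME).items():
        free = largest_free_block(ALLOCATED[name], consumers)
        print(f"{name}: {used}/{total} addresses used ({100 * used / total:.1f}%), "
              f"largest free block: {free}")
        for c in consumers:
            print(f"  consumer route: {c}")
```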
IP address range exhaustion
For a given private connection, if you exhaust your allocated IP address space, Google Cloud returns this error: Failed to create subnetwork. Couldn't find free blocks in allocated IP ranges.
You might see this error because the allocated range isn't sufficient for your usage, or because a custom static or dynamic route is preventing the allocated range from being fully used. For more information about routing considerations, see Choose an IP address range for the allocated range.
You can expand the existing allocation or add new ones. The expanded allocation must be a contiguous IP address range that includes the existing range. We recommend expanding an allocation because there's no limit on the size of an allocation, but there is a limit on the number of allocations that you can create per project and per connection. For more information, see Static global internal IPv4 addresses and Allocated IP address ranges per private connection.
To expand an existing allocation:
- List your private connections and record the name of the allocated range you need to expand.
- Delete the existing allocated range that you want to expand.
- Create a new allocated range by using the same name as the deleted range. Specify an IP address range that includes the deleted IP address range. That way, existing peered resources that are using the old allocated range can continue to use the same IP addresses without colliding with resources in your VPC network. For example, if the previous allocated range was 192.168.0.0/20, create a new allocated range
To add allocated ranges to an existing private connection:
- Create a new allocated range. This range doesn't have to be contiguous with existing allocated ranges.
- Add the allocated range to the existing private connection.
Service account permissions
If you see an error about the compute.globalAddresses.list permission for a project when creating an allocated range, or if you experience errors such as Error 400: Precondition check failed while creating, listing, or modifying private connections, it might be a problem with Identity and Access Management (IAM) roles for your Service Networking API service account. This service account is created automatically after you enable the Service Networking API. It can take time for the account to be provisioned and display on the IAM page.
Console
To ensure that the service account has the correct IAM role, do the following:
- In the Google Cloud console, go to the IAM page.
- Select the Include Google-provided role grants checkbox.
- In the Name column, find the Service Networking Service Agent principal, and then click Edit principal in the corresponding row.
- In the Role field, ensure that the Service Networking Service Agent role (roles/servicenetworking.serviceAgent) is present. If the Service Networking Service Agent role is not present, click either Add role or Add another role.
- Click Select a role.
- In the Filter text box, enter Service Networking Service Agent. Select Service Networking Service Agent from the list, and then click Save.
gcloud
To grant the Service Networking API service account its role, use the gcloud projects add-iam-policy-binding command.

    gcloud projects add-iam-policy-binding HOST_PROJECT_NAME \
        --member=serviceAccount:service-HOST_PROJECT_NUMBER@service-networking.iam.gserviceaccount.com \
        --role=roles/servicenetworking.serviceAgent

Replace the following:
- HOST_PROJECT_NAME: the name of the host project.
- HOST_PROJECT_NUMBER: the number of the host project.
Peering subnet route persists after updating allocated range
After you update the allocated IP address range of a private services connection, the old peering subnet route might still appear in the routing table of your VPC network. The route persists because the IP address range is still in use.
To resolve this issue, do the following:
- Make sure that if you delete an allocated range, you also update the private connection.
- Delete or update any resources that use the old IP address range.
The peering subnet route is removed automatically after the IP address range is no longer in use. There might be a delay between deleting the resource and the service producer fully deleting the resource. For example, if the old IP address range is being used by a Cloud SQL instance, it can take up to four days for the service producer to fully delete your instance. The peering subnet route is removed after the deletion is complete.
Unable to create a new private connection
If you attempt to create a new private connection after deleting the VPC Network Peering connection associated with a previous private connection, Google Cloud might return an error. For troubleshooting information, see the following error messages.
To prevent this issue from happening, follow the procedure to delete a private connection instead of deleting the associated VPC Network Peering connection directly.
Cannot modify allocated ranges error:

    ERROR: Cannot modify allocated ranges in CreateConnection. Please use UpdateConnection. Existing allocated IP ranges: ALLOCATED_RANGE_NAMES.

If you get this error, do the following:
- Recreate the private connection that you deleted and use the allocated range names returned by the error. You must use the same allocated range names when recreating the connection, but the corresponding IP address ranges (CIDR blocks) can be the same or different. To create the private connection, see Create a private connection.
- If necessary, modify the private connection to add or remove allocated ranges. You might want to use different allocated ranges than the allocated ranges that you specified when you recreated the private connection in the previous step. To modify the private connection, see Modify a private connection.
Transient internal error:

    ERROR: (gcloud.services.vpc-peerings.connect) The operation "operations/OPERATION_ID" resulted in a failure "encountered some transient internal error, please try again later"

If you get this error, contact Cloud Support.
Last updated 2026-02-18 UTC.