Connect an environment to a VPC network


This page explains how your environment can access a VPC network in Cloud Composer 3, provides instructions for connecting an environment to a VPC network, and describes how to disable a previously configured connection.

About VPC network access

In Cloud Composer 3, you can enable access to a VPC network for an environment.

If you enable access to a VPC network for an environment:

  • Airflow components of your environment can access private network endpoints in your VPC network. For example, your DAG code can access resources located in your VPC network through a configured Airflow connection.

  • If your environment uses Private IP networking, all internal traffic is routed to your VPC network, except the traffic to Google APIs, services, and domains that are available to Private IP environments through Private Google Access.

  • Depending on how you configure your VPC network, a Private IP environment can gain access to the internet through your VPC network.

  • Private DNS zones defined in your VPC network are automatically available to your environment's Airflow components.

    Note: Cloud Composer 3 doesn't support a user-defined .internal DNS zone. If you create a DNS zone for .internal, it won't be possible to reach that zone.

  • The environment reserves two IP addresses in your VPC subnetwork and uses two extra IP addresses during maintenance and upgrades. Make sure that four IP addresses per environment are available in your VPC subnetwork.

Cloud Composer uses a network attachment to connect your environment to a VPC network:

  • If you specify a VPC network and subnetwork, then Cloud Composer creates a new network attachment in your project. This attachment is deleted after you delete an environment, disable the connection to a VPC network, or overwrite the VPC connection parameters.

  • If you specify an existing network attachment, then it must be located in the same project as the environment. This attachment is not deleted after you delete an environment, disable the connection, or overwrite the VPC connection parameters.

  • In Shared VPC networking:

    • Make sure that you configured Shared VPC networking for Cloud Composer. See Configure Shared VPC for information about configuring projects and permissions for Cloud Composer.

    • After Shared VPC networking is configured, you can connect your environment to a VPC network from the host project. If you use an existing network attachment, it must be created in the service project (where the environment is located) and attached to a Shared VPC network.

Limitations for transitive DNS peering in Cloud Composer 3

Limitations for transitive DNS peering apply to a Cloud Composer 3 environment in the following way:

  • Cloud DNS has a limitation of one transitive hop, which means that only two hops are supported in total.
  • In Cloud Composer 3, your environment's components run in the tenant project and communicate with the project where the environment is located through DNS peering. The transitive hop is used by the DNS peering of the tenant project, so only one hop remains available.

About the environment's internal IP range

Cloud Composer 3 environments require several IP addresses for their components that run in the tenant project, such as your environment's cluster and Cloud SQL proxy. These IP addresses are taken from the environment's internal IP range.

  • The default internal IP range is 100.64.128.0/20.

  • You can specify a different internal IP range when you create an environment. This range must use a /20 mask.

  • You cannot change the internal IP range of an existing environment.

The internal IP range interacts with your VPC network in the following ways:

  • The internal IP range must not conflict with the VPC subnetwork that the Cloud Composer environment is connected to. It's not possible to enable a connection with a VPC subnetwork that overlaps with the internal IP range.

  • If the internal IP range of an environment overlaps with your VPC network ranges, then endpoints from your VPC network that have overlapping IP addresses are not accessible from the environment.

    For example, if the internal range is 100.64.128.0/20, then any request to the 100.64.128.1 endpoint in your VPC network fails because the request does not leave the tenant project.

  • The internal IP range is not reserved. You can use the same internal IP range for several environments without any additional setup because the internal VPC networks used by different environments are separated.

  • You can use the internal range IP addresses for other purposes, as long as DAGs and tasks in your environment do not make requests to them.
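As an added illustration (not part of the Cloud Composer documentation), the following Python script applies the rules in this section to a proposed internal range and VPC subnetwork: it validates the /20 mask, detects a subnetwork that overlaps the internal range, lists VPC endpoints that would be unreachable from the environment, and checks that the subnetwork has four free addresses per environment. The sample ranges and the in-use address count are constructed values; the four addresses subtracted per subnet are the ones Google Cloud reserves in every IPv4 subnet's primary range.

```python
import ipaddress

# Default internal IP range of a Cloud Composer 3 environment (from the page).
DEFAULT_INTERNAL_RANGE = "100.64.128.0/20"
# Addresses an environment needs in the VPC subnetwork (from the page):
# two reserved plus two extra during maintenance and upgrades.
ADDRESSES_PER_ENVIRONMENT = 4
# Google Cloud reserves four addresses in every IPv4 subnet's primary range
# (network, default gateway, second-to-last, broadcast).
GCP_RESERVED_PER_SUBNET = 4

def is_valid_internal_range(cidr: str) -> bool:
    """An internal range must be an IPv4 network with a /20 mask."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen == 20

def subnet_conflicts(internal_range: str, vpc_subnet: str) -> bool:
    """True if the VPC subnetwork overlaps the internal range; Composer refuses
    to connect the environment to such a subnetwork."""
    return ipaddress.ip_network(internal_range).overlaps(
        ipaddress.ip_network(vpc_subnet))

def unreachable_endpoints(internal_range: str, endpoints: list) -> list:
    """VPC endpoints whose address falls inside the internal range. Requests to
    them never leave the tenant project, so they fail from the environment."""
    net = ipaddress.ip_network(internal_range)
    return [ep for ep in endpoints if ipaddress.ip_address(ep) in net]

def free_addresses(vpc_subnet: str, already_in_use: int) -> int:
    """Addresses still available in the subnetwork's primary range after the
    Google Cloud reserved ones and those allocated to other resources."""
    net = ipaddress.ip_network(vpc_subnet)
    return net.num_addresses - GCP_RESERVED_PER_SUBNET - already_in_use

def can_host_environments(vpc_subnet: str, already_in_use: int, count: int) -> bool:
    """True if the subnetwork has four free addresses per planned environment."""
    return free_addresses(vpc_subnet, already_in_use) >= count * ADDRESSES_PER_ENVIRONMENT

if __name__ == "__main__":
    # Constructed sample values, not taken from any real project.
    print(subnet_conflicts(DEFAULT_INTERNAL_RANGE, "100.64.130.0/24"))  # True
    print(unreachable_endpoints(DEFAULT_INTERNAL_RANGE, ["100.64.128.1", "10.10.0.5"]))
    print(can_host_environments("10.10.0.0/24", 200, 13))  # True
```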

Connect to a VPC network

Console

  1. In the Google Cloud console, go to the Environments page.

  2. In the list of environments, click the name of your environment. The Environment details page opens.

  3. Go to the Environment configuration tab.

  4. In the Network configuration section, find the Network attachment item and click Edit.

  5. In the Network attachment dialog:

    • To create a new network attachment, in the Network attachment list, select Create a new network attachment. In the Network and Subnetwork lists, select a VPC network and a subnetwork.

    • To use an existing network attachment, in the Network attachment list, select an attachment.

  6. Click Save.

gcloud

The following Google Cloud CLI arguments specify VPC network connection parameters:

  • --network: VPC network ID.
  • --subnetwork: VPC subnetwork ID.
  • --network-attachment: Use an existing network attachment instead.

New network attachment

To connect your environment to a VPC network through a new network attachment, run the following Google Cloud CLI command:

gcloud beta composer environments update ENVIRONMENT_NAME \
    --location LOCATION \
    --network NETWORK_ID \
    --subnetwork SUBNETWORK_ID

Replace the following:

  • ENVIRONMENT_NAME: the name of the environment
  • LOCATION: the region where the environment is located
  • NETWORK_ID: VPC network ID
  • SUBNETWORK_ID: VPC subnetwork ID

Example:

gcloud beta composer environments update example-environment \
    --location us-central1 \
    --network projects/example-project/global/networks/example-network \
    --subnetwork projects/example-project/regions/us-central1/subnetworks/example-subnetwork

Existing network attachment

To connect your environment to a VPC network through an existing network attachment, run the following Google Cloud CLI command:

gcloud beta composer environments update ENVIRONMENT_NAME \
    --location LOCATION \
    --network-attachment NETWORK_ATTACHMENT_ID

Replace the following:

  • ENVIRONMENT_NAME: the name of the environment
  • LOCATION: the region where the environment is located
  • NETWORK_ATTACHMENT_ID: the network attachment in the projects/{project}/regions/{region}/networkAttachments/{networkAttachment} format.

Example:

gcloud beta composer environments update example-environment \
    --location us-central1 \
    --network-attachment projects/example-project/regions/us-central1/networkAttachments/example-network-attachment

API

  1. Create an environments.patch API request.

  2. In this request:

    • To create a new network attachment:

      1. In the updateMask parameter, specify the config.node_config.network,config.node_config.subnetwork mask.

      2. In the request body, in the network and subnetwork fields, specify your VPC network and subnetwork IDs.

    • To use an existing network attachment:

      1. In the updateMask parameter, specify the config.node_config.composer_network_attachment mask.

      2. In the request body, provide a value for the existing network attachment in the projects/{project}/regions/{region}/networkAttachments/{networkAttachment} format.

Example (new network attachment):

// PATCH https://composer.googleapis.com/v1beta1/projects/example-project/
// locations/us-central1/environments/example-environment?updateMask=
// config.node_config.network,config.node_config.subnetwork

"config": {
  "nodeConfig": {
    "network": "projects/example-project/global/networks/example-network",
    "subnetwork": "projects/example-project/regions/us-central1/subnetworks/example-subnetwork"
  }
}

Example (existing network attachment):

// PATCH https://composer.googleapis.com/v1beta1/projects/example-project/
// locations/us-central1/environments/example-environment?updateMask=
// config.node_config.composer_network_attachment

"config": {
  "nodeConfig": {
    "composerNetworkAttachment": "projects/example-project/regions/us-central1/networkAttachments/example-network-attachment"
  }
}

Terraform

The following fields in the node_config block specify VPC network connection parameters:

  • network: VPC network ID.
  • subnetwork: VPC subnetwork ID.
  • composer_network_attachment: Use an existing network attachment instead.

New network attachment

resource "google_composer_environment" "example" {
  provider = google-beta
  name     = "ENVIRONMENT_NAME"
  region   = "LOCATION"

  config {
    node_config {
      network    = NETWORK_ID
      subnetwork = SUBNETWORK_ID
    }
  }
}

Replace the following:

  • ENVIRONMENT_NAME: the name of your environment.
  • LOCATION: the region where the environment is located.
  • NETWORK_ID: VPC network ID
  • SUBNETWORK_ID: VPC subnetwork ID

Example (new network attachment):

resource "google_composer_environment" "example" {
  provider = google-beta
  name     = "example-environment"
  region   = "us-central1"

  config {
    node_config {
      network    = "projects/example-project/global/networks/example-network"
      subnetwork = "projects/example-project/regions/us-central1/subnetworks/example-subnetwork"
    }

    # ... other configuration parameters
  }
}

Existing network attachment

Caution: If you specify an existing network attachment that you also manage in Terraform, then Terraform will revert changes to the attachment done by Cloud Composer when you apply configuration changes.

As a result, the environment will no longer use the attachment. To address this, make sure that Terraform ignores changes to the producer_accept_lists parameter of the attachment, as follows:

resource "google_compute_network_attachment" "NETWORK_ATTACHMENT_ID" {
  lifecycle {
    ignore_changes = [producer_accept_lists]
  }

  # ... other configuration parameters
}

Afterwards, specify this attachment for an environment. You can also specify an attachment that is not managed in Terraform; see the example.

resource "google_composer_environment" "example" {
  provider = google-beta
  name     = "example-environment"
  region   = "us-central1"

  config {
    node_config {
      composer_network_attachment = google_compute_network_attachment.NETWORK_ATTACHMENT_ID.id
    }

    # ... other configuration parameters
  }
}

Replace the following:

  • ENVIRONMENT_NAME: the name of your environment.
  • LOCATION: the region where the environment is located.
  • NETWORK_ATTACHMENT_ID: the network attachment ID.

Example (existing network attachment):

resource "google_compute_network_attachment" "example" {
  lifecycle {
    ignore_changes = [producer_accept_lists]
  }

  # ... other configuration parameters
}

resource "google_composer_environment" "example" {
  provider = google-beta
  name     = "example-environment"
  region   = "us-central1"

  config {
    node_config {
      # Attachment is managed in Terraform (the resource declared above):
      composer_network_attachment = google_compute_network_attachment.example.id

      # Attachment is not managed in Terraform:
      # composer_network_attachment = "projects/example-project/regions/us-central1/networkAttachments/example-network-attachment"
    }

    # ... other configuration parameters
  }
}

Disable connection to a VPC network

Console

  1. In the Google Cloud console, go to the Environments page.

  2. In the list of environments, click the name of your environment. The Environment details page opens.

  3. Go to the Environment configuration tab.

  4. In the Network configuration section, find the Network attachment item and click Edit.

  5. In the Network attachment dialog, select None and click Save.

gcloud

The --disable-vpc-connectivity argument disables the VPC network connection of your environment:

gcloud beta composer environments update ENVIRONMENT_NAME \
    --location LOCATION \
    --disable-vpc-connectivity

Replace the following:

  • ENVIRONMENT_NAME: the name of the environment
  • LOCATION: the region where the environment is located

Example:

gcloud beta composer environments update example-environment \
    --location us-central1 \
    --disable-vpc-connectivity

API

  1. Create an environments.patch API request.

  2. In this request:

    1. In the updateMask parameter, specify the config.node_config.network,config.node_config.subnetwork mask.

    2. In the request body, in the network and subnetwork fields, specify empty values.

Example:

// PATCH https://composer.googleapis.com/v1beta1/projects/example-project/
// locations/us-central1/environments/example-environment?updateMask=
// config.node_config.network,config.node_config.subnetwork

"config": {
  "nodeConfig": {
    "network": "",
    "subnetwork": ""
  }
}

Terraform

It's not possible to detach a VPC network using Terraform. Instead, you can attach a different VPC network in its place, or detach the network using other tools, such as the Google Cloud CLI.


Last updated 2025-12-15 UTC.