gRPC direct connectivity

Direct connectivity is a connection solution that allows high-performance, authenticated, direct gRPC network connections between a Google Cloud client library and Cloud Storage, resulting in lower latency and connection overhead. When you use gRPC to connect to Google Cloud using direct connectivity, requests initiated through supported Google Cloud client libraries are routed directly to Cloud Storage, bypassing Google Front Ends (GFEs).

Direct connectivity is only available for requests made from Compute Engine virtual machines (VMs).

Requirements for direct connectivity

Direct connectivity is enabled by default when you use supported Cloud Storage client libraries to connect to Cloud Storage, but becomes available only if the following conditions are all met:

  • The Compute Engine VMs interacting with Cloud Storage must have an attached service account, even if the service account has no permissions. The service account is used to represent the Compute Engine VM in the Application Layer Transport Security handshake process.

  • The Compute Engine VMs interacting with a Cloud Storage bucket must be co-located with the bucket. For example, if the bucket is in us-central1, the VM can be located in us-central1-a. If the bucket is in a multi-region or dual-region, the VM must be located in a region that makes up the multi-region or dual-region. For example, if a bucket is located in the us multi-region, the VM can be located in us-east4-c.

    For more information about bucket locations, see Locations.

  • Your routes and firewall rules allow IPv4 traffic to reach 34.126.0.0/18 and IPv6 traffic to reach 2001:4860:8040::/42. In addition, traffic must be allowed to reach the endpoints storage.googleapis.com:443 and directpath-pa.googleapis.com:443.

    To learn how to check whether a connection can be made to these endpoints, see Check network configurations. For information about setting up routes, see Configure routes.

  • Cloud Storage client libraries have specific credential requirements in order to authenticate applications to Cloud Storage and have direct connectivity be available:

    • The Java client library requires either user account credentials or service account credentials.

    • The C++ client library requires service account credentials.

    • The Go client library requires service account credentials. Versions before 1.52.0 require the default service account credentials of the VM accessing your bucket.

    To view the name of the account that your VM uses to authenticate to Cloud Storage, use the gcloud auth list command:

    gcloud auth list --filter=status:ACTIVE --format="value(account)"

    If you're using the Go client library and need to check if the Google account being used to authenticate matches your VM's default service account, use the gcloud compute instances describe command:

    gcloud compute instances describe INSTANCE_NAME --format='yaml(serviceAccounts)'

    Replace INSTANCE_NAME with the name of your instance.

    For more information about authentication, see Overview of Google identity management.
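An added example, not part of the original page or of Google's tooling: a Python audit that checks VPC egress firewall rules against the two destination ranges listed in the requirements above and reports any part of them whose first matching rule is a deny. It assumes rules shaped like the JSON from `gcloud compute firewall-rules list --format=json`, that every rule applies to the VM and lists `destinationRanges` explicitly; routes and hierarchical firewall policies are not evaluated, and `SAMPLE` with its rule names is constructed.

```python
import ipaddress

# Destination ranges the page says routes and firewall rules must allow.
REQUIRED = ("34.126.0.0/18", "2001:4860:8040::/42")
# The implied allow-egress rules (IPv4 and IPv6), modelled here as one entry.
IMPLIED = {"name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535,
           "destinationRanges": ["0.0.0.0/0", "::/0"], "allowed": [{"IPProtocol": "all"}]}
# Constructed sample: default-deny egress plus an allow covering only half the range.
SAMPLE = [
    {"name": "deny-all-v4", "direction": "EGRESS", "priority": 65534,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-half", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["34.126.0.0/19"], "allowed": [{"IPProtocol": "tcp"}]}]

def _any_tcp(entries):  # deny rules: does the rule mention TCP at all?
    return any(e["IPProtocol"] in ("all", "tcp") for e in entries)

def _all_tcp_ports(entries):  # allow rules: does the rule cover every TCP port?
    return any(e["IPProtocol"] == "all" or
               (e["IPProtocol"] == "tcp" and not e.get("ports")) for e in entries)

def blocked_ranges(rules):
    """Return [(cidr, rule_name)]: parts of REQUIRED whose first match is a deny."""
    egress = [r for r in rules + [IMPLIED]
              if r["direction"] == "EGRESS" and not r.get("disabled")]
    # Lower number = higher priority; at equal priority a deny beats an allow.
    egress.sort(key=lambda r: (r["priority"], "denied" not in r))
    findings = []
    for cidr in REQUIRED:
        undecided = [ipaddress.ip_network(cidr)]
        for rule in egress:
            deny = "denied" in rule
            # Conservative: any TCP deny counts, only port-unrestricted allows count.
            if not (_any_tcp(rule["denied"]) if deny
                    else _all_tcp_ports(rule["allowed"])):
                continue
            for dest in map(ipaddress.ip_network, rule["destinationRanges"]):
                still = []
                for block in undecided:
                    if dest.version != block.version or not dest.overlaps(block):
                        still.append(block)  # rule says nothing about this block
                        continue
                    # CIDR blocks that overlap are nested: take the smaller one.
                    hit = block if block.subnet_of(dest) else dest
                    still.extend(block.address_exclude(hit))  # uncovered remainder
                    if deny:
                        findings.append((str(hit), rule["name"]))
                undecided = still
    return findings
```

For `SAMPLE`, the result is the upper half of the IPv4 range, which the narrower allow rule misses and the default-deny rule then catches. Because port-restricted rules are handled conservatively, treat each finding as a rule to review, not as proof of a block.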

Check connectivity by using the Google Cloud CLI

The Google Cloud CLI can test the diagnostics of direct connectivity on your bucket by issuing a GET call to the bucket using gcloud storage buckets describe gs://example-bucket. This section describes how to perform a diagnostic test for direct connectivity by using the Google Cloud CLI.

Before you begin

  1. Make sure you have the storage.buckets.get IAM permission on the bucket, which can be granted using the Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) role.

  2. The gcloud alpha storage diagnose command is only available in the Google Cloud CLI version 531.0.0 or later. To use this command, we recommend upgrading to the latest Google Cloud CLI version.

Run the diagnosis

To check whether direct connectivity is available, run gcloud alpha storage diagnose with the argument --test-type=DIRECT_CONNECTIVITY:

gcloud alpha storage diagnose --test-type=DIRECT_CONNECTIVITY gs://BUCKET_NAME

Replace the following:

  • BUCKET_NAME: the name of your bucket. For example, my-bucket.

If a connection can be made, you receive a response similar to the following:

Using my-bucket bucket for the diagnostic tests.
Bucket location : US
Bucket storage class : STANDARD
Running diagnostic: Direct Connectivity Diagnostic...
WARNING: This diagnostic is experimental. The output may change, and checks may be added or removed at any time. Please do not rely on the diagnostic being present.
Finished running diagnostic: Direct Connectivity Diagnostic
Generating diagnostic report...
NAME
Direct Connectivity Diagnostic
    ┌────────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────┐
    │            NAME            │                           PAYLOAD_DESCRIPTION                           │  RESULT  │
    ├────────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────┤
    │ Direct Connectivity Call   │ Able to get bucket metadata using Direct Connectivity network path.     │ Success. │
    └────────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────┘

Check network configurations

If you encounter an Unable to connect to Traffic Director error while checking for direct connectivity using the Google Cloud CLI, use the following instructions to ensure that your network configurations allow traffic to pass from your VMs to the required endpoints.

Direct connectivity requires a service hosted at directpath-pa.googleapis.com:443 and at storage.googleapis.com:443. To check whether a connection can be made to the service, make a curl call to directpath-pa.googleapis.com:443 or storage.googleapis.com:443. For example:

curl directpath-pa.googleapis.com:443

If a connection can be made, you receive an empty response without errors:

curl: (52) Empty reply from server

If a connection cannot be made, you receive an error similar to the following:

curl: (56) Recv failure: Connection reset by peer

Limitations

Direct connectivity doesn't support Private Service Connect.

Last updated 2026-02-19 UTC.