# Enable private services access

Last updated 2025-08-26 UTC.

This page shows you how to create the Virtual Private Cloud (VPC) IP address ranges that AlloyDB for PostgreSQL requires for private services access. For an overview of how AlloyDB uses private services access to let its internal resources communicate with each other, see [About private services access](/alloydb/docs/about-private-services-access).

To create a private services access configuration in a VPC network that resides in the same Google Cloud project as your AlloyDB cluster, you perform two operations:

- Create an allocated IP address range in the VPC network.
- Create a private connection between the VPC network and the underlying Google Cloud VPC network.

You can also configure private services access to connect your AlloyDB cluster to resources residing in a separate Google Cloud project. To do this, you must merge the two projects' VPC networks [using Shared VPC](/alloydb/docs/about-private-services-access#shared).

### Before you begin

- The Google Cloud project you are using must have been [enabled to access AlloyDB](/alloydb/docs/project-enable-access).
- You must have one of these IAM roles in the Google Cloud project you are using:
  - `roles/alloydb.admin` (the AlloyDB Admin predefined IAM role)
  - `roles/owner` (the Owner basic IAM role)
  - `roles/editor` (the Editor basic IAM role)

  If you don't have any of these roles, contact your Organization Administrator to request access.
- To create a private services access configuration, you also must have these IAM permissions:
  - `compute.networks.list`
  - `compute.addresses.create`
  - `compute.addresses.list`
  - `servicenetworking.services.addPeering`

Create VPC IP address ranges
----------------------------

### Console

1. Go to the VPC networks page.

   [Go to VPC networks](https://console.cloud.google.com/networking/networks/list)
2. Select the project where AlloyDB and the VPC network reside.
3. Click the name of the VPC network that you want to use for private services access.

   **Note:** The default VPC network is created for most consumer projects, and is best suited if you're beginning your experimentation with AlloyDB.
4. On the **VPC network details** page, scroll through the list of tabs to the **Private service access** tab and then click it.
5. In the **Private service access** tab, click the **Allocated IP ranges for services** tab.
6. Click **Allocate IP range**.
7. In the **Name** and **Description** fields, enter a name and a description for the allocated range.
8. Specify an **IP range** value for the allocation:

   - To specify an IP address range, click **Custom**, and then enter a CIDR block, such as `192.168.0.0/16`.

     To provide sufficient address space for AlloyDB, we recommend a prefix length of `16` or less.
   - To specify a prefix length and let Google select an available range, follow these steps:

     1. Click **Automatic**.
     2. Enter a prefix length as a plain number, such as `16`.
9. Click **Allocate** to create the allocated range.
10. In the **Private service access** tab, click the **Private connections to services** tab.
11. Click **Create connection** to create a private connection between your network and a service producer.
12. Make sure that Google Cloud Platform is the **Connected service producer**.
13. For the **Assigned allocation**, select the allocated IP range you created earlier.
14. Click **Connect** to create the connection.

### gcloud

To use the gcloud CLI, you can [install and initialize](/sdk/docs/install) the Google Cloud CLI, or you can use [Cloud Shell](/shell/docs/using-cloud-shell).

1. Use the [`gcloud config set`](/sdk/gcloud/reference/config/set) command to set the default project to the one where AlloyDB and the VPC network reside.

        gcloud config set project PROJECT_ID

   Replace PROJECT_ID with the ID of the project where AlloyDB and the VPC network reside.
2. Use the [`gcloud compute addresses create`](/sdk/gcloud/reference/compute/addresses/create) command to create an allocated IP address range.

   To provide sufficient address space for AlloyDB, we recommend a prefix length of `16` or less.

   - To specify an address range and a prefix length (subnet mask), use the `--addresses` and `--prefix-length` flags. For example, to allocate the CIDR block `192.168.0.0/16`, specify `192.168.0.0` for the address and `16` for the prefix length.

            gcloud compute addresses create RESERVED_RANGE_NAME \
                --global \
                --purpose=VPC_PEERING \
                --addresses=192.168.0.0 \
                --prefix-length=16 \
                --description="DESCRIPTION" \
                --network=VPC_NETWORK

     Replace the following:

     - RESERVED_RANGE_NAME: a name for the allocated range, such as `my-allocated-range`
     - DESCRIPTION: a description for the range, such as `allocated for my-service`
     - VPC_NETWORK: the name of your VPC network, such as `my-vpc-network`. For a Shared VPC network, set this to the fully qualified path of the VPC network, for example `projects/cymbal-project/global/networks/shared-vpc-network`.

   - To specify only a prefix length (subnet mask), use the `--prefix-length` flag. When you omit the address range, Google Cloud automatically selects an unused address range in your VPC network.

     The following example selects an unused IP address range with a `16`-bit prefix length:

            gcloud compute addresses create RESERVED_RANGE_NAME \
                --global \
                --purpose=VPC_PEERING \
                --prefix-length=16 \
                --description="DESCRIPTION" \
                --network=VPC_NETWORK

   The following example allocates an IP range for the private connection to Google, so that the VM instances in the `default` VPC network can use private services access to reach Google services that support it.

        gcloud compute addresses create google-managed-services-default \
            --global \
            --purpose=VPC_PEERING \
            --prefix-length=16 \
            --description="peering range for Google" \
            --network=default

3. Use the [`gcloud services vpc-peerings connect`](/sdk/gcloud/reference/services/vpc-peerings/connect) command to create a private connection.

        gcloud services vpc-peerings connect \
            --service=servicenetworking.googleapis.com \
            --ranges=RESERVED_RANGE_NAME \
            --network=VPC_NETWORK

   Replace the following:

   - RESERVED_RANGE_NAME: the name of the allocated IP address range you created
   - VPC_NETWORK: the name of your VPC network

   The command initiates a long-running operation, returning an operation name.
4. Check whether the operation was successful.

        gcloud services vpc-peerings operations describe \
            --name=OPERATION_NAME

   Replace OPERATION_NAME with the operation name that was returned from the previous step.

What's Next
-----------

- [Create a cluster and its primary instance.](/alloydb/docs/cluster-create)
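A pre-flight check for the manual allocation in step 2 of the gcloud procedure, added here as an example (it is not Google's code): it lints an `--addresses`/`--prefix-length` pair against the page's recommendation of a prefix length of `16` or less, rejects an address with host bits set, and rejects a block that collides with ranges already in use. The function names and the `EXISTING` subnet list are constructed for illustration; in practice the list comes from your own inventory of the VPC network's subnets.

```shell
#!/bin/sh
# Added example: lint a manually chosen allocated range before creating it.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "first last" (as integers) for a CIDR block such as 10.0.0.0/8.
cidr_bounds() {
  addr=$(ip_to_int "${1%/*}")
  len=${1#*/}
  size=$(( 1 << (32 - len) ))
  first=$(( addr & ~(size - 1) ))
  echo "$first $(( first + size - 1 ))"
}

# check_allocated_range ADDRESS PREFIX_LENGTH [EXISTING_CIDR...]
# Prints a verdict. Returns 0 if the range passes, 1 if the prefix is longer
# than /16, 2 if ADDRESS has host bits set, 3 if it overlaps an existing CIDR.
check_allocated_range() {
  addr=$1; len=$2; shift 2
  if [ "$len" -gt 16 ]; then
    echo "too-small: /$len is longer than the recommended /16"; return 1
  fi
  bounds=$(cidr_bounds "$addr/$len")
  first=${bounds% *}; last=${bounds#* }
  if [ "$first" -ne "$(ip_to_int "$addr")" ]; then
    echo "misaligned: $addr has host bits set for /$len"; return 2
  fi
  for used in "$@"; do
    b=$(cidr_bounds "$used")
    # Two blocks overlap when each one starts before the other ends.
    if [ "$first" -le "${b#* }" ] && [ "${b% *}" -le "$last" ]; then
      echo "overlap: $addr/$len collides with $used"; return 3
    fi
  done
  echo "ok: --addresses=$addr --prefix-length=$len"
}

# Constructed sample: subnet ranges assumed to exist in the VPC network.
EXISTING="10.128.0.0/20 192.168.10.0/24"
check_allocated_range 192.168.0.0 16 $EXISTING || true  # overlap with 192.168.10.0/24
check_allocated_range 10.64.0.0 16 $EXISTING || true    # ok
```

Run the check before `gcloud compute addresses create`; when it prints `ok`, the two flag values can be copied into the command as shown.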