This page provides information about configuring your Google Cloud project networking for Private IP environments.
For Private IP environments, Cloud Composer assigns only private IP (RFC 1918) addresses to the managed Google Kubernetes Engine and Cloud SQL VMs in your environment.
As an option, you can also use privately used public IP addresses and the IP Masquerade agent to save the IP address space and to use non-RFC 1918 addresses.
For information about connecting to resources in your environment, see Private IP.
Before you begin
- Make sure that you have the appropriate user and service account permissions to create an environment.
- Check that Incompatible organization policies are not defined in your project.
Check network requirements
Verify that your project's VPC network meets the following requirements:
Make sure that there are no private IP block conflicts. If your VPC network and its established VPC peers have overlapping IP blocks with the VPC network in the Google-managed tenant project, Cloud Composer cannot create your environment. See the default IP ranges table for the defaults used in each region.
Make sure that there are sufficient secondary IP ranges for the Cloud Composer GKE pods and services. GKE searches for secondary IP ranges for IP Aliasing. If GKE cannot find a range, Cloud Composer cannot create your environment.
Make sure that the number of secondary ranges in your subnetwork does not exceed 30. Consider the following:
- The GKE cluster for your Private IP environment creates two secondary ranges in the subnetwork. You can create multiple subnetworks in the same region for the same VPC network.
- The maximum number of supported secondary ranges is 30. Each Private IP environment requires two secondary ranges for the Cloud Composer GKE pods and services.
Make sure that your project's network can accommodate the limit on the maximum number of connections to a single VPC network. The maximum number of Private IP environments you can create depends on the number of already existing VPC peering connections in your VPC network.
Each Private IP environment uses at most two VPC peerings per environment. Cloud Composer creates one VPC peering for the tenant project network. The second peering is created by the GKE cluster of your environment, and GKE clusters can reuse this connection.
Choose a network, subnetwork, and network ranges
Choose the network ranges for your Private IP environment (or use the default ones). You use these network ranges later when you create a Private IP environment.
To create a Private IP environment, you need to have the following information:
- Your VPC network ID
- Your VPC subnetwork ID
- Two secondary IP ranges in your VPC subnetwork:
  - Secondary IP range for pods
  - Secondary IP range for services
- IP ranges for the components of the environment:
  - GKE Control Plane IP range. IP range for the GKE control plane.
  - Web server IP range. IP range for the Airflow web server instance.
  - Cloud SQL IP range. IP range for the Cloud SQL instance.
See the default IP ranges table for the defaults used in each region.
Default IP ranges
Region | GKE control plane IP range | Web server IP range | Cloud SQL IP range |
---|---|---|---|
africa-south1 | 172.16.64.0/23 | 172.31.223.0/24 | 10.0.0.0/12 |
asia-east1 | 172.16.42.0/23 | 172.31.255.0/24 | 10.0.0.0/12 |
asia-east2 | 172.16.0.0/23 | 172.31.255.0/24 | 10.0.0.0/12 |
asia-northeast1 | 172.16.2.0/23 | 172.31.254.0/24 | 10.0.0.0/12 |
asia-northeast2 | 172.16.32.0/23 | 172.31.239.0/24 | 10.0.0.0/12 |
asia-northeast3 | 172.16.30.0/23 | 172.31.240.0/24 | 10.0.0.0/12 |
asia-south1 | 172.16.4.0/23 | 172.31.253.0/24 | 10.0.0.0/12 |
asia-south2 | 172.16.50.0/23 | 172.31.230.0/24 | 10.0.0.0/12 |
asia-southeast1 | 172.16.40.0/23 | 172.31.235.0/24 | 10.0.0.0/12 |
asia-southeast2 | 172.16.44.0/23 | 172.31.233.0/24 | 10.0.0.0/12 |
australia-southeast1 | 172.16.6.0/23 | 172.31.252.0/24 | 10.0.0.0/12 |
australia-southeast2 | 172.16.56.0/23 | 172.31.227.0/24 | 10.0.0.0/12 |
europe-central2 | 172.16.36.0/23 | 172.31.237.0/24 | 10.0.0.0/12 |
europe-north1 | 172.16.48.0/23 | 172.31.231.0/24 | 10.0.0.0/12 |
europe-southwest1 | 172.16.58.0/23 | 172.31.226.0/24 | 10.0.0.0/12 |
europe-west1 | 172.16.8.0/23 | 172.31.251.0/24 | 10.0.0.0/12 |
europe-west10 | 172.16.62.0/23 | 172.31.224.0/24 | 10.0.0.0/12 |
europe-west12 | 172.16.62.0/23 | 172.31.224.0/24 | 10.0.0.0/12 |
europe-west2 | 172.16.10.0/23 | 172.31.250.0/24 | 10.0.0.0/12 |
europe-west3 | 172.16.12.0/23 | 172.31.249.0/24 | 10.0.0.0/12 |
europe-west4 | 172.16.42.0/23 | 172.31.234.0/24 | 10.0.0.0/12 |
europe-west6 | 172.16.14.0/23 | 172.31.248.0/24 | 10.0.0.0/12 |
europe-west8 | 172.16.60.0/23 | 172.31.225.0/24 | 10.0.0.0/12 |
europe-west9 | 172.16.46.0/23 | 172.31.232.0/24 | 10.0.0.0/12 |
me-central1 | 172.16.58.0/23 | 172.31.226.0/24 | 10.0.0.0/12 |
me-central2 | 172.16.64.0/23 | 172.31.223.0/24 | 10.0.0.0/12 |
me-west1 | 172.16.54.0/23 | 172.31.228.0/24 | 10.0.0.0/12 |
northamerica-northeast1 | 172.16.16.0/23 | 172.31.247.0/24 | 10.0.0.0/12 |
northamerica-northeast2 | 172.16.46.0/23 | 172.31.232.0/24 | 10.0.0.0/12 |
northamerica-south1 | 172.16.68.0/23 | 172.31.221.0/24 | 10.0.0.0/12 |
southamerica-east1 | 172.16.18.0/23 | 172.31.246.0/24 | 10.0.0.0/12 |
southamerica-west1 | 172.16.58.0/23 | 172.31.226.0/24 | 10.0.0.0/12 |
us-central1 | 172.16.20.0/23 | 172.31.245.0/24 | 10.0.0.0/12 |
us-east1 | 172.16.22.0/23 | 172.31.244.0/24 | 10.0.0.0/12 |
us-east4 | 172.16.24.0/23 | 172.31.243.0/24 | 10.0.0.0/12 |
us-east5 | 172.16.52.0/23 | 172.31.229.0/24 | 10.0.0.0/12 |
us-south1 | 172.16.56.0/23 | 172.31.227.0/24 | 10.0.0.0/12 |
us-west1 | 172.16.38.0/23 | 172.31.236.0/24 | 10.0.0.0/12 |
us-west2 | 172.16.34.0/23 | 172.31.238.0/24 | 10.0.0.0/12 |
us-west3 | 172.16.26.0/23 | 172.31.242.0/24 | 10.0.0.0/12 |
us-west4 | 172.16.28.0/23 | 172.31.241.0/24 | 10.0.0.0/12 |
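The requirements above (no overlap with your VPC and its peers, at most 30 secondary ranges per subnetwork, two secondary ranges per environment, RFC 1918 unless you use privately used public IPs) are easy to check before you submit an environment creation. The following pre-flight check is an added example and is not Cloud Composer's own tooling; it uses the us-central1 defaults from the table above, and the subnetwork, pod, service and peer ranges in the comments and tests are constructed values.

```python
import ipaddress
from itertools import combinations

# Added example, not Cloud Composer's own code. The three defaults below are the
# us-central1 row of the default IP ranges table.
DEFAULTS_US_CENTRAL1 = {
    "gke_control_plane": "172.16.20.0/23",
    "web_server": "172.31.245.0/24",
    "cloud_sql": "10.0.0.0/12",
}

MAX_SECONDARY_RANGES = 30          # per subnetwork
SECONDARY_RANGES_PER_ENVIRONMENT = 2  # one for pods, one for services

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_overlaps(named_ranges):
    """Return [(name_a, name_b), ...] for every pair of ranges that overlap.

    Cloud Composer cannot create the environment if any of the environment's
    ranges collides with a range already used by your VPC or its peers.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in named_ranges.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def find_non_rfc1918(named_ranges):
    """Names of ranges outside RFC 1918 space.

    These are only usable with privately used public IPs and the IP Masquerade agent.
    """
    bad = []
    for name, cidr in named_ranges.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(block) for block in RFC1918):
            bad.append(name)
    return bad


def secondary_range_capacity(existing_secondary_ranges):
    """How many more Private IP environments fit in a subnetwork that already has
    `existing_secondary_ranges` secondary ranges (limit 30, two per environment)."""
    free = MAX_SECONDARY_RANGES - existing_secondary_ranges
    return max(0, free // SECONDARY_RANGES_PER_ENVIRONMENT)


def plan_check(plan, existing_secondary_ranges, peer_ranges=()):
    """Aggregate report for a planned environment.

    `plan` maps range names (subnet_primary, pods, services, gke_control_plane,
    web_server, cloud_sql) to CIDRs; `peer_ranges` are CIDRs already used by your
    VPC network and its established peers (constructed input in the tests).
    """
    all_ranges = dict(plan)
    for i, cidr in enumerate(peer_ranges):
        all_ranges[f"peer{i}"] = cidr
    return {
        "overlaps": find_overlaps(all_ranges),
        "non_rfc1918": find_non_rfc1918(plan),
        "environments_that_fit": secondary_range_capacity(existing_secondary_ranges),
    }


if __name__ == "__main__":
    # Constructed plan: primary subnet range plus pod/service secondary ranges,
    # combined with the us-central1 defaults for the managed components.
    plan = dict(DEFAULTS_US_CENTRAL1, subnet_primary="10.128.0.0/20",
                pods="10.200.0.0/14", services="10.204.0.0/20")
    print(plan_check(plan, existing_secondary_ranges=4, peer_ranges=["192.168.0.0/16"]))
```

The overlap check is the one that bites most often: the default Cloud SQL range 10.0.0.0/12 is large, so a pod range picked from the low end of 10.0.0.0/8 collides with it even though both are valid RFC 1918 space.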
(Optional) Configure connectivity to Google APIs and services
As an option, you might want to route all traffic to Google APIs and services through several IP addresses that belong to the private.googleapis.com domain. In this configuration, your environment accesses Google APIs and services through IP addresses only routable from within Google Cloud.
If your Private IP environment also uses VPC Service Controls, use the instructions for environments with VPC Service Controls instead.
Cloud Composer environments use the following domains:
- *.googleapis.com is used to access other Google services.
- *.pkg.dev is used to get environment images, such as when creating or updating an environment.
- *.gcr.io: GKE requires connectivity to the Container Registry domain regardless of the Cloud Composer version.
Configure connectivity to the private.googleapis.com endpoint:
Domain | DNS name | CNAME Record | A Record |
---|---|---|---|
*.googleapis.com | googleapis.com. | DNS Name: *.googleapis.com. Resource record type: CNAME. Canonical name: googleapis.com. | Resource record type: A. IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11 |
*.pkg.dev | pkg.dev. | DNS Name: *.pkg.dev. Resource record type: CNAME. Canonical name: pkg.dev. | Resource record type: A. IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11 |
*.gcr.io | gcr.io. | DNS Name: *.gcr.io. Resource record type: CNAME. Canonical name: gcr.io. | Resource record type: A. IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11 |
To create a DNS rule:
Create a new DNS zone and use the DNS name from the table as the DNS name of this zone. Example: pkg.dev.
Add a record set for the CNAME Record. Example:
- DNS Name: *.pkg.dev.
- Resource record type: CNAME
- Canonical name: pkg.dev.
Add a record set for the A Record. Example:
- Resource record type: A
- IPv4 addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11
For more information, see Setting up private connectivity to Google APIs and services.
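Once the zones and record sets exist, the useful check is whether names under the three domains actually resolve to the four private.googleapis.com addresses from the table, rather than to public addresses (a sign that a zone is missing or attached to the wrong VPC network). The checker below is an added example and not Google's own tooling; it treats 199.36.153.8/30 as the block containing the four listed addresses, uses storage.googleapis.com, us-docker.pkg.dev and gcr.io as representative hostnames chosen here, and takes an injectable resolver so it can be run against constructed answers as well as the real resolver.

```python
import ipaddress
import socket

# Added example, not Google's tooling. The four A-record addresses in the table
# (199.36.153.8 .. .11) are exactly the 199.36.153.8/30 block.
PRIVATE_GOOGLEAPIS_VIPS = ipaddress.ip_network("199.36.153.8/30")

# Representative hostnames under each domain the environment uses (chosen here).
SAMPLE_HOSTS = ("storage.googleapis.com", "us-docker.pkg.dev", "gcr.io")


def resolve_ipv4(hostname, resolver=socket.getaddrinfo):
    """Return the set of IPv4 addresses `hostname` resolves to, or an empty set.

    `resolver` has the signature of socket.getaddrinfo(host, port, family, type)
    so a fake can be substituted for offline testing.
    """
    try:
        infos = resolver(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def is_private_vip(address):
    """True if `address` is one of the private.googleapis.com addresses."""
    return ipaddress.ip_address(address) in PRIVATE_GOOGLEAPIS_VIPS


def check_host(hostname, resolver=socket.getaddrinfo):
    """Classify how a hostname resolves from this VPC network:

    'private'    every address is a private.googleapis.com VIP (override in effect)
    'public'     no address is (override missing for this domain)
    'mixed'      some are, some are not (partial or conflicting records)
    'unresolved' the name does not resolve at all
    """
    addrs = resolve_ipv4(hostname, resolver)
    if not addrs:
        return "unresolved"
    private = [a for a in addrs if is_private_vip(a)]
    if len(private) == len(addrs):
        return "private"
    if not private:
        return "public"
    return "mixed"


def check_all(hosts=SAMPLE_HOSTS, resolver=socket.getaddrinfo):
    """Map each hostname to its classification; all 'private' means the setup is complete."""
    return {h: check_host(h, resolver) for h in hosts}


if __name__ == "__main__":
    # Run from a VM in the VPC network the private zones are attached to.
    for host, status in check_all().items():
        print(f"{host:28s} {status}")
```

Run it from a VM inside the VPC network the private DNS zones are attached to; run from elsewhere (a laptop, or a VM in another network) it will report `public` for every name, which is expected and says nothing about the zones.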
(Optional) Configure firewall rules
Perform this step only if your project has non-default firewall rules, such as rules that override implied firewall rules, or modify pre-populated rules in the default network.
For example, Cloud Composer might fail to create an environment if you have a firewall rule that denies all egress traffic. To avoid issues, define selective allow rules that follow the list and have higher priority than the global deny rule.
Configure your VPC network to allow traffic from your environment:
- See Using firewall rules to learn how to check, add and update rules for your VPC network.
- Use Connectivity Tool to validate the connectivity between IP ranges.
- You can use networking tags to further limit access. You can set these tags when you create an environment.
Description | Direction | Action | Source or Destination | Protocols | Ports |
---|---|---|---|---|---|
DNS | Egress | Allow | Any destination (0.0.0.0/0), or DNS server IP addresses | TCP, UDP | 53 |
Google APIs and services | Egress | Allow | IP address range of the domain you chose for Google APIs and services. See IP addresses for default domains if you use defaults. | TCP | 443 |
Environment's cluster Nodes | Egress | Allow | Environment's subnetwork primary IP address range | TCP, UDP | all |
Environment's cluster Pods | Egress | Allow | Secondary IP address range for Pods in the environment's subnetwork | TCP, UDP | all |
Environment's cluster Control Plane | Egress | Allow | GKE Control Plane IP range | TCP, UDP | all |
Web server | Egress | Allow | Web server network IP range | TCP | 3306, 3307 |
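The point of the table is priority ordering: a broad deny-egress rule is fine as long as each flow in the table is matched first by a narrower allow rule with a lower priority number. The following model is an added example, not Google's API or tooling: it simulates VPC firewall egress evaluation (lowest priority number wins, deny beats allow on a tie, implied allow-egress when nothing matches) over the six flows from the table, using the us-central1 control plane and web server defaults from the table above and constructed subnet and pod ranges.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Google's API. Simplified model of VPC firewall evaluation for
# egress: match on destination range, protocol and port; among matching rules the
# lowest priority number wins; equal priority: deny wins; no match: allowed by the
# implied allow-egress rule.


@dataclass
class Rule:
    name: str
    priority: int       # 0..65535, lower number is evaluated first
    action: str         # "allow" or "deny"
    destinations: list  # destination CIDR strings
    protocols: dict     # {"tcp": ["53", "443"], "udp": ["all"], ...}
    direction: str = "egress"


@dataclass
class Flow:
    description: str
    dst: str
    protocol: str
    port: int


def port_allowed(spec, port):
    """`spec` is a list like ["53"], ["3306", "3307"], ["1000-2000"] or ["all"]."""
    for item in spec:
        if item == "all":
            return True
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def rule_matches(rule, flow):
    dst = ipaddress.ip_address(flow.dst)
    if not any(dst in ipaddress.ip_network(c, strict=False) for c in rule.destinations):
        return False
    spec = rule.protocols.get(flow.protocol)
    return spec is not None and port_allowed(spec, flow.port)


def evaluate(rules, flow):
    """Return (decision, rule_name) for an egress flow."""
    matching = [r for r in rules if r.direction == "egress" and rule_matches(r, flow)]
    if not matching:
        return ("allow", "implied-allow-egress")
    matching.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return (matching[0].action, matching[0].name)


def audit(rules, flows):
    """Decision for every required flow; any 'deny' here means the environment may fail to create."""
    return {f.description: evaluate(rules, f) for f in flows}


# Required egress flows from the table. Destinations are constructed: subnet
# 10.128.0.0/20, pods 10.200.0.0/14, the private.googleapis.com VIP for APIs, the
# metadata server as DNS resolver, and the us-central1 control plane / web server defaults.
REQUIRED_FLOWS = [
    Flow("DNS", "169.254.169.254", "udp", 53),
    Flow("Google APIs and services", "199.36.153.8", "tcp", 443),
    Flow("Cluster Nodes", "10.128.0.5", "tcp", 10250),
    Flow("Cluster Pods", "10.200.3.7", "tcp", 8080),
    Flow("Cluster Control Plane", "172.16.20.2", "tcp", 443),
    Flow("Web server", "172.31.245.3", "tcp", 3306),
]

# The problematic global rule, and the selective allows that must outrank it.
DENY_ALL_EGRESS = Rule("deny-all-egress", 65534, "deny", ["0.0.0.0/0"], {"tcp": ["all"], "udp": ["all"]})
SELECTIVE_ALLOWS = [
    Rule("allow-dns", 1000, "allow", ["0.0.0.0/0"], {"tcp": ["53"], "udp": ["53"]}),
    Rule("allow-google-apis", 1000, "allow", ["199.36.153.8/30"], {"tcp": ["443"]}),
    Rule("allow-nodes", 1000, "allow", ["10.128.0.0/20"], {"tcp": ["all"], "udp": ["all"]}),
    Rule("allow-pods", 1000, "allow", ["10.200.0.0/14"], {"tcp": ["all"], "udp": ["all"]}),
    Rule("allow-control-plane", 1000, "allow", ["172.16.20.0/23"], {"tcp": ["all"], "udp": ["all"]}),
    Rule("allow-web-server", 1000, "allow", ["172.31.245.0/24"], {"tcp": ["3306", "3307"]}),
]

if __name__ == "__main__":
    for desc, (decision, by) in audit([DENY_ALL_EGRESS] + SELECTIVE_ALLOWS, REQUIRED_FLOWS).items():
        print(f"{desc:28s} {decision:5s} ({by})")
```

Feed it your real rules (for example exported with `gcloud compute firewall-rules list --format=json` and mapped onto `Rule`) and the environment's actual ranges from the Environment configuration tab; a `deny` in the output points at the rule that will block environment creation.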
To obtain IP ranges:
Pod, Service, and Control Plane address ranges are available on the Clusters page of your environment's cluster:
In Google Cloud console, go to the Environments page.
In the list of environments, click the name of your environment. The Environment details page opens.
Go to the Environment configuration tab.
Follow the view cluster details link.
You can see your environment's web server IP range on the Environment configuration tab.
You can see your environment's network ID on the Environment configuration tab. To get IP ranges for a subnetwork, go to the VPC Networks page and click the network's name to see its details.
VPC-native cluster configuration
Cloud Composer supports VPC-native GKE clusters in your environment.
During environment creation, you can enable VPC Native (using alias IP) and configure networking, such as IP allocation, without enabling private IP.
Because a VPC native cluster is required for Airflow tasks to communicate with other VMs that are reachable through private IPs, you must also enable VPC Native to configure a private IP environment.
Configure proxy server settings
You can set HTTP_PROXY and HTTPS_PROXY environment variables in your environment. These standard Linux variables are used by web clients that run in containers of your environment's cluster to route traffic through the specified proxies.
The NO_PROXY variable by default is set to a list of Google domains so that they are excluded from proxying: .google.com,.googleapis.com,metadata.google.internal. This configuration makes it possible to create an environment with set HTTP_PROXY and HTTPS_PROXY environment variables in cases when the proxy is not configured to handle traffic to Google services.
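How a client interprets that default NO_PROXY value is worth seeing concretely, because the leading dot matters: `.googleapis.com` matches any host under the domain, while a host that merely ends in the characters `googleapis.com` (such as `notgoogleapis.com`) still goes through the proxy. The function below is an added example, not Cloud Composer code; it reuses the NO_PROXY matching that Python's own urllib applies to the standard variables, and takes the environment as a dict so the values are constructed rather than read from a real container.

```python
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment

# Added example, not Cloud Composer's code. Decides which proxy a client that
# honours HTTP_PROXY / HTTPS_PROXY / NO_PROXY would use for a given URL, using
# urllib's NO_PROXY semantics (a leading dot means "this domain and subdomains").

# The default exclusion list from the text.
DEFAULT_NO_PROXY = ".google.com,.googleapis.com,metadata.google.internal"


def proxy_for(url, env):
    """Return the proxy URL a client would use for `url`, or None for a direct connection.

    `env` is a dict standing in for the container's environment variables
    (constructed input here); both upper- and lower-case variable names are honoured.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    no_proxy = env.get("NO_PROXY", env.get("no_proxy", ""))
    if proxy_bypass_environment(host, {"no": no_proxy}):
        return None
    key = "HTTPS_PROXY" if parts.scheme == "https" else "HTTP_PROXY"
    return env.get(key) or env.get(key.lower())


def route_table(urls, env):
    """Map each URL to the proxy it would use (None means direct)."""
    return {u: proxy_for(u, env) for u in urls}


if __name__ == "__main__":
    # Constructed environment: a proxy that cannot reach Google services, plus the default NO_PROXY.
    env = {"HTTP_PROXY": "http://proxy.internal.example:3128",
           "HTTPS_PROXY": "http://proxy.internal.example:3128",
           "NO_PROXY": DEFAULT_NO_PROXY}
    for url, proxy in route_table([
        "https://storage.googleapis.com/my-bucket/object",
        "http://metadata.google.internal/computeMetadata/v1/",
        "https://pypi.org/simple/",
        "https://notgoogleapis.com/",
    ], env).items():
        print(f"{url:55s} -> {proxy or 'direct'}")
```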