Reputation: 9131
How can I prompt google to set up VPC peering from servicenetworking.googleapis.com?
I have some Cloud SQL instances that currently have public IP's. It would make certain security-minded people happy if I changed them to have private IP's.
I am following the instructions documented here: https://cloud.google.com/sql/docs/mysql/private-ip
A summary of those instructions:
- Ensure your shared VPC host has servicenetworking.googleapis.com enabled
- Ensure your project has servicenetworking.googleapis.com enabled
- Allocate an IP address range for your new private IP's
- Configure VPC network peering (https://cloud.google.com/sql/docs/mysql/configure-private-services-access)
- Create cloud sql instance without public IP
- Expect new instance's private IP to be in allocated range
I've completed these through step 4, and I'm seeing this:
My interpretation of that page is that I've done my part and now it's google's turn--but that was several days ago. Do I have do do something to prompt google to create the connection?
I think I'm focusing in the right place because if I try to use I private IP, gcloud tells me to go create the network that I'm waiting on:
❯ gcloud --project=my-project-name beta \
sql instances patch foo \
--network=my-network-name --no-assign-ip
The following message will be used for the patch API method.
{"name": "foo", "project": "my-project-name", "settings": {"ipConfiguration": {"ipv4Enabled": false, "privateNetwork": "https://compute.googleapis.com/compute/v1/projects/my-project-name/global/networks/my-network-name"}}}
Patching Cloud SQL instance...failed.
ERROR: (gcloud.beta.sql.instances.patch) [INTERNAL_ERROR] Failed to create subnetwork. Please create Service Networking connection with service 'servicenetworking.googleapis.com' from consumer project '11111111111' network 'my-network-name' again.
Upvotes: 3
Views: 5081
Answers (1)
Reputation: 475
In general private services access is implemented as a VPC peering connection between your VPC network and the Google services VPC network where your Cloud SQL instance resides. As @JohnHanley pointed out, the VPC peering should be created within minutes so it’s not expected you have to wait more than that.
To check the peering creation on Stackdriver you can use the following Advanced Filter:
jsonPayload.event_subtype="compute.networks.addPeering"
That said, it makes sense the error you are observing when trying to patch your SQL Instance as the Peering hasn’t been created. Instead of ‘Inactive’ it should be ‘Peer VPC network is connected’
To sum up, in your scenario the Cloud SQL instance cannot get an IP on the aforementioned network as it cannot reach it.
At this specific point I would suggest you focus on the Peering creation. As you mentioned you tried recreating it and the status remains the same, it’s possible that there’s something in your project preventing the peering to be established.
I would also suggest you check the peering limits quota in case it has been reached:
gcloud compute networks peerings list --network='your network'
Also it would be good to review the VPC Peering Restrictions.
All that being said, if you still experience the same issue when creating the VPC Peering, an internal investigation may be required and I would suggest you to you to report this using this link
I hope this helps.
Upvotes: 0
Related Questions
- Shared VPC and VPC Peering mix
- Serverless VPC Access connector with a "VPC with multiple Subnets"
- Implementing Vpc peering in GCP
- How to connect to Google cloud VPC from on-premise machine
- What is the GCP equivalent of AWS Client VPN Endpoint
- GCP VPC Peering (auto-mode)
- Cannot create Google Cloud Serverless VPC Connector using default parameters
- How to access a network though peering in GCP-AWS vpn?
- VPC Service Control for GCR
- Using 'gcloud services vpc-peerings connect' in Deployment Manager