This page explains how to use networking for Memorystore for Valkey. The page also describes the following information about networking:
Networking setup guidance
As a reader of this page, you likely fit into one of two roles. Each role has different tasks that you have to accomplish. However, there might be an overlap between the roles.
Knowing which role you fit into and your role's goals helps you accomplish your instance creation and networking tasks quickly and efficiently.
You might fit into the following roles:
Role 1: Valkey Admin
Your goal is to create a Memorystore for Valkey instance. You're reading this page to learn if you have the required prerequisites to create the instance.
After you know that a service connection policy is established for your network, get the full network name (that has the format of
projects/NETWORK_PROJECT_ID/global/networks/NETWORK_ID) from your Network Admin so that you can use it to create the instance.
Role 2: Network Admin
Your goal is to find out if a service connection policy is created for the network and if it's located in the region where the Valkey Admin wants to deploy a Memorystore for Valkey instance.
If the service connection policy isn't created, then create it. This policy lets Memorystore automate private connectivity to the Memorystore service.
To create a service connection policy, you must have the required roles. For more information about configuring and managing a service connection policy, see Configure service connection policies.
Your next goal is to provide the network name to the Valkey Admin so that they can use it to create the instance.
Memorystore for Valkey has the following networking characteristics:
The only networking connectivity method that you can use for Memorystore for Valkey is Private Service Connect service connectivity automation. This method is enabled by service connection policies. For more information, see About service connection policies.
If the correct service connection policy exists, then as you create the instance, service connectivity automation deploys connectivity for the instance automatically.
Prerequisites required before creating an instance
As described in About service connection policies, a service connection policy is unique to your project, network, region, and service class. If you want to create an instance, then make sure that the following conditions are met:
- The service connection policy must exist for your project, network, region,
and
gcp-memorystoreservice class. - You must enable the necessary APIs.
Communicate networking requirements
If you're reading this as a Valkey Admin, then ask your Network Admin if a
service connection policy exists for the region, network, and gcp-memorystore
service class where you want to create your instance. After your Network Admin
has created the policy, ask them for the full network name (that has the format
of projects/NETWORK_PROJECT_ID/global/networks/NETWORK_ID) so you can use it
to create a Memorystore for Valkey instance.
Send your Network Admin a link to this page so they can understand the service connection policy prerequisites needed for you to create an instance.
Enable APIs
As a Valkey Admin, before you can create a Memorystore for Valkey instance, you must enable all of the APIs listed in Before you begin.
Shared VPC
In addition to standard VPC networks, Memorystore for Valkey also supports Shared VPC networks.
Shared VPC setups have a host project and one or more service projects. The service connection policy for Memorystore for Valkey is defined in the host project by the Network Admin. Valkey Admins typically create Memorystore for Valkey instances in service projects.
For a quickstart on creating an instance with Shared VPC, see Instance provisioning on a Shared VPC network.
Reserved network addresses
After you create a Memorystore for Valkey instance, Memorystore reserves two network addresses for the instance. They are used to serve the traffic for your instance. One of these is the discovery endpoint that you use to connect to your instance.
Supported networking architectures
Memorystore for Valkey supports the network architectures described in this section.
Same network, project, and region client access example
In this example, the client and Memorystore endpoint IPs are located in the same network, project, and region.
Same network and project, but multi-region client access example
In this example, the client and Memorystore endpoint IPs are located in the same network and project, but in multiple regions.
Shared VPC client access example
In this example, the clients are located in different Shared VPC projects. Although clients in this example are in the same region, clients from different regions are also supported.
On-premises access example
This diagram shows an example of a client connecting to Memorystore from an on-premises network using Cloud Interconnect and Cloud Router. Although Cloud Interconnect and Cloud Router intfrastructure is used, the client machines in the on-premises network connect to Valkey using the Memorystore endpoint IP addresses. For example, in the diagram below, clients connect directly to 10.142.0.10 and 10.142.0.11.
For instruction on finding your instance's discovery endpoint IP address, see View your instance's discovery endpoint.
Multi VPC network access
If you want to connect to Memorystore for Valkey across multiple VPCs, you can do so by creating an internal VPN tunnel between the VPC that has the Private Service Connect endpoint and any other VPCs that require access. Since multiple VPCs cannot directly connect to Private Service Connect, VPN tunnel infrastructure must be used.
Frequently asked questions
This section covers networking FAQs for Memorystore for Valkey.
Do you need a service connection policy?
It depends. For network connectivity, you have two options: a service connection policy or user-registered Private Service Connect connections. If you choose a multi-VPC setup, then you can either use the second option or both options together.
User-registered Private Service Connect connections enable you to connect multiple VPC networks, if needed. If you don't need multiple VPC networks, then you can also establish connectivity by using a user-registered connection. However, we recommend using a service connection policy because the process is more straightforward.
Why must you enable the Network Connectivity and Service Consumer Management APIs?
Memorystore for Valkey uses Private Service Connect service connectivity automation to automate deployment and connectivity in the consumer network. For automation to work, you must enable these APIs. If you don't, then instance creation operations fail.
Which permissions do you need to set up networking in Memorystore for Valkey?
If you want to perform the Valkey Admin tasks described on this page, then you need the
memorystore.adminrole. To see which roles you need for different Memorystore for Valkey permissions, see Permissions and their roles.If you want to perform the Network Admin tasks described on this page, then you need the
compute.networkAdminrole.
Which ports do you need to set up networking in Memorystore for Valkey?
Your application connects to Memorystore for Valkey by using an IP address and the 6379 port. As part of this connection, it requests the topology of an instance.
The request's response contains a list of the data nodes in the instance and their associated ports. For each node, Memorystore for Valkey uses a port in the 11000-to-13047 range. Therefore, in your firewall, you must allow access to both the 6379 port and to all ports in this range.
How can you set up connectivity for your on-premises network?
In addition to the guidance on this page, you can learn about setting up on-premises connectivity by using the following links: