This page explains networking for Memorystore for Valkey.
On this page:
Networking setup guidance
As a reader of this page, you likely fit into one of two roles, each having different tasks to accomplish (you may have overlap between these roles). Knowing which role you fit in and your role's goals helps you accomplish your networking and instance creation tasks quickly and efficiently.
Two possible roles you may fit are as follows:
Role 1 – Valkey Admin
Your goal is to create a Memorystore for Valkey instance. You are reading this page to learn if you have the required prerequisites necessary to create the instance.
Once you know the proper service connection policy has been established for your network, your goal is to get the full network name (that has the format
projects/NETWORK_PROJECT_ID/global/networks/NETWORK_ID) from your Network Admin so you can use it to Create an instance.
Role 2 – Network Admin
Your goal is to find out if the proper service connection policy has been created for the network and in the region on which the Valkey Admin wants to deploy a Memorystore for Valkey instance.
If the service connection policy hasn't been created, then create it. This policy lets Memorystore automate private connectivity to the Memorystore service. For more information about configuring and managing a service connection policy, see Configure service connection policies.
Your next goal is to provide the network name to the Valkey Admin so they can use it to create an instance.
If you are the Network Admin, you must have the required roles to create a service connection policy.
Memorystore for Valkey has the following networking characteristics:
The only networking connectivity method that can be used for Memorystore for Valkey is Private Service Connect service connectivity automation (enabled by service connection policies). For more details, see Service connection policies.
If the correct service connection policy exists, service connectivity automation automatically deploys connectivity for a Memorystore for Valkey instance during instance creation.
Prerequisites required before creating an instance
As described in Service connection policies,
a service connection policy is unique to your project, network, region, and service class.
A service connection policy must exist for your region, network, and
gcp-memorystore service class before you can create a
Memorystore for Valkey instance. You must also make sure the necessary APIs
are enabled before you can create an instance. For additional details about
how the Memorystore for Valkey service creates a
Private Service Connect endpoint and the lifecycle of that endpoint,
see Deploy a managed service and configure connectivity.
Communicate networking requirements
If you are reading this as a Valkey Admin, ask your Network Admin if a service
connection policy exists for the region, network, and gcp-memorystore
service class where you want to create your instance. Once your Network Admin
has created the policy, ask them for the full network name (that has the format projects/NETWORK_PROJECT_ID/global/networks/NETWORK_ID) so you can use it
to create a Memorystore for Valkey instance.
Send your Network Admin a link to this page so they can understand the service connection policy prerequisites needed for you to create an instance.
Enable APIs
As a Valkey Admin, before you can create a Memorystore for Valkey instance, you must enable all of the APIs listed in Before you begin.
Shared VPC
In addition to standard VPC networks, Memorystore for Valkey also supports Shared VPC networks.
Shared VPC setups have a host project and one or more service projects. The service connection policy for Memorystore for Valkey is defined in the host project by the Network Admin. Valkey Admins typically create Memorystore for Valkey instances in service projects.
For a quickstart on creating an instance with Shared VPC, see Instance provisioning on a Shared VPC network.
Reserved network addresses
After you successfully create a Memorystore for Valkey instance, Memorystore reserves two network addresses for the instance. They are used to serve the traffic for your instance. One of these is the discovery endpoint that you use to connect to your instance.
Supported networking architecture
Memorystore for Valkey supports the network architectures described in this section.
Same network, project, and region client access example
In this example the client and Memorystore endpoint IPs are located in the same network, project, and region.
Same network and project, but multi region client access example
In this example the client and Memorystore endpoint IPs are located in the same network and project, but in multiple regions.
Shared VPC client access example
In this example the clients are located in different Shared VPC projects. Although clients in this example are in the same region, clients from different regions are also supported.
On-premises access example
This diagram shows an example of a client connecting to Memorystore from an on-premises network using Cloud Interconnect and Cloud Router. Although Cloud Interconnect and Cloud Router intfrastructure is used, the client machines in the on-premises network connect to Valkey using the Memorystore endpoint IP addresses. For example, in the diagram below, clients connect directly to 10.142.0.10 and 10.142.0.11.
For instruction on finding your instance's discovery endpoint IP address, see View your instance's discovery endpoint.
Multi VPC network access
If you want to connect to Memorystore for Valkey across multiple VPCs, you can do so by creating an internal VPN tunnel between the VPC that has the Private Service Connect endpoint and any other VPCs that require access. Since multiple VPCs cannot directly connect to Private Service Connect, VPN tunnel infrastructure must be used.
Frequently asked questions
This section covers networking FAQs for Memorystore for Valkey.
Do you need a service connection policy?
It depends. For network connectivity, you have two options: a service connection policy or user-registered Private Service Connect connections. If you choose a multi-VPC setup, then you can either use the second option or both options together.
User-registered Private Service Connect connections enable you to connect multiple VPC networks, if needed. If you don't need multiple VPC networks, then you can also establish connectivity by using a user-registered connection. However, we recommend using a service connection policy because the process is more straightforward.
Why must you enable the Network Connectivity and Service Consumer Management APIs?
Memorystore for Valkey uses Private Service Connect service connectivity automation to automate deployment and connectivity in the consumer network. For automation to work, you must enable these APIs. If you don't, then instance creation operations fail.
Which permissions do you need to set up networking in Memorystore for Valkey?
If you want to perform the Valkey Admin tasks described on this page, then you need the
memorystore.adminrole. To see which roles you need for different Memorystore for Valkey permissions, see Permissions and their roles.If you want to perform the Network Admin tasks described on this page, then you need the
compute.networkAdminrole.
Which ports do you need to set up networking in Memorystore for Valkey?
Your application connects to Memorystore for Valkey by using an IP address and the 6379 port. As part of this connection, it requests the topology of an instance.
The request's response contains a list of the data nodes in the instance and their associated ports. For each node, Memorystore for Valkey uses a port in the 11000-to-13047 range. Therefore, in your firewall, you must allow access to both the 6379 port and to all ports in this range.
How can you set up connectivity for your on-premises network?
In addition to the guidance on this page, you can learn about setting up on-premises connectivity by using the following links: