How to ensure gsutil copy does not use external Internet?


I have a Minecraft server I built on GCP using this guide. It is running on GCP us-central1-f (Iowa), with a regional storage bucket on us-central1 (Iowa). I have a cronjob set to run a bash script to back up the world files (about 2GB) every 4 hours to the bucket using gsutil. This is the backup script:

#!/bin/bash
set -u
FILENAME="$(date "+%Y%m%d-%H%M%S")-world.tar.gz"

# Flush the world to disk and pause autosave while the archive is built
screen -r mcs -X stuff 'save-all flush\nsave-off\n'
tar -zcvf "/home/minecraft/$FILENAME" /home/minecraft/world /home/minecraft/world_nether /home/minecraft/world_the_end
# Upload to the regional bucket; only delete the local archive if the copy succeeded
/usr/bin/gsutil cp "/home/minecraft/$FILENAME" "gs://path-to-bucket-minecraft-backup/$FILENAME" \
  && rm "/home/minecraft/$FILENAME"
# Re-enable autosave whether or not the upload succeeded
screen -r mcs -X stuff 'save-on\n'

I've been running this way for about a month, and I noticed I was being charged for hundreds of GB of external network egress, even though there are only 5-10 users on the Minecraft server. I contacted GCP Support, and they confirmed the network data is the transfers to the storage bucket, which is apparently going over the Internet. Their recommendation was to configure Private Google Access to use gsutil.

I worked with another GCP Support rep to try to do this:

  • We edited the server VM instance and set "Cloud API access scopes" to "Allow full access to all Cloud APIs"
  • We went into the Default VPC Network and enabled "Private Google Access" for us-central1.
  • We disabled the external IP, and confirmed that I was able to copy files to the storage bucket, so it is possible for the backup to run over the internal network.

According to the documentation on Configuring Private Google Access, "A VM with an external IP address assigned to its network interface doesn't need Private Google Access to connect to Google APIs and services." GCP Support didn't have a way to tell if the backup traffic would now go over the internal or external link. They pointed me to Stack Overflow for help.

So I guess my question is, what do I need to do to ensure my backups using gsutil cp ... are transferred over the internal network, and don't go over the internet? Do I need to adjust routing? I've read through the documentation on gsutil, and I haven't found anything on how to specify how the traffic flows.

Answer by marian.vladoi

According to the official documentation:

Private Google Access

VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the external IP addresses of Google APIs and services. ...

Private Google Access has no effect on instances that have external IP addresses. Instances with external IP addresses can access the internet, according to the internet access requirements. They don't need any special configuration to send requests to the external IP addresses of Google APIs and services.

Therefore, I believe that you can use gsutil over the internal network only if your VM has just an internal IP address.
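A check that ties the three steps from the question (API scopes, Private Google Access on the subnet, no external IP) to the condition the answer states. This is an added example, not code from the question or the answer; it assumes the instance name and zone are passed in $INSTANCE and $ZONE, defaults to the "default" subnet in us-central1 from the question, and needs gcloud with permission to describe the instance and subnet. The function names are mine.

```shell
#!/bin/sh
# Added check (not from the question or answer). Assumes $INSTANCE / $ZONE name
# the Minecraft VM and that the "default" subnet in us-central1 is the one in use.

# Map the two facts the answer hinges on to a verdict:
#   $1 = external IP of NIC 0 (empty when the VM has none)
#   $2 = the subnet's privateIpGoogleAccess flag (True/False)
classify_path() {
  ext_ip="$1"; pga="$2"
  if [ -n "$ext_ip" ]; then
    # Private Google Access has no effect; the VM reaches Google APIs via its external IP
    echo "has-external-ip"
  else
    case "$pga" in
      [Tt]rue) echo "internal-only-pga" ;;     # the configuration the answer describes
      *)       echo "internal-only-no-pga" ;;  # internal-only VM without PGA: Google APIs unreachable
    esac
  fi
}

# Read the live facts with gcloud (works from a workstation or from the VM itself).
external_ip_of() {
  gcloud compute instances describe "$1" --zone "$2" \
    --format='value(networkInterfaces[0].accessConfigs[0].natIP)'
}
subnet_pga() {
  gcloud compute networks subnets describe "$1" --region "$2" \
    --format='value(privateIpGoogleAccess)'
}

# Network calls only run when INSTANCE is set, so classify_path stays testable offline.
if [ -n "${INSTANCE:-}" ]; then
  verdict=$(classify_path \
    "$(external_ip_of "$INSTANCE" "${ZONE:-us-central1-f}")" \
    "$(subnet_pga "${SUBNET:-default}" "${REGION:-us-central1}")")
  echo "$INSTANCE: $verdict"
  # Non-zero exit lets a cron wrapper skip the gsutil upload when it would leave via the external IP.
  [ "$verdict" = "internal-only-pga" ] || exit 1
fi
```

Run it before the backup (for example as the first line of the cron wrapper with `INSTANCE=... ZONE=...`) so the upload is skipped whenever the VM has an external IP again.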