VPC firewall rules block database connections over Private Service Access after subnet expansion

mrsqlninja · June 15, 2025, 8:44am

We’re experiencing intermittent connection failures to our Cloud SQL PostgreSQL instance after expanding our VPC subnet range. The database uses Private Service Access for connectivity from our GKE cluster.

The connections were stable before the VPC subnet expansion. Now we see:


ERROR: connection timeout to 10.128.5.42:5432
Failed to establish connection after 30s

We’ve verified the Private Service Access peering is active and the allocated IP range hasn’t changed. The firewall rules appear correct, but I suspect there might be an implicit deny rule interfering with the new subnet range. Has anyone dealt with firewall rule management issues after VPC changes that affected Private Service Access configuration?

pablo_arch · June 21, 2025, 4:51pm

Thanks Sara. I checked the firewall rules and found our main database access rule only covered the original /24 subnet. The expansion added a /20 range which wasn’t included. However, I’m not sure if I should modify the existing rule or create a new one specifically for Private Service Access traffic. Also concerned about the priority ordering - we have several rules and I don’t want to accidentally break other services.

pablo_arch · July 4, 2025, 7:09pm

I’ve seen this exact issue. The problem is that VPC subnet expansion creates a new subnet object, and your firewall rules might be targeting the old subnet by name rather than by CIDR. If you’re using subnet-based targeting in your firewall rules instead of IP ranges, the new subnet won’t be covered. Switch to CIDR-based rules for more flexibility. Also, check your Cloud SQL instance’s authorized networks - though with Private Service Access this shouldn’t matter, but worth verifying the configuration is consistent.

kevinsys · July 13, 2025, 11:08am

Update: I found the issue. Our firewall rule was using a tag-based target rather than IP ranges, and the new subnet wasn’t properly tagged. I’ve fixed it now and connections are stable. Appreciate all the help!

jose_creator · June 17, 2025, 11:24pm

Check if your firewall rules explicitly allow the new subnet CIDR range. When you expand VPC subnets, existing firewall rules don’t automatically update to include the new ranges. Run gcloud compute firewall-rules list --filter="network=YOUR_VPC" and verify that your ingress rules cover the expanded subnet. The Private Service Access peering itself might be fine, but the firewall layer could be blocking the new IPs.

ines_data · July 22, 2025, 3:22am

Perfect! Let me provide a comprehensive solution for anyone facing similar issues with VPC subnet expansion and Private Service Access.

VPC Subnet Expansion Impact: When you expand VPC subnets, existing firewall rules don’t automatically adapt. You need to explicitly update or create new rules covering the expanded ranges.

Firewall Rule Management Steps:

List current firewall rules and identify gaps:


gcloud compute firewall-rules list --filter="network=YOUR_VPC" --format="table(name,sourceRanges,allowed)"

Check Private Service Access allocated ranges:


gcloud services vpc-peerings list --service=servicenetworking.googleapis.com --network=YOUR_VPC

Create dedicated firewall rule for new subnet:


gcloud compute firewall-rules create allow-db-new-subnet \
  --network=YOUR_VPC \
  --allow=tcp:5432 \
  --source-ranges=10.128.0.0/20 \
  --priority=1000

Private Service Access Configuration Best Practices:

• Use CIDR-based firewall rules instead of tag-based targeting for subnet expansions - more flexible and automatic coverage

• Maintain separate firewall rules for Private Service Access traffic (priority 900-1000) vs application traffic (priority 1000-2000)

• Always verify the allocated IP range matches your firewall source ranges

• Document your firewall rule hierarchy and priorities to avoid conflicts

• Test connectivity from all subnets after VPC changes before deploying to production

Priority Guidelines:

Critical infrastructure (databases): 900-1000
Application services: 1000-2000
General access: 2000-3000
Explicit denies: 100-500 (use sparingly)

Verification: After updating firewall rules, test from multiple pods/instances in different subnets:


psql -h 10.128.5.42 -U dbuser -d production

Monitor Cloud SQL logs and VPC Flow Logs to confirm traffic is allowed. The key is maintaining explicit allow rules that cover all your subnet ranges, especially after infrastructure changes like VPC expansion.

matthewgcp · July 3, 2025, 3:12pm

For Private Service Access, you need to ensure your firewall rules allow traffic from both your application subnet AND the allocated range used for the private connection. The allocated range (typically something like 10.128.0.0/20 for the service) needs explicit ingress rules. Check your allocated ranges with gcloud services vpc-peerings list --service=servicenetworking.googleapis.com --network=YOUR_VPC. Create a dedicated firewall rule for this range with priority around 1000 to avoid conflicts. Don’t modify existing application rules - keep them separate for easier management.

techexpert · July 9, 2025, 8:28am

One thing to watch out for: implicit deny rules. GCP has an implicit deny all ingress rule at the lowest priority. When you add new subnets, make sure your allow rules have proper priority (lower number = higher priority). I typically use priority 1000 for application-level rules and 900 for critical infrastructure like database access. Also verify that you don’t have any explicit deny rules that might be catching the new subnet range before your allow rules.

Topic		Replies	Views
VPC peering shows intermittent packet loss between production networks Google Cloud Platform (GCP) question , compute , networking , gcp-2019 , network-troubleshooting , vpc-peering , firewall-rules , packet-loss , flow-logs	5	0	September 5, 2025
VPC peering blocks cross-region backup replication traffic for Cloud Storage Google Cloud Platform (GCP) question , networking , disaster-recovery , gcp-2020 , cloud-storage , cross-region , vpc-peering , firewall-rules , backup-disaster	4	0	June 19, 2025
Firewall policy blocking internal VPC traffic between subnets in same zone IBM Cloud question , networking , security , ic-2019 , vpc-routing , ibm-cloud-firewall , internal-block , service-disruption , firewall-policy	5	0	November 25, 2025
VPC firewall rule conflict blocks secure API access from on-premises IBM Cloud question , networking , security , hybrid-cloud , vpc , ic-2021 , firewall-rules , api-access	5	0	September 17, 2025
VPC peering causes ERP app timeouts between regions after network expansion Google Cloud Platform (GCP) question , compute , networking , timeout , erp-integration , gcp-2021 , cross-region , vpc-peering , firewall-rules	7	1	November 21, 2025
Cloud SQL REST API connection refused when authenticating with service accounts Google Cloud Platform (GCP) question , database , rest-api , gcp-2020 , iam-roles , network-config , apis , service-accounts , cloud-sql	3	0	October 23, 2025
VPC peering blocks ERP application traffic despite open security groups Amazon Web Services (AWS) question , networking , vpc , aws-2020 , security-groups , vpc-peering , route-tables , vpc-peering-block , integration-fail	7	0	February 15, 2025
Shared VPC design considerations for multi-team environments with different security requirements Google Cloud Platform (GCP) discussion , networking , gcp-2020 , quota-management , firewall-rules , shared-vpc , design-boundaries , network-segmentation , iam-management	3	0	December 2, 2025
VPC endpoint fails to connect to RDS instance despite correct security group rules Amazon Web Services (AWS) question , networking , routing , database , vpc , aws-2019 , security-groups , rds , connection-failure	3	0	April 17, 2025

VPC firewall rules block database connections over Private Service Access after subnet expansion

Related topics