OnSeptember 15, 2026, all Cloud Composer 1 versions and versions 2.0.x of Cloud Composer 2 willreach their planned end of life. You will not be able to use environments with these versions. We recommend planningmigration to Cloud Composer 3. Cloud Composer 2 versions 2.1.x and later are still supported and are not impacted by this change.
IP masqueradingis a form of network address translation (NAT) used to
perform many-to-one IP address translations. This allows multiple clients to
access a destination from a single IP address.
Cloud Composer runs your workloads on GKE. For
correct function, it requires IP ranges for nodes (VMs) as well as
GKE Pods and Services. When Airflow DAGs and tasks
communicate with other services, they use Pod IPs and these Pod IP ranges need
to be routable to and from any destinations that the tasks interact with.
With the IP Masquerade agent, you have the option to translate Pod IP
addresses to node IP addresses, so that destinations and services targeted
from Airflow DAGs and tasks only receive packets from node IP addresses
instead of Pod IP addresses. This is useful in environments that expect to
only receive packets from node IP addresses or where Pod IP ranges are not
routable outside of the cluster.
In addition, you can use the IP Masquerade agent to save network ranges in
your networking configuration. For example, you can use a separate network
range for Pods inside your environment's cluster and masquerade this traffic
as coming from the node IP address range. In this way, you save IP address
space in one range by using IP addresses from a different range for Pods in
your environment's cluster.
For example:
You use the10.0.0.0/8range for VMs and only this range is allowed by
your firewall rules.
To save network ranges, you use a different range (for example,192.168.0.0/16) for Pods in your environment's cluster.
To be able to connect to any service from a Pod (Airflow worker), IP
masquerading is needed; otherwise the service receives traffic from192.168.0.0/16and drops it because of a firewall rule. With the IP
Masquerade agent enabled and configured, the service gets requests from10.0.0.0/8, which are accepted.
Before you begin
It is not possible to enable the IP Masquerade agent in Google Cloud console.
Enable the IP Masquerade agent for an existing environment
It is not possible to enable the IP Masquerade agent for an existing
environment.
Enable the IP Masquerade agent when creating an environment
You can enable the IP Masquerade agent when you create an environment.
For more information about creating Cloud Composer environments,
seeCreate environment.
Console
It is not possible to enable the IP Masquerade agent in Google Cloud console.
gcloud
When you create an environment, the--enable-ip-masq-agentargument
enables the IP Masqerade agent.
You must also enable IP alias with the--enable-ip-aliasargument.
LOCATIONwith the region where the environment is located.
ENVIRONMENT_NAMEwith the environment name.
Example:
// POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments{"name":"projects/example-project/locations/us-central1/environments/example-environment","config":{"softwareConfig":{"imageVersion":"composer-1.20.12-airflow-1.10.15"},"nodeConfig":{"ipAllocationPolicy":{"useIpAliases":true,},"enableIpMasqAgent":true}}}
Terraform
When you create an environment, theenable_ip_masq_agentfield in thenode_configblock enables the IP Masqerade agent.
You must also enable IP alias with theuse_ip_aliasesfield in theip_allocation_policyblock.
resource"google_composer_environment""example_environment"{provider=google-betaname="ENVIRONMENT_NAME"region="LOCATION"config{software_config{image_version="composer-1.20.12-airflow-1.10.15"}node_config{ip_allocation_policy=[{use_ip_aliases=true// Other networking configuration}]enable_ip_masq_agent=true}}
Replace:
ENVIRONMENT_NAMEwith the name of the environment.
LOCATIONwith the region where the environment is located.
Example:
resource"google_composer_environment""example_environment"{provider=google-betaname="example-environment"region="us-central1"config{software_config{image_version="composer-1.20.12-airflow-1.10.15"}node_config{ip_allocation_policy=[{use_ip_aliases=true// Other networking configuration}]enable_ip_masq_agent=true}}}
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-05 UTC."],[[["\u003cp\u003eThe IP Masquerade agent in Cloud Composer allows translating Pod IP addresses to node IP addresses, enabling communication with external services using the environment's cluster IP addresses.\u003c/p\u003e\n"],["\u003cp\u003eEnabling the IP Masquerade agent is recommended if your project faces IP address shortages, as it performs many-to-one IP address translations, conserving IP address space.\u003c/p\u003e\n"],["\u003cp\u003eThe IP Masquerade agent must be enabled during environment creation, as it cannot be enabled for existing environments.\u003c/p\u003e\n"],["\u003cp\u003eEnabling the IP Masquerade agent requires also enabling IP alias using the \u003ccode\u003egcloud\u003c/code\u003e, \u003ccode\u003eAPI\u003c/code\u003e, or \u003ccode\u003eTerraform\u003c/code\u003e methods.\u003c/p\u003e\n"],["\u003cp\u003eWhen configuring the IP Masquerade agent, you must include at least the cluster's node and Pod IP address ranges as non-masquerade destinations, due to Cloud Composer's use of intranode visibility on GKE clusters.\u003c/p\u003e\n"]]],[],null,["\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n[Cloud Composer 3](/composer/docs/composer-3/change-networking-type#comparison \"View this page for Cloud Composer 3\") \\| [Cloud Composer 2](/composer/docs/composer-2/enable-ip-masquerade-agent \"View this page for Cloud Composer 2\") \\| **Cloud Composer 1**\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page describes how to enable the IP Masquerade agent for your environment.\n| **Important:** Consider using the IP Masquerade agent if your project is impacted by the shortage of IP addresses. By enabling the IP Masquerade agent, you can use your environment's cluster IP addresses to communicate with external services.\n\nAbout the IP Masquerade agent in Cloud Composer\n\nCloud Composer supports\nthe [IP Masquerade agent](/kubernetes-engine/docs/how-to/ip-masquerade-agent) for your environments.\n\n*IP masquerading* is a form of network address translation (NAT) used to\nperform many-to-one IP address translations. This allows multiple clients to\naccess a destination from a single IP address.\n\nCloud Composer runs your workloads on GKE. For\ncorrect function, it requires IP ranges for nodes (VMs) as well as\nGKE Pods and Services. When Airflow DAGs and tasks\ncommunicate with other services, they use Pod IPs and these Pod IP ranges need\nto be routable to and from any destinations that the tasks interact with.\n\nWith the IP Masquerade agent, you have the option to translate Pod IP\naddresses to node IP addresses, so that destinations and services targeted\nfrom Airflow DAGs and tasks only receive packets from node IP addresses\ninstead of Pod IP addresses. This is useful in environments that expect to\nonly receive packets from node IP addresses or where Pod IP ranges are not\nroutable outside of the cluster.\n\nIn addition, you can use the IP Masquerade agent to save network ranges in\nyour networking configuration. For example, you can use a separate network\nrange for Pods inside your environment's cluster and masquerade this traffic\nas coming from the node IP address range. In this way, you save IP address\nspace in one range by using IP addresses from a different range for Pods in\nyour environment's cluster.\n\nFor example:\n\n1. You use the `10.0.0.0/8` range for VMs and only this range is allowed by\n your firewall rules.\n\n2. To save network ranges, you use a different range (for example,\n `192.168.0.0/16`) for Pods in your environment's cluster.\n\n3. To be able to connect to any service from a Pod (Airflow worker), IP\n masquerading is needed; otherwise the service receives traffic from\n `192.168.0.0/16` and drops it because of a firewall rule. With the IP\n Masquerade agent enabled and configured, the service gets requests from\n `10.0.0.0/8`, which are accepted.\n\nBefore you begin\n\n- It is not possible to enable the IP Masquerade agent in Google Cloud console.\n\nEnable the IP Masquerade agent for an existing environment\n\nIt is not possible to enable the IP Masquerade agent for an existing\nenvironment.\n\nEnable the IP Masquerade agent when creating an environment\n\nYou can enable the IP Masquerade agent when you create an environment.\n\nFor more information about creating Cloud Composer environments,\nsee [Create environment](/composer/docs/composer-1/create-environments). \n\nConsole\n\nIt is not possible to enable the IP Masquerade agent in Google Cloud console.\n\ngcloud\n\nWhen you create an environment, the `--enable-ip-masq-agent` argument\nenables the IP Masqerade agent.\n\nYou must also enable IP alias with the `--enable-ip-alias` argument. \n\n gcloud composer environments create \u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e \\\n --location \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e \\\n --image-version composer-1.20.12-airflow-1.10.15 \\\n --enable-ip-alias \\\n --enable-ip-masq-agent\n\nReplace:\n\n- `ENVIRONMENT_NAME` with the name of the environment.\n- `LOCATION` with the region where the environment is located.\n\nExample: \n\n gcloud composer environments create example-environment \\\n --location us-central1 \\\n --image-version composer-1.20.12-airflow-1.10.15 \\\n --enable-ip-alias \\\n --enable-ip-masq-agent\n\nAPI\n\nConstruct an [`environments.create`](/composer/docs/reference/rest/v1/projects.locations.environments/create) API request.\nSpecify the configuration in the [`Environment`](/composer/docs/reference/rest/v1/projects.locations.environments#Environment)\nresource. \n\n {\n \"name\": \"projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e/environments/\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e\",\n \"config\": {\n \"softwareConfig\": {\n \"imageVersion\": \"composer-1.20.12-airflow-1.10.15\"\n },\n \"nodeConfig\": {\n \"ipAllocationPolicy\": {\n \"useIpAliases\": true,\n },\n \"enableIpMasqAgent\": true\n }\n }\n }\n\nReplace:\n\n- `PROJECT_ID` with the [Project ID](/resource-manager/docs/creating-managing-projects).\n- `LOCATION` with the region where the environment is located.\n- `ENVIRONMENT_NAME` with the environment name.\n\nExample: \n\n // POST https://composer.googleapis.com/v1/{parent=projects/*/locations/*}/environments\n\n {\n \"name\": \"projects/example-project/locations/us-central1/environments/example-environment\",\n \"config\": {\n \"softwareConfig\": {\n \"imageVersion\": \"composer-1.20.12-airflow-1.10.15\"\n },\n \"nodeConfig\": {\n \"ipAllocationPolicy\": {\n \"useIpAliases\": true,\n },\n \"enableIpMasqAgent\": true\n }\n }\n }\n\nTerraform\n\nWhen you create an environment, the `enable_ip_masq_agent`\nfield in the `node_config` block enables the IP Masqerade agent.\n\nYou must also enable IP alias with the `use_ip_aliases` field in the\n`ip_allocation_policy` block. \n\n resource \"google_composer_environment\" \"example_environment\" {\n provider = google-beta\n name = \"\u003cvar translate=\"no\"\u003eENVIRONMENT_NAME\u003c/var\u003e\"\n region = \"\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\"\n\n config {\n software_config {\n image_version = \"composer-1.20.12-airflow-1.10.15\"\n }\n node_config {\n ip_allocation_policy = [{\n use_ip_aliases = true\n // Other networking configuration\n }]\n enable_ip_masq_agent = true\n }\n }\n\nReplace:\n\n- `ENVIRONMENT_NAME` with the name of the environment.\n- `LOCATION` with the region where the environment is located.\n\nExample: \n\n resource \"google_composer_environment\" \"example_environment\" {\n provider = google-beta\n name = \"example-environment\"\n region = \"us-central1\"\n\n config {\n software_config {\n image_version = \"composer-1.20.12-airflow-1.10.15\"\n }\n node_config {\n ip_allocation_policy = [{\n use_ip_aliases = true\n // Other networking configuration\n }]\n enable_ip_masq_agent = true\n }\n }\n }\n\nConfigure the IP Masquerade agent **Caution:** Cloud Composer enables [intranode visibility](/kubernetes-engine/docs/how-to/intranode-visibility) on GKE clusters. Therefore, non-masquerade destinations must at least include the cluster's node and Pod IP address range(s).\n\n\u003cbr /\u003e\n\nFor more information about using and configuring the IP Masquerade agent in\nCloud Composer 1, see\n[Configuring an IP masquerade agent in Standard clusters](/kubernetes-engine/docs/how-to/ip-masquerade-agent).\n\nWhat's next\n\n- [Create an environment](/composer/docs/composer-1/create-environments)\n- [Configure Shared VPC networking](/composer/docs/composer-1/configure-shared-vpc)\n- [Configure Private IP networking](/composer/docs/composer-1/configure-private-ip)"]]
