Configuring Private Google Access

By default, only virtual machine (VM) instances with external IP addresses can access Google APIs. Private Google access enables instances that do not have external IP addresses to access Google APIs and Services using an internal IP address.

This document describes how to enable Private Google access. You configure this on a subnet level so that any VMs on a subnet where this feature is enabled can use internal IP addresses to reach other Google services.

Requirements

The following are requirements for Private Google access:

  • You can only enable Private Google access on auto subnetworks and custom subnetworks. All VM instances that are part of the subnet can use this feature.
  • Private Google access is not supported on legacy networks.
  • Create any instances that will use this feature without external IP addresses.
  • You must enable the APIs you want to access through the API Managers page in the Google Cloud Platform Console.
  • You must ensure that any instance sending traffic to a Google API has a matching default-internet-gateway route set in its GCP network.

Permissions

You need the compute.networkAdmin role to create or update a subnet and assign IP addresses. Alternatively, you can be a project editor or project owner.

For more information on roles, read the Compute Engine IAM roles documentation.

DNS resolution

After you enable Private Google access, VMs with internal IP addresses can reach the external IP addresses of Google APIs.

DNS resolution of Google domains, for example *.googleapis.com and gcr.io, does not change with the Private Google access feature enabled. Both external and internal IP instances will resolve Google domains to external IP addresses.

Ensuring that routing is properly configured

Before your VM instances can start sending traffic from internal IPs, you must first determine whether you have the proper routes configured in your routing table. VM instances that send traffic to a Google API must have a matching default-internet-gateway route set in their GCP networks.

To determine whether this route exists in your networks, check the routing table by running the following command in the gcloud command line tool:

gcloud compute routes list

If you already have this route configured for networks containing external IP instances, you do not need to make changes. If you do not, add a default-internet-gateway route when you enable access to Google services using internal IP addresses.

For more information about the default route, see Network routes.

Configuring access to Google services from internal IPs

You enable this feature when you create a subnetwork or by modifying an existing subnetwork.

By default, newly created subnetworks do not have this feature enabled.

To enable Private Google access using the gcloud command line tool, use the compute networks subnets create and compute networks subnets update commands with the --enable-private-ip-google-access flag.

To disable Private Google access using gcloud command line tool, use the compute networks subnets update command with the --no-enable-private-ip-google-access flag.

Console

To enable access to Google services from internal IP addresses:

  1. For a new or existing network, go to the Network details page in the Google Cloud Platform Console.
  2. Click the name of a subnetwork. The Subnetwork details page is displayed.
  3. Click Edit.
  4. On the Private Google access dropdown list, select Enabled.
  5. Click Save.

When adding a new subnetwork, on the Add subnetwork pop-up, select Enabled on the Private Google access dropdown list.

To disable access in an existing subnetwork:

  1. Go to the Network details page in the Google Cloud Platform Console.
  2. Click the name of a subnetwork. The Subnetwork details page is displayed.
  3. Click Edit.
  4. On the Private Google access dropdown list, select Disabled.
  5. Click Save.

gcloud

If you want to enable or disable Google API access for internal IPs in an existing subnetwork, first, list the existing subnetworks:

gcloud beta compute networks subnets list

Use the following command to determine whether a particular subnet is configured for this feature:

gcloud beta compute networks subnets describe [SUBNET_NAME]

creationTimestamp: '2016-06-16T12:39:05.341-07:00'
gatewayAddress: 10.128.0.1
id: '4206205236430159542'
ipCidrRange: 10.128.0.0/20
kind: compute#subnetwork
name: [SUBNET_NAME]
network: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/global/networks/[NETWORK]
privateIpGoogleAccess: false
region: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/[REGION]
selfLink: https://www.googleapis.com/compute/beta/projects/[PROJECT_ID]/regions/[REGION]/subnetworks/[SUBNET_NAME]

Look for the value of the privateIpGoogleAccess field.

To enable access to Google services from internal IP addresses, use the --enable-private-ip-google-access flag when you create a subnet:

gcloud beta compute networks subnets create [SUBNET_NAME] \
    --network [NETWORK] \
    --range [IP_RANGE] \
    --enable-private-ip-google-access \
    --region [REGION]

Where:

  • [SUBNET_NAME] is the name of the subnetwork to create.
  • [NETWORK] is the name of the existing Compute Engine network that will contain this subnetwork.
  • [IP_RANGE] is the IP address range of the subnetwork.
  • [REGION] is the region of the Compute Engine network containing this subnetwork.

To disable Google access for internal IPs, use the --no-enable-private-ip-google-access flag with the subnet update command:

gcloud beta compute networks subnets update [SUBNET_NAME] \
    --no-enable-private-ip-google-access \
    --region [REGION]

Logging

Google Cloud Logging logs API requests made from VM instances that have Private Google access enabled. These log entries appear to originate from the instance's internal IP address. Use the existing usage visualization functionality for Google Cloud Storage buckets to see traffic and usage patterns for that service.

Example

The following example shows how a Google Cloud Platform project with two subnetworks, subnet-a and subnet-b, might implement Private Google access. In this example, you want VM instances in subnet-a to have only internal (private) IP addresses, and you also want those VMs to have access to the Cloud Storage bucket called myBucket shown in the diagram.

[Figure: Implementation of Private Google access]

First, ensure that there is a default route with next-hop default-internet-gateway in the virtual network. All GCP networks have a default-internet-gateway route, unless the route has been manually deleted.

View the network routes by running the following command:

gcloud compute routes list

route1  vnet-1   0.0.0.0/0  default-internet-gateway  1000 filter_google_VIPs_to_private_path

If the default route with next-hop default-internet-gateway in vnet-1 is missing, use the following command to add it:

gcloud compute routes create default-route-foobar \
    --destination-range=0.0.0.0/0 \
    --next-hop-gateway=default-internet-gateway \
    --network=[NETWORK]

To create the above configuration, first set subnet-a to allow VM instances without external IPs to access Cloud Storage APIs:

gcloud beta compute networks subnets update subnet-a \
    --enable-private-ip-google-access \
    --region [REGION]

After you follow the above instructions, the VM instance without an external IP in subnet-a can access the Cloud Storage bucket myBucket. For example, uploads from the VM instance into myBucket will succeed as long as the credentials used for the request have the IAM permissions required for that bucket.
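The two conditions this page sets out, a 0.0.0.0/0 route to default-internet-gateway in the network (see Ensuring that routing is properly configured) and privateIpGoogleAccess set to true on the subnet (see the gcloud section and this example), combined into one pre-flight script. This is an added example, not part of the Compute Engine documentation or of gcloud itself. The SAMPLE_* text is constructed to mirror gcloud output, the names vnet-1, vnet-2, vnet-3, subnet-a, my-project and us-central1 are assumptions, and pga_preflight is a hypothetical wrapper that calls gcloud for real; the check functions take the output as text so they run offline.

```bash
#!/usr/bin/env bash
# Pre-flight check for Private Google access on one subnet.
# Added example, not part of the Compute Engine documentation.
# It applies the two conditions from the text above:
#   1. the subnet's network sends 0.0.0.0/0 to default-internet-gateway
#      (Google API VIPs are external addresses, so that route carries them);
#   2. the subnet has privateIpGoogleAccess: true.
# The check functions take gcloud output as text so they run offline against
# the constructed samples below; pga_preflight (hypothetical) calls gcloud.

# Constructed sample of:
#   gcloud compute routes list \
#     --format='csv[no-heading](name,network.basename(),destRange,nextHopGateway.basename(),priority)'
# vnet-1 is healthy; vnet-2 also has a default route to default-internet-gateway,
# but a higher-priority (lower number) default route to a NAT instance (empty
# nextHopGateway) wins and would divert Google API traffic.
SAMPLE_ROUTES='default-route-vnet-1,vnet-1,0.0.0.0/0,default-internet-gateway,1000
subnet-route-vnet-1,vnet-1,10.128.0.0/20,,0
default-route-vnet-2,vnet-2,0.0.0.0/0,default-internet-gateway,1000
nat-route-vnet-2,vnet-2,0.0.0.0/0,,500'

# Constructed samples of "gcloud compute networks subnets describe" (YAML output).
SAMPLE_SUBNET_DISABLED='ipCidrRange: 10.128.0.0/20
name: subnet-a
network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/vnet-1
privateIpGoogleAccess: false
region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1'
SAMPLE_SUBNET_ENABLED=$(printf '%s\n' "$SAMPLE_SUBNET_DISABLED" \
  | sed 's/^privateIpGoogleAccess: false/privateIpGoogleAccess: true/')

# has_default_internet_route NETWORK ROUTES_CSV
# Succeeds only if, among the 0.0.0.0/0 routes of NETWORK, the one with the
# lowest priority number (the one traffic actually takes) has next hop
# default-internet-gateway. No default route at all also fails.
has_default_internet_route() {
  printf '%s\n' "$2" | awk -F, -v net="$1" '
    $2 == net && $3 == "0.0.0.0/0" {
      if (best == "" || $5 + 0 < best + 0) { best = $5; hop = $4 }
    }
    END { if (best != "" && hop == "default-internet-gateway") exit 0; exit 1 }'
}

# subnet_pga_enabled DESCRIBE_YAML  -> 0 when privateIpGoogleAccess is true
subnet_pga_enabled() {
  printf '%s\n' "$1" | awk '
    $1 == "privateIpGoogleAccess:" { val = tolower($2) }
    END { if (val == "true") exit 0; exit 1 }'
}

# subnet_network DESCRIBE_YAML  -> prints the network name (basename of its URL)
subnet_network() {
  printf '%s\n' "$1" | awk '$1 == "network:" { n = $2; sub(/.*\//, "", n); print n }'
}

# pga_preflight SUBNET REGION  (hypothetical live wrapper; needs gcloud auth)
# Prints one line per check, plus the remediation command from this page when
# a check fails; returns non-zero if anything still needs fixing.
pga_preflight() {
  local subnet="$1" region="$2" describe routes network rc=0
  describe=$(gcloud compute networks subnets describe "$subnet" \
               --region "$region" --format=yaml) || return 2
  network=$(subnet_network "$describe")
  routes=$(gcloud compute routes list \
    --format='csv[no-heading](name,network.basename(),destRange,nextHopGateway.basename(),priority)') || return 2
  if has_default_internet_route "$network" "$routes"; then
    echo "ok: $network sends 0.0.0.0/0 to default-internet-gateway"
  else
    echo "FIX: gcloud compute routes create default-route-$network --network=$network \\"
    echo "       --destination-range=0.0.0.0/0 --next-hop-gateway=default-internet-gateway"
    rc=1
  fi
  if subnet_pga_enabled "$describe"; then
    echo "ok: $subnet has Private Google access enabled"
  else
    echo "FIX: gcloud compute networks subnets update $subnet --region $region --enable-private-ip-google-access"
    rc=1
  fi
  return "$rc"
}

# Offline demonstration against the constructed samples.
for net in vnet-1 vnet-2 vnet-3; do
  if has_default_internet_route "$net" "$SAMPLE_ROUTES"; then
    echo "$net: default route ok"
  else
    echo "$net: no usable default-internet-gateway route"
  fi
done
if subnet_pga_enabled "$SAMPLE_SUBNET_DISABLED"; then echo "subnet-a: enabled"; else echo "subnet-a: disabled"; fi
```

The route check deliberately looks at the default route that wins, not merely at whether a default-internet-gateway route exists: a project that added a 0.0.0.0/0 route to a NAT instance with a lower priority number still has the route this page asks for, yet its internal-only VMs would send Google API traffic to the NAT instance instead. The check still only compares 0.0.0.0/0 routes; a more specific route that covers a Google API address range would also divert that traffic and has to be reviewed by hand in the full routing table.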
