Configure Private Google Access for on-premises hosts
Private Google Access for on-premises hosts provides a way for on-premises systems to connect to Google APIs and services by routing traffic through a Cloud VPN tunnel or a VLAN attachment for Cloud Interconnect. Private Google Access for on-premises hosts is an alternative to connecting to Google APIs and services over the internet.
This document describes how to enable Private Google Access for on-premises hosts.
Specifications and requirements
Private Google Access for on-premises hosts has the following requirements:
Private Google Access does not automatically enable any API. You must separately enable the Google APIs that you need to use from the APIs & Services page in the Google Cloud console.
You must direct Google APIs and services traffic sent by on-premises systems to the IP addresses associated with either the
private.googleapis.com
or therestricted.googleapis.com
special domain names. For details about what services can be accessed on each domain, see Domain options.Your on-premises network must be connected to a VPC network by using either Cloud VPN tunnels or VLAN attachments.
The VPC network to which your on-premises network is connected must have appropriate routes for either the
private.googleapis.com
orrestricted.googleapis.com
destination IP ranges. For details, see VPC network routing.The VPC network to which your on-premises network is connected must have appropriate routes to reach the on-premises network. The next hop Cloud VPN tunnels or VLAN attachments that connect to your on-premises network for these routes must be within the same region where the request originated. If the next hop is in a region different from where the request to Private Google Access originated, response from Private Google Access will not reach the on-premises network.
Your on-premises network must have routes for either the
private.googleapis.com
orrestricted.googleapis.com
destination IP ranges. These routes must direct traffic to the appropriate Cloud VPN tunnel or VLAN attachment that connects to your VPC network. For details, see on-premises routing with Cloud Router.To let IPv6 clients in your on-premises environment access Google APIs by using
private.googleapis.com
orrestricted.googleapis.com
, you must configure the connection to your VPC network to support IPv6. For more information, see the following pages:On-premises clients can send requests from any IPv6 GUA or ULA addresses, except for the ULA range
fda3:e722:ac3:cc00::/64
, which is reserved for internal use.
Permissions
Project owners, editors, and IAM principals with the Network Admin role can create or update subnets and assign IP addresses.
For more information about roles, read the IAM roles documentation.
Network configuration
Private Google Access for on-premises hosts has specific network requirements for on-premises systems and for the VPC network through which the on-premises systems send traffic to Google APIs and services.
Domain options
Private Google Access for on-premises hosts requires that you direct services to one of the following special domains. The special domain you choose determines which services you can access.
The private.googleapis.com
and restricted.googleapis.com
VIPs support
only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT
and ICMP, are not supported.
Domain and IP address ranges | Supported services | Example usage |
---|---|---|
|
Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the following list. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites. Domain names that match:
|
Use Choose
|
|
Enables API access to Google APIs and services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs. |
Use Choose The |
restricted.googleapis.com
, as it provides additional risk mitigation for data
exfiltration. Using restricted.googleapis.com
denies access to
Google APIs and services that are not supported by VPC Service Controls. See
Setting up private
connectivity in the VPC Service Controls documentation for more details.
IPv6 support for private.googleapis.com
and restricted.googleapis.com
The following IPv6 address ranges can be used to direct traffic from IPv6 clients to Google APIs and services:
private.googleapis.com
:2600:2d00:0002:2000::/64
restricted.googleapis.com
:2600:2d00:0002:1000::/64
Consider configuring the IPv6 addresses if you want to use the private.googleapis.com
or restricted.googleapis.com
domain, and you
have clients that use IPv6 addresses. IPv6 clients that also have IPv4 addresses configured can
reach Google APIs and services by using the IPv4 addresses. Not all services accept traffic from
IPv6 clients.
DNS configuration
Your on-premises network must have DNS zones and records configured so that
Google domain names resolve to the set of IP addresses for either
private.googleapis.com
or restricted.googleapis.com
. You can create
Cloud DNS managed private zones and use a Cloud DNS inbound
server policy, or you can configure on-premises name servers. For example, you
can use
BIND or Microsoft
Active Directory
DNS.
The following sections describe how to use DNS zones to send packets to the IP addresses that are associated with your chosen VIP. Follow the instructions for all scenarios that apply to you:
- If you use services that have
*.googleapis.com
domain names, see Configure DNS forgoogleapis.com
. If you use services that have other domain names, see Configure DNS for other domains.
For example, if you use Google Kubernetes Engine (GKE), you also need to configure
*.gcr.io
and*.pkg.dev
, or if you use Cloud Run, you need to configure*.run.app
.If you use Cloud Storage buckets, and you send requests to a Cloud Storage custom domain name, see Configure DNS for Cloud Storage custom domain names.
If you implement the DNS configuration using Cloud DNS, see Configure DNS for on-premises systems.
When you configure DNS records for the VIPs, use only the IP addresses that are
described in the following steps. Do not mix addresses from the
private.googleapis.com
and restricted.googleapis.com
VIPs. This can
cause intermittent failures because the services that are offered differ
based on a packet's destination.
Configure DNS for googleapis.com
Create a DNS zone and records for googleapis.com
:
- Create a private DNS zone for
googleapis.com
. Consider creating a Cloud DNS private zone for this purpose. In the
googleapis.com
zone, create the following private DNS records for eitherprivate.googleapis.com
orrestricted.googleapis.com
, depending on which domain you've chosen to use.For
private.googleapis.com
:Create an
A
record forprivate.googleapis.com
pointing to the following IP addresses:199.36.153.8
,199.36.153.9
,199.36.153.10
,199.36.153.11
.To connect to APIs using IPv6 addresses, also configure an
AAAA
record forprivate.googleapis.com
pointing to2600:2d00:0002:2000::
.
For
restricted.googleapis.com
:Create an
A
record forrestricted.googleapis.com
pointing to the following IP addresses:199.36.153.4
,199.36.153.5
,199.36.153.6
,199.36.153.7
.To connect to APIs using IPv6 addresses, also create an
AAAA
record forrestricted.googleapis.com
pointing to2600:2d00:0002:1000::
.
To create private DNS records in Cloud DNS, see add a record.
In the
googleapis.com
zone, create aCNAME
record for*.googleapis.com
that points to the domain that you've configured:private.googleapis.com
orrestricted.googleapis.com
.
Configure DNS for other domains
Some Google APIs and services are provided using additional domain names,
including *.gcr.io
, *.gstatic.com
, *.pkg.dev
, pki.goog
, and *.run.app
.
Refer to the domain and IP address ranges table in Domain options
to determine if the additional domain's services can be accessed using private.googleapis.com
or restricted.googleapis.com
. Then, for each of the additional domains:
Create a DNS zone for
DOMAIN
(for example,gcr.io
). If you're using Cloud DNS, make sure this zone is located in the same project as yourgoogleapis.com
private zone.In this DNS zone, create the following private DNS records for either
private.googleapis.com
orrestricted.googleapis.com
, depending on which domain you've chosen to use.For
private.googleapis.com
:Create an
A
record forDOMAIN
pointing to the following IP addresses:199.36.153.8
,199.36.153.9
,199.36.153.10
,199.36.153.11
.To connect to APIs using IPv6 addresses, also create an
AAAA
record forDOMAIN
pointing to2600:2d00:0002:2000::
.
For
restricted.googleapis.com
:Create an
A
record forDOMAIN
pointing to the following IP addresses:199.36.153.4
,199.36.153.5
,199.36.153.6
,199.36.153.7
.To connect to APIs using IPv6 addresses, also create an
AAAA
record forrestricted.googleapis.com
pointing to2600:2d00:0002:1000::
.
In the
DOMAIN
zone, create aCNAME
record for*.DOMAIN
that points toDOMAIN
. For example, create aCNAME
record for*.gcr.io
that points togcr.io
.
Configure DNS for Cloud Storage custom domain names
If you are using Cloud Storage buckets, and you send requests to a
Cloud Storage custom domain name,
configuring DNS records for the custom Cloud Storage domain name to point to
the IP addresses for private.googleapis.com
or restricted.googleapis.com
is
not sufficient to allow access to the Cloud Storage buckets.
If you want to send requests to a Cloud Storage custom domain name, you must also explicitly
set the HTTP request's Host header and TLS SNI to storage.googleapis.com
The
IP addresses for private.googleapis.com
and restricted.googleapis.com
do not
support custom Cloud Storage hostnames in HTTP request Host headers and TLS
SNIs.
Configure DNS for on-premises systems
If you've implemented the DNS configuration using Cloud DNS, you'll need to configure on-premises systems so that they can make queries to your Cloud DNS managed private zones:
- Create an inbound server policy in the VPC network to which your on-premises network connects.
- Identify the inbound forwarder entry points, in the region(s) where your Cloud VPN tunnels and VLAN attachments are located, in the VPC network to which your on-premises network connects.
- Configure on-premises systems and on-premises DNS name servers to forward
googleapis.com
and any of the additional domain names to an inbound forwarder entry point in the same region as the Cloud VPN tunnel or VLAN attachment that connects to the VPC network.
VPC network routing
The VPC network to which your on-premises network connects must
have routes for the IP address ranges used by private.googleapis.com
or
restricted.googleapis.com
. These routes must use the default internet gateway
next hop.
Google doesn't publish routes on the internet for the IP address ranges used
by the private.googleapis.com
or restricted.googleapis.com
domains.
Consequently, even though the routes in the VPC network send
traffic to the default internet gateway next hop, packets sent to those IP
address ranges remain within Google's network.
If the VPC network to which your on-premises network connects contains a default route whose next hop is the default internet gateway, that route meets the routing requirements for Private Google Access for on-premises hosts.
VPC network custom routing
If you've replaced or changed your default route, ensure that you have custom
static routes configured for the destination IP ranges used by
private.googleapis.com
or restricted.googleapis.com
. To check the
configuration of custom routes for Google APIs and services in a given network,
follow these directions.
Console
In the Google Cloud console, go to the Routes page.
Use the Filter table text field to filter the list of routes using the following criteria, replacing
NETWORK_NAME
with the name of the VPC network to which your on-premises network connects:- Network:
NETWORK_NAME
- Next hop type:
default internet gateway
- Network:
Look at the Destination IP range column for each route. Look for a route whose destination range matches:
199.36.153.8/30
if you choseprivate.googleapis.com
199.36.153.4/30
if you choserestricted.googleapis.com
gcloud
Use the following gcloud
command, replacing NETWORK_NAME
with
the name of the VPC network to which your on-premises network
connects:
gcloud compute routes list \ --filter="default-internet-gateway NETWORK_NAME"
Routes are listed in table format unless you customize the command with the
--format
flag. Look in the DEST_RANGE
column for a route whose
destination range matches:
199.36.153.8/30
if you choseprivate.googleapis.com
199.36.153.4/30
if you choserestricted.googleapis.com
If you need to create routes in your VPC network, see Adding a static route.
On-premises routing with Cloud Router
Routes in your on-premises network must be configured to direct traffic for the
IP address ranges used by the private.googleapis.com
or
restricted.googleapis.com
domains to the next hop Cloud VPN tunnels
or VLAN attachments that connect to your VPC network.
You can use Cloud Router Custom Route
Advertisements
to announce routes for the IP ranges used by the
private.googleapis.com
and restricted.googleapis.com
domains.
IPv6 routes are advertised only in BGP sessions where IPv6 is enabled.
Console
To update the route advertisement mode for all BGP sessions on a Cloud Router, except for those BGP sessions that use custom BGP advertisements themselves:
In the Google Cloud console, go to the Cloud Router page.
Select the Cloud Router that manages BGP sessions for the Cloud VPN tunnels or VLAN attachments that connect your on-premises network to your VPC network.
In the Cloud Router's detail page, select Edit.
Expand the Advertised routes section.
For the Routes, select Create custom routes.
If you want to advertise all subnet routes available to the Cloud Router, select Advertise all subnets visible to the Cloud Router. This setting replicates the default configuration to your custom configuration.
For each advertised route that you want to add, do the following:
- Select Add custom route.
- For Source, select Custom IP range.
- For IP address range, enter one of the ranges that you want to use:
- If you use
private.googleapis.com
:- For IPv4 connectivity:
199.36.153.8/30
- For IPv6 connectivity:
2600:2d00:0002:2000::/64
- For IPv4 connectivity:
- If you use
restricted.googleapis.com
:- For IPv4 connectivity:
199.36.153.4/30
- For IPv6 connectivity:
2600:2d00:0002:1000::/64
- For IPv4 connectivity:
- If you use
- Click Done.
After you're done adding routes, select Save.
To update the route advertisement mode for a particular BGP session:
In the Google Cloud console, go to the Cloud Router page.
Select the Cloud Router that manages the BGP session for a Cloud VPN tunnel or VLAN attachment that connects your on-premises network to your VPC network.
In the Cloud Router's detail page, select the BGP session to update.
In the BGP session details page, click Edit.
For the Routes, select Create custom routes.
Select Advertise all subnets visible to the Cloud Router to advertise all subnet routes available to the Cloud Router if you desire the Cloud Router's default behavior.
For each advertised route that you want to add, do the following:
- Select Add custom route.
- For Source, select Custom IP range.
- For IP address range, enter one of the ranges that you want to use:
- If you use
private.googleapis.com
:- For IPv4 connectivity:
199.36.153.8/30
- For IPv6 connectivity:
2600:2d00:0002:2000::/64
- For IPv4 connectivity:
- If you use
restricted.googleapis.com
:- For IPv4 connectivity:
199.36.153.4/30
- For IPv6 connectivity:
2600:2d00:0002:1000::/64
- For IPv4 connectivity:
- If you use
- Click Done.
After you're done adding routes, select Save.
gcloud
Identify the name and region of the Cloud Router that manages BGP sessions on the Cloud VPN tunnels or VLAN attachments that connect your on-premises network to your VPC network.
Use
compute routers update
to update the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:gcloud compute routers update ROUTER_NAME \ --region=REGION \ --advertisement-mode=CUSTOM \ --set-advertisement-groups=ALL_SUBNETS \ --set-advertisement-ranges=CUSTOM_RANGES
You can append new advertisement ranges if you're already using the
CUSTOM
advertisement mode for the Cloud Router. This updates the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:gcloud compute routers update ROUTER_NAME \ --region=REGION \ --add-advertisement-ranges=CUSTOM_RANGES
Alternatively, use
compute routers update-bgp-peer
to configure a specific BGP peer on the Cloud Router:If you are adding IPv6 custom ranges, and if IPv6 traffic is disabled for the BGP session, you can enable it with the
--enable-ipv6
flag.gcloud compute routers update-bgp-peer ROUTER_NAME \ --region=REGION \ --peer-name=PEER_NAME \ --advertisement-mode=CUSTOM \ --set-advertisement-groups=ALL_SUBNETS \ --set-advertisement-ranges=CUSTOM_RANGES
You can append new advertisement ranges if you're already using the
CUSTOM
advertisement mode for a BGP session on a Cloud RouterIf you are adding IPv6 custom ranges, and if IPv6 traffic is disabled for the BGP session, you can enable it with the
--enable-ipv6
flag.gcloud compute routers update-bgp-peer ROUTER_NAME \ --region=REGION \ --peer-name=PEER_NAME \ --add-advertisement-ranges=CUSTOM_RANGES
In the commands above, replace the following with valid values:
ROUTER_NAME
: The name of the Cloud RouterREGION
: The region of the Cloud RouterPEER_NAME
: The name of the BGP peer configured when you create a VLAN attachment for Dedicated Interconnect, when you create a VLAN attachment for Partner Interconnect, when you create an HA VPN tunnel, or when you create a Classic VPN tunnel using dynamic routing.- Leave
--set-advertisement-groups=ALL_SUBNETS
in order to advertise all subnet routes available to the Cloud Router. This is the Cloud Router's default behavior. CUSTOM_RANGES
: A comma-delimited list of custom ranges to advertise.- For
private.googleapis.com
:- For IPv4 connectivity:
199.36.153.8/30
- For both IPv4 and IPv6 connectivity:
199.36.153.8/30,2600:2d00:0002:2000::/64
- For IPv4 connectivity:
- For
restricted.googleapis.com
:- For IPv4 connectivity:
199.36.153.4/30
- For both IPv4 and IPv6 connectivity:
199.36.153.4/30,2600:2d00:0002:1000::/64
- For IPv4 connectivity:
- For
Firewall considerations
Google Cloud firewall rules in the VPC network to which your on-premises network connects have no effect upon:
- Packets sent through a Cloud VPN tunnel connected to the VPC network
- Packets sent through a VLAN attachment connected to the VPC network
- Incoming packets to Cloud DNS inbound forwarder IP addresses in the VPC network
You should ensure that the firewall configuration of on-premises systems allows outbound traffic to and established responses from the appropriate IP addresses:
- If you use
private.googleapis.com
:- For IPv4 connectivity:
199.36.153.8/30
- For IPv6 connectivity:
2600:2d00:0002:2000::/64
- For IPv4 connectivity:
- If you use
restricted.googleapis.com
:- For IPv4 connectivity:
199.36.153.4/30
- For IPv6 connectivity:
2600:2d00:0002:1000::/64
- For IPv4 connectivity:
- Any Cloud DNS inbound forwarder IP addresses, if you're using Cloud DNS for the DNS configuration
What's next
- If you need VMs in your Google Cloud VPC network to access Google APIs and services, see Configure Private Google Access for VPC.