You can use VPC Service Controls to control access to Google APIs and services from hosts that use private IP addresses. These hosts can be VM instances in a VPC network or clients in an on-premises network.
To restrict Private Google Access within a service perimeter to only
VPC Service Controls supported Google APIs and services,
hosts must send their requests to the restricted.googleapis.com domain name
instead of *.googleapis.com. The restricted.googleapis.com domain resolves
to a VIP (virtual IP address) range 199.36.153.4/30. This IP address range is
not announced to the Internet.
The following sections describe how to set up private connectivity for hosts in a VPC network or on-premises network. For an overview and example topology diagrams, refer to Private Google Access with VPC Service Controls.
Before you begin
- You must enable the APIs that you want to access through the APIs & services page in the Google Cloud Console.
- Project owners, editors, and IAM members with the Network Admin role can create or update subnets and assign IP addresses. For more information on roles, read the IAM roles documentation.
- Private Google Access and Private Google Access for on-premises hosts requires a VPC network. Both auto and custom mode VPC networks are supported. Legacy networks are not supported.
- For VM instances in a VPC network, they must have a private IP address only (no public IP address) and be in subnet with Private Google Access enabled.
- For on-premises hosts, you must have an existing Cloud VPN tunnel or an Cloud Interconnect connection to your VPC network.
Overview of procedure
To set up private connectivity, complete the following tasks:
- Configure routes for the destination
199.36.153.4/30. For more information, see Configuring routes. - Configure firewall rules to allow the appropriate traffic to the restricted Google APIs IP address range. For more information, see Configuring firewall rules.
- Configure DNS so that traffic to Google APIs resolves to the Restricted Google APIs IP address range. For more information, see Configuring DNS.
Configure a route to restricted.googleapis.com
For both Private Google Access and Private Google Access for on-premises
hosts, your VPC network must include a route for with a
destination to 199.36.153.4/30 whose next hop is the default Internet gateway.
Even though the next hop is a default Internet gateway, traffic sent to
199.36.153.4/30 remains within Google's network. Your VPC
network might already have a default
route whose next hop is the default
Internet gateway. If not, you can create a custom static route whose destination
is 199.36.153.4/30 and whose next hop is the default Internet gateway.
In addition to the custom static route, Private Google Access for on-premises hosts requires a custom route advertisement so that hosts in the on-premises network can learn about the restricted VIP. You can create a custom dynamic route using Cloud Router to announce the restricted VIP.
For more information about working with VPC routes, see Using Routes in the VPC documentation.
Configuring a custom static route in a VPC network
Add a custom static route to enable access to Google managed services that are supported by VPC Service Controls.
Add a custom route that allows access only to Google managed services secured by VPC Service Controls.
gcloud compute routes create ROUTE_NAME \ --network=NETWORK_NAME \ --destination-range=199.36.153.4/30 \ --next-hop-gateway=default-internet-gateway
Where:
ROUTE_NAME is a name for the custom route.
NETWORK_NAME is the name of your VPC network.
Announcing the restricted route to hosts in an on-premises network
If you're using Private Google Access for on-premises hosts, configure routes
so that Google API traffic is forwarded through your Cloud VPN or
Cloud Interconnect connection. To announce the restricted VIP
(199.36.153.4/30) to your on-premises network, use Cloud Router Custom
Route Advertisement. This IP address
range is only accessible to on-premises hosts that can reach your
VPC network through private IP addresses.
You can add this custom route advertisement to a Cloud Router (for all BGP sessions on the router) or a select BGP session (for a single Cloud VPN tunnel or VLAN attachment).
To create a custom route advertisement for the restricted range for all BGP sessions on an existing Cloud Router:
Console
- Go to the Cloud Router page in the Google Cloud Console.
Cloud Router list - Select the Cloud Router to update.
- In the Cloud Router's detail page, select Edit.
- Expand the Advertised routes section.
- For the Routes, select Create custom routes.
- Select Advertise all subnets visible to the Cloud Router to continue advertising the subnets available to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
- Select Add custom route to add an advertised route.
- Configure the route advertisement.
- Source — Select Custom IP range to specify a custom IP range.
- IP address range — Specify
199.36.153.4/30. - Description — Add a description of
Restricted Google APIs IPs.
- After you're done adding routes, select Save.
gcloud
Run the update command, using either the --set-advertisement-ranges or
--add-advertisement-ranges flag to specify the custom IP ranges:
To set custom IP ranges, use the
--set-advertisement-rangesflag. Any existing custom advertisements are replaced. The following example updates themy-routerCloud Router to advertise all subnets and the Restricted Google APIs IPs range199.36.153.4/30:gcloud compute routers update my-router \ --advertisement-mode CUSTOM \ --set-advertisement-groups ALL_SUBNETS \ --set-advertisement-ranges 199.36.153.4/30To append custom IP ranges to an existing advertisement, use the
--add-advertisement-rangesflag. Note that this flag requires the Cloud Router's advertisement mode to already be set tocustom. The following example adds theRestricted Google APIs IPscustom IP to the Cloud Router's advertisements:gcloud compute routers update my-router \ --add-advertisement-ranges 199.36.153.4/30
To create a custom route advertisement for the restricted range on a specific BGP session of an existing Cloud Router:
Console
- Go to the Cloud Router page in the Google Cloud Console.
Cloud Router list - Select the Cloud Router that contains the BGP session to update.
- In the Cloud Router's detail page, select the BGP session to update.
- In the BGP session details page, select Edit.
- For the Routes, select Create custom routes.
- Select Advertise all subnets visible to the Cloud Router to continue advertising the subnets available to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
- Select Add custom route to add an advertised route.
- Configure the route advertisement.
- Source — Select Custom IP range to specify a custom IP range.
- IP address range — Specify
199.36.153.4/30. - Description — Add a description of
Restricted Google APIs IPs.
- After you're done adding routes, select Save.
gcloud
Run the update-bgp-peer command, using either the
--set-advertisement-ranges or --add-advertisement-ranges flag to specify
the custom IP ranges.
To set custom IP ranges, use the
--set-advertisement-rangesflag. Any existing custom advertisements are replaced. The following example updates themy-bgp-sessionBGP session on themy-routerCloud Router to advertise all subnets and the custom IP range199.36.153.4/30:gcloud compute routers update-bgp-peer my-router \ --peer-name my-bgp-session \ --advertisement-mode CUSTOM \ --set-advertisement-groups ALL_SUBNETS \ --set-advertisement-ranges 199.36.153.4/30To append custom IP ranges to existing ones, use the
--add-advertisement-rangesflag. Note that this flag requires the Cloud Router's advertisement mode to already be set tocustom. The following example adds the199.36.153.4/30Restricted Google APIs IPs to the Cloud Router's advertisements:gcloud compute routers update-bgp-peer my-router \ --peer-name my-bgp-session \ --add-advertisement-ranges 199.36.153.4/30For more information about custom advertisements, refer to Custom Router Advertisements.
Configure firewall rules
For Private Google Access, VM instances use internal IP addresses and don't require external IP addresses to reach protected Google API resources. However, it's possible for VM instances to possess external IP addresses or otherwise meet the requirements for Internet access. In addition to custom routes, you can restrict egress traffic from VM instances in your VPC network by creating firewall rules to deny egress traffic.
By default, the implied allow egress firewall
rule permits VM instances to send
traffic to any destination if an applicable route exists. You can create an
egress deny rule to block all outbound traffic, and then create higher
priority egress allow rules to permit traffic to selected destinations in your
VPC network and to the 199.36.153.4/30
(restricted.googleapis.com) IP address range. All communication to
restricted.googleapis.com is on TCP port 443.
For more information about working with VPC firewall rules, see Using Firewall Rules in the VPC documentation.
Firewall rules in on-premises networks
You must configure your on-premises firewall rules to allow traffic from your
on-premises hosts to reach 199.36.153.4/30.
Configuring DNS
To make use of the Restricted Google APIs IP addresses, configure your DNS
server to resolve *.googleapis.com as a CNAME to restricted.googleapis.com,
and configure an A record for restricted.googleapis.com. For general use of
VPC Service Controls, we recommend that you use Cloud DNS managed
private zones for your VPC networks.
For on-premises access, you can configure a Cloud DNS inbound forwarding policy to enable on-premises name servers to query a Cloud DNS managed private zone, or you can configure an on-premises name server, such as one using BIND:
- Cloud DNS private DNS zones enable you to host a DNS zone accessible from
authorized VPC networks and, if you configure forwarding, from
certain on-premises name servers. You can create a private zone for
googleapis.comwith an A record forrestricted.googleapis.comand appropriate CNAME records for each*.googleapis.comname. Cloud DNS private zones do not support partial overrides, which means that you can only choose to redirect all requests to*.googleapis.comtorestricted.googleapis.com. As a result, you won't be able to use any Google APIs and services that do not support use of therestricted.googleapis.comVIP. For more information, see Managing Zones. - Custom BIND and the
restricted.googleapis.comVIP cannot be used for Dataflow because DNS resolution of Dataflow can't be customized.
Configuring DNS with Cloud DNS
Use Cloud DNS to enable DNS resolution for VM instances in your VPC network, hosts in an on-premises network, or both. If you're using Shared VPC, see Private zones and Shared VPC in the Cloud DNS documentation. Additionally, if you're using Shared VPC, ensure that the Shared VPC network host project is included in the same service perimeter as projects that connect to the network.
Create a managed private zone for your VPC network.
gcloud beta dns managed-zones create ZONE_NAME \ --visibility=private \ --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \ --description=DESCRIPTION \ --dns-name=googleapis.com
ZONE_NAME is a name for the zone that you are creating. For example,
vpc. This name will be used in each of the following steps.PROJECT_ID is the ID of the project that hosts your VPC network.
NETWORK_NAME is the name of your VPC network.
DESCRIPTION is an optional, human-readable description of the managed zone.
Start a transaction.
gcloud dns record-sets transaction start --zone=ZONE_NAME
- ZONE_NAME is the name of the zone you created in the first step.
Add DNS records.
gcloud dns record-sets transaction add --name=*.googleapis.com. \ --type=CNAME restricted.googleapis.com. \ --zone=ZONE_NAME \ --ttl=300- ZONE_NAME is the name of the zone you created in the first step.
gcloud dns record-sets transaction add --name=restricted.googleapis.com. \ --type=A 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \ --zone=ZONE_NAME \ --ttl=300- ZONE_NAME is the name of the zone you created in the first step.
Execute the transaction.
gcloud dns record-sets transaction execute --zone=ZONE_NAME
- ZONE_NAME is the name of the zone you created in the first step.
Optional. To enable on-premises hosts to reach the restricted VIP, complete the following steps:
Create a DNS policy and enable inbound DNS forwarding to make VPC network's name resolution services externally available to systems in on-premises networks,
gcloud beta dns policies create POLICY_NAME \ --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \ --enable-inbound-forwarding \ --description=DESCRIPTION
POLICY_NAME is a name for the policy that you are creating. For example,
apipolicy.PROJECT_ID is the ID of the project that hosts your VPC network.
NETWORK_NAME is the name of your VPC network.
DESCRIPTION is an optional, human-readable description of the managed zone.
In your on-premises network, point your on-premises DNS to the Cloud DNS forwarder IP address. To find the forwarder IP address, use the
compute addresses listcommand:gcloud compute addresses list --filter='name ~ ^dns-forwarding.*' \ --format='csv[no-heading](address, subnetwork)'
Configuring DNS with BIND
If you use BIND for DNS resolution, you can configure it to resolve Google API requests to the restricted Google APIs. Use the following example BIND configuration, which makes use of response policy zones (RPZ) to achieve this behavior:
Add the following lines to
/etc/bind/named.conf:include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local";
Add the following lines to
/etc/bind/named.conf.options:options { directory "/var/cache/bind"; dnssec-validation no; auth-nxdomain no; # conform to RFC 1035 listen-on-v6 { any; }; listen-on { any; }; response-policy { zone "googleapis.zone"; }; allow-query { any;}; };Add the following lines to
/etc/bind/named.conf.local:include "/etc/bind/named.conf.default-zones";
zone "googleapis.zone" { type master; file "/etc/bind/db.googleapis.zone"; allow-query {none;}; };
Add the following lines to
/etc/bind/db.googleapis.zone:$TTL 1H @ SOA LOCALHOST. noreply.localhost(1 1h 15m 30d 2h) NS LOCALHOST.*.googleapis.com CNAME restricted.googleapis.com. restricted.googleapis.com CNAME rpz-passthru.