Configuring Private Google Access for VPC

Private Google Access enables VM instances with only internal (private) IP addresses (no external IP addresses) to reach the public IP addresses of Google APIs and services. You enable Private Google Access at the subnet level. When enabled, instances in the subnet that only have private IP addresses can send traffic to Google APIs and services through the default route (0.0.0.0/0).

This document describes how to enable and use Private Google Access.

Specifications

Eligible APIs and services

Private Google Access permits access to Cloud and Developer APIs and most GCP services, including:

  • BigQuery
  • Cloud Bigtable
  • Container Registry
  • Cloud Dataproc
  • Cloud Datastore
  • Cloud Pub/Sub
  • Cloud Spanner
  • Cloud Storage

Permissions

Project owners, editors, and IAM members with the Network Admin role can create or update subnets and assign IP addresses.

For more information on roles, read the VPC IAM roles documentation.

DNS resolution for APIs and services

DNS resolution for domains associated with Google APIs or services, including *.googleapis.com and gcr.io, does not change when Private Google Access is enabled for a subnet. The DNS records for Google APIs and services always point to external IP addresses. The pool of external IP addresses they use is subject to change, but can be determined by querying _spf.google.com and the TXT records it references.

For example:

dig -t TXT _spf.google.com

Private Google Access works in conjunction with a default Internet route to allow VMs with only internal IP addresses to reach the external IP addresses of Google APIs and services.

Logging

Stackdriver Logging captures all API requests made from VM instances in subnets that have Private Google Access enabled. Log entries identify the source of the API request using the private IP of the instance.

You can configure daily usage and monthly rollup reports to be delivered to a Cloud Storage bucket. See the Viewing Usage Reports page for details.

Requirements

Private Google Access has the following requirements:

  • Private Google Access does not automatically enable any API. You must enable the Google APIs you need to use via the APIs & services page in the Google Cloud Platform Console separately.

  • Private Google Access requires a VPC network. Both auto and custom mode VPC networks are supported. Legacy networks are not supported.

  • Private Google Access only applies to instances that only have internal IP addresses. Enabling or disabling Private Google Access has no effect on instances with external IP addresses.

  • You enable Private Google Access on a subnet-by-subnet basis, either when you create a subnet or by editing the subnet later on. When enabled for a subnet, Private Google Access applies to new and existing VM instances in that subnet that do not have external IP addresses.

  • Private Google Access requires a route to the public IP addresses used by Google APIs and services. The default route provides this path. Refer to the routing section for additional details.

Routing

Private Google Access requires a default internet gateway route. With Private Google Access turned off, the default internet gateway route only applies to instances that have external IP addresses. When you enable Private Google Access for a subnet, instances in the subnet use the route to send traffic to Google APIs and GCP services.

See the routes overview page for background information about how routing works in a VPC network.

To determine whether a default internet gateway route exists for a given network, use the GCP Console or the gcloud command line tool:

Console

  1. Go to the Routes page in the Google Cloud Platform Console.
  2. Filter the list of routes to show just the routes for the network you need to inspect.
  3. Look for a route whose destination is 0.0.0.0/0 and whose next hop is default internet gateway.

gcloud

Use the following gcloud command, replacing [NETWORK-NAME] with the name of the network to inspect:

gcloud compute routes list --filter="default-internet-gateway [NETWORK-NAME]"

To re-create a default Internet gateway route, use the following gcloud command, replacing [NETWORK] with the name of the network:

gcloud compute routes create default-internet-gateway-[NETWORK] \
--destination-range=0.0.0.0/0 \
--next-hop-gateway=default-internet-gateway \
--network=[NETWORK]

Firewall rules

The default allow egress firewall rule allows VMs to send outbound traffic. When Private Google Access is enabled, this rule allows instances with private IP addresses to access the various servers for Google APIs and GCP services.

You must allow egress traffic from your instances to the default route. If you have a firewall rule that denies egress traffic, you can either selectively apply that rule to certain instances or override it by creating a higher priority allow rule. If you choose to create a higher priority allow rule, consider these options:

  • Create a firewall rule whose destination is any (0.0.0.0/0) and targets are specific instances by network tag or service account. Creating a rule that applies only to specific targets without external IP addresses compensates for the broad destination range.

  • If you choose to create firewall rules with specific destinations, you will need to periodically update them to include new IP address destinations for Google servers. See DNS resolution for APIs and services for how to determine which IP ranges Google APIs and services use.
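As an added example (not part of the original page) that ties the DNS resolution section above to the second option here: the script follows the _spf.google.com include: chain with dig to collect the current ip4:/ip6: ranges, and prints the gcloud command for a higher-priority allow-egress rule. The rule name allow-google-apis-egress, the tag private-api-clients, priority 900 and the tcp:443 rule are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): collect the IP ranges behind
# _spf.google.com by following its include: chain, and emit the gcloud
# command for a higher-priority allow-egress rule. Assumes dig is installed
# for the live lookup; the rule name, tag, priority and port are placeholders.

# Parse SPF record text (stdin) into lines of "range CIDR" / "include NAME".
# Assumes each record is a single TXT string, so stripping quotes is enough.
spf_parse() {
  tr -d '"' | tr ' ' '\n' | sed -n \
    -e 's/^ip4:\(.*\)$/range \1/p' \
    -e 's/^ip6:\(.*\)$/range \1/p' \
    -e 's/^include:\(.*\)$/include \1/p'
}

# Live lookup: recurse through include: records and print every CIDR.
# Needs network access; the offline checks only exercise spf_parse.
google_ranges() {
  dig +short -t TXT "${1:-_spf.google.com}" | spf_parse |
  while read -r kind value; do
    case $kind in
      range)   printf '%s\n' "$value" ;;
      include) google_ranges "$value" ;;
    esac
  done
}

# egress_allow_cmd NETWORK [DEST]: print the allow rule the page suggests when
# a deny-egress rule exists. Priority 900 wins over the default 1000 (lower
# number = higher priority). Without DEST this is option 1 (any destination,
# scoped by tag); pass a comma-separated CIDR list for option 2, e.g.
# "$(google_ranges | paste -sd, -)". tcp:443 (HTTPS) is an assumption.
egress_allow_cmd() {
  printf 'gcloud compute firewall-rules create allow-google-apis-egress \\\n'
  printf '  --network=%s --direction=EGRESS --action=ALLOW --priority=900 \\\n' "$1"
  printf '  --rules=tcp:443 --destination-ranges=%s \\\n' "${2:-0.0.0.0/0}"
  printf '  --target-tags=private-api-clients\n'
}
```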

Configuration steps

By default, Private Google Access isn't enabled. You can enable it when you create a subnet, and you can enable or disable it by editing a subnet.

Enabling Private Google Access

Follow these steps to enable Private Google Access:

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click the name of the network that contains the subnet for which you need to enable Private Google Access.
  3. For an existing subnet:
    1. Click the name of the subnet. The Subnet details page is displayed.
    2. Click Edit.
    3. In the Private Google Access section, select On.
    4. Click Save.
  4. For a new subnet:
    1. Click Add subnet.
    2. Specify the Name and Region of the new subnet.
    3. Specify the IP address range of the subnet. This range can't overlap with any subnets in the current VPC network or any networks connected through VPC Network Peering or VPN.
    4. If you want to create a secondary range for this subnet, click Create secondary IP range.
    5. Select On in the Private Google Access section.
    6. Click Add.

gcloud

For an existing subnet:

  1. Determine the name and region of the subnet. To list the subnets for a particular network, use the following command, replacing [NETWORK-NAME] with the name of the network:

    gcloud compute networks subnets list --filter=[NETWORK-NAME]
    

  2. Run the following command to enable Private Google Access, replacing [SUBNET-NAME] with the name of the subnet and [REGION] with its region:

    gcloud compute networks subnets update [SUBNET-NAME] \
    --region [REGION] \
    --enable-private-ip-google-access
    

  3. Run the following command to verify that Private Google Access is enabled:

    gcloud compute networks subnets describe [SUBNET-NAME] \
    --region [REGION] \
    --format="get(privateIpGoogleAccess)"
    

When creating a new subnet, add the --enable-private-ip-google-access parameter. The following example creates a new subnet:

gcloud compute networks subnets create [SUBNET-NAME] \
--region [REGION] \
--network [NETWORK] \
--range [IP-RANGE] \
--enable-private-ip-google-access

Where:

  • [SUBNET-NAME] is the name of the subnet.
  • [NETWORK] is the name of the VPC network that will contain the subnet.
  • [IP-RANGE] is the primary IP address range of the subnet.
  • [REGION] is the region for the subnet.
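A preflight script, added here and not part of the original page, that checks the requirements listed above for one subnet: the default internet gateway route from the Routing section, the privateIpGoogleAccess flag set by the commands above, and which instances in the subnet have no external IP (the only ones the setting affects). It assumes an authenticated gcloud CLI; the network, subnet and region names are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original page): preflight check that a subnet
# meets the page's requirements for Private Google Access and lists the
# instances it will actually apply to (those without an external IP).
# Assumes the gcloud CLI is installed and authenticated.

# Does the network have a 0.0.0.0/0 route whose next hop is the gateway?
has_default_route() {
  network=$1
  [ -n "$(gcloud compute routes list \
      --filter="network ~ /$network\$ AND destRange = 0.0.0.0/0 AND nextHopGateway ~ default-internet-gateway" \
      --format="value(name)")" ]
}

# Is privateIpGoogleAccess set on the subnet? (get() prints True or False.)
pga_enabled() {
  subnet=$1; region=$2
  v=$(gcloud compute networks subnets describe "$subnet" --region "$region" \
        --format="get(privateIpGoogleAccess)")
  [ "$v" = "True" ]
}

# Print the instances in the subnet that have no external (NAT) IP: these
# are the only ones Private Google Access affects.
internal_only_instances() {
  subnet=$1
  gcloud compute instances list \
    --filter="networkInterfaces[0].subnetwork ~ /$subnet\$" \
    --format="value(name,networkInterfaces[0].accessConfigs[0].natIP)" |
  awk -F'\t' '$2 == "" { print $1 }'
}

# pga_preflight NETWORK SUBNET REGION: report each check; exit status is 0
# only when both prerequisites hold.
pga_preflight() {
  network=$1; subnet=$2; region=$3; ok=0
  if has_default_route "$network"; then echo "route: default internet gateway present"
  else echo "route: MISSING 0.0.0.0/0 -> default-internet-gateway"; ok=1; fi
  if pga_enabled "$subnet" "$region"; then echo "private google access: on"
  else echo "private google access: OFF"; ok=1; fi
  echo "instances covered (internal IP only):"
  internal_only_instances "$subnet" | sed 's/^/  /'
  return $ok
}
```

Run it as `pga_preflight my-vpc subnet-a us-central1` after enabling the setting; a non-zero exit means one of the two prerequisites is not met.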

Disabling Private Google Access

Follow these steps to disable Private Google Access for an existing subnet:

Console

  1. Go to the VPC networks page in the Google Cloud Platform Console.
  2. Click the name of the network that contains the subnet for which you need to disable Private Google Access.
  3. Click the name of an existing subnet. The Subnet details page is displayed.
  4. Click Edit.
  5. In the Private Google Access section, select Off.
  6. Click Save.

gcloud

  1. Determine the name and region of the subnet. To list the subnets for a particular network, use the following command, replacing [NETWORK-NAME] with the name of the network:

    gcloud compute networks subnets list --filter=[NETWORK-NAME]
    

  2. Run the following command to disable Private Google Access, replacing [SUBNET-NAME] with the name of the subnet and [REGION] with its region:

    gcloud compute networks subnets update [SUBNET-NAME] \
    --region [REGION] \
    --no-enable-private-ip-google-access
    

  3. Run the following command to verify that Private Google Access is disabled:

    gcloud compute networks subnets describe [SUBNET-NAME] \
    --region [REGION] \
    --format="get(privateIpGoogleAccess)"
    

Removing external IPs from instances

Because Private Google Access is only relevant for VMs without external IP addresses, you might need to modify running VMs after you enable Private Google Access for a subnet. To remove an external IP address from an instance, see Unassigning a static external IP address in the Compute Engine documentation.

For more information about instance IP addresses, see IP addresses in the Compute Engine documentation.

Example

In the following example, the example project contains a single VPC network with two subnets. Private Google Access is enabled for subnet-a but not for subnet-b.

Figure: Implementation of Private Google Access

  • The VPC network meets the routing requirement because it has an Internet gateway route.

  • Firewall rules in the VPC network allow egress to 0.0.0.0/0 (or at least to the server IPs for Google APIs and services).

  • Private Google Access is enabled for subnet-a but not for subnet-b.

  • VM A1 can access Google APIs and services, including Cloud Storage, because its network interface is located in subnet-a, which has Private Google Access enabled. Private Google Access applies to the instance because it only has a private IP address.

  • VM B1 cannot access Google APIs and services because it only has a private IP address and Private Google Access is disabled for subnet-b.

  • VM A2 and VM B2 can both access Google APIs and services, including Cloud Storage, because they each have public IP addresses. Private Google Access has no effect on whether these instances can access Google APIs and services.
