Configure Private Google Access for on-premises hosts

Private Google Access for on-premises hosts provides a way for on-premises systems to connect to Google APIs and services by routing traffic through a Cloud VPN tunnel or a VLAN attachment for Cloud Interconnect. Private Google Access for on-premises hosts is an alternative to connecting to Google APIs and services over the internet.

This document describes how to enable Private Google Access for on-premises hosts.

Specifications and requirements

Private Google Access for on-premises hosts has the following requirements:

  • Private Google Access does not automatically enable any API. You must separately enable the Google APIs that you need to use from the APIs & Services page in the Google Cloud console.

  • You must direct Google APIs and services traffic sent by on-premises systems to the IP addresses associated with either the private.googleapis.com or the restricted.googleapis.com special domain names. For details about what services can be accessed on each domain, see Domain options.

  • Your on-premises network must be connected to a VPC network by using either Cloud VPN tunnels or VLAN attachments.

  • The VPC network to which your on-premises network is connected must have appropriate routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. For details, see VPC network routing.

  • The VPC network to which your on-premises network is connected must have appropriate routes to reach the on-premises network. The next hop Cloud VPN tunnels or VLAN attachments that connect to your on-premises network for these routes must be within the same region where the request originated. If the next hop is in a region different from where the request to Private Google Access originated, response from Private Google Access will not reach the on-premises network.

  • Your on-premises network must have routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. These routes must direct traffic to the appropriate Cloud VPN tunnel or VLAN attachment that connects to your VPC network. For details, see on-premises routing with Cloud Router.

  • To let IPv6 clients in your on-premises environment access Google APIs by using private.googleapis.com or restricted.googleapis.com, you must configure the connection to your VPC network to support IPv6. For more information, see the following pages:

  • On-premises clients can send requests from any IPv6 GUA or ULA addresses, except for the ULA range fda3:e722:ac3:cc00::/64, which is reserved for internal use.

Permissions

Project owners, editors, and IAM principals with the Network Admin role can create or update subnets and assign IP addresses.

For more information about roles, read the IAM roles documentation.

Network configuration

Private Google Access for on-premises hosts has specific network requirements for on-premises systems and for the VPC network through which the on-premises systems send traffic to Google APIs and services.

Domain options

Private Google Access for on-premises hosts requires that you direct services to one of the following special domains. The special domain you choose determines which services you can access.

The private.googleapis.com and restricted.googleapis.com VIPs support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP, are not supported.

Domain and IP address ranges Supported services Example usage

private.googleapis.com

199.36.153.8/30

2600:2d00:0002:2000::/64

Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the following list. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.

Domain names that match:

  • accounts.google.com (only the paths needed for OAuth authentication)
  • *.aiplatform-notebook.cloud.google.com
  • *.aiplatform-notebook.googleusercontent.com
  • appengine.google.com
  • *.appspot.com
  • *.backupdr.cloud.google.com
  • backupdr.cloud.google.com
  • *.backupdr.googleusercontent.com
  • backupdr.googleusercontent.com
  • *.cloudfunctions.net
  • *.cloudproxy.app
  • *.composer.cloud.google.com
  • *.composer.googleusercontent.com
  • *.datafusion.cloud.google.com
  • *.datafusion.googleusercontent.com
  • *.dataproc.cloud.google.com
  • dataproc.cloud.google.com
  • *.dataproc.googleusercontent.com
  • dataproc.googleusercontent.com
  • dl.google.com
  • gcr.io or *.gcr.io
  • *.googleapis.com
  • *.gstatic.com
  • *.ltsapis.goog
  • *.notebooks.cloud.google.com
  • *.notebooks.googleusercontent.com
  • packages.cloud.google.com
  • pkg.dev or *.pkg.dev
  • pki.goog or *.pki.goog
  • *.run.app
  • source.developers.google.com

Use private.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud.

Choose private.googleapis.com under these circumstances:

  • You don't use VPC Service Controls.
  • You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls. 1

restricted.googleapis.com

199.36.153.4/30

2600:2d00:0002:1000::/64

Enables API access to Google APIs and services that are supported by VPC Service Controls.

Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

Use restricted.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud.

Choose restricted.googleapis.com when you only need access to Google APIs and services that are supported by VPC Service Controls.

The restricted.googleapis.com domain does not permit access to Google APIs and services that do not support VPC Service Controls. 1

1 If you need to restrict users to just the Google APIs and services that support VPC Service Controls, use restricted.googleapis.com. Although VPC Service Controls are enforced for compatible and configured services, regardless of the domain you use, restricted.googleapis.com provides additional risk mitigation for data exfiltration. Using restricted.googleapis.com denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.

IPv6 support for private.googleapis.com and restricted.googleapis.com

The following IPv6 address ranges can be used to direct traffic from IPv6 clients to Google APIs and services:

  • private.googleapis.com: 2600:2d00:0002:2000::/64
  • restricted.googleapis.com: 2600:2d00:0002:1000::/64

Consider configuring the IPv6 addresses if you want to use the private.googleapis.com or restricted.googleapis.com domain, and you have clients that use IPv6 addresses. IPv6 clients that also have IPv4 addresses configured can reach Google APIs and services by using the IPv4 addresses. Not all services accept traffic from IPv6 clients.

DNS configuration

Your on-premises network must have DNS zones and records configured so that Google domain names resolve to the set of IP addresses for either private.googleapis.com or restricted.googleapis.com. You can create Cloud DNS managed private zones and use a Cloud DNS inbound server policy, or you can configure on-premises name servers. For example, you can use BIND or Microsoft Active Directory DNS.

The following section describes how to use DNS zones to send packets to the IP addresses that are associated with your chosen VIP.

When you configure DNS records for the VIPs, use only the IP addresses that are described in the following steps. Do not mix addresses from the private.googleapis.com and restricted.googleapis.com VIPs. This can cause intermittent failures because the services that are offered differ based on a packet's destination.

Create a DNS zone and records for googleapis.com:

  1. Create a private DNS zone for googleapis.com. Consider creating a Cloud DNS private zone for this purpose.
  2. In the googleapis.com zone, create the following DNS records for either private.googleapis.com or restricted.googleapis.com, depending on which domain you've chosen to use.

    • For private.googleapis.com:

      1. Create an A record for private.googleapis.com pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.

      2. To connect to APIs using IPv6 addresses, also configure an AAAA record for private.googleapis.com pointing to 2600:2d00:0002:2000::.

    • For restricted.googleapis.com:

      1. Create an A record for restricted.googleapis.com pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for restricted.googleapis.com pointing to 2600:2d00:0002:1000::.

    If you're using Cloud DNS, add the records to the googleapis.com private zone.

  3. In the googleapis.com zone, create a CNAME record for *.googleapis.com that points to the domain that you've configured: private.googleapis.com or restricted.googleapis.com.

Some Google APIs and services are provided using additional domain names, including *.gcr.io, *.gstatic.com, *.pkg.dev, pki.goog, and *.run.app. Refer to the domain and IP address ranges table in Domain options to determine if the additional domain's services can be accessed using private.googleapis.com or restricted.googleapis.com. Then, for each of the additional domains:

  1. Create a DNS zone for DOMAIN (for example, gcr.io). If you're using Cloud DNS, make sure this zone is located in the same project as your googleapis.com private zone.

  2. In this DNS zone, create the following DNS records for either private.googleapis.com or restricted.googleapis.com, depending on which domain you've chosen to use:

    • For private.googleapis.com:

      1. Create an A record for DOMAIN pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for DOMAIN pointing to 2600:2d00:0002:2000::.

    • For restricted.googleapis.com:

      1. Create an A record for DOMAIN pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for restricted.googleapis.com pointing to 2600:2d00:0002:1000::.

  3. In the DOMAIN zone, create a CNAME record for *.DOMAIN that points to DOMAIN. For example, create a CNAME record for *.gcr.io that points to gcr.io.

If you've implemented the DNS configuration using Cloud DNS, you'll need to configure on-premises systems so that they can make queries to your Cloud DNS managed private zones:

  • Create an inbound server policy in the VPC network to which your on-premises network connects.
  • Identify the inbound forwarder entry points, in the region(s) where your Cloud VPN tunnels and VLAN attachments are located, in the VPC network to which your on-premises network connects.
  • Configure on-premises systems and on-premises DNS name servers to forward googleapis.com and any of the additional domain names to an inbound forwarder entry point in the same region as the Cloud VPN tunnel or VLAN attachment that connects to the VPC network.

VPC network routing

The VPC network to which your on-premises network connects must have routes for the IP address ranges used by private.googleapis.com or restricted.googleapis.com. These routes must use the default internet gateway next hop.

Google doesn't publish routes on the internet for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains. Consequently, even though the routes in the VPC network send traffic to the default internet gateway next hop, packets sent to those IP address ranges remain within Google's network.

If the VPC network to which your on-premises network connects contains a default route whose next hop is the default internet gateway, that route meets the routing requirements for Private Google Access for on-premises hosts.

VPC network custom routing

If you've replaced or changed your default route, ensure that you have custom static routes configured for the destination IP ranges used by private.googleapis.com or restricted.googleapis.com. To check the configuration of custom routes for Google APIs and services in a given network, follow these directions.

Console

  1. In the Google Cloud console, go to the Routes page.

    Go to Routes

  2. Use the Filter table text field to filter the list of routes using the following criteria, replacing NETWORK_NAME with the name of the VPC network to which your on-premises network connects:

    • Network: NETWORK_NAME
    • Next hop type: default internet gateway
  3. Look at the Destination IP range column for each route. Look for a route whose destination range matches:

    • 199.36.153.8/30 if you chose private.googleapis.com
    • 199.36.153.4/30 if you chose restricted.googleapis.com

gcloud

Use the following gcloud command, replacing NETWORK_NAME with the name of the VPC network to which your on-premises network connects:

gcloud compute routes list \
    --filter="default-internet-gateway NETWORK_NAME"

Routes are listed in table format unless you customize the command with the --format flag. Look in the DEST_RANGE column for a route whose destination range matches:

  • 199.36.153.8/30 if you chose private.googleapis.com
  • 199.36.153.4/30 if you chose restricted.googleapis.com

If you need to create routes in your VPC network, see Adding a static route.

On-premises routing with Cloud Router

Routes in your on-premises network must be configured to direct traffic for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains to the next hop Cloud VPN tunnels or VLAN attachments that connect to your VPC network.

You can use Cloud Router Custom Route Advertisements to announce routes for the IP ranges used by the private.googleapis.com and restricted.googleapis.com domains.

IPv6 routes are advertised only in BGP sessions where IPv6 is enabled.

Console

To update the route advertisement mode for all BGP sessions on a Cloud Router, except for those BGP sessions that use custom BGP advertisements themselves:

  1. In the Google Cloud console, go to the Cloud Routers page.

    Go to Cloud Routers

  2. Select the Cloud Router that manages BGP sessions for the Cloud VPN tunnels or VLAN attachments that connect your on-premises network to your VPC network.

  3. In the Cloud Router's detail page, select Edit.

  4. Expand the Advertised routes section.

  5. For the Routes, select Create custom routes.

  6. If you want to advertise all subnet routes available to the Cloud Router, select Advertise all subnets visible to the Cloud Router. This setting replicates the default configuration to your custom configuration.

  7. For each advertised route that you want to add, do the following:

    1. Select Add custom route.
    2. For Source, select Custom IP range.
    3. For IP address range, enter one of the ranges that you want to use:
      • If you use private.googleapis.com:
        • For IPv4 connectivity: 199.36.153.8/30
        • For IPv6 connectivity: 2600:2d00:0002:2000::/64
      • If you use restricted.googleapis.com:
        • For IPv4 connectivity: 199.36.153.4/30
        • For IPv6 connectivity: 2600:2d00:0002:1000::/64
    4. Click Done.
  8. After you're done adding routes, select Save.

To update the route advertisement mode for a particular BGP session:

  1. In the Google Cloud console, go to the Cloud Routers page.

    Go to Cloud Routers

  2. Select the Cloud Router that manages the BGP session for a Cloud VPN tunnel or VLAN attachment that connects your on-premises network to your VPC network.

  3. In the Cloud Router's detail page, select the BGP session to update.

  4. In the BGP session details page, click Edit.

  5. For the Routes, select Create custom routes.

  6. Select Advertise all subnets visible to the Cloud Router to advertise all subnet routes available to the Cloud Router if you desire the Cloud Router's default behavior.

  7. For each advertised route that you want to add, do the following:

    1. Select Add custom route.
    2. For Source, select Custom IP range.
    3. For IP address range, enter one of the ranges that you want to use:
      • If you use private.googleapis.com:
        • For IPv4 connectivity: 199.36.153.8/30
        • For IPv6 connectivity: 2600:2d00:0002:2000::/64
      • If you use restricted.googleapis.com:
        • For IPv4 connectivity: 199.36.153.4/30
        • For IPv6 connectivity: 2600:2d00:0002:1000::/64
    4. Click Done.
  8. After you're done adding routes, select Save.

gcloud

  1. Identify the name and region of the Cloud Router that manages BGP sessions on the Cloud VPN tunnels or VLAN attachments that connect your on-premises network to your VPC network.

  2. Use compute routers update to update the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:

    gcloud compute routers update ROUTER_NAME \
        --region=REGION \
        --advertisement-mode=CUSTOM \
        --set-advertisement-groups=ALL_SUBNETS \
        --set-advertisement-ranges=CUSTOM_RANGES
    

    You can append new advertisement ranges if you're already using the CUSTOM advertisement mode for the Cloud Router. This updates the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:

    gcloud compute routers update ROUTER_NAME \
        --region=REGION \
        --add-advertisement-ranges=CUSTOM_RANGES
    
  3. Alternatively, use compute routers update-bgp-peer to configure a specific BGP peer on the Cloud Router:

    If you are adding IPv6 custom ranges, and if IPv6 traffic is disabled for the BGP session, you can enable it with the --enable-ipv6 flag.

    gcloud compute routers update-bgp-peer ROUTER_NAME \
        --region=REGION \
        --peer-name=PEER_NAME \
        --advertisement-mode=CUSTOM \
        --set-advertisement-groups=ALL_SUBNETS \
        --set-advertisement-ranges=CUSTOM_RANGES
    

    You can append new advertisement ranges if you're already using the CUSTOM advertisement mode for a BGP session on a Cloud Router

    If you are adding IPv6 custom ranges, and if IPv6 traffic is disabled for the BGP session, you can enable it with the --enable-ipv6 flag.

    gcloud compute routers update-bgp-peer ROUTER_NAME \
        --region=REGION \
        --peer-name=PEER_NAME \
        --add-advertisement-ranges=CUSTOM_RANGES
    

    In the commands above, replace the following with valid values:

    • ROUTER_NAME: The name of the Cloud Router
    • REGION: The region of the Cloud Router
    • PEER_NAME: The name of the BGP peer configured when you create a VLAN attachment for Dedicated Interconnect, when you create a VLAN attachment for Partner Interconnect, when you create an HA VPN tunnel, or when you create a Classic VPN tunnel using dynamic routing.
    • Leave --set-advertisement-groups=ALL_SUBNETS in order to advertise all subnet routes available to the Cloud Router. This is the Cloud Router's default behavior.
    • CUSTOM_RANGES: A comma-delimited list of custom ranges to advertise.
      • For private.googleapis.com:
        • For IPv4 connectivity: 199.36.153.8/30
        • For both IPv4 and IPv6 connectivity: 199.36.153.8/30,2600:2d00:0002:2000::/64
      • For restricted.googleapis.com:
        • For IPv4 connectivity: 199.36.153.4/30
        • For both IPv4 and IPv6 connectivity: 199.36.153.4/30,2600:2d00:0002:1000::/64

Firewall considerations

Google Cloud firewall rules in the VPC network to which your on-premises network connects have no effect upon:

  • Packets sent through a Cloud VPN tunnel connected to the VPC network
  • Packets sent through a VLAN attachment connected to the VPC network
  • Incoming packets to Cloud DNS inbound forwarder IP addresses in the VPC network

You should ensure that the firewall configuration of on-premises systems allows outbound traffic to and established responses from the appropriate IP addresses:

  • If you use private.googleapis.com:
    • For IPv4 connectivity: 199.36.153.8/30
    • For IPv6 connectivity: 2600:2d00:0002:2000::/64
  • If you use restricted.googleapis.com:
    • For IPv4 connectivity: 199.36.153.4/30
    • For IPv6 connectivity: 2600:2d00:0002:1000::/64
  • Any Cloud DNS inbound forwarder IP addresses, if you're using Cloud DNS for the DNS configuration

What's next