Configuring Private Google Access for on-premises hosts

Private Google Access for on-premises enables your on-premises hosts to reach Google APIs and services through a Cloud VPN tunnel or Cloud Interconnect connection. Hosts don't need an external IP address. For details about Private Google Access for on-premises hosts and other private access options, see Private Access Options for Services.

To view the eligible APIs and services that you can use with Private Google Access for on-premises hosts, see supported services in the Private Google Access for on-premises hosts overview.

Requirements

  • You must enable the APIs that you want to access through the APIs & services page in the Google Cloud Platform Console.
  • Project owners, editors, and IAM members with the Network Admin role can create or update subnets and assign IP addresses. For more information on roles, read the IAM roles documentation.
  • Private Google Access requires a VPC network. Both auto and custom mode VPC networks are supported. Legacy networks are not supported.
  • Your VPC network must route traffic destined to 199.36.153.4/30 by using a route whose next hop is the default Internet gateway. You can accomplish this using the default route or a custom static route.

Setting up Private Google Access for on-premises hosts

To set up Private Google Access for on-premises hosts, you must complete the following tasks:

  • Configure routes so that Google API traffic is forwarded through your Cloud VPN or Cloud Interconnect connection. For more information, see Configuring routes.
  • Configure firewall rules on your on-premises firewall to allow traffic from your on-premises hosts to reach the Restricted Google APIs IP range. For more information, see Configuring firewall rules.
  • Configure DNS so that requests for Google API hostnames resolve to the Restricted Google APIs IP range. For more information, see Configuring DNS.

Configuring routes

Cloud Router custom advertisements

You can use Cloud Router Custom Route Advertisement to announce the Restricted Google APIs IP addresses to your on-premises network. The Restricted Google APIs IP address range is 199.36.153.4/30. Even though this is a public IP address range, Google doesn't advertise its routes publicly. This IP address range is only accessible to on-premises hosts that can reach your VPC network through internal IP addresses, such as through a Cloud VPN tunnel or Cloud Interconnect connection.

To announce the restricted address range, add a custom route advertisement by using Cloud Router. You can add this advertisement to the Cloud Router or a select BGP session (for example, for a single Cloud VPN tunnel or VLAN attachment).

To create a custom route advertisement for the restricted range for all BGP sessions on an existing Cloud Router:

Console

  1. Go to the Cloud Router page in the Google Cloud Platform Console.
  2. Select the Cloud Router to update.
  3. In the Cloud Router's detail page, select Edit.
  4. Expand the Advertised routes section.
  5. For the Routes, select Create custom routes.
  6. Select Advertise all subnets visible to the Cloud Router to continue advertising the subnets available to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
  7. Select Add custom route to add an advertised route.
  8. Configure the route advertisement.
    • Source — Select Custom IP range to specify a custom IP range.
    • IP address range — Specify 199.36.153.4/30.
    • Description — Add a description of Restricted Google APIs IPs.
  9. After you're done adding routes, select Save.

gcloud

Run the update command, using either the --set-advertisement-ranges or --add-advertisement-ranges flag to specify the custom IP ranges:

  • To set custom IP ranges, use the --set-advertisement-ranges flag. Any existing custom advertisements are replaced. The following example updates the my-router Cloud Router to advertise all subnets and the Restricted Google APIs IPs range 199.36.153.4/30:

    gcloud beta compute routers update my-router \
        --advertisement-mode CUSTOM \
        --set-advertisement-groups ALL_SUBNETS \
        --set-advertisement-ranges 199.36.153.4/30
    

  • To append custom IP ranges to an existing advertisement, use the --add-advertisement-ranges flag. Note that this flag requires the Cloud Router's advertisement mode to already be set to custom. The following example adds the Restricted Google APIs IP range to the Cloud Router's existing advertisements:

    gcloud beta compute routers update my-router \
        --add-advertisement-ranges 199.36.153.4/30
    

To create a custom route advertisement for the restricted range on a specific BGP session of an existing Cloud Router:

Console

  1. Go to the Cloud Router page in the Google Cloud Platform Console.
  2. Select the Cloud Router that contains the BGP session to update.
  3. In the Cloud Router's detail page, select the BGP session to update.
  4. In the BGP session details page, select Edit.
  5. For the Routes, select Create custom routes.
  6. Select Advertise all subnets visible to the Cloud Router to continue advertising the subnets available to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
  7. Select Add custom route to add an advertised route.
  8. Configure the route advertisement.
    • Source — Select Custom IP range to specify a custom IP range.
    • IP address range — Specify 199.36.153.4/30.
    • Description — Add a description of Restricted Google APIs IPs.
  9. After you're done adding routes, select Save.

gcloud

Run the update-bgp-peer command, using either the --set-advertisement-ranges or --add-advertisement-ranges flag to specify the custom IP ranges:

  • To set custom IP ranges, use the --set-advertisement-ranges flag. Any existing custom advertisements are replaced. The following example updates the my-bgp-session BGP session on the my-router Cloud Router to advertise all subnets and the custom IP range 199.36.153.4/30:

    gcloud beta compute routers update-bgp-peer my-router \
        --peer-name my-bgp-session \
        --advertisement-mode CUSTOM \
        --set-advertisement-groups ALL_SUBNETS \
        --set-advertisement-ranges 199.36.153.4/30
    

  • To append custom IP ranges to existing ones, use the --add-advertisement-ranges flag. Note that this flag requires the BGP session's advertisement mode to already be set to custom. The following example adds the Restricted Google APIs IP range 199.36.153.4/30 to the BGP session's existing advertisements:

    gcloud compute routers update-bgp-peer my-router \
        --peer-name my-bgp-session \
        --add-advertisement-ranges 199.36.153.4/30
    

For more information about custom advertisements, refer to Custom Route Advertisements.

VPC network route requirement

Your VPC network must have a route to 199.36.153.4/30 whose next hop is the default internet gateway. In a newly created VPC network, the default route (destination 0.0.0.0/0, next hop the default internet gateway) already satisfies this requirement. If you remove the default route, you must instead create a custom static route whose destination is 199.36.153.4/30 and whose next hop is the default internet gateway. Because VPC route selection prefers the most specific matching destination, and among equally specific routes the lowest priority value, check that no narrower or higher-priority route sends this range elsewhere (for example, into a VPN tunnel).
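The following added example (not Google's code or part of this documentation) evaluates a VPC routing table the way route selection does: the longest matching prefix wins, ties go to the lowest priority value, and any remaining ties are equal-cost routes that share traffic. It then reports whether the route chosen for 199.36.153.4/30 really points at the default internet gateway. The dictionaries mirror the field names that `gcloud compute routes list --format=json` prints (destRange, priority, nextHopGateway, nextHopVpnTunnel), but all four routing tables, the project name `example-project` and the tunnel name are constructed for the example.

```python
"""Check that the route selected for the Restricted Google APIs range
(199.36.153.4/30) uses the default internet gateway as its next hop.

Added example, not part of the Google Cloud documentation. Input records use
the field names of `gcloud compute routes list --format=json`; the sample
tables below are constructed.
"""
import ipaddress

RESTRICTED_RANGE = ipaddress.ip_network("199.36.153.4/30")
DEFAULT_GATEWAY_SUFFIX = "/global/gateways/default-internet-gateway"

# Constructed resource URLs; "example-project" and "example-tunnel" are placeholders.
_PROJECT = "https://www.googleapis.com/compute/v1/projects/example-project"
_GATEWAY = _PROJECT + DEFAULT_GATEWAY_SUFFIX
_TUNNEL = _PROJECT + "/regions/us-central1/vpnTunnels/example-tunnel"
_NETWORK = _PROJECT + "/global/networks/example-network"

# Fresh network: the default route alone satisfies the requirement.
ROUTES_DEFAULT_ONLY = [
    {"name": "default-route", "destRange": "0.0.0.0/0", "priority": 1000, "nextHopGateway": _GATEWAY},
    {"name": "subnet-route", "destRange": "10.0.0.0/20", "priority": 0, "nextHopNetwork": _NETWORK},
]

# Default route removed; a custom static route covers the restricted range.
ROUTES_CUSTOM_STATIC = [
    {"name": "restricted-apis", "destRange": "199.36.153.4/30", "priority": 1000, "nextHopGateway": _GATEWAY},
    {"name": "to-onprem", "destRange": "192.168.0.0/16", "priority": 1000, "nextHopVpnTunnel": _TUNNEL},
]

# Misconfiguration: a more specific route pulls the range into the VPN tunnel.
ROUTES_OVERRIDDEN = [
    {"name": "default-route", "destRange": "0.0.0.0/0", "priority": 1000, "nextHopGateway": _GATEWAY},
    {"name": "to-onprem-proxy", "destRange": "199.36.153.0/24", "priority": 1000, "nextHopVpnTunnel": _TUNNEL},
]

# Misconfiguration: a second default route with a better (lower) priority wins.
ROUTES_DEFAULT_VIA_VPN = [
    {"name": "default-route", "destRange": "0.0.0.0/0", "priority": 1000, "nextHopGateway": _GATEWAY},
    {"name": "default-via-vpn", "destRange": "0.0.0.0/0", "priority": 100, "nextHopVpnTunnel": _TUNNEL},
]


def _network(route):
    return ipaddress.ip_network(route["destRange"], strict=False)


def next_hop(route):
    """Return (field, value) for whichever nextHop* field the route carries."""
    for key in ("nextHopGateway", "nextHopVpnTunnel", "nextHopInstance", "nextHopIp",
                "nextHopIlb", "nextHopPeering", "nextHopNetwork"):
        if key in route:
            return key, route[key]
    return None, None


def selected_routes(routes, dest=RESTRICTED_RANGE):
    """Return the route(s) VPC would use for `dest`.

    Longest matching prefix wins; among equal prefixes the lowest priority
    value wins. Several results mean equal-cost routes sharing the traffic.
    """
    candidates = [r for r in routes
                  if _network(r).version == dest.version and dest.subnet_of(_network(r))]
    if not candidates:
        return []

    def rank(route):
        return (-_network(route).prefixlen, route.get("priority", 1000))

    best = min(rank(r) for r in candidates)
    return [r for r in candidates if rank(r) == best]


def restricted_range_reachable(routes):
    """Return (ok, reason): ok only if every selected route uses the default internet gateway."""
    chosen = selected_routes(routes)
    if not chosen:
        return False, f"no route covers {RESTRICTED_RANGE}"
    for route in chosen:
        kind, value = next_hop(route)
        label = f"{route['name']} ({route['destRange']}, priority {route.get('priority', 1000)})"
        if not (kind == "nextHopGateway" and value.endswith(DEFAULT_GATEWAY_SUFFIX)):
            return False, f"{label} -> {kind}={value}"
    return True, ", ".join(r["name"] for r in chosen) + " -> default internet gateway"


if __name__ == "__main__":
    for name, table in [("default only", ROUTES_DEFAULT_ONLY), ("custom static", ROUTES_CUSTOM_STATIC),
                        ("overridden by /24", ROUTES_OVERRIDDEN), ("default via VPN", ROUTES_DEFAULT_VIA_VPN)]:
        ok, reason = restricted_range_reachable(table)
        print(f"{name:18} {'OK ' if ok else 'BAD'} {reason}")
```

To check a real network, load the JSON output of `gcloud compute routes list --filter="network:NETWORK" --format=json` and pass the list to `restricted_range_reachable`; the two failing tables show the cases that commonly go wrong in practice, a default route pointed at the VPN with a lower priority value and a broader custom route that happens to contain the /30.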

Configuring firewall rules

You must configure your on-premises firewall rules to allow traffic from your on-premises hosts to reach 199.36.153.4/30.

Configuring DNS

Configure your own DNS server to resolve *.googleapis.com as a CNAME to restricted.googleapis.com, while leaving restricted.googleapis.com itself to resolve normally so that the rewrite does not loop. The names then resolve to addresses in 199.36.153.4/30. You can use BIND to configure DNS, as shown in the next section.

Configuring DNS with BIND

If you use BIND for your on-premises DNS resolution, you can configure it to resolve Google API requests to the restricted Google APIs by using response policy zones (RPZ), as shown in the following BIND configuration:

  1. Add the following lines to /etc/bind/named.conf:

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    

  2. Add the following lines to /etc/bind/named.conf.options. The allow-query and response-policy statements belong inside the options block; BIND rejects them at the top level of a configuration file:

    options {
      directory "/var/cache/bind";

      dnssec-validation no;

      auth-nxdomain no;    # conform to RFC 1035
      listen-on-v6 { any; };
      listen-on { any; };

      # "any" makes this an open resolver if the server is reachable from
      # outside; restrict it to your on-premises ranges where possible.
      allow-query { any; };

      # Apply the response policy zone defined in named.conf.local.
      response-policy { zone "googleapis.zone"; };
    };

  3. Add the following lines to /etc/bind/named.conf.local:

    include "/etc/bind/named.conf.default-zones";

    // The RPZ data is only consulted by the policy engine; clients must not
    // be able to query the zone directly.
    zone "googleapis.zone" {
      type master;
      file "/etc/bind/db.googleapis.zone";
      allow-query { none; };
    };

  4. Add the following lines to /etc/bind/db.googleapis.zone (each record must be on its own line):

    $TTL 1H
    @                       SOA LOCALHOST. noreply.localhost. (
                                1       ; serial
                                1h      ; refresh
                                15m     ; retry
                                30d     ; expire
                                2h      ; negative-cache TTL
                            )
                            NS  LOCALHOST.

    ; Rewrite every name under googleapis.com to the restricted endpoint ...
    *.googleapis.com          CNAME restricted.googleapis.com.
    ; ... but let restricted.googleapis.com itself resolve normally, so the
    ; rewrite does not loop and the answer is the 199.36.153.4/30 range.
    restricted.googleapis.com CNAME rpz-passthru.
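Once BIND is reloaded, the practical check is that any name under googleapis.com answers through a CNAME to restricted.googleapis.com and that every address returned lies in 199.36.153.4/30. The following added example (not Google's code or part of BIND) parses answers in `dig +short` format, which prints the CNAME chain followed by the address records, and applies exactly those two checks. The answer sets are constructed for the example (203.0.113.10 is a documentation address standing in for an unrewritten public answer); the `live_check` helper runs `dig` against a resolver you name.

```python
"""Verify that a resolver rewrites Google API names into the Restricted
Google APIs range as the RPZ configuration intends.

Added example, not part of the Google Cloud documentation or of BIND.
Input is `dig +short` output: CNAME targets (names ending in a dot) followed
by address records. The sample answers below are constructed.
"""
import ipaddress
import subprocess

RESTRICTED_RANGE = ipaddress.ip_network("199.36.153.4/30")
RESTRICTED_NAME = "restricted.googleapis.com"

# Constructed sample answers.
ANSWER_REWRITTEN = "restricted.googleapis.com.\n199.36.153.4\n199.36.153.5\n199.36.153.6\n199.36.153.7\n"
ANSWER_PASSTHRU = "199.36.153.4\n199.36.153.5\n199.36.153.6\n199.36.153.7\n"
ANSWER_NOT_REWRITTEN = "203.0.113.10\n"                            # RPZ not applied
ANSWER_WRONG_ADDRESS = "restricted.googleapis.com.\n203.0.113.10\n"  # rewritten, but to the wrong VIP


def parse_short_answer(text):
    """Split `dig +short` output into (cname_targets, addresses)."""
    cnames, addrs = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            cnames.append(line.rstrip(".").lower())
    return cnames, addrs


def check_answer(hostname, text):
    """Return (ok, reason) for one hostname's answer.

    ok requires an address answer, a rewrite via restricted.googleapis.com
    (unless the queried name is restricted.googleapis.com itself), and every
    address inside 199.36.153.4/30. IPv6 answers count as outside the range.
    """
    host = hostname.rstrip(".").lower()
    cnames, addrs = parse_short_answer(text)
    if not addrs:
        return False, f"{host}: no address records in answer"
    if host != RESTRICTED_NAME and RESTRICTED_NAME not in cnames:
        return False, f"{host}: not rewritten via {RESTRICTED_NAME} (chain: {cnames or 'none'})"
    outside = [str(a) for a in addrs if a not in RESTRICTED_RANGE]
    if outside:
        return False, f"{host}: addresses outside {RESTRICTED_RANGE}: {outside}"
    return True, f"{host}: ok, {len(addrs)} address(es) in {RESTRICTED_RANGE}"


def check_all(answers):
    """Map each hostname in {hostname: dig_output} to its (ok, reason)."""
    return {host: check_answer(host, text) for host, text in answers.items()}


def live_check(hostname, resolver=None):
    """Query a real resolver with dig and evaluate the answer (needs dig on PATH)."""
    cmd = ["dig", "+short", hostname] + ([f"@{resolver}"] if resolver else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return check_answer(hostname, out)


if __name__ == "__main__":
    samples = {
        "storage.googleapis.com": ANSWER_REWRITTEN,
        "restricted.googleapis.com": ANSWER_PASSTHRU,
        "www.googleapis.com": ANSWER_NOT_REWRITTEN,
        "pubsub.googleapis.com": ANSWER_WRONG_ADDRESS,
    }
    for host, (ok, reason) in check_all(samples).items():
        print(f"{'OK ' if ok else 'BAD'} {reason}")
```

Run it against your on-premises resolver with `live_check("storage.googleapis.com", resolver="<your BIND address>")` for a handful of API hostnames, and also from a host that should be covered by the policy but uses a different resolver; the second failing sample is what you see when hosts bypass the RPZ-serving resolver entirely.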
