Configuring Private Google Access for on-premises hosts

Private Google Access enables on-premises hosts to reach Google APIs and services across a Cloud VPN or Cloud Interconnect connection, using an internal, private IP address rather than an external, public IP address.

The Cloud and Developer APIs and services that on-premises hosts can reach using Private Google Access are the following.

Reached using Private Google Access and secured by VPC Service Controls:

  • BigQuery
  • Dataflow (only to Cloud Storage)
  • Dataproc (only create instance call)
  • Cloud Deployment Manager
  • Cloud Storage JSON API

Reached using Private Google Access but not secured by VPC Service Controls:

  • Cloud DNS
  • Logging
  • Monitoring
  • Pub/Sub
  • Resource Manager error reporting
  • Error Reporting
  • Cloud Runtime Configuration API

This document describes how to enable Private Google Access for on-premises hosts.

Requirements

The following are requirements for Private Google Access:

  • You must enable the APIs you want to access through the APIs & services page in the Google Cloud Console.
  • You must configure routes so that Google API traffic is forwarded through your Cloud VPN or Cloud Interconnect connection, firewall rules on your on-premises firewall that allow the outgoing traffic, and DNS so that names of Google APIs resolve to the IP range you added to your routes. The rest of this document describes that process.

Configuring routes

You can use Cloud Router Custom Route Advertisement to announce the Restricted Google APIs IP addresses through Cloud Router to your on-premises network. The Restricted Google APIs IP range is 199.36.153.4/30. While this is technically a public IP range, Google does not announce it publicly. This IP range is only accessible to hosts that can reach your Google Cloud projects through internal IP ranges, such as through a Cloud VPN or Cloud Interconnect connection.

To specify advertisements on an existing Cloud Router:

Console


  1. Go to the Cloud Router page in the Google Cloud Console.
  2. Select the Cloud Router to update.
  3. In the Cloud Router's detail page, select Edit.
  4. Expand the Advertised routes section.
  5. For the Routes, select Create custom routes.
  6. Select Advertise all subnets visible to the Cloud Router to continue advertising the subnets available to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
  7. Select Add custom route to add an advertised route.
  8. Configure the route advertisement.
    • Source — Select Custom IP range to specify a custom IP range.
    • IP address range — Specify 199.36.153.4/30.
    • Description — Add a description of Restricted Google APIs IPs.
  9. After you're done adding routes, select Save.

gcloud


Run the update command, using the --set-advertisement-ranges or --add-advertisement-ranges flag to specify the custom IP ranges:

  • To set custom IP ranges, use the --set-advertisement-ranges flag. Any existing custom advertisements are replaced. The following example updates the my-router Cloud Router to advertise all subnets and the Restricted Google APIs IPs range 199.36.153.4/30:

    gcloud compute routers update my-router \
        --advertisement-mode custom \
        --set-advertisement-groups all_subnets \
        --set-advertisement-ranges 199.36.153.4/30
    

    The --set-advertisement-groups flag accepts Google-defined groups that Cloud Router dynamically advertises. You can remove the --set-advertisement-groups flag to exclude subnet advertisements. For a list of all advertisement groups, see the advertisement-groups flag in the Google SDK documentation.

  • To append custom IP ranges to an existing advertisement, use the --add-advertisement-ranges flag. Note that this flag requires the Cloud Router's advertisement mode to already be set to custom. The flag takes the IP range itself, not its description. The following example adds the Restricted Google APIs IPs range 199.36.153.4/30 to the Cloud Router's advertisements:

    gcloud beta compute routers update my-router \
        --add-advertisement-ranges 199.36.153.4/30
    

To specify advertisements on an existing BGP session:

Console


  1. Go to the Cloud Router page in the Google Cloud Console.
  2. Select the Cloud Router that contains the BGP session to update.
  3. In the Cloud Router's detail page, select the BGP session to update.
  4. In the BGP session details page, click Edit.
  5. For the Routes, select Create custom routes.
  6. Select Advertise all subnets visible to the Cloud Router to continue advertising the subnets available to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
  7. Select Add custom route to add an advertised route.
  8. Configure the route advertisement.
    • Source — Select Custom IP range to specify a custom IP range.
    • IP address range — Specify 199.36.153.4/30.
    • Description — Add a description of Restricted Google APIs IPs.
  9. After you're done adding routes, select Save.

gcloud


Run the update-bgp-peer command, using the --set-advertisement-ranges or --add-advertisement-ranges flag to specify the custom IP ranges:

  • To set custom IP ranges, use the --set-advertisement-ranges flag. Any existing custom advertisements are replaced. The following example updates the my-bgp-session BGP session on the my-router Cloud Router to advertise all subnets and the custom IP range 199.36.153.4/30:

    gcloud beta compute routers update-bgp-peer my-router \
        --peer-name my-bgp-session \
        --advertisement-mode custom \
        --set-advertisement-groups all_subnets \
        --set-advertisement-ranges 199.36.153.4/30
    

    The --set-advertisement-groups flag accepts Google-defined groups that the BGP session dynamically advertises. You can remove the --set-advertisement-groups flag to exclude subnet advertisements. For a list of all advertisement groups, see the advertisement-groups flag in the Google SDK documentation.

  • To append custom IP ranges to existing ones, use the --add-advertisement-ranges flag. Note that this flag requires the BGP session's advertisement mode to already be set to custom. The following example adds the Restricted Google APIs IPs range 199.36.153.4/30 to the BGP session's advertisements:

    gcloud beta compute routers update-bgp-peer my-router \
        --peer-name my-bgp-session \
        --add-advertisement-ranges 199.36.153.4/30
    

Configuring firewall rules

You must configure your on-premises firewall to allow traffic from your on-premises hosts to reach 199.36.153.4/30.

Configuring DNS

To use the Restricted Google APIs IP addresses, configure your own DNS server to resolve *.googleapis.com as a CNAME to restricted.googleapis.com. You can do this in one of two ways: with a Cloud DNS private zone, or with a custom BIND configuration.

Configuring DNS with Cloud DNS

You can use Cloud DNS to enable DNS resolution for Private Google Access.

gcloud


gcloud alpha dns managed-zones create apis \
    --visibility private \
    --networks https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/[NETWORK] \
    --dns-name googleapis.com
gcloud dns record-sets transaction start -z apis
gcloud dns record-sets transaction add --name=*.googleapis.com. \
    --type=CNAME restricted.googleapis.com. --zone apis --ttl 300
gcloud dns record-sets transaction add --name=restricted.googleapis.com. \
    --type=A 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \
    --zone apis --ttl 300
gcloud dns record-sets transaction execute --zone apis

Configuring DNS with BIND

If you use BIND for your on-premises DNS resolution, you can configure it to make use of response policy zones (RPZ). Here is an example BIND configuration:

  1. Add the following lines to /etc/bind/named.conf:

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    
  2. Add the following lines to /etc/bind/named.conf.options. Both allow-query and response-policy are options-level statements (response-policy is only valid inside options or a view), so they go here rather than at the top level of named.conf.local:

    options {
      directory "/var/cache/bind";

      # RPZ rewrites answers for googleapis.com; with validation enabled,
      # BIND would refuse to rewrite DNSSEC-signed responses.
      dnssec-validation no;

      auth-nxdomain no;    # conform to RFC 1035
      listen-on-v6 { any; };
      listen-on { any; };

      allow-query { any; };

      # Apply the response policy zone defined in named.conf.local.
      response-policy { zone "googleapis.zone"; };
    };
    
  3. Add the following lines to /etc/bind/named.conf.local:

    include "/etc/bind/named.conf.default-zones";

    # The RPZ itself is never served to clients directly; it only drives
    # the rewriting configured by response-policy above.
    zone "googleapis.zone" {
      type master;
      file "/etc/bind/db.googleapis.zone";
      allow-query { none; };
    };
    
  4. Add the following lines to /etc/bind/db.googleapis.zone:

    $TTL 1H
    @                       SOA LOCALHOST. noreply.localhost. (1 1h 15m 30d 2h)
                            NS  LOCALHOST.

    ; Owner names are relative to the zone origin, so *.googleapis.com matches
    ; any name under googleapis.com and rewrites it to restricted.googleapis.com.
    *.googleapis.com          CNAME restricted.googleapis.com.
    ; The rewrite target itself must resolve normally (to 199.36.153.4/30).
    restricted.googleapis.com CNAME rpz-passthru.
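
The route, firewall and DNS configuration above all serve one purpose: Google API traffic from an on-premises host must resolve to, and be routed toward, 199.36.153.4/30 rather than the public addresses of the APIs. The script below is added here as a verification example and is not part of the Google Cloud documentation or its tooling. It parses the text an on-premises host can produce locally, the output of `dig +noall +answer NAME` and `ip route get 199.36.153.4`, and reports whether the answer is a CNAME to restricted.googleapis.com. with A records inside the restricted range, and whether the kernel sends that range out of the tunnel interface. The sample answers, the tunnel interface name vti0 and the RFC 5737 addresses are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added verification helpers (not part of the Google Cloud documentation page).
# They check, from text an on-premises host can produce locally, that traffic
# for Google APIs really takes the Restricted Google APIs path:
#   - the DNS answer for a googleapis.com name is a CNAME to
#     restricted.googleapis.com. whose A records all lie in 199.36.153.4/30;
#   - the kernel routes 199.36.153.4 out of the VPN/Interconnect interface.
# All sample inputs below are constructed; on a real host, feed in the output
# of `dig +noall +answer NAME` and `ip route get 199.36.153.4` instead.

RESTRICTED_RANGE="199.36.153.4/30"

# ip_to_int DOTTED_QUAD -> prints the address as a 32-bit unsigned integer.
# Assumes no leading zeros in octets (the shell would read those as octal).
ip_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> succeeds if IP is inside CIDR (IPv4 only).
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( (1 << 32) - (1 << (32 - bits)) ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_dns_answer NAME ANSWER_TEXT -> succeeds only if NAME is a CNAME to
# restricted.googleapis.com. and every A record in the answer is inside
# 199.36.153.4/30. Any public address means the traffic would leave the
# private path (and VPC Service Controls would not see it).
check_dns_answer() {
  local name=${1%.}. answer=$2
  local cname_ok=0 a_count=0 owner ttl class type rdata
  while read -r owner ttl class type rdata; do
    [ -n "$owner" ] || continue
    case $type in
      CNAME)
        [ "$owner" = "$name" ] && [ "$rdata" = "restricted.googleapis.com." ] && cname_ok=1
        ;;
      A)
        a_count=$((a_count + 1))
        in_cidr "$rdata" "$RESTRICTED_RANGE" || return 1
        ;;
    esac
  done <<EOF
$answer
EOF
  [ "$cname_ok" -eq 1 ] && [ "$a_count" -gt 0 ]
}

# check_route ROUTE_TEXT EXPECTED_DEV -> succeeds if the `ip route get` output
# selects EXPECTED_DEV (the tunnel or Interconnect attachment interface).
check_route() {
  local dev
  dev=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
  [ "$dev" = "$2" ]
}

# Constructed samples (not captured from a real network).
GOOD_ANSWER='storage.googleapis.com. 300 IN CNAME restricted.googleapis.com.
restricted.googleapis.com. 300 IN A 199.36.153.4
restricted.googleapis.com. 300 IN A 199.36.153.5
restricted.googleapis.com. 300 IN A 199.36.153.6
restricted.googleapis.com. 300 IN A 199.36.153.7'
# No RPZ rewrite: the resolver returned a public address (RFC 5737 placeholder).
PUBLIC_ANSWER='storage.googleapis.com. 300 IN A 203.0.113.10'
# CNAME rewritten, but one A record falls outside the restricted /30.
MIXED_ANSWER='storage.googleapis.com. 300 IN CNAME restricted.googleapis.com.
restricted.googleapis.com. 300 IN A 199.36.153.4
restricted.googleapis.com. 300 IN A 199.36.153.8'
GOOD_ROUTE='199.36.153.4 via 10.10.0.1 dev vti0 src 10.10.0.2 uid 1000'
BAD_ROUTE='199.36.153.4 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 1000'

# Stand-alone demonstration; expected: PASS, FAIL, FAIL, PASS, FAIL.
show() {
  local label=$1; shift
  if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}
show "DNS rewritten answer" check_dns_answer storage.googleapis.com "$GOOD_ANSWER"
show "DNS public answer"    check_dns_answer storage.googleapis.com "$PUBLIC_ANSWER"
show "DNS mixed answer"     check_dns_answer storage.googleapis.com "$MIXED_ANSWER"
show "route via tunnel"     check_route "$GOOD_ROUTE" vti0
show "route via WAN"        check_route "$BAD_ROUTE" vti0
```

Run it on the on-premises host after the DNS and route changes, replacing the constructed strings with `dig +noall +answer storage.googleapis.com` and `ip route get 199.36.153.4` output; a FAIL on the DNS check means requests are still reaching the public API endpoints, and a FAIL on the route check means the advertised 199.36.153.4/30 route has not been accepted from Cloud Router.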
    

Use case: Cloud Storage API connectivity and policy setup in a hybrid cloud scenario

Consider the following scenario in the diagram below, in which you want to have the following behavior:

  • On-premises hosts can access Cloud Storage APIs privately, but can only access storage buckets in the given project.
  • Project "sensitive-buckets" can only be accessed from the VPC network VMs and privately connected on-premises applications.

[Figure: Private Google Access for hybrid cloud use case]

Here are the steps required to create this setup:

  1. Announce Restricted Google APIs IPs through Cloud Router

    If you have an existing Cloud Router whose advertisements you are updating for access to Google APIs, you can configure the advertisement either for a single peer or for all peers of that Cloud Router.

    To configure it for a single peer of an existing Cloud Router:

    gcloud compute routers update-bgp-peer [CLOUD_ROUTER] \
        --region=[CLOUD_ROUTER_REGION] \
        --peer-name=[BGP_PEER] \
        --advertisement-mode=custom \
        --set-advertisement-groups=all_subnets \
        --set-advertisement-ranges=199.36.153.4/30=access-to-secure-gcp-apis
    

    To configure it for all peers of an existing Cloud Router (the router's advertisement mode must already be set to custom):

    gcloud compute routers update [CLOUD_ROUTER] \
        --region=[CLOUD_ROUTER_REGION] \
        --add-advertisement-ranges=199.36.153.4/30=access-to-secure-gcp-apis
    

    If you do not have an existing Cloud Router, create one that advertises the range:

    gcloud compute routers create [CLOUD_ROUTER] \
        --region=[CLOUD_ROUTER_REGION] \
        --network=[NETWORK] \
        --advertisement-mode=custom \
        --set-advertisement-groups=all_subnets \
        --set-advertisement-ranges=199.36.153.4/30=access-to-secure-gcp-apis
    
  2. Configure your on-premises application and DNS such that Google API storage requests are made and resolved for storage.restricted.googleapis.com.

  3. Configure VPC Service Controls according to the user guide. For VPC Service Controls, this means reaching out to your customer engineer and providing them with information on the projects you would like to protect.
