Configuring Private Google Access for on-premises hosts

Private Google Access for on-premises hosts provides a way for on-premises systems to connect to Google APIs and services by routing traffic through a Cloud VPN tunnel or a Cloud Interconnect attachment (VLAN). Private Google Access for on-premises hosts is an alternative to connecting to Google APIs and services over the internet.

This document describes how to enable Private Google Access for on-premises hosts.

These instructions also apply to host machines in a Bare Metal Solution region extension. Except in reference to name servers in the DNS configuration section, the term on-premises in these instructions is equivalent to Bare Metal Solution. For DNS name servers, the DNS name server that you use can be your own enterprise server in your actual on-premises environment, a DNS name server on Google Cloud, or, if you enable your Bare Metal Solution machines to connect to the internet, a public DNS name server.

Specifications and requirements

Private Google Access for on-premises hosts has the following requirements:

  • Private Google Access does not automatically enable any API. You must separately enable the Google APIs you need to use via the APIs & services page in the Google Cloud Console.

  • You must direct Google APIs and services traffic sent by on-premises systems to the IP addresses associated with either the private.googleapis.com or the restricted.googleapis.com special domain names. See Domain options for details about what services can be accessed on each domain.

  • Your on-premises network must be connected to a VPC network using either Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).

  • The VPC network to which your on-premises network is connected must have appropriate routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. See VPC network routing for details.

  • Your on-premises network must have routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. These routes must direct traffic to the appropriate Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) that connects to your VPC network. See on-premises routing with Cloud Router for details.

Permissions

Project owners, editors, and IAM members with the Network Admin role can create or update subnets and assign IP addresses.

For more information on roles, read the IAM roles documentation.

Network configuration

Private Google Access for on-premises hosts has specific network requirements for on-premises systems and for the VPC network through which the on-premises systems send traffic to Google APIs and services.

Domain options

Private Google Access for on-premises hosts requires that you direct services to one of the following special domains. The special domain you choose determines which services you can access:

  • private.googleapis.com (199.36.153.8/30) provides access to most Google APIs and services, including Cloud and Developer APIs that support VPC Service Controls and those that do not support VPC Service Controls. VPC Service Controls are enforced when you configure a service perimeter.

  • restricted.googleapis.com (199.36.153.4/30) only provides access to Cloud and Developer APIs that support VPC Service Controls. VPC Service Controls are enforced for these services if you've configured a service perimeter. Access to any Google API or service that does not support VPC Service Controls is prohibited.

Domain and IP address ranges, supported services, and example usage:

private.googleapis.com (199.36.153.8/30)

  Supported services: Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Maps, Google Ads, Google Cloud platform, and most other Google APIs, including the lists below. Does not support Google Workspace web applications.

  Domain names that end with:
    • googleapis.com
    • googleadapis.com
    • ltsapis.goog
    • gcr.io
    • gstatic.com
    • appspot.com
    • cloudfunctions.net
    • pki.goog
    • cloudproxy.app
    • run.app
    • datafusion.googleusercontent.com
    • datafusion.cloud.google.com

  Host/domain names that match:
    • packages.cloud.google.com
    • gcr.io
    • appengine.google.com
    • pki.goog

  Example usage: Use private.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud. Choose private.googleapis.com under these circumstances:
    • You don't use VPC Service Controls.
    • You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls.

restricted.googleapis.com (199.36.153.4/30)

  Supported services: Enables API access to Google APIs and services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace web applications or Google Workspace APIs.

  Example usage: Use restricted.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud. Choose restricted.googleapis.com when you only need access to Google APIs and services that are supported by VPC Service Controls; restricted.googleapis.com does not permit access to Google APIs and services that do not support VPC Service Controls.

DNS configuration

Your on-premises network must have DNS zones and records configured so that Google domain names resolve to the set of IP addresses for either private.googleapis.com or restricted.googleapis.com. You can create Cloud DNS managed private zones and use a Cloud DNS inbound server policy, or you can configure on-premises name servers. For example, you can use BIND or Microsoft Active Directory DNS.

Create a DNS zone and records for *.googleapis.com:

  1. Create a DNS zone for googleapis.com. Consider creating a Cloud DNS private zone for this purpose.
  2. In the googleapis.com zone, create one of the following A records, depending on the chosen domain:

    • An A record for private.googleapis.com pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11
    • An A record for restricted.googleapis.com pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7

    If you're using Cloud DNS, add the records to the googleapis.com private zone.

  3. In the googleapis.com zone, create a CNAME record for *.googleapis.com that points to the A record you created in the previous step.

Some Google APIs and services are provided using additional domain names, including *.gcr.io, *.gstatic.com, and pki.goog. Refer to the domain and IP address ranges table in network requirements to determine if the additional domain's services can be accessed using private.googleapis.com or restricted.googleapis.com. Then, for each of the additional domains:

  1. Create a DNS zone for the additional domain (for example, gcr.io). If you're using Cloud DNS, make sure this zone is located in the same project as your googleapis.com private zone.
  2. In this DNS zone:
    • Create an A record for the domain (zone) name itself; for example, gcr.io. Point this A record to the same four IP addresses for the custom domain name you chose (either private.googleapis.com or restricted.googleapis.com).
    • Create a CNAME record for all of the additional domain's possible host names by using an asterisk and a dot followed by the domain (zone) name; for example, *.gcr.io. Point this CNAME record to the A record in the same zone. For example, point *.gcr.io to gcr.io.

If you've implemented the DNS configuration using Cloud DNS, you'll need to configure on-premises systems so that they can make queries to your Cloud DNS managed private zones:

  • Create an inbound server policy in the VPC network to which your on-premises network connects.
  • Identify the inbound forwarder entry points, in the region(s) where your Cloud VPN tunnels and Cloud Interconnect attachments (VLANs) are located, in the VPC network to which your on-premises network connects.
  • Configure on-premises systems and on-premises DNS name servers to forward googleapis.com and any of the additional domain names to an inbound forwarder entry point in the same region as the Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) that connects to the VPC network.
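A quick way to verify the DNS configuration above is to resolve a set of Google host names through the on-premises name server and confirm that every answer lands inside the chosen /30. The script below is an added example (not part of this document or of any Google tooling); the host names and answers in SAMPLE are constructed, with 203.0.113.10 standing in for a name that was left on the public path.

```python
import ipaddress
import socket

# VIP ranges for the two special domains (from the page).
VIP_RANGES = {
    "private": ipaddress.ip_network("199.36.153.8/30"),
    "restricted": ipaddress.ip_network("199.36.153.4/30"),
}

def classify(address):
    """Return 'private', 'restricted' or 'public' for one resolved address."""
    ip = ipaddress.ip_address(address)
    for label, net in VIP_RANGES.items():
        if ip.version == net.version and ip in net:
            return label
    return "public"

def audit(resolved, chosen):
    """resolved: {hostname: [addresses]} as answered by the on-premises resolver.
    chosen: 'private' or 'restricted'. Returns {hostname: [addresses outside the
    chosen VIP range]}. A non-empty entry means the name is not covered by the DNS
    zones described above, so traffic to it would leave via the internet (and, with
    restricted.googleapis.com, would not be subject to the service perimeter)."""
    leaks = {}
    for host, addrs in resolved.items():
        bad = [a for a in addrs if classify(a) != chosen]
        if bad:
            leaks[host] = bad
    return leaks

def resolve_all(hostnames):
    """Resolve with the system resolver, i.e. the on-premises name server under test."""
    return {h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, 443)}) for h in hostnames}

# Constructed sample answers standing in for resolver output.
SAMPLE = {
    "storage.googleapis.com": ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"],
    "gcr.io": ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"],
    "pubsub.googleapis.com": ["203.0.113.10"],  # constructed: zone missing for this name
}

if __name__ == "__main__":
    for host, bad in audit(SAMPLE, "private").items():
        print(f"{host}: not resolving into the private.googleapis.com range: {bad}")
```

Replace SAMPLE with `resolve_all([...])` on an on-premises host to audit the live resolver; with the restricted domain, every non-empty entry is a name that bypasses the perimeter.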

VPC network routing

The VPC network to which your on-premises network connects must have routes for the IP address ranges used by private.googleapis.com or restricted.googleapis.com. These routes must use the default internet gateway next hop.

Google doesn't publish routes on the internet for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains. Consequently, even though the routes in the VPC network send traffic to the default internet gateway next hop, packets sent to 199.36.153.8/30 and 199.36.153.4/30 remain within Google's network.

If the VPC network to which your on-premises network connects contains a default route whose next hop is the default internet gateway, that route meets the routing requirements for Private Google Access for on-premises hosts.

VPC network custom routing

If you've replaced or changed your default route, ensure that you have custom static routes configured for the destination IP ranges used by private.googleapis.com or restricted.googleapis.com. To check the configuration of custom routes for Google APIs and services in a given network, follow these directions.

Console

  1. Go to the Routes page in the Google Cloud Console.
  2. Use the Filter table text field to filter the list of routes using the following criteria, replacing NETWORK_NAME with the name of the VPC network to which your on-premises network connects:
    • Network: NETWORK_NAME
    • Next hop type: default internet gateway
  3. Look at the Destination IP range column for each route. Look for a route whose destination range matches:
    • 199.36.153.8/30 if you chose private.googleapis.com
    • 199.36.153.4/30 if you chose restricted.googleapis.com

gcloud

Use the following gcloud command, replacing NETWORK_NAME with the name of the VPC network to which your on-premises network connects:

gcloud compute routes list \
    --filter="default-internet-gateway NETWORK_NAME"

Routes are listed in table format unless you customize the command with the --format flag. Look in the DEST_RANGE column for a route whose destination range matches:

  • 199.36.153.8/30 if you chose private.googleapis.com
  • 199.36.153.4/30 if you chose restricted.googleapis.com

If you need to create routes in your VPC network, see Adding a static route.
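The route check described in this section can be automated over the JSON form of the same listing. The following is an added example, not code from this document or from Google; it reads the parsed output of `gcloud compute routes list --format=json`, and the network names (prod-vpc, dev-vpc), route names and shortened resource URLs in SAMPLE_ROUTES are constructed.

```python
import ipaddress
import json

VIP_RANGES = {
    "private.googleapis.com": ipaddress.ip_network("199.36.153.8/30"),
    "restricted.googleapis.com": ipaddress.ip_network("199.36.153.4/30"),
}
DEFAULT_GATEWAY_SUFFIX = "/global/gateways/default-internet-gateway"

def covering_routes(routes, network_name, domain):
    """Names of routes in `network_name` that satisfy the requirement for `domain`:
    the destination range contains the domain's /30 (so an unmodified 0.0.0.0/0
    default route counts, as noted above) and the next hop is the default internet
    gateway. `routes` is the parsed output of `gcloud compute routes list --format=json`."""
    target = VIP_RANGES[domain]
    hits = []
    for route in routes:
        if route.get("network", "").rsplit("/", 1)[-1] != network_name:
            continue
        if not route.get("nextHopGateway", "").endswith(DEFAULT_GATEWAY_SUFFIX):
            continue
        dest = ipaddress.ip_network(route["destRange"])
        if dest.version == target.version and target.subnet_of(dest):
            hits.append(route["name"])
    return sorted(hits)

# Constructed sample in the shape of `gcloud compute routes list --format=json`
# (only the fields used here; resource URLs are shortened placeholders).
SAMPLE_ROUTES = json.loads("""[
  {"name": "default-route-prod", "network": ".../networks/prod-vpc",
   "destRange": "0.0.0.0/0", "nextHopGateway": ".../global/gateways/default-internet-gateway"},
  {"name": "to-onprem", "network": ".../networks/prod-vpc",
   "destRange": "10.0.0.0/8", "nextHopVpnTunnel": ".../vpnTunnels/tunnel-1"},
  {"name": "restricted-vip", "network": ".../networks/dev-vpc",
   "destRange": "199.36.153.4/30", "nextHopGateway": ".../global/gateways/default-internet-gateway"}
]""")

if __name__ == "__main__":
    for domain in VIP_RANGES:
        for net in ("prod-vpc", "dev-vpc"):
            print(net, domain, covering_routes(SAMPLE_ROUTES, net, domain) or "MISSING")
```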

On-premises routing with Cloud Router

Routes in your on-premises network must be configured to direct traffic for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains to the next hop Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) that connect to your VPC network.

You can use Cloud Router Custom Route Advertisements to announce routes for the following destinations:

  • 199.36.153.8/30 if you chose private.googleapis.com
  • 199.36.153.4/30 if you chose restricted.googleapis.com

Console

To update the route advertisement mode for all BGP sessions on a Cloud Router, except for those BGP sessions that use custom BGP advertisements themselves:

  1. Go to the Cloud Router page in the Google Cloud Console.
  2. Select the Cloud Router that manages BGP sessions for the Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) that connect your on-premises network to your VPC network.
  3. In the Cloud Router's detail page, select Edit.
  4. Expand the Advertised routes section.
  5. For the Routes, select Create custom routes.
  6. Select Advertise all subnets visible to the Cloud Router to advertise all subnet routes available to the Cloud Router if you desire the Cloud Router's default behavior.
  7. Select Add custom route to add an advertised route.
  8. Configure the route advertisement.
    • Source — Select Custom IP range to specify a custom IP range.
    • IP address range — Specify:
      • 199.36.153.8/30 if you chose private.googleapis.com
      • 199.36.153.4/30 if you chose restricted.googleapis.com
    • Description — Add a description.
  9. After you're done adding routes, select Save.

To update the route advertisement mode for a particular BGP session:

  1. Go to the Cloud Router page in the Google Cloud Console.
  2. Select the Cloud Router that manages the BGP session for a Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) that connects your on-premises network to your VPC network.
  3. In the Cloud Router's detail page, select the BGP session to update.
  4. In the BGP session details page, click Edit.
  5. For the Routes, select Create custom routes.
  6. Select Advertise all subnets visible to the Cloud Router to advertise all subnet routes available to the Cloud Router if you desire the Cloud Router's default behavior.
  7. Select Add custom route to add an advertised route.
  8. Configure the route advertisement.
    • Source — Select Custom IP range to specify a custom IP range.
    • IP address range — Specify:
      • 199.36.153.8/30 if you chose private.googleapis.com
      • 199.36.153.4/30 if you chose restricted.googleapis.com
    • Description — Add a description.
  9. After you're done adding routes, select Save.

gcloud

  1. Identify the name and region of the Cloud Router that manages BGP session(s) on the Cloud VPN tunnel(s) or Cloud Interconnect attachment(s) (VLANs) that connect your on-premises network to your VPC network.

  2. Use compute routers update to update the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:

    gcloud compute routers update ROUTER_NAME \
        --region=REGION \
        --advertisement-mode=CUSTOM \
        --set-advertisement-groups=ALL_SUBNETS \
        --set-advertisement-ranges=CUSTOM_RANGES
    

    You can append new advertisement ranges if you're already using the CUSTOM advertisement mode for the Cloud Router. This updates the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:

    gcloud compute routers update ROUTER_NAME \
        --region=REGION \
        --add-advertisement-ranges=CUSTOM_RANGES
    
  3. Alternatively, use compute routers update-bgp-peer to configure a specific BGP peer on the Cloud Router:

    gcloud compute routers update-bgp-peer ROUTER_NAME \
        --region=REGION \
        --peer-name=PEER_NAME \
        --advertisement-mode=CUSTOM \
        --set-advertisement-groups=ALL_SUBNETS \
        --set-advertisement-ranges=CUSTOM_RANGES
    

    You can append new advertisement ranges if you're already using the CUSTOM advertisement mode for a BGP session on a Cloud Router:

    gcloud compute routers update-bgp-peer ROUTER_NAME \
        --region=REGION \
        --peer-name=PEER_NAME \
        --add-advertisement-ranges=CUSTOM_RANGES
    

    In the commands above, replace the following with valid values:
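Because a BGP session in CUSTOM mode keeps its own advertisement list and does not inherit the router-level one, it is easy to update the router and still leave one tunnel without the /30. The script below is an added example (not from this document or from Google) that applies that rule to the parsed output of `gcloud compute routers describe ROUTER_NAME --region=REGION --format=json`; the router name, peer names and ranges in SAMPLE_ROUTER are constructed.

```python
import json

VIP_RANGES = {
    "private.googleapis.com": "199.36.153.8/30",
    "restricted.googleapis.com": "199.36.153.4/30",
}

def effective_custom_ranges(router, peer):
    """Custom ranges one BGP session actually advertises. A session in CUSTOM mode
    uses only its own list; otherwise it inherits the router-level advertisement.
    This is the 'except for those BGP sessions that use custom BGP advertisements
    themselves' rule from the steps above."""
    if peer.get("advertiseMode") == "CUSTOM":
        return {r["range"] for r in peer.get("advertisedIpRanges", [])}
    bgp = router.get("bgp", {})
    if bgp.get("advertiseMode") == "CUSTOM":
        return {r["range"] for r in bgp.get("advertisedIpRanges", [])}
    return set()  # DEFAULT mode advertises subnets only, no custom ranges

def peers_missing_vip(router, domain):
    """Names of BGP sessions on `router` that do not advertise the /30 for `domain`.
    `router` is the parsed output of `gcloud compute routers describe --format=json`."""
    want = VIP_RANGES[domain]
    return sorted(p["name"] for p in router.get("bgpPeers", [])
                  if want not in effective_custom_ranges(router, p))

# Constructed sample in the shape of `gcloud compute routers describe --format=json`
# (only the fields used here). vpn-peer-2 has its own CUSTOM list without the VIP.
SAMPLE_ROUTER = json.loads("""{
  "name": "onprem-router",
  "bgp": {"asn": 65001, "advertiseMode": "CUSTOM", "advertisedGroups": ["ALL_SUBNETS"],
          "advertisedIpRanges": [{"range": "199.36.153.8/30", "description": "private VIP"}]},
  "bgpPeers": [
    {"name": "vpn-peer-1", "advertiseMode": "DEFAULT"},
    {"name": "vpn-peer-2", "advertiseMode": "CUSTOM", "advertisedGroups": ["ALL_SUBNETS"],
     "advertisedIpRanges": [{"range": "10.20.0.0/16", "description": "shared services"}]}
  ]
}""")

if __name__ == "__main__":
    print(peers_missing_vip(SAMPLE_ROUTER, "private.googleapis.com"))  # ['vpn-peer-2']
```

Any session the function reports needs its own `update-bgp-peer --add-advertisement-ranges` run, since the router-level update does not reach it.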

Firewall considerations

Google Cloud firewall rules in the VPC network to which your on-premises network connects have no effect upon:

  • Packets sent through a Cloud VPN tunnel connected to the VPC network
  • Packets sent through a Cloud Interconnect attachment (VLAN) connected to the VPC network
  • Incoming packets to Cloud DNS inbound forwarder IP addresses in the VPC network

You should ensure that the firewall configuration of on-premises systems allows outbound traffic to and established responses from:

  • 199.36.153.8/30 if you use private.googleapis.com
  • 199.36.153.4/30 if you use restricted.googleapis.com
  • any Cloud DNS inbound forwarder IP addresses, if you're using Cloud DNS for the DNS configuration
