Private Google Access for on-premises hosts provides a way for on-premises systems to connect to Google APIs and services by routing traffic through a Cloud VPN tunnel or a Cloud Interconnect attachment (VLAN). Private Google Access for on-premises hosts is an alternative to connecting to Google APIs and services over the internet.
This document describes how to enable Private Google Access for on-premises hosts.
These instructions also apply to host machines in a Bare Metal Solution region extension. Except in reference to name servers in the DNS configuration section, the term on-premises in these instructions is equivalent to Bare Metal Solution. For DNS name servers, the DNS name server that you use can be your own enterprise server in your actual on-premises environment, a DNS name server on Google Cloud, or, if you enable your Bare Metal Solution machines to connect to the internet, a public DNS name server.
Specifications and requirements
Private Google Access for on-premises hosts has the following requirements:
Private Google Access does not automatically enable any API. You must separately enable the Google APIs you need to use via the APIs & services page in the Google Cloud Console.
You must direct Google APIs and services traffic sent by on-premises systems to the IP addresses associated with either the private.googleapis.com or the restricted.googleapis.com special domain names. See Domain options for details about what services can be accessed on each domain.
Your on-premises network must be connected to a VPC network using either Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).
The VPC network to which your on-premises network is connected must have appropriate routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. See VPC network routing for details.
Your on-premises network must have routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. These routes must direct traffic to the appropriate Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) that connects to your VPC network. See on-premises routing with Cloud Router for details.
Permissions
Project owners, editors, and IAM members with the Network Admin role can create or update subnets and assign IP addresses.
For more information on roles, read the IAM roles documentation.
Network configuration
Private Google Access for on-premises hosts has specific network requirements for on-premises systems and for the VPC network through which the on-premises systems send traffic to Google APIs and services.
Domain options
Private Google Access for on-premises hosts requires that you direct services to one of the following special domains. The special domain you choose determines which services you can access:
private.googleapis.com (
199.36.153.8/30
) provides access to most Google APIs and services, including Cloud and Developer APIs that support VPC Service Controls and those that do not support VPC Service Controls. VPC Service Controls are enforced when you configure a service perimeter.restricted.googleapis.com (
199.36.153.4/30
) only provides access to Cloud and Developer APIs that support VPC Service Controls. VPC Service Controls are enforced for these services if you've configured a service perimeter. Access to any Google API or service that does not support VPC Service Controls is prohibited.
Domain and IP address ranges | Supported services | Example usage |
---|---|---|
private.googleapis.com 199.36.153.8/30 |
Enables API access to most Google APIs and services regardless of
whether they are supported by VPC Service Controls. Includes API access to
Maps, Google Ads, Google Cloud, and most other
Google APIs, including the lists below. Does not support Google Workspace web
applications. Does not support any interactive websites. Domain names that end with:
|
Use Choose
|
restricted.googleapis.com 199.36.153.4/30 |
Enables API access to
Google APIs and
services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace web applications or Google Workspace APIs. |
Use Choose |
DNS configuration
Your on-premises network must have DNS zones and records configured so that
Google domain names resolve to the set of IP addresses for either
private.googleapis.com
or restricted.googleapis.com
. You can create
Cloud DNS managed private zones and use a Cloud DNS inbound
server policy, or you can configure on-premises name servers. For example, you
can use
BIND or Microsoft
Active Directory
DNS.
Create a DNS zone and records for *.googleapis.com
:
- Create a DNS zone for
googleapis.com
. Consider creating a Cloud DNS private zone for this purpose. In the
googleapis.com
zone, create one of the followingA
records, depending on the chosen domain:- An
A
record forprivate.googleapis.com
pointing to the following IP addresses:199.36.153.8
,199.36.153.9
,199.36.153.10
,199.36.153.11
- An
A
record forrestricted.googleapis.com
pointing to the following IP addresses:199.36.153.4
,199.36.153.5
,199.36.153.6
,199.36.153.7
If you're using Cloud DNS, add the records to the
googleapis.com
private zone.- An
In the
googleapis.com
zone, create aCNAME
record for*.googleapis.com
that points to theA
record you created in the previous step.
Some Google APIs and services are provided using additional domain names,
including *.gcr.io
, *.gstatic.com
, and pki.goog
. Refer to the domain and
IP address ranges table in network requirements to determine if the
additional domain's services can be accessed using private.googleapis.com
or
restricted.googleapis.com
. Then, for each of the additional domains:
- Create a DNS zone for the additional domain (for example,
gcr.io
). If you're using Cloud DNS, make sure this zone is located in the same project as yourgoogleapis.com
private zone. - In this DNS zone:
- Create an
A
record for the domain (zone) name itself; for example,gcr.io
. Point thisA
record to the same four IP addresses for the custom domain name you chose (eitherprivate.googleapis.com
orrestricted.googleapis.com
). - Create a
CNAME
record for all of the additional domain's possible host names by using an asterisk and a dot followed by the domain (zone) name; for example,*.gcr.io
. Point thisCNAME
record to theA
record in the same zone. For example, point*.gcr.io
togcr.io
.
- Create an
If you've implemented the DNS configuration using Cloud DNS, you'll need to configure on-premises systems so that they can make queries to your Cloud DNS managed private zones:
- Create an inbound server policy in the VPC network to which your on-premises network connects.
- Identify the inbound forwarder entry points, in the region(s) where your Cloud VPN tunnels and Cloud Interconnect attachments (VLANs) are located, in the VPC network to which your on-premises network connects.
- Configure on-premises systems and on-premises DNS name servers to forward
googleapis.com
and any of the additional domain names to an inbound forwarder entry point in the same region as the Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) that connects to the VPC network.
VPC network routing
The VPC network to which your on-premises network connects must
have routes for the IP address ranges used by private.googleapis.com
or
restricted.googleapis.com
. These routes must use the default internet gateway
next hop.
Google doesn't publish routes on the internet for the IP address ranges used
by the private.googleapis.com
or restricted.googleapis.com
domains.
Consequently, even though the routes in the VPC network send
traffic to the default internet gateway next hop, packets sent to
199.36.153.8/30
and 199.36.153.4/30
remain within Google's network.
If the VPC network to which your on-premises network connects contains a default route whose next hop is the default internet gateway, that route meets the routing requirements for Private Google Access for on-premises hosts.
VPC network custom routing
If you've replaced or changed your default route, ensure that you have custom
static routes configured for the destination IP ranges used by
private.googleapis.com
or restricted.googleapis.com
. To check the
configuration of custom routes for Google APIs and services in a given network,
follow these directions.
Console
- Go to the Routes page in the Google Cloud Console.
Go to the Routes page - Use the Filter table text field to filter the list of routes using
the following criteria, replacing
NETWORK_NAME
with the name of the VPC network to which your on-premises network connects:- Network:
NETWORK_NAME
- Next hop type:
default internet gateway
- Network:
- Look at the Destination IP range column for each route. Look for a
route whose destination range matches:
199.36.153.8/30
if you choseprivate.googleapis.com
199.36.153.4/30
if you choserestricted.googleapis.com
gcloud
Use the following gcloud
command, replacing NETWORK_NAME
with
the name of the VPC network to which your on-premises network
connects:
gcloud compute routes list \ --filter="default-internet-gateway NETWORK_NAME"
Routes are listed in table format unless you customize the command with the
--format
flag. Look in the DEST_RANGE
column for a route whose
destination range matches:
199.36.153.8/30
if you choseprivate.googleapis.com
199.36.153.4/30
if you choserestricted.googleapis.com
If you need to create routes in your VPC network, see Adding a static route.
On-premises routing with Cloud Router
Routes in your on-premises network must be configured to direct traffic for the
IP address ranges used by the private.googleapis.com
or
restricted.googleapis.com
domains to the next hop Cloud VPN tunnels
or Cloud Interconnect attachments (VLANs) that connect to your
VPC network.
You can use Cloud Router Custom Route Advertisements to announce routes for the following destinations:
199.36.153.8/30
if you choseprivate.googleapis.com
199.36.153.4/30
if you choserestricted.googleapis.com
Console
To update the route advertisement mode for all BGP sessions on a Cloud Router, except for those BGP sessions that use custom BGP advertisements themselves:
- Go to the Cloud Router page in the Google Cloud Console.
Cloud Router list - Select the Cloud Router that manages BGP sessions for the Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) that connect your on-premises network to your VPC network.
- In the Cloud Router's detail page, select Edit.
- Expand the Advertised routes section.
- For the Routes, select Create custom routes.
- Select Advertise all subnets visible to the Cloud Router to advertise all subnet routes available to the Cloud Router if you desire the Cloud Router's default behavior.
- Select Add custom route to add an advertised route.
- Configure the route advertisement.
- Source — Select Custom IP range to specify a custom IP range.
- IP address range — Specify:
199.36.153.8/30
if you choseprivate.googleapis.com
199.36.153.4/30
if you choserestricted.googleapis.com
- Description — Add a description.
- After you're done adding routes, select Save.
To update the route advertisement mode for a particular BGP session:
- Go to the Cloud Router page in the Google Cloud Console.
Cloud Router list - Select the Cloud Router that manages the BGP session for a Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) that connects your on-premises network to your VPC network.
- In the Cloud Router's detail page, select the BGP session to update.
- In the BGP session details page, click Edit.
- For the Routes, select Create custom routes.
- Select Advertise all subnets visible to the Cloud Router to advertise all subnet routes available to the Cloud Router if you desire the Cloud Router's default behavior.
- Select Add custom route to add an advertised route.
- Configure the route advertisement.
- Source — Select Custom IP range to specify a custom IP range.
- IP address range — Specify:
199.36.153.8/30
if you choseprivate.googleapis.com
199.36.153.4/30
if you choserestricted.googleapis.com
- Description — Add a description.
- After you're done adding routes, select Save.
gcloud
Identify the name and region of the Cloud Router that manages BGP session(s) on the Cloud VPN tunnel(s) or Cloud Interconnect attachment(s) (VLANs) that connect your on-premises network to your VPC network.
Use
compute routers update
to update the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:gcloud compute routers update ROUTER_NAME \ --region=REGION \ --advertisement-mode=CUSTOM \ --set-advertisement-groups=ALL_SUBNETS \ --set-advertisement-ranges=CUSTOM_RANGES
You can append new advertisement ranges if you're already using the
CUSTOM
advertisement mode for the Cloud Router. This updates the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:gcloud compute routers update ROUTER_NAME \ --region=REGION \ --add-advertisement-ranges=CUSTOM_RANGES
Alternatively, use
compute routers update-bgp-peer
to configure a specific BGP peer on the Cloud Router:gcloud compute routers update ROUTER_NAME \ --region=REGION \ --peer-name=PEER_NAME \ --advertisement-mode=CUSTOM \ --set-advertisement-groups=ALL_SUBNETS \ --set-advertisement-ranges=CUSTOM_RANGES
You can append new advertisement ranges if you're already using the
CUSTOM
advertisement mode for a BGP session on a Cloud Routergcloud compute routers update ROUTER_NAME \ --region=REGION \ --peer-name=PEER_NAME \ --add-advertisement-ranges=CUSTOM_RANGES
In the commands above, replace the following with valid values:
ROUTER_NAME
: The name of the Cloud RouterREGION
: The region of the Cloud RouterPEER_NAME
: The name of the BGP peer configured when you create a VLAN attachment for Dedicated Interconnect, when you create a VLAN attachment for Partner Interconnect, when you create an HA VPN tunnel, or when you create a Classic VPN tunnel using dynamic routing.- Leave
--set-advertisement-groups=ALL_SUBNETS
in order to advertise all subnet routes available to the Cloud Router. This is the Cloud Router's default behavior. CUSTOM_RANGES
: A comma-delimited list of custom ranges to advertise. If you choseprivate.googleapis.com
, use199.36.153.8/30
. If you choserestricted.googleapis.com
, use199.36.153.4/30
.
Firewall considerations
Google Cloud firewall rules in the VPC network to which your on-premises network connects have no effect upon:
- Packets sent through a Cloud VPN tunnel connected to the VPC network
- Packets sent through a Cloud Interconnect attachment (VLAN) connected to the VPC network
- Incoming packets to Cloud DNS inbound forwarder IP addresses in the VPC network
You should ensure that the firewall configuration of on-premises systems allows outbound traffic to and established responses from:
199.36.153.8/30
if you useprivate.googleapis.com
199.36.153.4/30
if you userestricted.googleapis.com
- any Cloud DNS inbound forwarder IP addresses, if you're using Cloud DNS for the DNS configuration
What's next
- See Configuring Private Google Access for VPC if you need VMs in your Google Cloud VPC network to access Google APIs and services.