Private Google Access

Private Google access enables virtual machine (VM) instances on a subnetwork to reach Google APIs and Services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google access to allow VMs without Internet access to reach Google services.

The services that can be reached include, but are not limited to, the following:

  • Cloud Spanner
  • Google Cloud BigQuery
  • Google Cloud Bigtable
  • Google Cloud Dataproc
  • Google Cloud Datastore
  • Google Cloud Pub/Sub
  • Google Cloud Storage

Private Google access does not apply to Google Cloud SQL. You do not get private connectivity to Cloud SQL when you use Private Google access.


Google virtual networks and subnetworks in Google Cloud Platform (GCP) provide a logically isolated and secure network partition of the Google Cloud where you can launch Google Cloud resources.

When Private Google access is enabled, VM instances in a subnetwork can reach Google APIs, such as BigQuery, Cloud Bigtable, Cloud Dataproc, Cloud Datastore, Cloud Pub/Sub, Cloud Spanner, and Cloud Storage, without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google-managed services. Read the section below on Accessible Services for information on internally accessible Google services.

Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services.

Accessible Services

Google services that you can reach using Private Google access include:


The Network pricing page documents the current charging model for Private Google access. Access to Google managed services is the same whether from internal IPs or external IPs.

What's next

Send feedback about...