Private Google Access enables virtual machine (VM) instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform (GCP) and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP(S).
The Cloud and Developer APIs and services that can be reached include, but are not limited to, the following:
- Cloud Bigtable
- Container Registry
- Cloud Dataproc
- Cloud Datastore
- Cloud Pub/Sub
- Cloud Spanner
- Cloud Storage
Private Google Access does not apply to Cloud SQL. You do not get private connectivity to Cloud SQL when you use Private Google Access.
VPC networks and subnetworks provide logically isolated and secure network partitions where you can launch GCP resources.
When Private Google Access is enabled, VM instances in a subnet can reach the above APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google managed services.
Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services.
The Network pricing page documents the current charging model for Private Google Access. Access to Google managed services is the same whether from internal IPs or external IPs.