Private Google Access

Private Google access enables virtual machine (VM) instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform (GCP) and are not routable or reachable over the Internet. You can use Private Google access to allow VMs without Internet access to reach Cloud APIs, Google services, and Google properties that are accessible over HTTP(S)

The Google Cloud and Developer APIs and services that can be reached include, but are not limited to, the following:

  • Google Cloud BigQuery
  • Google Cloud Bigtable
  • Google Container Registry
  • Google Cloud Dataproc
  • Google Cloud Datastore
  • Google Cloud Pub/Sub
  • Google Cloud Spanner
  • Google Cloud Storage

Private Google access does not apply to Google Cloud SQL. You do not get private connectivity to Cloud SQL when you use Private Google access.


Google virtual networks and subnetworks in Google Cloud Platform (GCP) provide a logically isolated and secure network partition of the Google Cloud where you can launch Google Cloud resources.

When Private Google access is enabled, VM instances in a subnet can reach the above APIs and services without needing an external IP address. Instead, VMs can use their internal IP addresses to access Google-managed services.

Instances with external IP addresses are not affected when you enable the ability to access Google services from internal IP addresses. These instances can still connect to Google APIs and managed services.


The Network pricing page documents the current charging model for Private Google access. Access to Google managed services is the same whether from internal IPs or external IPs.

What's next

Send feedback about...