Private Google Access for on-premises hosts
On-premises hosts can reach Google APIs and services by using Cloud VPN or Cloud Interconnect from your on-premises network to Google Cloud. On-premises hosts can send traffic from the following types of source IP addresses:
- a private IP address, such as an RFC 1918 address
- a privately used public IP address, except for a Google-owned public IP address. (Private Google Access for on-premises hosts does not support re-using Google public IP addresses as sources in your on-premises network.)
To enable Private Google Access for on-premises hosts, you must configure DNS, firewall rules, and routes in your on-premises and VPC networks. You don't need to enable Private Google Access for any subnets in your VPC network as you would for Private Google Access for Google Cloud VM instances.
On-premises hosts must connect to Google APIs and services by using the virtual
IP addresses (VIPs) for either the restricted.googleapis.com
or
private.googleapis.com
domains. Refer to Private Google Access-specific
domains and VIPs for more details.
Google publicly publishes DNS A records that resolve the domains to a VIP range. Even though the ranges have external IP addresses, Google does not publish routes for them. Therefore, you must add a custom advertised route on a Cloud Router and have an appropriate custom static route in your VPC network for the VIP's destination.
The route must have a destination matching one of the VIP ranges and a next hop being the default internet gateway. Traffic sent to the VIP range stays within Google's network instead of traversing the public internet because Google does not publish routes to them externally.
For configuration information, see Configure Private Google Access for on-premises hosts.
Supported services
Services available to on-premises hosts are limited to those supported by the domain name and VIP used to access them. For more information, see Domain options.
Example
In the following example, the on-premises network is connected to a
VPC network through a Cloud VPN tunnel. Traffic from
on-premises hosts to Google APIs travels through the tunnel to the
VPC network. After traffic reaches the VPC
network, it is sent through a route that uses the default internet gateway as
its next hop. This next hop allows traffic to leave the VPC
network and be delivered to restricted.googleapis.com
(199.36.153.4/30
).
- The on-premises DNS configuration maps
*.googleapis.com
requests torestricted.googleapis.com
, which resolves to the199.36.153.4/30
. - Cloud Router has been configured to advertise the
199.36.153.4/30
IP address range through the Cloud VPN tunnel by using a custom advertised route. Traffic going to Google APIs is routed through the tunnel to the VPC network. - A custom static route was added to the VPC network that
directs traffic with the destination
199.36.153.4/30
to the default internet gateway (as the next hop). Google then routes traffic to the appropriate API or service. - If you created a Cloud DNS managed private zone for
*.googleapis.com
that maps to199.36.153.4/30
and have authorized that zone for use by your VPC network, requests to anything in thegoogleapis.com
domain are sent to the IP addresses that are used byrestricted.googleapis.com
. Only the supported APIs are accessible with this configuration, which might cause other services to be unreachable. Cloud DNS doesn't support partial overrides. If you require partial overrides, use BIND.
What's next
- To configure Private Google Access for on-premises hosts, see Configure Private Google Access for on-premises hosts.