Private Google Access for on-premises hosts

On-premises hosts can reach Google APIs and services by using Cloud VPN or Cloud Interconnect from your on-premises network to Google Cloud. On-premises hosts can send traffic from the following types of source IP addresses:

a private IP address, such as an RFC 1918 address
a privately used public IP address, except for a Google-owned public IP address. (Private Google Access for on-premises hosts does not support re-using Google public IP addresses as sources in your on-premises network.)

To enable Private Google Access for on-premises hosts, you must configure DNS, firewall rules, and routes in your on-premises and VPC networks. You don't need to enable Private Google Access for any subnets in your VPC network as you would for Private Google Access for Google Cloud VM instances.

On-premises hosts must connect to Google APIs and services by using the virtual IP addresses (VIPs) for either the restricted.googleapis.com or private.googleapis.com domains. Refer to Private Google Access-specific domains and VIPs for more details.

Google publicly publishes DNS A records that resolve the domains to a VIP range. Even though the ranges have external IP addresses, Google does not publish routes for them. Therefore, you must add a custom route advertisement on a Cloud Router and have an appropriate custom static route in your VPC network for the VIP's destination.

The route must have a destination matching one of the VIP ranges and a next hop being the default internet gateway. Traffic sent to the VIP range stays within Google's network instead of traversing the public internet because Google does not publish routes to them externally.

For configuration information, see Configuring Private Google Access for on-premises hosts.

Private Google Access-specific domains and VIPs

The following table describes the domain names and their VIP range. You must use one of these VIPs for Private Google Access for on-premises hosts.

The private.googleapis.com and restricted.googleapis.com VIPs support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP are not supported.

Domain and IP address ranges Supported services Example usage

Default domains

All domain names for Google APIs and services except for private.googleapis.com and restricted.googleapis.com.

Various IP address ranges—you can determine a set of IP ranges that contains the possible addresses used by the default domains by referencing IP addresses for default domains Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud. Includes Google Workspace and other web applications. The default domains are used when you don't configure DNS records for private.googleapis.com and restricted.googleapis.com

Domain and IP address ranges	Supported services	Example usage
Default domains All domain names for Google APIs and services except for `private.googleapis.com` and `restricted.googleapis.com`. Various IP address ranges—you can determine a set of IP ranges that contains the possible addresses used by the default domains by referencing IP addresses for default domains	Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud. Includes Google Workspace and other web applications.	The default domains are used when you don't configure DNS records for `private.googleapis.com` and `restricted.googleapis.com`
`private.googleapis.com` `199.36.153.8/30`	Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications. Does not support any interactive websites. Domain names that match: `accounts.google.com` (only the paths needed for OAuth authentication) `appengine.google.com` `.appspot.com` `.cloudfunctions.net` `.cloudproxy.app` `.composer.cloud.google.com` `.composer.googleusercontent.com` `.datafusion.cloud.google.com` `.datafusion.googleusercontent.com` `dl.google.com` `gcr.io` or `.gcr.io` `.googleadapis.com` `.googleapis.com` `.gstatic.com` `.ltsapis.goog` `.notebooks.cloud.google.com` `.notebooks.googleusercontent.com` `packages.cloud.google.com` `pkg.dev` or `.pkg.dev` `pki.goog` or `.pki.goog` `*.run.app` `source.developers.google.com`	Use `private.googleapis.com` to access Google APIs and services using a set of IP addresses only routable from within Google Cloud. Choose `private.googleapis.com` under these circumstances: You don't use VPC Service Controls. You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls.
`restricted.googleapis.com` `199.36.153.4/30`	Enables API access to Google APIs and services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace web applications or Google Workspace APIs.	Use `restricted.googleapis.com` to access Google APIs and services using a set of IP addresses only routable from within Google Cloud. Choose `restricted.googleapis.com` when you only need access to Google APIs and services that are supported by VPC Service Controls — `restricted.googleapis.com` does not permit access to Google APIs and services that do not support VPC Service Controls.

private.googleapis.com

199.36.153.8/30

Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications. Does not support any interactive websites.

Domain names that match:

accounts.google.com (only the paths needed for OAuth authentication)
appengine.google.com
*.appspot.com
*.cloudfunctions.net
*.cloudproxy.app
*.composer.cloud.google.com
*.composer.googleusercontent.com
*.datafusion.cloud.google.com
*.datafusion.googleusercontent.com
dl.google.com
gcr.io or *.gcr.io
*.googleadapis.com
*.googleapis.com
*.gstatic.com
*.ltsapis.goog
*.notebooks.cloud.google.com
*.notebooks.googleusercontent.com
packages.cloud.google.com
pkg.dev or *.pkg.dev
pki.goog or *.pki.goog
*.run.app
source.developers.google.com

Use private.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud.

Choose private.googleapis.com under these circumstances:

You don't use VPC Service Controls.
You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls.

restricted.googleapis.com

199.36.153.4/30

Enables API access to Google APIs and services that are supported by VPC Service Controls.

Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace web applications or Google Workspace APIs.

Use restricted.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud.

Choose restricted.googleapis.com when you only need access to Google APIs and services that are supported by VPC Service Controls — restricted.googleapis.com does not permit access to Google APIs and services that do not support VPC Service Controls.

Note: If you need to restrict users to just the Google APIs and services that support VPC Service Controls, use restricted.googleapis.com. Although VPC Service Controls are enforced for compatible and configured services, regardless of the domain you use, restricted.googleapis.com provides additional risk mitigation for data exfiltration. restricted.googleapis.com denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.

Supported services

Services available to on-premises hosts are limited to those supported by the domain name and VIP used to access them. Refer to Private Google Access-specific domains and VIPs for details.

Example

In the following example, the on-premises network is connected to a VPC network through a Cloud VPN tunnel. Traffic from on-premises hosts to Google APIs travels through the tunnel to the VPC network. After traffic reaches the VPC network, it is sent through a route that uses the default internet gateway as its next hop. This next hop allows traffic to leave the VPC network and be delivered to restricted.googleapis.com (199.36.153.4/30).

Private Google Access for hybrid cloud use case (click to enlarge)

The on-premises DNS configuration maps *.googleapis.com requests to restricted.googleapis.com, which resolves to the 199.36.153.4/30.
Cloud Router has been configured to advertise the 199.36.153.4/30 IP address range through the Cloud VPN tunnel by using a custom route advertisement. Traffic going to Google APIs is routed through the tunnel to the VPC network.
A custom static route was added to the VPC network that directs traffic with the destination 199.36.153.4/30 to the default internet gateway (as the next hop). Google then routes traffic to the appropriate API or service.
If you created a Cloud DNS managed private zone for *.googleapis.com that maps to 199.36.153.4/30 and have authorized that zone for use by your VPC network, requests to anything in the googleapis.com domain are sent to the IP addresses that are used by restricted.googleapis.com. Only the supported APIs are accessible with this configuration, which might cause other services to be unreachable. Cloud DNS doesn't support partial overrides. If you require partial overrides, use BIND.

What's next

To configure Private Google Access for on-premises hosts, Configuring Private Google Access for on-premises hosts.