Private Google Access

VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the external IP addresses of Google APIs and services. The source IP address of the packet can be the primary internal IP address of the network interface or an address in an alias IP range that is assigned to the interface. If you disable Private Google Access, the VM instances can no longer reach Google APIs and services; they can only send traffic within the VPC network.

Private Google Access has no effect on instances that have external IP addresses. Instances with external IP addresses can access the internet, according to the internet access requirements. They don't need any special configuration to send requests to the external IP addresses of Google APIs and services.

You enable Private Google Access on a subnet by subnet basis; it's a setting for subnets in a VPC network. To enable a subnet for Private Google Access and to view the requirements, see Configuring Private Google Access.

Supported services

Private Google Access permits access to Cloud and Developer APIs and most Google Cloud services, except for the following services:

  • App Engine Memcache
  • Filestore
  • Memorystore

Instead, private services access might support one or more of them.

Example

The VPC network in the following example meets the routing requirement for Private Google Access because it has routes to the external IP addresses for Google APIs and services whose next hops are the default internet gateway. Private Google Access is enabled for subnet-a but not for subnet-b.

Figure: Implementation of Private Google Access

The following list provides details about the above diagram:

  • Firewall rules in the VPC network have been configured to allow egress to 0.0.0.0/0 (or at least to the server IPs for Google APIs and services).
  • VM A1 can access Google APIs and services, including Cloud Storage, because its network interface is located in subnet-a, which has Private Google Access enabled. Private Google Access applies to the instance because it only has an internal IP address.
  • VM B1 cannot access Google APIs and services because it only has an internal IP address and Private Google Access is disabled for subnet-b.
  • VM A2 and VM B2 can both access Google APIs and services, including Cloud Storage, because they each have external IP addresses. Private Google Access has no effect on whether or not these instances can access Google APIs and services because both have external IP addresses.
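The rules above (the routing requirement, the egress firewall rules, the per-subnet setting, and the "external IP wins" exception) can be turned into a small policy model that reproduces the diagram's four outcomes and doubles as a check for internal-only VMs that sit in subnets without Private Google Access. The following Python is an added example, not Google's code or a Google API: the VPC, subnet, route and firewall representations are simplified, the VM and subnet names follow the diagram, and the API endpoint address is a constructed stand-in from the TEST-NET-3 range rather than a real Google address.

```python
"""Model of the Private Google Access decision described on this page.

Added example, not Google's code. Addresses, names and the rule
representation are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for one external IP address of a Google API endpoint
# (TEST-NET-3 range; a real endpoint address would be resolved separately).
GOOGLE_API_IP = "203.0.113.10"
DEFAULT_INTERNET_GATEWAY = "default-internet-gateway"


@dataclass
class Route:
    dest: str          # CIDR the route matches
    next_hop: str      # DEFAULT_INTERNET_GATEWAY, or e.g. a NAT VM name


@dataclass
class Subnet:
    name: str
    private_google_access: bool   # the per-subnet setting this page describes


@dataclass
class VM:
    name: str
    subnet: str
    has_external_ip: bool


@dataclass
class VPC:
    routes: list              # Route objects
    egress_allow: list        # CIDRs that egress firewall rules allow
    subnets: dict = field(default_factory=dict)


def has_route_via_internet_gateway(vpc: VPC, dest_ip: str) -> bool:
    """Routing requirement: the most specific route matching the API address
    must have the default internet gateway as its next hop."""
    ip = ip_address(dest_ip)
    matches = [r for r in vpc.routes if ip in ip_network(r.dest)]
    if not matches:
        return False
    best = max(matches, key=lambda r: ip_network(r.dest).prefixlen)
    return best.next_hop == DEFAULT_INTERNET_GATEWAY


def egress_allowed(vpc: VPC, dest_ip: str) -> bool:
    """Firewall requirement: some egress allow rule must cover the destination."""
    ip = ip_address(dest_ip)
    return any(ip in ip_network(cidr) for cidr in vpc.egress_allow)


def can_reach_google_apis(vm: VM, vpc: VPC, dest_ip: str = GOOGLE_API_IP) -> bool:
    """Apply the page's rules in order: route, firewall, then either an
    external IP or Private Google Access on the VM's subnet."""
    if not has_route_via_internet_gateway(vpc, dest_ip):
        return False
    if not egress_allowed(vpc, dest_ip):
        return False
    if vm.has_external_ip:
        return True                      # the subnet setting has no effect here
    return vpc.subnets[vm.subnet].private_google_access


def audit_internal_only_vms(vms, vpc: VPC):
    """Defender's check: internal-only VMs whose subnet lacks Private Google
    Access cannot reach Google APIs and services at all."""
    return sorted(vm.name for vm in vms
                  if not vm.has_external_ip
                  and not vpc.subnets[vm.subnet].private_google_access)


def diagram_example():
    """The VPC and four VMs from the page's diagram (constructed data)."""
    vpc = VPC(
        routes=[Route("0.0.0.0/0", DEFAULT_INTERNET_GATEWAY)],
        egress_allow=["0.0.0.0/0"],
        subnets={"subnet-a": Subnet("subnet-a", True),
                 "subnet-b": Subnet("subnet-b", False)},
    )
    vms = [VM("vm-a1", "subnet-a", False), VM("vm-b1", "subnet-b", False),
           VM("vm-a2", "subnet-a", True), VM("vm-b2", "subnet-b", True)]
    return vpc, vms


if __name__ == "__main__":
    vpc, vms = diagram_example()
    for vm in vms:
        state = "reachable" if can_reach_google_apis(vm, vpc) else "blocked"
        print(f"{vm.name}: Google APIs {state}")
    print("internal-only VMs without Private Google Access:",
          audit_internal_only_vms(vms, vpc))
```

The model shows why the routing check must look at the most specific matching route: a narrower route for the API address range whose next hop is something other than the default internet gateway breaks the requirement even when a default route to the gateway exists. To change the real setting on a subnet, the `gcloud compute networks subnets update SUBNET --region=REGION --enable-private-ip-google-access` command sets it, and `gcloud compute networks subnets describe SUBNET --region=REGION --format="get(privateIpGoogleAccess)"` reads it back.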
