Stay organized with collections Save and categorize content based on your preferences.
Configure Private Google AccessThis page describes how to enable and configure Private Google Access. By default, when a Compute Engine VM lacks an external IP address assigned to its network interface, it can only send packets to other internal IP address destinations. You can allow these VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM's network interface.
Private Google Access also allows access to the external IP addresses used by App Engine, including third-party App Engine-based services.
To view the eligible APIs and services that you can use with Private Google Access, see supported services in the Private Google Access overview.
See Private Access Options for Services for background information about Private Google Access and other private connectivity options offered by Google Cloud.
SpecificationsA VM interface can send packets to the external IP addresses of Google APIs and services using Private Google Access if all these conditions are met:
The VM interface is connected to a subnet where Private Google Access is enabled.
The VPC network that contains the subnet meets the network requirements for Google APIs and services.
The VM interface does not have an external IP address assigned.
The source IP address of packets sent from the VM matches one of the following IP addresses.
A VM with an external IPv4 or IPv6 address assigned to its network interface doesn't need Private Google Access to connect to Google APIs and services. However, the VPC network must meet the requirements for accessing Google APIs and services.
Network requirementsPrivate Google Access has the following requirements:
If you want to connect to Google APIs and services using IPv6, you must meet both of these requirements:
Your VM must be configured with a /96 IPv6 address range.
The software running on the VM must send packets whose sources match one of those IPv6 addresses from that range.
Project owners, editors, and IAM principals with the Network Admin role can create or update subnets and assign IP addresses.
For more information on roles, read the IAM roles documentation.
LoggingCloud Logging captures all API requests made from VM instances in subnets that have Private Google Access enabled. Log entries identify the source of the API request as an internal IP address of the calling instance.
You can configure daily usage and monthly rollup reports to be delivered to a Cloud Storage bucket. See the Viewing Usage Reports page for details.
Summary of configuration optionsThe following table summarizes the different ways that you can configure Private Google Access. For more detailed configuration information, see Network configuration.
Note: Some Google APIs and services offer direct connectivity from Compute Engine virtual machine (VM) instances, bypassing Google Front Ends (GFEs). To allow this traffic, you must ensure that your routes and firewall rules allow egress traffic to reach34.126.0.0/18 and 2001:4860:8040::/42. You don't need to create DNS records for these addresses. Services that offer direct connectivity support VPC Service Controls. Domain option DNS configuration Routing configuration Firewall configuration Default domains No special DNS configuration required.
Ensure that your VPC network can route traffic to the IP address ranges that are used by Google APIs and services.
default-internet-gateway and a destination range of 0.0.0.0/0 (for IPv4 traffic) and ::/0 (for IPv6 traffic, if needed). Create those routes if they are missing.Ensure that your firewall rules allow egress to the IP address ranges used by Google APIs and services.
The default allow egress firewall rule allows this traffic, if there is no higher priority rule that blocks it.
private.googleapis.com
Configure DNS records in a private DNS zone to send requests to the following IP addresses:
For IPv4 traffic:
199.36.153.8/30For IPv6 traffic:
2600:2d00:0002:2000::/64Ensure that your VPC network has routes to the following IP ranges:
For IPv4 traffic:
199.36.153.8/3034.126.0.0/18For IPv6 traffic:
2600:2d00:0002:2000::/642001:4860:8040::/42Ensure that your firewall rules allow egress to the following IP ranges:
For IPv4 traffic:
199.36.153.8/3034.126.0.0/18For IPv6 traffic:
2600:2d00:0002:2000::/642001:4860:8040::/42restricted.googleapis.com
Configure DNS records to send requests to the following IP addresses:
For IPv4 traffic:
199.36.153.4/30For IPv6 traffic:
2600:2d00:0002:1000::/64 Ensure that your VPC network has routes to the following IP ranges:
For IPv4 traffic:
199.36.153.4/3034.126.0.0/18For IPv6 traffic:
2600:2d00:0002:1000::/64 2001:4860:8040::/42Ensure that your firewall rules allow egress to the following IP ranges:
For IPv4 traffic:
199.36.153.4/3034.126.0.0/18For IPv6 traffic:
2600:2d00:0002:1000::/64 2001:4860:8040::/42This section describes the basic network requirements you must meet in order for a VM in your VPC network to access Google APIs and services.
Domain optionsChoose the domain that you want to use to access Google APIs and services.
The private.googleapis.com and restricted.googleapis.com virtual IP addresses (VIPs) support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP, are not supported.
Default domains.
All domain names for Google APIs and services except for private.googleapis.com and restricted.googleapis.com.
Various IP address ranges—you can determine a set of IP ranges that contains the possible addresses used by the default domains by referencing IP addresses for default domains.
Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, and Google Cloud. Includes Google Workspace web applications such as Gmail and Google Docs, and other web applications.
The default domains are used when you don't configure DNS records for private.googleapis.com and restricted.googleapis.com.
private.googleapis.com
199.36.153.8/30
2600:2d00:0002:2000::/64
Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the following list. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.
Domain names that match:
accounts.google.com (only the paths needed for OAuth authentication)*.aiplatform-notebook.cloud.google.com*.aiplatform-notebook.googleusercontent.comappengine.google.com*.appspot.com*.backupdr.cloud.google.combackupdr.cloud.google.com*.backupdr.googleusercontent.combackupdr.googleusercontent.com*.cloudfunctions.net*.cloudproxy.app*.composer.cloud.google.com*.composer.googleusercontent.com*.datafusion.cloud.google.com*.datafusion.googleusercontent.com*.dataproc.cloud.google.comdataproc.cloud.google.com*.dataproc.googleusercontent.comdataproc.googleusercontent.comdl.google.comgcr.io or *.gcr.io*.googleapis.com*.gke.goog*.gstatic.com*.kernels.googleusercontent.com*.ltsapis.goog*.notebooks.cloud.google.com*.notebooks.googleusercontent.compackages.cloud.google.compkg.dev or *.pkg.devpki.goog or *.pki.goog*.run.appsource.developers.google.comstorage.cloud.google.comUse private.googleapis.com to access Google APIs and services by using a set of IP addresses only routable from within Google Cloud.
Choose private.googleapis.com under these circumstances:
restricted.googleapis.com
199.36.153.4/30
2600:2d00:0002:1000::/64
Enables API access to Google APIs and services that are supported by VPC Service Controls.
Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.
Use restricted.googleapis.com to access Google APIs and services by using a set of IP addresses only routable from within Google Cloud.
Choose restricted.googleapis.com when you only need access to Google APIs and services that are supported by VPC Service Controls.
The restricted.googleapis.com domain does not permit access to Google APIs and services that do not support VPC Service Controls.1
private.googleapis.com and restricted.googleapis.com
The following IPv6 address ranges can be used to direct traffic from IPv6 clients to Google APIs and services:
private.googleapis.com: 2600:2d00:0002:2000::/64restricted.googleapis.com: 2600:2d00:0002:1000::/64Consider configuring the IPv6 addresses if you want to use the private.googleapis.com or restricted.googleapis.com domain, and you have clients that use IPv6 addresses. IPv6 clients that also have IPv4 addresses configured can reach Google APIs and services by using the IPv4 addresses. Not all services accept traffic from IPv6 clients.
For connectivity to Google APIs and services, you can choose to send packets to the IP addresses associated with the private.googleapis.com or restricted.googleapis.com VIP. To use a VIP, you must configure DNS so that VMs in your VPC network reach services by using the VIP addresses instead of the public IP addresses.
The following sections describe how to use DNS zones to send packets to the IP addresses that are associated with your chosen VIP. Follow the instructions for all scenarios that apply to you:
*.googleapis.com domain names, see Configure DNS for googleapis.com.If you use services that have other domain names, see Configure DNS for other domains.
For example, if you use Google Kubernetes Engine (GKE), you also need to configure *.gcr.io and *.pkg.dev, or if you use Cloud Run, you need to configure *.run.app.
If you use Cloud Storage buckets, and you send requests to a Cloud Storage custom domain name, see Configure DNS for Cloud Storage custom domain names.
When you configure DNS records for the VIPs, use only the IP addresses that are described in the following steps. Do not mix addresses from the private.googleapis.com and restricted.googleapis.com VIPs. This can cause intermittent failures because the services that are offered differ based on a packet's destination.
Note: There are public DNS records for private.googleapis.com or restricted.googleapis.com. However, you can't use the public records when you configure Private Google Access. You must create a private DNS zone and records.
Configure DNS forgoogleapis.com
Create a DNS zone and records for googleapis.com:
googleapis.com. Consider creating a Cloud DNS private zone for this purpose.In the googleapis.com zone, create the following private DNS records for either private.googleapis.com or restricted.googleapis.com, depending on which domain you've chosen to use.
For private.googleapis.com:
Create an A record for private.googleapis.com pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.
To connect to APIs using IPv6 addresses, also configure an AAAA record for private.googleapis.com pointing to 2600:2d00:0002:2000::.
For restricted.googleapis.com:
Create an A record for restricted.googleapis.com pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.
To connect to APIs using IPv6 addresses, also create an AAAA record for restricted.googleapis.com pointing to 2600:2d00:0002:1000::.
To create private DNS records in Cloud DNS, see add a record.
In the googleapis.com zone, create a CNAME record for *.googleapis.com that points to the domain that you've configured: private.googleapis.com or restricted.googleapis.com.
Some Google APIs and services are provided using additional domain names, including *.gcr.io, *.gstatic.com, *.pkg.dev, pki.goog, *.run.app, and *.gke.goog. Refer to the domain and IP address ranges table in Domain options to determine if the additional domain's services can be accessed using private.googleapis.com or restricted.googleapis.com. Then, for each of the additional domains:
Create a DNS zone for DOMAIN (for example, gcr.io). If you're using Cloud DNS, make sure this zone is located in the same project as your googleapis.com private zone.
In this DNS zone, create the following private DNS records for either private.googleapis.com or restricted.googleapis.com, depending on which domain you've chosen to use.
For private.googleapis.com:
Create an A record for DOMAIN pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.
To connect to APIs using IPv6 addresses, also create an AAAA record for DOMAIN pointing to 2600:2d00:0002:2000::.
For restricted.googleapis.com:
Create an A record for DOMAIN pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.
To connect to APIs using IPv6 addresses, also create an AAAA record for restricted.googleapis.com pointing to 2600:2d00:0002:1000::.
In the DOMAIN zone, create a CNAME record for *.DOMAIN that points to DOMAIN. For example, create a CNAME record for *.gcr.io that points to gcr.io.
If you are using Cloud Storage buckets, and you send requests to a Cloud Storage custom domain name, configuring DNS records for the custom Cloud Storage domain name to point to the IP addresses for private.googleapis.com or restricted.googleapis.com is not sufficient to allow access to the Cloud Storage buckets.
If you want to send requests to a Cloud Storage custom domain name, you must also explicitly set the HTTP request's Host header and TLS SNI to storage.googleapis.com The IP addresses for private.googleapis.com and restricted.googleapis.com do not support custom Cloud Storage hostnames in HTTP request Host headers and TLS SNIs.
Your VPC network must have appropriate routes whose next hops are the default internet gateway. Google Cloud does not support routing traffic to Google APIs and services through other VM instances or custom next hops. Despite being called default internet gateway, packets sent from VMs in your VPC network to Google APIs and services remain within Google's network.
If you select the default domains, your VM instances connect to Google APIs and services using a subset of Google's external IP addresses. These IP addresses are publicly routable, but the path from a VM in a VPC network to those addresses remains within Google's network.
Google doesn't publish routes on the internet to any of the IP addresses used by either the private.googleapis.com or restricted.googleapis.com domains. Consequently, these domains can only be accessed by VMs in a VPC network or on-premises systems connected to a VPC network.
If your VPC network contains a default route whose next hop is the default internet gateway, you can use that route to access Google APIs and services, without needing to create custom routes. See routing with a default route for details.
If you have replaced a default route (destination 0.0.0.0/0 or ::0/0) with a custom route whose next hop is not the default internet gateway, you can meet the routing requirements for Google APIs and services using custom routing instead.
If your VPC network does not have an IPv6 default route, you won't have IPv6 connectivity to Google APIs and services. Add an IPv6 default route to allow IPv6 connectivity.
Routing with a default routeEach VPC network contains an IPv4 default route (0.0.0.0/0) when it is created. If you enable external IPv6 addresses on a subnet, a system-generated IPv6 default route (::/0) is added to that VPC network.
The default routes provides a path to the IP addresses for the following destinations:
The default domains.
private.googleapis.com: 199.36.153.8/30 and 2600:2d00:0002:2000::/64.
restricted.googleapis.com: 199.36.153.4/30 and 2600:2d00:0002:1000::/64.
To check the configuration of a default route in a given network, follow these directions.
ConsoleIn the Google Cloud console, go to the Routes page.
Filter the list of routes to show just the routes for the network you need to inspect.
Look for a route whose destination is 0.0.0.0/0 for IPv4 traffic or ::/0 for IPv6 traffic and whose next hop is default internet gateway.
Use the following gcloud command, replacing NETWORK_NAME with the name of the network to inspect:
gcloud compute routes list \
--filter="default-internet-gateway NETWORK_NAME"
If you need to create a replacement default IPv4 route, see Adding a static route.
If you need to create a replacement default IPv6 route, see Adding an IPv6 default route.
Custom routingAs an alternative to a default route, you can use custom static routes, each having a more specific destination, and each using the default internet gateway next hop. The number of routes you need and their destination IP addresses depend on the domain that you choose.
private.googleapis.com: 199.36.153.8/30 and 2600:2d00:0002:2000::/64restricted.googleapis.com: 199.36.153.4/30 and 2600:2d00:0002:1000::/64Additionally, we recommend that you add routes for 34.126.0.0/18 and 2001:4860:8040::/42. For more information, see Summary of configuration options.
To check the configuration of custom routes for Google APIs and services in a given network, follow these directions.
ConsoleIn the Google Cloud console, go to the Routes page.
Use the Filter table text field to filter the list of routes using the following criteria, replacing NETWORK_NAME with the name of your VPC network.
NETWORK_NAMEdefault internet gatewayLook at the Destination IP range column for each route. If you chose the default domains, check for several custom static routes, one for each IP address range used by the default domain. If you chose private.googleapis.com or restricted.googleapis.com, look for that domain's IP range.
Use the following gcloud command, replacing NETWORK_NAME with the name of the network to inspect:
gcloud compute routes list \
--filter="default-internet-gateway NETWORK_NAME"
Routes are listed in table format unless you customize the command with the --format flag. Look in the DEST_RANGE column for the destination of each route. If you chose the default domains, check for several custom static routes, one for each IP address range used by the default domain. If you chose private.googleapis.com or restricted.googleapis.com, look for that domain's IP range.
If you need to create routes, see Adding a static route.
Firewall configurationThe firewall configuration of your VPC network must allow access from VMs to the IP addresses used by Google APIs and services. The implied allow egress rule satisfies this requirement.
In some firewall configurations, you need to create specific egress allow rules. For example, suppose you've created an egress deny rule that blocks traffic to all destinations (0.0.0.0 for IPv4 or ::/0 for IPv6). In that case, you must create one egress allow firewall rule whose priority is higher than the egress deny rule for each IP address range used by your chosen domain for Google APIs and services.
private.googleapis.com: 199.36.153.8/30 and 2600:2d00:0002:2000::/64restricted.googleapis.com: 199.36.153.4/30 and 2600:2d00:0002:1000::/64Additionally, we recommend that you include 34.126.0.0/18 and 2001:4860:8040::/42 in your egress allow firewall rule. For more information, see Summary of configuration options.
To create firewall rules, see Creating firewall rules. You can limit the VMs to which the firewall rules apply when you define the target of each egress allow rule.
IP addresses for default domainsThis section describes how to create a list of default domain IP ranges used by Google APIs and services. These ranges are allocated dynamically and change often, so it's not possible to define specific IP ranges for individual services or APIs. To maintain an accurate list, set up automation to run the script every day. For alternatives to maintaining a list of IP address ranges, consider using the private.googleapis.com VIP or Private Service Connect.
Follow these steps to determine the IP address ranges used by the default domains, such as *.googleapis.com and *.gcr.io.
Google publishes the complete list of IP ranges that it makes available to users on the internet in goog.json.
Google also publishes a list of global and regional external IP addresses ranges available for customers' Google Cloud resources in cloud.json.
The IP addresses used by the default domains for Google APIs and services fit within the list of ranges computed by taking away all ranges in cloud.json from those in goog.json. These lists are updated frequently.
You can use the following Python script to create a list of IP address ranges that include those used by the default domains for Google APIs and services.
For information about running this script, see How to run.
Note: In the past, Google Cloud published a list of IP address ranges in the_spf.google.com DNS TXT record (and the records it referenced). While this DNS TXT record continues to be accurate for SPF purposes, it does not contain the complete set of possible IP address ranges used by the default domains for Google APIs and services. Private Google Access configuration
You can enable Private Google Access after you've met the network requirements in your VPC network.
Enable Private Google AccessFollow these steps to enable Private Google Access:
ConsoleIn the Google Cloud console, go to the VPC networks page.
Click the name of the network that contains the subnet for which you need to enable Private Google Access.
For an existing subnet:
For a new subnet:
If you are creating a subnet with an IPv4 address range, enter an IPv4 range. This is the primary IPv4 range for the subnet.
If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.
If you are creating a subnet with an IPv6 address range, select an IPv6 access type: Internal or External.
If you want to set the access type to Internal, but the Internal option is not available, check that an internal IPv6 range is assigned on the network.
Make other selections for the new subnet to meet your needs. For example, you might need to create secondary subnet IP ranges or enable VPC Flow Logs.
Select On in the Private Google Access section.
Click Add.
For an existing subnet:
Determine the name and region of the subnet. To list the subnets for a particular network, use the following command:
gcloud compute networks subnets list --filter=NETWORK_NAME
Run the following command to enable Private Google Access:
gcloud compute networks subnets update SUBNET_NAME \ --region=REGION \ --enable-private-ip-google-access
Verify that Private Google Access is enabled by running this command:
gcloud compute networks subnets describe SUBNET_NAME \ --region=REGION \ --format="get(privateIpGoogleAccess)"
In all above commands, replace the following with valid values:
SUBNET_NAME: the name of the subnetREGION: the region for the subnetNETWORK_NAME: the name of the VPC network that contains the subnetWhen creating a new subnet, use the --enable-private-ip-google-access flag to enable Private Google Access:
gcloud compute networks subnets create SUBNET_NAME \
--region=REGION \
--network=NETWORK_NAME \
--range=PRIMARY_IPV4_RANGE \
[ --stack-type=STACK_TYPE ] \
[ --ipv6-access-type=IPv6_ACCESS_TYPE ] \
--enable-private-ip-google-access
Replace the following with valid values:
SUBNET_NAME: the name of the subnetREGION: the region for the subnetNETWORK_NAME: the name of the VPC network that contains the subnetPRIMARY_IPV4_RANGE: the subnet's primary IPv4 address range. If you are creating an IPv6-only subnet (Preview) , omit this flag.STACK_TYPE is the stack type for the subnet: IPV4_ONLY, IPV4_IPV6, or IPV6_ONLY.IPv6_ACCESS_TYPE is the IPv6 access type: EXTERNAL or INTERNAL. Only specify the IPv6 access type if you have also specified --stack-type=IPV4_IPV6 or --stack-type=IPV6_ONLY.Follow these steps to disable Private Google Access for an existing subnet:
ConsoleIn the Google Cloud console, go to the VPC networks page.
Click the name of the network that contains the subnet for which you need to disable Private Google Access.
Click the name of an existing subnet. The Subnet details page is displayed.
Click Edit.
In the Private Google Access section, select Off.
Click Save.
Determine the name and region of the subnet. To list the subnets for a particular network, use the following command:
gcloud compute networks subnets list \
--filter=NETWORK_NAME
Run the following command to disable Private Google Access:
gcloud compute networks subnets update SUBNET_NAME \
--region=REGION \
--no-enable-private-ip-google-access
Run the following command to verify that Private Google Access is disabled:
gcloud compute networks subnets describe SUBNET_NAME \
--region=REGION \
--format="get(privateIpGoogleAccess)"
In all above commands, replace the following with valid values:
SUBNET_NAME: the name of the subnetREGION: the region for the subnetNETWORK_NAME: the name of the VPC network that contains the subnetRetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.3