By default, virtual machine instances that have an external IP address can access Google APIs. Not every instance has a public IP address, yet your instances may still need access to Google APIs and services. Private Google access allows your instances to reach Google APIs and services using an internal IP address rather than a public IP address, so that virtual machines without an external address can still reach Google services. Services such as BigQuery, Cloud Bigtable, Container Registry, Cloud Dataproc, Cloud Storage, and many more can all be reached internally through Private Google access.

You enable Private Google access at the subnet level, and any VM on that subnet can then access Google APIs by using its internal IP address. The subnet can be either auto-mode or custom-mode. Here is a list of services that can be accessed privately using this feature. Remember that this is a dynamic list, so it can change as Google enables more services:

  • BigQuery
  • Cloud Bigtable
  • Container Registry
  • Cloud Dataproc
  • Cloud Datastore
  • Cloud Pub/Sub
  • Cloud Spanner
  • Cloud Storage

Private Google access does not apply to Cloud SQL; you do not get private connectivity to it.

If your VM instance has an external IP address, it remains unaffected and can continue to access Google services and APIs on its internal IP address when Private Google access is enabled. It is also important to remember that DNS resolution of Google domains does not change with Private Google access: both internal and external IP addresses resolve the Google domains to their external IP addresses. For Private Google access to work properly, you also need a default-internet-gateway set for the VM instances so that Google services can be reached. If you already have routes configured to reach external IP addresses, such a default internet gateway need not be set.

Google services reside on external IP addresses. For Private Google access to work, a default-internet-gateway needs to be set to allow access to those services from an internal IP.

Enabling Private Google access is as easy as selecting the option when creating a subnet in a VPC network:
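The two conditions above (Private Google access enabled on the subnet, and a route to the default-internet-gateway in the subnet's network) are easy to audit across a project. The following Python script is an added example, not code from the book or from Google: it runs the check over constructed samples shaped like the JSON that `gcloud compute networks subnets list --format=json` and `gcloud compute routes list --format=json` produce (the project name `example-project`, the subnet, network and route names, and the CIDR ranges are all placeholders), and for each problem it prints the `gcloud` command that fixes it (`--enable-private-ip-google-access` on the subnet, or a `0.0.0.0/0` route with `--next-hop-gateway default-internet-gateway`). Treating a missing `privateIpGoogleAccess` field as "disabled" is an assumption made here so that the check errs on the side of reporting.

```python
import json

# Constructed sample shaped like `gcloud compute networks subnets list --format=json`
# (fields trimmed to what the audit needs; "example-project" is a placeholder, not real data).
SAMPLE_SUBNETS_JSON = """
[
  {"name": "app-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/prod-vpc",
   "ipCidrRange": "10.10.0.0/24",
   "privateIpGoogleAccess": true},
  {"name": "batch-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-east1",
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/prod-vpc",
   "ipCidrRange": "10.20.0.0/24",
   "privateIpGoogleAccess": false},
  {"name": "legacy-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/europe-west1",
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/legacy-vpc",
   "ipCidrRange": "10.30.0.0/24"}
]
"""

# Constructed sample shaped like `gcloud compute routes list --format=json`.
# prod-vpc keeps its default route to the internet gateway; legacy-vpc has only an internal route.
SAMPLE_ROUTES_JSON = """
[
  {"name": "default-route-prod",
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/prod-vpc",
   "destRange": "0.0.0.0/0",
   "nextHopGateway": "https://www.googleapis.com/compute/v1/projects/example-project/global/gateways/default-internet-gateway"},
  {"name": "legacy-internal-only",
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/legacy-vpc",
   "destRange": "10.0.0.0/8",
   "nextHopNetwork": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/legacy-vpc"}
]
"""


def _last_segment(url):
    """Resource URLs end in the resource name; return just that name."""
    return url.rsplit("/", 1)[-1]


def has_default_internet_route(routes, network):
    """True if the network has a 0.0.0.0/0 route whose next hop is default-internet-gateway.

    Google APIs live on external IP addresses, so Private Google access needs this route
    (or some other route that reaches external addresses) before it can work.
    """
    for route in routes:
        if _last_segment(route.get("network", "")) != network:
            continue
        if route.get("destRange") != "0.0.0.0/0":
            continue
        if route.get("nextHopGateway", "").endswith("/gateways/default-internet-gateway"):
            return True
    return False


def audit_private_google_access(subnets, routes):
    """Return one finding per misconfiguration, each carrying the gcloud command that fixes it."""
    findings = []
    for subnet in subnets:
        name = subnet["name"]
        region = _last_segment(subnet["region"])
        network = _last_segment(subnet["network"])
        # Assumption: a missing privateIpGoogleAccess field is treated as disabled.
        if not subnet.get("privateIpGoogleAccess", False):
            findings.append({
                "subnet": name, "network": network,
                "issue": "private-google-access-disabled",
                "fix": f"gcloud compute networks subnets update {name} --region {region} "
                       "--enable-private-ip-google-access",
            })
        if not has_default_internet_route(routes, network):
            # The route name below is a constructed placeholder; any unique name works.
            findings.append({
                "subnet": name, "network": network,
                "issue": "no-default-internet-gateway-route",
                "fix": f"gcloud compute routes create {network}-default-internet --network {network} "
                       "--destination-range 0.0.0.0/0 --next-hop-gateway default-internet-gateway",
            })
    return findings


def run_sample():
    """Audit the constructed samples and return the findings list."""
    return audit_private_google_access(json.loads(SAMPLE_SUBNETS_JSON), json.loads(SAMPLE_ROUTES_JSON))


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['subnet']} ({finding['network']}): {finding['issue']}")
        print(f"    fix: {finding['fix']}")
```

Against the sample, `app-subnet` is clean, `batch-subnet` has the option switched off, and `legacy-subnet` is flagged twice: the field is absent and its network has no default-internet-gateway route, so VMs there cannot reach Google APIs even after the subnet option is turned on. To run it against a real project, replace the two sample strings with the output of the `gcloud` list commands named above; the DNS behaviour described in the text is unchanged either way, since Google domains still resolve to external addresses.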

