Configure Private Google Access

This page describes how to enable and configure Private Google Access. By default, when a Compute Engine VM lacks an external IP address assigned to its network interface, it can only send packets to other internal IP address destinations. You can allow these VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM's network interface.

Private Google Access also allows access to the external IP addresses used by App Engine, including third-party App Engine-based services.

To view the eligible APIs and services that you can use with Private Google Access, see Domain options.

For information about other private connectivity options offered by Google Cloud, including Private Service Connect and Private Google Access, see Private access options for services.

Specifications

A VM interface can send packets to the external IP addresses of Google APIs and services using Private Google Access if all these conditions are met:

  • The VM interface is connected to a subnet where Private Google Access is enabled.

  • The VPC network that contains the subnet meets the network requirements for Google APIs and services.

  • The VM interface does not have an external IP address assigned.

  • The source IP address of packets sent from the VM matches one of the following IP addresses:

    • The VM interface's primary internal IPv4 address
    • The VM interface's internal IPv6 address
    • An internal IPv4 address from an alias IP range

A VM with an external IPv4 or IPv6 address assigned to its network interface doesn't need Private Google Access to connect to Google APIs and services. However, the VPC network must meet the requirements for accessing Google APIs and services.

Network requirements

Private Google Access has the following requirements:

  • If needed, you enable the API for the services that you want to access:

    • If you're accessing a Google API service endpoint, you must enable the API for that service.

      For example, to create a Cloud Storage bucket through the storage.googleapis.com API service endpoint or a client library, you must enable the Cloud Storage API.

    • If you're accessing other types of resources, you might not need to enable any APIs.

      For example, to access a Cloud Storage bucket in another project through its storage.googleapis.com URL, you don't need to enable the Cloud Storage API.

  • If you want to connect to Google APIs and services using IPv6, you must meet both of these requirements:

  • Depending on your chosen configuration, you might need to update DNS entries, routes, and firewall rules. For more information, see Summary of configuration options.

  • Because Private Google Access is enabled on a per-subnet basis, you must use a VPC network. Legacy networks are not supported because they don't support subnets.

Permissions

Project owners, editors, and Identity and Access Management principals with the Network Admin role can create or update subnets and assign IP addresses.

For more information on roles, read the IAM roles documentation.

Logging

Cloud Logging captures all API requests made from VM instances in subnets that have Private Google Access enabled. Log entries identify the source of the API request as an internal IP address of the calling instance.

You can configure daily usage and monthly rollup reports to be delivered to a Cloud Storage bucket. See the Viewing Usage Reports page for details.

Summary of configuration options

The following table summarizes the different ways that you can configure Private Google Access. For more detailed configuration information, see Network configuration.

If you want to access Firestore with MongoDB compatibility API (firestore.goog), see Configure Private Google Access in Firestore with MongoDB compatibility.

Note: Some Google APIs and services offer direct connectivity from Compute Engine virtual machine (VM) instances, bypassing Google Front Ends (GFEs). To allow this traffic, you must ensure that your routes and firewall rules allow egress traffic to reach 34.126.0.0/18 and 2001:4860:8040::/42. You don't need to create DNS records for these addresses. Services that offer direct connectivity support VPC Service Controls.

The table has four columns: Domain option, DNS configuration, Routing configuration, and Firewall configuration. Each domain option is listed below with its three configuration columns.

Domain option: Default domains

  DNS configuration: You access Google APIs and services through their public IP addresses, so no special DNS configuration is required.

  Routing configuration: Ensure that your VPC network can route traffic to the IP address ranges that are used by Google APIs and services.

    • Basic configuration: Confirm that you have default routes with next hop default-internet-gateway and a destination range of 0.0.0.0/0 (for IPv4 traffic) and ::/0 (for IPv6 traffic, if needed). Create those routes if they are missing.
    • Custom configuration: Create routes for the IP address ranges used by Google APIs and services.

  Firewall configuration: Ensure that your firewall rules allow egress to the IP address ranges used by Google APIs and services. The default allow egress firewall rule allows this traffic, if there is no higher priority rule that blocks it.

Domain option: private.googleapis.com

  DNS configuration: Configure DNS records in a private DNS zone to send requests to the following IP addresses:

    • For IPv4 traffic: 199.36.153.8/30
    • For IPv6 traffic: 2600:2d00:0002:2000::/56

  Routing configuration: Ensure that your VPC network has routes to the following IP ranges:

    • For IPv4 traffic: 199.36.153.8/30 and 34.126.0.0/18
    • For IPv6 traffic: 2600:2d00:0002:2000::/56 and 2001:4860:8040::/42

  Firewall configuration: Ensure that your firewall rules allow egress to the following IP ranges:

    • For IPv4 traffic: 199.36.153.8/30 and 34.126.0.0/18
    • For IPv6 traffic: 2600:2d00:0002:2000::/56 and 2001:4860:8040::/42

Domain option: restricted.googleapis.com

  DNS configuration: Configure DNS records to send requests to the following IP addresses:

    • For IPv4 traffic: 199.36.153.4/30
    • For IPv6 traffic: 2600:2d00:0002:1000::/56

  Routing configuration: Ensure that your VPC network has routes to the following IP ranges:

    • For IPv4 traffic: 199.36.153.4/30 and 34.126.0.0/18
    • For IPv6 traffic: 2600:2d00:0002:1000::/56 and 2001:4860:8040::/42

  Firewall configuration: Ensure that your firewall rules allow egress to the following IP ranges:

    • For IPv4 traffic: 199.36.153.4/30 and 34.126.0.0/18
    • For IPv6 traffic: 2600:2d00:0002:1000::/56 and 2001:4860:8040::/42

Network configuration

This section describes the basic network requirements you must meet in order for a VM in your VPC network to access Google APIs and services.

Domain options

Choose the domain that you want to use to access Google APIs and services.

The private.googleapis.com and restricted.googleapis.com virtual IP addresses (VIPs) support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP, are not supported. Interactive websites and features that use the internet (for example, for redirects or retrieving content) are not supported.

The table has three columns: Domain and IP address ranges, Supported services, and Example usage. Each domain option is listed below with its columns.

Domain and IP address ranges: Default domains

  All domain names for Google APIs and services except for private.googleapis.com and restricted.googleapis.com.

  Various IP address ranges: you can determine a set of IP ranges that contains the possible addresses used by the default domains by referencing IP addresses for default domains.

  Supported services: Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, and Google Cloud. Includes Google Workspace web applications such as Gmail and Google Docs, and other web applications.

  Example usage: The default domains are used when you don't configure DNS records for private.googleapis.com and restricted.googleapis.com.

Domain and IP address ranges: private.googleapis.com

  199.36.153.8/30

  2600:2d00:0002:2000::/56

  Supported services: Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the following list. Does not support Google Workspace web applications such as Gmail and Google Docs.

  Domain names that match:

    • accounts.google.com (only supports paths needed for OAuth authentication of service accounts; user account authentication is interactive and not supported)
    • *.aiplatform-notebook.cloud.google.com
    • *.aiplatform-notebook.googleusercontent.com
    • appengine.google.com
    • *.appspot.com
    • *.backupdr.cloud.google.com
    • backupdr.cloud.google.com
    • *.backupdr.googleusercontent.com
    • backupdr.googleusercontent.com
    • *.cloudfunctions.net
    • *.cloudproxy.app
    • *.composer.cloud.google.com
    • *.composer.googleusercontent.com
    • *.datafusion.cloud.google.com
    • *.datafusion.googleusercontent.com
    • *.dataproc.cloud.google.com
    • dataproc.cloud.google.com
    • *.dataproc.googleusercontent.com
    • dataproc.googleusercontent.com
    • *.developerconnect.dev
    • dl.google.com
    • gcr.io or *.gcr.io
    • *.googleapis.com
    • *.gke.goog
    • *.gstatic.com
    • *.kernels.googleusercontent.com
    • *.ltsapis.goog
    • *.notebooks.byoid.googleusercontent.com
    • *.notebooks.cloud.google.com
    • notebooks.cloud.google.com
    • *.notebooks.googleusercontent.com
    • packages.cloud.google.com
    • pkg.dev or *.pkg.dev
    • pki.goog or *.pki.goog
    • *.run.app
    • source.developers.google.com
    • storage.cloud.google.com

  Example usage: Use private.googleapis.com to access Google APIs and services by using a set of IP addresses only routable from within Google Cloud.

  Choose private.googleapis.com under these circumstances:

    • You don't use VPC Service Controls.
    • You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls. [1]

Domain and IP address ranges: restricted.googleapis.com

  199.36.153.4/30

  2600:2d00:0002:1000::/56

  Supported services: Enables API access to Google APIs and services that are supported by VPC Service Controls.

  Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

  Example usage: Use restricted.googleapis.com to access Google APIs and services by using a set of IP addresses only routable from within Google Cloud.

  Choose restricted.googleapis.com when you only need access to Google APIs and services that are supported by VPC Service Controls.

  The restricted.googleapis.com domain does not permit access to Google APIs and services that do not support VPC Service Controls. [1]

[1] If you need to restrict users to just the Google APIs and services that support VPC Service Controls, use restricted.googleapis.com, as it provides additional risk mitigation for data exfiltration. Using restricted.googleapis.com denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.

IPv6 support for private.googleapis.com and restricted.googleapis.com

The following IPv6 address ranges can be used to direct traffic from IPv6 clients to Google APIs and services:

  • private.googleapis.com: 2600:2d00:0002:2000::/56
  • restricted.googleapis.com: 2600:2d00:0002:1000::/56

Consider configuring the IPv6 addresses if you want to use the private.googleapis.com or restricted.googleapis.com domain, and you have clients that use IPv6 addresses. IPv6 clients that also have IPv4 addresses configured can reach Google APIs and services by using the IPv4 addresses. Not all services accept traffic from IPv6 clients.

DNS configuration

For connectivity to Google APIs and services, you can choose to send packets to the IP addresses associated with the private.googleapis.com or restricted.googleapis.com VIP. To use a VIP, you must configure DNS so that VMs in your VPC network reach services by using the VIP addresses instead of the public IP addresses.

The following sections describe how to use DNS zones to send packets to the IP addresses that are associated with your chosen VIP. Follow the instructions for all scenarios that apply to you:

When you configure DNS records for the VIPs, use only the IP addresses that are described in the following steps. Do not mix addresses from the private.googleapis.com and restricted.googleapis.com VIPs. This can cause intermittent failures because the services that are offered differ based on a packet's destination.

Note: There are public DNS records for private.googleapis.com or restricted.googleapis.com. However, you can't use the public records to access Google APIs. You must create a private DNS zone and records.

Configure DNS for googleapis.com

Create a DNS zone and records for googleapis.com:

  1. Create a private DNS zone for googleapis.com. Consider creating a Cloud DNS private zone for this purpose.
  2. In the googleapis.com zone, create the following private DNS records for either private.googleapis.com or restricted.googleapis.com, depending on which domain you've chosen to use.

    • For private.googleapis.com:

      1. Create an A record for private.googleapis.com pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.

      2. To connect to APIs using IPv6 addresses, also configure an AAAA record for private.googleapis.com pointing to 2600:2d00:0002:2000::.

    • For restricted.googleapis.com:

      1. Create an A record for restricted.googleapis.com pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for restricted.googleapis.com pointing to 2600:2d00:0002:1000::.

    To create private DNS records in Cloud DNS, see add a record.

  3. In the googleapis.com zone, create a CNAME record for *.googleapis.com that points to the domain that you've configured: private.googleapis.com or restricted.googleapis.com.

Configure DNS for other domains

Some Google APIs and services are provided using additional domain names, including *.gcr.io, *.gstatic.com, *.pkg.dev, pki.goog, *.run.app, and *.gke.goog. Refer to the domain and IP address ranges table in Domain options to determine if the additional domain's services can be accessed using private.googleapis.com or restricted.googleapis.com. Then, for each of the additional domains:

  1. Create a DNS zone for DOMAIN (for example, gcr.io). If you're using Cloud DNS, make sure this zone is located in the same project as your googleapis.com private zone.

  2. In this DNS zone, create the following private DNS records for either private.googleapis.com or restricted.googleapis.com, depending on which domain you've chosen to use.

    • For private.googleapis.com:

      1. Create an A record for DOMAIN pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for DOMAIN pointing to 2600:2d00:0002:2000::.

    • For restricted.googleapis.com:

      1. Create an A record for DOMAIN pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for DOMAIN pointing to 2600:2d00:0002:1000::.

  3. In the DOMAIN zone, create a CNAME record for *.DOMAIN that points to DOMAIN. For example, create a CNAME record for *.gcr.io that points to gcr.io.
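As an added example (not code from the Google Cloud documentation) covering both DNS procedures above, the following Python builds the record set for a chosen VIP in the googleapis.com zone and in any additional domain zone, renders it as gcloud dns record-sets create commands, and checks the combined zones for the mixing of private.googleapis.com and restricted.googleapis.com addresses that the page warns against. The Cloud DNS managed zone names and the TTL are assumed values.

```python
import ipaddress

# VIP address ranges as listed on this page.
VIP_RANGES = {
    "private.googleapis.com": ("199.36.153.8/30", "2600:2d00:0002:2000::/56"),
    "restricted.googleapis.com": ("199.36.153.4/30", "2600:2d00:0002:1000::/56"),
}


def vip_records(vip):
    """Return (A rrdatas, AAAA rrdatas) for one VIP: all four IPv4 addresses
    of the /30 and the first address of the IPv6 /56, as in the steps above."""
    v4, v6 = VIP_RANGES[vip]
    a = [str(ip) for ip in ipaddress.ip_network(v4)]
    aaaa = [str(ipaddress.ip_network(v6).network_address)]
    return a, aaaa


def zone_records(zone, vip, ipv6=True):
    """Build the records the procedure creates in one private zone, as
    (name, type, rrdata) tuples.

    For googleapis.com the A/AAAA records carry the VIP name and the wildcard
    CNAME points at the VIP; for any other zone (gcr.io, pkg.dev, ...) the
    zone apex carries the VIP addresses and the wildcard points at the apex.
    """
    a, aaaa = vip_records(vip)
    apex = vip if zone == "googleapis.com" else zone
    records = [(apex, "A", ip) for ip in a]
    if ipv6:
        records += [(apex, "AAAA", ip) for ip in aaaa]
    records.append(("*." + zone, "CNAME", apex))
    return records


def vips_used(records):
    """Return the set of VIPs whose addresses appear as A/AAAA rrdata.
    A correct configuration yields exactly one entry; two entries means the
    zones mix private.googleapis.com and restricted.googleapis.com addresses,
    which the page says causes intermittent failures."""
    seen = set()
    for _name, rtype, data in records:
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(data)
        for vip, ranges in VIP_RANGES.items():
            if any(addr in ipaddress.ip_network(r) for r in ranges):
                seen.add(vip)
                break
        else:
            seen.add("non-VIP address " + data)
    return seen


def gcloud_commands(records, managed_zone, ttl=300):
    """Render records as `gcloud dns record-sets create` commands for a Cloud
    DNS private managed zone (assumed zone name). Names are absolute (trailing
    dot); rrdatas of one name/type are grouped into a single record set."""
    grouped = {}
    for name, rtype, data in records:
        grouped.setdefault((name, rtype), []).append(data)
    cmds = []
    for (name, rtype), datas in grouped.items():
        rrdata = ",".join(d + ("." if rtype == "CNAME" else "") for d in datas)
        cmds.append(
            "gcloud dns record-sets create {}. --zone={} --type={} --ttl={} "
            "--rrdatas={}".format(name, managed_zone, rtype, ttl, rrdata)
        )
    return cmds


if __name__ == "__main__":
    chosen = "restricted.googleapis.com"
    all_records = []
    # Assumed managed zone names for the two private zones.
    for zone, managed in (("googleapis.com", "googleapis-private"), ("gcr.io", "gcr-private")):
        recs = zone_records(zone, chosen)
        all_records += recs
        print("\n".join(gcloud_commands(recs, managed)))
    print("VIPs in use:", vips_used(all_records))
```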

Configure DNS for Cloud Storage custom domain names

If you are using Cloud Storage buckets, and you send requests to a Cloud Storage custom domain name, configuring DNS records for the custom Cloud Storage domain name to point to the IP addresses for private.googleapis.com or restricted.googleapis.com is not sufficient to allow access to the Cloud Storage buckets.

If you want to send requests to a Cloud Storage custom domain name, you must also explicitly set the HTTP request's Host header and TLS SNI to storage.googleapis.com. The IP addresses for private.googleapis.com and restricted.googleapis.com do not support custom Cloud Storage hostnames in HTTP request Host headers and TLS SNIs.

Routing options

Your VPC network must have appropriate routes whose next hops are the default internet gateway. Google Cloud does not support routing traffic to Google APIs and services through other VM instances or custom next hops. Despite being called default internet gateway, packets sent from VMs in your VPC network to Google APIs and services remain within Google's network.

  • If you select the default domains, your VM instances connect to Google APIs and services using a subset of Google's external IP addresses. These IP addresses are publicly routable, but the path from a VM in a VPC network to those addresses remains within Google's network.

  • Google doesn't publish routes on the internet to any of the IP addresses used by either the private.googleapis.com or restricted.googleapis.com domains. Consequently, these domains can only be accessed by VMs in a VPC network or on-premises systems connected to a VPC network.

If your VPC network contains a default route whose next hop is the default internet gateway, you can use that route to access Google APIs and services, without needing to create custom routes. See routing with a default route for details.

If you have replaced a default route (destination 0.0.0.0/0 or ::/0) with a custom route whose next hop is not the default internet gateway, you can meet the routing requirements for Google APIs and services using custom routing instead.

If your VPC network does not have an IPv6 default route, you won't have IPv6 connectivity to Google APIs and services. Add an IPv6 default route to allow IPv6 connectivity.

Routing with a default route

Each VPC network contains an IPv4 default route (0.0.0.0/0) when it is created. If you enable external IPv6 addresses on a subnet, a system-generated IPv6 default route (::/0) is added to that VPC network.

The default routes provide a path to the IP addresses for the following destinations:

  • The default domains.

  • private.googleapis.com: 199.36.153.8/30 and 2600:2d00:0002:2000::/56.

  • restricted.googleapis.com: 199.36.153.4/30 and 2600:2d00:0002:1000::/56.

To check the configuration of a default route in a given network, follow these directions.

Console

  1. In the Google Cloud console, go to the Routes page.

  2. Filter the list of routes to show just the routes for the network you need to inspect.

  3. Look for a route whose destination is 0.0.0.0/0 for IPv4 traffic or ::/0 for IPv6 traffic and whose next hop is default internet gateway.

gcloud

Use the following gcloud command, replacing NETWORK_NAME with the name of the network to inspect:

gcloud compute routes list \
    --filter="default-internet-gateway NETWORK_NAME"

If you need to create a replacement default IPv4 route, see Adding a static route.

If you need to create a replacement default IPv6 route, see Adding an IPv6 default route.

Custom routing

As an alternative to a default route, you can use custom static routes, each having a more specific destination, and each using the default internet gateway next hop. The number of routes you need and their destination IP addresses depend on the domain that you choose.

  • Default domains: you must have routes for the IP address ranges for Google APIs and services.
  • private.googleapis.com: 199.36.153.8/30 and 2600:2d00:0002:2000::/56
  • restricted.googleapis.com: 199.36.153.4/30 and 2600:2d00:0002:1000::/56

Additionally, we recommend that you add routes for 34.126.0.0/18 and 2001:4860:8040::/42. For more information, see Summary of configuration options.

To check the configuration of custom routes for Google APIs and services in a given network, follow these directions.

Console

  1. In the Google Cloud console, go to the Routes page.

  2. Use the Filter table text field to filter the list of routes using the following criteria, replacing NETWORK_NAME with the name of your VPC network.

    • Network: NETWORK_NAME
    • Next hop type: default internet gateway
  3. Look at the Destination IP range column for each route. If you chose the default domains, check for several custom static routes, one for each IP address range used by the default domain. If you chose private.googleapis.com or restricted.googleapis.com, look for that domain's IP range.

gcloud

Use the following gcloud command, replacing NETWORK_NAME with the name of the network to inspect:

gcloud compute routes list \
    --filter="default-internet-gateway NETWORK_NAME"

Routes are listed in table format unless you customize the command with the --format flag. Look in the DEST_RANGE column for the destination of each route. If you chose the default domains, check for several custom static routes, one for each IP address range used by the default domain. If you chose private.googleapis.com or restricted.googleapis.com, look for that domain's IP range.

If you need to create routes, see Adding a static route.

Firewall configuration

The firewall configuration of your VPC network must allow access from VMs to the IP addresses used by Google APIs and services. The implied allow egress rule satisfies this requirement.

In some firewall configurations, you need to create specific egress allow rules. For example, suppose you've created an egress deny rule that blocks traffic to all destinations (0.0.0.0/0 for IPv4 or ::/0 for IPv6). In that case, you must create one egress allow firewall rule whose priority is higher than the egress deny rule for each IP address range used by your chosen domain for Google APIs and services.

Additionally, we recommend that you include 34.126.0.0/18 and 2001:4860:8040::/42 in your egress allow firewall rule. For more information, see Summary of configuration options.

To create firewall rules, see Creating firewall rules. You can limit the VMs to which the firewall rules apply when you define the target of each egress allow rule.
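As an added example (not tooling from the Google Cloud documentation) for the routing and firewall requirements in the two sections above, the following Python evaluates route and firewall rule records in the shape that gcloud compute routes list --format=json and gcloud compute firewall-rules list --format=json return, against the ranges required for a chosen VIP. The project name, route names, rule names and the sample misconfiguration are constructed; the egress check ignores protocols, ports and targets, so treat it as a coverage check, not a full policy evaluation.

```python
import ipaddress

# VIP ranges from the "Summary of configuration options" table above, plus the
# direct-connectivity ranges the page recommends routing and allowing as well.
VIP_RANGES = {
    "private.googleapis.com": ["199.36.153.8/30", "2600:2d00:0002:2000::/56"],
    "restricted.googleapis.com": ["199.36.153.4/30", "2600:2d00:0002:1000::/56"],
}
DIRECT_RANGES = ["34.126.0.0/18", "2001:4860:8040::/42"]


def required_ranges(domain):
    """Destination ranges that routes and egress rules must cover for `domain`."""
    return [ipaddress.ip_network(r) for r in VIP_RANGES[domain] + DIRECT_RANGES]


def _net(route):
    return ipaddress.ip_network(route["destRange"])


def is_default_gateway(route):
    """True when the route's next hop is the default internet gateway."""
    return route.get("nextHopGateway", "").endswith("/global/gateways/default-internet-gateway")


def route_findings(routes, needed):
    """Verdict per required range. VPC routing selects the longest matching
    prefix, then the lowest priority value; a more specific route with another
    next hop would divert part of the range away from the gateway."""
    out = {}
    for dest in needed:
        same = [r for r in routes if _net(r).version == dest.version]
        cands = [r for r in same if dest.subnet_of(_net(r))]
        if not cands:
            out[str(dest)] = "NO_ROUTE"
            continue
        best = max(cands, key=lambda r: (_net(r).prefixlen, -r.get("priority", 1000)))
        diverted = [r["name"] for r in same
                    if _net(r) != dest and _net(r).subnet_of(dest) and not is_default_gateway(r)]
        if not is_default_gateway(best):
            out[str(dest)] = "WRONG_NEXT_HOP:" + best["name"]
        elif diverted:
            out[str(dest)] = "PARTLY_DIVERTED:" + ",".join(diverted)
        else:
            out[str(dest)] = "OK:" + best["name"]
    return out


def egress_findings(firewalls, needed):
    """The highest-priority (lowest number) enabled EGRESS rule whose destination
    overlaps the range decides; with no match the implied allow-egress rule applies.
    Simplification: protocols, ports, targets and partial overlaps are ignored."""
    out = {}
    for dest in needed:
        hits = []
        for fw in firewalls:
            if fw.get("direction") != "EGRESS" or fw.get("disabled"):
                continue
            nets = [ipaddress.ip_network(c) for c in fw.get("destinationRanges", [])]
            if any(n.version == dest.version and n.overlaps(dest) for n in nets):
                hits.append(fw)
        if not hits:
            out[str(dest)] = "OK:implied-allow-egress"
            continue
        top = min(hits, key=lambda fw: fw.get("priority", 1000))
        out[str(dest)] = ("OK:" if "allowed" in top else "DENIED:") + top["name"]
    return out


# Constructed sample (not real project data): the IPv4 default route was replaced
# by a proxy VM, only the VIP /30 was routed back to the gateway, and the egress
# allow rule omits 34.126.0.0/18.
GW = "https://www.googleapis.com/compute/v1/projects/example-project/global/gateways/default-internet-gateway"
PROXY = "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a/instances/proxy-vm"
SAMPLE_ROUTES = [
    {"name": "egress-via-proxy", "destRange": "0.0.0.0/0", "priority": 1000, "nextHopInstance": PROXY},
    {"name": "restricted-vip", "destRange": "199.36.153.4/30", "priority": 1000, "nextHopGateway": GW},
    {"name": "default-route-v6", "destRange": "::/0", "priority": 1000, "nextHopGateway": GW},
]
SAMPLE_FIREWALLS = [
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0", "::/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-restricted-vip", "direction": "EGRESS", "priority": 900,
     "destinationRanges": ["199.36.153.4/30", "2600:2d00:0002:1000::/56", "2001:4860:8040::/42"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

if __name__ == "__main__":
    needed = required_ranges("restricted.googleapis.com")
    for rng, verdict in route_findings(SAMPLE_ROUTES, needed).items():
        print("route    %-26s %s" % (rng, verdict))
    for rng, verdict in egress_findings(SAMPLE_FIREWALLS, needed).items():
        print("firewall %-26s %s" % (rng, verdict))
```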

IP addresses for default domains

This section describes how to create a list of default domain IP ranges used by Google APIs and services. These ranges are allocated dynamically and change often, so it's not possible to define specific IP ranges for individual services or APIs. To maintain an accurate list, set up automation to run the script every day.

If you have strict egress requirements, don't use the IP addresses for the default domains. Use a Private Service Connect endpoint, or the private.googleapis.com or restricted.googleapis.com VIP. These options require additional DNS configuration, but don't require that you maintain a list of IP address ranges.

Follow these steps to determine the IP address ranges used by the default domains, such as *.googleapis.com.

  • Google publishes a list of Google-owned IP addresses in goog.json.

  • Google also publishes a list of global and regional external IP address ranges available for customers' Google Cloud resources in cloud.json.

Taking away all ranges in cloud.json from those in goog.json results in a large set of IP addresses that are used by global Google APIs and other Google services, including customer-facing products outside of Google Cloud. These lists are updated frequently.

You can use the following Python script to create a list of IP address ranges that include those used by the default domains for Google APIs and services.

For information about running this script, see How to run.

from __future__ import print_function

import json

try:
    # Python 2: urlopen and HTTPError both come from urllib2.
    from urllib2 import urlopen, HTTPError
except ImportError:
    # Python 3
    from urllib.request import urlopen
    from urllib.error import HTTPError

import netaddr

IPRANGE_URLS = {
    "goog": "https://www.gstatic.com/ipranges/goog.json",
    "cloud": "https://www.gstatic.com/ipranges/cloud.json",
}


def read_url(url):
    """Fetch and parse a JSON document; print an error and return None on failure."""
    try:
        return json.loads(urlopen(url).read())
    except (IOError, HTTPError):
        print("ERROR: Invalid HTTP response from %s" % url)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        print("ERROR: Could not parse HTTP response from %s" % url)


def get_data(link):
    """Return the IPv4 and IPv6 prefixes published at `link` as a netaddr.IPSet."""
    data = read_url(link)
    if not data:
        return None
    print("{} published: {}".format(link, data.get("creationTime")))
    cidrs = netaddr.IPSet()
    for e in data["prefixes"]:
        if "ipv4Prefix" in e:
            cidrs.add(e.get("ipv4Prefix"))
        if "ipv6Prefix" in e:
            cidrs.add(e.get("ipv6Prefix"))
    return cidrs


def main():
    cidrs = {group: get_data(link) for group, link in IPRANGE_URLS.items()}
    # Both lists are required; a failed download leaves a None entry.
    if not all(cidrs.values()):
        raise ValueError("ERROR: Could not process data from Google")
    print("IP ranges for Google APIs and services default domains:")
    # goog.json minus cloud.json leaves the ranges used by the default domains.
    for ip in (cidrs["goog"] - cidrs["cloud"]).iter_cidrs():
        print(ip)


if __name__ == "__main__":
    main()

Note: In the past, Google Cloud published a list of IP address ranges in the _spf.google.com DNS TXT record (and the records it referenced). While this DNS TXT record continues to be accurate for SPF purposes, it does not contain the complete set of possible IP address ranges used by the default domains for Google APIs and services.

Private Google Access configuration

You can enable Private Google Access after you've met the network requirements in your VPC network.

Enable Private Google Access

Follow these steps to enable Private Google Access:

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of the network that contains the subnet for which you need to enable Private Google Access.

  3. For an existing subnet:

    1. Click the name of the subnet. The Subnet details page is displayed.
    2. Click Edit.
    3. In the Private Google Access section, select On.
    4. Click Save.
  4. For a new subnet:

    1. Click Add subnet.
    2. Enter a Name.
    3. Select a Region.
    4. For IP stack type, select one of the following:
      • IPv4 (single-stack)
      • IPv4 and IPv6 (dual-stack)
      • IPv6 (single-stack) (Preview)
    5. If you are creating a subnet with an IPv4 address range, enter an IPv4 range. This is the primary IPv4 range for the subnet.

      If you select a range that is not an RFC 1918 address, confirm that the range doesn't conflict with an existing configuration. For more information, see IPv4 subnet ranges.

    6. If you are creating a subnet with an IPv6 address range, select an IPv6 access type: Internal or External.

      If you want to set the access type to Internal, but the Internal option is not available, check that an internal IPv6 range is assigned on the network.

    7. Make other selections for the new subnet to meet your needs. For example, you might need to create secondary subnet IP ranges or enable VPC Flow Logs.

    8. Select On in the Private Google Access section.

    9. Click Add.

gcloud

For an existing subnet:

  1. Determine the name and region of the subnet. To list the subnets for a particular network, use the following command:

    gcloud compute networks subnets list --filter=NETWORK_NAME

  2. Run the following command to enable Private Google Access:

    gcloud compute networks subnets update SUBNET_NAME \
        --region=REGION \
        --enable-private-ip-google-access

  3. Verify that Private Google Access is enabled by running this command:

    gcloud compute networks subnets describe SUBNET_NAME \
        --region=REGION \
        --format="get(privateIpGoogleAccess)"

In all above commands, replace the following with valid values:

  • SUBNET_NAME: the name of the subnet
  • REGION: the region for the subnet
  • NETWORK_NAME: the name of the VPC network that contains the subnet

When creating a new subnet, use the --enable-private-ip-google-access flag to enable Private Google Access:

gcloud compute networks subnets create SUBNET_NAME \
    --region=REGION \
    --network=NETWORK_NAME \
    --range=PRIMARY_IPV4_RANGE \
    [ --stack-type=STACK_TYPE ] \
    [ --ipv6-access-type=IPv6_ACCESS_TYPE ] \
    --enable-private-ip-google-access

Replace the following with valid values:

  • SUBNET_NAME: the name of the subnet
  • REGION: the region for the subnet
  • NETWORK_NAME: the name of the VPC network that contains the subnet
  • PRIMARY_IPV4_RANGE: the subnet's primary IPv4 address range. If you are creating an IPv6-only subnet, omit this flag.
  • STACK_TYPE: the stack type for the subnet: IPV4_ONLY, IPV4_IPV6, or IPV6_ONLY.
  • IPv6_ACCESS_TYPE: the IPv6 access type: EXTERNAL or INTERNAL. Only specify the IPv6 access type if you have also specified --stack-type=IPV4_IPV6 or --stack-type=IPV6_ONLY.

Disable Private Google Access

Follow these steps to disable Private Google Access for an existing subnet:

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of the network that contains the subnet for which you need to disable Private Google Access.

  3. Click the name of an existing subnet. The Subnet details page is displayed.

  4. Click Edit.

  5. In the Private Google Access section, select Off.

  6. Click Save.

gcloud

  1. Determine the name and region of the subnet. To list the subnets for a particular network, use the following command:

    gcloud compute networks subnets list \
        --filter=NETWORK_NAME

  2. Run the following command to disable Private Google Access:

    gcloud compute networks subnets update SUBNET_NAME \
        --region=REGION \
        --no-enable-private-ip-google-access

  3. Run the following command to verify that Private Google Access is disabled:

    gcloud compute networks subnets describe SUBNET_NAME \
        --region=REGION \
        --format="get(privateIpGoogleAccess)"

In all above commands, replace the following with valid values:

  • SUBNET_NAME: the name of the subnet
  • REGION: the region for the subnet
  • NETWORK_NAME: the name of the VPC network that contains the subnet

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.