Private Google Access with VPC Service Controls

Private Google Access offers private connectivity to hosts in either a VPC network or an on-premises network that uses private IP addresses to access Google APIs and services. You can extend a Virtual Private Cloud service perimeter to hosts in those networks to control access to protected resources.

Hosts in a VPC network must have a private IP address only (no public IP address) and be in a subnet with Private Google Access enabled.

For on-premises hosts to reach restricted Google API services, requests to Google APIs must be sent through a VPC network, either through a Cloud VPN tunnel or a Cloud Interconnect connection.

In both cases, we recommend that you send all requests to Google APIs and services to the virtual IP (VIP) address ranges for restricted.googleapis.com. The IP address ranges are not announced to the internet. Traffic sent to the VIP stays within Google Cloud's network only.

If you require access to other Google APIs and services that aren't supported by VPC Service Controls, you can use private.googleapis.com. However, the private VIP can allow access to services that are not compliant with VPC Service Controls and that might have data exfiltration risks. We recommend that you use restricted.googleapis.com, which integrates with VPC Service Controls and mitigates data exfiltration risks. Using restricted.googleapis.com denies access to Google APIs and services that are not supported by VPC Service Controls.

For more information about the private.googleapis.com and restricted.googleapis.com VIPs, see Configure Private Google Access.

IP address ranges for restricted.googleapis.com

There are two IP address ranges associated with the restricted.googleapis.com domain:

  • IPv4 range: 199.36.153.4/30
  • IPv6 range: 2600:2d00:0002:1000::/56

For information about using the IPv6 range to access Google APIs, see IPv6 support.

VPC network example

In the following example, the service perimeter contains two projects: one that has an authorized VPC network and another with the protected Cloud Storage resource. In the VPC network, VM instances must be in a subnet with Private Google Access enabled and only require access to Virtual Private Cloud restricted services. Queries to Google APIs and services from VM instances in the authorized VPC network resolve to restricted.googleapis.com and can access the protected resource.

[Figure: Private Google Access with VPC Service Controls]
  • DNS was configured in the VPC network to map *.googleapis.com requests to restricted.googleapis.com, which resolves to 199.36.153.4/30.
  • A custom static route was added to the VPC network that directs traffic with the destination 199.36.153.4/30 to the default-internet-gateway as the next hop. Even though default-internet-gateway is used as the next hop, traffic is routed privately through Google's network to the appropriate API or service.
  • The VPC network was authorized to access the My-authorized-gcs-project because both projects are in the same service perimeter.

On-premises network example

You can use either static routing, by configuring a static route in the on-premises router, or dynamic routing, by announcing the restricted Google API address range through Border Gateway Protocol (BGP) from Cloud Router.

To use Private Google Access for on-premises hosts with Virtual Private Cloud, set up private connectivity for on-premises hosts and then configure VPC. Define a service perimeter for the project that contains the VPC network that's connected to your on-premises network.

In the following scenario, the storage buckets in project sensitive-buckets can only be accessed from VM instances in the project main-project and from connected on-premises applications. On-premises hosts can access storage buckets in the project sensitive-buckets because traffic goes through a VPC network that's inside the same service perimeter as sensitive-buckets.

  • The on-premises DNS configuration maps *.googleapis.com requests to restricted.googleapis.com, which resolves to 199.36.153.4/30.
  • The Cloud Router was configured to advertise the 199.36.153.4/30 IP address range through the VPN tunnel. Traffic going to Google APIs is routed through the tunnel to the VPC network.
  • A custom static route was added to the VPC network that directs traffic with the destination 199.36.153.4/30 to the default-internet-gateway as the next hop. Even though default-internet-gateway is used as the next hop, traffic is routed privately through Google's network to the appropriate API or service.
  • The VPC network was authorized to access the sensitive-buckets project, and on-premises hosts have the same access.
  • On-premises hosts can't access other resources that are outside of the service perimeter.

The project that connects to your on-premises network must be a member of the service perimeter to reach restricted resources. On-premises access also works if the relevant projects are connected by a perimeter bridge.
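The following Terraform configuration is an added example, not code from this page or from Google, that wires up the pieces both examples above describe: a subnet with Private Google Access enabled, a private Cloud DNS zone that maps *.googleapis.com to restricted.googleapis.com and resolves that name to the four addresses of 199.36.153.4/30, the custom static route to default-internet-gateway, and, for the on-premises scenario, a Cloud Router that advertises 199.36.153.4/30 to the peer over BGP. The network, subnet, zone, route and router names, the region, the subnet CIDR and the ASN are assumed values; the provider block, the Cloud VPN tunnel and BGP peer, the on-premises resolver configuration and the service perimeter itself are outside this snippet.

```terraform
# Added example; resource names, region, CIDR and ASN are placeholders.

resource "google_compute_network" "vpc" {
  name                    = "vpc-main"              # assumed name
  auto_create_subnetworks = false
}

# VM subnet: instances get private addresses only, and Private Google
# Access lets them reach Google APIs without an external IP.
resource "google_compute_subnetwork" "private" {
  name                     = "private-subnet"       # assumed name
  region                   = "us-central1"          # assumed region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/24"         # constructed range
  private_ip_google_access = true
}

# Private DNS zone for googleapis.com, visible only from this VPC.
resource "google_dns_managed_zone" "googleapis" {
  name       = "restricted-googleapis"              # assumed name
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = google_compute_network.vpc.id
    }
  }
}

# restricted.googleapis.com -> the four hosts of 199.36.153.4/30.
resource "google_dns_record_set" "restricted_a" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "restricted.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
}

# *.googleapis.com -> restricted.googleapis.com, so every API hostname
# lands on the restricted VIP rather than on a public address.
resource "google_dns_record_set" "wildcard_cname" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["restricted.googleapis.com."]
}

# Custom static route for the restricted VIP. default-internet-gateway is
# the next hop, but the range is not announced to the internet, so the
# traffic stays on Google's network.
resource "google_compute_route" "restricted_vip" {
  name             = "restricted-googleapis-route"   # assumed name
  network          = google_compute_network.vpc.name
  dest_range       = "199.36.153.4/30"
  next_hop_gateway = "default-internet-gateway"
  priority         = 1000
}

# On-premises scenario: the Cloud Router advertises 199.36.153.4/30 over
# the VPN tunnel's BGP session, so on-premises hosts route the restricted
# VIP into the VPC instead of toward their internet edge.
resource "google_compute_router" "onprem" {
  name    = "onprem-router"                          # assumed name
  region  = google_compute_subnetwork.private.region
  network = google_compute_network.vpc.id
  bgp {
    asn               = 64514                        # placeholder private ASN
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]
    advertised_ip_ranges {
      range       = "199.36.153.4/30"
      description = "restricted.googleapis.com VIP"
    }
  }
}
```

Two points worth checking after applying this. First, the wildcard CNAME sends every *.googleapis.com name to the restricted VIP, so any API that VPC Service Controls does not support will stop working from these hosts; that is the intended behaviour the page describes, not a misconfiguration, but it should be verified before cutover. Second, for the on-premises case the DNS override must also be applied in the on-premises resolver (the Cloud DNS private zone is only consulted by the VPC), and the Cloud VPN tunnel plus BGP peer must exist for the advertised range to reach the on-premises router.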



Last updated 2026-02-05 UTC.