Configure Private Google Access for on-premises hosts

Private Google Access for on-premises hosts provides a way for on-premises systems to connect to Google APIs and services by routing traffic through a Cloud VPN tunnel or a VLAN attachment for Cloud Interconnect. Private Google Access for on-premises hosts is an alternative to connecting to Google APIs and services over the internet.

This document describes how to enable Private Google Access for on-premises hosts.

Note: These instructions also apply to host machines in a Bare Metal Solution region extension. Except in reference to name servers in the DNS configuration section, the term on-premises in these instructions is equivalent to Bare Metal Solution. For DNS name servers, the DNS name server that you use can be your own enterprise server in your actual on-premises environment, a DNS name server on Google Cloud, or, if you enable your Bare Metal Solution machines to connect to the internet, a public DNS name server.

Specifications and requirements

Private Google Access for on-premises hosts has the following requirements:

  • You must direct Google APIs and services traffic sent by on-premises systems to the IP addresses associated with either the private.googleapis.com or the restricted.googleapis.com special domain names. For details about what services can be accessed on each domain, see Domain options.

  • Your on-premises network must be connected to a VPC network by using either Cloud VPN tunnels or VLAN attachments.

  • The VPC network to which your on-premises network is connected must have appropriate routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. For details, see VPC network routing.

  • The VPC network to which your on-premises network is connected must have appropriate routes to reach the on-premises network. The next hop Cloud VPN tunnels or VLAN attachments that connect to your on-premises network for these routes must be within the same region where the request originated. If the next hop is in a region different from where the request to Private Google Access originated, the response from Private Google Access will not reach the on-premises network.

  • Your on-premises network must have routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. These routes must direct traffic to the appropriate Cloud VPN tunnel or VLAN attachment that connects to your VPC network. For details, see On-premises routing with Cloud Router.

  • To let IPv6 clients in your on-premises environment access Google APIs by using private.googleapis.com or restricted.googleapis.com, you must configure the connection to your VPC network to support IPv6. For more information, see the following pages:

  • On-premises clients can send requests from any IPv6 GUA or ULA addresses, except for the ULA range fda3:e722:ac3:cc00::/64, which is reserved for internal use.

  • If your project is providing access to Google APIs for on-premises hosts only, you don't need to enable the Google APIs for the project.

    However, if resources within the project need to access Google APIs, you might need to separately enable the APIs for the services that they need to access. For more information about using Private Google Access for resources within a project, see Configure Private Google Access.

Permissions

Project owners, editors, and IAM principals with the Network Admin role can create or update subnets and assign IP addresses.

For more information about roles, read the IAM roles documentation.

Network configuration

Private Google Access for on-premises hosts has specific network requirements for on-premises systems and for the VPC network through which the on-premises systems send traffic to Google APIs and services.

Domain options

Private Google Access for on-premises hosts requires that you direct services to one of the following special domains. The special domain you choose determines which services you can access.

The private.googleapis.com and restricted.googleapis.com VIPs support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP, are not supported.

The following table lists, for each domain, its IP address ranges, the services it supports, and example usage.

private.googleapis.com

Domain and IP address ranges:

  • 199.36.153.8/30
  • 2600:2d00:0002:2000::/64

Supported services:

Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the following list. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.

Domain names that match:

  • accounts.google.com (only supports paths needed for OAuth authentication of service accounts; user account authentication is interactive and not supported)
  • *.aiplatform-notebook.cloud.google.com
  • *.aiplatform-notebook.googleusercontent.com
  • appengine.google.com
  • *.appspot.com
  • *.backupdr.cloud.google.com
  • backupdr.cloud.google.com
  • *.backupdr.googleusercontent.com
  • backupdr.googleusercontent.com
  • *.cloudfunctions.net
  • *.cloudproxy.app
  • *.composer.cloud.google.com
  • *.composer.googleusercontent.com
  • *.datafusion.cloud.google.com
  • *.datafusion.googleusercontent.com
  • *.dataproc.cloud.google.com
  • dataproc.cloud.google.com
  • *.dataproc.googleusercontent.com
  • dataproc.googleusercontent.com
  • dl.google.com
  • gcr.io or *.gcr.io
  • *.googleapis.com
  • *.gke.goog
  • *.gstatic.com
  • *.kernels.googleusercontent.com
  • *.ltsapis.goog
  • *.notebooks.cloud.google.com
  • *.notebooks.googleusercontent.com
  • packages.cloud.google.com
  • pkg.dev or *.pkg.dev
  • pki.goog or *.pki.goog
  • *.run.app
  • source.developers.google.com
  • storage.cloud.google.com

Example usage:

Use private.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud.

Choose private.googleapis.com under these circumstances:

  • You don't use VPC Service Controls.
  • You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls. [1]

restricted.googleapis.com

Domain and IP address ranges:

  • 199.36.153.4/30
  • 2600:2d00:0002:1000::/64

Supported services:

Enables API access to Google APIs and services that are supported by VPC Service Controls.

Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

Example usage:

Use restricted.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud.

Choose restricted.googleapis.com when you only need access to Google APIs and services that are supported by VPC Service Controls.

The restricted.googleapis.com domain does not permit access to Google APIs and services that do not support VPC Service Controls. [1]

[1] If you need to restrict users to just the Google APIs and services that support VPC Service Controls, use restricted.googleapis.com, as it provides additional risk mitigation for data exfiltration. Using restricted.googleapis.com denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.

IPv6 support for private.googleapis.com and restricted.googleapis.com

The following IPv6 address ranges can be used to direct traffic from IPv6 clients to Google APIs and services:

  • private.googleapis.com: 2600:2d00:0002:2000::/64
  • restricted.googleapis.com: 2600:2d00:0002:1000::/64

Consider configuring the IPv6 addresses if you want to use the private.googleapis.com or restricted.googleapis.com domain, and you have clients that use IPv6 addresses. IPv6 clients that also have IPv4 addresses configured can reach Google APIs and services by using the IPv4 addresses. Not all services accept traffic from IPv6 clients.

DNS configuration

Your on-premises network must have DNS zones and records configured so that the domain names of the services that you're accessing resolve to the set of IP addresses for either private.googleapis.com or restricted.googleapis.com. You can create Cloud DNS managed private zones and use a Cloud DNS inbound server policy, or you can configure on-premises name servers. For example, you can use BIND or Microsoft Active Directory DNS.

The following sections describe how to use DNS zones to send packets to the IP addresses that are associated with your chosen VIP. Follow the instructions for all scenarios that apply to you:

When you configure DNS records for the VIPs, use only the IP addresses that are described in the following steps. Do not mix addresses from the private.googleapis.com and restricted.googleapis.com VIPs. This can cause intermittent failures because the services that are offered differ based on a packet's destination.

Note: There are public DNS records for private.googleapis.com or restricted.googleapis.com. However, you can't use the public records to access Google APIs. You must create a private DNS zone and records.

Configure DNS for googleapis.com

Create a DNS zone and records for googleapis.com:

  1. Create a private DNS zone for googleapis.com. Consider creating a Cloud DNS private zone for this purpose.
  2. In the googleapis.com zone, create the following private DNS records for either private.googleapis.com or restricted.googleapis.com, depending on which domain you've chosen to use.

    • For private.googleapis.com:

      1. Create an A record for private.googleapis.com pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.

      2. To connect to APIs using IPv6 addresses, also configure an AAAA record for private.googleapis.com pointing to 2600:2d00:0002:2000::.

    • For restricted.googleapis.com:

      1. Create an A record for restricted.googleapis.com pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for restricted.googleapis.com pointing to 2600:2d00:0002:1000::.

    To create private DNS records in Cloud DNS, see Add a record.

  3. In the googleapis.com zone, create a CNAME record for *.googleapis.com that points to the domain that you've configured: private.googleapis.com or restricted.googleapis.com.

Configure DNS for other domains

Some Google APIs and services are provided using additional domain names, including *.gcr.io, *.gstatic.com, *.pkg.dev, pki.goog, *.run.app, and *.gke.goog. Refer to the domain and IP address ranges table in Domain options to determine if the additional domain's services can be accessed using private.googleapis.com or restricted.googleapis.com. Then, for each of the additional domains:

  1. Create a DNS zone for DOMAIN (for example, gcr.io). If you're using Cloud DNS, make sure this zone is located in the same project as your googleapis.com private zone.

  2. In this DNS zone, create the following private DNS records for either private.googleapis.com or restricted.googleapis.com, depending on which domain you've chosen to use.

    • For private.googleapis.com:

      1. Create an A record for DOMAIN pointing to the following IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for DOMAIN pointing to 2600:2d00:0002:2000::.

    • For restricted.googleapis.com:

      1. Create an A record for DOMAIN pointing to the following IP addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.

      2. To connect to APIs using IPv6 addresses, also create an AAAA record for DOMAIN pointing to 2600:2d00:0002:1000::.

  3. In the DOMAIN zone, create a CNAME record for *.DOMAIN that points to DOMAIN. For example, create a CNAME record for *.gcr.io that points to gcr.io.
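The two DNS procedures above (the googleapis.com zone and each additional DOMAIN zone) as an added example, not code from the page or from Google: it builds the A, AAAA and wildcard CNAME records for a chosen VIP, renders them as BIND zone-file lines (the SOA and NS records your own server needs are assumed to be added separately), and checks that no zone mixes addresses from the two VIPs, which the page warns causes intermittent failures.

```python
import ipaddress

# VIP address ranges from the page: one IPv4 /30 and one IPv6 /64 per special domain.
VIPS = {
    "private.googleapis.com": {
        "v4": ipaddress.ip_network("199.36.153.8/30"),
        "v6": ipaddress.ip_network("2600:2d00:0002:2000::/64"),
    },
    "restricted.googleapis.com": {
        "v4": ipaddress.ip_network("199.36.153.4/30"),
        "v6": ipaddress.ip_network("2600:2d00:0002:1000::/64"),
    },
}


def vip_addresses(vip, ipv6=False):
    """A-record targets (all four addresses of the /30) and, if ipv6, the AAAA target.
    The page uses the first address of the /64 as the single AAAA target; the
    ipaddress module prints it in compressed form (2600:2d00:2:2000::)."""
    ranges = VIPS[vip]
    a = [str(ip) for ip in ranges["v4"]]  # iterating a /30 yields all four addresses
    aaaa = [str(ranges["v6"].network_address)] if ipv6 else []
    return a, aaaa


def zone_records(vip, domains=("googleapis.com",), ipv6=False):
    """Build the private-zone records the page describes, one zone per domain.
    googleapis.com zone: A/AAAA for the VIP name itself, *.googleapis.com CNAME to it.
    Any other DOMAIN zone: A/AAAA at the apex, *.DOMAIN CNAME to DOMAIN.
    Each record is an (owner name, type, target) tuple."""
    a, aaaa = vip_addresses(vip, ipv6)
    zones = {}
    for domain in domains:
        apex = vip if domain == "googleapis.com" else domain
        records = [(apex, "A", addr) for addr in a]
        records += [(apex, "AAAA", addr) for addr in aaaa]
        records.append((f"*.{domain}", "CNAME", apex))
        zones[domain] = records
    return zones


def bind_zone_text(domain, records, ttl=300):
    """Render one zone as BIND zone-file lines (SOA/NS left to your own server)."""
    lines = [f"$ORIGIN {domain}.", f"$TTL {ttl}"]
    for name, rtype, target in records:
        rel = "@" if name == domain else name.removesuffix(f".{domain}")
        value = f"{target}." if rtype == "CNAME" else target  # absolute CNAME target
        lines.append(f"{rel:<12} IN {rtype:<5} {value}")
    return "\n".join(lines) + "\n"


def check_no_mixing(zones):
    """Return the single VIP that all A/AAAA targets belong to; raise if VIPs are mixed."""
    seen = set()
    for records in zones.values():
        for _, rtype, target in records:
            if rtype not in ("A", "AAAA"):
                continue
            addr = ipaddress.ip_address(target)
            owners = {v for v, r in VIPS.items() if addr in r["v4"] or addr in r["v6"]}
            if not owners:
                raise ValueError(f"{target} is not a private/restricted VIP address")
            seen |= owners
    if len(seen) != 1:
        raise ValueError(f"records mix VIPs: {sorted(seen)}")
    return seen.pop()
```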

Configure DNS for Cloud Storage custom domain names

If you are using Cloud Storage buckets, and you send requests to a Cloud Storage custom domain name, configuring DNS records for the custom Cloud Storage domain name to point to the IP addresses for private.googleapis.com or restricted.googleapis.com is not sufficient to allow access to the Cloud Storage buckets.

If you want to send requests to a Cloud Storage custom domain name, you must also explicitly set the HTTP request's Host header and TLS SNI to storage.googleapis.com. The IP addresses for private.googleapis.com and restricted.googleapis.com do not support custom Cloud Storage hostnames in HTTP request Host headers and TLS SNIs.

Configure DNS for on-premises systems

If you've implemented the DNS configuration using Cloud DNS, you'll need to configure on-premises systems so that they can make queries to your Cloud DNS managed private zones:

  • Create an inbound server policy in the VPC network to which your on-premises network connects.
  • Identify the inbound forwarder entry points, in the region(s) where your Cloud VPN tunnels and VLAN attachments are located, in the VPC network to which your on-premises network connects.
  • Configure on-premises systems and on-premises DNS name servers to forward googleapis.com and any of the additional domain names to an inbound forwarder entry point in the same region as the Cloud VPN tunnel or VLAN attachment that connects to the VPC network.

VPC network routing

The VPC network to which your on-premises network connects must have routes for the IP address ranges used by private.googleapis.com or restricted.googleapis.com. These routes must use the default internet gateway next hop.

Google Cloud doesn't publish routes on the internet for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains. Consequently, even though the routes in the VPC network send traffic to the default internet gateway next hop, packets sent to those IP address ranges remain within Google's network.

If the VPC network to which your on-premises network connects contains a default route whose next hop is the default internet gateway, that route meets the routing requirements for Private Google Access for on-premises hosts.

VPC network custom routing

If you've replaced or changed your default route, ensure that you have custom static routes configured for the destination IP ranges used by private.googleapis.com or restricted.googleapis.com. To check the configuration of custom routes for Google APIs and services in a given network, follow these directions.

Console

  1. In the Google Cloud console, go to the Routes page.

  2. Use the Filter table text field to filter the list of routes using the following criteria, replacing NETWORK_NAME with the name of the VPC network to which your on-premises network connects:

    • Network: NETWORK_NAME
    • Next hop type: default internet gateway
  3. Look at the Destination IP range column for each route. Look for a route whose destination range matches:

    • 199.36.153.8/30 if you chose private.googleapis.com
    • 199.36.153.4/30 if you chose restricted.googleapis.com

gcloud

Use the following gcloud command, replacing NETWORK_NAME with the name of the VPC network to which your on-premises network connects:

    gcloud compute routes list \
        --filter="default-internet-gateway NETWORK_NAME"

Routes are listed in table format unless you customize the command with the --format flag. Look in the DEST_RANGE column for a route whose destination range matches:

  • 199.36.153.8/30 if you chose private.googleapis.com
  • 199.36.153.4/30 if you chose restricted.googleapis.com

If you need to create routes in your VPC network, see Adding a static route.
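The routing check above, as an added example that is not part of the page or of the gcloud tool: it parses the table that gcloud compute routes list prints (a constructed sample is embedded) and goes one step further than eyeballing the DEST_RANGE column, by applying longest-prefix-then-priority selection to find the route that actually carries each VIP range and confirming its next hop is the default internet gateway. The network names, route names and the appliance next hop in the sample are made up.

```python
import ipaddress

# VIP destination ranges from the page, IPv4 first, then IPv6.
VIP_RANGES = {
    "private.googleapis.com": ("199.36.153.8/30", "2600:2d00:0002:2000::/64"),
    "restricted.googleapis.com": ("199.36.153.4/30", "2600:2d00:0002:1000::/64"),
}
INTERNET_GATEWAY = "default-internet-gateway"

# Constructed sample of `gcloud compute routes list` table output (not a real project).
# prod-vpc has a more specific route that sends the private VIP to an appliance IP,
# which would break Private Google Access; dev-vpc relies on its default route only.
SAMPLE_ROUTES = """\
NAME                   NETWORK   DEST_RANGE              NEXT_HOP                  PRIORITY
default-route-1a2b     prod-vpc  0.0.0.0/0               default-internet-gateway  1000
pga-restricted-v4      prod-vpc  199.36.153.4/30         default-internet-gateway  1000
pga-restricted-v6      prod-vpc  2600:2d00:2:1000::/64   default-internet-gateway  1000
to-onprem-hq           prod-vpc  10.20.0.0/16            vpn-tunnel-hq-1           1000
private-v4-via-nva     prod-vpc  199.36.153.8/30         10.20.0.250               900
default-route-9z8y     dev-vpc   0.0.0.0/0               default-internet-gateway  1000
"""


def parse_routes(table_text):
    """Turn the whitespace-aligned table into dicts keyed by the header names."""
    lines = [ln for ln in table_text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def effective_route(rows, network, dest):
    """Route in `network` that carries `dest`: longest prefix, then lowest priority value."""
    target = ipaddress.ip_network(dest)
    best = None
    for r in rows:
        if r["NETWORK"] != network:
            continue
        cidr = ipaddress.ip_network(r["DEST_RANGE"])
        if cidr.version != target.version or not cidr.supernet_of(target):
            continue
        key = (cidr.prefixlen, -int(r["PRIORITY"]))  # the larger key wins
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


def check_vip_routing(table_text, network, vip, ipv6=False):
    """Map each VIP range to (ok, route name); ok means the effective next hop is the gateway."""
    rows = parse_routes(table_text)
    results = {}
    for dest in VIP_RANGES[vip][: 2 if ipv6 else 1]:
        r = effective_route(rows, network, dest)
        ok = r is not None and r["NEXT_HOP"] == INTERNET_GATEWAY
        results[dest] = (ok, r["NAME"] if r else None)
    return results
```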

On-premises routing with Cloud Router

Routes in your on-premises network must be configured to direct traffic for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains to the next hop Cloud VPN tunnels or VLAN attachments that connect to your VPC network.

You can use Cloud Router custom route advertisements to announce routes for the IP ranges used by the private.googleapis.com and restricted.googleapis.com domains.

IPv6 routes are advertised only in BGP sessions where IPv6 is enabled.

Important: IP address ranges for private.googleapis.com and restricted.googleapis.com are not routable on the internet.

Console

To update the route advertisement mode for all BGP sessions on a Cloud Router, except for those BGP sessions that use custom BGP advertisements themselves:

  1. In the Google Cloud console, go to the Cloud Router page.

  2. Select the Cloud Router that manages BGP sessions for the Cloud VPN tunnels or VLAN attachments that connect your on-premises network to your VPC network.

  3. In the Cloud Router's detail page, select Edit.

  4. Expand the Advertised routes section.

  5. For the Routes, select Create custom routes.

  6. If you want to advertise all subnet routes available to the Cloud Router, select Advertise all subnets visible to the Cloud Router. This setting replicates the default configuration to your custom configuration.

  7. For each advertised route that you want to add, do the following:

    1. Select Add custom route.
    2. For Source, select Custom IP range.
    3. For IP address range, enter one of the ranges that you want to use:
      • If you use private.googleapis.com:
        • For IPv4 connectivity: 199.36.153.8/30
        • For IPv6 connectivity: 2600:2d00:0002:2000::/64
      • If you use restricted.googleapis.com:
        • For IPv4 connectivity: 199.36.153.4/30
        • For IPv6 connectivity: 2600:2d00:0002:1000::/64
    4. Click Done.
  8. After you're done adding routes, select Save.

To update the route advertisement mode for a particular BGP session:

  1. In the Google Cloud console, go to the Cloud Router page.

  2. Select the Cloud Router that manages the BGP session for a Cloud VPN tunnel or VLAN attachment that connects your on-premises network to your VPC network.

  3. In the Cloud Router's detail page, select the BGP session to update.

  4. In the BGP session details page, click Edit.

  5. For the Routes, select Create custom routes.

  6. Select Advertise all subnets visible to the Cloud Router to advertise all subnet routes available to the Cloud Router if you desire the Cloud Router's default behavior.

  7. For each advertised route that you want to add, do the following:

    1. Select Add custom route.
    2. For Source, select Custom IP range.
    3. For IP address range, enter one of the ranges that you want to use:
      • If you use private.googleapis.com:
        • For IPv4 connectivity: 199.36.153.8/30
        • For IPv6 connectivity: 2600:2d00:0002:2000::/64
      • If you use restricted.googleapis.com:
        • For IPv4 connectivity: 199.36.153.4/30
        • For IPv6 connectivity: 2600:2d00:0002:1000::/64
    4. Click Done.
  8. After you're done adding routes, select Save.

gcloud

  1. Identify the name and region of the Cloud Router that manages BGP sessions on the Cloud VPN tunnels or VLAN attachments that connect your on-premises network to your VPC network.

  2. Use compute routers update to update the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:

    gcloud compute routers update ROUTER_NAME \
        --region=REGION \
        --advertisement-mode=CUSTOM \
        --set-advertisement-groups=ALL_SUBNETS \
        --set-advertisement-ranges=CUSTOM_RANGES

    You can append new advertisement ranges if you're already using the CUSTOM advertisement mode for the Cloud Router. This updates the route advertisement mode on all the Cloud Router's BGP sessions, except for those BGP sessions that use custom BGP advertisements themselves:

    gcloud compute routers update ROUTER_NAME \
        --region=REGION \
        --add-advertisement-ranges=CUSTOM_RANGES

  3. Alternatively, use compute routers update-bgp-peer to configure a specific BGP peer on the Cloud Router:

    If you are adding IPv6 custom ranges, and if IPv6 traffic is disabled for the BGP session, you can enable it with the --enable-ipv6 flag.

    gcloud compute routers update-bgp-peer ROUTER_NAME \
        --region=REGION \
        --peer-name=PEER_NAME \
        --advertisement-mode=CUSTOM \
        --set-advertisement-groups=ALL_SUBNETS \
        --set-advertisement-ranges=CUSTOM_RANGES

    You can append new advertisement ranges if you're already using the CUSTOM advertisement mode for a BGP session on a Cloud Router.

    If you are adding IPv6 custom ranges, and if IPv6 traffic is disabled for the BGP session, you can enable it with the --enable-ipv6 flag.

    gcloud compute routers update-bgp-peer ROUTER_NAME \
        --region=REGION \
        --peer-name=PEER_NAME \
        --add-advertisement-ranges=CUSTOM_RANGES

    In the commands above, replace the following with valid values:

    • ROUTER_NAME: The name of the Cloud Router
    • REGION: The region of the Cloud Router
    • PEER_NAME: The name of the BGP peer configured when you create a VLAN attachment for Dedicated Interconnect, when you create a VLAN attachment for Partner Interconnect, or when you create an HA VPN tunnel
    • Leave --set-advertisement-groups=ALL_SUBNETS in order to advertise all subnet routes available to the Cloud Router. This is the Cloud Router's default behavior.
    • CUSTOM_RANGES: A comma-delimited list of custom ranges to advertise.
      • For private.googleapis.com:
        • For IPv4 connectivity: 199.36.153.8/30
        • For both IPv4 and IPv6 connectivity: 199.36.153.8/30,2600:2d00:0002:2000::/64
      • For restricted.googleapis.com:
        • For IPv4 connectivity: 199.36.153.4/30
        • For both IPv4 and IPv6 connectivity: 199.36.153.4/30,2600:2d00:0002:1000::/64

Firewall considerations

Google Cloud firewall rules in the VPC network to which your on-premises network connects have no effect upon:

  • Packets sent through a Cloud VPN tunnel connected to the VPC network
  • Packets sent through a VLAN attachment connected to the VPC network
  • Incoming packets to Cloud DNS inbound forwarder IP addresses in the VPC network

You should ensure that the firewall configuration of on-premises systems allows outbound traffic to and established responses from the appropriate IP addresses:

  • If you use private.googleapis.com:
    • For IPv4 connectivity: 199.36.153.8/30
    • For IPv6 connectivity: 2600:2d00:0002:2000::/64
  • If you use restricted.googleapis.com:
    • For IPv4 connectivity: 199.36.153.4/30
    • For IPv6 connectivity: 2600:2d00:0002:1000::/64
  • Any Cloud DNS inbound forwarder IP addresses, if you're using Cloud DNS for the DNS configuration


Last updated 2025-12-17 UTC.