Private Google Access for on-premises hosts

On-premises hosts can reach Google APIs and services by using Cloud VPN or Cloud Interconnect from your on-premises network to Google Cloud. On-premises hosts can send traffic from the following types of source IP addresses:

  • a private IP address, such as an RFC 1918 address
  • a privately used public IP address, except for a Google-owned public IP address. (Private Google Access for on-premises hosts does not support re-using Google public IP addresses as sources in your on-premises network.)

To enable Private Google Access for on-premises hosts, you must configure DNS, firewall rules, and routes in your on-premises and VPC networks. You don't need to enable Private Google Access for any subnets in your VPC network as you would for Private Google Access for Google Cloud VM instances.

On-premises hosts must connect to Google APIs and services by using the virtual IP addresses (VIPs) for either the restricted.googleapis.com or private.googleapis.com domains. Refer to Private Google Access-specific domains and VIPs for more details.

Google publicly publishes DNS A records that resolve the domains to a VIP range. Even though the ranges have external IP addresses, Google does not publish routes for them. Therefore, you must add a custom advertised route on a Cloud Router and have an appropriate custom static route in your VPC network for the VIP's destination.

The route must have a destination matching one of the VIP ranges and a next hop being the default internet gateway. Traffic sent to the VIP range stays within Google's network instead of traversing the public internet because Google does not publish routes to them externally.

For configuration information, see Configure Private Google Access for on-premises hosts.

Supported services

Services available to on-premises hosts are limited to those supported by the domain name and VIP used to access them. For more information, see Domain options.

Example

In the following example, the on-premises network is connected to a VPC network through a Cloud VPN tunnel. Traffic from on-premises hosts to Google APIs travels through the tunnel to the VPC network. After traffic reaches the VPC network, it is sent through a route that uses the default internet gateway as its next hop. This next hop allows traffic to leave the VPC network and be delivered to restricted.googleapis.com (199.36.153.4/30).

Private Google Access for hybrid cloud use case.
  • The on-premises DNS configuration maps *.googleapis.com requests to restricted.googleapis.com, which resolves to the 199.36.153.4/30 range.
  • Cloud Router has been configured to advertise the 199.36.153.4/30 IP address range through the Cloud VPN tunnel by using a custom advertised route. Traffic going to Google APIs is routed through the tunnel to the VPC network.
  • A custom static route was added to the VPC network that directs traffic with the destination 199.36.153.4/30 to the default internet gateway (as the next hop). Google then routes traffic to the appropriate API or service.
  • If you created a Cloud DNS managed private zone for *.googleapis.com that maps to 199.36.153.4/30 and have authorized that zone for use by your VPC network, requests to anything in the googleapis.com domain are sent to the IP addresses that are used by restricted.googleapis.com. Only the supported APIs are accessible with this configuration, which might cause other services to be unreachable. Cloud DNS doesn't support partial overrides. If you require partial overrides, use BIND.
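The example above has three pieces that must all line up: on-premises DNS answers inside the restricted VIP range, a Cloud Router advertisement covering that range, and a VPC static route sending it to the default internet gateway. The following added checker (not Google's code; the sample DNS answers, advertised ranges and route entries are constructed, and the function names are hypothetical) validates exported copies of those three configurations against the 199.36.153.4/30 range, flagging any googleapis.com name that still resolves to a public address and would therefore bypass the tunnel.

```python
"""Offline sanity check for the hybrid Private Google Access setup:
on-prem DNS answers, Cloud Router custom advertisement and the VPC route.
All inputs below are constructed samples, not live data."""
import ipaddress

# Restricted VIP range from the example (restricted.googleapis.com).
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")

# Constructed sample of what the on-prem resolver returns for a few names.
SAMPLE_DNS = {
    "storage.googleapis.com": ["199.36.153.4"],
    "restricted.googleapis.com": ["199.36.153.4", "199.36.153.5",
                                  "199.36.153.6", "199.36.153.7"],
    # Constructed misconfiguration: still resolves to a public address.
    "www.googleapis.com": ["203.0.113.10"],
}
# Constructed samples of the Cloud Router advertised ranges and VPC routes.
SAMPLE_ADVERTISED = ["199.36.153.4/30"]
SAMPLE_ROUTES = [
    {"dest": "199.36.153.4/30", "next_hop": "default-internet-gateway"},
    {"dest": "0.0.0.0/0", "next_hop": "default-internet-gateway"},
]


def dns_leaks(answers):
    """Names under googleapis.com with any A record outside the VIP range."""
    leaks = []
    for name, addrs in answers.items():
        if not name.endswith("googleapis.com"):
            continue
        if any(ipaddress.ip_address(a) not in RESTRICTED_VIP for a in addrs):
            leaks.append(name)
    return sorted(leaks)


def static_route_ok(routes):
    """True if a route with destination exactly the VIP range uses the
    default internet gateway as next hop (a broader route does not count)."""
    return any(ipaddress.ip_network(r["dest"]) == RESTRICTED_VIP
               and r["next_hop"] == "default-internet-gateway"
               for r in routes)


def advertised_ok(ranges):
    """True if some advertised range covers the VIP range (assumption: a
    covering prefix is accepted, an exact match is the usual choice)."""
    return any(RESTRICTED_VIP.subnet_of(ipaddress.ip_network(r))
               for r in ranges)


def check_setup(answers, advertised, routes):
    """Summarize the three checks for the given exported configuration."""
    return {"dns_leaks": dns_leaks(answers),
            "advertised": advertised_ok(advertised),
            "static_route": static_route_ok(routes)}
```

Run `check_setup(SAMPLE_DNS, SAMPLE_ADVERTISED, SAMPLE_ROUTES)` to see the constructed www.googleapis.com leak reported while the route and advertisement pass.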

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.