Set up private connectivity to Google APIs and services
This document describes how to set up private connectivity from hosts in a VPC network or on-premises network to Google APIs and services that VPC Service Controls supports.
Before you read this document, we recommend that you familiarize yourself with Private Google Access concepts, specifications, and network configuration. See example topology diagrams about using Private Google Access with VPC Service Controls.
Before you begin
- Enable the APIs that you want to access through the APIs & services page in the Google Cloud console.
- Ensure that you have the required role to create or update subnets. Project owners, editors, and IAM principals with the Network Admin role can create or update subnets and assign IP addresses. For more information about roles, read the IAM roles documentation.
- Verify that a VPC network is set up for Private Google Access and Private Google Access for on-premises hosts. Both auto and custom mode VPC networks are supported. Legacy networks are not supported.
- Ensure that VM instances in a VPC network have a private IP address (no public IP address) and are in a subnet with Private Google Access enabled.
- For on-premises hosts, ensure that you have an existing Cloud VPN tunnel or a Cloud Interconnect connection to your VPC network. To support on-premises hosts that have IPv6 addresses, see IPv6 support.
Overview of procedure
To set up private connectivity, complete the following tasks:
- Configure routes for the restricted.googleapis.com IP address ranges. For more information, see Configure routes.
- Configure firewall rules to let the appropriate traffic reach the restricted.googleapis.com IP address ranges. For more information, see Configure firewall rules.
- Configure DNS so that traffic to Google APIs resolves to the restricted.googleapis.com IP address ranges. For more information, see Configure DNS.
IPv6 support for restricted.googleapis.com
You can access Google APIs by using the IPv6 address range for the restricted.googleapis.com domain: 2600:2d00:0002:1000::/56.
Consider configuring the IPv6 addresses if you want to use the restricted.googleapis.com domain and you have clients that use IPv6 addresses. IPv6 clients that also have IPv4 addresses configured can reach Google APIs and services by using the IPv4 addresses. Not all services accept traffic from IPv6 clients.
To let IPv6 clients in your on-premises environment access Google APIs by using restricted.googleapis.com, you must configure the connection to your VPC network to support IPv6. For more information, see the following pages:
On-premises clients can send requests from any IPv6 GUA or ULA addresses, except for the ULA range fda3:e722:ac3:cc00::/64, which is reserved for internal use.
For more information about the restricted.googleapis.com VIP, see Configure Private Google Access.
Direct connectivity to APIs and services
Some Google APIs and services support direct connectivity from Compute Engine virtual machine (VM) instances, bypassing Google Front Ends (GFEs), which offers better performance.
To establish direct connectivity, your routes and firewall rules must allow IPv4 traffic to reach 34.126.0.0/18 and IPv6 traffic to reach 2001:4860:8040::/42.
These IP addresses support VPC Service Controls. Additionally, DNS records don't need to be created for these addresses.
Note that direct connectivity is available only from Google Cloud resources and is not supported from on-premises hosts.
Configure routes to restricted.googleapis.com
Although VPC Service Controls are enforced for compatible and configured services regardless of the domain you use, restricted.googleapis.com provides additional risk mitigation for data exfiltration: restricted.googleapis.com denies access to Google APIs and services that are not supported by VPC Service Controls.
For both Private Google Access and Private Google Access for on-premises hosts, your VPC network must include a route for the restricted.googleapis.com IP address ranges whose next hop is the default internet gateway. Even though the next hop is a default internet gateway, the traffic sent to restricted.googleapis.com remains within Google's network.
If your VPC network does not have a default route whose next hop is the default internet gateway, you can create a custom static route whose destination is the restricted.googleapis.com IP address range and whose next hop is the default internet gateway. To prevent access to the internet, you must remove other routes whose next hop is the default internet gateway.
For more information about working with VPC routes, see Using Routes in the VPC documentation.
Configure custom static routes in a VPC network
Add custom static routes to enable access to Google-managed services that VPC Service Controls supports.
gcloud compute routes create ROUTE_NAME \
    --network=NETWORK_NAME \
    --destination-range=DESTINATION_RANGE \
    --next-hop-gateway=default-internet-gateway
Replace the following:
- ROUTE_NAME: a name for the custom route
- NETWORK_NAME: the name of your VPC network
- DESTINATION_RANGE: the destination range for the route:
  - To route traffic to the restricted.googleapis.com VIP, use the following ranges:
    - For IPv4 traffic: 199.36.153.4/30
    - For IPv6 traffic: 2600:2d00:0002:1000::/56
  - To route traffic to APIs that allow direct connectivity, use the following ranges:
    - For IPv4 traffic: 34.126.0.0/18
    - For IPv6 traffic: 2001:4860:8040::/42
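The following script is an added example and is not part of the Google Cloud documentation. It prints the four route-creation commands for the ranges listed above and, because this section says that other routes whose next hop is the default internet gateway must be removed, it also audits a route listing for exactly those routes. The route names (restricted-apis-v4 and so on) and the sample listing are constructed here; the listing format is that of gcloud compute routes list --format='value(name,destRange,nextHopGateway)'.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Prints the
# "gcloud compute routes create" commands for the four Google API ranges and
# audits an existing route listing for other default-internet-gateway routes.
# Route names (restricted-apis-v4, ...) are chosen here; the ranges are the
# ones documented for restricted.googleapis.com and direct connectivity.

RESTRICTED_V4="199.36.153.4/30"
RESTRICTED_V6="2600:2d00:0002:1000::/56"
DIRECT_V4="34.126.0.0/18"
DIRECT_V6="2001:4860:8040::/42"

# Print one "routes create" command per range for the given VPC network.
# Usage: route_create_cmds NETWORK_NAME   (pipe the output into sh to apply)
route_create_cmds() {
  net="$1"
  for pair in \
    "restricted-apis-v4 $RESTRICTED_V4" \
    "restricted-apis-v6 $RESTRICTED_V6" \
    "direct-apis-v4 $DIRECT_V4" \
    "direct-apis-v6 $DIRECT_V6"; do
    set -- $pair   # $1 = route name, $2 = destination range
    printf 'gcloud compute routes create %s --network=%s --destination-range=%s --next-hop-gateway=default-internet-gateway\n' \
      "$1" "$net" "$2"
  done
}

# Audit: read the output of
#   gcloud compute routes list --format='value(name,destRange,nextHopGateway)'
# on stdin (tab-separated), print every route whose next hop is the default
# internet gateway but whose destination is not one of the four API ranges,
# and return 1 if any was found. Such routes give instances a path to the
# internet, which the section above says to remove.
audit_internet_routes() {
  found=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name dest gw; do
    case "$gw" in
      *default-internet-gateway) ;;
      *) continue ;;
    esac
    case "$dest" in
      "$RESTRICTED_V4"|"$RESTRICTED_V6"|"$DIRECT_V4"|"$DIRECT_V6") ;;
      *) printf 'REMOVE: route %s (%s) still reaches the internet\n' "$name" "$dest"
         found=1 ;;
    esac
  done
  return "$found"
}

# Constructed sample listing (not real gcloud output) for the stand-alone run.
GW="https://www.googleapis.com/compute/v1/projects/example-project/global/gateways/default-internet-gateway"
SAMPLE_ROUTES=$(
  printf '%s\t%s\t%s\n' default-route-abc 0.0.0.0/0 "$GW"
  printf '%s\t%s\t%s\n' restricted-apis-v4 199.36.153.4/30 "$GW"
  printf '%s\t%s\t%s\n' subnet-route 10.0.0.0/24 ""
)

if [ "${1:-}" = "demo" ]; then
  route_create_cmds my-vpc
  printf '%s\n' "$SAMPLE_ROUTES" | audit_internet_routes || echo "audit: internet routes present"
fi
```

Run it with `sh pga-routes.sh demo` to see the generated commands and the audit verdict on the sample; against a real project, feed `gcloud compute routes list --format='value(name,destRange,nextHopGateway)'` into `audit_internet_routes`. On the sample the 0.0.0.0/0 route is flagged and the restricted-apis-v4 route is not.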
Announce the restricted route to hosts in an on-premises network
If you're using Private Google Access for on-premises hosts, configure routes so that Google API traffic is forwarded through your Cloud VPN or Cloud Interconnect connection. To announce the restricted VIP address ranges to your on-premises network, use Cloud Router custom advertisement mode. The restricted VIP address ranges are only accessible to on-premises hosts that can reach your VPC network through private IP addresses.
Note: If you have multiple tunnels or interconnects, you can't create cross-region asymmetric routes back to your on-premises network. Google Cloud doesn't support them.
You can add this custom advertised route to a Cloud Router (for all BGP sessions on the router) or to a select BGP session (for a single Cloud VPN tunnel or VLAN attachment).
IPv6 routes are advertised only in BGP sessions where IPv6 is enabled.
To create a custom advertised route for the restricted range for all BGP sessions on an existing Cloud Router, follow these steps:
Console
In the Google Cloud console, go to the Cloud Routers page.
Select the Cloud Router to update.
In the Cloud Router's detail page, select Edit.
Expand the Advertised routes section.
For the Routes, select Create custom routes.
To continue advertising the subnets available to the Cloud Router, select Advertise all subnets visible to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
To add an advertised route, select Add custom route.
Configure the route advertisement.
- Source: Select Custom IP range.
- IP address range:
  - For IPv4 connectivity: 199.36.153.4/30
  - For IPv6 connectivity: 2600:2d00:0002:1000::/56
- Description: Add a description of Restricted Google APIs IPs.
After you add routes, select Save.
gcloud
Run the update command, using either the --set-advertisement-ranges or --add-advertisement-ranges flag to specify the custom IP ranges:
To set custom IP ranges, use the --set-advertisement-ranges flag. Any existing custom advertised routes are replaced. The following example updates the my-router Cloud Router to advertise all subnets and the restricted.googleapis.com IP address ranges.
gcloud compute routers update my-router \
    --advertisement-mode CUSTOM \
    --set-advertisement-groups ALL_SUBNETS \
    --set-advertisement-ranges RANGES
Replace RANGES with the ranges that you want to use:
- For IPv4 connectivity: 199.36.153.4/30
- For IPv6 connectivity: 2600:2d00:0002:1000::/56
- For both IPv4 and IPv6 connectivity: 199.36.153.4/30,2600:2d00:0002:1000::/56
To append custom IP ranges to an existing advertisement, use the --add-advertisement-ranges flag. Note that this flag requires the Cloud Router's advertisement mode to already be set to custom. The following example adds the restricted.googleapis.com IP address ranges to the Cloud Router's advertisements:
gcloud compute routers update my-router \
    --add-advertisement-ranges RANGES
Replace RANGES with the ranges that you want to use:
- For IPv4 connectivity: 199.36.153.4/30
- For IPv6 connectivity: 2600:2d00:0002:1000::/56
- For both IPv4 and IPv6 connectivity: 199.36.153.4/30,2600:2d00:0002:1000::/56
To create a custom advertised route for the restricted range on a specific BGP session of an existing Cloud Router, follow these steps:
Console
In the Google Cloud console, go to the Cloud Routers page.
Select the Cloud Router that contains the BGP session to update.
In the Cloud Router's detail page, select the BGP session to update.
In the BGP session details page, select Edit.
For the Routes, select Create custom routes.
Select Advertise all subnets visible to the Cloud Router to continue advertising the subnets available to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
Select Add custom route to add an advertised route.
Configure the route advertisement.
- Source: Select Custom IP range to specify a custom IP range.
- IP address range:
  - For IPv4 connectivity: 199.36.153.4/30
  - For IPv6 connectivity: 2600:2d00:0002:1000::/56
- Description: Add a description of Restricted Google APIs IPs.
After you're done adding routes, select Save.
gcloud
Run the update-bgp-peer command, using either the --set-advertisement-ranges or --add-advertisement-ranges flag to specify the custom IP ranges.
To set custom IP ranges, use the --set-advertisement-ranges flag. Any existing custom advertised routes are replaced. If you are adding IPv6 custom ranges, and if IPv6 traffic is disabled for the BGP session, you can enable it with the --enable-ipv6 flag. The following example updates the my-bgp-session BGP session on the my-router Cloud Router to advertise all subnets and the custom IP range:
gcloud compute routers update-bgp-peer my-router \
    --peer-name my-bgp-session \
    --advertisement-mode CUSTOM \
    --set-advertisement-groups ALL_SUBNETS \
    --set-advertisement-ranges RANGES
Replace RANGES with the ranges that you want to use:
- For IPv4 connectivity: 199.36.153.4/30
- For IPv6 connectivity: 2600:2d00:0002:1000::/56
- For both IPv4 and IPv6 connectivity: 199.36.153.4/30,2600:2d00:0002:1000::/56
To append custom IP ranges to existing ones, use the --add-advertisement-ranges flag. Note that this flag requires the Cloud Router's advertisement mode to already be set to custom. If you are adding IPv6 custom ranges, and if IPv6 traffic is disabled for the BGP session, you can enable it with the --enable-ipv6 flag. The following example adds the restricted VIP address ranges to the Cloud Router's advertisements:
gcloud compute routers update-bgp-peer my-router \
    --peer-name my-bgp-session \
    --add-advertisement-ranges RANGES
Replace RANGES with the ranges that you want to use:
- For IPv4 connectivity: 199.36.153.4/30
- For IPv6 connectivity: 2600:2d00:0002:1000::/56
- For both IPv4 and IPv6 connectivity: 199.36.153.4/30,2600:2d00:0002:1000::/56
For more information about custom advertisement mode, see Custom advertised routes.
Configure firewall rules
For Private Google Access, VM instances use internal IP addresses and don't require external IP addresses to reach protected Google API resources. However, it's possible for VM instances to possess external IP addresses or otherwise meet the requirements for internet access. In addition to custom advertised routes, you can restrict egress traffic from VM instances in your VPC network by creating firewall rules to deny egress traffic.
By default, the implied allow egress firewall rule permits VM instances to send traffic to any destination if an applicable route exists. You can first create an egress deny rule to block all outbound traffic. You can then create higher priority egress rules that permit traffic to selected destinations in your VPC network and to the restricted.googleapis.com IP address ranges. All communication to restricted.googleapis.com is on TCP port 443.
To let traffic from Google Cloud reach the restricted.googleapis.com VIPs, add firewall rules for the following destinations:
- For IPv4 traffic: 199.36.153.4/30
- For IPv6 traffic: 2600:2d00:0002:1000::/56
To allow traffic from Google Cloud to reach APIs and services that allow direct connectivity, add firewall rules for the following destinations:
- For IPv4 traffic: 34.126.0.0/18
- For IPv6 traffic: 2001:4860:8040::/42
For more information about working with VPC firewall rules, see Use VPC firewall rules in the Cloud Next Generation Firewall documentation.
Configure your on-premises firewall rules to let traffic from your on-premises hosts reach the restricted.googleapis.com IP address ranges:
- For IPv4 traffic: 199.36.153.4/30
- For IPv6 traffic: 2600:2d00:0002:1000::/56
Direct connectivity to Google APIs and services is not supported from on-premises networks.
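The following script is an added example, not code from the Google Cloud documentation. It turns the deny-first, allow-selectively pattern described above into concrete gcloud commands: a low-priority deny-all egress rule per IP version (a VPC firewall rule cannot mix IPv4 and IPv6 ranges) and higher-priority allow rules to the restricted VIP and direct-connectivity ranges. The rule names and priorities are chosen here; tcp:443 is what the page documents for restricted.googleapis.com and is assumed for the direct-connectivity ranges as well.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Prints the firewall
# rules described in this section: a low-priority deny-all egress rule (one
# per IP version, because a rule cannot mix IPv4 and IPv6 ranges) plus
# higher-priority allows on tcp:443 to the restricted VIP and the
# direct-connectivity ranges. Rule names and priorities are chosen here;
# tcp:443 is documented for restricted.googleapis.com and assumed here for
# the direct-connectivity ranges too.

# Print the commands for NETWORK. ALLOW_PRIO must be numerically lower
# (i.e. evaluated first) than DENY_PRIO, otherwise nothing gets out.
# Usage: fw_cmds NETWORK_NAME [ALLOW_PRIO] [DENY_PRIO]
fw_cmds() {
  net="$1"; allow="${2:-1000}"; deny="${3:-65534}"
  if [ "$allow" -ge "$deny" ]; then
    echo "fw_cmds: allow priority $allow must be lower than deny priority $deny" >&2
    return 1
  fi
  base="gcloud compute firewall-rules create"
  # Deny everything outbound first (evaluated after the allows below).
  printf '%s deny-all-egress-v4 --network=%s --direction=EGRESS --action=DENY --rules=all --destination-ranges=0.0.0.0/0 --priority=%s\n' \
    "$base" "$net" "$deny"
  printf '%s deny-all-egress-v6 --network=%s --direction=EGRESS --action=DENY --rules=all --destination-ranges=::/0 --priority=%s\n' \
    "$base" "$net" "$deny"
  # Then allow only the Google API ranges on TCP 443.
  for pair in \
    "allow-restricted-apis-v4 199.36.153.4/30" \
    "allow-restricted-apis-v6 2600:2d00:0002:1000::/56" \
    "allow-direct-apis-v4 34.126.0.0/18" \
    "allow-direct-apis-v6 2001:4860:8040::/42"; do
    set -- $pair   # $1 = rule name, $2 = destination range
    printf '%s %s --network=%s --direction=EGRESS --action=ALLOW --rules=tcp:443 --destination-ranges=%s --priority=%s\n' \
      "$base" "$1" "$net" "$2" "$allow"
  done
}

# Usage: sh pga-firewall.sh demo      (prints the six commands for my-vpc)
if [ "${1:-}" = "demo" ]; then
  fw_cmds my-vpc
fi
```

The priority check matters because VPC firewall rules with a lower number win: if the deny-all rule were given a lower number than the allows, the allows would never be reached. Pipe the output into sh once you have replaced my-vpc with your network; add further allow rules for any internal destinations your instances still need.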
Configure DNS
You can use managed private zones for your VPC networks. Cloud DNS private DNS zones enable you to host a DNS zone accessible from authorized VPC networks. To configure forwarding from certain on-premises name servers, you can use the restricted.googleapis.com IP address ranges. You can then create a private zone for googleapis.com with a DNS A record that maps restricted.googleapis.com and appropriate CNAME records for each *.googleapis.com name. For more information, see Managing zones.
For on-premises access, you can configure a Cloud DNS inbound forwarding policy to enable on-premises name servers to query a Cloud DNS managed private zone. You can also configure an on-premises name server, such as one using BIND.
Note: We suggest that you use BIND only for on-premises implementations.
Configure DNS with Cloud DNS
To enable DNS resolution for VM instances in your VPC network, hosts in an on-premises network, or both, use Cloud DNS. If you're using Shared VPC, see Private zones and Shared VPC in the Cloud DNS documentation. Also, if you're using Shared VPC, we recommend that you include the Shared VPC network host project in the same service perimeter as projects that connect to the network.
Configure Cloud DNS by using private zones
You can use private zones to configure Cloud DNS:
Create a managed private zone for your VPC network.
gcloud dns managed-zones create ZONE_NAME \
    --visibility=private \
    --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \
    --description=DESCRIPTION \
    --dns-name=googleapis.com
Replace the following:
- ZONE_NAME: a name for the zone that you are creating. For example, vpc. This name is used in each of the following steps.
- PROJECT_ID: the ID of the project that hosts your VPC network.
- NETWORK_NAME: the name of your VPC network.
- DESCRIPTION: an optional, human-readable description of the managed zone.
Start a transaction.
gcloud dns record-sets transaction start --zone=ZONE_NAME
Replace ZONE_NAME with the name of the zone that you created in the first step.
Add DNS records. The wildcard name is quoted so that the shell cannot expand it.
gcloud dns record-sets transaction add --name="*.googleapis.com." \
    --type=CNAME restricted.googleapis.com. \
    --zone=ZONE_NAME \
    --ttl=300
Replace ZONE_NAME with the name of the zone that you created in the first step.
gcloud dns record-sets transaction add --name=restricted.googleapis.com. \
    --type=A 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \
    --zone=ZONE_NAME \
    --ttl=300
Replace ZONE_NAME with the name of the zone that you created in the first step.
If you're configuring the IPv6 addresses for restricted.googleapis.com, also create the following record set:
gcloud dns record-sets transaction add --name=restricted.googleapis.com. \
    --type=AAAA 2600:2d00:0002:1000:: \
    --zone=ZONE_NAME \
    --ttl=300
Execute the transaction.
gcloud dns record-sets transaction execute --zone=ZONE_NAME
Replace ZONE_NAME with the name of the zone that you created in the first step.
Optional. To enable on-premises hosts to reach the restricted VIP, complete the following steps:
Create a DNS policy and enable inbound DNS forwarding to make the VPC network's name resolution services externally available to systems in on-premises networks.
gcloud dns policies create POLICY_NAME \
    --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \
    --enable-inbound-forwarding \
    --description=DESCRIPTION
Replace the following:
- POLICY_NAME: a name for the policy that you are creating. For example, apipolicy.
- PROJECT_ID: the ID of the project that hosts your VPC network.
- NETWORK_NAME: the name of your VPC network.
- DESCRIPTION: an optional, human-readable description of the policy.
In your on-premises network, point your on-premises DNS to the Cloud DNS forwarder IP address. To find the forwarder IP address, use the compute addresses list command:
gcloud compute addresses list --filter='name ~ ^dns-forwarding.*' \
    --format='csv[no-heading](address, subnetwork)'
Note: Your VPC network only has a forwarder IP address if you have configured an inbound DNS forwarding policy for it. For more information about DNS policies, see the Cloud DNS server policies overview and Creating an inbound server policy.
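The script below is an added example and not part of the Google Cloud documentation: it assembles the private-zone, record-set and optional inbound-forwarding steps above into one run, so the A, CNAME, optional AAAA and policy steps stay consistent with each other. The zone name vpc and policy name apipolicy follow the page's examples; PROJECT_ID and NETWORK_NAME default to placeholders that you must override, and the IPV6 and INBOUND switches are this script's own.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: the private-zone,
# record and inbound-forwarding steps assembled into one script that prints
# the gcloud commands (pipe the output into sh to apply). Zone name "vpc" and
# policy name "apipolicy" follow the page's examples; PROJECT_ID and
# NETWORK_NAME default to placeholders that must be overridden.
ZONE_NAME="${ZONE_NAME:-vpc}"
PROJECT_ID="${PROJECT_ID:-PROJECT_ID_PLACEHOLDER}"
NETWORK_NAME="${NETWORK_NAME:-NETWORK_NAME_PLACEHOLDER}"
IPV6="${IPV6:-0}"        # 1 also publishes the AAAA record
INBOUND="${INBOUND:-0}"  # 1 also creates the inbound forwarding policy
NET_URL="https://www.googleapis.com/compute/v1/projects/$PROJECT_ID/global/networks/$NETWORK_NAME"

# Print every command of the procedure, in order.
dns_cmds() {
  printf 'gcloud dns managed-zones create %s --visibility=private --networks=%s --description="restricted Google APIs" --dns-name=googleapis.com\n' \
    "$ZONE_NAME" "$NET_URL"
  printf 'gcloud dns record-sets transaction start --zone=%s\n' "$ZONE_NAME"
  # The wildcard is quoted so the shell cannot glob-expand it.
  printf 'gcloud dns record-sets transaction add --name="*.googleapis.com." --type=CNAME restricted.googleapis.com. --zone=%s --ttl=300\n' \
    "$ZONE_NAME"
  printf 'gcloud dns record-sets transaction add --name=restricted.googleapis.com. --type=A 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 --zone=%s --ttl=300\n' \
    "$ZONE_NAME"
  if [ "$IPV6" = 1 ]; then
    printf 'gcloud dns record-sets transaction add --name=restricted.googleapis.com. --type=AAAA 2600:2d00:0002:1000:: --zone=%s --ttl=300\n' \
      "$ZONE_NAME"
  fi
  printf 'gcloud dns record-sets transaction execute --zone=%s\n' "$ZONE_NAME"
  if [ "$INBOUND" = 1 ]; then
    printf 'gcloud dns policies create apipolicy --networks=%s --enable-inbound-forwarding --description="inbound forwarding for on-premises resolvers"\n' \
      "$NET_URL"
    # Shows the forwarder address to point on-premises resolvers at.
    printf "gcloud compute addresses list --filter='name ~ ^dns-forwarding.*' --format='csv[no-heading](address, subnetwork)'\n"
  fi
}

# Number of record-set additions the transaction will carry (2, or 3 with IPv6).
record_count() { dns_cmds | grep -c 'record-sets transaction add'; }

# Usage: PROJECT_ID=my-proj NETWORK_NAME=my-vpc IPV6=1 sh pga-dns.sh demo
if [ "${1:-}" = "demo" ]; then
  dns_cmds
fi
```

Review the printed commands before piping them into sh; with INBOUND=1 the last line only lists the forwarder address, which you then configure as a forwarding target in the on-premises resolver.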
Configure DNS with BIND
If you use BIND for DNS resolution, you can configure it to resolve Google API requests to the restricted Google APIs. Use the following example BIND configuration, which makes use of response policy zones (RPZ) to achieve this behavior:
Add the following lines to /etc/bind/named.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
Add the following lines to /etc/bind/named.conf.options:
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    auth-nxdomain no;    # conform to RFC 1035
    listen-on-v6 { any; };
    listen-on { any; };
    response-policy { zone "googleapis.zone"; };
    allow-query { any; };
};
Add the following lines to /etc/bind/named.conf.local:
include "/etc/bind/named.conf.default-zones";
zone "googleapis.zone" {
    type master;
    file "/etc/bind/db.googleapis.zone";
    allow-query { none; };
};
Add the following lines to /etc/bind/db.googleapis.zone:
$TTL 1H
@                           SOA   LOCALHOST. noreply.localhost (1 1h 15m 30d 2h)
                            NS    LOCALHOST.
*.googleapis.com            CNAME restricted.googleapis.com.
restricted.googleapis.com   CNAME rpz-passthru.
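Whether resolution is provided by the Cloud DNS private zone or by the BIND response policy zone above, the outcome to verify is the same: every googleapis.com name a client asks for must come back as a CNAME to restricted.googleapis.com and an address inside 199.36.153.4/30 or 2600:2d00:0002:1000::/56. The following client-side check is an added example, not code from the Google Cloud documentation; the sample answers are constructed (203.0.113.10 is a documentation address, not a Google one), and the script name is this example's own.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: a client-side check
# that a googleapis.com name really resolves to the restricted VIP, whether
# the answer comes from the Cloud DNS private zone or from the BIND RPZ.
# Feed it "dig +short" output; the sample answers in the tests are
# constructed (203.0.113.10 is a documentation address, not a Google one).

# Return 0 if the address in $1 lies in 199.36.153.4/30 or
# 2600:2d00:0002:1000::/56 (fourth hextet 1000 to 10ff), else 1.
is_restricted_vip() {
  addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case "$addr" in
    199.36.153.4|199.36.153.5|199.36.153.6|199.36.153.7) return 0 ;;
    2600:2d00:2:10[0-9a-f][0-9a-f]:*|2600:2d00:0002:10[0-9a-f][0-9a-f]:*) return 0 ;;
  esac
  return 1
}

# Read "dig +short" lines on stdin. A name line (ends with a dot) must be
# restricted.googleapis.com.; every address line must be inside the VIP
# ranges. Prints a verdict per line and returns 1 if anything is off.
check_answers() {
  bad=0
  while read -r line; do
    [ -n "$line" ] || continue
    case "$line" in
      restricted.googleapis.com.) printf 'ok   CNAME %s\n' "$line" ;;
      *.) printf 'BAD  CNAME %s is not restricted.googleapis.com.\n' "$line"; bad=1 ;;
      *) if is_restricted_vip "$line"; then
           printf 'ok   %s\n' "$line"
         else
           printf 'BAD  %s is outside the restricted VIP ranges\n' "$line"; bad=1
         fi ;;
    esac
  done
  return "$bad"
}

# Usage: sh check-restricted-dns.sh check storage.googleapis.com
# (queries A and AAAA records through the host's configured resolver)
if [ "${1:-}" = "check" ] && [ -n "${2:-}" ]; then
  { dig +short "$2" A; dig +short "$2" AAAA; } | check_answers
fi
```

Run it from a VM in the subnet, or from an on-premises host that forwards to the Cloud DNS inbound forwarder or to the BIND server, and for several API hostnames; a BAD line means that name would leave through a public Google front end rather than the restricted VIP, so the zone, the forwarding path, or the client's resolver configuration needs attention.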
Configure DNS in special cases
When you need to configure DNS in special cases, keep the following in mind:
- Custom BIND is not supported when using Dataflow. To customize DNS resolution when using Dataflow with VPC Service Controls, use Cloud DNS private zones instead of using custom BIND servers. To use your own on-premises DNS resolution, consider using a Google Cloud DNS forwarding method.
- You might need to also configure DNS for gcr.io if, for example, you're using Google Kubernetes Engine (GKE). For more information, see Setting up Container Registry for GKE private clusters.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.