Private Google Access
VM instances that only have internal IP addresses (no external IP addresses) can
use Private Google Access. They can reach the external IP addresses of Google
APIs and services. The source IP address of the packet can be the primary
internal IP address of the network interface or an address in an alias IP range
that is assigned to the interface. If you disable Private Google Access, the
VM instances can no longer reach Google APIs and services; they can only send
traffic within the VPC network.
Private Google Access has no effect on instances that have external IP
addresses. Instances with external IP addresses can access the internet,
according to the internet access
requirements. They don't need any special
configuration to send requests to the external IP addresses of Google APIs and
services.
You enable Private Google Access on a subnet by subnet basis; it's a setting
for subnets in a VPC network. To enable a subnet for
Private Google Access and to view the requirements, see Configure
Private Google Access.
Supported services
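Private Google Access lets you access Google APIs and services
that are hosted in Google's production infrastructure.
Other Google services are hosted in VPC networks and can be
accessed by using the following methods:
- To connect to services that are published using the Service Networking API,
  see private services access.
- To connect to services that are published using Private Service Connect,
  see Access managed services.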
Example
The following diagram shows an implementation of Private Google Access.
Figure: Implementation of Private Google Access.
The VPC network has been configured to meet the DNS, routing,
and firewall network requirements
for Google APIs and services. Private Google Access has been enabled on
subnet-a, but not on subnet-b.
- VM A1 can access Google APIs and services, including Cloud Storage,
  because its network interface is located in subnet-a, which has
  Private Google Access enabled. Private Google Access applies to the instance
  because it only has an internal IP address.
- VM B1 cannot access Google APIs and services because it only has an
  internal IP address and Private Google Access is disabled for subnet-b.
- VM A2 and VM B2 can both access Google APIs and services, including
  Cloud Storage, because they each have external IP addresses.
  Private Google Access has no effect on whether or not these instances can
  access Google APIs and services because both have external IP addresses.
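The four VMs from the example above, written as an inventory check that is added here and is not part of the original documentation. It assumes the VPC already meets the DNS, routing, and firewall requirements and looks at IPv4 external addresses only; the field names are those of Compute Engine's JSON output, while the project, region, VM names, and addresses are constructed.

```python
# Constructed inventory, reduced to the fields read below. Field names follow the
# Compute Engine resources that `gcloud compute ... list --format=json` prints;
# the project, region, addresses and VM names are made up.
P = "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1/subnetworks/"
SUBNETS = [
    {"selfLink": P + "subnet-a", "privateIpGoogleAccess": True},
    {"selfLink": P + "subnet-b", "privateIpGoogleAccess": False},
]
INSTANCES = [
    {"name": "vm-a1", "networkInterfaces": [{"subnetwork": P + "subnet-a"}]},
    {"name": "vm-a2", "networkInterfaces": [
        {"subnetwork": P + "subnet-a", "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "vm-b1", "networkInterfaces": [{"subnetwork": P + "subnet-b"}]},
    {"name": "vm-b2", "networkInterfaces": [
        {"subnetwork": P + "subnet-b", "accessConfigs": [{"natIP": "203.0.113.11"}]}]},
]

def classify(instances, subnets):
    """Map each VM name to one verdict per network interface."""
    pga = {s["selfLink"]: bool(s.get("privateIpGoogleAccess")) for s in subnets}
    verdicts = {}
    for vm in instances:
        per_nic = []
        for nic in vm.get("networkInterfaces", []):
            # Only an access config with an assigned natIP counts as an external address.
            if any(ac.get("natIP") for ac in nic.get("accessConfigs", [])):
                per_nic.append("external-ip")            # subnet setting has no effect
            elif pga.get(nic.get("subnetwork"), False):
                per_nic.append("private-google-access")  # internal-only, subnet enabled
            else:
                per_nic.append("vpc-only")               # internal-only, subnet disabled
        verdicts[vm["name"]] = per_nic
    return verdicts

def depends_on_pga(verdicts):
    """VMs with an interface that reaches Google APIs only through the subnet setting."""
    return sorted(n for n, v in verdicts.items() if "private-google-access" in v)

def cut_off(verdicts):
    """VMs whose interfaces can all only send traffic within the VPC network."""
    return sorted(n for n, v in verdicts.items() if v and all(x == "vpc-only" for x in v))

if __name__ == "__main__":
    result = classify(INSTANCES, SUBNETS)
    for name, per_nic in result.items():
        print(name, per_nic)
    print("depends on Private Google Access:", depends_on_pga(result))
    print("cut off from Google APIs:", cut_off(result))
```

The `depends_on_pga` list is the set to review before disabling the setting on a subnet, and the `external-ip` verdicts mark instances whose API access the setting does not govern.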
Last updated 2025-08-25 UTC.