In this Course, we look at configuring Private Google access starting with an overview of what it is, before moving on to networking and DNS configuration as well as routing and firewalls. We'll then walk you through a guided demonstration of how to enable Private Google Access so that you get a practical understanding of the service.
We'll also look at Private Google Access for on-premises hosts, covering domain names, virtual IPs, networking and DNS configuration, and permissions. We'll wrap with Private Services Access and Serverless VPC Access.
Learning Objectives
- Learn about Private Google Access, its networking and DNS requirements, and how to configure routing and firewalls to use it
- Learn about Private Google Access for on-premises hosts, its requirements, its permissions, and how to use it
- Get a high-level overview of Private Services Access and Serverless VPC Access
Intended Audience
This Course is intended for those who wish to learn how to configure Private Google Access on the GCP platform.
Prerequisites
To get the most out of this Course, you should have a basic knowledge of GCP.
Welcome to Networking and DNS for Private Google Access for On-prem hosts. In this lesson, we are going to take a look at the network requirements that must be addressed in order to allow the on-prem resources to send traffic to Google APIs and services.
As we touched on earlier, to use Private Google Access for on-prem hosts, you need to direct traffic to either private.googleapis.com or restricted.googleapis.com, depending on your requirements. The private.googleapis.com domain can be used to access most Google APIs and services, including those that DO support VPC Service Controls and those that DO NOT support VPC Service Controls. The restricted.googleapis.com domain only provides access to APIs that DO support VPC Service Controls.
To use Private Google Access for on-prem hosts, you need to configure your on-prem DNS or Cloud DNS so that your on-prem resources can resolve the IP addresses for the private and restricted domain names. The process for configuring DNS for Private Google Access for on-prem hosts is identical to the process we covered in Networking and DNS Configuration for Private Google Access. However, there is one extra step that you need to take if you are using Cloud DNS rather than your own on-prem DNS.
If you opt to use Cloud DNS to resolve Google APIs and services domain names, you need to ensure that you configure your environment so that your on-prem resources can query the Cloud DNS zones that you create, because creating zones and records in Cloud DNS doesn't help you if your on-prem resources can't resolve against it.
To do this, you need to first create an inbound server policy in the VPC network that your on-prem network is connected to. You then need to configure your on-prem environment so that queries for googleapis.com and any other API and service domains are forwarded to an inbound forwarder entry point that exists in the same Google Cloud region as the Cloud VPN tunnel or Cloud Interconnect attachment that was used to connect the on-prem network to your VPC network.
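The private zone, the records for the chosen domain, and the inbound server policy described above, as an added Terraform example that is not part of the course. It assumes the Google provider is configured, that the VPC your Cloud VPN tunnel or Interconnect attachment terminates in is declared as google_compute_network.vpc, and uses Google's published VIP addresses for private.googleapis.com.

```hcl
# Added example; assumes google_compute_network.vpc is the VPC your on-prem link terminates in.

locals {
  # private.googleapis.com reaches most APIs; restricted.googleapis.com only
  # those behind VPC Service Controls. The VIP ranges are Google's published
  # ones: 199.36.153.8/30 for private, 199.36.153.4/30 for restricted.
  vip_domain = "private.googleapis.com."
  vip_addrs  = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
}

# Private zone for googleapis.com, visible only from the VPC network.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = google_compute_network.vpc.id
    }
  }
}

# A records pointing the chosen domain at its VIPs.
resource "google_dns_record_set" "vip" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = local.vip_domain
  type         = "A"
  ttl          = 300
  rrdatas      = local.vip_addrs
}

# Wildcard CNAME so every *.googleapis.com name lands on the VIPs.
resource "google_dns_record_set" "wildcard" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = [local.vip_domain]
}

# The extra on-prem step: an inbound server policy, which allocates a
# forwarder entry-point address in each subnet of the VPC.
resource "google_dns_policy" "inbound" {
  name                      = "inbound-from-onprem"
  enable_inbound_forwarding = true
  networks {
    network_url = google_compute_network.vpc.id
  }
}
```

After applying, the regional entry-point addresses (purpose DNS_RESOLVER) appear in `gcloud compute addresses list`; point your on-prem resolver's forwarding for googleapis.com at the one in the same region as your VPN tunnel or Interconnect attachment.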
For a refresher on configuring DNS, go back and take a look at the Networking and DNS Configuration for Private Google Access lesson in this course. Otherwise, join me in the next lesson, where we will talk about routing and firewalls when configuring Private Google Access for on-prem hosts.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.