Private Google Access-specific domains and VIPs
Difficulty
Intermediate
Duration
40m
Students
785
Ratings
4.5/5
Description

In this Course, we look at configuring Private Google Access, starting with an overview of what it is before moving on to networking and DNS configuration as well as routing and firewalls. We'll then walk you through a guided demonstration of how to enable Private Google Access so that you get a practical understanding of the service.

We'll also look at Private Google Access for on-premises hosts, covering domain names, virtual IPs, networking and DNS configuration, and permissions. We'll wrap with Private Services Access and Serverless VPC Access.

Learning Objectives

  • Learn about Private Google Access, its networking and DNS requirements, and how to configure routing and firewalls to use it
  • Learn about Private Google Access for on-premises hosts, its requirements, its permissions, and how to use it
  • Get a high-level overview of Private Services Access and Serverless VPC Access

Intended Audience

This Course is intended for those who wish to learn how to configure Private Google Access on Google Cloud Platform (GCP).

Prerequisites

To get the most out of this Course, you should have a basic knowledge of GCP.

Transcript

Welcome back! In this lesson, we are going to take a quick look at each of the Private Google Access-specific domains and VIPs. We’ll also take a look at what a typical configuration looks like when configuring Private Google Access for on-prem hosts.

If the table on your screen looks familiar, it’s because it’s the same table we looked at when we covered networking and DNS for Private Google Access. We aren’t going to re-hash the same lesson all over again, but I just wanted to touch on this topic in the context of Private Google Access for on-prem hosts, just to be complete.

When you enable Private Google Access for on-prem hosts, you must use one of the options shown in this table.

As with Private Google Access, we have entries for the default domains, the private.googleapis.com domain, and the restricted.googleapis.com domain.

The private.googleapis.com domain has the same IP range of 199.36.153.8/30 that we talked about earlier and is used to access Google APIs and services through a set of virtual IP addresses (VIPs) that are not routable from the internet. On-prem hosts can reach these VIPs only by way of a VPC network, over Cloud VPN or Cloud Interconnect.

The restricted.googleapis.com domain, with a range of 199.36.153.4/30, enables access to the Google APIs and services that are supported by VPC Service Controls and BLOCKS access to those that are not supported. You would use restricted.googleapis.com when you need to reach Google APIs and services through VIPs that are not routable from the internet and, at the same time, need to allow only the APIs and services that VPC Service Controls supports. In practice, this is the domain you point on-prem hosts at when those hosts are expected to stay inside a VPC Service Controls perimeter.

So, with that said, what does a typical Private Google Access for on-prem hosts configuration look like?

The image on your screen depicts a typical configuration for Private Google Access for on-prem hosts.

What this diagram shows is an on-prem network connected to a VPC network through a Cloud VPN tunnel. In such a configuration, traffic from an on-prem host bound for Google APIs will first traverse the VPN tunnel to reach the VPC network. Once this traffic hits the VPC network, it follows a route that has the default internet gateway configured as the next hop. This causes the traffic to leave the VPC network, but it does not leave Google's network: the VIPs are served by Google's own front ends, so no external IP address or Cloud NAT is needed and the traffic never traverses the public internet. Once it leaves the VPC network in this example, it is delivered to restricted.googleapis.com.

Let’s look at some of the specifics here.

Notice that the on-prem DNS in this example uses a CNAME record that maps *.googleapis.com to restricted.googleapis.com. restricted.googleapis.com, in turn, resolves to 199.36.153.4/30 (that is, 199.36.153.4 through 199.36.153.7) through Google’s published DNS records.

The Cloud Router in this example advertises the 199.36.153.4/30 range through the Cloud VPN tunnel. This is achieved through a custom route advertisement. As a result, traffic bound for Google APIs gets routed through the VPN to the VPC network in Google Cloud.

Now, once the traffic hits the VPC network, a custom static route that’s added to the VPC network directs any traffic bound for 199.36.153.4/30 to the default internet gateway, since the default internet gateway is configured as the next hop. A VPC's default 0.0.0.0/0 route to the default internet gateway would also match this traffic, but locked-down VPCs often delete that default route, so the specific /30 route is what keeps the VIPs reachable in that case.

The traffic is then routed to the appropriate API or service by Google. 
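As an added example that is not part of the course or of Google's tooling, the following Python script models the three configuration pieces just described (on-prem DNS with the wildcard CNAME, the Cloud Router custom advertisement, and the VPC static route) and traces a request from an on-prem host to a Google API hostname through them, using the VIP ranges from the table earlier in the lesson. It also shows the two failure modes a practitioner should check for: a host whose resolver lacks the CNAME resolves the API to a public address and leaves through the on-prem default route, bypassing the VPC (and any VPC Service Controls perimeter), and a VPC without the /30 static route drops the traffic. The sample subnet 10.128.0.0/20, the placeholder public address 203.0.113.10, the route-table shape, and the assumption that the VPC has no 0.0.0.0/0 route are all constructed for this example.

```python
"""Added example (not course code): trace the on-prem -> restricted.googleapis.com
path from the lesson through the three configuration pieces it describes.

Constructed data models: (1) on-prem DNS with the wildcard CNAME and Google's
published A records for restricted.googleapis.com, (2) the prefixes the Cloud
Router advertises to on-prem, (3) the VPC route table. Assumption: the VPC has
no 0.0.0.0/0 route, so only the custom /30 static route can reach the VIP.
"""
import ipaddress

# VIP ranges from the lesson's table (published by Google).
PRIVATE_VIP = ipaddress.ip_network("199.36.153.8/30")
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")

# (1) Constructed on-prem DNS data. The A records are the four addresses in the
# /30 (199.36.153.4-7); the wildcard CNAME forces every *.googleapis.com name
# to the restricted VIP.
ONPREM_DNS = {
    "cname": {"*.googleapis.com": "restricted.googleapis.com"},
    "a": {"restricted.googleapis.com": [str(ip) for ip in RESTRICTED_VIP]},
}

# (2) Constructed Cloud Router custom advertisements sent over the VPN tunnel.
ADVERTISED_TO_ONPREM = [ipaddress.ip_network("10.128.0.0/20"), RESTRICTED_VIP]

# (3) Constructed VPC route table: (destination, next hop). No 0.0.0.0/0 route.
VPC_ROUTES = [
    (ipaddress.ip_network("10.128.0.0/20"), "subnet"),
    (RESTRICTED_VIP, "default-internet-gateway"),
]

# Placeholder (TEST-NET-3) standing in for the public googleapis.com address
# that an unconfigured resolver would hand back.
PUBLIC_FALLBACK = "203.0.113.10"


def resolve(name, dns, max_hops=5):
    """Return A records for name, following exact and then wildcard CNAMEs."""
    for _ in range(max_hops):
        if name in dns["a"]:
            return dns["a"][name]
        target = dns["cname"].get(name)
        if target is None:
            labels = name.split(".")
            if len(labels) > 2:  # a wildcard covers one leftmost label only
                target = dns["cname"].get("*." + ".".join(labels[1:]))
        if target is None:
            return []  # no answer from the on-prem resolver
        name = target
    raise RuntimeError("CNAME chain too long")


def longest_match(ip, routes):
    """Longest-prefix match, as the VPC route table does."""
    best = None
    for dest, hop in routes:
        if ip in dest and (best is None or dest.prefixlen > best[0].prefixlen):
            best = (dest, hop)
    return best


def trace(hostname, dns=ONPREM_DNS, advertised=ADVERTISED_TO_ONPREM,
          vpc_routes=VPC_ROUTES, public_fallback=PUBLIC_FALLBACK):
    """Follow a request from an on-prem host; return (ip, verdict, path)."""
    path = []
    answers = resolve(hostname, dns)
    if answers:
        ip = ipaddress.ip_address(answers[0])
        path.append(f"on-prem DNS: {hostname} -> {ip}")
    else:
        ip = ipaddress.ip_address(public_fallback)
        path.append(f"public DNS: {hostname} -> {ip}")

    # On-prem forwards over the tunnel only for prefixes learned via BGP.
    if not any(ip in net for net in advertised):
        path.append("on-prem default route -> internet, bypassing the VPC")
        return ip, "bypass", path
    path.append("BGP-learned route -> Cloud VPN tunnel -> VPC network")

    match = longest_match(ip, vpc_routes)
    if match is None:
        path.append("VPC: no matching route, packet dropped")
        return ip, "dropped", path
    dest, hop = match
    path.append(f"VPC route {dest} -> next hop {hop}")
    if hop == "default-internet-gateway" and ip in RESTRICTED_VIP:
        path.append("Google front end: restricted.googleapis.com (VPC-SC-supported APIs only)")
        return ip, "restricted", path
    if hop == "default-internet-gateway" and ip in PRIVATE_VIP:
        path.append("Google front end: private.googleapis.com")
        return ip, "private", path
    path.append("delivered inside the VPC")
    return ip, "internal", path


if __name__ == "__main__":
    cases = [
        ("storage.googleapis.com", {}),                                    # correct config
        ("storage.googleapis.com", {"dns": {"cname": {}, "a": {}}}),       # CNAME missing
        ("storage.googleapis.com", {"vpc_routes": VPC_ROUTES[:1]}),        # static route missing
    ]
    for name, kwargs in cases:
        ip, verdict, path = trace(name, **kwargs)
        print(f"{name} -> {ip}: {verdict}\n  " + "\n  ".join(path))
```

Running the script prints the three traces. The first lands on restricted.googleapis.com, the second shows that a host whose resolver lacks the wildcard CNAME never enters the tunnel at all, which is why the on-prem DNS change is the piece to verify first (for example with `dig storage.googleapis.com` from an on-prem host, expecting an answer in 199.36.153.4/30), and the third shows that the Cloud Router advertisement alone is not enough without the matching VPC route.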

Join me in the next lesson, where we’ll take a closer look at Networking and DNS configuration.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.