In this Course, we look at configuring Private Google access starting with an overview of what it is, before moving on to networking and DNS configuration as well as routing and firewalls. We'll then walk you through a guided demonstration of how to enable Private Google Access so that you get a practical understanding of the service.
We'll also look at Private Google Access for on-premises hosts, covering domain names, virtual IPs, networking and DNS configuration, and permissions. We'll wrap with Private Services Access and Serverless VPC Access.
Learning Objectives
- Learn about Private Google Access, its networking and DNS requirements, and how to configure routing and firewalls to use it
- Learn about Private Google Access for on-premises hosts, its requirements, its permissions, and how to use it
- Get a high-level overview of Private Services Access and Serverless VPC Access
Intended Audience
This Course is intended for those who wish to learn how to configure Private Google Access on the GCP platform.
Prerequisites
To get the most out of this Course, you should have a basic knowledge of GCP.
Hello and welcome to Routing and Firewalls. In this lesson, we are going to take a look at the different routing and firewall requirements that are common to both Private Google Access and to Private Google Access for on-prem hosts.
Now, as I mentioned earlier, when you enable Private Google Access, your VPC network needs to have routes defined with the next hop configured as the default internet gateway. That being said, it’s important that I point out that even though these routes are configured with a next hop of “default internet gateway”, the network traffic going from VMs on the VPC network to Google APIs and services actually stays on Google’s network. It doesn’t actually go out to the internet.
For example, if you opt to use one of the default restricted or private domain names to connect to Google APIs and services, your virtual machines will connect to those services via a subset of Google’s external IP addresses. Although these public IPs ARE publicly routable, the actual path that the traffic takes from a VM in a VPC network to those public addresses actually stays within Google’s network. This is because Google doesn’t publish routes to these addresses on the internet. As a result, the private.googleapis.com domain and restricted.googleapis.com domain can only be accessed from VMs in a VPC network or from on-prem machines that are connected to a VPC network via a VPN.
So, what does this all mean? It means that as long as your VPC network has a default route configured with the next hop being the default internet gateway, the default route will allow your VMs in the VPC network to access Google APIs and services on any domain. However, if you’ve replaced the default route with a custom static route that has a destination of 0.0.0.0/0 and a next hop of something other than the default internet gateway, you’ll need to do some custom routing to reach Google APIs and services. The custom routes that you define will be dependent on your particular environment.
Now, as far as firewalls go, if you wish to access Google APIs and services from your VMs, you need to ensure that any firewall rules that you define for your VPC network allow access from those VMs to the IP addresses for Google APIs and services. This should be obvious. You can’t use a service if your firewall rules are blocking access to the IPs that that service uses.
In a typical configuration, the implied allow egress rule allows the necessary access to Google APIs and services. However, if you are running a configuration that includes an egress deny rule that, for example, blocks outbound traffic to all destinations, you’ll need to create an egress allow firewall rule that allows access to the IPs used by Google APIs and services. The egress allow rule that you create would need to have a higher priority than the deny rule.
So, to summarize things, as long as your VMs are on a VPC network that has a default route configured with a next hop of default internet gateway, your VMs should have no problem accessing Google APIs and services, assuming you have no firewall rules that are blocking that access. These routing and firewall requirements apply to both Private Google Access and to Private Google Access for on-prem hosts. Keep that in mind.
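As an added example (not part of the course material), the following Python script models the two checks just described: a longest-prefix route lookup that must land on the default internet gateway, and GCP-style egress firewall evaluation where the lowest priority number wins and the implied allow-egress rule sits at 65535. The VIP ranges for private.googleapis.com and restricted.googleapis.com are Google's documented values, not taken from this page, and the route and rule lists are constructed sample configurations.

```python
import ipaddress

# Google's documented VIP ranges for the special domains (not stated on this page).
PRIVATE_GOOGLEAPIS = ipaddress.ip_network("199.36.153.8/30")
RESTRICTED_GOOGLEAPIS = ipaddress.ip_network("199.36.153.4/30")
DEFAULT_INTERNET_GATEWAY = "default-internet-gateway"


def route_next_hop(routes, dest_ip):
    """Longest-prefix match over routes given as (dest_cidr, next_hop) pairs."""
    best = None
    for cidr, next_hop in routes:
        net = ipaddress.ip_network(cidr)
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def egress_allowed(rules, dest_ip):
    """Evaluate egress rules given as (priority, action, dest_cidr).

    In GCP a lower number means a higher priority, and the first matching
    rule decides. With no match, the implied allow-egress rule (65535) applies.
    """
    for _prio, action, cidr in sorted(rules, key=lambda r: r[0]):
        if dest_ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return True


def pga_reachable(routes, rules, domain="private"):
    """Return (ok, reason) for VM egress to the chosen Google APIs VIP range."""
    vip = PRIVATE_GOOGLEAPIS if domain == "private" else RESTRICTED_GOOGLEAPIS
    probe = vip[0]  # any address in the range behaves the same way
    if route_next_hop(routes, probe) != DEFAULT_INTERNET_GATEWAY:
        return False, "no route to the VIP range via default-internet-gateway"
    if not egress_allowed(rules, probe):
        return False, "egress firewall denies traffic to the VIP range"
    return True, "ok"


# Constructed sample configurations.
ROUTES_DEFAULT = [("10.0.0.0/24", "subnet"), ("0.0.0.0/0", DEFAULT_INTERNET_GATEWAY)]
ROUTES_CUSTOM = [("10.0.0.0/24", "subnet"), ("0.0.0.0/0", "nva-10.0.0.5")]
DENY_ALL_EGRESS = [(1000, "deny", "0.0.0.0/0")]

if __name__ == "__main__":
    print(pga_reachable(ROUTES_DEFAULT, []))
    print(pga_reachable(ROUTES_CUSTOM, []))
    print(pga_reachable(ROUTES_DEFAULT, DENY_ALL_EGRESS))
    print(pga_reachable(ROUTES_DEFAULT, DENY_ALL_EGRESS + [(900, "allow", "199.36.153.8/30")]))
```

The last call shows the fix from the lesson: an allow rule for the VIP range at priority 900 outranks the deny-all at 1000, whereas the same allow rule at 1100 would never be reached.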
In the next lesson, I’ll show you how to enable Private Google Access.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.