
Private Google Access in GCP - Commands & Configuration

Introduction
Sometimes, virtual machines in a private network need to reach Google services without using the public internet. Private Google Access lets VMs that have no external IP address reach Google APIs and services over the VPC's internal routing, so the traffic never leaves Google's network and the VMs need neither a public IP nor a NAT gateway.
When you want virtual machines without public IPs to access Google Cloud APIs and services.
When you want to keep your network isolated but still use Google services like Cloud Storage or BigQuery.
When you want to improve security by avoiding public internet exposure for your VMs.
When you have a private subnet and need to allow access to Google services without adding NAT gateways.
When you want to reduce costs by avoiding NAT usage for Google service traffic.
Config File - private_google_access.yaml
resources:
- name: example-subnet
  type: compute.v1.subnetwork
  properties:
    region: us-central1
    network: projects/my-project/global/networks/default
    ipCidrRange: 10.0.0.0/24
    privateIpGoogleAccess: true

This Deployment Manager configuration defines a subnet named example-subnet in the us-central1 region with Private Google Access turned on. The key property is privateIpGoogleAccess: true, which lets VMs in this subnet that have no public IP reach Google APIs privately.

Commands
This command enables Private Google Access on the subnet named example-subnet in the us-central1 region. It allows VMs without public IPs in this subnet to access Google services privately.
Terminal
gcloud compute networks subnets update example-subnet --region=us-central1 --enable-private-ip-google-access
Expected Output
Updated [https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/subnetworks/example-subnet].
--enable-private-ip-google-access - Enables Private Google Access on the subnet.
--region - Specifies the region of the subnet.
Creates a VM named example-vm in the example-subnet without a public IP address. This VM will use Private Google Access to reach Google services.
Terminal
gcloud compute instances create example-vm --zone=us-central1-a --subnet=example-subnet --no-address
Expected Output
Created [https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a/instances/example-vm].
--no-address - Prevents assigning a public IP to the VM.
--subnet - Specifies the subnet for the VM.
SSH into the VM and run a curl command against the Cloud Storage JSON API. This tests that Private Google Access is working without a public IP: any HTTP reply from storage.googleapis.com, even an error reply, shows the VM reached the API, while a connection timeout means the request never got there (check that Private Google Access is enabled on the subnet and that the VPC's default route and egress firewall rules still allow the traffic).
Terminal
gcloud compute ssh example-vm --zone=us-central1-a --command="curl https://storage.googleapis.com/storage/v1/b"
Expected Output
{"kind":"storage#buckets"
--command - Runs a command on the VM without opening an interactive shell.
Key Concept

If you remember nothing else from this pattern, remember: Private Google Access lets VMs without public IPs securely reach Google services inside your private network.

Common Mistakes
Not enabling Private Google Access on the subnet before creating VMs.
VMs without public IPs cannot reach Google services without this enabled.
Always enable Private Google Access on the subnet first using the gcloud command or subnet configuration.
Assigning public IPs to VMs and expecting Private Google Access to apply.
Private Google Access only affects VMs without public IPs; VMs with a public IP use normal internet routing.
Create VMs with the --no-address flag so they have no public IP and use Private Google Access.
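A quick audit for the first mistake above, written as an added example that is not part of this page's material: it reads the JSON that gcloud's subnets list and instances list commands produce (with --format=json) and flags VMs that have no external IP but sit in a subnet where privateIpGoogleAccess is off. The subnet and instance records below are constructed sample data, not output from a real project.

```python
# Constructed sample data (not from a real project), shaped like the JSON from
#   gcloud compute networks subnets list --format=json
#   gcloud compute instances list --format=json
SUBNET_URL = ("https://www.googleapis.com/compute/v1/projects/my-project"
              "/regions/us-central1/subnetworks/")
SUBNETS = [
    {"name": "example-subnet", "ipCidrRange": "10.0.0.0/24",
     "selfLink": SUBNET_URL + "example-subnet", "privateIpGoogleAccess": True},
    {"name": "legacy-subnet", "ipCidrRange": "10.0.1.0/24",
     "selfLink": SUBNET_URL + "legacy-subnet"},  # key absent: access is off
]
INSTANCES = [
    # created with --no-address in a subnet that has Private Google Access: fine
    {"name": "example-vm", "networkInterfaces": [
        {"subnetwork": SUBNET_URL + "example-subnet", "networkIP": "10.0.0.2"}]},
    # no external IP and the subnet has no Private Google Access: stranded
    {"name": "legacy-vm", "networkInterfaces": [
        {"subnetwork": SUBNET_URL + "legacy-subnet", "networkIP": "10.0.1.2"}]},
    # has a public IP, so it uses normal internet routing regardless
    {"name": "public-vm", "networkInterfaces": [
        {"subnetwork": SUBNET_URL + "legacy-subnet", "networkIP": "10.0.1.3",
         "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
]

def pga_enabled(subnets):
    """Map each subnet selfLink to whether privateIpGoogleAccess is true.
    A missing key is treated as disabled, which is the API default."""
    return {s["selfLink"]: bool(s.get("privateIpGoogleAccess", False))
            for s in subnets}

def has_external_ip(nic):
    """gcloud omits accessConfigs entirely for interfaces created with --no-address."""
    return any(ac.get("natIP") for ac in nic.get("accessConfigs", []))

def stranded_vms(subnets, instances):
    """Return (vm, subnet) pairs for interfaces with no external IP in a subnet
    where Private Google Access is disabled; those VMs cannot reach Google APIs
    until the subnet is updated or a NAT gateway is added."""
    pga = pga_enabled(subnets)
    found = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            link = nic.get("subnetwork", "")
            if not has_external_ip(nic) and not pga.get(link, False):
                found.append((inst["name"], link.rsplit("/", 1)[-1]))
    return found

if __name__ == "__main__":
    for vm, subnet in stranded_vms(SUBNETS, INSTANCES):
        print(f"{vm}: no external IP and subnet {subnet} has Private Google Access disabled")
```

To run it against a real project, replace the two constructed lists with json.load() of the two gcloud commands' output.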
Summary
Enable Private Google Access on your subnet to allow private VMs to reach Google services.
Create VMs without public IPs in that subnet to use Private Google Access.
Test connectivity by accessing Google APIs from the VM without a public IP.