What is Private Google Access?
Private Google Access (PGA) is a GCP feature that allows Virtual Machine (VM) instances without external IP addresses to reach Google APIs and services (Cloud Storage, Cloud Run, Pub/Sub, and so on) using only their internal IP addresses. This keeps workloads private while still letting them interact with Google services.
Key Points:
- Configured per subnet (ON/OFF).
- Only affects VMs without external IPs.
- VMs with external IPs are unaffected—they can access Google services normally.
Customer Project & VPC
Project: gcpdemos
VPC: vpc2-custom
Contains two subnets in the us-central1 region:
- mysubnet1 (Private Google Access: OFF)
- mysubnet2pga (Private Google Access: ON)
VM Instances
VM1
- Subnet: mysubnet1 (PGA OFF)
- Private IP: 10.225.0.5
- No external IP
- Cannot access Google APIs internally. The diagram shows a red cross indicating blocked access.
VM2
- Subnet: mysubnet2pga (PGA ON)
- Private IP: 10.131.0.5
- No external IP
- Can access Google APIs internally (shown with a blue arrow connecting to Cloud Run).
Cloud Run
- Service is internal-only.
- VM2 can communicate with it via Private Google Access.
- VM1 cannot communicate because PGA is disabled in its subnet.
Takeaways
- Subnet-level control: Enable PGA at the subnet level to allow private VMs access to Google services.
- Security-first approach: VMs can remain without external IPs, reducing exposure.
- Simple connectivity: Eliminates the need for NAT or external IPs just to access Google APIs.
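To turn the subnet-level takeaway into a repeatable check, here is an added example (not code from the original post) that audits a VPC's subnets for Private Google Access. It parses the JSON that `gcloud compute networks subnets list --format=json` prints, reports every subnet whose `privateIpGoogleAccess` field is false or missing, and builds the `gcloud ... subnets update --enable-private-ip-google-access` command to fix it plus a `describe` command to verify the change. The embedded sample JSON is constructed to mirror the post's two subnets in project `gcpdemos` (the /24 CIDR ranges and the `--filter` expression in `fetch_subnets` are assumptions, not values from the post).

```python
"""Audit which subnets of a VPC have Private Google Access (PGA) enabled.

Added example, not part of the original post. Works offline on the
constructed sample below; fetch_subnets() is the live variant that needs an
authenticated gcloud on PATH.
"""
import json
import shlex
import subprocess

# Constructed sample of `gcloud compute networks subnets list --format=json`
# output for the post's VPC (vpc2-custom in project gcpdemos). The CIDR
# ranges are assumed; only the subnet names and PGA states come from the post.
SAMPLE_SUBNETS_JSON = """[
  {"name": "mysubnet1",
   "region": "https://www.googleapis.com/compute/v1/projects/gcpdemos/regions/us-central1",
   "network": "https://www.googleapis.com/compute/v1/projects/gcpdemos/global/networks/vpc2-custom",
   "ipCidrRange": "10.225.0.0/24",
   "privateIpGoogleAccess": false},
  {"name": "mysubnet2pga",
   "region": "https://www.googleapis.com/compute/v1/projects/gcpdemos/regions/us-central1",
   "network": "https://www.googleapis.com/compute/v1/projects/gcpdemos/global/networks/vpc2-custom",
   "ipCidrRange": "10.131.0.0/24",
   "privateIpGoogleAccess": true}
]"""


def short_name(resource_url):
    """Return the last path segment of a Compute Engine resource URL
    (gcloud returns regions and networks as full URLs)."""
    return resource_url.rstrip("/").rsplit("/", 1)[-1]


def subnets_without_pga(subnets_json):
    """Return [(subnet_name, region), ...] for subnets with PGA disabled.

    A missing or null privateIpGoogleAccess is treated as disabled, which is
    the Compute API default for a new subnet.
    """
    result = []
    for subnet in json.loads(subnets_json):
        if not subnet.get("privateIpGoogleAccess", False):
            result.append((subnet["name"], short_name(subnet["region"])))
    return result


def enable_pga_command(subnet, region):
    """Build the gcloud command that switches PGA on for one subnet."""
    return ["gcloud", "compute", "networks", "subnets", "update", subnet,
            "--region", region, "--enable-private-ip-google-access"]


def verify_pga_command(subnet, region):
    """Build the gcloud command that prints the subnet's PGA flag (True/False)."""
    return ["gcloud", "compute", "networks", "subnets", "describe", subnet,
            "--region", region, "--format=get(privateIpGoogleAccess)"]


def fetch_subnets(network):
    """Live mode: return the JSON subnet list for one VPC via gcloud.
    The --filter expression is an assumed way to restrict the list by network."""
    proc = subprocess.run(
        ["gcloud", "compute", "networks", "subnets", "list",
         "--filter", f"network:{network}", "--format", "json"],
        check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_subnets("vpc2-custom")
    # to audit a real project.
    for name, region in subnets_without_pga(SAMPLE_SUBNETS_JSON):
        print(f"{name} ({region}): Private Google Access is OFF")
        print("  enable:", shlex.join(enable_pga_command(name, region)))
        print("  verify:", shlex.join(verify_pga_command(name, region)))
```

On the sample this reports only `mysubnet1`, matching the post's diagram. Note that the subnet flag is the necessary part but not the whole path: a VM in a PGA subnet must still resolve the Google API hostnames and have a route toward them (the VPC's default route to the default internet gateway, or the `private.googleapis.com` range) for the request to leave the instance.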