In this hands-on guide, we’ll learn how to use VPC Private Google Access (PGA) so that a Cloud Run service with an internal endpoint can be securely accessed without a public IP address.
This ensures traffic flows internally through Google’s network, not over the public internet.
🔹 Step 01: Introduction
We will:
- Deploy a Cloud Run service with an internal endpoint
- Create a subnet with Private Google Access enabled (ON)
- Create another subnet without Private Google Access (OFF)
- Launch VMs in both subnets (without external IPs)
- Test connectivity to the Cloud Run service via curl
- Expected result:
  ✅ VM in subnet with PGA:ON → access succeeds
  ❌ VM in subnet with PGA:OFF → access fails
- Clean up resources
🔹 Step 02: Create Cloud Run Service with Internal Endpoint
# Set Project
gcloud config set project PROJECT_ID
gcloud config set project gcpdemos
# Set Cloud Run Region
gcloud config set run/region us-central1
gcloud config list
# Deploy Cloud Run Service
gcloud run deploy myservice201 \
--image=stacksimplify/google-cloud-run:v1 \
--allow-unauthenticated \
--ingress=internal \
--port=80 \
--region=us-central1
Test access:
https://myservice201-506997606680.us-central1.run.app
Observation:
- Service is not publicly accessible 🌐❌
- Endpoint is internal only.
🔹 Step 03: Create a Subnet with Private Google Access Enabled
- Go to VPC Networks → vpc2-custom → SUBNETS → ADD SUBNET
- Name: mysubnet2pga
- Description: Subnet with PGA enabled
- Region: us-central1
- IP range: 10.231.0.0/20
- Private Google Access: ON ✅
- Leave other settings default → ADD
🔹 Step 04: Create VM in Subnet with PGA:ON
# Create VM in mysubnet2pga without external IP
gcloud compute instances create myvm-pga-on \
--zone=us-central1-a \
--machine-type=e2-micro \
--network-interface=subnet=mysubnet2pga,no-address
# Connect via IAP
gcloud compute ssh --zone "us-central1-a" "myvm-pga-on" --tunnel-through-iap
# Test Cloud Run access
curl https://myservice201-506997606680.us-central1.run.app
Observation: ✅ Access succeeds because traffic uses Private Google Access.
🔹 Step 05: Create VM in Subnet with PGA:OFF
# Create VM in mysubnet1 without external IP
gcloud compute instances create myvm-pga-off \
--zone=us-central1-a \
--machine-type=e2-micro \
--network-interface=subnet=mysubnet1,no-address
# Connect via IAP
gcloud compute ssh --zone "us-central1-a" "myvm-pga-off" --tunnel-through-iap
# Test Cloud Run access
curl https://myservice201-506997606680.us-central1.run.app
Observation: ❌ Access fails because Private Google Access is disabled in mysubnet1.
🔹 Step 06: Clean Up Resources
# Delete VM Instances
gcloud compute instances delete myvm-pga-on --zone=us-central1-a --delete-disks=all
gcloud compute instances delete myvm-pga-off --zone=us-central1-a --delete-disks=all
# Delete Cloud Run Service
gcloud run services delete myservice201
✅ Summary
- Private Google Access (PGA) allows VM instances without external IPs to securely access Google APIs & services.
- With PGA enabled, internal-only workloads can reach services like Cloud Run internal endpoints.
- With PGA disabled, requests fail since the subnet cannot route traffic to Google APIs privately.
- Best Practice: Enable PGA in subnets where private workloads need access to Google services without assigning public IPs.
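The failure in Step 05 is easy to reproduce at scale: any VM without an external IP in a subnet where PGA is OFF will be cut off from Google APIs and from internal Cloud Run endpoints. The script below is an added example (not part of the original guide) that audits for exactly that condition. It parses JSON in the shape of `gcloud compute networks subnets list --format=json` and `gcloud compute instances list --format=json`; the sample records embedded here are constructed to mirror the tutorial's names (the CIDR of mysubnet1, the VM addresses and the extra `myvm-public` VM are made up). Running it against real output is left to the caller: pipe the two gcloud commands' JSON into `find_pga_gaps()`.

```python
"""Audit GCE subnets for the Private Google Access gap demonstrated above:
VMs with no external IP sitting in a subnet where privateIpGoogleAccess is false.
Example code added to this page, not the tutorial author's own script."""
import json

# Constructed sample resembling `gcloud compute networks subnets list --format=json`.
# mysubnet2pga matches the tutorial; mysubnet1's range is invented for the sample.
PREFIX = "https://www.googleapis.com/compute/v1/projects/gcpdemos"
SAMPLE_SUBNETS = json.dumps([
    {"name": "mysubnet2pga", "ipCidrRange": "10.231.0.0/20",
     "region": f"{PREFIX}/regions/us-central1", "privateIpGoogleAccess": True},
    {"name": "mysubnet1", "ipCidrRange": "10.230.0.0/20",
     "region": f"{PREFIX}/regions/us-central1", "privateIpGoogleAccess": False},
])

# Constructed sample resembling `gcloud compute instances list --format=json`.
# A NIC with no accessConfigs entry is a VM without an external IP (the `no-address` flag).
SAMPLE_INSTANCES = json.dumps([
    {"name": "myvm-pga-on", "zone": f"{PREFIX}/zones/us-central1-a",
     "networkInterfaces": [{"networkIP": "10.231.0.2",
                            "subnetwork": f"{PREFIX}/regions/us-central1/subnetworks/mysubnet2pga"}]},
    {"name": "myvm-pga-off", "zone": f"{PREFIX}/zones/us-central1-a",
     "networkInterfaces": [{"networkIP": "10.230.0.2",
                            "subnetwork": f"{PREFIX}/regions/us-central1/subnetworks/mysubnet1"}]},
    # Hypothetical VM with an external IP: it does not rely on PGA, so it must not be flagged.
    {"name": "myvm-public", "zone": f"{PREFIX}/zones/us-central1-a",
     "networkInterfaces": [{"networkIP": "10.230.0.3",
                            "subnetwork": f"{PREFIX}/regions/us-central1/subnetworks/mysubnet1",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "external-nat",
                                               "natIP": "203.0.113.10"}]}]},
])


def _last_segment(url: str) -> str:
    """Return the final path segment of a Compute API self-link (region, zone, name)."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def subnet_key(subnetwork_url: str) -> tuple[str, str]:
    """Split '.../regions/<region>/subnetworks/<name>' into (region, name)."""
    parts = subnetwork_url.split("/")
    return parts[parts.index("regions") + 1], parts[parts.index("subnetworks") + 1]


def index_subnets(subnets_json: str) -> dict[tuple[str, str], bool]:
    """Map (region, subnet name) -> whether Private Google Access is enabled."""
    return {(_last_segment(s["region"]), s["name"]): bool(s.get("privateIpGoogleAccess", False))
            for s in json.loads(subnets_json)}


def has_external_ip(nic: dict) -> bool:
    """True when the interface carries a NAT'd external address (accessConfigs with natIP)."""
    return any(ac.get("natIP") for ac in nic.get("accessConfigs", []))


def find_pga_gaps(subnets_json: str, instances_json: str) -> list[dict]:
    """List NICs that have no external IP and sit in a subnet with PGA off.

    A subnet missing from the subnet listing is treated as unverified and flagged too,
    so a partial export does not silently hide a gap."""
    pga_enabled = index_subnets(subnets_json)
    findings = []
    for inst in json.loads(instances_json):
        for nic in inst.get("networkInterfaces", []):
            if has_external_ip(nic):
                continue  # reaches Google endpoints via its public address; PGA is irrelevant
            region, subnet = subnet_key(nic["subnetwork"])
            if not pga_enabled.get((region, subnet), False):
                findings.append({"instance": inst["name"], "zone": _last_segment(inst["zone"]),
                                 "internal_ip": nic.get("networkIP"),
                                 "region": region, "subnet": subnet})
    return findings


def remediation(finding: dict) -> str:
    """The gcloud command that turns PGA on for the subnet named in a finding."""
    return (f"gcloud compute networks subnets update {finding['subnet']} "
            f"--region={finding['region']} --enable-private-ip-google-access")


if __name__ == "__main__":
    gaps = find_pga_gaps(SAMPLE_SUBNETS, SAMPLE_INSTANCES)
    for g in gaps:
        print(f"{g['instance']} ({g['internal_ip']}) in {g['region']}/{g['subnet']}: "
              f"no external IP and PGA is OFF -> Google APIs and internal Cloud Run unreachable")
        print("  fix:", remediation(g))
```

On the sample data only `myvm-pga-off` is reported, matching the curl failure observed in Step 05; the suggested fix is the subnet-level `--enable-private-ip-google-access` update, which is the same switch the console toggles in Step 03. Enabling PGA is a routing change only: the Cloud Run service's `--ingress=internal` setting still decides which sources are accepted, and with `--allow-unauthenticated` that ingress setting is the sole access control on the service.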