Cloud NAT and Private Google Access

  • Google Cloud automatically enables Private Google Access for a subnet IP address range when you configure a Cloud NAT gateway to apply to that subnet range, either primary or secondary.
  • Private Google Access is enabled on a subnet-by-subnet basis.
  • As long as the gateway provides NAT for a subnet's range, Private Google Access is in effect for that range and cannot be disabled manually. A Cloud NAT gateway does not change the way that Private Google Access works.
  • Cloud NAT configures the Andromeda software that powers the VPC network to also provide source network address translation (SNAT) for VMs without external IP addresses.
  • Cloud NAT also provides DNAT (destination network address translation) for established inbound response packets.
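
The rule in the bullets above, as an added Python example (not from the original page or from Google): it reports, per subnet range, whether Private Google Access is in effect because of the subnet's own flag or because a Cloud NAT gateway applies to that range. The input dictionaries use Compute Engine API field names with constructed, shortened resource values; the function names are hypothetical.

```python
# Added example. Field names follow the Compute Engine API for subnetworks and
# routers; every resource value below is constructed for illustration.
NET, REGION = "networks/vpc-a", "regions/us-central1"
SUBNETS = [
    {"name": "app", "selfLink": "subnetworks/app", "network": NET, "region": REGION,
     "privateIpGoogleAccess": False,
     "secondaryIpRanges": [{"rangeName": "pods"}, {"rangeName": "services"}]},
    {"name": "db", "selfLink": "subnetworks/db", "network": NET, "region": REGION,
     "privateIpGoogleAccess": False},
]
ROUTERS = [{"network": NET, "region": REGION, "nats": [{
    "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
    "subnetworks": [{"name": "subnetworks/app",
                     "sourceIpRangesToNat": ["PRIMARY_IP_RANGE", "LIST_OF_SECONDARY_IP_RANGES"],
                     "secondaryIpRangeNames": ["pods"]}]}]}]

def nat_covered_ranges(subnet, router):
    """Names of this subnet's ranges that the router's NAT gateways apply to."""
    if (router["network"], router["region"]) != (subnet["network"], subnet["region"]):
        return set()  # a gateway only serves subnets in its own network and region
    secondary = {r["rangeName"] for r in subnet.get("secondaryIpRanges", [])}
    covered = set()
    for nat in router.get("nats", []):
        mode = nat["sourceSubnetworkIpRangesToNat"]
        if mode == "ALL_SUBNETWORKS_ALL_IP_RANGES":
            covered |= {"primary"} | secondary
        elif mode == "ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES":
            covered.add("primary")
        for entry in (nat.get("subnetworks", []) if mode == "LIST_OF_SUBNETWORKS" else []):
            if entry["name"] != subnet["selfLink"]:
                continue  # this entry selects a different subnet
            kinds = entry.get("sourceIpRangesToNat", [])
            if "ALL_IP_RANGES" in kinds:
                covered |= {"primary"} | secondary
            if "PRIMARY_IP_RANGE" in kinds:
                covered.add("primary")
            if "LIST_OF_SECONDARY_IP_RANGES" in kinds:
                covered |= secondary & set(entry.get("secondaryIpRangeNames", []))
    return covered

def effective_pga(subnets, routers):
    """Map (subnet, range) -> 'flag', 'cloud-nat' or None (not in effect)."""
    report = {}
    for s in subnets:
        by_nat = set().union(*(nat_covered_ranges(s, r) for r in routers))
        for n in ["primary"] + [r["rangeName"] for r in s.get("secondaryIpRanges", [])]:
            report[(s["name"], n)] = ("flag" if s.get("privateIpGoogleAccess")
                                      else "cloud-nat" if n in by_nat else None)
    return report
```

Ranges reported as `cloud-nat` are the ones an audit of the subnet flag alone would miss: under the rule above, they keep Private Google Access for as long as the gateway serves them.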

What is Private Services Access?

Private Google Access is not to be confused with private services access, which is defined at the VPC level (not the subnet level).

Private services access is a private connection between your VPC network and another network. This other network can be another GCP network or an external third-party network.

The private connection enables VM instances in your VPC network and the services that you access to communicate exclusively by using internal IP addresses.
