In this post, we will create a VPC network (with a custom private subnet), some firewall rules and a PRIVATE VM instance that has no external IP address. We will connect to the instance using an IAP tunnel. We also briefly discuss the difference between Google Private Access and Private Service Connect in GCP.

Google Private Access is different from Private Service Connect in GCP

  • Google Private Access is closer to AWS VPC Endpoints, in that it makes Google APIs (services) reachable as targets from a private subnet within a VPC.
  • Private Service Connect is different from the Private Access (think VPC Endpoints) outlined above.
  • Private Service Connect is used to allow cross-VPC, cross-project and even cross-organization access to your project's deployed services. With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network.

Google Private Access for Private Subnets

We will then explore how this private VM in a private subnet can still make Google API calls (e.g. to the Storage API) and also reach other internet addresses (e.g. for patching).

Let's get started. Step 1 - Create a VPC Network with a custom Subnet

Name: privatesubnet-us
Region: us-central1
IP address range: 10.130.0.0/20

Step 2 - Create a Firewall Rule defined at Network Level

Property: Value (type the value or select the option as specified)
Name: privatenet-allow-ssh
Network: privatenet
Targets: All instances in the network
Source filter: IP ranges
Source IP ranges: 35.235.240.0/20
Protocols and ports: Specified protocols and ports

What is that source CIDR range, 35.235.240.0/20? What are IAP (Identity-Aware Proxy) connections?

IAP connections come from a specific set of IP addresses (35.235.240.0/20), so you can limit the rule to this CIDR range. To learn more about IAP, read this post.

Step 3 - Create the Instance

Property: Value (type the value or select the option as specified)
Name: vm-internal
Region: us-central1
Zone: us-central1-c
Series: N1
Machine type: n1-standard-1 (1 vCPU, 3.75 GB memory)
Boot disk: Debian GNU/Linux 10 (buster)

Step 4 - Ensure the VM is private (Network Interfaces, External IP)

  1. Expand the "Management, security, disks, networking, sole tenancy" section.
  2. Click Networking.
  3. For Network interfaces, click the pencil icon to edit.
  4. Specify the following, and leave the remaining settings at their defaults:
    Property: Value (type the value or select the option as specified)
    Network: privatenet
    Subnetwork: privatesubnet-us
    External IP: None
  • To give the VM access to Google APIs, simply enable Private Google Access on the containing subnet.
  • To give the VM outbound internet access (e.g. for patching), create a Cloud NAT gateway.
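As an added check (not part of the original post), the script below audits the three properties the steps above establish: SSH is allowed only from the IAP range 35.235.240.0/20, the instance has no external IP (no accessConfigs on its interface), and Private Google Access is enabled on the subnet. The sample rule, instance and subnet dictionaries are constructed here in the shape of Compute API JSON (as returned by `gcloud ... --format=json`); a permissive rule on the default network is included so the audit has something to flag.

```python
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # IAP TCP-forwarding source range from the page

# Constructed sample data, shaped like Compute API JSON (`gcloud ... --format=json`).
FIREWALL_RULES = [
    {"name": "privatenet-allow-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
# No accessConfigs on the interface means no external IP, as configured in Step 4.
INSTANCE = {"name": "vm-internal", "networkInterfaces": [{"subnetwork": "privatesubnet-us", "networkIP": "10.130.0.2"}]}
SUBNET = {"name": "privatesubnet-us", "ipCidrRange": "10.130.0.0/20", "privateIpGoogleAccess": True}

def rule_allows_ssh(rule):
    """True if an ingress allow rule opens tcp/22 (single port, port range, all tcp or all protocols)."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for allow in rule.get("allowed", []):
        proto = allow.get("IPProtocol", "").lower()
        if proto == "all" or (proto == "tcp" and not allow.get("ports")):
            return True  # no port list means every port of that protocol
        for spec in allow.get("ports", []) if proto == "tcp" else []:
            lo, _, hi = spec.partition("-")
            if int(lo) <= 22 <= int(hi or lo):
                return True
    return False

def ssh_sources_outside_iap(rule):
    """Source ranges of an SSH rule that are not contained in the IAP range (empty means IAP-only)."""
    if not rule_allows_ssh(rule):
        return []
    nets = [(c, ipaddress.ip_network(c, strict=False)) for c in rule.get("sourceRanges", [])]
    return [c for c, n in nets if n.version != IAP_RANGE.version or not n.subnet_of(IAP_RANGE)]

def audit(rules, instance, subnet):
    """Findings against the setup the post builds; an empty list means the configuration matches."""
    findings = []
    for rule in rules:
        bad = ssh_sources_outside_iap(rule)
        if bad:
            findings.append(f"{rule['name']}: SSH open to {', '.join(bad)} (not IAP-only)")
    if any(nic.get("accessConfigs") for nic in instance.get("networkInterfaces", [])):
        findings.append(f"{instance['name']}: has an external IP")
    if not subnet.get("privateIpGoogleAccess"):
        findings.append(f"{subnet['name']}: Private Google Access is disabled")
    return findings
```

Run `audit(FIREWALL_RULES, INSTANCE, SUBNET)` against real `gcloud` JSON to re-check the project after later changes; only the default-network rule is flagged for the sample above.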

Need an experienced AWS/GCP/Azure/DevSecOps Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.