Access APIs from VMs with external IP addresses
A virtual machine (VM) instance with an external IP address assigned to its network interface can connect to Google APIs and services if the network requirements described on this page are met. Though the connection is made from the VM's external IP address, the traffic stays within Cloud de Confiance and is not sent through the public internet.
Network requirements
You must meet the following requirements to access Google APIs and services from a VM with an external IP address:
If needed, you enable the API for the services that you want to access:
If you're accessing a Google API service endpoint, you must enable the API for that service.
For example, to create a Cloud Storage bucket through the storage.s3nsapis.fr API service endpoint or a client library, you must enable the Cloud Storage API.
If you're accessing other types of resources, you might not need to enable any APIs.
For example, to access a Cloud Storage bucket in another project through its storage.s3nsapis.fr URL, you don't need to enable the Cloud Storage API.
If you want to connect to Google APIs and services using IPv6, you must meet both of these requirements:
Your VM must be configured with an external
/96IPv6 address range.The software running on the VM must send packets whose sources match one of those IPv6 addresses from that range.
- Depending on your chosen configuration, you might need to update DNS entries, routes, and firewall rules. For more information, see Summary of configuration options.
Summary of configuration options
The following table summarizes the different ways that a VM with an external IP address can access APIs and services that are hosted in Google's production infrastructure. For more detailed configuration information, see Network configuration.
| Domain option | DNS configuration | Routing configuration | Firewall configuration |
|---|---|---|---|
| Default domains | You access Google APIs and services through their public IP addresses, so no special DNS configuration is required. | Ensure that your VPC network can route traffic to the IP address ranges that are used by Google APIs and services.
|
Ensure that your firewall rules allow egress to the IP address ranges used by Google APIs and services. The default allow egress firewall rule allows this traffic, if there is no higher priority rule that blocks it. |
private.s3nsapis.fr
(Equivalent to private.googleapis.com in Google Cloud)
|
Configure DNS records in a private DNS zone to send requests to the following IP addresses: For IPv4 traffic:
For IPv6 traffic:
|
Ensure that your VPC network has routes to the following IP ranges: For IPv4 traffic:
For IPv6 traffic:
|
Ensure that your firewall rules allow egress to the following IP ranges: For IPv4 traffic:
For IPv6 traffic:
|
restricted.s3nsapis.fr
(Equivalent to restricted.googleapis.com in Google Cloud)
|
Configure DNS records to send requests to the following IP addresses: For IPv4 traffic:
For IPv6 traffic:
|
Ensure that your VPC network has routes to the following IP ranges: For IPv4 traffic:
For IPv6 traffic:
|
Ensure that your firewall rules allow egress to the following IP ranges: For IPv4 traffic:
For IPv6 traffic:
|
Network configuration
This section describes the basic network requirements you must meet in order for a VM in your VPC network to access Google APIs and services.
Domain options
Choose the domain that you want to use to access Google APIs and services.
The private.s3nsapis.fr and restricted.s3nsapis.fr virtual IP
addresses (VIPs) support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other
protocols, including MQTT and ICMP, are not supported.
Interactive websites and features that use the internet—for example, for redirects or
retrieving content—are not supported.
| Domain and IP address ranges | Supported services | Example usage |
|---|---|---|
Default domains. All domain names for Google APIs and services except for
Various IP address ranges—you can determine a set of IP ranges that contains the possible addresses used by the default domains by referencing IP addresses for default domains. |
Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes support for web applications. |
The default domains are used when you don't configure DNS records for
|
|
|
Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Does not support access to web applications.
For example, domains such as |
Use Choose
|
|
|
Enables API access to Google APIs and services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support access to web applications. |
Use Choose The |
restricted.s3nsapis.fr, as it provides additional risk mitigation for data
exfiltration. Using restricted.s3nsapis.fr denies access to
Google APIs and services that are not supported by VPC Service Controls. See
Setting up private
connectivity in the VPC Service Controls documentation for more details.
IPv6 support for private.s3nsapis.fr and restricted.s3nsapis.fr
The following IPv6 address ranges can be used to direct traffic from IPv6 clients to Google APIs and services:
private.s3nsapis.fr:2a13:7500:8302::/64restricted.s3nsapis.fr:2a13:7500:8302:1::/64
Consider configuring the IPv6 addresses if you want to use the private.s3nsapis.fr or restricted.s3nsapis.fr domain, and you
have clients that use IPv6 addresses. IPv6 clients that also have IPv4 addresses configured can
reach Google APIs and services by using the IPv4 addresses. Not all services accept traffic from
IPv6 clients.
DNS configuration
For connectivity to Google APIs and services, you can choose to send
packets to the IP addresses associated with the private.s3nsapis.fr or
restricted.s3nsapis.fr VIP. To use a VIP, you must configure DNS so that VMs
in your VPC network reach services by using the VIP addresses
instead of the public IP addresses.
The following sections describe how to use DNS zones to send packets to the IP addresses that are associated with your chosen VIP. Follow the instructions for all scenarios that apply to you:
- If you use services that have
s3nsapis.frdomain names, see Configure DNS fors3nsapis.fr. If you use services that have other domain names, see Configure DNS for other domains.
When you configure DNS records for the VIPs, use only the IP addresses that are
described in the following steps. Do not mix addresses from the
private.s3nsapis.fr and restricted.s3nsapis.fr VIPs. This can
cause intermittent failures because the services that are offered differ
based on a packet's destination.
Configure DNS for s3nsapis.fr
Create a DNS zone and records for s3nsapis.fr:
- Create a private DNS zone for
s3nsapis.fr. Consider creating a Cloud DNS private zone for this purpose. In the
s3nsapis.frzone, create the following private DNS records for eitherprivate.s3nsapis.frorrestricted.s3nsapis.fr, depending on which domain you've chosen to use.For
private.s3nsapis.fr:Create an
Arecord forprivate.s3nsapis.frpointing to the following IP addresses:177.222.88.0,177.222.88.1,177.222.88.2,177.222.88.3.To connect to APIs using IPv6 addresses, also configure an
AAAArecord forprivate.s3nsapis.frpointing to2a13:7500:8302::.
For
restricted.s3nsapis.fr:Create an
Arecord forrestricted.s3nsapis.frpointing to the following IP addresses:177.222.88.4,177.222.88.5,177.222.88.6,177.222.88.7.To connect to APIs using IPv6 addresses, also create an
AAAArecord forrestricted.s3nsapis.frpointing to2a13:7500:8302:1::.
To create private DNS records in Cloud DNS, see add a record.
In the
s3nsapis.frzone, create aCNAMErecord for*.s3nsapis.frthat points to the domain that you've configured:private.s3nsapis.frorrestricted.s3nsapis.fr.
Configure DNS for other domains
Some Google APIs and services are provided using domain names other than s3nsapis.fr.
Create a DNS zone for
DOMAIN(for example,gcr.io). If you're using Cloud DNS, make sure this zone is located in the same project as yours3nsapis.frprivate zone.In this DNS zone, create the following private DNS records for either
private.s3nsapis.frorrestricted.s3nsapis.fr, depending on which domain you've chosen to use.For
private.s3nsapis.fr:Create an
Arecord forDOMAINpointing to the following IP addresses:177.222.88.0,177.222.88.1,177.222.88.2,177.222.88.3.To connect to APIs using IPv6 addresses, also create an
AAAArecord forDOMAINpointing to2a13:7500:8302::.
For
restricted.s3nsapis.fr:Create an
Arecord forDOMAINpointing to the following IP addresses:177.222.88.4,177.222.88.5,177.222.88.6,177.222.88.7.To connect to APIs using IPv6 addresses, also create an
AAAArecord forDOMAINpointing to2a13:7500:8302:1::.
In the
DOMAINzone, create aCNAMErecord for*.DOMAINthat points toDOMAIN. For example, create aCNAMErecord for*.gcr.iothat points togcr.io.
Routing options
Your VPC network must have appropriate routes whose next hops are the default internet gateway. Cloud de Confiance does not support routing traffic to Google APIs and services through other VM instances or custom next hops. Despite being called default internet gateway, packets sent from VMs in your VPC network to Google APIs and services remain within Google's network.
If you select the default domains, your VM instances connect to Google APIs and services using a subset of Google's external IP addresses. These IP addresses are publicly routable, but the path from a VM in a VPC network to those addresses remains within Google's network.
Google doesn't publish routes on the internet to any of the IP addresses used by either the
private.s3nsapis.frorrestricted.s3nsapis.frdomains. Consequently, these domains can only be accessed by VMs in a VPC network or on-premises systems connected to a VPC network.
If your VPC network contains a default route whose next hop is the default internet gateway, you can use that route to access Google APIs and services, without needing to create custom routes. See routing with a default route for details.
If you have replaced a default route (destination 0.0.0.0/0 or ::0/0) with
a custom route whose next hop is not the default internet gateway, you can
meet the routing requirements for Google APIs and services using custom
routing instead.
If your VPC network does not have an IPv6 default route, you won't have IPv6 connectivity to Google APIs and services. Add an IPv6 default route to allow IPv6 connectivity.
Routing with a default route
Each VPC network contains an IPv4 default route (0.0.0.0/0)
when it is created. If you enable external IPv6 addresses on a subnet, a
system-generated IPv6 default route (::/0) is added to that VPC
network.
The default routes provides a path to the IP addresses for the following destinations:
The default domains.
private.s3nsapis.fr:177.222.88.0/30and2a13:7500:8302::/64.restricted.s3nsapis.fr:177.222.88.4/30and2a13:7500:8302:1::/64.
To check the configuration of a default route in a given network, follow these directions.
Console
In the Cloud de Confiance console, go to the Routes page.
Filter the list of routes to show just the routes for the network you need to inspect.
Look for a route whose destination is
0.0.0.0/0for IPv4 traffic or::/0for IPv6 traffic and whose next hop is default internet gateway.
gcloud
Use the following gcloud command, replacing NETWORK_NAME with
the name of the network to inspect:
gcloud compute routes list \
--filter="default-internet-gateway NETWORK_NAME"
If you need to create a replacement default IPv4 route, see Adding a static route.
If you need to create a replacement default IPv6 route, see Adding an IPv6 default route.
Custom routing
As an alternative to a default route, you can use custom static routes, each having a more specific destination, and each using the default internet gateway next hop. The number of routes you need and their destination IP addresses depend on the domain that you choose.
- Default domains: you must have routes for the IP address ranges for Google APIs and services.
private.s3nsapis.fr:177.222.88.0/30and2a13:7500:8302::/64restricted.s3nsapis.fr:177.222.88.4/30and2a13:7500:8302:1::/64
Additionally, we recommend that you add routes for 2a13:7500:8400::/42.
For more information, see Summary of configuration options.
To check the configuration of custom routes for Google APIs and services in a given network, follow these directions.
Console
In the Cloud de Confiance console, go to the Routes page.
Use the Filter table text field to filter the list of routes using the following criteria, replacing
NETWORK_NAMEwith the name of your VPC network.- Network:
NETWORK_NAME - Next hop type:
default internet gateway
- Network:
Look at the Destination IP range column for each route. If you chose the default domains, check for several custom static routes, one for each IP address range used by the default domain. If you chose
private.s3nsapis.frorrestricted.s3nsapis.fr, look for that domain's IP range.
gcloud
Use the following gcloud command, replacing NETWORK_NAME with
the name of the network to inspect:
gcloud compute routes list \
--filter="default-internet-gateway NETWORK_NAME"
Routes are listed in table format unless you customize the command with the
--format flag. Look in the DEST_RANGE column for the destination of each
route. If you chose the default domains, check for several custom static
routes, one for each IP address range used by the default
domain. If you chose private.s3nsapis.fr or
restricted.s3nsapis.fr, look for that domain's IP range.
If you need to create routes, see Adding a static route.
Firewall configuration
The firewall configuration of your VPC network must allow access
from VMs to the IP addresses used by Google APIs and services. The implied
allow egress rule satisfies this requirement.
In some firewall configurations, you need to create specific egress allow rules.
For example, suppose you've created an egress deny rule that blocks traffic to
all destinations (0.0.0.0 for IPv4 or ::/0 for IPv6). In that case, you must
create one egress allow firewall rule whose priority is higher than the egress
deny rule for each IP address range used by your chosen domain
for Google APIs and services.
- Default domains: all IP address ranges for Google APIs and services.
private.s3nsapis.fr:177.222.88.0/30and2a13:7500:8302::/64restricted.s3nsapis.fr:177.222.88.4/30and2a13:7500:8302:1::/64
Additionally, we recommend that you include
2a13:7500:8400::/42 in your egress allow firewall rule. For more
information, see Summary of configuration options.
To create firewall rules, see Creating firewall rules. You can limit the VMs to which the firewall rules apply when you define the target of each egress allow rule.
IP addresses for default domains
This section lists the default domain IP ranges used by Google APIs and services in Cloud de Confiance. These ranges are allocated dynamically and can change, so it's not possible to define specific IP ranges for individual services or APIs. To maintain an accurate list, check this page frequently. For alternatives to maintaining a list of IP address ranges, consider using the private.s3nsapis.fr VIP or Private Service Connect.
177.222.84.0/24 2a13:7500:241::/60