On-premises hosts can reach Google APIs and services by using
Cloud VPN or Cloud Interconnect
from your on-premises network to Trusted Cloud. On-premises hosts can
send traffic from the following types of source IP addresses:
- a private IP address, such as an RFC 1918 address
- a privately used public IP address, except for a Google-owned public IP
  address. (Private Google Access for on-premises hosts does not support
  re-using Google public IP addresses as sources in your on-premises network.)
To enable Private Google Access for on-premises hosts, you must configure
DNS, firewall rules, and routes in your on-premises and VPC
networks. You don't need to enable Private Google Access for any subnets in
your VPC network as you would for Private Google Access for
Trusted Cloud VM instances.
On-premises hosts must connect to Google APIs and services by using the virtual
IP addresses (VIPs) for either the restricted.googleapis.com or
private.googleapis.com domains. Refer to Private Google Access-specific
domains and VIPs for more details.
Google publicly publishes DNS A records that resolve the domains to a VIP range.
Even though the ranges have external IP addresses, Google does not publish
routes for them. Therefore, you must add a custom advertised route on a
Cloud Router and have an appropriate custom static route in your
VPC network for the VIP's destination.
The route must have a destination matching one of the VIP ranges and a next hop
being the default internet gateway. Traffic sent to the VIP range stays within
Google's network instead of traversing the public internet because Google does
not publish routes to them externally.
For configuration information, see Configure Private Google Access for
on-premises hosts.
Supported services
Services available to on-premises hosts are limited to those supported by the
domain name and VIP used to access them. For more information, see
Domain options.
Example
In the following example, the on-premises network is connected to a
VPC network through a Cloud VPN tunnel. Traffic from
on-premises hosts to Google APIs travels through the tunnel to the
VPC network. After traffic reaches the VPC
network, it is sent through a route that uses the default internet gateway as
its next hop. This next hop allows traffic to leave the VPC
network and be delivered to restricted.googleapis.com (199.36.153.4/30).
(Diagram: Private Google Access for hybrid cloud use case.)
- The on-premises DNS configuration maps *.googleapis.com requests to
  restricted.googleapis.com, which resolves to 199.36.153.4/30.
- Cloud Router has been configured to advertise the 199.36.153.4/30
  IP address range through the Cloud VPN tunnel by using a custom advertised
  route. Traffic going to Google APIs is routed through the tunnel to the
  VPC network.
- A custom static route was added to the VPC network that
  directs traffic with the destination 199.36.153.4/30 to the default internet
  gateway (as the next hop). Google then routes traffic to the appropriate API
  or service.
- If you created a Cloud DNS managed private zone for
  *.googleapis.com that maps to 199.36.153.4/30 and have authorized that
  zone for use by your VPC network, requests to anything in the
  googleapis.com domain are sent to the IP addresses that are used by
  restricted.googleapis.com. Only the supported APIs are accessible with this
  configuration, which might cause other services to be unreachable. Cloud DNS
  doesn't support partial overrides. If you require partial overrides, use
  BIND.
What's next
- To configure Private Google Access for on-premises hosts, see Configure
  Private Google Access for on-premises hosts.
Last updated 2025-08-25 UTC.