Enable Private Google Access and CloudDNS

Purpose

Hosts or services inside the VPC's internal network can reach Google Cloud services such as GCS directly, without traversing the public internet.

Scenario

  1. Create a VPC and enable Private Google Access (PGA)
  2. Create a googleapis.com Private DNS Zone

Steps

Create VPC Network

Open Cloud Shell and run the following commands to create the network.

Set Environment Variables

```bash
export NETWORK_NAME="wp-network"
export SUBNET_NAME="wp-network-asia-east1"
export PROJECT_ID="$DEVSHELL_PROJECT_ID"
export REGION="asia-east1"
```

Create Custom VPC and Its Subnet

```bash
# create the custom-mode network and its subnet
gcloud compute networks create ${NETWORK_NAME} --subnet-mode custom
gcloud compute networks subnets create ${SUBNET_NAME} --network ${NETWORK_NAME} \
  --region ${REGION} \
  --range 10.1.0.0/16
# allow SSH only from the IAP TCP-forwarding range, so VMs need no public IP
gcloud compute firewall-rules create allow-ssh \
  --network ${NETWORK_NAME} \
  --source-ranges 35.235.240.0/20 \
  --allow tcp:22
```

After creation, the new VPC appears on the VPC Network page.

VPC Network overview showing the newly created VPC

Enable PGA

PGA is enabled per subnet. Once it is on, instances in that subnet that have only internal IP addresses can reach Google Cloud services such as GCS directly, without going through the public internet.

Click the subnet you just created.

Selecting the created subnet

Click Edit.

Editing the subnet

Turn on the Private Google Access option and save.

Enabling Private Google Access

Configure Private Cloud DNS

Enabling PGA alone does not change where googleapis.com names resolve. To keep all traffic inside the GCP network, we'll also add a Cloud DNS private zone that resolves Google API hostnames to Google's private VIP addresses instead of public IPs.

Create a Private Zone in CloudDNS

Creating a Private Zone in Cloud DNS

  1. Choose Private as the zone type
  2. Enter a zone name
  3. Enter googleapis.com as the DNS name
  4. Select the target VPC
  5. Click Create

Configuring the Private Zone

Create records

Creating DNS records

  1. Create an A record named private (that is, private.googleapis.com)
  2. Enter the IPs 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11
  3. Click Create

Adding A records

  1. Create a wildcard record named *
  2. Choose the CNAME type
  3. Point the CNAME to private.googleapis.com.
  4. Click Create to finish

Adding CNAME record
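The same subnet, zone and record setup done from the command line instead of the console, plus a check you can run against a VM's resolver output. This is an added example, not the page's own commands; the zone name `googleapis-private`, the `configure_pga_dns` and `resolves_privately` function names and the sample `dig` output are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): enable PGA on the subnet, create the
# googleapis.com private zone with its A and CNAME records, and verify resolution.
set -eu

NETWORK_NAME="${NETWORK_NAME:-wp-network}"
SUBNET_NAME="${SUBNET_NAME:-wp-network-asia-east1}"
REGION="${REGION:-asia-east1}"
ZONE_NAME="${ZONE_NAME:-googleapis-private}"   # assumed zone name, not from the page

# The four private.googleapis.com VIPs listed on the page (199.36.153.8/30).
PRIVATE_GOOGLEAPIS_IPS="199.36.153.8,199.36.153.9,199.36.153.10,199.36.153.11"

# Console steps "Enable PGA" and "Configure Private Cloud DNS" as gcloud calls.
configure_pga_dns() {
  gcloud compute networks subnets update "$SUBNET_NAME" --region "$REGION" \
    --enable-private-ip-google-access
  gcloud dns managed-zones create "$ZONE_NAME" --dns-name "googleapis.com." \
    --description "Resolve Google APIs to private.googleapis.com VIPs" \
    --visibility private --networks "$NETWORK_NAME"
  gcloud dns record-sets create "private.googleapis.com." --zone "$ZONE_NAME" \
    --type A --ttl 300 --rrdatas "$PRIVATE_GOOGLEAPIS_IPS"
  gcloud dns record-sets create "*.googleapis.com." --zone "$ZONE_NAME" \
    --type CNAME --ttl 300 --rrdatas "private.googleapis.com."
}

# Read resolver output on stdin (one line per answer, as `dig +short` prints it)
# and return 0 only if at least one A record was seen and every A record is one
# of the private VIPs; any other address means the request would leave the VPC.
resolves_privately() {
  found=0
  while IFS= read -r ip; do
    [ -z "$ip" ] && continue
    case "$ip" in
      *[!0-9.]*) continue ;;   # skip CNAME lines such as "private.googleapis.com."
    esac
    found=1
    case ",$PRIVATE_GOOGLEAPIS_IPS," in
      *",$ip,"*) ;;
      *) return 1 ;;
    esac
  done
  [ "$found" -eq 1 ]
}

# Usage on a VM in the subnet:  dig +short storage.googleapis.com | resolves_privately
# Run with "apply" to actually change the project; the default is a dry run.
if [ "${1:-}" = "apply" ]; then
  configure_pga_dns
fi
```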