Pureport allows you to leverage Google Cloud Interconnect to reach Google APIs and most public-facing Google Cloud services. With the Pureport platform, you can reach these public-facing services from your on-premises hosts and from instances/services in other clouds. For example, you could combine an environment in AWS with Google's BigQuery or Cloud Spanner service, or connect from Azure to Google Cloud Storage privately instead of over the Internet.
When using this feature, you do not need to use any public IP address. Hosts that connect via Pureport can connect using their native private (RFC1918) IPv4 addresses.
Google provides instructions for configuring access with their native GCI service. This article includes information for enabling access after you have already connected from Pureport into Google Cloud Platform.
Supported GCP Public services
Currently, Google offers private connectivity from on-premises and other-cloud hosts for only a subset of the services available through Private Google Access from inside a VPC. Only Google APIs and services that are reachable through the restricted VIP (restricted.googleapis.com) are supported, currently:
- Cloud Bigtable
- Cloud Dataflow
- Cloud Dataproc
- Cloud Data Loss Prevention
- Cloud Deployment Manager
- Cloud DNS
- Cloud KMS
- Cloud Pub/Sub
- Cloud Spanner
- Cloud Storage
- Container Registry
- Stackdriver Logging
- Stackdriver Error Reporting
Setting up Private Google Access via Pureport
Before you begin, you must:
- Enable the APIs that you want to access by using the APIs & services page in the Google Cloud Platform Console.
- Have an existing Google Cloud Interconnect through Pureport, or set up a new one.
To set up Private Google Access via Pureport, you will need to:
- Configure Custom Routes in your Google Cloud Router.
- Meet the VPC Network route requirement.
- Configure DNS so that traffic to Google's APIs resolves to the Restricted API Range.
- Modify site routing as necessary (for non-BGP sites).
- Set up appropriate firewall rules in your VPC networks and other cloud or on-premises networks.
Configuring Custom Routes in the Google Cloud Router
Use the Google Cloud Router Custom Route Advertisement to announce the Restricted Google APIs IP range (199.36.153.4/30) to your Pureport Network. Although this is a public IP address range, Google does not announce it on the public Internet; it is reachable only over a Cloud Interconnect connection, so traffic to and from this range never traverses the public Internet.
After you add this range to your Google Cloud Router's list of announced networks, it is advertised automatically to your Pureport Network and learned by every other cloud or site that runs BGP with Pureport. All cloud sites use BGP. VPN sites may use BGP, static routing, or a policy-based VPN; the latter two require you to add this network manually (see the site routing steps later in this article).
To create a custom route advertisement for the restricted range for all BGP sessions on an existing Cloud Router, follow the steps below. Screen shots appear at the bottom of this article.
- Open the Cloud Router list in the GCP Console
- Click on the Cloud Router you want to update (note that you will need to update BOTH Cloud Routers for an HA Connection)
- In the Cloud Router's detail page, click Edit
- Under Advertised routes, click Create custom routes
- Select Advertise all subnets visible to the Cloud Router
- Select Add custom route
- Source: select Custom IP range
- Click the drop-down and then click Google Cloud API Address Range
- Click Done
- Click Save
Repeat these steps for the redundant Google Cloud Router (if you have an HA connection from Pureport). You should see this route propagate to your other clouds and BGP-enabled sites via the Pureport network.
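The same change can be scripted with gcloud, which is easier to repeat for both routers of an HA pair. This is an added example, not Pureport's or Google's own tooling; the project, region and router names are assumptions, and DRY_RUN=1 prints the commands instead of running them:

```shell
#!/bin/sh
# Added example (not Pureport's or Google's own tooling): advertise the
# restricted Google APIs range from a Cloud Router with gcloud, once per
# router of an HA pair. Project, region and router names are assumptions.
RESTRICTED_RANGE="199.36.153.4/30"   # restricted.googleapis.com VIP

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Switching a router to custom advertisement mode replaces its advertised
# set, so all_subnets is re-stated alongside the restricted range; without
# it the VPC subnets would stop being announced to Pureport.
advertise_restricted_range() {
    project="$1"; region="$2"; shift 2
    for router in "$@"; do
        run gcloud compute routers update "$router" \
            --project="$project" --region="$region" \
            --advertisement-mode=custom \
            --set-advertisement-groups=all_subnets \
            --set-advertisement-ranges="$RESTRICTED_RANGE"
    done
}

# Confirm the range is in the router's advertised set after the update.
show_advertised_ranges() {
    gcloud compute routers describe "$1" --project="$2" --region="$3" \
        --format='value(bgp.advertisedIpRanges)'
}

# Usage (assumed names): preview first, then run for both HA routers.
# DRY_RUN=1 advertise_restricted_range my-project us-east4 pureport-router-a pureport-router-b
# advertise_restricted_range my-project us-east4 pureport-router-a pureport-router-b
# show_advertised_ranges pureport-router-a my-project us-east4
```

The advertisement mode applies to the whole router, so re-stating all_subnets is not optional: a router switched to custom mode with only the restricted range would stop announcing your VPC subnets to Pureport.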
Meeting the VPC Network Route Requirement
The routing table of your VPC network must contain either:
- a default route (0.0.0.0/0) whose next hop is the default Internet gateway, or
- a static route for the Google Restricted APIs range (199.36.153.4/30) whose next hop is the default Internet gateway.
To be clear, the Internet gateway is only the next hop; traffic to or from the Restricted API range never traverses the public Internet. If your VPC still has its default route pointing to the Internet gateway, the requirement is already satisfied. Creating a custom static route is only required if you have removed that default route; in that case, create a custom static route with a destination of 199.36.153.4/30 and a next hop of the default Internet gateway for that VPC.
In order to use Private Google Access via GCI, you will need to configure the internal DNS server(s) used by your on-premises and other-cloud hosts to resolve *.googleapis.com as a CNAME to restricted.googleapis.com. The name restricted.googleapis.com itself must resolve to the four addresses 199.36.153.4 through 199.36.153.7; if you host an authoritative googleapis.com zone internally, add those A records explicitly so that the wildcard CNAME does not match its own target. Note that this redirects every *.googleapis.com name, including services that are not in the supported list above; requests to those services will fail rather than fall back to the public path.
If any of your sites connect to Pureport via static routing or using a policy-based VPN, you will need to add the Google Restricted API network to these in order to ensure reachability. Note that any clouds connected to your Pureport network should automatically receive the route without any intervention.
For sites with static routes, simply add a static route with a destination of 199.36.153.4/30 and a gateway of the Pureport VTI(s) to your customer premises firewall or router. No changes to the configuration of your Pureport Network or Connections are required.
For sites with policy-based VPNs, you will need to add the 199.36.153.4/30 network to the traffic selectors on both the Pureport Connection configuration and your network firewall.
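For a Linux-based customer premises router that terminates the Pureport VPN on VTI interfaces, the static-route step and the matching firewall rule look like the following. This is an added example, not Pureport's configuration; the interface names, the nftables table and chain, and the use of metrics for the HA pair are assumptions, and DRY_RUN=1 prints the commands instead of applying them:

```shell
#!/bin/sh
# Added example (not Pureport's configuration): static route and firewall rule
# for the restricted Google APIs range on a Linux CPE whose Pureport VPN
# tunnels are VTIs. Interface names and the nft table/chain are assumptions.
RESTRICTED_RANGE="199.36.153.4/30"

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One route per VTI. The first VTI gets the lowest metric (preferred); each
# further VTI of an HA connection is a backup with a higher metric.
site_routes() {
    metric=100
    for vti in "$@"; do
        run ip route replace "$RESTRICTED_RANGE" dev "$vti" metric "$metric"
        metric=$((metric + 10))
    done
}

# Google APIs are HTTPS only, so the forward rule is limited to TCP/443
# towards the restricted range and out through the tunnel interfaces.
# Assumes an existing "inet filter" table with a "forward" chain.
site_firewall() {
    for vti in "$@"; do
        run nft add rule inet filter forward oifname "$vti" \
            ip daddr "$RESTRICTED_RANGE" tcp dport 443 accept
    done
}

# Usage (assumed interface names): preview, then apply.
# DRY_RUN=1 site_routes vti0 vti1 ; DRY_RUN=1 site_firewall vti0 vti1
# site_routes vti0 vti1 ; site_firewall vti0 vti1
```

Policy-based VPNs cannot be handled this way: the traffic selector on the Pureport Connection and on the firewall must both include 199.36.153.4/30, or the IPsec SA will simply not carry that traffic.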
Finally, you will need to configure the security settings in your other clouds and your on-premises firewalls to allow outbound traffic to reach