Private Google Access: Routing with custom next hops
By Google Cloud Tech
Configuring Routing Paths for Google APIs – A Detailed Summary
Key Concepts:
- Private Google Access: A method for VMs without external IP addresses to access Google APIs and services privately.
- Static Route: A manually configured network route specifying the path for traffic to a specific destination.
- Next Hop: The next device or gateway in the network path that a packet is forwarded to.
- Firewall/Proxy VM: A self-managed VM acting as a security intermediary for outbound network traffic.
- googleapis.com: The primary domain for many Google Cloud API endpoints.
- Private.googleapis.com / Restricted.googleapis.com: Dedicated domain names for private Google access, reachable via static IP addresses.
- Cloud DNS: Google Cloud’s scalable, reliable, and managed Domain Name System (DNS) service.
- VPC Service Controls: A Google Cloud security perimeter that allows you to limit data exfiltration risks.
- Network Intelligence Center: A tool for testing network connectivity and diagnosing network issues.
1. The Problem: Performance Bottlenecks with Firewall/Proxy VMs
The video addresses a common issue in enterprise networks: performance degradation when accessing Google APIs through a custom firewall or proxy VM. Routing all outbound traffic through a central security appliance introduces a bottleneck, leading to increased latency, reduced throughput, and potential connection drops when communicating with Google Cloud services like Google Cloud Storage (GCS) and Filestore. This is particularly problematic because many Google Cloud APIs reside as subdomains of googleapis.com. The presenter highlights that while securing traffic is important, it shouldn’t come at the cost of performance.
2. Why Traditional Allow Lists are Ineffective
The video explicitly states the impracticality of maintaining an allow list of IP addresses for Google APIs. Google Cloud resources are distributed across a dynamic range of IP addresses, making a static allow list a “moving target” and unsustainable for network administration. The presenter points to a webpage (linked in the description) containing a comprehensive, but constantly changing, list of Google’s IP addresses and subnets.
3. Identifying the Issue: Connectivity Testing
The first step in diagnosing the problem is using the Network Intelligence Center to perform a connectivity test. The example uses the IP address 199.36.153.8 as a target for googleapis.com. The key indicator of a problem is the “next hop” in the test results. If the next hop is anything other than the internet gateway, it signifies that traffic is being unnecessarily routed through the firewall/proxy VM.
4. The Solution: DNS Redirection and Static Routing
The core solution involves two key steps:
- DNS Redirection: Configure Cloud DNS to resolve all subdomains of googleapis.com to a single domain name dedicated for private Google access: private.googleapis.com (or restricted.googleapis.com if VPC Service Controls are in use). This is achieved by creating a private DNS zone for googleapis.com and adding two record sets:
  - A CNAME record: * (wildcard) pointing to private.googleapis.com. This ensures all subdomains are redirected.
  - An A record: private pointing to the four static IP addresses: 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11. These IPs are consistently reachable for private Google access.
- Static Route Creation: Create a static route in the VPC network with the following parameters:
  - Name: (e.g., "Private Google Access")
  - Network: The VPC network to apply the route to.
  - Destination IP Range: 199.36.153.8/30 (covering the four static IPs).
  - Priority: A lower value (higher priority) to ensure it overrides other potentially conflicting routes.
  - Next Hop: Default internet gateway.
This configuration instructs the VPC to send traffic destined for the specified Google API IP addresses directly to Google, bypassing the firewall/proxy VM.
5. Verification: Re-running the Connectivity Test
After implementing the DNS and routing changes, the presenter recommends re-running the connectivity test using the same target IP address (199.36.153.8). Successful implementation is confirmed when the “next hop” in the test results shows the internet gateway, indicating that traffic is now bypassing the firewall/proxy VM.
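The DNS zone, the two record sets, the static route and the connectivity test from sections 4 and 5, written out as Terraform for the google provider. This is an added example, not configuration from the video or from Google's documentation. The placeholders var.project_id, var.network_name and var.test_source_instance (the URI of a VM without an external IP) are assumptions, and the zone name, record TTLs and the priority value 100 are choices made here rather than values given in the video.

```terraform
# Added example: Private Google Access via Cloud DNS redirection + static route.
# Placeholders (assumed, not from the video): project_id, network_name,
# test_source_instance.

variable "project_id" { type = string }
variable "network_name" { type = string }
variable "test_source_instance" {
  type        = string
  description = "URI of a VM without an external IP, used as the connectivity test source"
}

provider "google" {
  project = var.project_id
}

# Look up the existing VPC the route and private zone should apply to.
data "google_compute_network" "vpc" {
  name = var.network_name
}

# Private zone for googleapis.com, visible only from inside the VPC.
resource "google_dns_managed_zone" "googleapis" {
  name        = "googleapis"
  dns_name    = "googleapis.com."
  description = "Redirect all googleapis.com subdomains to private.googleapis.com"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.self_link
    }
  }
}

# Wildcard CNAME: every subdomain of googleapis.com -> private.googleapis.com.
# (Use restricted.googleapis.com here instead when VPC Service Controls apply.)
resource "google_dns_record_set" "wildcard_cname" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.${google_dns_managed_zone.googleapis.dns_name}"
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["private.googleapis.com."]
}

# A record for private.googleapis.com itself -> the four static IPs.
# An exact-match record takes precedence over the wildcard, so this name
# resolves to addresses rather than looping back through the CNAME.
resource "google_dns_record_set" "private_a" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "private.${google_dns_managed_zone.googleapis.dns_name}"
  type         = "A"
  ttl          = 300
  rrdatas = [
    "199.36.153.8",
    "199.36.153.9",
    "199.36.153.10",
    "199.36.153.11",
  ]
}

# Static route covering exactly those four IPs (a /30), next hop the default
# internet gateway, so this traffic never reaches the firewall/proxy VM.
resource "google_compute_route" "private_google_access" {
  name             = "private-google-access"
  network          = data.google_compute_network.vpc.name
  dest_range       = "199.36.153.8/30"
  priority         = 100
  next_hop_gateway = "default-internet-gateway"
}

# Network Intelligence Center connectivity test against the same target IP the
# video uses (section 5): the result should report the internet gateway as the
# next hop, not the proxy VM.
resource "google_network_management_connectivity_test" "pga_next_hop" {
  name     = "pga-next-hop-check"
  protocol = "TCP"

  source {
    instance = var.test_source_instance
  }

  destination {
    ip_address = "199.36.153.8"
    port       = 443
  }
}
```

After `terraform apply`, inspect the test result in Network Intelligence Center or with `gcloud network-management connectivity-tests describe pga-next-hop-check`. A next hop of the default internet gateway confirms the /30 route is being selected for 199.36.153.8; a VM next hop means traffic is still taking the firewall/proxy path and the route or its network binding should be re-checked.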
6. VPC Service Controls Consideration
The video notes that restricted.googleapis.com can be used instead of private.googleapis.com if VPC Service Controls are required. The configuration process remains identical.
7. Documentation and Resources
The presenter directs viewers to the documentation linked in the video description for a complete list of compatible services and further details on private Google access and VPC Service Controls.
Notable Quote:
“You cannot feasibly maintain an allow list or static routes for hundreds of shifting IP addresses, which effectively makes them a moving target.” – The presenter, emphasizing the impracticality of IP-based allow lists.
Synthesis/Conclusion:
The video provides a practical and effective solution to a common performance issue encountered when accessing Google APIs in enterprise networks. By leveraging Cloud DNS redirection and static routing, organizations can bypass unnecessary firewall/proxy bottlenecks, improving latency and throughput for critical Google Cloud service interactions. The solution is robust, avoids the complexities of managing dynamic IP addresses, and offers a clear, step-by-step implementation guide. The key takeaway is that strategically configuring network paths can significantly optimize performance and reliability when interacting with Google Cloud services.