
Can I access Google Cloud Console from GCE without internet gateway/external IP?

To access https://console.cloud.google.com from a Google Cloud VM instance that is configured with:

  • Internal IP address only.
  • No external IP address.
  • No default route to an Internet Gateway (0.0.0.0/0 route via default-internet-gateway is removed).

My Question:
Is it technically possible to access https://console.cloud.google.com using Private Service Connect (PSC)?


Hi @shogo_s,

Welcome to Google Cloud Community!

You may achieve your goal by leveraging the use of Identity-Aware Proxy (IAP) TCP forwarding to enable administrative access to VM instances that do not have external IP addresses or do not permit direct access over the internet. 

The following table summarizes the SSH options for connecting to VMs through their internal IP addresses.

| Method | Best used when |
| --- | --- |
| SSH tunneling with IAP | You don't want any external IP address access to any VMs in your project. You can use IAP on all Linux VMs, including bastion host VMs and VMs within projects that use Cloud VPN or Cloud Interconnect. |
| Bastion host VMs | You have a specific use case, like session recording, and you can't use IAP. |
| Cloud VPN or Cloud Interconnect | Your organization has configured Cloud VPN or Cloud Interconnect for their networking needs. |

Cloud VPN and Cloud Interconnect are separate Google Cloud products that aren't included in Compute Engine pricing.

The Cloud Console is not an API but a public web application; therefore, PSC cannot be used to access https://console.cloud.google.com. Cloud Console is not a PSC-supported service, and your VM's network configuration prevents public internet access. You would need to modify the network setup. Other information about PSC and its use cases can be found here.

To use Private Service Connect, virtual machine (VM) instances without external IP addresses must have their primary interface in a subnet with Private Google Access enabled.

A VM with an external IP address can access Google APIs and services using Private Service Connect endpoints whether or not Private Google Access is enabled for its subnet. Connectivity to the Private Service Connect endpoint stays within Google's network. See Network requirements.

Sharing with you these articles and Stack Overflow conversation that you may find helpful:

  1. Login to GCP VM Instance without Public IP using Identity-Aware proxy (IAP)
  2. Connecting Securely to Google Compute Engine VMs without a Public IP or VPN
  3. connecting to VM instance having no external IP
  4. Accessing Google APIs via Private Service Connect (PSC) and Private Google Access (PGA)

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

Hi @diannemcm 

Thank you for your detailed explanation and for suggesting alternatives like IAP.

I understand now that accessing the Cloud Console GUI via Private Service Connect is not a supported use case.

To provide some additional context, my main requirement was to operate various Google Cloud products using the GUI console from a GCE instance (with a desktop environment) without that instance having general internet access.

I have a past experience where I was able to access the console from a GCE instance with only an internal IP. This was possible when its subnet had Private Google Access (PGA) enabled and also had a default route to an Internet Gateway (IGW), even though the VM itself had no external IP.

This led me to believe that PGA's function is to perform a type of IP address translation (similar to NAT), allowing the internal IP to reach Google's public services like the console.

Am I correct in this understanding of PGA's role?

Hi @shogo_s,

For accessing Google Cloud Console or other public Google services, PGA does not function in the same way as standard NAT. 

PGA instead provides a private, internal route to Google’s API endpoints without leaving Google’s network while Cloud NAT allows private VMs to access the public internet/any external IP via a managed NAT gateway.

For access to Google APIs privately → enable PGA, and for access to the general internet → configure Cloud NAT or assign external IPs.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
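
The PGA versus Cloud NAT distinction discussed in this thread can be checked against a VM's actual configuration. The script below is an added example, not part of any reply above. It assumes its inputs are the JSON produced by `gcloud compute instances describe`, `gcloud compute networks subnets describe` and `gcloud compute routes list` with `--format=json`, already filtered to the VM's network. The resource names are hypothetical, the sample data is constructed, Cloud NAT presence is passed in by the caller, and route priorities and network tags are ignored.

```python
import ipaddress

# private.googleapis.com VIP range used with Private Google Access
PRIVATE_API_RANGE = ipaddress.ip_network("199.36.153.8/30")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
IGW_SUFFIX = "/gateways/default-internet-gateway"

def has_external_ip(instance):
    """True if any interface has an access config carrying an external (NAT) IP."""
    return any(ac.get("natIP")
               for nic in instance.get("networkInterfaces", [])
               for ac in nic.get("accessConfigs", []))

def igw_route_covers(routes, target):
    """True if some route via the default internet gateway contains `target`."""
    for route in routes:
        if not route.get("nextHopGateway", "").endswith(IGW_SUFFIX):
            continue
        if ipaddress.ip_network(route["destRange"]).supernet_of(target):
            return True
    return False

def assess(instance, subnet, routes, cloud_nat=False):
    """Report which egress paths from the thread this VM can actually use."""
    ext = has_external_ip(instance)
    pga = bool(subnet.get("privateIpGoogleAccess"))
    return {
        "external_ip": ext,
        "pga_enabled": pga,
        # PGA needs the subnet flag AND a route to the API range via the IGW
        "google_apis_via_pga": (not ext) and pga
                               and igw_route_covers(routes, PRIVATE_API_RANGE),
        # Cloud NAT and external IPs both depend on a default route via the IGW
        "general_internet": igw_route_covers(routes, DEFAULT_ROUTE)
                            and (ext or cloud_nat),
    }

# Constructed sample data (hypothetical project and resource names)
IGW = "projects/example-project/global/gateways/default-internet-gateway"
VM = {"name": "desktop-vm", "networkInterfaces": [{"networkIP": "10.0.0.5"}]}
SUBNET = {"name": "private-subnet", "privateIpGoogleAccess": True}
API_ONLY_ROUTES = [{"destRange": "199.36.153.8/30", "nextHopGateway": IGW}]
DEFAULT_ROUTES = [{"destRange": "0.0.0.0/0", "nextHopGateway": IGW}]

if __name__ == "__main__":
    print(assess(VM, SUBNET, API_ONLY_ROUTES))
    print(assess(VM, SUBNET, DEFAULT_ROUTES, cloud_nat=True))
```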