Robert

Reputation: 147

GCP - No Cloud NAT but given public IP leaves VPC

We have a VPC which has VMs with private IP addresses only. There is no Cloud NAT attached to this VPC, so we should not be able to reach public IPs.

Despite the above, we found that we were able to curl the following public IP address from an internal VM: 64.233.166.153
The subnet of the VM has Private Google Access enabled and there is a default route to the default internet gateway; no other route entry matches this IP. But there is no Cloud NAT.

My questions:

  1. How is it possible to reach public IPs without NAT at all?
  2. Are there other reachable public IPs? (without Cloud NAT)
  3. What are these IPs used for?

Upvotes: 2

Views: 1240

Answers (2)

Omkar

Reputation: 11

The answer provided by @dp nellutla is right.

@Robert - For the use case that you mentioned in the comments - reaching the BQ API from GCE with a private IP without leaving Google's backbone network - I believe VPC Private Service Connect (PSC) for Google APIs is the right solution approach for you.

By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com. Even though the IP addresses for the default DNS names are publicly routable, traffic sent from Google Cloud resources remains within Google's network.

With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network. You can assign DNS names to these internal IP addresses with meaningful names like storage-vialink1.p.googleapis.com and bigtable-adsteam.p.googleapis.com. These names and IP addresses are internal to your VPC network and any on-premises networks that are connected to it using Cloud VPN tunnels or VLAN attachments. You can control which traffic goes to which endpoint, and can demonstrate that traffic stays within Google Cloud.

Basically, when you create a PSC endpoint, you assign a private IP address to it. To reach the respective Google API (e.g. BigQuery), you always connect via the PSC endpoint IP. This way you can control egress traffic in your VPC firewall rules with a deny-all rule and allow only the PSC endpoint IP.

Additionally, you can go one step further and restrict the traffic/data going to the BQ APIs from your GCE/VPC at a more granular level with VPC Service Controls. By setting a VPC SC perimeter you can define/enforce more restrictive policies to avoid any sort of data exfiltration.

Thanks

BR Omkar

Upvotes: 1

dp nellutla

Reputation: 76

It looks like the IP address belongs to a GCP resource/API.

As per the GCP documentation[1], when PGA (Private Google Access) is enabled, GCP VM instances without an external IP can connect to the set of external IP addresses used by Google APIs and services, by enabling Private Google Access on the subnet used by the VM's network interface.

This could be the reason why your VM was able to speak with the public IP.

[1] https://cloud.google.com/vpc/docs/configure-private-google-access

Upvotes: 1
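To answer the second question in the post ("Are there other reachable public IPs?") more concretely: a private-IP-only VM with Private Google Access and a default route to the default internet gateway can reach the external addresses used by Google APIs and services, but not arbitrary Google-owned addresses (for example another customer's Google Cloud VM) and not the rest of the internet. Google publishes its address space as two JSON files, https://www.gstatic.com/ipranges/goog.json (every prefix Google announces) and https://www.gstatic.com/ipranges/cloud.json (the subset handed to Google Cloud customers), and documents that "goog minus cloud" approximates the Google API and service ranges. The script below, an added example that is not part of either answer, applies that check to an address. The two embedded JSON documents are hand-picked illustrations in the shape of those files, not the live lists, and the VIP ranges for private.googleapis.com (199.36.153.8/30) and restricted.googleapis.com (199.36.153.4/30) are included because they only exist on Google's network and are the usual target when you want egress to be provably Google-only.

```python
import ipaddress
import json

# Constructed sample documents in the shape of Google's published range files.
# The prefixes are an illustration; fetch goog.json and cloud.json for real checks.
GOOG_JSON = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ipv4Prefix": "64.233.160.0/19"},
        {"ipv4Prefix": "172.217.0.0/16"},
        {"ipv4Prefix": "35.184.0.0/13"},   # also appears in cloud.json below
        {"ipv6Prefix": "2607:f8b0::/32"},
    ],
})
CLOUD_JSON = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ipv4Prefix": "35.184.0.0/13", "service": "Google Cloud", "scope": "us-central1"},
    ],
})

# VIPs that exist only on Google's network: reachable from a subnet with Private
# Google Access (or over Cloud VPN / Interconnect), never from the public internet.
PRIVATE_GOOGLEAPIS_VIP = ipaddress.ip_network("199.36.153.8/30")     # private.googleapis.com
RESTRICTED_GOOGLEAPIS_VIP = ipaddress.ip_network("199.36.153.4/30")  # restricted.googleapis.com

EXPLANATION = {
    "rfc1918": "private address, routed inside the VPC (or peering/VPN); no NAT needed",
    "google-api-vip": "private/restricted.googleapis.com VIP; reachable only via Private Google Access",
    "google-service": "Google API/service frontend; reachable via Private Google Access without Cloud NAT",
    "google-cloud-customer": "Google Cloud customer range (someone's VM/LB); needs Cloud NAT or an external IP",
    "internet": "not Google; needs Cloud NAT or an external IP",
}


def load_prefixes(doc):
    """Parse a goog.json/cloud.json style document into ip_network objects."""
    nets = []
    for entry in json.loads(doc)["prefixes"]:
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr, strict=True))
    return nets


def _contains(nets, addr):
    return any(n.version == addr.version and addr in n for n in nets)


def classify(ip, goog_doc=GOOG_JSON, cloud_doc=CLOUD_JSON):
    """Return which egress path a private-IP-only VM needs for this destination.

    Order matters: cloud.json is a subset of goog.json, so customer space is
    tested first and only what is left of goog.json counts as Google services.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return "rfc1918"
    if addr in PRIVATE_GOOGLEAPIS_VIP or addr in RESTRICTED_GOOGLEAPIS_VIP:
        return "google-api-vip"
    if _contains(load_prefixes(cloud_doc), addr):
        return "google-cloud-customer"
    if _contains(load_prefixes(goog_doc), addr):
        return "google-service"
    return "internet"


def explain(ip, goog_doc=GOOG_JSON, cloud_doc=CLOUD_JSON):
    kind = classify(ip, goog_doc, cloud_doc)
    return f"{ip}: {kind} ({EXPLANATION[kind]})"


if __name__ == "__main__":
    # The first address is the one from the question; the rest are constructed.
    for ip in ["64.233.166.153", "199.36.153.10", "35.190.1.1", "1.1.1.1", "10.128.0.5", "2607:f8b0:4004::1"]:
        print(explain(ip))
```

Against the live lists, replace `GOOG_JSON`/`CLOUD_JSON` with the downloaded documents; the classification logic is unchanged. Two caveats a reviewer would want noted: the "goog minus cloud" difference is Google's own stated approximation of the API/service space rather than an authoritative list, and Private Google Access only opens the path at the network layer. It does not authenticate anything, so whether BigQuery, Cloud Storage and the like accept the traffic is still decided by IAM and, if configured, a VPC Service Controls perimeter.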
