Google Cloud – Troubleshoot Private Google Access Not Working

Tags: google-cloud-dns, google-cloud-platform, google-compute-engine

We are trying to run Packer from within a GCP VPC.

We have disabled external IP addresses for all instances for security reasons.

To have access to Google APIs, we set up Private Google Access and verified it's working by the following:

$ traceroute -T -p 443 www.googleapis.com
traceroute to www.googleapis.com (199.36.153.4), 30 hops max, 44 byte packets
 1  gateway (172.17.0.1)  0.081 ms  0.017 ms  0.016 ms
 2  199.36.153.4 (199.36.153.4)  3.949 ms  3.942 ms  4.992 ms

Now, within the instance, when we run Packer we cannot access Google Cloud images using the Google API; it fails with:

404. That’s an error.
The requested URL /batch/compute/v1 was not found on this server.
That’s all we know.

Does that mean our setup is wrong in some way? Can anyone tell me the correct way to verify if Private Access is working?

Best Answer

First, ensure that you followed all the steps outlined in our public doc for Setting up private connectivity to GCP services from a VPC network.

To restrict Private Google Access within a service perimeter to only VPC Service Controls supported Google APIs and services, your VM instances must send requests to restricted.googleapis.com instead of *.googleapis.com.

The restricted.googleapis.com host acts as a proxy. Your request must contain a header for the original API you are trying to reach.

Next, note that VPC Service Controls support for Compute Engine enables you to use VPC networks inside service perimeters. But there are limitations; for example, you cannot protect the Compute Engine API using a service perimeter.

Attempting to access an API that is not supported by the VPC Service Controls restricted VIP will result in a 404 error.

The error you got is expected for services that are not supported by VPC Service Controls and not available on the restricted VIP. So ensure that the API you are trying to call is part of the services supported by VPC Service Controls. If it is, then you should check the known service limitations and the services unsupported with the restricted VIP to see if it is a known limitation. Otherwise, the issue should be reported.

The Public Issue Tracker is the tool and perfect forum for reporting issues like this one concerning configuration or behavior of Google Cloud Platform services and products. It allows you to interact with experts and sometimes the engineers that built the product. Find out more about it here. You might even want to use it to report this issue if you still encounter roadblocks.
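A small verification script for the checks the answer describes, added here as an example (it is not code from the question, the answer, or Google). It classifies the addresses a VM resolves for a Google API hostname against the two Private Google Access VIP ranges (199.36.153.8/30 for private.googleapis.com, 199.36.153.4/30 for restricted.googleapis.com), parses the traceroute output from the question to confirm the last hop lands on a VIP, sends a probe to restricted.googleapis.com with the Host header naming the real API, and interprets a 404 the way the answer does: expected for an API the restricted VIP does not serve, worth investigating otherwise. The set ASSUMED_RESTRICTED_VIP_SERVICES is a placeholder assumption, not the authoritative supported-products list, and the sample traceroute is the one from the question.

```python
"""Verify Private Google Access from inside a GCE VM without an external IP.

Added example, not code from the original question or answer.  Assumes the two
documented VIP ranges: 199.36.153.8/30 (private.googleapis.com) and
199.36.153.4/30 (restricted.googleapis.com).  The set of APIs treated as served
by the restricted VIP is a placeholder for illustration only.
"""
import ipaddress
import re
import socket
import ssl
import urllib.error
import urllib.request

PRIVATE_VIP = ipaddress.ip_network("199.36.153.8/30")
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")

# Placeholder assumption: replace with the current VPC Service Controls
# supported-products list before relying on the verdicts below.
ASSUMED_RESTRICTED_VIP_SERVICES = {"storage.googleapis.com", "bigquery.googleapis.com"}

# Constructed sample: the traceroute output quoted in the question.
SAMPLE_TRACEROUTE = """traceroute to www.googleapis.com (199.36.153.4), 30 hops max, 44 byte packets
 1  gateway (172.17.0.1)  0.081 ms  0.017 ms  0.016 ms
 2  199.36.153.4 (199.36.153.4)  3.949 ms  3.942 ms  4.992 ms
"""

# Matches "<hop>  <name> (<ipv4>)"; unanswered hops ("* * *") do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def classify_address(addr):
    """Return 'restricted', 'private' or 'public' for one IP address string."""
    ip = ipaddress.ip_address(addr)
    if ip in RESTRICTED_VIP:
        return "restricted"
    if ip in PRIVATE_VIP:
        return "private"
    return "public"


def classify_resolution(addresses):
    """Summarise resolved addresses: all on one VIP, all public, or 'mixed'."""
    kinds = {classify_address(a) for a in addresses}
    return kinds.pop() if len(kinds) == 1 else "mixed"


def resolve(hostname):
    """Live DNS lookup: the distinct addresses this VM actually resolves."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def parse_traceroute(text):
    """Extract (hop, ip) pairs from traceroute output, skipping unanswered hops."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def final_hop_kind(text):
    """Classify the last responding hop, or None if no hop answered."""
    hops = parse_traceroute(text)
    return classify_address(hops[-1][1]) if hops else None


def explain_404(api_host, status, supported=ASSUMED_RESTRICTED_VIP_SERVICES):
    """Interpret an HTTP status from restricted.googleapis.com for a given Host header."""
    if status != 404:
        return "reached"  # the VIP answered; any remaining error is API-level, not connectivity
    if api_host not in supported:
        return "expected-unsupported"  # 404 is the documented response for APIs not on the restricted VIP
    return "investigate"  # supported API but 404: check known limitations, then file an issue


def probe_restricted_vip(api_host, path="/", timeout=5):
    """Live check: TLS to restricted.googleapis.com with the Host header naming the real API."""
    req = urllib.request.Request("https://restricted.googleapis.com" + path,
                                 headers={"Host": api_host})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    print("sample traceroute ends on:", final_hop_kind(SAMPLE_TRACEROUTE))
    for host in ("www.googleapis.com", "restricted.googleapis.com", "compute.googleapis.com"):
        addrs = resolve(host)
        print(f"{host} -> {addrs} ({classify_resolution(addrs)})")
    status = probe_restricted_vip("compute.googleapis.com", "/compute/v1/projects")
    print("compute via restricted VIP:", status, explain_404("compute.googleapis.com", status))
```

Run it on the VM itself: a hostname that resolves to "public" addresses means the DNS zone that maps *.googleapis.com onto the VIP is missing, and a "mixed" result points at a DNS configuration that only partially overrides the public records. The live probe uses the VM's trust store to validate the restricted.googleapis.com certificate; only the Host header is rewritten, which is the proxy behaviour the answer describes.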