We are trying to run Packer from within a GCP VPC.
We have disabled external IP addresses for all instances for security reasons.
To have access to Google APIs, we set up Private Google Access and verified it's working by the following:
$ traceroute -T -p 443 www.googleapis.com
traceroute to www.googleapis.com (199.36.153.4), 30 hops max, 44 byte packets
1 gateway (172.17.0.1) 0.081 ms 0.017 ms 0.016 ms
2 199.36.153.4 (199.36.153.4) 3.949 ms 3.942 ms 4.992 ms
Now within the instance, when we run we cannot access Google Cloud images using the Google API; it fails with:
<p><b>404.</b> <ins>That’s an error.</ins>
<p>The requested URL <code>/batch/compute/v1</code> was not found on this server.
<ins>That’s all we know.</ins>
Does that mean our setup is wrong in some way? Can anyone tell me the correct way to verify if Private Access is working?
Best Answer
First, ensure that you followed all the steps outlined in our public doc for Setting up private connectivity to GCP services from a VPC network.
The restricted.googleapis.com host acts as a proxy. Your request must contain a header for the original API you are trying to reach.
Next, note that VPC Service Controls support for Compute Engine enables you to use VPC networks inside service perimeters. But there are limitations; for example, you cannot protect the Compute Engine API using a service perimeter.
The error you got is expected for services that are not supported by VPC Service Controls and not available on the restricted VIP. So ensure that the API you are trying to call is part of the services supported by VPC Service Controls. If it is, then you should check the known service limitations and unsupported service with restricted VIP to see if it is a known limitation. Otherwise, the issue should be reported.
The Public Issue Tracker is the tool and perfect forum for reporting issues like this one concerning configuration or behavior of Google Cloud Platform services and products. It allows you to interact with experts and sometimes the engineers that built the product. Find out more about it here. You might even want to use it to report this issue if you still encounter roadblocks.
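
On the question of how to verify which path is in use, the following is an added example, not part of the original question or answer. It parses the traceroute output posted in the question and classifies the destination against the Private Google Access VIP ranges. The range constants are taken from Google's documentation rather than from this page, and the function names are illustrative.

```python
import ipaddress
import re

# Private Google Access VIP ranges (IPv4), per Google's documentation;
# these values are an assumption of this example, not stated on the page.
VIP_RANGES = {
    "restricted.googleapis.com": ipaddress.ip_network("199.36.153.4/30"),
    "private.googleapis.com": ipaddress.ip_network("199.36.153.8/30"),
}

# Traceroute output as posted in the question.
SAMPLE = """traceroute to www.googleapis.com (199.36.153.4), 30 hops max, 44 byte packets
 1 gateway (172.17.0.1) 0.081 ms 0.017 ms 0.016 ms
 2 199.36.153.4 (199.36.153.4) 3.949 ms 3.942 ms 4.992 ms"""

HEADER = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
HOP = re.compile(r"^\s*\d+\s+\S+ \(([\d.]+)\)")


def classify(ip):
    """Name the VIP an address belongs to, else 'private-address' or 'public'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VIP_RANGES.items():
        if addr in net:
            return name
    return "private-address" if addr.is_private else "public"


def analyse(output):
    """Summarise one traceroute run: target, VIP class, and whether it was reached."""
    lines = output.strip().splitlines()
    header = HEADER.match(lines[0])
    if not header:
        raise ValueError("not a traceroute header line")
    host, dest = header.groups()
    # Hops that timed out ("* * *") carry no address and are skipped.
    hops = [m.group(1) for m in map(HOP.match, lines[1:]) if m]
    return {
        "host": host,
        "dest": dest,
        "vip": classify(dest),
        "reached": bool(hops) and hops[-1] == dest,
        "hops": hops,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

For the posted output the destination falls in the restricted VIP range, so name resolution and routing are steering traffic to the restricted VIP; whether a given API answers there is the separate question the answer addresses.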