VPC subnet ‘Private Google Access’ should be enabled

Description

Enabling “Private Google Access” for VPC subnets allows virtual machines to connect to the external IP addresses used by Google APIs and services.

Remediation Steps

Google Cloud Console

• Navigate to VPC networks.

• Select your VPC.

• Select the Subnet and click Edit.

• In Private Google Access, select On and click Save.

gcloud CLI

• To enable Private Google access for a VPC subnet:

gcloud compute networks subnets update SUBNET_NAME \
--region=REGION \
--enable-private-ip-google-access

Terraform

• Set [private_ip_google_access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#private_ip_google_access) to true:

  • private_ip_google_access= true

Example Configuration

resource "google_compute_subnetwork" "subnet-with-logging" {
  name          = "log-test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id
  private_ip_google_access= true
}

resource "google_compute_network" "custom-test" {
  name                    = "log-test-network"
  auto_create_subnetworks = false
}

Documentation Links

Runtime

• Configuring Private Google Access

• Private Google Access configuration

Terraform

• google_compute_subnetwork

• google_compute_network