Ensure Private Google Access is enabled for all subnetworks in VPC Network

Private Google Access enables virtual machine instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.

Risk Level: High
Cloud Entity: Subnet
CloudGuard Rule ID: D9.GCP.NET.14
Covered by Spectral: Yes
Category: Networking & Content Delivery


Subnet should have privateIpGoogleAccess=true


From Portal

  1. Go to VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list
  2. Click the name of the network that contains the subnet.
  3. Click the name of the subnet. The Subnet details page is displayed.
  4. Click on EDIT button
  5. Set Private Google access to On
  6. Click on Save

From TF
Set the private_ip_google_access argument to 'true':

resource "google_compute_subnetwork" "container_subnetwork" {
	private_ip_google_access = true

From Command Line

gcloud compute networks subnets update SUBNET_NAME --region=REGION --enable-private-ip-google-access


  1. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork
  2. https://cloud.google.com/vpc/docs/configure-private-google-access


A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP CloudGuard Network Security
  • GCP GDPR Readiness
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2