Tags: network-programming, google-cloud-platform, google-api, google-oauth, vpc

GCP - No Cloud NAT but given public IP leaves VPC


We have a VPC which has VMs with private IP addresses only. There is no Cloud NAT attached to this VPC, so we should not be able to reach public IPs.

Despite the above, we found that we were able to curl the following public IP address from an internal VM: 64.233.166.153
The subnet of the VM has Private Google Access enabled and there is a default route to the default internet gateway, no other route entry matches for this IP. But there is no Cloud NAT.

My questions:

  1. How is it possible to reach public IPs without NAT at all?
  2. Are there other reachable public IPs? (without Cloud NAT)
  3. What are these IPs used for?

Solution

  • Looks like the IP address belongs to a GCP resource/API.

    As per GCP documentation[1], when PGA (Private Google Access) is enabled, GCP VM instances without an external IP can connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM's network interface.

    This could be the potential reason why your VM was able to speak with the Public IP.

    [1] https://cloud.google.com/vpc/docs/configure-private-google-access
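As an added example (not part of the question or the answer above), here is one way to check whether an egress destination seen from a NAT-less VM is plausibly explained by PGA: Google's PGA documentation states that the addresses behind Google APIs and services are the prefixes in goog.json minus those in cloud.json. The function names are mine and the two embedded documents are constructed samples in the shape of those files, not the real published ranges.

```python
"""Attribute a destination IP reached from a VM with no external IP and no Cloud NAT.

Rule from the PGA docs: Google API/service addresses = goog.json prefixes that are
NOT also in cloud.json (cloud.json holds ranges assigned to customer resources).
"""
import ipaddress
import json

# Constructed sample documents in the shape of the published files:
#   https://www.gstatic.com/ipranges/goog.json   (all Google ranges)
#   https://www.gstatic.com/ipranges/cloud.json  (customer-facing Cloud ranges)
# Prefixes below are illustrative only; fetch the real files for live checks.
SAMPLE_GOOG_JSON = json.dumps({"prefixes": [
    {"ipv4Prefix": "64.233.160.0/19"},
    {"ipv4Prefix": "35.190.0.0/17"},
    {"ipv6Prefix": "2001:4860::/32"},
]})
SAMPLE_CLOUD_JSON = json.dumps({"prefixes": [
    {"ipv4Prefix": "35.190.0.0/17", "service": "Google Cloud", "scope": "us-central1"},
]})


def load_prefixes(doc):
    """Parse a goog.json/cloud.json style document into ip_network objects."""
    nets = []
    for entry in json.loads(doc).get("prefixes", []):
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def classify_destination(ip, goog_doc=SAMPLE_GOOG_JSON, cloud_doc=SAMPLE_CLOUD_JSON):
    """Return 'google-api' (reachable via PGA, as in the question),
    'cloud-customer' (another customer's external IP; PGA does not explain it),
    'non-google' (no Google range matches; review routes and NAT), or 'invalid'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    # Mixed-version comparisons (v4 address vs v6 network) simply evaluate False.
    if any(addr in n for n in load_prefixes(cloud_doc)):
        return "cloud-customer"
    if any(addr in n for n in load_prefixes(goog_doc)):
        return "google-api"
    return "non-google"


if __name__ == "__main__":
    for dest in ("64.233.166.153", "35.190.10.1", "203.0.113.7", "not-an-ip"):
        print(dest, "->", classify_destination(dest))
```

Any destination that classifies as non-google from such a VM indicates an egress path other than PGA (a route, NAT, or proxy) and is worth tracing with VPC flow logs.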