GCP VPC Network Subnets Have Private Google Access Disabled

This policy identifies GCP VPC Network subnets have disabled Private Google access. Private Google access enables virtual machine instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

GCP VPC Network subnets have Private Google access disabled.
JSON Query:
$.resource[*].google_compute_subnetwork[*].*[*].private_ip_google_access anyNull or $.resource[*].google_compute_subnetwork[*].*[*].private_ip_google_access anyFalse
Recommended solution to enable VPC Network subnets Private Google access.
Ensure that VPC Network subnets have Private Google access enabled. Please make sure that in the template, "private_ip_google_access" exists and is set to "true".
For example:
"google_compute_subnetwork": [ { "subnet-with-logging": [ { "ip_cidr_range": "", "name": "log-test-subnetwork", "network": "google_compute_network.custom-test.self_link", "private_ip_google_access": true, "region": "us-central1" } ] } ]

Run Rule Recommendation

  1. Login to GCP Portal.
  2. Go to VPC network (Left Panel).
  3. Select VPC networks.
  4. Click on the name of a reported subnet, The 'Subnet details' page will be displayed.
  5. Click on 'EDIT' button.
  6. Set 'Private Google access' to 'On'.
  7. Click on Save.
Remediation CLI Command:
gcloud compute networks subnets update ${resourceName} --project=${account} --region ${region} --enable-private-ip-google-access
CLI Command Description:
This CLI command requires 'compute.networkAdmin' permission. Successful execution will enable GCP VPC Network subnets 'Private Google access'.


There are 6 standards that are applicable to this policy:
  • PCI DSS v3.2
  • CIS v1.0.0 (GCP)
  • CSA CCM v3.0.1
  • SOC 2
  • ISO 27001:2013
  • NIST 800-53 Rev4

Recommended For You