
We are trying to run Packer from within GCP VPC.

We have disabled external IP addresses for all instances for security reasons.

To have access to Google APIs, we set up Private Google Access and verified it's working by the following:

$ traceroute -T -p 443 www.googleapis.com
traceroute to www.googleapis.com (199.36.153.4), 30 hops max, 44 byte packets
 1  gateway (172.17.0.1)  0.081 ms  0.017 ms  0.016 ms
 2  199.36.153.4 (199.36.153.4)  3.949 ms  3.942 ms  4.992 ms

Now, within the instance, when we run Packer, we cannot access Google Cloud images using the Google API; it fails with:

<p><b>404.</b> <ins>That’s an error.</ins>
<p>The requested URL <code>/batch/compute/v1</code> was not found on this server.  
<ins>That’s all we know.</ins>

Does that mean our setup is wrong in some way? Can anyone tell me the correct way to verify if Private Access is working?

Samuel N
Jasper Wu

3 Answers


First, ensure that you followed all the steps outlined in our public doc for Setting up private connectivity to GCP services from a VPC network.

To restrict Private Google Access within a service perimeter to only VPC Service Controls supported Google APIs and services, your VM instances must send requests to restricted.googleapis.com instead of *.googleapis.com.

The restricted.googleapis.com host acts as a proxy. Your request must contain a header for the original API you are trying to reach.

Next, note that VPC Service Controls support for Compute Engine enables you to use VPC networks inside service perimeters. But there are limitations such as, you cannot protect the Compute Engine API using a service perimeter.

Attempting to access an API that is not supported by the VPC Service Controls restricted VIP will result in a 404 error.

The error you got is expected for services that are not supported by VPC Service Controls and not available on the restricted VIP. So ensure that the API you are trying to call is part of the services supported by VPC Service Controls. If it is, then you should check the known service limitations and unsupported services with the restricted VIP to see if it is a known limitation. Otherwise, the issue should be reported.

The Public Issue Tracker is the tool and perfect forum for reporting issues like this one concerning configuration or behavior of Google Cloud Platform services and products. It allows you to interact with experts and sometimes the engineers that built the product. Find out more about it here. You might even want to use it to report this issue if you still encounter roadblocks.

Samuel N

  • Thank you for your attention! I read about the documentation and saw that: `Currently, you cannot protect the Compute Engine API using a service perimeter.` Does that mean Compute Engine is not supported by VPC Service Controls and therefore not supported by Private Google Access? – Jasper Wu Jun 26 '19 at 22:35
  • Is there a quick way to test if my Private Google Access is set up correctly? – Jasper Wu Jun 27 '19 at 21:43
  • Like a "hello world" Google API or a gcloud command that is sure to work if private access is set up? – Jasper Wu Jun 27 '19 at 21:44

Samuel's reply is a valid one. Regarding your Compute Engine API observation, this is also correct - it is not supported in VPC Service Control.

On the same page where you found the Compute Engine limitations, there are instructions on how to use images.

You should add a user to access level for the perimeter.

Ivan

It turned out there are two documents seemingly talking about the same thing -- Private Google Access, while one is actually for VPC Service Controls (which we have no idea whether we have, since we are not at the org level).

All we needed to do was remove the DNS record that points to restricted.googleapis.com, and the problem was solved.

Jasper Wu
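A quick DNS-side check for the situation in this thread, as an added example that is not from any of the posts above: the traceroute in the question already lands on 199.36.153.4, which is in the restricted.googleapis.com range (199.36.153.4/30), while private.googleapis.com uses 199.36.153.8/30 and serves all APIs. The script classifies what a Google API hostname resolves to from inside the VM and warns when it is the restricted VIP; `PROJECT_ID_PLACEHOLDER` is a placeholder, and the 401-vs-404 probe is an assumption about unauthenticated responses, not something the thread states.

```shell
#!/bin/sh
# Added example: which Google API VIP does a hostname resolve to?
# Assumed facts (Google's Private Google Access documentation):
#   restricted.googleapis.com -> 199.36.153.4/30  (VPC Service Controls VIP;
#                                  the Compute Engine API is not served here)
#   private.googleapis.com    -> 199.36.153.8/30  (serves all Google APIs)
# Any other address is a public front end, unreachable without an
# external IP or Cloud NAT.

# classify_vip IP -> prints restricted | private | public
classify_vip() {
  case "$1" in
    199.36.153.4|199.36.153.5|199.36.153.6|199.36.153.7)   echo restricted ;;
    199.36.153.8|199.36.153.9|199.36.153.10|199.36.153.11) echo private ;;
    *)                                                     echo public ;;
  esac
}

# check_host HOST -> prints "HOST IP class"; warns on the restricted VIP,
# which is what produced the 404 for /batch/compute/v1 in the question.
check_host() {
  host="$1"
  ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  [ -n "$ip" ] || { echo "$host: no A record" >&2; return 1; }
  class=$(classify_vip "$ip")
  echo "$host $ip $class"
  if [ "$class" = restricted ]; then
    echo "  WARNING: $host goes to the restricted VIP;" \
         "Compute Engine API calls will 404" >&2
  fi
}

# Optional live probe (assumption): an unauthenticated GET to the Compute
# API returns 401 when the endpoint actually serves the API, whereas the
# restricted VIP answers 404 for this unsupported service.
probe_compute() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID_PLACEHOLDER/zones"
}

# Usage: ./check_pga.sh www.googleapis.com compute.googleapis.com
if [ "$#" -gt 0 ]; then
  for h in "$@"; do check_host "$h"; done
fi
```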