Score:0

Google API key IP-based restriction when using private instances and Cloud NAT in GCP


I'm using a private VM instance in GCP along with Cloud NAT to allow internet access for this instance. Recently I've been trying to access the Google Places API service via this instance, using an API key. The recommended approach is to restrict the use of this API key by IP address in this scenario. Unfortunately I'm getting a REQUEST_DENIED error, stating "This IP, site or mobile application is not authorized to use this API key. Request received from IP address {IPv6 address removed}, with empty referer" when I try to do this - despite GCP not supporting IPv6 addresses in VPCs.

My suspicion is that because enabling Cloud NAT automatically activates Private Google Access there's actually some internal GCP private IPv4 to IPv6 NAT happening before the request hits the API - but obviously I'm unable to confirm this.

My question then is, is anyone aware of a way of enabling IP-based restriction on Google Places API keys in this environment (private VM instance + Cloud NAT/Private Google Access)?

Thanks!

Michael Hampton
You removed the IPv6 address (probably unnecessarily) so it's impossible to tell what it might be. You should avoid obfuscation whenever possible.
FranAguiar
Hello @Michael, did you find a solution for this?
Score:0
  • When establishing private connectivity to Google API services, certain procedures have to be followed, involving creating a route to restricted.googleapis.com. The relevant additional details can be found in the doc.

  • Your observation is right that enabling NAT leads to activating PGA even though it is not activated manually, and Andromeda (which provides network virtualization for GCP) does the encapsulation of IPv4 in IPv6.

  • As mentioned in the doc, when a private VM sends a packet to the destination address (199.36.153.8/30 or 199.36.153.4/30), Andromeda encapsulation wraps the IPv4 packet in an Andromeda NAT64 IPv6 packet. This is internally routable. Bits 0 through 31 are the VM's IPv4 internal address; bits 32 through 63 represent a unique 32-bit identifier for the VPC network (called the VNID); bits 64 through 127 are a common 64 bits (8 bytes) for all customers. Thus, each GCP VM has a globally unique IPv6 address, routable within Google's networks.

  • Please try to follow the below setup in APIs & Services -> Credentials.

    1. Select the key.
    2. Under API Restriction, select API type.
    3. Set Application Restriction to None.
    4. Save.
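
As an added illustration (not code from the answer above, and not Google's own tooling), the following Python splits an IPv6 address laid out as the third bullet describes into its three fields and rebuilds it. It assumes that bit 0 is the most significant bit of the 128-bit address (RFC 4291 numbering); the offsets are kept as constants so the decoder can be adjusted if an observed address turns out to use a different embedding. The sample VM address, VNID and common bits are constructed for the example. Used on the IPv6 address quoted in the REQUEST_DENIED message, it shows whether that address carries the private VM's internal IPv4 address, which is what the thread suspects and what would have to be matched by any IP restriction on the key.

```python
import ipaddress

# Layout from the answer above. Bit 0 is taken as the most significant bit
# (RFC 4291 numbering); this ordering is an assumption of the example.
IPV4_OFFSET = 0      # bits 0..31   : VM's internal IPv4 address
VNID_OFFSET = 32     # bits 32..63  : 32-bit VPC network identifier (VNID)
COMMON_OFFSET = 64   # bits 64..127 : 64 bits common to all customers


def field(addr_int, offset, width):
    """Return `width` bits starting at bit `offset` (0 = most significant)."""
    shift = 128 - offset - width
    return (addr_int >> shift) & ((1 << width) - 1)


def decode_andromeda_nat64(ipv6_text):
    """Split an address of the described layout into ipv4 / vnid / common."""
    n = int(ipaddress.IPv6Address(ipv6_text))
    return {
        "ipv4": str(ipaddress.IPv4Address(field(n, IPV4_OFFSET, 32))),
        "vnid": field(n, VNID_OFFSET, 32),
        "common": field(n, COMMON_OFFSET, 64),
    }


def encode_andromeda_nat64(ipv4_text, vnid, common=0):
    """Inverse of decode: assemble the IPv6 address from its three fields."""
    if not 0 <= vnid < (1 << 32) or not 0 <= common < (1 << 64):
        raise ValueError("vnid must fit in 32 bits and common in 64 bits")
    n = (int(ipaddress.IPv4Address(ipv4_text)) << (128 - IPV4_OFFSET - 32)) \
        | (vnid << (128 - VNID_OFFSET - 32)) \
        | (common << (128 - COMMON_OFFSET - 64))
    return str(ipaddress.IPv6Address(n))


def embeds_vm(ipv6_text, vm_internal_ipv4):
    """True if the address carries the given VM internal IPv4 in its IPv4 field."""
    return decode_andromeda_nat64(ipv6_text)["ipv4"] == vm_internal_ipv4


if __name__ == "__main__":
    # Constructed sample: VM 10.128.0.5, VNID 0x12345678, common bits set to 1.
    sample = encode_andromeda_nat64("10.128.0.5", 0x12345678, common=1)
    print(sample)                          # a80:5:1234:5678::1
    print(decode_andromeda_nat64(sample))  # {'ipv4': '10.128.0.5', 'vnid': 305419896, 'common': 1}
    print(embeds_vm(sample, "10.128.0.5")) # True
```

To use it on a real error message, pass the quoted IPv6 address to `decode_andromeda_nat64` and compare the `ipv4` field with the instance's internal address from the VM details page; if they match, the address the API sees is the encapsulated internal address rather than the Cloud NAT public address, which explains why a public-IP restriction on the key does not match.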