Making Private Google Access the Default for GCP Workloads

Ariel Filotti
Zencore Engineering
Nov 1, 2023
How Private Google Access works

Google Cloud Platform offers the Private Google Access feature to allow VPC networks to privately connect to Google APIs and services that are external to the VPC. However, Private Google Access is an opt-in configuration that requires users to manually set up the required networking components, such as routes, firewall rules, and DNS configuration.

While the current documentation provides comprehensive instructions for enabling Private Google Access, it places the burden on customers to actively configure it. This friction can be avoided by making private access to Google services the default for GCP workloads.
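To make the opt-in components concrete, here is a minimal Terraform sketch of them. It is an added example, not Zencore's automation or code from the original article; the resource names, region, subnet CIDR and the `network_id` variable are assumptions, and it uses the `private.googleapis.com` range (199.36.153.8/30).

```hcl
variable "network_id" { type = string } # assumption: ID of an existing VPC network
resource "google_compute_subnetwork" "workloads" {
  name                     = "example-workloads" # hypothetical name
  region                   = "us-central1"       # assumed region
  network                  = var.network_id
  ip_cidr_range            = "10.10.0.0/24"      # assumed range
  private_ip_google_access = true                # the opt-in switch, set per subnet
}
# DNS: make *.googleapis.com resolve to the private.googleapis.com VIP inside the VPC.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks { network_url = var.network_id }
  }
}
resource "google_dns_record_set" "private_a" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "private.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
}
resource "google_dns_record_set" "wildcard_cname" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["private.googleapis.com."]
}
# Route: only needed when the VPC's default 0.0.0.0/0 route has been removed.
resource "google_compute_route" "private_google_access" {
  name             = "private-google-access"
  network          = var.network_id
  dest_range       = "199.36.153.8/30"
  next_hop_gateway = "default-internet-gateway"
}
# Firewall: only needed when egress is otherwise denied; scoped to the VIP on 443.
resource "google_compute_firewall" "allow_google_apis_egress" {
  name               = "allow-google-apis-egress"
  network            = var.network_id
  direction          = "EGRESS"
  destination_ranges = ["199.36.153.8/30"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

Scoping the route and egress rule to the /30 rather than to 0.0.0.0/0 lets a subnet reach Google APIs while general internet egress stays closed.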

The Benefits of Private Google Access by Default

  1. Access to Google APIs and services is essential for most workloads running on GCP. Enabling private connectivity by default would align with typical usage patterns.
  2. Users would no longer have to worry about manually enabling Private Google Access. The networking configuration would get handled automatically behind the scenes.
  3. Workloads would get access to the Google APIs necessary for GCP services right out of the box. No more stepping through prerequisites before resources can use Google APIs.
  4. From a security perspective, access to Google services over internal networking is preferred compared to external internet traffic. This would be provided by default with Private Google Access.
  5. For workloads that do require external internet access, outbound internet connectivity can co-exist with default private Google access. The two are not mutually exclusive.

Making Private Google Access the default would deliver a smoother, more seamless experience for the majority of GCP users. Of course, users that do not want default private connectivity would retain the ability to disable it.

But by shifting private access to an opt-out model rather than opt-in, Google can streamline the typical use case and remove unnecessary configuration steps. This change would enhance the agility and simplicity that make GCP appealing for customers.

At Zencore, we have developed automation using Terraform to handle the network configuration for Private Google Access. This removes the configuration burden for our customers. However, many organizations exploring GCP on their own find the manual process confusing and cumbersome. For these newcomers to Google Cloud, making Private Google Access the default would provide a much more accessible onboarding experience.

Cloud Engineers at Zencore see firsthand how customers can struggle with the current complexity of opt-in private connectivity. Enabling it by default would allow a wider range of customers to evaluate GCP without getting blocked on prerequisite networking steps.
