Private Google Access for the PCA Exam

GCP Study Hub
Ben Makansi
February 7, 2026

Private Google Access is a small but high-yield topic on the Professional Cloud Architect exam. It shows up in scenario questions about hardening VMs, controlling egress, and accessing Google services like Cloud Storage and BigQuery from instances that have no external IP address.

What Private Google Access actually does

By default, a VM with only an internal IP address cannot reach Google APIs. Those APIs sit at public endpoints, and a VM with no external IP has no path to the public internet. Enabling Private Google Access on a subnet changes that. Any VM in that subnet, even one with only an internal IP, can connect to Google APIs and services without traversing the public internet.

The setting is configured at the subnet level, not the VPC level and not the instance level. You enable it on a specific subnet, and every VM in that subnet inherits the behavior.

Why this matters for security posture

The whole point is to keep sensitive workloads off the public internet while still letting them use managed Google services. A data processing VM that needs to read from Cloud Storage does not need a public IP and should not have one. With Private Google Access enabled on its subnet, the VM reaches Cloud Storage over Google's internal network. There is no NAT, no external IP, and no exposure to the public internet for that traffic.

The contrast that gets tested

The exam likes to set up two subnets side by side. One subnet has Private Google Access enabled. A VM there with only an internal IP can reach BigQuery or Cloud Storage directly. The other subnet does not have Private Google Access enabled. A VM in that subnet that needs to reach the same Google APIs must have an external IP and route its traffic over the public internet.

If a question asks how to let internal-IP-only VMs talk to Google APIs, the answer is to enable Private Google Access on the subnet. If a question asks why an internal-IP-only VM is failing to reach Cloud Storage, check whether the subnet has Private Google Access enabled.
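As an added example (not from the original post), a small audit that applies the check described above: given subnet and instance records in the shape returned by `gcloud compute networks subnets list --format=json` and `gcloud compute instances list --format=json`, it lists internal-IP-only VMs whose subnet has Private Google Access disabled. The records below are constructed sample data with a placeholder project name `demo`; the check ignores any Cloud NAT gateway that might give such VMs a separate path out.

```python
# Added example: audit internal-IP-only VMs against subnet Private Google Access.
# Input shape mirrors the Compute API resources that gcloud emits as JSON.
from typing import Dict, List

# Constructed sample data (not real resources); project "demo" is a placeholder.
_PREFIX = "https://www.googleapis.com/compute/v1/projects/demo/regions/us-central1"
SUBNETS = [
    {"name": "sub-pga", "selfLink": f"{_PREFIX}/subnetworks/sub-pga",
     "privateIpGoogleAccess": True},
    {"name": "sub-nopga", "selfLink": f"{_PREFIX}/subnetworks/sub-nopga",
     "privateIpGoogleAccess": False},
]
INSTANCES = [
    # Internal IP only, subnet has PGA: can reach Cloud Storage / BigQuery.
    {"name": "etl-internal", "networkInterfaces": [
        {"subnetwork": f"{_PREFIX}/subnetworks/sub-pga", "networkIP": "10.0.0.2"}]},
    # Internal IP only, subnet lacks PGA: Google API calls will fail.
    {"name": "batch-internal", "networkInterfaces": [
        {"subnetwork": f"{_PREFIX}/subnetworks/sub-nopga", "networkIP": "10.0.1.2"}]},
    # Has an external IP, so PGA is irrelevant for it (traffic goes public).
    {"name": "bastion", "networkInterfaces": [
        {"subnetwork": f"{_PREFIX}/subnetworks/sub-nopga", "networkIP": "10.0.1.3",
         "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
]


def subnet_pga_map(subnets: List[dict]) -> Dict[str, bool]:
    """Map each subnet selfLink to its privateIpGoogleAccess flag (per-subnet setting)."""
    return {s["selfLink"]: bool(s.get("privateIpGoogleAccess", False)) for s in subnets}


def has_external_ip(instance: dict) -> bool:
    """A NIC only has an external IP if an accessConfigs entry carries a natIP."""
    return any(ac.get("natIP")
               for nic in instance.get("networkInterfaces", [])
               for ac in nic.get("accessConfigs", []))


def find_blocked_vms(subnets: List[dict], instances: List[dict]) -> List[str]:
    """Names of VMs with no external IP sitting in a subnet without PGA."""
    pga = subnet_pga_map(subnets)
    blocked = [inst["name"] for inst in instances
               if not has_external_ip(inst)
               and any(not pga.get(nic["subnetwork"], False)
                       for nic in inst.get("networkInterfaces", []))]
    return sorted(blocked)


if __name__ == "__main__":
    for name in find_blocked_vms(SUBNETS, INSTANCES):
        print(f"{name}: internal-IP-only VM in a subnet without Private Google Access")
```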

What to memorize for the exam

Private Google Access is a per-subnet setting. It lets VMs without external IPs reach Google APIs and services. It does not give those VMs general internet access. For general egress to non-Google destinations from internal-IP-only VMs, you would use Cloud NAT instead. For traffic going the other direction into your VPC, this feature is not relevant. It is strictly about outbound access from your VMs to Google's APIs.

Knowing that distinction (Private Google Access for Google APIs, Cloud NAT for general internet egress) is the kind of detail the Professional Cloud Architect exam rewards.

My Professional Cloud Architect course covers Private Google Access alongside the rest of the networking material.
