Can't connect to Cloud Storage if Instance has no External IP

[Grant Trevor]

I'm sure there is an obvious answer to this but here goes.

When creating an Instance in Compute Engine that has no external ip I can't use gsutil to copy anything from a cloud storage bucket.

If I relaunch that instance with an external ip attached then I can use gsutil with no problem.

A simplified view of the setup is that I have two instances one being a bastion host with an external IP, the other only having an internal ip on the 

subnet that it is contained within.

My firewall settings only allow ssh access from the bastion to the other instance so I'm first connecting to the bastion via ssh and then using ssh -A 0.0.0.0 to 

connect to my other instance.

From that second instance I'm then executing gsutil cp gs://mybucket/......  which fails.

[Kamran (Google Cloud Support)]

Hello Grant,

What you've explained above is correct and an intended behavior. The VM instance that does not have an external IP address assigned to it can not reach directly to external services including other Cloud Platform services. That being said, please take a look at this article which demonstrates several methods for securing communications with Compute Engine instances with or without external IP addresses and the last part of the article which specifically talks about your scenario and provides configuration steps to set up a NAT gateway machine for such a situation.

I hope this answers your question.

Sincerely,

[Grant Trevor]

Thanks Kamran - exactly what I was after - appreciate the information.

[Piotr Tabor]

For some time there is a better method available. 

Private Google Access enables VMs on a subnetwork to reach Google APIs and services using an internal IP address rather than an external IP address.

See more here: https://cloud.google.com/vpc/docs/configure-private-google-access

Thanks,

Piotr