---
title: Google Compute subnetwork with Private Google Access disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Google Compute subnetwork with Private Google
  Access disabled
---

# Google Compute subnetwork with Private Google Access disabled

## Metadata{% #metadata %}

**Id:** `ansible-gcp-google-compute-subnetwork-with-private-google-access-disabled`

**Provider:** GCP

**Platform:** Ansible

**Severity:** Low

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access)

### Description{% #description %}

Subnetworks must have Private Google Access enabled so VM instances with only internal IPs can reach Google APIs and services over Google's internal network. Without Private Google Access, operators may assign external IPs or route traffic over the public internet, increasing attack surface and the risk of data exposure or network-based attacks.

For Ansible resources using the `google.cloud.gcp_compute_subnetwork` or `gcp_compute_subnetwork` modules, the `private_ip_google_access` property must be defined and set to `yes`. Tasks missing this property or with `private_ip_google_access` not equal to `yes` are flagged.

Secure Ansible example:

```yaml
- name: Create subnetwork with Private Google Access enabled
  google.cloud.gcp_compute_subnetwork:
    name: my-subnet
    region: us-central1
    ip_cidr_range: 10.0.0.0/24
    network: my-vpc
    private_ip_google_access: yes
```
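As an added example (not part of the Datadog rule or the Ansible collection), the following Python checker applies the rule above to a list of playbook tasks shaped as PyYAML would load them: it recognises both module names, descends into `block`/`rescue`/`always` sections, and accepts the string spellings Ansible's `bool` argument type treats as true (`"yes"`, `"true"`, `"on"`, ...) alongside a YAML boolean. The task list at the bottom is constructed for the example.

```python
SUBNET_MODULES = {"google.cloud.gcp_compute_subnetwork", "gcp_compute_subnetwork"}
# Strings that Ansible's `bool` argument type accepts as true (case-insensitive).
TRUE_STRINGS = {"yes", "true", "on", "y", "t", "1"}

def is_true(value):
    """Mirror Ansible's boolean coercion for a module argument."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in TRUE_STRINGS
    return False

def subnet_args(task):
    """Return the argument dict of a subnetwork module call, or None if the task uses another module."""
    for module in SUBNET_MODULES:
        if module in task:
            args = task[module]
            return args if isinstance(args, dict) else {}  # bare/free-form call: no args
    return None

def iter_tasks(tasks):
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        sections = [s for s in ("block", "rescue", "always") if s in task]
        if not sections:
            yield task
        for section in sections:
            yield from iter_tasks(task[section])

def check_tasks(tasks):
    """Return the names of tasks that create a subnetwork without Private Google Access."""
    findings = []
    for task in iter_tasks(tasks):
        args = subnet_args(task)
        if args is not None and not is_true(args.get("private_ip_google_access")):
            findings.append(task.get("name", "<unnamed task>"))
    return findings

# Constructed sample: the page's compliant and non-compliant tasks, plus a task
# nested in a block with a quoted string value, shaped as PyYAML would load them.
SAMPLE_TASKS = [
    {"name": "create a subnetwork3", "google.cloud.gcp_compute_subnetwork":
        {"name": "ansiblenet", "private_ip_google_access": True, "state": "present"}},
    {"name": "create a subnetwork", "google.cloud.gcp_compute_subnetwork":
        {"name": "ansiblenet", "state": "present"}},
    {"name": "create a subnetwork2", "google.cloud.gcp_compute_subnetwork":
        {"name": "ansiblenet", "private_ip_google_access": False}},
    {"block": [{"name": "quoted yes", "gcp_compute_subnetwork":
        {"name": "ansiblenet", "private_ip_google_access": "yes"}}]},
]
```

Running `check_tasks(SAMPLE_TASKS)` returns the two non-compliant task names from this page and nothing else.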

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a subnetwork3
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    private_ip_google_access: yes
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: create a subnetwork
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```

```yaml
- name: create a subnetwork2
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    private_ip_google_access: no
    state: present
```
