0

Using a Partner Interconnect, I'm trying to get restricted.googleapis.com access to work and am having some issues.

The BGP session needs to advertise 199.36.153.4/30 for that to work. Does it also need to advertise all the VPC networks? Just the region the cloud router is in? None of them?

1 Answer

0

GCP allows you to advertise the 199.36.153.4/30 network on the Cloud Router, and it will apply to all the BGP sessions it has, or you can do it for specific ones. It depends on your needs. You only need to advertise this network so that it is known to the on-prem devices which need to know that network.

Consider that you need to define a static route for this same network for your VPC whose next hop is the default internet gateway in order to have that traffic forwarded to the correct destination. For your VMs you need to set firewall rules to allow egress/ingress traffic for this network.

If you need to refer to restricted.googleapis.com from the on-prem network, you can define A/CNAME records in your on-prem DNS system as needed.

You can read more about these topics here and here.

Jesus Huesca
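The steps from the answer above as gcloud commands, as an added example that is not part of the original answer. The router, region, network and rule names are placeholders, and TCP 443 for the egress rule is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answer. Resource names are placeholders.
RESTRICTED_VIP="199.36.153.4/30"   # range named in the question and answer

# Dry run by default: print each command for review; set APPLY=1 to execute.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. Advertise the range on the Cloud Router (applies to all its BGP sessions).
#    In custom mode, subnet routes are advertised only if the all_subnets
#    group is kept, so pass "yes" when on-prem also needs the VPC subnets.
advertise_restricted_vip() {   # args: router region [yes|no]
  if [ "${3:-no}" = "yes" ]; then
    run gcloud compute routers update "$1" --region="$2" \
      --advertisement-mode=custom --set-advertisement-groups=all_subnets \
      --set-advertisement-ranges="$RESTRICTED_VIP"
  else
    run gcloud compute routers update "$1" --region="$2" \
      --advertisement-mode=custom --set-advertisement-ranges="$RESTRICTED_VIP"
  fi
}

# 2. Static route in the VPC with the default internet gateway as next hop.
route_restricted_vip() {   # args: network
  run gcloud compute routes create restricted-apis-route --network="$1" \
    --destination-range="$RESTRICTED_VIP" \
    --next-hop-gateway=default-internet-gateway
}

# 3. Egress firewall rule for the VMs (assumption: HTTPS on TCP 443 only).
allow_restricted_vip_egress() {   # args: network
  run gcloud compute firewall-rules create allow-restricted-apis-egress \
    --network="$1" --direction=EGRESS --action=ALLOW --rules=tcp:443 \
    --destination-ranges="$RESTRICTED_VIP"
}

# 4. After adding the on-prem DNS records, check the address a client
#    resolves: succeeds only for 199.36.153.4 to 199.36.153.7 (the /30).
in_restricted_vip() {   # args: ipv4 address
  case "$1" in
    199.36.153.[4-7]) return 0 ;;
    *) return 1 ;;
  esac
}
```

Source the file and call the functions; with APPLY unset each one prints the command it would run.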