Configure private network access

To set up private network access so that traffic runs within a Google Cloud network, you must configure the project that owns the Virtual Private Cloud (VPC) network, the Service Directory project, and the Google Cloud service project that you are using. These three projects could be the same or separate.

Network project is the project of the VPC network.
Service Directory project is the project of the Service Directory service. This project may be a service project in the Shared VPC network of the network project.
Google Cloud service project is the project with the configuration that is invoking private network access. For example, a Google Cloud service configuration.

Permissions required for this task

To perform this task, you must have been granted the following permissions and IAM roles.

Permissions

servicedirectory.services.resolve
servicedirectory.networks.access
servicedirectory.networks.attach

Roles

servicedirectory.editor
servicedirectory.viewer
servicedirectory.pscAuthorizedService
servicedirectory.networkAttacher

Note: The listed roles are what you must grant to per-product per-project service accounts. You must have the roles/resourcemanager.projectIamAdmin to grant these roles.

Before you begin

This procedure assumes that you have completed the following steps.

Enable the APIs that you want to access through the APIs & services page in the Google Cloud console, including the Service Directory API.
VM instances in a VPC network must have a private IP address.
For on-premises hosts, you must have an existing Cloud VPN tunnel or a Cloud Interconnect connection to your VPC network.
You must have an existing Service Directory namespace and service. For instructions on how to create a Service Directory namespace and service, see Configure Service Directory.

Configure the network project

Follow these steps to configure the network project.

Create or use an existing VPC network. Both auto and custom mode VPC networks are supported. Legacy networks are not supported.
If the destination target is a Compute Engine VM, or an internal load balancer backend, you must allow ingress through the VPC network firewall for private network access. The targets must allow TCP ingress from 35.199.192.0/19 on the appropriate port (port 443 or 80).

Note: By default, VPC network firewall rules do not allow ingress connections to Compute Engine VMs.
Grant the Identity and Access Management (IAM) Service Directory network access to the Google Cloud service project. Note that the Google Cloud project must be in the VPC Service Controls perimeter of the Google Cloud service and Service Directory project for servicedirectory.googleapis.com.

Note: The Service Directory project and the VPC Service Controls project need not be connected. VPC Service Controls are enabled by default.

To learn more about VPC Service Controls, see Overview of VPC Service Controls.

Configure the Service Directory project

Follow these steps to configure the Service Directory project.

Create a virtual machine (VM) or an internal load balancer in the VPC network.
Create a Service Directory service pointing to the VM or internal load balancer that you created in the VPC network.
Grant the IAM Service Directory network access to the Google Cloud service account. For more information about roles and permissions, see Service Directory permissions and roles.

Create an endpoint with private network access

Make sure that you grant or have the following IAM roles:

Inside the Service Directory project, grant servicedirectory.editor to the IAM principal creating the Service Directory endpoint.

If the project containing the VPC network is different from the project containing the Service Directory resource, you must grant the following additional permission:

Inside the VPC network project, grant servicedirectory.networkAttacher to the IAM principal that is creating the Service Directory endpoint.

To create an endpoint with private network access configured, do the following.

Console

Go to the Service Directory namespaces page in the Google Cloud console.
Go to the Service Directory namespaces page
Click a namespace.
Click a service.
Click Add endpoint.
Provide an Endpoint name.
Enter an IPv4 IP address, such as 192.0.2.0.
Enter a Port number, such as 443 or 80.
To enable private network access, click Choose from the list to choose from a list of available networks under Associated VPC network.
You can also provide a specific project ID and the network name by choosing Specify by a project and network name.
Click Create.

gcloud

Run the gcloud beta service-directory endpoints create command with the project ID and the network path specified.

gcloud beta service-directory endpoints create ENDPOINT_NAME \
    --project=PROJECT_ID \
    --location=REGION \
    --namespace=NAMESPACE_NAME \
    --service=SERVICE_ID \
    --address=IP_ADDRESS \
    --port=PORT_NUMBER \
    --network=NETWORK_PATH

Replace the following:

ENDPOINT_NAME: a name for the endpoint that you're creating in your service, such as my-endpoint
PROJECT_ID: the ID of the project
REGION: the Google Cloud region containing the namespace
NAMESPACE_NAME: the name that you gave the namespace, such as my-namespace
SERVICE_ID: the ID of the service
IP_ADDRESS: the IP address of the endpoint, such as 192.0.2.0
PORT_NUMBER: the ports that the endpoints are running on, typically 443 or 80
NETWORK_PATH: the URL to the network, such as projects/PROJECT_NUMBER/locations/global/networks/NETWORK_NAME

Configure the Google Cloud service project

Make sure that you grant or have the following IAM roles:

Inside the Service Directory project, grant servicedirectory.pscAuthorizedService and servicedirectory.viewer to the IAM principal that is associated with the Google Cloud service project.

Enable the Google Cloud service API.
Configure your Google Cloud service using the Service Directory service that you created in the network project.
If you are using VPC Service Controls, make sure that the VPC Service Controls perimeter allows Service Directory to access the network project and the Service Directory project.

Use cases

This section provides example use cases to configure private network access.

Call an HTTP endpoint when a VPC network, VM, and Service Directory are in the same project

You can set up a Google Cloud product to call an HTTP endpoint on your VM. This traffic must not transit over the public internet.

In this set up, you have a project with a VPC network, a VM, a Service Directory service, and the Google Cloud service in the same project.

Allowing a project's Google service configuration to egress to a network project VM that resides in a Google Cloud service project's VPC network (click to enlarge)

To set up your Google Cloud product using private network access, follow these steps.

Set up your network and target network

Create a project, such as my-project.
Create a VPC network, such as VPC-1 (projects/project-number/locations/global/networks/my-network).
Grant proxy access to ingress to VPC-1 or to the subnet or VM.
Allow ingress from 35.199.192.0/19.
Create VM-1 in region us-central1 in VPC-1.
Set it up to run the service on port P.
If you prefer using HTTPS, make sure that you have installed a public key infrastructure (PKI) transport layer security (TLS) certificate.
Create a Service Directory service SD-1 in REGION-1.
Create an endpoint in SD-1 with address=the internal IP address of VM-1on port P and network projects/project-number/global/networks/my-network. For detailed instructions, see Creating an endpoint with private network access configured.
Grant the Google Cloud service account the following IAM roles:
- servicedirectory.viewer
- servicedirectory.pscAuthorizedService
Optionally, you can set up VM-2, and add Endpoint-2.

Note: VPC-1 and SD-1 must be in the same project. If using Shared VPC, the Service Directory project and the VPC network project must be the same.

Set up a Google Cloud product

Configure Google Cloud product configuration CONFIG-1, such as, "Cloud Scheduler, call me every minute".
Set up an HTTP request.
Specify that request should go over private networking, such as through SD-1.
Optional: Configure Certificate Authority Service settings.

Now, the Google Cloud product can invoke the HTTP request using SD-1.

Call an HTTP endpoint when a VPC network, VM, and Service Directory are in different projects

In this example configuration, you want to set up a Google Cloud service, such as Events, Tasks, or Pub/Sub, to call an HTTP endpoint on your VM. In this example, the Service Directory project, the network project, and the Google Cloud service projects are different. This traffic must not transit over the public internet. Optionally, this API invocation must respect the VPC Service Controls perimeter.

In this case, the Google Cloud service project's configuration enables egress to a Google Cloud service project VM, which resides in the network project's VPC network.

The Google Cloud service project might be different from the producer project. Both projects' VPC Service Controls perimeters are used.

Sending traffic using private network access with VPC Service Controls perimeters enforced (click to enlarge)

Create a network project

Note the following:

The Service Directory project and network project need not be connected, but they must be part of the same VPC Service Controls.
The firewall and IAM are disabled by default on the network and the service.

To create the network project, follow these steps.

Create a VPC network, such as VPC-1 (projects/project-number/locations/global/networks/my-network).
Enable the VPC network firewall.

Note: The target (VM, or internal load balancer) must allow TCP ingress from 35.199.192.0/19 on the appropriate port .
If using VPC Service Controls, the VPC Service Controls perimeter allows Service Directory to connect to the Google Cloud service project and the Service Directory project.
Note:
- The Google Cloud service project must be in VPC Service Controls perimeter of the Google Cloud service project and the Service Directory project for servicedirectory.googleapis.com.
- The Google Cloud service project must be in the VPC Service Controls perimeter of the Google Cloud service project and the network project for servicedirectory.googleapis.com.
- VPC Service Controls are enabled by default.

Configure the Service Directory project

Create a VM or internal load balancer in the VPC network.
Since the network project and the Service Directory project are different, you must have an additional IAM permission. From the network project, grant the servicedirectory.networkAttacher IAM permission to the IAM principal that is creating the Service Directory endpoint.
Create a Service Directory endpoint that points to the VM or internal load balancer in the VPC network.
Grant the servicedirectory.viewer and servicedirectory.pscAuthorizedService IAM permissions to the service account associated with the Google Cloud service project messaging service.
If using VPC Service Controls, the VPC Service Controls perimeter allows Service Directory to connect to the Google Cloud service project and the Service Directory project.

Configure the Google Cloud service project

Enable the API for the messaging service that you are using.
Configure the messaging service PUSH using the Service Directory service from the Service Directory project.
If using VPC Service Controls, the VPC Service Controls perimeter allows Service Directory to connect to the network project and the Service Directory project.

Use Service Directory private network access with Dialogflow

For instructions on how you can use Service Directory private network access with Dialogflow, see Using Service Directory for private network access.

What's next

Configure a Service Directory endpoint.
To get an overview of Service Directory, see the Service Directory overview.
To learn more about Private Service Connect, see Private Service Connect.
To find solutions for common issues that you might encounter when using Service Directory, see Troubleshooting.