About accessing published services through endpoints

This document provides an overview of connecting to services in another VPC network by using Private Service Connect endpoints. You can connect to your own services, or those provided by other service producers, including by Google.

Clients connect to the endpoint by using internal IP addresses. Private Service Connect performs network address translation (NAT) to route the request to the service.

For more information about published services, see About published services.

Figure 1. A Private Service Connect endpoint lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The consumer, endpoint, and service must all be in the same region. (click to enlarge).

Features and compatibility

This table summarizes the supported configuration options and capabilities of both the endpoint and the published service that the endpoint is accessing.

To create an endpoint, see Access published services through endpoints.

To publish a service, see Publish services.

Configuration	Published service using internal passthrough Network Load Balancer	Published service using regional internal Application Load Balancer	Published service using regional internal proxy Network Load Balancer	Published service using internal protocol forwarding (target instance)
Consumer configuration (endpoint)
Consumer global access	Independent of global access setting on load balancer	Only if global access is enabled on the load balancer	Only if global access is enabled on the load balancer
Interconnect traffic (for Dataplane v2 only)
Cloud VPN traffic
Automatic DNS configuration
IP stack	IPv4	IPv4	IPv4	IPv4
Producer configuration (published service)
Supported producer backends	GCE_VM_IP NEGs Instance groups	GCE_VM_IP_PORT NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups	GCE_VM_IP_PORT NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups	Not applicable
PROXY protocol	TCP traffic only
Session affinity modes	NONE (5-tuple) CLIENT_IP_PORT_PROTO	Not applicable	Not applicable	Not applicable

Limitations

Endpoints that access a published service have the following limitations:

You can't create an endpoint in the same VPC network as the published service that you are accessing.
Endpoints are not accessible from peered VPC networks.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, see Static routes with load balancer next hops.

On-premises access

Endpoints that you use to access Google APIs can be accessed from supported connected on-premises hosts. For more information, see Access endpoints from hybrid networks.

Specifications

Private Service Connect endpoints must be created in the same region as the published service that is the target of the endpoint.
The endpoint must be created in a different VPC network from the VPC network that contains the target service.
The IP address that you assign to the endpoint must be from a regular subnet.
By default, the endpoint can be accessed only by clients that are in the same region and the same VPC network as the endpoint. For information about making endpoints available in other regions, see Global access.
When you create an endpoint to connect to a service, if the service has a DNS domain name configured, private DNS entries are automatically created in your VPC network for the endpoint.
Each endpoint has its own unique IP address and optionally its own unique DNS name.

Global access

Private Service Connect endpoints that are used to access services are regional resources. However, you can make an endpoint available in other regions by configuring global access.

Global access lets resources in any region send traffic to Private Service Connect endpoints. You can use global access to provide high availability across services that are hosted in multiple regions, or to allow clients to access a service that is not in the same region as the client.

The following diagram illustrates clients in different regions accessing the same endpoint:

The endpoint is in us-west1 and has global access configured.
The VM in us-west1 can send traffic to the endpoint, and the traffic stays within the same region.
The VM in us-east1 and the VM from the on-premises network can also connect the endpoint in us-west1, even though they are in different regions. The dotted lines represent the inter-regional traffic path.

Figure 2. A Private Service Connect endpoint with global access lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The client can be in the same region or a different region as the endpoint (click to enlarge).

Global access specifications

You can turn global access on or off at any time for an endpoint.
- Turning on global access does not cause traffic disruption for existing connections.
- Turning off global access terminates any connections from regions other than the region where the endpoint is located.
Endpoints with global access can be created in a Shared VPC host project or service project. The client VM, Cloud VPN tunnel, or VLAN attachment for Cloud Interconnect does not need to be in the same project as the endpoint.
Not all Private Service Connect services support endpoints with global access. Check with your service producer to verify if their service supports global access. For more information, see Supported configurations.
Global access does not provide a single global IP address or DNS name for multiple global access endpoints.

VPC Service Controls

VPC Service Controls and Private Service Connect are compatible with each other. If the VPC network where the Private Service Connect endpoint is deployed is in a VPC Service Controls perimeter, the endpoint is part of the same perimeter. Any VPC Service Controls-supported services that are accessed through the endpoint are subject to the policies of that VPC Service Controls perimeter.

When you create an endpoint, control-plane API calls are made between the consumer and producer projects to establish a Private Service Connect connection. Establishing a Private Service Connect connection between consumer and producer projects that are not in the same VPC Service Controls perimeter does not require explicit authorization with egress policies. Communication to VPC Service Controls-supported services through the endpoint is protected by the VPC Service Controls perimeter.

Static routes with load balancer next hops

Static routes can be configured to use the forwarding rule of an internal passthrough Network Load Balancer as the next hop (--next-hop-ilb). Not all routes of this type are supported with Private Service Connect.

Static routes that use --next-hop-ilb to specify the name of an internal passthrough Network Load Balancer forwarding rule can be used to send and receive traffic to a Private Service Connect endpoint when the route and the endpoint are in the same VPC network and region.

The following routing configurations are not supported with Private Service Connect:

Static routes that use --next-hop-ilb to specify the IP address of an internal passthrough Network Load Balancer forwarding rule.
Static routes that use --next-hop-ilb to specify the name or IP address of a Private Service Connect endpoint forwarding rule.

Logging

You can enable VPC Flow Logs on subnets containing VMs that are accessing services in another VPC network using endpoints. The logs show flows between the VMs and the endpoint.
You can view changes in connection status for endpoints using audit logs. Changes in connection status for the endpoint are captured in system event metadata for the resource type GCE forwarding rule. You can filter for pscConnectionStatus to view these entries.

For example, when a service producer allows connections from your project, the connection status of the endpoint changes from PENDING to ACCEPTED, and this change is reflected in the audit logs.
- To view audit logs, see View logs.
- To set alerts based on audit logs, see Managing log-based alerts.

Pricing

Pricing for Private Service Connect is described in the VPC pricing page.

Quotas

The number of endpoints that you can create for accessing published services is controlled by the PSC Internal LB Forwarding Rules quota. For more information, see quotas.

Organization policy constraints

An Organization Policy Administrator can use the constraints/compute.disablePrivateServiceConnectCreationForConsumers constraint to define the set of endpoint types for which users cannot create forwarding rules.

For information about creating an organization policy that uses this constraint, see Block consumers from deploying endpoints by connection type.

What's next

Access published services by using endpoints