About accessing published services through endpoints
This document provides an overview of connecting to services in another VPC network by using Private Service Connect endpoints. You can connect to your own services, or those provided by other service producers, including by Google.
Clients connect to the endpoint by using internal IP addresses. Private Service Connect performs network address translation (NAT) to route the request to the service.
For more information about published services, see About published services.
Figure 1. A Private Service Connect endpoint lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The endpoint and the service must be in the same region; by default the consumer must be in that region as well (see Global access).
Features and compatibility
This table summarizes the supported configuration options and capabilities of both the endpoint and the published service that the endpoint is accessing.
To create an endpoint, see Access published services through endpoints.
To publish a service, see Publish services.
| Configuration | Published service using internal passthrough Network Load Balancer | Published service using regional internal Application Load Balancer | Published service using regional internal proxy Network Load Balancer | Published service using internal protocol forwarding (target instance) |
|---|---|---|---|---|
| Consumer configuration (endpoint) | | | | |
| Consumer global access | Independent of global access setting on load balancer | Only if global access is enabled on the load balancer | Only if global access is enabled on the load balancer | |
| Interconnect traffic (for Dataplane v2 only) | | | | |
| Cloud VPN traffic | | | | |
| Automatic DNS configuration | | | | |
| IP stack | IPv4 | IPv4 | IPv4 | IPv4 |
| Producer configuration (published service) | | | | |
| Supported producer backends | | | | Not applicable |
| PROXY protocol | TCP traffic only | | | |
| Session affinity modes | NONE (5-tuple), CLIENT_IP_PORT_PROTO | Not applicable | Not applicable | Not applicable |

Cells that showed only a supported or unsupported icon, or a list of backend types, in the original rendering are blank in this text version; check the linked pages for the exact values.
Limitations
Endpoints that access a published service have the following limitations:
- You can't create an endpoint in the same VPC network as the published service that you are accessing.
- Endpoints are not accessible from peered VPC networks.
- Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
- Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, see Static routes with load balancer next hops.
On-premises access
Endpoints that you use to access published services can be accessed from supported on-premises hosts that are connected through Cloud VPN or Cloud Interconnect (see the Features and compatibility table for which load balancer types support each). For more information, see Access endpoints from hybrid networks.
Specifications
- Private Service Connect endpoints must be created in the same region as the published service that is the target of the endpoint.
- The endpoint must be created in a different VPC network from the VPC network that contains the target service.
- The IP address that you assign to the endpoint must be from a regular subnet.
- By default, the endpoint can be accessed only by clients that are in the same region and the same VPC network as the endpoint. For information about making endpoints available in other regions, see Global access.
- When you create an endpoint to connect to a service, if the service has a DNS domain name configured, private DNS entries are automatically created in your VPC network for the endpoint.
- Each endpoint has its own unique IP address and optionally its own unique DNS name.
Global access
Private Service Connect endpoints that are used to access services are regional resources. However, you can make an endpoint available in other regions by configuring global access.
Global access lets resources in any region send traffic to Private Service Connect endpoints. You can use global access to provide high availability across services that are hosted in multiple regions, or to allow clients to access a service that is not in the same region as the client.
The following diagram illustrates clients in different regions accessing the same endpoint. The endpoint is in us-west1 and has global access configured. The VM in us-west1 can send traffic to the endpoint, and the traffic stays within the same region. The VM in us-east1 and the VM in the on-premises network can also connect to the endpoint in us-west1, even though they are in different regions. The dotted lines represent the inter-regional traffic path.
Figure 2. A Private Service Connect endpoint with global access lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The client can be in the same region as the endpoint or in a different region.
Global access specifications
- You can turn global access on or off at any time for an endpoint.
- Turning on global access does not cause traffic disruption for existing connections.
- Turning off global access terminates any connections from regions other than the region where the endpoint is located.
Endpoints with global access can be created in a Shared VPC host project or service project. The client VM, Cloud VPN tunnel, or VLAN attachment for Cloud Interconnect does not need to be in the same project as the endpoint.
Not all Private Service Connect services support endpoints with global access. Check with your service producer to verify if their service supports global access. For more information, see Supported configurations.
Global access does not provide a single global IP address or DNS name for multiple global access endpoints.
VPC Service Controls
VPC Service Controls and Private Service Connect are compatible with each other. If the VPC network where the Private Service Connect endpoint is deployed is in a VPC Service Controls perimeter, the endpoint is part of the same perimeter. Any VPC Service Controls-supported services that are accessed through the endpoint are subject to the policies of that VPC Service Controls perimeter.
When you create an endpoint, control-plane API calls are made between the consumer and producer projects to establish a Private Service Connect connection. Establishing a Private Service Connect connection between consumer and producer projects that are not in the same VPC Service Controls perimeter does not require explicit authorization with egress policies. Communication to VPC Service Controls-supported services through the endpoint is protected by the VPC Service Controls perimeter.
Static routes with load balancer next hops
Static routes can be configured to use the forwarding rule of an internal passthrough Network Load Balancer as the next hop (`--next-hop-ilb`). Not all routes of this type are supported with Private Service Connect.
Static routes that use `--next-hop-ilb` to specify the name of an internal passthrough Network Load Balancer forwarding rule can be used to send and receive traffic to a Private Service Connect endpoint when the route and the endpoint are in the same VPC network and region.
The following routing configurations are not supported with Private Service Connect:
- Static routes that use `--next-hop-ilb` to specify the IP address of an internal passthrough Network Load Balancer forwarding rule.
- Static routes that use `--next-hop-ilb` to specify the name or IP address of a Private Service Connect endpoint forwarding rule.
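The three rules above are easy to get wrong in infrastructure-as-code, so the following added example (not code from the Google Cloud documentation) checks a set of planned static routes against them before anything is applied: the next hop must be the name of an internal passthrough Network Load Balancer forwarding rule rather than an IP address, that forwarding rule must not itself be a Private Service Connect endpoint, and the route and endpoint must share a VPC network and region. The `ForwardingRule` and `StaticRoute` dataclasses, the inventory, and the treatment of `--next-hop-ilb-region` as the route's region are assumptions made for the example, not the Compute Engine API resource format.

```python
"""Pre-deployment check for static routes with --next-hop-ilb in a VPC that
hosts a Private Service Connect (PSC) endpoint.

Added example, not code from the Google Cloud documentation. The dataclasses
are a simplified, assumed shape rather than the Compute Engine API resource
format, and --next-hop-ilb-region is taken to be the route's region.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardingRule:
    name: str
    network: str
    region: str
    # True when the rule's target is a service attachment, i.e. the rule is a
    # PSC endpoint rather than an internal passthrough NLB frontend.
    is_psc_endpoint: bool


@dataclass(frozen=True)
class StaticRoute:
    name: str
    network: str
    next_hop_ilb: str         # value of --next-hop-ilb (name or IP address)
    next_hop_ilb_region: str  # value of --next-hop-ilb-region


def looks_like_ip(value: str) -> bool:
    """True for any IPv4/IPv6 literal, which --next-hop-ilb also accepts."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def check_route(route: StaticRoute, rules: dict, endpoint: ForwardingRule):
    """Return (supported, reason) for one route against one PSC endpoint."""
    if looks_like_ip(route.next_hop_ilb):
        return False, "next hop specified by IP address; use the forwarding rule name"
    rule = rules.get(route.next_hop_ilb)
    if rule is None:
        return False, f"forwarding rule {route.next_hop_ilb!r} not found"
    if rule.is_psc_endpoint:
        return False, "next hop is a PSC endpoint forwarding rule"
    if route.network != endpoint.network:
        return False, "route and PSC endpoint are in different VPC networks"
    if route.next_hop_ilb_region != endpoint.region:
        return False, "route and PSC endpoint are in different regions"
    return True, "supported"


def lint_routes(routes, rules, endpoint) -> dict:
    """Map each route name to its (supported, reason) verdict."""
    return {r.name: check_route(r, rules, endpoint) for r in routes}


# Constructed inventory for the demonstration (not real resources).
RULES = {
    "ilb-fr-west": ForwardingRule("ilb-fr-west", "consumer-vpc", "us-west1", False),
    "ilb-fr-east": ForwardingRule("ilb-fr-east", "consumer-vpc", "us-east1", False),
    "psc-ep-west": ForwardingRule("psc-ep-west", "consumer-vpc", "us-west1", True),
}
ENDPOINT = RULES["psc-ep-west"]
ROUTES = [
    StaticRoute("ok-by-name", "consumer-vpc", "ilb-fr-west", "us-west1"),
    StaticRoute("bad-by-ip", "consumer-vpc", "10.10.0.5", "us-west1"),
    StaticRoute("bad-psc-hop", "consumer-vpc", "psc-ep-west", "us-west1"),
    StaticRoute("bad-region", "consumer-vpc", "ilb-fr-east", "us-east1"),
]

if __name__ == "__main__":
    for name, (ok, why) in lint_routes(ROUTES, RULES, ENDPOINT).items():
        print(f"{name:12s} {'OK' if ok else 'NO'}  {why}")
```

Only `ok-by-name` passes; the other three reproduce the unsupported configurations listed above. Feeding the check real inventory means exporting forwarding rules and routes from the project and mapping them onto the two dataclasses.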
Logging
You can enable VPC Flow Logs on subnets containing VMs that are accessing services in another VPC network using endpoints. The logs show flows between the VMs and the endpoint.
You can view changes in connection status for endpoints using audit logs. Changes in connection status for the endpoint are captured in system event metadata for the resource type GCE forwarding rule. You can filter for `pscConnectionStatus` to view these entries. For example, when a service producer allows connections from your project, the connection status of the endpoint changes from `PENDING` to `ACCEPTED`, and this change is reflected in the audit logs.
- To view audit logs, see View logs.
- To set alerts based on audit logs, see Managing log-based alerts.
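A consumer cares less about the expected PENDING to ACCEPTED change than about an endpoint leaving ACCEPTED, which means the producer has closed or rejected the connection. The following added example (not code from the Google Cloud documentation) reconstructs per-endpoint status transitions from audit-log entries and picks out the ones worth an alert. The log entries are constructed; the JSON path of `pscConnectionStatus` inside a system-event entry is an assumption, so the code searches the whole entry for that key; and the status values beyond `PENDING` and `ACCEPTED` (`REJECTED`, `CLOSED`, `NEEDS_ATTENTION`) are assumed from the forwarding-rule API, not taken from this page.

```python
"""Surface Private Service Connect endpoint connection-status changes from
Cloud Audit Logs and pick out the ones worth alerting on.

Added example, not code from the Google Cloud documentation. The entries are
constructed; the JSON path of pscConnectionStatus is an assumption, so the
code walks each entry for the key; REJECTED, CLOSED and NEEDS_ATTENTION are
assumed status values not shown on the page.
"""

# Starting-point Logging query: restrict to forwarding-rule events and use a
# bare quoted string, which the Logging query language matches in all fields.
LOG_FILTER = 'resource.type="gce_forwarding_rule" AND "pscConnectionStatus"'

# Statuses a consumer usually wants to hear about (assumed API values).
ALERT_STATUSES = {"REJECTED", "CLOSED", "NEEDS_ATTENTION"}


def _entry(ts, rule_id, status=None, rtype="gce_forwarding_rule"):
    """Build a minimal, constructed audit-log-like entry."""
    e = {"timestamp": ts,
         "resource": {"type": rtype, "labels": {"forwarding_rule_id": rule_id}},
         "protoPayload": {"metadata": {}}}
    if status is not None:
        e["protoPayload"]["metadata"]["pscConnectionStatus"] = status
    return e


# Constructed sample, deliberately out of order, with two unrelated entries.
SAMPLE_ENTRIES = [
    _entry("2024-05-01T10:10:00Z", "ep-a", "ACCEPTED"),
    _entry("2024-05-01T10:00:00Z", "ep-a", "PENDING"),
    _entry("2024-05-01T10:12:00Z", "ep-a"),                                 # no status field
    _entry("2024-05-01T10:05:00Z", "ep-b", "PENDING"),
    _entry("2024-05-01T10:20:00Z", "ep-a", "CLOSED"),
    _entry("2024-05-01T10:15:00Z", "ep-b", "REJECTED"),
    _entry("2024-05-01T10:16:00Z", "vm-1", "ACCEPTED", rtype="gce_instance"),  # wrong resource type
]


def find_key(obj, key):
    """Depth-first search for key in nested dicts/lists; first hit or None."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        children = obj.values()
    elif isinstance(obj, list):
        children = obj
    else:
        return None
    for child in children:
        hit = find_key(child, key)
        if hit is not None:
            return hit
    return None


def status_events(entries):
    """(timestamp, forwarding_rule_id, status) for matching entries, time-ordered."""
    events = []
    for e in entries:
        resource = e.get("resource", {})
        if resource.get("type") != "gce_forwarding_rule":
            continue
        status = find_key(e, "pscConnectionStatus")
        if status is None:
            continue
        rule_id = resource.get("labels", {}).get("forwarding_rule_id", "unknown")
        events.append((e["timestamp"], rule_id, status))
    # RFC 3339 UTC timestamps in one fixed format sort correctly as strings.
    return sorted(events)


def transitions(entries):
    """Per-endpoint changes as (timestamp, rule_id, old, new); old is None at first sight."""
    last, out = {}, []
    for ts, rule_id, status in status_events(entries):
        old = last.get(rule_id)
        if old != status:
            out.append((ts, rule_id, old, status))
            last[rule_id] = status
    return out


def alerts(entries):
    """Transitions into an alert status, or away from ACCEPTED."""
    return [t for t in transitions(entries)
            if t[3] in ALERT_STATUSES or t[2] == "ACCEPTED"]


if __name__ == "__main__":
    for ts, rule_id, old, new in alerts(SAMPLE_ENTRIES):
        print(f"{ts} {rule_id}: {old} -> {new}")
```

On the sample, the expected PENDING to ACCEPTED change for `ep-a` is recorded but not alerted; `ep-b` being rejected and `ep-a` later being closed are. In production the same `transitions` logic can run over entries returned by the `LOG_FILTER` query, or be expressed as a log-based alert on the status values in `ALERT_STATUSES`.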
Pricing
Pricing for Private Service Connect is described in the VPC pricing page.
Quotas
The number of endpoints that you can create for accessing published services is controlled by the PSC Internal LB Forwarding Rules quota. For more information, see quotas.
Organization policy constraints
An Organization Policy Administrator can use the `constraints/compute.disablePrivateServiceConnectCreationForConsumers` constraint to define the set of endpoint types for which users cannot create forwarding rules.
For information about creating an organization policy that uses this constraint, see Block consumers from deploying endpoints by connection type.