
About accessing published services through endpoints

This document provides an overview of connecting to services in another VPC network by using Private Service Connect endpoints. You can connect to your own services, or those provided by other service producers, including by Google.

Clients connect to the endpoint by using internal IP addresses. Private Service Connect performs network address translation (NAT) to route the request to the service.

For more information about published services, see About published services.

Figure 1. A Private Service Connect endpoint based on a forwarding rule lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network.

Automatic DNS configuration

When you create an endpoint to connect to a service that has a DNS domain name configured, Private Service Connect and Service Directory automatically create DNS entries for the endpoint in your VPC network.

For more information, see DNS configuration for services.

Logging

  • You can enable VPC Flow Logs on subnets containing VMs that are accessing services in another VPC network using Private Service Connect endpoints. The logs show flows between the VMs and the Private Service Connect endpoint.

  • You can view changes in connection status for Private Service Connect endpoints using audit logs. Changes in connection status for the endpoint are captured in system event metadata for the resource type GCE forwarding rule. You can filter for pscConnectionStatus to view these entries.

    For example, when a service producer allows connections from your project, the connection status of the endpoint changes from PENDING to ACCEPTED, and this change is reflected in the audit logs.
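The connection-status audit entries described above are the signal a consumer would watch to catch an endpoint silently losing its accepted connection. The following Python script is an added example, not part of this page or of any Google tool: it reads audit log entries exported as one JSON object per line, keeps only system-event entries for GCE forwarding rules that carry pscConnectionStatus, orders them per endpoint and reports real status changes. The sample entries are constructed, the project and endpoint names are placeholders, and the exact field path protoPayload.metadata.pscConnectionStatus and the REJECTED value are assumptions to confirm against a real entry from your project (the page itself only names PENDING and ACCEPTED).

```python
"""Detect Private Service Connect endpoint connection-status changes in
Cloud Audit Log system-event entries (one JSON object per line).

Sample entries are constructed; the field path
protoPayload.metadata.pscConnectionStatus is an assumption to verify
against a real entry from your project.
"""
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PROJECT = "example-consumer"  # constructed project id
SYSTEM_EVENT_LOG = f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fsystem_event"


def _constructed_entry(ts: str, endpoint: str, status: str) -> str:
    """Build one constructed system-event audit log line for a PSC endpoint."""
    return json.dumps({
        "logName": SYSTEM_EVENT_LOG,
        "timestamp": ts,
        "resource": {"type": "gce_forwarding_rule",
                     "labels": {"project_id": PROJECT, "region": "us-central1"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "resourceName": f"projects/{PROJECT}/regions/us-central1/forwardingRules/{endpoint}",
            "metadata": {"pscConnectionStatus": status},  # assumed field path
        },
    })


ENDPOINT_A = f"projects/{PROJECT}/regions/us-central1/forwardingRules/psc-endpoint-a"
ENDPOINT_B = f"projects/{PROJECT}/regions/us-central1/forwardingRules/psc-endpoint-b"

# Constructed sample: endpoint-b's entries arrive out of order, endpoint-a has a
# repeated status that is not a change, and an unrelated gce_instance entry
# must be ignored.
SAMPLE_LOG_LINES = [
    _constructed_entry("2024-01-01T10:00:00Z", "psc-endpoint-a", "PENDING"),
    _constructed_entry("2024-01-01T10:01:00Z", "psc-endpoint-a", "PENDING"),
    _constructed_entry("2024-01-01T11:00:00Z", "psc-endpoint-b", "REJECTED"),  # assumed value
    json.dumps({"logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity",
                "timestamp": "2024-01-01T10:02:30Z",
                "resource": {"type": "gce_instance"},
                "protoPayload": {"methodName": "v1.compute.instances.insert"}}),
    _constructed_entry("2024-01-01T10:05:00Z", "psc-endpoint-a", "ACCEPTED"),
    _constructed_entry("2024-01-01T10:03:00Z", "psc-endpoint-b", "ACCEPTED"),
    _constructed_entry("2024-01-01T10:02:00Z", "psc-endpoint-b", "PENDING"),
]


def parse_status_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, forwarding-rule resource name, status) when the line is
    a system-event entry for a GCE forwarding rule carrying pscConnectionStatus."""
    entry = json.loads(line)
    if entry.get("resource", {}).get("type") != "gce_forwarding_rule":
        return None
    if not entry.get("logName", "").endswith("system_event"):
        return None
    payload = entry.get("protoPayload", {})
    status = payload.get("metadata", {}).get("pscConnectionStatus")
    if not status:
        return None
    return entry["timestamp"], payload.get("resourceName", "unknown"), status


def connection_transitions(lines) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group events per endpoint, order them by time and keep only real status
    changes as (timestamp, old_status, new_status)."""
    by_endpoint: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_status_event(line)
        if parsed:
            ts, name, status = parsed
            by_endpoint[name].append((ts, status))
    transitions: Dict[str, List[Tuple[str, str, str]]] = {}
    for name, events in by_endpoint.items():
        events.sort()  # same-format RFC 3339 UTC timestamps sort lexically
        changes, previous = [], None
        for ts, status in events:
            if previous is not None and status != previous:
                changes.append((ts, previous, status))
            previous = status
        transitions[name] = changes
    return transitions


def lost_acceptance(transitions) -> List[Tuple[str, str, str]]:
    """Transitions away from ACCEPTED: the endpoint no longer has an accepted
    connection, which is the change a consumer most wants to be alerted on."""
    return [(name, ts, new) for name, changes in transitions.items()
            for ts, old, new in changes if old == "ACCEPTED"]


def logging_filter(project: str) -> str:
    """Logs Explorer filter selecting the same entries (field path assumed as above)."""
    return (f'resource.type="gce_forwarding_rule" AND '
            f'logName="projects/{project}/logs/cloudaudit.googleapis.com%2Fsystem_event" AND '
            f'protoPayload.metadata.pscConnectionStatus:*')


if __name__ == "__main__":
    for name, changes in connection_transitions(SAMPLE_LOG_LINES).items():
        for ts, old, new in changes:
            print(f"{ts} {name}: {old} -> {new}")
```

Run against a log export (for example a sink to Cloud Storage read line by line) the same functions work unchanged; `logging_filter` gives the query to paste into Logs Explorer to confirm the field path before relying on the script, and `lost_acceptance` is the list to route to an alert.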

VPC Service Controls

VPC Service Controls and Private Service Connect are compatible with each other. If the VPC network where the Private Service Connect endpoint is deployed is in a VPC Service Controls perimeter, the Private Service Connect endpoint is part of the same perimeter. Any VPC Service Controls-supported services that are accessed through the Private Service Connect endpoint are subject to the policies of that VPC Service Controls perimeter.

When you create a Private Service Connect endpoint, control-plane API calls are made between the consumer and producer projects to establish a Private Service Connect connection. Establishing a Private Service Connect connection between consumer and producer projects that are not in the same VPC Service Controls perimeter does not require explicit authorization with egress policies. Communication to VPC Service Controls-supported services through the Private Service Connect endpoint is protected by the VPC Service Controls perimeter.

Pricing

Pricing for Private Service Connect is described in the VPC pricing page.

Quotas

The number of Private Service Connect endpoints that you can create for accessing published services is controlled by the PSC Internal LB Forwarding Rules quota. For more information, see quotas.

Organization policy constraints

An Organization Policy Administrator can use the constraints/compute.disablePrivateServiceConnectCreationForConsumers constraint to define the set of Private Service Connect endpoint types for which users cannot create forwarding rules. The constraint applies to new configurations and doesn't affect existing connections.

On-premises access

Private Service Connect endpoints that you use to access Google APIs can be accessed from supported connected on-premises hosts. For more information, see Access endpoints from hybrid networks.

Limitations

  • You can't create a Private Service Connect endpoint in the same VPC network as the published service that you are accessing.

  • Private Service Connect endpoints are not accessible from peered VPC networks.

  • Packet Mirroring can't mirror packets for Private Service Connect published services traffic.

What's next