About accessing published services through endpoints

This document provides an overview of connecting to services in another VPC network by using Private Service Connect endpoints. You can connect to your own services, or those provided by other service producers, including by Google.

Clients connect to the endpoint by using internal IP addresses. Private Service Connect performs network address translation (NAT) to route the request to the service.

For more information about published services, see About published services.

Figure 1. A Private Service Connect endpoint lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The consumer, endpoint, and service must all be in the same region. (click to enlarge).

Features and compatibility

This table summarizes the supported configuration options and capabilities of endpoints that access published services.

In the following tables, a checkmark indicates that a feature is supported, and a no symbol indicates that a feature isn't supported.

Consumer configuration (endpoint) Producer load balancer
Internal passthrough Network Load Balancer Regional internal Application Load Balancer Regional internal proxy Network Load Balancer Internal protocol forwarding (target instance)
Consumer global access

Independent of global access setting on load balancer

Only if global access is enabled on the load balancer

Only if global access is enabled on the load balancer

Independent of global access setting on load balancer

Interconnect traffic

Cloud VPN traffic
Automatic DNS configuration
IP stack IPv4 IPv4 IPv4 IPv4

This table summarizes the supported configuration options and capabilities of published services that are accessed by endpoints.

Producer configuration (published service) Producer load balancer
Internal passthrough Network Load Balancer Regional internal Application Load Balancer Regional internal proxy Network Load Balancer Internal protocol forwarding (target instance)
Supported producer backends
  • GCE_VM_IP NEGs
  • Instance groups
  • GCE_VM_IP_PORT NEGs
  • Hybrid NEGs
  • Serverless NEGs
  • Private Service Connect NEGs
  • Instance groups
  • GCE_VM_IP_PORT NEGs
  • Hybrid NEGs
  • Serverless NEGs
  • Private Service Connect NEGs
  • Instance groups
Not applicable
PROXY protocol TCP traffic only TCP traffic only
Session affinity modes NONE (5-tuple)
CLIENT_IP_PORT_PROTO
Not applicable Not applicable Not applicable

Different load balancers support different port configurations; some load balancers support a single port, some support a range of ports, and some support all ports. For more information, see Port specifications.

Limitations

Endpoints that access a published service have the following limitations:

  • You can't create an endpoint in the same VPC network as the published service that you are accessing.

  • Endpoints are not accessible from peered VPC networks.

  • Packet Mirroring can't mirror packets for Private Service Connect published services traffic.

  • Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, see Static routes with load balancer next hops.

On-premises access

Endpoints that you use to access Google APIs can be accessed from supported connected on-premises hosts. For more information, see Access endpoints from hybrid networks.

Specifications

  • Private Service Connect endpoints must be created in the same region as the published service that is the target of the endpoint.
  • The endpoint must be created in a different VPC network from the VPC network that contains the target service.
  • The IP address that you assign to the endpoint must be from a regular subnet.
  • By default, the endpoint can be accessed only by clients that are in the same region and the same VPC network as the endpoint. For information about making endpoints available in other regions, see Global access.
  • When you create an endpoint to connect to a service, if the service has a DNS domain name configured, private DNS entries are automatically created in your VPC network for the endpoint.
  • Each endpoint has its own unique IP address and optionally its own unique DNS name.

Connection statuses

Private Service Connect endpoints, backends, and service attachments have a connection status that describes the state of their connection. The consumer and producer resources that form the two sides of a connection always have the same status. You can view connection statuses when you view endpoint details, describe a backend, or view details for a published service.

The following table describes the possible statuses.

Connection status Description
Accepted The Private Service Connect connection is established. The two VPC networks have connectivity, and the connection is functioning normally.
Pending

The Private Service Connect connection is not established, and network traffic can't travel between the two networks. A connection might have this status for the following reasons:

  • The service attachment requires explicit approval, and the consumer is not in the consumer accept list.
  • The number of connections exceeds the service attachment's connection limit.

Connections that are blocked for these reasons remain in the pending state indefinitely until the underlying issue is resolved.

Rejected

The Private Service Connect connection is not established. Network traffic can't travel between the two networks. A connection might have this status for the following reasons:

Needs attention There is an issue on the producer side of the connection. Some traffic might be able to flow between the two networks, but some connections might not be functional. For example, the producer's NAT subnet might be exhausted and unable to allocate IP addresses for new connections.
Closed

The service attachment was deleted, and the Private Service Connect connection is closed. Network traffic can't travel between the two networks.

A closed connection is a terminal state. To restore the connection, you must recreate both the service attachment and the endpoint or backend.

Global access

Private Service Connect endpoints that are used to access services are regional resources. However, you can make an endpoint available in other regions by configuring global access.

Global access lets resources in any region send traffic to Private Service Connect endpoints. You can use global access to provide high availability across services that are hosted in multiple regions, or to allow clients to access a service that is not in the same region as the client.

The following diagram illustrates clients in different regions accessing the same endpoint:

  • The endpoint is in us-west1 and has global access configured.

  • The VM in us-west1 can send traffic to the endpoint, and the traffic stays within the same region.

  • The VM in us-east1 and the VM from the on-premises network can also connect the endpoint in us-west1, even though they are in different regions. The dotted lines represent the inter-regional traffic path.

    Figure 2. A Private Service Connect endpoint with global access lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The client can be in the same region or a different region as the endpoint (click to enlarge).

Global access specifications

  • You can turn global access on or off at any time for an endpoint.
    • Turning on global access does not cause traffic disruption for existing connections.
    • Turning off global access terminates any connections from regions other than the region where the endpoint is located.
  • Endpoints with global access can be created in a Shared VPC host project or service project. The client VM, Cloud VPN tunnel, or VLAN attachment for Cloud Interconnect does not need to be in the same project as the endpoint.

  • Not all Private Service Connect services support endpoints with global access. Check with your service producer to verify if their service supports global access. For more information, see Supported configurations.

  • Global access does not provide a single global IP address or DNS name for multiple global access endpoints.

VPC Service Controls

VPC Service Controls and Private Service Connect are compatible with each other. If the VPC network where the Private Service Connect endpoint is deployed is in a VPC Service Controls perimeter, the endpoint is part of the same perimeter. Any VPC Service Controls-supported services that are accessed through the endpoint are subject to the policies of that VPC Service Controls perimeter.

When you create an endpoint, control-plane API calls are made between the consumer and producer projects to establish a Private Service Connect connection. Establishing a Private Service Connect connection between consumer and producer projects that are not in the same VPC Service Controls perimeter does not require explicit authorization with egress policies. Communication to VPC Service Controls-supported services through the endpoint is protected by the VPC Service Controls perimeter.

Static routes with load balancer next hops

Static routes can be configured to use the forwarding rule of an internal passthrough Network Load Balancer as the next hop (--next-hop-ilb). Not all routes of this type are supported with Private Service Connect.

Static routes that use --next-hop-ilb to specify the name of an internal passthrough Network Load Balancer forwarding rule can be used to send and receive traffic to a Private Service Connect endpoint when the route and the endpoint are in the same VPC network and region.

The following routing configurations are not supported with Private Service Connect:

  • Static routes that use --next-hop-ilb to specify the IP address of an internal passthrough Network Load Balancer forwarding rule.
  • Static routes that use --next-hop-ilb to specify the name or IP address of a Private Service Connect endpoint forwarding rule.

Logging

  • You can enable VPC Flow Logs on subnets containing VMs that are accessing services in another VPC network using endpoints. The logs show flows between the VMs and the endpoint.

  • You can view changes in connection status for endpoints using audit logs. Changes in connection status for the endpoint are captured in system event metadata for the resource type GCE forwarding rule. You can filter for pscConnectionStatus to view these entries.

    For example, when a service producer allows connections from your project, the connection status of the endpoint changes from PENDING to ACCEPTED, and this change is reflected in the audit logs.

Pricing

Pricing for Private Service Connect is described in the VPC pricing page.

Quotas

The number of endpoints that you can create for accessing published services is controlled by the PSC Internal LB Forwarding Rules quota. For more information, see quotas.

Organization policy constraints

An Organization Policy Administrator can use the constraints/compute.disablePrivateServiceConnectCreationForConsumers constraint to define the set of endpoint types for which users cannot create forwarding rules.

For information about creating an organization policy that uses this constraint, see Block consumers from deploying endpoints by connection type.

What's next