About accessing published services through endpoints
This document provides an overview of connecting to services in another VPC network by using Private Service Connect endpoints. You can connect to your own services, or those provided by other service producers, including by Google.
Clients connect to the endpoint by using internal IP addresses. Private Service Connect performs network address translation (NAT) to route the request to the service.
For more information about published services, see About published services.
Figure 1. A Private Service Connect endpoint based on a forwarding rule lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network.
Automatic DNS configuration
When you create an endpoint to connect to a service, if the service has a DNS domain name configured, Private Service Connect and Service Directory will automatically create DNS entries in your VPC network for the endpoint.
For more information, see DNS configuration for services.
Logging
You can enable VPC Flow Logs on subnets containing VMs that access services in another VPC network through Private Service Connect endpoints. The logs show flows between the VMs and the endpoint's internal IP address; because the endpoint performs NAT, the producer-side addresses do not appear in the consumer's flow logs.
You can view changes in connection status for Private Service Connect endpoints using audit logs. Changes in connection status for the endpoint are captured in system event metadata for the resource type GCE forwarding rule. You can filter for pscConnectionStatus to view these entries. For example, when a service producer accepts connections from your project, the connection status of the endpoint changes from PENDING to ACCEPTED, and this change is reflected in the audit logs.
- To view audit logs, see View logs.
- To set alerts based on audit logs, see Managing log-based alerts.
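As an added example (not code from the Google Cloud documentation), the following script replays exported audit log entries in timestamp order, reports each endpoint's connection-status transitions, and flags any endpoint that leaves the ACCEPTED state, which is the condition a log-based alert would typically watch for. The entry shape (resource.type "gce_forwarding_rule", the status stored under protoPayload.metadata.pscConnectionStatus), the REJECTED status value and the Logging filter string are assumptions made for illustration; the sample entries are constructed, not captured from a real project.

```python
"""Replay Private Service Connect endpoint status events from audit logs.

Added example, not code from the Google Cloud documentation. The entry
shape is an assumption based on the page's description: the event is on
resource.type "gce_forwarding_rule" and the status lives under
protoPayload.metadata.pscConnectionStatus. Sample entries are constructed.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Logging filter that would select these entries (field path assumed).
PSC_STATUS_FILTER = (
    'resource.type="gce_forwarding_rule" '
    "AND protoPayload.metadata.pscConnectionStatus:*"
)


def _constructed_entry(ts: str, rule_id: str, status: Optional[str],
                       rtype: str = "gce_forwarding_rule") -> str:
    """Build one constructed audit-log line in the assumed shape."""
    entry = {
        "timestamp": ts,
        "severity": "NOTICE",
        "resource": {"type": rtype, "labels": {"forwarding_rule_id": rule_id}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "metadata": {},
        },
    }
    if status is not None:
        entry["protoPayload"]["metadata"]["pscConnectionStatus"] = status
    return json.dumps(entry)


# Constructed sample: two endpoints (111, 222), deliberately out of order,
# plus two entries that must be ignored (a non-forwarding-rule resource and
# a forwarding-rule event that carries no PSC status). REJECTED is assumed.
SAMPLE_LOG_LINES = [
    _constructed_entry("2024-05-01T10:00:00Z", "111", "PENDING"),
    _constructed_entry("2024-05-01T10:30:00Z", "222", "REJECTED"),
    _constructed_entry("2024-05-01T10:05:00Z", "111", "ACCEPTED"),
    _constructed_entry("2024-05-01T10:06:00Z", "333", "ACCEPTED", rtype="gce_instance"),
    _constructed_entry("2024-05-01T10:07:00Z", "222", "PENDING"),
    _constructed_entry("2024-05-01T10:08:00Z", "111", None),
    _constructed_entry("2024-05-01T10:10:00Z", "222", "ACCEPTED"),
]


@dataclass(frozen=True)
class Transition:
    rule_id: str
    timestamp: str
    previous: str
    current: str


def psc_status(entry: dict) -> Optional[str]:
    """Return the endpoint's connection status, or None when the entry is
    not a PSC status event on a forwarding rule."""
    if entry.get("resource", {}).get("type") != "gce_forwarding_rule":
        return None
    metadata = entry.get("protoPayload", {}).get("metadata", {})
    return metadata.get("pscConnectionStatus")


def status_transitions(lines: Iterable[str]) -> List[Transition]:
    """Sort events by timestamp and emit one Transition per state change
    for each forwarding rule; the first observation of a rule is not a change."""
    entries = sorted((json.loads(line) for line in lines),
                     key=lambda e: e["timestamp"])
    last_status: dict = {}
    transitions: List[Transition] = []
    for entry in entries:
        status = psc_status(entry)
        if status is None:
            continue
        rule_id = entry["resource"]["labels"]["forwarding_rule_id"]
        previous = last_status.get(rule_id)
        if previous is not None and previous != status:
            transitions.append(Transition(rule_id, entry["timestamp"], previous, status))
        last_status[rule_id] = status
    return transitions


def lost_connectivity(transitions: Iterable[Transition]) -> List[Transition]:
    """Transitions worth alerting on: an endpoint that was ACCEPTED and no
    longer is, e.g. the producer withdrew its acceptance."""
    return [t for t in transitions
            if t.previous == "ACCEPTED" and t.current != "ACCEPTED"]


if __name__ == "__main__":
    found = status_transitions(SAMPLE_LOG_LINES)
    for t in found:
        print(f"{t.timestamp} endpoint {t.rule_id}: {t.previous} -> {t.current}")
    for t in lost_connectivity(found):
        print(f"ALERT: endpoint {t.rule_id} left ACCEPTED at {t.timestamp} ({t.current})")
```

Feed it the JSON output of a Logging export (for example, `gcloud logging read` with the filter above and `--format=json`) in place of SAMPLE_LOG_LINES; the sort step matters because exported entries are not guaranteed to arrive in timestamp order, and a PENDING-to-ACCEPTED transition replayed backwards would look like a revocation.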
VPC Service Controls
VPC Service Controls and Private Service Connect are compatible with each other. If the VPC network where the Private Service Connect endpoint is deployed is in a VPC Service Controls perimeter, the Private Service Connect endpoint is part of the same perimeter. Any VPC Service Controls-supported services that are accessed through the Private Service Connect endpoint are subject to the policies of that VPC Service Controls perimeter.
When you create a Private Service Connect endpoint, control-plane API calls are made between the consumer and producer projects to establish a Private Service Connect connection. Establishing a Private Service Connect connection between consumer and producer projects that are not in the same VPC Service Controls perimeter does not require explicit authorization with egress policies. Communication to VPC Service Controls-supported services through the Private Service Connect endpoint is protected by the VPC Service Controls perimeter.
Pricing
Pricing for Private Service Connect is described in the VPC pricing page.
Quotas
The number of Private Service Connect endpoints that you can create for accessing published services is controlled by the PSC Internal LB Forwarding Rules quota. For more information, see quotas.
Organization policy constraints
An Organization Policy Administrator can use the constraints/compute.disablePrivateServiceConnectCreationForConsumers constraint to define the set of Private Service Connect endpoint types for which users cannot create forwarding rules. The constraint applies to new configurations and doesn't affect existing connections.
On-premises access
Private Service Connect endpoints that you use to access Google APIs can be accessed from supported connected on-premises hosts. For more information, see Access endpoints from hybrid networks.
Limitations
- You can't create a Private Service Connect endpoint in the same VPC network as the published service that you are accessing.
- Private Service Connect endpoints are not accessible from peered VPC networks.
- Packet Mirroring can't mirror packets for Private Service Connect published services traffic.