
Add a Private Service Connect NEG to a load balancer

You can use Private Service Connect with consumer HTTP(S) service controls to connect to supported services, using the load balancer for policy enforcement. You connect to the service through a forwarding rule that is mapped to a Private Service Connect network endpoint group (NEG).

For more information about supported services and configurations, see Private Service Connect with consumer HTTP(S) controls.

This page shows you how to add a Private Service Connect NEG to an existing HTTP(S) load balancer to access either Google APIs or a published service.

For instructions that include creating the HTTP(S) load balancer, see the following:

Roles

The Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin) contains the permission required to perform the tasks described in this guide.

Before you begin

  1. Determine which API or service you want to connect to:

    • For Google APIs:

    • For managed services:

      • If you want to publish your own service, see Publish managed services.

      • If you are connecting to a Google Cloud or third-party managed service, ask the producer for the following information:

        • The URI of the service attachment for the service that you want to connect to.

        • Any requirements for what DNS names you use to send requests to. You might need to use specific DNS names in your URL map configuration.

  2. Determine which load balancer type supports the service you want to connect to. For more information, see Supported load balancers and targets.

Create a Private Service Connect NEG

If you're creating a NEG that points to a published service, you need the service attachment URI for the service. The service attachment URI has this format: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

Console

  1. In the Google Cloud console, go to the Network endpoint groups page.

    Go to Network endpoint groups

  2. Click Create network endpoint group.

  3. Enter a Name for the network endpoint group.

  4. For the Network endpoint group type, select Network endpoint group (Private Service Connect).

  5. Configure the target.

    • To connect to a regional Google API, do the following:
      1. For Target, select Google APIs.
      2. Select a Region and the Target service.
    • To connect to a published service, do the following:

      1. For Target, select Published service.
      2. For Target service, enter the URI of the service attachment.
      3. Select the Network and Subnetwork to create the network endpoint group in.

        The subnet must be in the same region as the published service.

  6. Click Create.

gcloud

  • To create a NEG that connects to a regional Google API, do the following:

    gcloud compute network-endpoint-groups create NEG_NAME \
      --network-endpoint-type=private-service-connect \
      --psc-target-service=TARGET_SERVICE \
      --region=REGION
    

    Replace the following:

    • NEG_NAME: a name for the network endpoint group.

    • TARGET_SERVICE: the regional service endpoints that you want to connect to.

    • REGION: the region to create the network endpoint group in. The region must be the same region as the service that you are connecting to.

  • To create a NEG that connects to a published service, do the following:

    gcloud compute network-endpoint-groups create NEG_NAME \
      --network-endpoint-type=private-service-connect \
      --psc-target-service=TARGET_SERVICE \
      --region=REGION \
      --network=NETWORK \
      --subnet=SUBNET
    

    Replace the following:

    • NEG_NAME: a name for the network endpoint group.

    • TARGET_SERVICE: the URI of the service attachment.

    • REGION: the region to create the network endpoint group in. The region must be the same region as the target service.

    • NETWORK: the network to create the network endpoint group in. If omitted, the default network is used.

    • SUBNET: the subnet to create the network endpoint group in. The subnet must be in the same region as the target service. A subnet must be provided if you provide the network. If both network and subnet are omitted, the default network is used, and the default subnet in the specified REGION is used.

Add a Private Service Connect NEG to an existing load balancer

You can configure a supported load balancer to direct traffic to a Private Service Connect NEG.

For more information about supported configurations, see Specifications.

Console

Edit the load balancer

  1. In the Google Cloud console, go to the Load balancing page.

    Go to Load balancing

  2. Click the load balancer that you want to modify.

  3. Click Edit.

Update the backend configuration

  1. Click Backend configuration.
  2. Expand the list of backend services, and select Create a backend service.
  3. Enter a Name for the backend service.
  4. Set the Backend type to Private Service Connect network endpoint group.
  5. In the Backends section, click the Private Service Connect network endpoint group list, and select the Private Service Connect NEG that you created. Click Done.
  6. If you are configuring a global external HTTP(S) load balancer to connect to a published service in multiple regions, and you have created more than one Private Service Connect NEG, click Add backend to select another NEG.

    Repeat this step until all NEGs for this managed service are added to the backend service.

  7. Click Create.

Update the routing rules

  1. Click Routing rules.
  2. Enter a Host and Path for each backend service that you have added.
  3. To review the configuration, click Review and finalize.
  4. Click Create.

gcloud

Update the backend configuration

  1. Create a backend service for the target service.

    gcloud compute backend-services create BACKEND_SERVICE_NAME \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --protocol=HTTPS \
        --global
    

    Replace BACKEND_SERVICE_NAME with the name of the backend service.

  2. Add the Private Service Connect NEG that points to the target service.

    • If you are adding a backend service to a regional load balancer, use the --region flag to specify the same region as the load balancer.

      gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
          --network-endpoint-group=NEG_NAME \
          --network-endpoint-group-region=REGION \
          --region=REGION
      

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service.
      • NEG_NAME: the name of the network endpoint group.
      • REGION: the region of the network endpoint group. The backend service must be in the same region, so the same value is used for both flags.
    • If you are adding a backend service to a global load balancer, use the --global flag.

      If you have created multiple NEGs in different regions for the same service, repeat this step to add all of the NEGs to the backend service.

      gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
        --network-endpoint-group=NEG_NAME \
        --network-endpoint-group-region=NEG_REGION \
        --global
      

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service.
      • NEG_NAME: the name of the network endpoint group.
      • NEG_REGION: the region of the network endpoint group.

Update the routing rules

  1. For each backend service that you have created, add a path matcher to the load balancer's URL map.

    • If the URL map is regional, specify the region by using the --region flag.

      gcloud compute url-maps add-path-matcher URL_MAP_NAME \
      --path-matcher-name=PATH_MATCHER \
      --default-service=BACKEND_SERVICE_NAME \
      --region=REGION
      

      Replace the following:

      • URL_MAP_NAME: the name of the URL map.
      • PATH_MATCHER: a name for the path matcher.
      • BACKEND_SERVICE_NAME: the name of the backend service.
      • REGION: the region of the URL map.
    • If the URL map is global, specify the --global flag.

      gcloud compute url-maps add-path-matcher URL_MAP_NAME \
      --path-matcher-name=PATH_MATCHER \
      --default-service=BACKEND_SERVICE_NAME \
      --global
      

      Replace the following:

      • URL_MAP_NAME: the name of the URL map.
      • PATH_MATCHER: a name for the path matcher.
      • BACKEND_SERVICE_NAME: the name of the backend service.
  2. For each hostname, add a host rule.

    Each host rule can reference only one path matcher, but two or more host rules can reference the same path matcher.

    • If the URL map is regional, specify the region by using the --region flag.

      gcloud compute url-maps add-host-rule URL_MAP_NAME \
      --hosts=HOST \
      --path-matcher-name=PATH_MATCHER \
      --region=REGION
      

      Replace the following:

      • URL_MAP_NAME: the name of the URL map.
      • HOST: the hostname to send requests to for this service.
      • PATH_MATCHER: the name of the path matcher.
      • REGION: the region of the URL map.
    • If the URL map is global, specify the --global flag.

      gcloud compute url-maps add-host-rule URL_MAP_NAME \
      --hosts=HOST \
      --path-matcher-name=PATH_MATCHER \
      --global
      

      Replace the following:

      • URL_MAP_NAME: the name of the URL map.
      • HOST: the hostname to send requests to for this service.
      • PATH_MATCHER: the name of the path matcher.