Private Service Connect lets you create an endpoint that directs traffic to Google APIs. Instead of sending API requests to public service endpoints such as storage.googleapis.com, you can send the requests to the Private Service Connect endpoint, which is private and internal to your VPC network.
Roles
The following IAM roles provide the permissions needed to perform the tasks in this guide.
Task | Roles |
---|---|
Create a Private Service Connect endpoint | Compute Network Admin (roles/compute.networkAdmin), Service Directory Editor (roles/servicedirectory.editor) |
Create and update Cloud DNS private zones (optional) | DNS Administrator (roles/dns.admin) |
Configure Private Google Access (optional) | Compute Network Admin (roles/compute.networkAdmin) |
Before you begin
Private Service Connect does not automatically enable any API. You must separately enable the Google APIs you need to use from the APIs & services page in the Google Cloud Console.
- You must enable the Compute Engine API in your project.
- You must enable the Service Directory API in your project.
- If you plan to use Cloud DNS, you must enable the Cloud DNS API in your project.
- Egress firewall rules must permit traffic to the Private Service Connect endpoint. The default firewall configuration for a VPC network permits this traffic, because it contains an implied allow egress rule. Verify that you have not created a higher priority egress rule that blocks the traffic.
- Virtual machine (VM) instances without external IP addresses must have their primary interface in a subnet with Private Google Access enabled.
- A VM with an external IP address can access Google APIs and services using Private Service Connect endpoints even if Private Google Access is disabled for its subnet. Connectivity to the Private Service Connect endpoint stays within Google's network.
Enabling Private Google Access for a subnet
To enable Private Google Access, follow these steps.
Console
- Go to the VPC networks page in the Google Cloud Console.
- Click the name of the network that contains the subnet for which you need to enable Private Google Access.
- Click the name of the subnet. The Subnet details page is displayed.
- Click Edit.
- In the Private Google Access section, select On.
- Click Save.
gcloud
Determine the name and region of the subnet. To list the subnets for a particular network, use the following command:

```
gcloud compute networks subnets list --filter=NETWORK_NAME
```

Run the following command to enable Private Google Access:

```
gcloud compute networks subnets update SUBNET_NAME \
    --region=REGION \
    --enable-private-ip-google-access
```

Verify that Private Google Access is enabled by running this command:

```
gcloud compute networks subnets describe SUBNET_NAME \
    --region=REGION \
    --format="get(privateIpGoogleAccess)"
```

In all of the above commands, replace the following with valid values:
- SUBNET_NAME: the name of the subnet
- REGION: the region for the subnet
- NETWORK_NAME: the name of the VPC network that contains the subnet
Choosing an IP address for the Private Service Connect endpoint
When you configure Private Service Connect on a VPC network, you provide an IP address which is used for the Private Service Connect endpoint.
The address counts toward the project's quota for Global internal IP addresses.
The IP address must meet the following specifications:
- It must be a single IP address and not an address range.
- It must be a valid IPv4 address. IPv6 addresses are not supported for Private Service Connect.
- It cannot be within the range of subnets configured in the VPC network.
- It cannot be within a primary or secondary IP address range of any subnet in the VPC network or a network connected to the VPC network using VPC Network Peering.
- It cannot overlap with a /32 custom static route in the local VPC network. For example, if the VPC network has a custom static route for 10.10.10.10/32, you cannot reserve address 10.10.10.10 for Private Service Connect.
- It cannot overlap with a /32 peering custom static route if you've configured the peered network to export custom routes and you've configured your VPC network to import custom routes.
- It cannot be within any of the auto-mode IP ranges (in 10.128.0.0/9) if the local VPC network is an auto mode network or if it is peered with an auto mode network.
- It cannot be within an allocated IP range in the local VPC network. However, it can be within an allocated IP range in a peered VPC network.

If a Private Service Connect endpoint overlaps with a custom dynamic route whose destination is the same /32, the Private Service Connect endpoint takes priority. If a Private Service Connect endpoint IP address is located within the destination range of a custom static route, custom dynamic route, or peering custom route, and that route has a subnet mask shorter than /32, the Private Service Connect endpoint has higher priority.
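As an added example (not code from this page or from Google), the following Python function applies the address rules above to a candidate IP before you reserve it. The subnet, route and allocated-range inventory in the `__main__` block is constructed; in practice you would feed it the ranges of your own VPC and of any peered VPCs. It treats only /32 routes as conflicts, because the page states that the endpoint takes priority over routes with a shorter mask.

```python
import ipaddress

# Auto-mode subnet pool named on the page; relevant only for auto mode or peered-with-auto-mode VPCs.
AUTO_MODE_RANGE = ipaddress.ip_network("10.128.0.0/9")

def endpoint_ip_problems(candidate, subnets, static_routes, allocated, auto_mode):
    """Return the reasons CANDIDATE cannot be a Private Service Connect endpoint IP.

    subnets:       primary and secondary ranges of the local VPC and of peered VPCs
    static_routes: destinations of local custom static routes plus any peering
                   custom static routes that the local VPC imports
    allocated:     allocated IP ranges in the local VPC only (peered ones are allowed)
    auto_mode:     True if the local VPC is auto mode or is peered with an auto mode VPC
    An empty list means the address passes every rule on the page.
    """
    try:
        ip = ipaddress.ip_address(candidate)  # rejects ranges such as 10.0.1.0/24
    except ValueError:
        return [f"{candidate} is not a single IP address"]
    if ip.version != 4:
        return [f"{candidate} is IPv6; only IPv4 is supported"]
    problems = []
    for cidr in subnets:
        if ip in ipaddress.ip_network(cidr):
            problems.append(f"inside subnet range {cidr}")
    for cidr in static_routes:
        route = ipaddress.ip_network(cidr)
        # Only a /32 route conflicts; for a shorter mask the endpoint takes priority.
        if route.prefixlen == 32 and ip in route:
            problems.append(f"overlaps /32 custom static route {cidr}")
    if auto_mode and ip in AUTO_MODE_RANGE:
        problems.append(f"inside auto-mode range {AUTO_MODE_RANGE}")
    for cidr in allocated:
        if ip in ipaddress.ip_network(cidr):
            problems.append(f"inside allocated range {cidr}")
    return problems

if __name__ == "__main__":
    # Constructed inventory for a hypothetical VPC (not taken from the page).
    inventory = dict(
        subnets=["10.0.0.0/24", "10.0.1.0/24", "192.168.8.0/22"],
        static_routes=["10.10.10.10/32", "10.20.0.0/16"],
        allocated=["10.30.0.0/20"],
        auto_mode=True,
    )
    for cand in ["10.10.10.10", "10.130.1.1", "10.20.0.5", "10.0.1.7/32", "10.99.0.1"]:
        print(cand, endpoint_ip_problems(cand, **inventory) or "OK")
```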
Creating a Private Service Connect endpoint
Once you have chosen an IP address that meets the requirements, you can create a Private Service Connect endpoint.
A Private Service Connect endpoint connects to Google APIs and services using a forwarding rule. Each forwarding rule counts toward the per VPC network quota for Private Service Connect.
Console
- In the Google Cloud Console, go to Private Service Connect.
- Click Connect Service.
- Select the target API bundle.
- For Connection name, enter a name for the endpoint.
- Select a Network for the endpoint.
- Select an IP Address for the endpoint. The IP address must meet these requirements. If you need a new IP address, you can create one:
  - Click Create IP address.
  - Enter a Name and Description for the IP address.
  - Enter the IP address you want to use and click Save.
- Click Add service.
gcloud
Reserve a global internal IP address to assign to the endpoint.

```
gcloud beta compute addresses create ADDRESS_NAME \
    --global \
    --purpose=PRIVATE_SERVICE_CONNECT \
    --addresses=ENDPOINT_IP \
    --network=NETWORK_NAME
```

Replace the following:
- ADDRESS_NAME: the name to assign to the reserved IP address.
- ENDPOINT_IP: the IP address to reserve for the endpoint. The IP address must meet these requirements.
- NETWORK_NAME: the name of the VPC network for the endpoint.

Create a forwarding rule to connect the endpoint to Google APIs and services.

```
gcloud beta compute forwarding-rules create ENDPOINT_NAME \
    --global \
    --network=NETWORK_NAME \
    --address=ADDRESS_NAME \
    --target-google-apis-bundle=API_BUNDLE
```

Replace the following:
- ENDPOINT_NAME: the name to assign to the endpoint. The name must be a string of 1-20 characters, containing only lower-case letters and numbers. The name must start with a letter.
- NETWORK_NAME: the name of the VPC network for the endpoint.
- ADDRESS_NAME: the name of the reserved address on the associated network.
- API_BUNDLE: the bundle of APIs to make available using the endpoint. See the list of supported APIs. Use all-apis to give access to all supported APIs. Use vpc-sc to restrict access to Google APIs that support VPC Service Controls.
API
Reserve a global internal IP address to assign to the endpoint.

```
POST https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/global/addresses
{
  "name": ADDRESS_NAME,
  "address": ENDPOINT_IP,
  "addressType": "INTERNAL",
  "purpose": "PRIVATE_SERVICE_CONNECT",
  "network": NETWORK_URL
}
```

Replace the following:
- PROJECT_ID: your project ID.
- ADDRESS_NAME: the name to assign to the reserved IP address.
- ENDPOINT_IP: the IP address to reserve for the endpoint. The IP address must meet these requirements.
- NETWORK_URL: the VPC network for the endpoint. Use the networks.list method or gcloud compute networks list --uri to find the URLs of your networks.

Create a forwarding rule to connect the endpoint to Google APIs and services.

```
POST https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/global/forwardingRules
{
  "IPAddress": ADDRESS_URL,
  "network": NETWORK_URL,
  "name": ENDPOINT_NAME,
  "target": API_BUNDLE
}
```

Replace the following:
- PROJECT_ID: your project ID.
- ENDPOINT_NAME: the name to assign to the endpoint. The name must be a string of 1-20 characters, containing only lower-case letters and numbers. The name must start with a letter.
- NETWORK_URL: the VPC network for the endpoint. Use the networks.list method or gcloud compute networks list --uri to find the URLs of your networks.
- ADDRESS_URL: the URL of the reserved address on the associated network. Use the globalAddresses.list method or gcloud compute addresses list --uri to find the URLs of your reserved addresses.
- API_BUNDLE: the bundle of APIs to make available using the endpoint. See the list of supported APIs. Use all-apis to give access to all supported APIs. Use vpc-sc to restrict access to Google APIs that support VPC Service Controls.
Listing endpoints
You can list all configured Private Service Connect endpoints.
Console
In the Google Cloud Console, go to the Private Service Connect page.
The Private Service Connect endpoints are displayed.
gcloud
```
gcloud beta compute forwarding-rules list \
    --filter target="(all-apis OR vpc-sc)" --global
```

The output is similar to the following:

```
NAME  REGION  IP_ADDRESS  IP_PROTOCOL  TARGET
RULE          IP          TCP          all-apis
```
Describing an endpoint
You can view all configuration details of a Private Service Connect endpoint.
```
gcloud beta compute forwarding-rules describe \
    ENDPOINT_NAME --global
```
Labeling an endpoint
You can manage labels for Private Service Connect endpoints. See labeling resources for more information.
Deleting an endpoint
You can delete a Private Service Connect endpoint.
Console
- In the Google Cloud Console, go to the Private Service Connect page.
- Select the connection you want to delete, and click Delete.
gcloud
```
gcloud beta compute forwarding-rules delete \
    ENDPOINT_NAME --global
```

Replace the following:
- ENDPOINT_NAME: the name of the endpoint that you want to delete.
Configuring DNS
You must create private DNS records for the services you want to use. You can use Cloud DNS or another DNS solution.
- If you can configure your client or application to use a custom Google API service endpoint, create DNS records for custom endpoint names in this format: SERVICE-ENDPOINT.p.googleapis.com.
- If you can't configure your client or application to use a custom Google API service endpoint, create DNS records to match the default DNS names, for example storage.googleapis.com.
See DNS configuration for more information about DNS record format for Private Service Connect.
Create DNS records using custom endpoint names
Follow these instructions to create DNS records in the SERVICE-ENDPOINT.p.googleapis.com format. Use these directions only if you can configure your client or application to use a custom endpoint DNS name.

- Create a private DNS zone for p.googleapis.com or googleapis.com. Consider creating a Cloud DNS private zone for this purpose.
- For each service that you want to use, add a DNS record in the p.googleapis.com private zone that points to the Private Service Connect endpoint IP address. If you're using Cloud DNS, add the records to the p.googleapis.com private zone.
  Use this format for the hostname: SERVICE-ENDPOINT, where SERVICE is the default hostname of the Google service endpoint you want to use, and ENDPOINT is the name of your Private Service Connect endpoint. For example, to access Cloud Storage with Private Service Connect endpoint xyz, create the DNS record for your Private Service Connect endpoint as storage-xyz.p.googleapis.com.
  Though you can use any name in SERVICE, as a best practice, use the service endpoint's default DNS name. Include the service endpoint's default DNS name in the Host header of your HTTP request.
Creating DNS records using default DNS names
If your client or application cannot use a custom endpoint DNS name, create a DNS zone that contains the hostname that the client or application contacts.

- Create a private DNS zone for googleapis.com. Consider creating a Cloud DNS private zone for this purpose.
- For each service that you want to use, add a DNS record in the googleapis.com private zone that points to the Private Service Connect endpoint IP address. If you're using Cloud DNS, add the records to the googleapis.com private zone.
  For example, if you want to access Cloud Storage, create a record for the hostname storage in the private googleapis.com zone that points to the Private Service Connect endpoint IP address.
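The two DNS layouts above (SERVICE-ENDPOINT.p.googleapis.com records in a p.googleapis.com zone, or default names in a googleapis.com zone) together with the endpoint-name rule from the gcloud section, as an added example that is not code from this page or from Google: the Python below checks the endpoint name, derives the record names for a list of services, and renders the Cloud DNS gcloud commands that would create the zone and its A records. The zone name, network name, endpoint IP and TTL are constructed values, and the commands are returned as strings rather than executed.

```python
import re

# Endpoint name rule from the gcloud section: 1-20 lower-case letters and digits, starting with a letter.
ENDPOINT_NAME_RE = re.compile(r"[a-z][a-z0-9]{0,19}")

def validate_endpoint_name(name):
    if not ENDPOINT_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid endpoint name {name!r}")
    return name

def dns_records(endpoint_name, services, custom_names=True):
    """Return (zone_dns_name, [(record_fqdn, host_header), ...]).

    services: default Google API hostnames, for example 'storage.googleapis.com'.
    custom_names=True  -> SERVICE-ENDPOINT.p.googleapis.com records in a p.googleapis.com zone
    custom_names=False -> the default names themselves, in a googleapis.com zone
    Every record is an A record for the endpoint IP; the Host header the client
    sends stays the service's default DNS name in both cases.
    """
    validate_endpoint_name(endpoint_name)
    zone = "p.googleapis.com." if custom_names else "googleapis.com."
    records = []
    for svc in services:
        host, suffix, rest = svc.partition(".googleapis.com")
        if not host or not suffix or rest:
            raise ValueError(f"{svc!r} is not a *.googleapis.com hostname")
        fqdn = f"{host}-{endpoint_name}.{zone}" if custom_names else f"{svc}."
        records.append((fqdn, svc))
    return zone, records

def gcloud_commands(zone_name, network, endpoint_name, endpoint_ip, services, custom_names=True):
    """Render the Cloud DNS commands that create the private zone and its A records."""
    zone, records = dns_records(endpoint_name, services, custom_names)
    cmds = [f"gcloud dns managed-zones create {zone_name} --dns-name={zone} "
            f"--visibility=private --networks={network} "
            f"--description='Private Service Connect records for {endpoint_name}'"]
    for fqdn, _ in records:
        cmds.append(f"gcloud dns record-sets create {fqdn} --zone={zone_name} "
                    f"--type=A --ttl=300 --rrdatas={endpoint_ip}")
    return cmds

if __name__ == "__main__":
    # Constructed values (not from the page): endpoint 'xyz' at 10.1.2.3 on network 'prod-vpc'.
    for cmd in gcloud_commands("psc-p-googleapis", "prod-vpc", "xyz", "10.1.2.3",
                               ["storage.googleapis.com", "bigquery.googleapis.com"]):
        print(cmd)
```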
Using Private Service Connect from on-premises hosts
If your on-premises network is connected to a VPC network, you can use Private Service Connect to access Google APIs and services from on-premises hosts using the internal IP address of the Private Service Connect endpoint.
- Your on-premises network must be connected to a VPC network using either Cloud VPN tunnels or Cloud Interconnect attachments (VLANs).
- The Private Service Connect endpoint is in the VPC network that is connected to your on-premises network.
- The on-premises network must have appropriate routes for the Private Service Connect endpoint. Configure a Cloud Router custom route advertisement to announce routes for the Private Service Connect endpoint on the BGP session that manages routes for the Cloud VPN tunnel or Cloud Interconnect attachment (VLAN).
- You must configure on-premises systems so that they can make queries to your private DNS zones.

If you've implemented the private DNS zones using Cloud DNS, complete the following steps:
- Create an inbound server policy in the VPC network to which your on-premises network connects.
- Identify the inbound forwarder entry points, in the regions where your Cloud VPN tunnels and Cloud Interconnect attachments (VLANs) are located, in the VPC network to which your on-premises network connects.
- Configure on-premises systems and on-premises DNS name servers to forward the DNS names for the Private Service Connect endpoints to an inbound forwarder entry point in the same region as the Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) that connects to the VPC network.
Verifying that the Private Service Connect endpoint is working
Create a VM instance in the VPC network where Private Service Connect is configured, and run this command on the VM to verify that the Private Service Connect endpoint is working.
```
curl -v ENDPOINT_IP/generate_204
```

Replace the following:
- ENDPOINT_IP: the IP address of the Private Service Connect endpoint.
If the endpoint is working, you see an HTTP 204 response code.