Access managed services using Private Service Connect

Private Service Connect lets you connect to service producers using endpoints with internal IP addresses in your VPC network.

This document explains how to use Private Service Connect endpoints to connect to supported managed services in another VPC network. You can connect to your own services, or those provided by other service producers. See publish managed services for more information.

Roles

The following IAM role provides the permissions needed to perform the tasks in this guide.

Before you begin

• You must enable the Compute Engine API in your project.

• You must enable the Service Directory API in your project.

• You must enable the Cloud DNS API in your project.

• Egress firewall rules must permit traffic to the internal IP address of the Private Service Connect endpoint. The implied allow egress firewall rule permits egress to any destination IP address.

  If you've created any egress deny firewall rules in your VPC network, or if you've created hierarchical firewall policies which modify the implied allowed egress behavior, access to the endpoint might be affected. Create a specific egress allow firewall rule or policy to permit traffic to the service endpoint's internal IP address destination.

• You must have the URI of the service attachment for the service. For example, projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

• If you're creating a Private Service Connect endpoint in a project that is protected by a VPC Service Controls perimeter that restricts compute.googleapis.com, servicedirectory.googleapis.com, or dns.googleapis.com, additional configuration is needed. You must create ingress and egress rules for VPC Service Controls before you create the endpoint. For more information, see Configuring ingress and egress rules for VPC Service Controls.

Limitations

• You can't create a Private Service Connect endpoint in the same VPC network as the published service that you are accessing.

• Private Service Connect endpoints are not accessible from peered VPC networks.

• You cannot send requests from an on-premises environment that is connected to a VPC using Cloud Interconnect attachments (VLANs) to a Private Service Connect endpoint that is used to access services in another VPC network.

  For information about accessing Private Service Connect endpoints from on-premises environments that are connected using Cloud VPN, see Using Private Service Connect from on-premises hosts.

• Packet Mirroring can't mirror packets for Private Service Connect published services traffic.

Automatic DNS configuration

If the following configurations are present, DNS entries are automatically created for Private Service Connect endpoints:

• The service producer has configured a domain name for the service.

• The Private Service Connect endpoint is registered with a Service Directory namespace.

  All new endpoints are automatically registered with Service Directory, but older endpoints might not be registered.

If both configurations are present, when the Private Service Connect endpoint is created, a Service Directory DNS zone is created with the name: NAMESPACE--REGION. This private zone stores DNS entries for services found in the Service Directory namespace NAMESPACE, in region REGION.

After you create the Private Service Connect endpoint, you can verify if a Service Directory DNS zone is created. If the Service Directory DNS zone is not created, you can manually create a similar configuration. For more information, see View Service Directory DNS zones.

If you don't want these DNS entries to be created, do one of the following:

• If you're not using Cloud DNS for another purpose, disable the Cloud DNS API, or remove the permissions that are required for Cloud DNS.

• Wait for the DNS zone to be created, then Delete the DNS zone manually.

  If you want to manually configure DNS, see Configure DNS manually.

Create a Private Service Connect endpoint

A Private Service Connect endpoint connects to services in another VPC network using a Private Service Connect forwarding rule. Each forwarding rule counts toward the per project quota for Private Service Connect forwarding rules to access services in another VPC network.

When you use Private Service Connect to connect to services in another VPC network, you choose an IP address from a subnet in your VPC network.

The IP address must be in the same region as the service producer's service attachment. The IP address counts toward the project's quota for Internal IP addresses.

When you create a Private Service Connect endpoint, it is automatically registered with Service Directory, using a namespace that you choose, or the default namespace, goog-psc-default.

Configure ingress and egress rules for VPC Service Controls

If you're creating a Private Service Connect endpoint in a project that is protected by a VPC Service Controls perimeter that restricts compute.googleapis.com, servicedirectory.googleapis.com, or dns.googleapis.com, additional configuration is needed. Before you create a Private Service Connect endpoint, ask the service producer for the following information:

• PRODUCER_PROJECT_NUMBER: the project number of the project that contains the service attachment.

• PRODUCER_SERVICE_ACCOUNT (optional): the name of the service account that created the service attachment, if you want to configure an ingress rule that restricts access by account.

Use this information to create ingress and egress rules to allow the connection between the Private Service Connect endpoint and the service attachment to be established.

For information about configuring ingress and egress rules, see Configuring ingress and egress policies.

1. Configure an egress rule that allows egress from the consumer project to the producer project PRODUCER_PROJECT_NUMBER.

   - egressFrom:
       identityType: ANY_IDENTITY
     egressTo:
       operations:
       - serviceName: 'compute.googleapis.com'
         methodSelectors:
         - method: 'ServiceAttachmentsService.Insert'
         - method: 'ServiceAttachmentsService.Patch'
         - method: 'RegionForwardingRulesService.Insert'
       - serviceName: 'servicedirectory.googleapis.com'
         methodSelectors:
         - method: '*'
       - serviceName: 'dns.googleapis.com'
         methodSelectors:
         - method: '*'
       resources:
       - 'projects/PRODUCER_PROJECT_NUMBER'
   

2. Create one of the following ingress rules.

   • This example ingress rule allows the service producer to update a service attachment that was created by PRODUCER_SERVICE_ACCOUNT to add your project to the accept list.

     - ingressFrom:
         sources:
         - accessLevel: '*' # All Sources
         identities: serviceAccount: PRODUCER_SERVICE_ACCOUNT
       ingressTo:
         operations:
         - serviceName: 'compute.googleapis.com'
           methodSelectors:
           - method: 'ServiceAttachmentsService.Patch'
         - serviceName: 'servicedirectory.googleapis.com'
           methodSelectors:
           - method: '*'
         - serviceName: 'dns.googleapis.com'
           methodSelectors:
           - method: '*'
         resources:
         - '*'
     

   • This example ingress rule allows the service producer to update a service attachment that was created by any account to add your project to the accept list.

     - ingressFrom:
         sources:
         - accessLevel: '*' # All Sources
         identityType: ANY_IDENTITY
       ingressTo:
         operations:
         - serviceName: 'compute.googleapis.com'
           methodSelectors:
           - method: 'ServiceAttachmentsService.Patch'
         - serviceName: 'servicedirectory.googleapis.com'
           methodSelectors:
           - method: '*'
         - serviceName: 'dns.googleapis.com'
           methodSelectors:
           - method: '*'
         resources:
         - '*'
     

After the ingress and egress rules are configured, you can create a Private Service Connect endpoint that connects to a service attachment in project PRODUCER_PROJECT_NUMBER.

View Service Directory DNS zones

If the prerequisites for automatic DNS configuration are met, a DNS zone is created with a name in the format NAMESPACE--REGION.

If the zone is not present, view the details for the Private Service Connect endpoint and check if the endpoint configuration includes a value for the namespace.

• If the endpoint has a namespace configuration, see Configure a Service Directory DNS zone.

• If the endpoint does not have a namespace configuration, see Register a Private Service Connect endpoint with Service Directory.

List endpoints

You can list all configured Private Service Connect endpoints.

gcloud compute forwarding-rules list  \
    --filter 'target~serviceAttachments'

NAME  REGION  IP_ADDRESS  IP_PROTOCOL  TARGET
RULE          IP          TCP          REGION/serviceAttachments/SERVICE_NAME

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules

View endpoint details

You can view all configuration details of a Private Service Connect endpoint.

The endpoint can have one of the following statuses:

• Pending: the endpoint is configured to connect to a service that requires approval, and approval has not been given to this project yet.

• Accepted: the endpoint is in a project that is approved to connect to the service.

• Rejected: the endpoint is in a project that is disallowed from connecting to the service.

• Closed: the endpoint is connected to a service attachment that has been deleted.

gcloud compute forwarding-rules describe \
    ENDPOINT_NAME --region=REGION

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules/ENDPOINT_NAME

Labeling an endpoint

You can manage labels for Private Service Connect endpoints. See labeling resources for more information.

Deleting an endpoint

You can delete a Private Service Connect endpoint.

However, the following Service Directory configurations are not deleted when you delete the endpoint:

• Service Directory namespace
• Service Directory DNS zone

The Service Directory namespace and Service Directory DNS zone can be used by other services. Check that the namespace is empty before you delete the Service Directory namespace or delete the Service Directory DNS zone.

    gcloud compute forwarding-rules delete \
        ENDPOINT_NAME --region=REGION

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules/ENDPOINT_NAME

Other ways to configure DNS

If the prerequisites for automatic DNS configuration are not met, you can create DNS entries in other ways:

• If the endpoint has a namespace configured, see Configure a Service Directory DNS zone.

• If the endpoint does not have a namespace configured, see Register a Private Service Connect endpoint with Service Directory.

• If you prefer to manually configure DNS, see Configure DNS manually.

Configure a Service Directory DNS zone

If a Private Service Connect endpoint is registered with Service Directory, but the published service that it connects to does not have a domain name configured, no DNS changes are made.

If you want to replicate the automatic DNS configuration, you can manually configure a Service Directory DNS zone that is backed by the Service Directory namespace. After the zone is created, DNS entries for the Private Service Connect endpoint are automatically created.

Create a Service Directory DNS zone with the following configuration:

• Zone name: Specify NAMESPACE--REGION, where NAMESPACE is the namespace that the Private Service Connect endpoint is registered to, and REGION is the region where the endpoint is created.

• DNS name: The DNS domain that the service producer is using for their published services. Check with the service producer for this information.

  The DNS name might have the format REGION.p.DOMAIN. For example, if the service producer's public domain is example.com, and their published service is in us-west1, then we recommend that they make their service available using us-west1.p.example.com domain names. Include a trailing dot—for example, us-west1.p.example.com.

• Service Directory namespace: The namespace that you configured for this endpoint.

View the Private Service Connect endpoint details to find the Service Directory namespace and region.

With this configuration, if you have configured a Service Directory DNS zone with the us-west1.p.example.com DNS name, and you create a Private Service Connect endpoint with the name analytics, a DNS record for analytics.us-west1.p.example.com is automatically created.

Register a Private Service Connect endpoint with Service Directory

New Private Service Connect endpoints are automatically registered with Service Directory. However, if a Private Service Connect endpoint was created before automatic registration with Service Directory was enabled, this configuration might be missing.

You can delete the Private Service Connect endpoint and create a new one, which is registered with Service Directory automatically.

Or you can follow these steps to register an existing Private Service Connect endoint with a Service Directory namespace.

1. Create a Service Directory namespace for the Private Service Connect endpoint, NAMESPACE.

2. Create a Service Directory service for the Private Service Connect endpoint, SERVICE_NAME.

   For the service, use the same name as the name of the forwarding rule used for the Private Service Connect endpoint, ENDPOINT_NAME.

3. Create a Service Directory endpoint, using the name default and use the IP address and port (443) of the Private Service Connect endpoint.

After you have registered the Private Service Connect endpoint with Service Directory, follow the instructions to Configure a Service Directory DNS zone.

Configure DNS manually

If you've prevented automatic DNS configuration, or if it is not enabled in your configuration, you can use Cloud DNS to manually create DNS records

For more information, see the following pages:

• Access Control: the DNS Administrator role (roles/dns.admin) provides the permissions needed to create DNS zones and records.

• Create a private zone.

  • When you configure a private zone, you provide a DNS name. Use the DNS domain that the service producer is using for their published services. Check with the service producer for this information.

    It might have this format: REGION.p.DOMAIN. For example, if the service producer's public domain is example.com, and their published service is in us-west1, then we recommend that they make their service available using us-west1.p.example.com domain names.

• Add a record.

Logging

• You can enable VPC Flow Logs on subnets containing VMs that are accessing services in another VPC network using Private Service Connect endpoints. The logs show flows between the VMs and the Private Service Connect endpoint.

• You can view changes in connection status for Private Service Connect endpoints using audit logs. Changes in connection status for the endpoint are captured in system event metadata for the resource type GCE Forwarding Rule. You can filter for pscConnectionStatus to view these entries.

  For example, when a service producer allows connections from your project, the connection status of the endpoint changes from PENDING to ACCEPTED, and this change is reflected in the audit logs.

  • To view audit logs, see View logs.
  • To set alerts based on audit logs, see Managing log-based alerts.

Using Private Service Connect from on-premises hosts

If your on-premises network is connected to a VPC network, you can access Private Service Connect published services from on-premises hosts using the internal IP address of the Private Service Connect endpoint.

• Your on-premises network must be connected to a VPC network using Cloud VPN tunnels, in the same region where the Private Service Connect endpoint is located.

• The Private Service Connect endpoint is in the VPC network that is connected to your on-premises network.

• If you want to access the Private Service Connect endpoint using its DNS name, you must configure on-premises systems so that they can make queries to your private DNS zones.

  If you've implemented the private DNS zones using Cloud DNS, complete the following steps:

  • Create an inbound server policy in the VPC network to which your on-premises network connects.

  • Identify the inbound forwarder entry points, in the regions where your Cloud VPN tunnels are located, in the VPC network to which your on-premises network connects.

  • Configure on-premises systems and on-premises DNS name servers to forward the DNS names for the Private Service Connect endpoints to an inbound forwarder entry point in the same region as the Cloud VPN tunnel that connects to the VPC network.

Troubleshooting

Private DNS zone creation fails

When you create a Private Service Connect endpoint, a Service Directory DNS zone is created. Zone creation can fail for these reasons:

• You haven't enabled the Cloud DNS API in your project.

• You don't have the required permissions to create a Service Directory DNS zone.

• A DNS zone with the same zone name exists in this VPC network.

• A DNS zone for the same domain name already exists in this VPC network.

To manually create the Service Directory DNS zone, do the following:

1. Verify that the Cloud DNS API is enabled in your project.

2. Verify that you have the required permissions to create the Service Directory DNS zone:

   • dns.managedZones.create
   • dns.networks.bindPrivateDNSZone
   • servicedirectory.namespaces.associatePrivateZone

3. If there is a conflicting zone, but it is no longer needed, delete the DNS zone.

4. Create a Service Directory DNS zone that is backed by the Service Directory namespace associated with your Private Service Connect endpoint.