Configuring Private Service Connect to access services

Private Service Connect lets you connect to service producers using endpoints with internal IP addresses in your VPC network.

This document explains how to use Private Service Connect endpoints to connect to supported services in another VPC network. You can connect to your own services, or those provided by other service producers. See Publishing services for more information.

You can also use Private Service Connect to access Google APIs and services.

Roles

The following IAM role provides the permissions needed to perform the tasks in this guide.

Task Roles
Create a Private Service Connect endpoint Compute Network Admin (roles/compute.networkAdmin)

Before you begin

  • You must enable the Compute Engine API in your project.

  • Egress firewall rules must permit traffic to the internal IP address of the Private Service Connect endpoint. The implied allow egress firewall rule permits egress to any destination IP address.

    If you've created any egress deny firewall rules in your VPC network, or if you've created hierarchical firewall policies which modify the implied allowed egress behavior, access to the endpoint might be affected. Create a specific egress allow firewall rule or policy to permit traffic to the service endpoint's internal IP address destination.

  • You must have the URI of the service attachment for the service. For example, projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

Limitations

  • Private Service Connect endpoints are not accessible from peered VPC networks.

The following limitations apply to Private Service Connect endpoints that are used to access services in another VPC network during Preview:

  • You cannot send requests from an on-premises environment that is connected to a VPC using Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) to a Private Service Connect endpoint.

  • If you want to create a Private Service Connect endpoint in a Shared VPC, the endpoint must be created in the same project that contains the virtual machines (VMs) that send requests to the endpoint.

Creating a Private Service Connect endpoint

A Private Service Connect endpoint connects to services in another VPC network using a Private Service Connect forwarding rule. Each forwarding rule counts toward the per project quota for Private Service Connect forwarding rules to access services in another VPC network.

When you use Private Service Connect to connect to services in another VPC network, you choose an IP address from a subnet in your VPC network.

The IP address must be in the same region as the service producer's service attachment.

The IP address counts toward the project's quota for Internal IP addresses.

Console

  1. In the Google Cloud Console, go to Private Service Connect.

    Go to Private Service Connect

  2. Click the Connected endpoints tab.

  3. Click Connect endpoint.

  4. For Target, select Published service.

  5. For Target service, enter the service attachment URI that you want to connect to.

    The service attachment URI is in this format: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

  6. For Endpoint name, enter a name to use for the endpoint.

  7. Select a Network for the endpoint.

  8. Select a Subnet for the endpoint.

  9. Select an IP address for the endpoint. If you need a new IP address, you can create one:

    1. Click the IP address drop-down menu and select Create IP address.
    2. Enter a Name and optional Description for the IP address.

    3. For Static IP address, select Assign automatically or Let me choose.

      If you selected Let me choose, enter the Custom IP address you want to use.

    4. Click Reserve.

  10. Click Add endpoint.

gcloud

  1. Reserve an internal IP address to assign to the endpoint.

    gcloud compute addresses create ADDRESS_NAME \
    --region=REGION \
    --subnet=SUBNET

    Replace the following:

    • ADDRESS_NAME: the name to assign to the reserved IP address.

    • REGION: the region for the endpoint IP address. This must be the same region that contains the service producer's service attachment.

    • SUBNET: the name of the subnet for the endpoint IP address.

  2. Find the reserved IP address.

    gcloud compute addresses list --filter="name=ADDRESS_NAME"

  3. Create a forwarding rule to connect the endpoint to the service producer's service attachment.

    gcloud beta compute forwarding-rules create ENDPOINT_NAME \
    --region=REGION \
    --network=NETWORK_NAME \
    --address=ADDRESS_NAME \
    --target-service-attachment=SERVICE_ATTACHMENT

    Replace the following:

    • ENDPOINT_NAME: the name to assign to the endpoint.

    • REGION: the region for the endpoint. This must be the same region that contains the service producer's service attachment.

    • NETWORK_NAME: the name of the VPC network for the endpoint.

    • ADDRESS_NAME: the name of the reserved address.

    • SERVICE_ATTACHMENT: the URI of the service producer's service attachment. For example: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

API

  1. Reserve an internal IP address to assign to the endpoint.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/region/REGION/addresses

{
  "name": ADDRESS_NAME,
  "addressType": "INTERNAL",
  "subnetwork": SUBNET_URI
}

    Replace the following:

    • PROJECT_ID: your project ID.

    • ADDRESS_NAME: the name to assign to the reserved IP address.

    • SUBNET_URI: the subnet for the IP address. Use the subnetworks.list method or gcloud compute networks subnets list --uri to find the URLs of your networks.

  2. Create a forwarding rule to connect the endpoint to Google APIs and services.

    POST https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/forwardingRules
{
  "name": ENDPOINT_NAME,
  "IPAddress": ADDRESS_URI,
  "target": SERVICE_ATTACHMENT,
  "network": NETWORK_URI,
}

    Replace the following:

    • PROJECT_ID: your project ID.

    • REGION: the region for the endpoint.

    • ENDPOINT_NAME: the name to assign to the endpoint.

    • ADDRESS_URI: the URI of the reserved address on the associated network. Use the addresses.list method or gcloud compute addresses list --uri to find the URL of your reserved address.

    • SERVICE_ATTACHMENT: the URI of the service producer's service attachment. For example: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

    • NETWORK_URI: the VPC network for the endpoint. Use the network.list method or gcloud compute networks list --uri to find the URI of your network.

Listing endpoints

You can list all configured Private Service Connect endpoints.

Console

  1. In the Google Cloud Console, go to the Private Service Connect page.

    Go to Private Service Connect

  2. Click the Connected endpoints tab.

    The Private Service Connect endpoints are displayed.

gcloud

gcloud beta compute forwarding-rules list  \
    --filter 'target~serviceAttachments'

The output is similar to the following:

NAME  REGION  IP_ADDRESS  IP_PROTOCOL  TARGET
RULE          IP          TCP          REGION/serviceAttachments/SERVICE_NAME

API

This API call returns all forwarding rules, not only Private Service Connect endpoints used to access services.

GET https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/forwardingRules

Replace the following:

  • PROJECT_ID: the project that contains the endpoint.
  • REGION: the region for the endpoint.

Viewing endpoint details

You can view all configuration details of a Private Service Connect endpoint.

The endpoint can have one of the following statuses:

  • Pending: the endpoint is configured to connect to a service that requires approval, and approval has not been given to this project yet.

  • Accepted: the endpoint is in a project that is approved to connect to the service.

  • Rejected: the endpoint is in a project that is disallowed from connecting to the service.

  • Closed: the endpoint is connected to a service attachment that has been deleted.

Console

  1. In the Google Cloud Console, go to the Private Service Connect page.

    Go to Private Service Connect

  2. Click the Connected endpoints tab.

  3. Click the endpoint that you want to view.

gcloud 

gcloud beta compute forwarding-rules describe \
    ENDPOINT_NAME --region=REGION

Replace the following:

  • ENDPOINT_NAME: the name of the endpoint.
  • REGION: the region for the endpoint.

API 

GET https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/forwardingRules/ENDPOINT_NAME

Replace the following:

  • PROJECT_ID: the project that contains the endpoint.
  • REGION: the region for the endpoint.
  • ENDPOINT_NAME: the name of the endpoint.

Labeling an endpoint

You can manage labels for Private Service Connect endpoints. See labeling resources for more information.

Deleting an endpoint

You can delete a Private Service Connect endpoint.

Console

  1. In the Google Cloud Console, go to Private Service Connect.

    Go to Private Service Connect

  2. Click the Connected endpoints tab.

  3. Select the Private Service Connect endpoint you want to delete, and click Delete.

gcloud 

    gcloud beta compute forwarding-rules delete \
        ENDPOINT_NAME --region=REGION

Replace the following:

  • ENDPOINT_NAME: the name of the endpoint.
  • REGION: the region for the endpoint.

API 

DELETE https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/forwardingRules/ENDPOINT_NAME

Replace the following:

  • PROJECT_ID: the project that contains the endpoint.
  • REGION: the region for the endpoint.
  • ENDPOINT_NAME: the name of the endpoint.