Access managed services using Private Service Connect

Private Service Connect lets you connect to service producers using endpoints with internal IP addresses in your VPC network.

This document explains how to use Private Service Connect endpoints to connect to supported services in another VPC network. You can connect to your own services, or those provided by other service producers. See Publishing services for more information.

Roles

The following IAM role provides the permissions needed to perform the tasks in this guide.

Task	Roles
Create a Private Service Connect endpoint	Compute Network Admin (`roles/compute.networkAdmin`)

Before you begin

You must enable the Compute Engine API in your project.
You must enable the Service Directory API in your project.
You must enable the Cloud DNS API in your project.
Egress firewall rules must permit traffic to the internal IP address of the Private Service Connect endpoint. The implied allow egress firewall rule permits egress to any destination IP address.

If you've created any egress deny firewall rules in your VPC network, or if you've created hierarchical firewall policies which modify the implied allowed egress behavior, access to the endpoint might be affected. Create a specific egress allow firewall rule or policy to permit traffic to the service endpoint's internal IP address destination.
You must have the URI of the service attachment for the service. For example, projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME
If you're creating a Private Service Connect endpoint in a project that is protected by a VPC Service Controls perimeter that restricts compute.googleapis.com, additional configuration is needed. You must create ingress and egress rules for VPC Service Controls before you create the endpoint. For more information, see Configuring ingress and egress rules for VPC Service Controls.

Limitations

Private Service Connect endpoints are not accessible from peered VPC networks.
You cannot send requests from an on-premises environment that is connected to a VPC using Cloud Interconnect attachments (VLANs) to a Private Service Connect endpoint that is used to access services in another VPC network.

For information about accessing Private Service Connect endpoints from on-premises environments that are connected using Cloud VPN, see Using Private Service Connect from on-premises hosts.
Packet Mirroring can't mirror packets between VMs and Private Service Connect endpoints that connect to a published service.

Creating a Private Service Connect endpoint

A Private Service Connect endpoint connects to services in another VPC network using a Private Service Connect forwarding rule. Each forwarding rule counts toward the per project quota for Private Service Connect forwarding rules to access services in another VPC network.

When you use Private Service Connect to connect to services in another VPC network, you choose an IP address from a subnet in your VPC network.

The IP address must be in the same region as the service producer's service attachment. The IP address counts toward the project's quota for Internal IP addresses.

When you create a Private Service Connect endpoint, it is automatically registered with Service Directory, using a namespace that you choose, or the default namespace, goog-psc-default.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.networks.use
compute.addresses.create
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.pscCreate
servicedirectory.namespaces.create
servicedirectory.services.create

Roles

See Roles for role information.

Console

In the Google Cloud Console, go to Private Service Connect.

Go to Private Service Connect
Click the Connected endpoints tab.
Click Connect endpoint.
For Target, select Published service.
For Target service, enter the service attachment URI that you want to connect to.

The service attachment URI is in this format: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME
For Endpoint name, enter a name to use for the endpoint.
Select a Network for the endpoint.
Select a Subnetwork for the endpoint.
Select an IP address for the endpoint. If you need a new IP address, you can create one:
1. Click the IP address drop-down menu and select Create IP address.
2. Enter a Name and optional Description for the IP address.
3. For Static IP address, select Assign automatically or Let me choose.
  
  If you selected Let me choose, enter the Custom IP address you want to use.
4. Click Reserve.
Select a Namespace from the drop-down list or create a new namespace.

The Region is populated based on the selected subnetwork.
Click Add endpoint.

gcloud

Reserve an internal IP address to assign to the endpoint.
```
gcloud compute addresses create ADDRESS_NAME \
    --region=REGION \
    --subnet=SUBNET
```
Replace the following:
- ADDRESS_NAME: the name to assign to the reserved IP address.
- REGION: the region for the endpoint IP address. This must be the same region that contains the service producer's service attachment.
- SUBNET: the name of the subnet for the endpoint IP address.

Find the reserved IP address.

gcloud compute addresses list --filter="name=ADDRESS_NAME"

Create a forwarding rule to connect the endpoint to the service producer's service attachment.
```
gcloud compute forwarding-rules create ENDPOINT_NAME \
    --region=REGION \
    --network=NETWORK_NAME \
    --address=ADDRESS_NAME \
    --target-service-attachment=SERVICE_ATTACHMENT \
    [ --service-directory-registration=NAMESPACE_URI ]
```
Replace the following:
- ENDPOINT_NAME: the name to assign to the endpoint.
- REGION: the region for the endpoint. This must be the same region that contains the service producer's service attachment.
- NETWORK_NAME: the name of the VPC network for the endpoint.
- ADDRESS_NAME: the name of the reserved address.
- SERVICE_ATTACHMENT: the URI of the service producer's service attachment. For example: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME
- NAMESPACE_URI: the URI of the Service Directory namespace that you want to use. NAMESPACE_URI must reference the same project and region that you are creating the Private Service Connect endpoint in. If you specify a namespace that doesn't exist, the namespace is created.
  
  NAMESPACE_URI has this format:
  
  projects/PROJECT_NAME/locations/REGION/namespaces/NAMESPACE
  
  If you omit the --service-directory-registration flag, the default namespace of goog-psc-default is used.

API

Reserve an internal IP address to assign to the endpoint.
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/region/REGION/addresses

{
  "name": ADDRESS_NAME,
  "addressType": "INTERNAL",
  "subnetwork": SUBNET_URI
}
```
Replace the following:
- PROJECT_ID: your project ID.
- ADDRESS_NAME: the name to assign to the reserved IP address.
- SUBNET_URI: the subnet for the IP address. Use the subnetworks.list method or gcloud compute networks subnets list --uri to find the URLs of your networks.
Create a forwarding rule to connect the endpoint to Google APIs and services.
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules
{
  "name": ENDPOINT_NAME,
  "IPAddress": ADDRESS_URI,
  "target": SERVICE_ATTACHMENT,
  "network": NETWORK_URI,
  "serviceDirectoryRegistrations": [
      {
          "namespace": NAMESPACE,
      }
  ],
}
```
Replace the following:
- PROJECT_ID: your project ID.
- REGION: the region for the endpoint.
- ENDPOINT_NAME: the name to assign to the endpoint.
- ADDRESS_URI: the URI of the reserved address on the associated network. Use the addresses.list method or gcloud compute addresses list --uri to find the URL of your reserved address.
- SERVICE_ATTACHMENT: the URI of the service producer's service attachment. For example: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME
- NETWORK_URI: the VPC network for the endpoint. Use the network.list method or gcloud compute networks list --uri to find the URI of your network.
- NAMESPACE: the namespace for the endpoint. If you specify a namespace that doesn't exist, the namespace is created. If you omit the namespace field, the default namespace of goog-psc-default is assigned.

Configuring ingress and egress rules for VPC Service Controls

If you're creating a Private Service Connect endpoint in a project that is protected by a VPC Service Controls perimeter that restricts compute.googleapis.com, additional configuration is needed. Before you create a Private Service Connect endpoint, ask the service producer for the following information:

PRODUCER_PROJECT_NUMBER: the project number of the project that contains the service attachment.
PRODUCER_SERVICE_ACCOUNT (optional): the name of the service account that created the service attachment, if you want to configure an ingress rule that restricts access by account.

Use this information to create ingress and egress rules to allow the connection between the Private Service Connect endpoint and the service attachment to be established.

For information about configuring ingress and egress rules, see Configuring ingress and egress policies.

Configure an egress rule that allows egress from the consumer project to the producer project PRODUCER_PROJECT_NUMBER.

- egressFrom:
    identityType: ANY_IDENTITY
  egressTo:
    operations:
    - serviceName: 'compute.googleapis.com'
      methodSelectors:
      - method: 'ServiceAttachmentsService.Patch'
      - method: 'RegionForwardingRulesService.Insert'
    resources:
    - 'projects/PRODUCER_PROJECT_NUMBER'

Create one of the following ingress rules.

This example ingress rule allows the service producer to update a service attachment that was created by PRODUCER_SERVICE_ACCOUNT to add your project to the accept list.

- ingressFrom:
    sources:
    - accessLevel: '*' # All Sources
    identities: serviceAccount: PRODUCER_SERVICE_ACCOUNT
  ingressTo:
    operations:
    - serviceName: 'compute.googleapis.com'
      methodSelectors:
      - method: 'ServiceAttachmentsService.Patch'
    resources:
    - '*'

This example ingress rule allows the service producer to update a service attachment that was created by any account to add your project to the accept list.

- ingressFrom:
    sources:
    - accessLevel: '*' # All Sources
    identityType: ANY_IDENTITY
  ingressTo:
    operations:
    - serviceName: 'compute.googleapis.com'
      methodSelectors:
      - method: 'ServiceAttachmentsService.Patch'
    resources:
    - '*'

After the ingress and egress rules are configured, you can create a Private Service Connect endpoint that connects to a service attachment in project PRODUCER_PROJECT_NUMBER.

Creating DNS records for Private Service Connect endpoints

When you create a Private Service Connect endpoint, it is automatically registered with Service Directory, using a namespace you choose, or the default namespace, goog-psc-default.

If your Private Service Connect endpoint is registered with a Service Directory namespace, you can create a Service Directory zone that is associated with the namespace. Creating the zone results in DNS names being automatically created for the Private Service Connect endpoint. For instructions, see Configure a Service Directory zone.
If your Private Service Connect endpoint was created before automatic registration with Service Directory was enabled, the endpoint might not be registered with Service Directory. You can Register a Private Service Connect endpoint with Service Directory manually. Or you can delete the Private Service Connect endpoint and create a new one. New Private Service Connect endpoints are automatically registered with Service Directory.
If you prefer to manually configure DNS, see Configure DNS manually.

Configure a Service Directory zone

If your Private Service Connect endpoint is registered with Service Directory, you can configure a Service Directory zone that is associated with the namespace. After the zone is created, DNS entries for the Private Service Connect endpoint are automatically created.

Create a Service Directory zone with the following configuration:
- Zone name: Specify a name of your choice.
- DNS name: The DNS domain that the service producer is using for their published services. Check with the service producer for this information.
  
  It might have this format: REGION.p.DOMAIN. For example, if the service producer's public domain is example.com, and their published service is in us-west1, then we recommend that they make their service available using us-west1.p.example.com domain names.
- Service Directory namespace: The namespace that you configured for this endpoint.

With this configuration, if you have configured a Service Directory DNS zone with the us-west1.p.example.com DNS name, and you create a Private Service Connect endpoint called analytics, a DNS record for analytics.us-west1.p.example.com is automatically created.

Register a Private Service Connect endpoint with Service Directory manually

If your Private Service Connect endpoint is not registered with Service Directory, you can manually register it.

To manually register a Private Service Connect endpoint with Service Directory, follow these steps:

Create a Service Directory namespace for the Private Service Connect endpoint, NAMESPACE.
Create a Service Directory service for the Private Service Connect endpoint, SERVICE_NAME.

For the service, use the same name as the name of the forwarding rule used for the Private Service Connect endpoint, ENDPOINT_NAME.
Create a Service Directory endpoint, using the name default and use the IP address and port (443) of the Private Service Connect endpoint.

After you have registered the Private Service Connect endpoint with Service Directory, follow the instructions to Configure a Service Directory zone.

Configure DNS manually

If instead you want to use Cloud DNS to manually create DNS records, see the following pages:

Access Control: the DNS Administrator role (roles/dns.admin) provides the permissions needed to create DNS zones and records.
Create a private zone.
- When you configure a private zone, you provide a DNS name. Use the DNS domain that the service producer is using for their published services. Check with the service producer for this information.
  
  It might have this format: REGION.p.DOMAIN. For example, if the service producer's public domain is example.com, and their published service is in us-west1, then we recommend that they make their service available using us-west1.p.example.com domain names.
Add a record.

Listing endpoints

You can list all configured Private Service Connect endpoints.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.forwardingRules.list

Roles

See Roles for role information.

Console

In the Google Cloud Console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Connected endpoints tab.

The Private Service Connect endpoints are displayed.

gcloud

gcloud compute forwarding-rules list  \
    --filter 'target~serviceAttachments'

The output is similar to the following:

NAME  REGION  IP_ADDRESS  IP_PROTOCOL  TARGET
RULE          IP          TCP          REGION/serviceAttachments/SERVICE_NAME

API

This API call returns all forwarding rules, not only Private Service Connect endpoints used to access services.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules

Replace the following:

PROJECT_ID: the project that contains the endpoint.
REGION: the region for the endpoint.

Viewing endpoint details

You can view all configuration details of a Private Service Connect endpoint.

The endpoint can have one of the following statuses:

Pending: the endpoint is configured to connect to a service that requires approval, and approval has not been given to this project yet.
Accepted: the endpoint is in a project that is approved to connect to the service.
Rejected: the endpoint is in a project that is disallowed from connecting to the service.
Closed: the endpoint is connected to a service attachment that has been deleted.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.forwardingRules.get

Roles

See Roles for role information.

Console

In the Google Cloud Console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Connected endpoints tab.
Click the endpoint that you want to view.

gcloud

gcloud compute forwarding-rules describe \
    ENDPOINT_NAME --region=REGION

Replace the following:

ENDPOINT_NAME: the name of the endpoint.
REGION: the region for the endpoint.

API

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules/ENDPOINT_NAME

Replace the following:

PROJECT_ID: the project that contains the endpoint.
REGION: the region for the endpoint.
ENDPOINT_NAME: the name of the endpoint.

Labeling an endpoint

You can manage labels for Private Service Connect endpoints. See labeling resources for more information.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.forwardingRules.pscSetLabels
compute.forwardingRules.setLabels

Roles

See Roles for role information.

Deleting an endpoint

You can delete a Private Service Connect endpoint.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.forwardingRules.pscDelete
compute.forwardingRules.delete
servicedirectory.namespaces.delete
servicedirectory.services.delete

Roles

See Roles for role information.

Console

In the Google Cloud Console, go to Private Service Connect.

Go to Private Service Connect
Click the Connected endpoints tab.
Select the Private Service Connect endpoint you want to delete, and click Delete.

gcloud

    gcloud compute forwarding-rules delete \
        ENDPOINT_NAME --region=REGION

Replace the following:

ENDPOINT_NAME: the name of the endpoint.
REGION: the region for the endpoint.

API

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules/ENDPOINT_NAME

Replace the following:

PROJECT_ID: the project that contains the endpoint.
REGION: the region for the endpoint.
ENDPOINT_NAME: the name of the endpoint.

Logging

You can enable VPC Flow Logs on subnets containing VMs that are accessing services in another VPC network using Private Service Connect endpoints. The logs show flows between the VMs and the Private Service Connect endpoint.

Using Private Service Connect from on-premises hosts

If your on-premises network is connected to a VPC network, you can access Private Service Connect published services from on-premises hosts using the internal IP address of the Private Service Connect endpoint.

Your on-premises network must be connected to a VPC network using Cloud VPN tunnels, in the same region where the Private Service Connect endpoint is located.
The Private Service Connect endpoint is in the VPC network that is connected to your on-premises network.
If you want to access the Private Service Connect endpoint using its DNS name, you must configure on-premises systems so that they can make queries to your private DNS zones.

If you've implemented the private DNS zones using Cloud DNS, complete the following steps:
- Create an inbound server policy in the VPC network to which your on-premises network connects.
- Identify the inbound forwarder entry points, in the regions where your Cloud VPN tunnels are located, in the VPC network to which your on-premises network connects.
- Configure on-premises systems and on-premises DNS name servers to forward the DNS names for the Private Service Connect endpoints to an inbound forwarder entry point in the same region as the Cloud VPN tunnel that connects to the VPC network.