Private Service Connect lets you connect to service producers using endpoints with internal IP addresses in your VPC network.
This document explains how to use Private Service Connect endpoints to connect to supported services in another VPC network. You can connect to your own services, or those provided by other service producers. See Publishing services for more information.
You can also use Private Service Connect to access Google APIs and services.
Roles
The following IAM role provides the permissions needed to perform the tasks in this guide.
| Task | Roles |
|---|---|
| Create a Private Service Connect endpoint |
Compute
Network Admin (roles/compute.networkAdmin)
|
Before you begin
You must enable the Compute Engine API in your project.
Egress firewall rules must permit traffic to the internal IP address of the Private Service Connect endpoint. The implied allow egress firewall rule permits egress to any destination IP address.
If you've created any egress deny firewall rules in your VPC network, or if you've created hierarchical firewall policies which modify the implied allowed egress behavior, access to the endpoint might be affected. Create a specific egress allow firewall rule or policy to permit traffic to the service endpoint's internal IP address destination.
You must have the URI of the service attachment for the service. For example,
projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME
Limitations
Private Service Connect endpoints are not accessible from peered VPC networks.
You cannot send requests from an on-premises environment that is connected to a VPC using Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) to a Private Service Connect endpoint that is used to access services in another VPC network.
See known issues for issues and workarounds.
Creating a Private Service Connect endpoint
A Private Service Connect endpoint connects to services in another VPC network using a Private Service Connect forwarding rule. Each forwarding rule counts toward the per project quota for Private Service Connect forwarding rules to access services in another VPC network.
When you use Private Service Connect to connect to services in another VPC network, you choose an IP address from a subnet in your VPC network.
The IP address must be in the same region as the service producer's service attachment.
The IP address counts toward the project's quota for Internal IP addresses.
Console
In the Google Cloud Console, go to Private Service Connect.
Click the Connected endpoints tab.
Click Connect endpoint.
For Target, select Published service.
For Target service, enter the service attachment URI that you want to connect to.
The service attachment URI is in this format:
projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAMEFor Endpoint name, enter a name to use for the endpoint.
Select a Network for the endpoint.
Select a Subnet for the endpoint.
Select an IP address for the endpoint. If you need a new IP address, you can create one:
- Click the IP address drop-down menu and select Create IP address.
- Enter a Name and optional Description for the IP address.
For Static IP address, select Assign automatically or Let me choose.
If you selected Let me choose, enter the Custom IP address you want to use.
Click Reserve.
Click Add endpoint.
gcloud
Reserve an internal IP address to assign to the endpoint.
gcloud compute addresses create ADDRESS_NAME \ --region=REGION \ --subnet=SUBNETReplace the following:
ADDRESS_NAME: the name to assign to the reserved IP address.REGION: the region for the endpoint IP address. This must be the same region that contains the service producer's service attachment.SUBNET: the name of the subnet for the endpoint IP address.
Find the reserved IP address.
gcloud compute addresses list --filter="name=ADDRESS_NAME"
Create a forwarding rule to connect the endpoint to the service producer's service attachment.
gcloud compute forwarding-rules create ENDPOINT_NAME \ --region=REGION \ --network=NETWORK_NAME \ --address=ADDRESS_NAME \ --target-service-attachment=SERVICE_ATTACHMENTReplace the following:
ENDPOINT_NAME: the name to assign to the endpoint.REGION: the region for the endpoint. This must be the same region that contains the service producer's service attachment.NETWORK_NAME: the name of the VPC network for the endpoint.ADDRESS_NAME: the name of the reserved address.SERVICE_ATTACHMENT: the URI of the service producer's service attachment. For example:projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME
API
Reserve an internal IP address to assign to the endpoint.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/region/REGION/addresses { "name": ADDRESS_NAME, "addressType": "INTERNAL", "subnetwork": SUBNET_URI }Replace the following:
PROJECT_ID: your project ID.ADDRESS_NAME: the name to assign to the reserved IP address.SUBNET_URI: the subnet for the IP address. Use the subnetworks.list method orgcloud compute networks subnets list --urito find the URLs of your networks.
Create a forwarding rule to connect the endpoint to Google APIs and services.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules { "name": ENDPOINT_NAME, "IPAddress": ADDRESS_URI, "target": SERVICE_ATTACHMENT, "network": NETWORK_URI, }Replace the following:
PROJECT_ID: your project ID.REGION: the region for the endpoint.ENDPOINT_NAME: the name to assign to the endpoint.ADDRESS_URI: the URI of the reserved address on the associated network. Use the addresses.list method orgcloud compute addresses list --urito find the URL of your reserved address.SERVICE_ATTACHMENT: the URI of the service producer's service attachment. For example:projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAMENETWORK_URI: the VPC network for the endpoint. Use the network.list method orgcloud compute networks list --urito find the URI of your network.
Listing endpoints
You can list all configured Private Service Connect endpoints.
Console
In the Google Cloud Console, go to the Private Service Connect page.
Click the Connected endpoints tab.
The Private Service Connect endpoints are displayed.
gcloud
gcloud compute forwarding-rules list \
--filter 'target~serviceAttachments'
The output is similar to the following:
NAME REGION IP_ADDRESS IP_PROTOCOL TARGET RULE IP TCP REGION/serviceAttachments/SERVICE_NAME
API
This API call returns all forwarding rules, not only Private Service Connect endpoints used to access services.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules
Replace the following:
PROJECT_ID: the project that contains the endpoint.REGION: the region for the endpoint.
Viewing endpoint details
You can view all configuration details of a Private Service Connect endpoint.
The endpoint can have one of the following statuses:
Pending: the endpoint is configured to connect to a service that requires approval, and approval has not been given to this project yet.
Accepted: the endpoint is in a project that is approved to connect to the service.
Rejected: the endpoint is in a project that is disallowed from connecting to the service.
Closed: the endpoint is connected to a service attachment that has been deleted.
Console
In the Google Cloud Console, go to the Private Service Connect page.
Click the Connected endpoints tab.
Click the endpoint that you want to view.
gcloud
gcloud compute forwarding-rules describe \
ENDPOINT_NAME --region=REGION
Replace the following:
ENDPOINT_NAME: the name of the endpoint.REGION: the region for the endpoint.
API
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules/ENDPOINT_NAME
Replace the following:
PROJECT_ID: the project that contains the endpoint.REGION: the region for the endpoint.ENDPOINT_NAME: the name of the endpoint.
Labeling an endpoint
You can manage labels for Private Service Connect endpoints. See labeling resources for more information.
Deleting an endpoint
You can delete a Private Service Connect endpoint.
Console
In the Google Cloud Console, go to Private Service Connect.
Click the Connected endpoints tab.
Select the Private Service Connect endpoint you want to delete, and click Delete.
gcloud
gcloud compute forwarding-rules delete \
ENDPOINT_NAME --region=REGION
Replace the following:
ENDPOINT_NAME: the name of the endpoint.REGION: the region for the endpoint.
API
DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules/ENDPOINT_NAME
Replace the following:
PROJECT_ID: the project that contains the endpoint.REGION: the region for the endpoint.ENDPOINT_NAME: the name of the endpoint.
Logging
You can enable VPC Flow Logs on subnets containing VMs that are accessing services in another VPC network using Private Service Connect endpoints. The logs show flows between the VMs and the Private Service Connect endpoint.
Known issues
If you create more Private Service Connect endpoints than are allowed by the limit set by the service producer, any endpoints created after the limit is reached have a status of Pending, as expected. However, if you remove Private Service Connect endpoints to get below the limit, the status of those endpoints does not change to Accepted.
Contact the service producer to find out what your project's limit is set to, and avoid exceeding that limit. If you do exceed the limit, contact the service producer and ask them to update the service attachment to set the limit again. The same limit can be applied.
Changes in Private Service Connect endpoint status are not logged in Cloud Logging.