Private access options for services

Google Cloud provides several private access options that let virtual machine (VM) instances in Virtual Private Cloud (VPC) networks reach supported APIs and services without requiring an external IP address. Choose an option that supports the APIs and services that you need to access.

The following sections summarize the options in each category:

You can configure one or all of these options. They operate independently of each other.

Connect to Google APIs

The following table shows the options for connecting to Google APIs:

Option Clients Connection Supported services Usage
Private Service Connect for Google APIs
Google Cloud resources with or without external IP addresses, and on-premises systems. Connect to a Private Service Connect endpoint in your VPC network, which forwards requests to Google APIs and services. Supports most Google APIs and services. Connect to Google APIs and services using an endpoint in your VPC network. Google Cloud and on-premises resources don't need an external IP addresses.
Private Service Connect for Google APIs with consumer HTTP(S) service controls
Google Cloud resources with or without external IP addresses, and on-premises systems. Connect to an internal HTTP(S) load balancer in your VPC network, which forwards requests to Google APIs and services. Supports selected regional Google APIs and services. Connect to regional Google APIs and services using an internal HTTP(S) load balancer in your VPC network. Google Cloud and on-premises resources don't need an external IP addresses.
Private Google Access
Google Cloud resources without external IP addresses. Connect to the standard external IP addresses or Private Google Access domains and VIPs for Google APIs and services through the VPC network's default internet gateway. Supports most Google APIs and services. Use this option to connect to Google APIs and services without giving your Google Cloud resources external IP addresses.
Private Google Access for on-premises hosts
On-premises hosts with or without external IP addresses. Connect to Google APIs and services, from your on-premises network, through a Cloud VPN tunnel or Cloud Interconnect by using one of the Private Google Access-specific domains and VIPs. The Google services that you can access depend on which Private Google Access-specific domain you use. Use this option to connect to Google APIs and services through a VPC network. This method doesn't require your on-premises hosts to have external IP addresses.

Connect to services

The following table shows the options for connecting to supported services:

Option Clients Connection Supported services Usage
Connecting to services
Private Service Connect for published services
Google Cloud VM instances with or without external IP addresses. Connect to services in another VPC network through a Private Service Connect endpoint. Supports services that are published using Private Service Connect for service producers Use this option to connect to supported services in another VPC network without assigning external IP addresses to your Google Cloud resources.
Private services access
Google Cloud VM instances with or without external IP addresses. Connect to a Google or third-party managed VPC network through a VPC Network Peering connection. Supports some Google or third-party services Use this option to connect to specific Google and third-party services without assigning external IP addresses to your Google Cloud and Google or third-party resources.

Connect from serverless Google services to VPC networks

You can use a Serverless VPC Access connector to let Cloud Run, App Engine standard, and Cloud Functions environments send packets to the internal IPv4 addresses of resources in a VPC network. Serverless VPC Access also supports sending packets to other networks connected to the selected VPC network.