Private access options for services
Virtual machine (VM) instances in Virtual Private Cloud (VPC) networks can reach Google and third-party APIs and services without an external IP address. Most Google Cloud APIs and services support private access; the Supported services column in each table below states what each option covers.
The access method depends on where the service runs. Services hosted in VPC networks (your own, a third party's, or a Google-managed producer network) are reached through VPC Network Peering or Private Service Connect. Google APIs and services hosted in Google's production infrastructure are reached through Private Google Access or Private Service Connect.
The following sections summarize the private access options in each category:
- Connect to Google APIs in Google's production infrastructure
- Connect to services in VPC networks
- Connect from serverless Google services to VPC networks
You can configure one or all of these options. They operate independently of each other.
Connect to Google APIs
The following table shows the options for connecting to services in Google's production networks:
| Option | Clients | Connection | Supported services |
|---|---|---|---|
| Private Service Connect endpoints for Google APIs | Google Cloud resources or on-premises systems, with or without external IP addresses. | Connect to an endpoint in your VPC network, which forwards requests to Google APIs and services. | Supports all Google Cloud APIs and most other Google APIs and services¹. |
| Private Service Connect backends for Google APIs | Google Cloud resources or on-premises systems, with or without external IP addresses. | Connect to a load balancer in your VPC network, which forwards requests to Google APIs and services. | Supports selected locational and global Google APIs and services. |
| Private Google Access | Google Cloud resources without external IP addresses. | Connect to the standard external IP addresses or the Private Google Access-specific domains and VIPs for Google APIs and services through the VPC network's default internet gateway. | Supports most Google APIs and services¹. |
| Private Google Access for on-premises hosts | On-premises hosts with or without external IP addresses. | Connect to Google APIs and services from your on-premises network through a Cloud VPN tunnel or VLAN attachment by using one of the Private Google Access-specific domains and VIPs. | The Google services that you can access depend on which Private Google Access-specific domain you use. |
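As an added example (not configuration from the original page), the following Terraform wires up two of the options in the table on one VPC: a Private Service Connect endpoint for Google APIs, and Private Google Access on a subnet together with a private Cloud DNS zone that steers `*.googleapis.com` names to the endpoint. The network name, region, subnet range and the endpoint address `10.255.0.5` are assumptions chosen for illustration; `all-apis` is the bundle name the endpoint target accepts.

```hcl
# Added example: consumer-side wiring for a Private Service Connect endpoint
# for Google APIs plus Private Google Access. Names, region and addresses are
# assumed values; replace them for your project.

resource "google_compute_network" "vpc" {
  name                    = "private-access-demo"
  auto_create_subnetworks = false
}

# Private Google Access is a per-subnet setting: VMs in this subnet reach
# Google APIs without an external IP address.
resource "google_compute_subnetwork" "app" {
  name                     = "app-subnet"
  region                   = "us-central1"
  ip_cidr_range            = "10.10.0.0/24"
  network                  = google_compute_network.vpc.id
  private_ip_google_access = true
}

# Internal global address reserved for the endpoint. It must not overlap any
# subnet, peered range or on-premises range reachable from this VPC.
resource "google_compute_global_address" "google_apis" {
  name         = "psc-google-apis"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  address_type = "INTERNAL"
  address      = "10.255.0.5"
  network      = google_compute_network.vpc.id
}

# The endpoint itself: a global forwarding rule whose target is the
# "all-apis" bundle ("vpc-sc" limits it to the APIs supported by
# VPC Service Controls). Endpoint names are limited to 20 characters.
resource "google_compute_global_forwarding_rule" "google_apis" {
  name                  = "pscgoogleapis"
  target                = "all-apis"
  network               = google_compute_network.vpc.id
  ip_address            = google_compute_global_address.google_apis.id
  load_balancing_scheme = ""
}

# Private DNS zone so that clients in this VPC resolve *.googleapis.com to
# the endpoint rather than to the public VIPs.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.vpc.id
    }
  }
}

resource "google_dns_record_set" "googleapis_wildcard" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_global_address.google_apis.address]
}

# Hardening: a low-priority deny-all egress rule plus an allow for the
# endpoint address, so workloads cannot bypass the endpoint by reaching the
# public API VIPs directly.
resource "google_compute_firewall" "deny_egress" {
  name               = "deny-all-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 65000
  destination_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }
}

resource "google_compute_firewall" "allow_psc_egress" {
  name               = "allow-psc-google-apis"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["${google_compute_global_address.google_apis.address}/32"]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

Two checks worth making after `terraform apply`: from a VM in `app-subnet` with no external address, `dig storage.googleapis.com` should return `10.255.0.5`, and `curl -sI https://storage.googleapis.com` should succeed while `curl` to the public VIP address fails because of the egress deny. Note that the deny rule also blocks the default-internet-gateway path that Private Google Access uses; if you want that path instead of the endpoint, replace the wildcard A record with a CNAME to `private.googleapis.com` (or `restricted.googleapis.com`) and allow egress to that VIP range rather than to the endpoint address.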
Connect to services in VPC networks
The following table shows the options for connecting to services in VPC networks:
| Option | Clients | Connection | Supported services | Usage |
|---|---|---|---|---|
| Private Service Connect endpoints for published services | Google Cloud VM instances with or without external IP addresses. | Connect to services in another VPC network through an endpoint. | Supports services that are published using Private Service Connect for service producers. | Use this option to connect to supported services in another VPC network without assigning external IP addresses to your Google Cloud resources. |
| Private Service Connect backends for published services | Google Cloud VM instances with or without external IP addresses. | Connect to services in another VPC network through a load balancer. | Supports services that are published using Private Service Connect for service producers. | Use this option to connect to supported services in another VPC network through a consumer-managed load balancer. You don't need to assign external IP addresses to your Google Cloud resources. |
| Service connection policies | Google Cloud VM instances with or without external IP addresses. | Connect to services in another VPC network through an endpoint. | Supports specific Google and third-party services. To find out whether a service supports service connection policies, contact the service provider. | Use this option to deploy a managed service instance and configure connectivity through the service's administrative API or UI. The service instance is deployed in a producer VPC network that is connected to your VPC network through an endpoint. You don't need to assign external IP addresses to your Google Cloud resources. |
| Private services access | Google Cloud VM instances with or without external IP addresses. | Connect to a Google or third-party managed VPC network through a VPC Network Peering connection. | Supports Google services² and third-party services that are made available using the Service Networking API. | Use this option to connect to specific Google and third-party services without assigning external IP addresses to your Google Cloud resources or to the Google or third-party resources. |
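The consumer side of two rows in this table, as an added Terraform example that is not from the original page. It contrasts a Private Service Connect endpoint for a published service (a forwarding rule aimed at the producer's service attachment, with no route exchange) against private services access (a reserved range handed to the Service Networking API, which creates a VPC Network Peering connection). The network name, region, subnet range, endpoint address and the port `5432` are assumptions; the service attachment URI is a variable you must obtain from the producer.

```hcl
# Added example: consumer-side configuration for a Private Service Connect
# endpoint to a published service and for private services access. Names,
# region, addresses and the service port are assumed values.

variable "service_attachment" {
  description = "URI of the producer's Private Service Connect service attachment, obtained from the producer"
  type        = string
  # Shape: projects/PRODUCER_PROJECT/regions/REGION/serviceAttachments/NAME
}

resource "google_compute_network" "consumer" {
  name                    = "consumer-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "consumer" {
  name          = "consumer-subnet"
  region        = "us-central1"
  ip_cidr_range = "10.20.0.0/24"
  network       = google_compute_network.consumer.id
}

# --- Private Service Connect endpoint for a published service --------------
# A regional internal address in the consumer subnet becomes the endpoint;
# the forwarding rule points it at the producer's service attachment. No
# routes are exchanged, so the producer never learns the consumer's ranges.
resource "google_compute_address" "psc_endpoint" {
  name         = "psc-published-service"
  region       = "us-central1"
  subnetwork   = google_compute_subnetwork.consumer.id
  address_type = "INTERNAL"
  address      = "10.20.0.10"
}

resource "google_compute_forwarding_rule" "psc_endpoint" {
  name                  = "psc-published-service"
  region                = "us-central1"
  network               = google_compute_network.consumer.id
  ip_address            = google_compute_address.psc_endpoint.id
  target                = var.service_attachment
  load_balancing_scheme = ""
}

# --- Private services access (VPC Network Peering) -------------------------
# Reserve a range the producer will allocate service instances from, then
# connect the consumer VPC to the Service Networking producer network.
# Unlike the endpoint above, this is a peering and exchanges routes, so the
# range must not overlap anything else reachable from the consumer VPC.
resource "google_compute_global_address" "psa_range" {
  name          = "psa-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 20
  network       = google_compute_network.consumer.id
}

resource "google_service_networking_connection" "psa" {
  network                 = google_compute_network.consumer.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.psa_range.name]
}

# Scope who may use the endpoint: only instances tagged "app", only on the
# service port. This allow rule only restricts anything when paired with a
# lower-priority deny-all egress rule, since VPC egress is allowed by default.
resource "google_compute_firewall" "app_to_psc_endpoint" {
  name               = "allow-app-to-psc-endpoint"
  network            = google_compute_network.consumer.name
  direction          = "EGRESS"
  priority           = 1000
  target_tags        = ["app"]
  destination_ranges = ["${google_compute_address.psc_endpoint.address}/32"]

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}
```

After applying, the endpoint's forwarding rule reports a connection status (`ACCEPTED`, `PENDING` or `REJECTED`) that reflects the producer's connection preference or accept list; a `PENDING` endpoint is reachable only once the producer accepts the consumer project. For the peering path, confirm that the `servicenetworking-googleapis-com` peering appears on the consumer VPC and that its imported routes fall inside `psa-range`.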
Connect from serverless Google services to VPC networks
You can use a Serverless VPC Access connector to let Cloud Run, App Engine standard, and Cloud Run functions environments send packets to the internal IPv4 addresses of resources in a VPC network. Serverless VPC Access also supports sending packets to other networks connected to the selected VPC network.
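As an added example (not from the original page), the following Terraform creates a Serverless VPC Access connector and attaches it to a Cloud Run service. The connector's `/28` range and the service name, region and image are assumptions; the image is Google's public sample container. The security-relevant setting is `egress`: with the default `PRIVATE_RANGES_ONLY`, only traffic to private address ranges is sent through the connector, so requests to Google APIs still leave directly from the serverless environment; `ALL_TRAFFIC` sends everything into the VPC, where the Private Google Access or Private Service Connect configuration of that network applies.

```hcl
# Added example: Serverless VPC Access connector attached to a Cloud Run
# service. Names, region, ranges and the container image are assumed values.

resource "google_compute_network" "vpc" {
  name                    = "serverless-demo"
  auto_create_subnetworks = false
}

# The connector needs its own unused /28 that does not overlap any subnet
# in this VPC or in networks peered or VPN-connected to it.
resource "google_vpc_access_connector" "app" {
  name          = "app-connector"
  region        = "us-central1"
  network       = google_compute_network.vpc.name
  ip_cidr_range = "10.8.0.0/28"
  min_instances = 2
  max_instances = 3
}

resource "google_cloud_run_v2_service" "api" {
  name     = "api"
  location = "us-central1"
  ingress  = "INGRESS_TRAFFIC_INTERNAL_ONLY"

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }

    vpc_access {
      connector = google_vpc_access_connector.app.id
      # PRIVATE_RANGES_ONLY (the default) routes only private-range
      # destinations through the connector. ALL_TRAFFIC also forces traffic
      # to Google APIs and the internet through the VPC, so the VPC's
      # private access setup and egress firewall rules govern it.
      egress = "ALL_TRAFFIC"
    }
  }
}
```

With `ALL_TRAFFIC`, a Cloud Run revision that calls a Google API will fail unless the VPC provides a path to it (Private Google Access on a subnet, a Private Service Connect endpoint, or a Cloud NAT gateway); treat such a failure as the expected outcome of the setting rather than as a connector problem, and fix the VPC side.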