About Private Service Connect backends
You can access Google APIs and published services by creating a Private Service Connect endpoint (based on a forwarding rule) or a Private Service Connect backend (based on a load balancer). This guide focuses on Private Service Connect backends.
Private Service Connect backends use a load balancer configured with Private Service Connect network endpoint group (NEG) backends. This configuration was previously referred to as a Private Service Connect endpoint with consumer HTTP(S) service controls.
Accessing APIs and services through a consumer-managed load balancer provides several benefits. Load balancers can act as a centralized policy enforcement point where security or routing policies are enforced. They provide centralized metrics and logging that a published service might not provide, and they allow consumers to control their own routing and failover.
Figure 1 shows a load balancer with a Private Service Connect NEG connecting to a published service. Client traffic goes to a load balancer that processes the traffic and then routes it to a Private Service Connect backend that maps to a published service that runs in a different VPC network.

Figure 1. Using a global external Application Load Balancer lets service consumers with internet access send traffic to services in the service producer's VPC network (click to enlarge).
Deployment overview
To access APIs and services through Private Service Connect backends, do the following:
Identify the API or service that you want to connect to.
For Google APIs: Select a regional service endpoint.
For published services: Ask the service producer for the service attachment URI.
Deploy a load balancer to send traffic to your published service. Choose a load balancer that fits your requirements, including whether you have internet clients, internal clients, or require regional isolation. You can also reuse an existing load balancer.
Deploy the Private Service Connect NEGs and add them to your load balancer backend service. Create Private Service Connect NEGs that reference your published service. Then add the NEGs to the load balancer's backend service so that the load balancer can send them traffic.
Supported load balancers and targets
You can use a backend to access a published service or a regional Google API.
See the load balancing documentation for more information about the load balancer that you want to add a Private Service Connect backend to.
- For information about global external Application Load Balancers and regional external Application Load Balancers, see External Application Load Balancer overview.
- For information about internal Application Load Balancers and Cross-region internal Application Load Balancers, see Internal Application Load Balancer overview.
- For information about regional internal proxy Network Load Balancers, see Regional internal proxy Network Load Balancer overview.
- For information about regional external proxy Network Load Balancers, see Regional external proxy Network Load Balancer overview.
- For information about global external proxy Network Load Balancers, see External proxy Network Load Balancer overview.
Published service targets
A Private Service Connect backend for published services requires two load balancers—a consumer load balancer and a producer load balancer. This table describes the compatibility between different types of consumer and producer load balancers, including which backend-service protocols are compatible with the consumer load balancers. Each row represents a type of consumer load balancer, and each column represents a type of producer load balancer.
In the following tables, a checkmark indicates that a feature is supported, and a no symbol indicates that a feature isn't supported.
Consumer load balancer and supported consumer backend-service protocols | Producer load balancer | ||
---|---|---|---|
Internal passthrough Network Load Balancer | Regional internal Application Load Balancer | Regional internal proxy Network Load Balancer | |
Global external Application Load Balancer (supports multiple regions) Protocols: HTTPS, HTTP2 Note: Classic Application Load Balancer is not supported. |
|||
Regional external Application Load Balancer Protocols: HTTP, HTTPS, HTTP2 |
|||
Regional internal Application Load Balancer Protocols: HTTP, HTTPS, HTTP2 |
|||
Cross-region internal Application Load Balancer (Preview) Protocols: HTTPS, HTTP2 |
|||
Regional internal proxy Network Load Balancer Protocol: TCP |
|||
Cross-region internal proxy Network Load Balancer Protocol: TCP |
|||
Regional external proxy Network Load Balancer Protocol: TCP |
|||
Global external proxy Network Load Balancer (Preview) Protocol: TCP/SSL Note: Classic proxy Network Load Balancer is not supported. |
This table describes the configuration for the producer load balancers that are supported by Private Service Connect backends.
Configuration | Producer load balancer | ||
---|---|---|---|
Internal passthrough Network Load Balancer | Regional internal Application Load Balancer | Regional internal proxy Network Load Balancer | |
Supported producer backends |
|
|
|
Forwarding rule protocols |
|
|
|
Forwarding rule ports | The forwarding rule must refer to a single port. | The forwarding rule must refer to a single port. | The forwarding rule must refer to a single port. |
PROXY protocol |
For an example backend configuration that uses a global external Application Load Balancer, see Access published services through backends.
Google API targets
This table describes which load balancers can use a Private Service Connect backend to access Google APIs.
For an example configuration that uses an internal Application Load Balancer, see Access Google APIs through backends.
Configuration | Details |
---|---|
Consumer configuration (Private Service Connect backend) | |
Supported consumer load balancers |
|
Producer | |
Supported services | Supported regional Google APIs |
Different load balancers support different port configurations; some load balancers support a single port, some support a range of ports, and some support all ports. For more information, see Port specifications.
Specifications
All Private Service Connect backends have the following specifications:
- Private Service Connect NEGs cannot be mixed with other NEG types in the same backend service. However, self-hosted applications and managed services can both be backends of the same load balancer as long as they are part of separate backend services.
- Backend services with Private Service Connect NEGs do not support health checks. Health check resources are not configured with backend services used for Private Service Connect.
- Only the supported load balancers can use Private Service Connect NEGs as backends.
Private Service Connect backends that use global external Application Load Balancers have additional specifications:
- Multiple Private Service Connect NEGs can be in the same backend service as long as they are from different regions. You can't add multiple Private Service Connect NEGs from the same region to the same backend service.
- Private Service Connect NEGs are automatically configured with outlier detection. Outlier detection lets the load balancer detect failures in published service responses and fail over to remaining healthy regions. The default outlier detection policy can be overridden by applying your own outlier detection configuration to the backend service.
Pricing
For pricing information, see the following sections of the VPC pricing page:
Using a Private Service Connect backend to access a published service.
Using a Private Service Connect backend to access Google APIs.
What's next
- Create a Private Service Connect backend.
- Access Google APIs through backends.
- Access published services through backends.