
Private Service Connect endpoints with consumer HTTP(S) controls

You can access APIs and services by creating a Private Service Connect endpoint (based on a forwarding rule) or a Private Service Connect endpoint with consumer HTTP(S) controls (based on an HTTP(S) load balancer). This guide focuses on Private Service Connect endpoints with consumer HTTP(S) controls. This configuration requires an HTTP(S) load balancer configured with Private Service Connect NEG backends.

Accessing APIs and services through a consumer-managed load balancer provides several benefits. Load balancers can act as a centralized policy enforcement point where security or routing policies are enforced. They provide centralized metrics and logging that a managed service might not provide, and they allow consumers to control their own routing and failover.

The following diagram shows a load balancer with a Private Service Connect NEG connecting to a managed service. Client traffic goes to a load balancer that processes the traffic and then routes it to a Private Service Connect backend that maps to a managed service running in a different VPC network.

Figure 1. Using a global external HTTP(S) load balancer lets service consumers with internet access send traffic to services in the service producer's VPC network.

Deployment overview

To access APIs and services by using Private Service Connect with consumer HTTP(S) controls, do the following:

  1. Identify the API or service that you want to connect to.

    For Google APIs: Select a regional service endpoint.

    For managed services: Ask the service producer for the service attachment URI.

  2. Deploy a load balancer to send traffic to your managed service. Choose a load balancer that fits your requirements, including whether you have internet clients, internal clients, or require regional isolation. You can also reuse an existing load balancer.

  3. Deploy the Private Service Connect network endpoint groups (NEGs) and add them to your load balancer backend service. Create Private Service Connect NEGs that reference your managed service. Then add the NEGs to the load balancer's backend service so that the load balancer can send them traffic.

Supported load balancers and targets

The following load balancers can be configured with Private Service Connect NEG backends to send traffic to supported APIs and services:

Load balancer                                                                        | Supported Google API targets | Supported managed service targets
-------------------------------------------------------------------------------------|------------------------------|-----------------------------------------------------------------------------
Global external HTTP(S) load balancer with advanced traffic management capabilities (1) | None                      | Service producer internal TCP/UDP load balancer in one or more regions
Regional internal HTTP(S) load balancer                                              | Regional Google APIs         | Service producer internal TCP/UDP load balancer in a single region (Preview)
Regional external HTTP(S) load balancer                                              | Regional Google APIs         | Service producer internal TCP/UDP load balancer in a single region (Preview)

(1) Global external HTTP(S) load balancer (classic) is not supported with Private Service Connect.

Specifications

All Private Service Connect backends have the following specifications:

  • Private Service Connect NEGs cannot be mixed with other NEG types in the same backend service. However, self-hosted apps and managed services can both be backends of the same load balancer as long as they are part of separate backend services.
  • Backend services with Private Service Connect NEGs must use HTTPS as the protocol. HTTP is not supported with Private Service Connect NEGs.
  • Backend services with Private Service Connect NEGs do not support health checks. Health check resources are not configured with backend services used for Private Service Connect.
  • Only the supported load balancers can use Private Service Connect NEGs as backends.

Private Service Connect backends that are added to global external HTTP(S) load balancers have additional specifications:

  • Multiple Private Service Connect NEGs can be in the same backend service as long as they are from different regions. You can't add multiple Private Service Connect NEGs from the same region to the same backend service.
  • Private Service Connect NEGs are automatically configured with outlier detection. Outlier detection lets the load balancer detect failures in managed service responses and fail over to remaining healthy regions. The default outlier detection policy can be overridden by applying your own outlier detection configuration to the backend service.
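The rules listed under Specifications can be checked against a backend service before it is deployed, or over configs exported with `gcloud ... describe --format=json`. The following linter is an added example, not part of this documentation or of any Google tooling; it assumes resources shaped like the Compute Engine API (`protocol`, `healthChecks`, `backends[].group`, `networkEndpointType`, `region`) and runs on constructed sample data.

```python
"""Lint a backend service against the Private Service Connect NEG rules above.
Assumes Compute Engine API field names; all sample data below is constructed."""

PSC = "PRIVATE_SERVICE_CONNECT"
_BASE = "https://www.googleapis.com/compute/v1/projects/example-project/regions/"


def lint_backend_service(backend_service, negs_by_url, global_external=False):
    """Return a list of rule violations (empty list: config is allowed).
    negs_by_url maps each backend `group` URL to its NEG resource."""
    findings = []
    negs = [negs_by_url[b["group"]] for b in backend_service.get("backends", [])]
    types = {n["networkEndpointType"] for n in negs}
    if PSC not in types:
        return findings  # the rules only apply once a PSC NEG is attached
    if backend_service.get("protocol") != "HTTPS":
        findings.append("protocol must be HTTPS when PSC NEGs are attached")
    if backend_service.get("healthChecks"):
        findings.append("health checks are not supported with PSC NEGs")
    if types != {PSC}:
        findings.append("PSC NEGs cannot be mixed with other NEG types")
    if global_external:  # extra rule for global external HTTP(S) load balancers
        regions = [n["region"].rsplit("/", 1)[-1] for n in negs if n["networkEndpointType"] == PSC]
        dupes = sorted({r for r in regions if regions.count(r) > 1})
        if dupes:
            findings.append("multiple PSC NEGs from the same region: " + ", ".join(dupes))
    return findings


def _neg(name, region, neg_type=PSC):
    """Build a (selfLink, resource) pair for a constructed NEG."""
    url = f"{_BASE}{region}/networkEndpointGroups/{name}"
    return url, {"networkEndpointType": neg_type, "region": _BASE + region}


NEG_A = _neg("psc-neg-a", "us-central1")
NEG_B = _neg("psc-neg-b", "us-central1")  # same region as NEG_A
NEG_C = _neg("psc-neg-c", "europe-west1")
NEG_VM = _neg("vm-neg", "us-central1", "GCE_VM_IP_PORT")  # not a PSC NEG
SAMPLE_NEGS = dict([NEG_A, NEG_B, NEG_C, NEG_VM])

# Constructed: HTTP, a health check, and two PSC NEGs from one region.
BAD_SERVICE = {"protocol": "HTTP", "healthChecks": ["projects/example-project/global/healthChecks/hc"],
               "backends": [{"group": NEG_A[0]}, {"group": NEG_B[0]}]}
# Constructed: HTTPS, no health check, one PSC NEG per region.
GOOD_SERVICE = {"protocol": "HTTPS", "backends": [{"group": NEG_A[0]}, {"group": NEG_C[0]}]}

if __name__ == "__main__":
    for name, svc in (("bad", BAD_SERVICE), ("good", GOOD_SERVICE)):
        print(name, lint_backend_service(svc, SAMPLE_NEGS, global_external=True))
```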

Pricing

For pricing information, see the following sections of the VPC pricing page:

What's next