About Private Service Connect backends

You can access Google APIs and published services by creating a Private Service Connect endpoint (based on a forwarding rule) or a Private Service Connect backend (based on a load balancer). This guide focuses on Private Service Connect backends.

Private Service Connect backends use a load balancer configured with Private Service Connect network endpoint group (NEG) backends. This configuration was previously referred to as a Private Service Connect endpoint with consumer HTTP(S) service controls.

Accessing APIs and services through a consumer-managed load balancer provides several benefits. Load balancers can act as a centralized policy enforcement point where security policies (such as Google Cloud Armor policies and SSL policies) or routing policies (such as Google Cloud URL maps) are enforced. They provide centralized metrics and logging that a published service might not provide, and they allow consumers to control their own routing and failover.

Figure 1 shows a load balancer with a Private Service Connect NEG connecting to a published service. Client traffic goes to a load balancer that processes the traffic and then routes it to a Private Service Connect backend that maps to a published service that runs in a different VPC network.

Figure 1. Using a global external Application Load Balancer lets service consumers with internet access send traffic to services in the service producer's VPC network.

Deployment overview

To access APIs and services through Private Service Connect backends, do the following:

  1. Identify the API or service that you want to connect to.

    For Google APIs: Select a regional service endpoint.

    For published services: Ask the service producer for the service attachment URI.

  2. Deploy a load balancer to send traffic to your published service. Choose a load balancer that fits your requirements, including whether your clients are on the internet or internal and whether you require regional isolation. You can also reuse an existing load balancer.

  3. Deploy the Private Service Connect NEGs and add them to your load balancer backend service. Create Private Service Connect NEGs that reference your published service. Then add the NEGs to the load balancer's backend service so that the load balancer can send them traffic.
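The three steps above, carried out for a published service behind a regional internal Application Load Balancer, as an added example script that is not part of the Google Cloud page. It assumes a consumer VPC network and subnet already exist in the attachment's region (along with the proxy-only subnet a regional internal Application Load Balancer needs), that an SSL certificate resource exists, and that the NEG and load balancer are placed in the region named in the service attachment URI; every resource name is a placeholder. By default the script only prints the gcloud commands; export GCLOUD=gcloud to run them.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page): consumer-side deployment of a
# Private Service Connect backend in front of a published service.
# Resource names are placeholders. Commands are printed (dry run) unless
# GCLOUD=gcloud is exported.
set -eu
GCLOUD="${GCLOUD:-echo}"   # set GCLOUD=gcloud to actually create resources

# Step 1: validate the URI the producer handed out. A service attachment URI
# has the shape projects/PROJECT/regions/REGION/serviceAttachments/NAME.
# Prints the region and returns 0 on success, returns 1 otherwise.
attachment_region() {
  printf '%s\n' "$1" | awk -F/ '
    NF == 6 && $1 == "projects" && $3 == "regions" && $5 == "serviceAttachments" && $6 != "" {
      print $4; found = 1
    }
    END { exit !found }'
}

# Steps 2 and 3: PSC NEG, backend service, and the load balancer front end.
# Arguments: NAME_PREFIX ATTACHMENT_URI NETWORK SUBNET SSL_CERTIFICATE
psc_backend_deploy() {
  prefix=$1; attachment=$2; network=$3; subnet=$4; cert=$5
  region=$(attachment_region "$attachment") || return 1   # assumption: NEG lives in the attachment's region

  # Step 3a: PSC NEG that references the producer's service attachment
  $GCLOUD compute network-endpoint-groups create "$prefix-psc-neg" \
    --region="$region" \
    --network-endpoint-type=private-service-connect \
    --psc-target-service="$attachment" \
    --network="$network" \
    --subnet="$subnet"

  # Step 3b: backend service. Deliberately no --health-checks and no session
  # affinity: backend services with PSC NEGs support neither.
  $GCLOUD compute backend-services create "$prefix-bs" \
    --region="$region" \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --protocol=HTTPS

  $GCLOUD compute backend-services add-backend "$prefix-bs" \
    --region="$region" \
    --network-endpoint-group="$prefix-psc-neg" \
    --network-endpoint-group-region="$region"

  # Step 2: regional internal Application Load Balancer front end
  $GCLOUD compute url-maps create "$prefix-urlmap" \
    --region="$region" --default-service="$prefix-bs"
  $GCLOUD compute target-https-proxies create "$prefix-proxy" \
    --region="$region" --url-map="$prefix-urlmap" --url-map-region="$region" \
    --ssl-certificates="$cert" --ssl-certificates-region="$region"
  $GCLOUD compute forwarding-rules create "$prefix-fr" \
    --region="$region" --load-balancing-scheme=INTERNAL_MANAGED \
    --network="$network" --subnet="$subnet" --ports=443 \
    --target-https-proxy="$prefix-proxy" --target-https-proxy-region="$region"
}

# Dry-run demonstration with placeholder names (constructed, not real resources).
psc_backend_deploy demo \
  projects/producer-project/regions/us-central1/serviceAttachments/my-service \
  consumer-vpc consumer-subnet demo-cert
```

Running the script as-is prints the six gcloud invocations in dependency order, which is also a convenient way to review what will be created before granting the deploying identity the compute permissions it needs.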

Supported load balancers and targets

You can use a backend to access a published service or a supported Google API.

See the load balancing documentation for more information about the load balancer that you want to add a Private Service Connect backend to.

Published service targets

A Private Service Connect backend for published services requires two load balancers—a consumer load balancer and a producer load balancer.

Consumer configuration

This table describes the consumer load balancers that are supported by Private Service Connect backends for published services, including which backend service protocols can be used with each consumer load balancer. The consumer load balancers can access published services that are hosted on supported producer load balancers.

Consumer load balancer, supported backend service protocols, and IP version:

Global external Application Load Balancer (supports multiple regions)
  Protocols: HTTP, HTTPS, HTTP2
  IP version: IPv4
  Note: Classic Application Load Balancer is not supported.

Regional external Application Load Balancer
  Protocols: HTTP, HTTPS, HTTP2
  IP version: IPv4

Regional internal Application Load Balancer
  Protocols: HTTP, HTTPS, HTTP2
  IP version: IPv4

Cross-region internal Application Load Balancer
  Protocols: HTTP, HTTPS, HTTP2
  IP version: IPv4

Regional internal proxy Network Load Balancer
  Protocols: TCP
  IP version: IPv4

Cross-region internal proxy Network Load Balancer
  Protocols: TCP
  IP version: IPv4

Regional external proxy Network Load Balancer
  Protocols: TCP
  IP version: IPv4

Global external proxy Network Load Balancer
  Protocols: TCP/SSL
  IP version: IPv4
  To associate this load balancer with a Private Service Connect NEG, use the Google Cloud CLI or send an API request.
  Note: Classic proxy Network Load Balancer is not supported.

Producer configuration

This table describes the configuration for producer load balancers that are supported by Private Service Connect backends for published services.

Producer load balancers covered: Internal passthrough Network Load Balancer, Regional internal Application Load Balancer, and Regional internal proxy Network Load Balancer.

Supported producer backends
  • Internal passthrough Network Load Balancer: GCE_VM_IP zonal NEGs; Instance groups
  • Regional internal Application Load Balancer: GCE_VM_IP_PORT zonal NEGs; Hybrid NEGs; Serverless NEGs; Private Service Connect NEGs; Instance groups
  • Regional internal proxy Network Load Balancer: GCE_VM_IP_PORT zonal NEGs; Hybrid NEGs; Serverless NEGs; Private Service Connect NEGs; Instance groups

Forwarding rule protocols
  • Internal passthrough Network Load Balancer: TCP
  • Regional internal Application Load Balancer: HTTP, HTTPS, HTTP/2
  • Regional internal proxy Network Load Balancer: TCP

Forwarding rule ports
  • Internal passthrough Network Load Balancer: Using a single port is recommended; see Producer port configuration
  • Regional internal Application Load Balancer: Supports a single port
  • Regional internal proxy Network Load Balancer: Supports a single port

PROXY protocol

IP version
  • Internal passthrough Network Load Balancer: IPv4
  • Regional internal Application Load Balancer: IPv4
  • Regional internal proxy Network Load Balancer: IPv4

For an example backend configuration that uses a global external Application Load Balancer, see Access published services through backends.

Regional Google API targets

This table describes which load balancers can use a Private Service Connect backend to access regional Google APIs.

For an example configuration that uses an internal Application Load Balancer, see Access Google APIs through backends.

Consumer configuration (Private Service Connect backend)
  Supported consumer load balancers:
    • Internal Application Load Balancer (protocols: HTTPS)
    • Regional external Application Load Balancer (protocols: HTTPS)
  IP version: IPv4

Producer
  Supported services: Supported regional Google APIs

Global Google API targets

This table describes which load balancers can use a Private Service Connect backend to access a global Google API.

Consumer configuration (Private Service Connect backend)
  Supported consumer load balancers:
    • Global external Application Load Balancer (Classic Application Load Balancer is not supported)
    • Cross-region internal Application Load Balancer
  IP version: IPv4

Producer
  Supported services

Connection statuses

Private Service Connect endpoints, backends, and service attachments have a connection status that describes the state of their connection. The consumer and producer resources that form the two sides of a connection always have the same status. You can view connection statuses when you view endpoint details, describe a backend, or view details for a published service.

The following table describes the possible statuses.

Accepted: The Private Service Connect connection is established. The two VPC networks have connectivity, and the connection is functioning normally.

Pending: The Private Service Connect connection is not established, and network traffic can't travel between the two networks. A connection might have this status for the following reasons:

Connections that are blocked for these reasons remain in the pending state indefinitely until the underlying issue is resolved.

Rejected: The Private Service Connect connection is not established. Network traffic can't travel between the two networks. A connection might have this status for the following reasons:

Needs attention or Unspecified: There is an issue on the producer side of the connection. Some traffic might be able to flow between the two networks, but some connections might not be functional. For example, the producer's NAT subnet might be exhausted and unable to allocate IP addresses for new connections.

Closed: The service attachment was deleted, and the Private Service Connect connection is closed. Network traffic can't travel between the two networks.

A closed connection is a terminal state. To restore the connection, you must recreate both the service attachment and the endpoint or backend.
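A small monitoring helper built on the status table above, added here as an example and not part of the Google Cloud page. It classifies each backend's connection status by severity so a scheduled job can alert when a connection stops carrying traffic or has reached the terminal Closed state. The status values (ACCEPTED, PENDING, REJECTED, NEEDS_ATTENTION, STATUS_UNSPECIFIED, CLOSED) follow the table; the script assumes the status is read from the NEG's pscData.pscConnectionStatus field via gcloud describe, and the sample input at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not part of the Google Cloud page): classify Private Service
# Connect backend connection statuses so a cron job or CI step can alert on
# connections that are not carrying traffic.
set -eu

# Map one connection status to a severity:
#   0 = healthy, 1 = degraded, 2 = no connectivity, 3 = terminal (recreate resources).
status_severity() {
  case "$1" in
    ACCEPTED)                           echo 0 ;;
    NEEDS_ATTENTION|STATUS_UNSPECIFIED) echo 1 ;;
    PENDING|REJECTED)                   echo 2 ;;
    CLOSED)                             echo 3 ;;
    *) echo "unknown status: $1" >&2; return 1 ;;
  esac
}

# Operator guidance per status, following the status table.
status_action() {
  case "$1" in
    ACCEPTED)                           echo "no action" ;;
    PENDING)                            echo "not established; stays pending until the blocking condition is resolved" ;;
    REJECTED)                           echo "not established; the connection was rejected" ;;
    NEEDS_ATTENTION|STATUS_UNSPECIFIED) echo "producer-side issue; some connections may fail (e.g. NAT subnet exhausted)" ;;
    CLOSED)                             echo "service attachment deleted; recreate the service attachment and the backend" ;;
  esac
}

# Query one PSC NEG's connection status (not run in the demo below).
# Assumption: the NEG resource exposes it at pscData.pscConnectionStatus.
neg_connection_status() {   # args: NEG_NAME REGION
  gcloud compute network-endpoint-groups describe "$1" --region="$2" \
    --format='value(pscData.pscConnectionStatus)'
}

# Read "NEG REGION STATUS" lines from stdin, print a report, and return the
# worst severity seen (0..3) as the exit code. Unknown statuses are reported
# on stderr and skipped.
check_psc_connections() {
  worst=0
  while read -r neg region status; do
    [ -n "$neg" ] || continue
    sev=$(status_severity "$status") || continue
    printf '%-14s %-13s %-18s sev=%s  %s\n' \
      "$neg" "$region" "$status" "$sev" "$(status_action "$status")"
    if [ "$sev" -gt "$worst" ]; then worst=$sev; fi
  done
  return "$worst"
}

# Demonstration on constructed sample input (not real describe output).
rc=0
check_psc_connections <<'EOF' || rc=$?
web-psc-neg    us-central1  ACCEPTED
api-psc-neg    europe-west1 NEEDS_ATTENTION
legacy-psc-neg us-east1     CLOSED
EOF
echo "worst severity: $rc"
```

In production the input lines would come from looping over your PSC NEGs and calling neg_connection_status for each; the exit code makes the script usable directly as a health probe, with severity 3 meaning that both the service attachment and the backend must be recreated.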

Specifications

All Private Service Connect backends have the following specifications:

  • Only the supported load balancers can use Private Service Connect NEGs as backends.
  • Private Service Connect NEGs cannot be mixed with other NEG types in the same backend service. However, self-hosted applications and managed services can both be backends of the same load balancer as long as they are part of separate backend services.
  • Backend services with Private Service Connect NEGs don't support health checks. Health check resources are not configured with backend services used for Private Service Connect.
  • Backend services with Private Service Connect NEGs don't support session affinity.
  • If a Private Service Connect NEG references a service attachment, the service attachment must be in a different VPC network from the NEG and the load balancer.
  • Private Service Connect NEGs can't reference service attachments that are configured for port mapping services.

Private Service Connect backends that are used in global backend services have additional specifications:

  • Multiple Private Service Connect NEGs can be in the same backend service as long as they are from different regions. You can't add multiple Private Service Connect NEGs from the same region to the same backend service.
  • Private Service Connect NEGs are automatically configured with outlier detection. Outlier detection lets the load balancer detect failures in published service responses and fail over to remaining healthy regions. The default outlier detection policy can be overridden by applying your own outlier detection configuration to the backend service.
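The two global backend service rules above (one PSC NEG per region, and an outlier detection policy you can override) as an added example script that is not from the Google Cloud page. It assumes a global external Application Load Balancer, PSC NEGs already created in each region and named PREFIX-REGION, and that the backend service is edited through gcloud export and import using the outlierDetection field of the backend service resource; the numeric values in the policy are illustrative choices, not recommended defaults, and every name is a placeholder. Commands are printed unless GCLOUD=gcloud is exported.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page): a global backend service
# holding one PSC NEG per region, plus an explicit outlier detection override.
# Names are placeholders; commands print unless GCLOUD=gcloud is exported.
set -eu
GCLOUD="${GCLOUD:-echo}"

# A global backend service may hold several PSC NEGs only if each comes from
# a different region, so refuse a region list that repeats one.
check_distinct_regions() {
  dups=$(printf '%s\n' "$@" | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "region listed more than once: $dups" >&2
    return 1
  fi
}

# Create the global backend service and attach the NEG NEG_PREFIX-REGION from
# each region. No health check is attached (unsupported with PSC NEGs).
# Args: BACKEND_SERVICE NEG_PREFIX REGION...
create_global_psc_backend() {
  bs=$1; neg_prefix=$2; shift 2
  check_distinct_regions "$@" || return 1
  $GCLOUD compute backend-services create "$bs" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED --protocol=HTTPS
  for region in "$@"; do
    $GCLOUD compute backend-services add-backend "$bs" --global \
      --network-endpoint-group="$neg_prefix-$region" \
      --network-endpoint-group-region="$region"
  done
}

# The override policy. Field names are those of the backend service resource's
# outlierDetection block; the values are illustrative (assumed) choices.
outlier_detection_yaml() {
  cat <<'EOF'
outlierDetection:
  consecutiveErrors: 5
  enforcingConsecutiveErrors: 100
  consecutiveGatewayFailure: 3
  enforcingConsecutiveGatewayFailure: 100
  interval:
    seconds: 10
  baseEjectionTime:
    seconds: 30
  maxEjectionPercent: 50
EOF
}

# Drop any existing top-level outlierDetection block (and its indented
# children) from an exported backend service YAML read on stdin, so that the
# re-imported file does not carry a duplicate key.
strip_outlier_detection() {
  awk '/^outlierDetection:/ { skip = 1; next }
       skip && /^[[:space:]]/ { next }
       { skip = 0; print }'
}

# Replace the default outlier detection on a global backend service:
# export the resource, swap in the policy above, import it back.
set_outlier_detection() {   # arg: BACKEND_SERVICE
  tmp=$(mktemp)
  $GCLOUD compute backend-services export "$1" --global --destination="$tmp"
  { strip_outlier_detection < "$tmp"; outlier_detection_yaml; } > "$tmp.new"
  mv "$tmp.new" "$tmp"
  $GCLOUD compute backend-services import "$1" --global --source="$tmp" --quiet
  rm -f "$tmp"
}

# Dry-run demonstration with placeholder names.
create_global_psc_backend demo-global-bs demo-psc-neg us-central1 europe-west1
set_outlier_detection demo-global-bs
```

Because import replaces the whole backend service, review the exported file before importing in a real project; the region check is cheap insurance against a duplicated add-backend call failing halfway through a deployment.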

Pricing

For pricing information, see the following sections of the VPC pricing page:

What's next