About Private Service Connect backends
======================================

Last updated: 2025-09-05 (UTC).

You can access Google APIs and published services by creating a [Private Service Connect endpoint (based on a forwarding rule)](/vpc/docs/configure-private-service-connect-services) or a [Private Service Connect backend (based on a load balancer)](/vpc/docs/access-apis-managed-services-private-service-connect-backends). This guide focuses on Private Service Connect backends.

Private Service Connect backends use a load balancer configured with Private Service Connect network endpoint group (NEG) backends. This configuration was previously referred to as a *Private Service Connect endpoint with consumer HTTP(S) service controls*.

Accessing APIs and services through a consumer-managed load balancer provides several benefits. Load balancers can act as a centralized policy enforcement point where security policies (such as [Google Cloud Armor policies](/armor/docs/security-policy-overview) and [SSL policies](/load-balancing/docs/ssl-policies-concepts)) or routing policies (such as [Google Cloud URL maps](/load-balancing/docs/url-map-concepts)) are enforced. They provide centralized metrics and logging that a published service might not provide, and they allow consumers to control their own routing and failover.

Figure 1 shows a load balancer with a Private Service Connect NEG connecting to a published service. Client traffic goes to a load balancer that processes the traffic and then routes it to a Private Service Connect backend that maps to a published service that runs in a different VPC network.

**Figure 1.** Using a global external Application Load Balancer lets service consumers with internet access send traffic to services in the service producer's VPC network.

Deployment overview
-------------------

To access APIs and services through Private Service Connect backends, do the following:

1. **Identify the API or service that you want to connect to.**

   For Google APIs: Select a [regional service endpoint](/vpc/docs/regional-service-endpoints).

   For published services: Ask the service producer for the [service attachment](/vpc/docs/private-service-connect#service-attachments) URI.

2. **Deploy a load balancer to send traffic to your published service.** Choose a load balancer that fits your requirements, including whether you have internet clients, internal clients, or require regional isolation. You can also reuse an existing load balancer.

3. **Deploy the Private Service Connect NEGs and add them to your load balancer backend service.** Create Private Service Connect NEGs that reference your published service. Then add the NEGs to the load balancer's backend service so that the load balancer can send them traffic.

Supported load balancers and targets
------------------------------------

You can use a backend to access a published service or a supported Google API.

See the load balancing documentation for more information about the load balancer that you want to add a Private Service Connect backend to.

- For information about global external Application Load Balancers and regional external Application Load Balancers, see [External Application Load Balancer overview](/load-balancing/docs/https).
- For information about internal Application Load Balancers and Cross-region internal Application Load Balancers, see [Internal Application Load Balancer overview](/load-balancing/docs/l7-internal).
- For information about regional internal proxy Network Load Balancers, see [Regional internal proxy Network Load Balancer overview](/load-balancing/docs/tcp/internal-proxy).
- For information about regional external proxy Network Load Balancers, see [Regional external proxy Network Load Balancer overview](/load-balancing/docs/tcp).
- For information about global external proxy Network Load Balancers, see [External proxy Network Load Balancer overview](/load-balancing/docs/tcp).

### Published service targets

A Private Service Connect backend for published services requires two load balancers: a consumer load balancer and a producer load balancer.

#### Consumer configuration

This table describes the consumer load balancers that are supported by Private Service Connect backends for published services, including which backend service protocols can be used with each consumer load balancer. The consumer load balancers can access published services that are hosted on [supported producer load balancers](#producer-configuration-backends).

#### Producer configuration

This table describes the configuration for producer load balancers that are supported by Private Service Connect backends for published services.

**Note:** To support access by a Private Service Connect backend in a global or cross-regional load balancer, the producer load balancer must have [global access](/load-balancing/docs/internal/setting-up-internal#ilb-global-access) turned on before the service attachment is created.

For an example backend configuration that uses a global external Application Load Balancer, see [Access published services through backends](/vpc/docs/configure-private-service-connect-services-controls).

### Regional Google API targets

This table describes which load balancers can use a Private Service Connect backend to access regional Google APIs.

For an example configuration that uses an internal Application Load Balancer, see [Access Google APIs through backends](/vpc/docs/configure-private-service-connect-controls).

### Global Google API targets

This table describes which load balancers can use a Private Service Connect backend to access a global Google API.

Connection statuses
-------------------

Private Service Connect endpoints, backends, and service attachments have a connection status that describes the state of their connection.

The consumer and producer resources that form the two sides of a connection always have the same status.

You can view connection statuses when you [view endpoint details](/vpc/docs/configure-private-service-connect-services#endpoint-details), [describe a backend](/vpc/docs/access-apis-managed-services-private-service-connect-backends#describe-backends), or [view details for a published service](/vpc/docs/configure-private-service-connect-producer#attachment-details).

The following table describes the possible statuses.

Specifications
--------------

All Private Service Connect backends have the following specifications:

- Only the [supported load balancers](#supported-lb-targets) can use Private Service Connect NEGs as backends.
- Private Service Connect NEGs cannot be mixed with other NEG types in the same backend service. However, self-hosted applications and managed services can both be backends of the same load balancer as long as they are part of separate backend services.
- Backend services with Private Service Connect NEGs don't support health checks. Health check resources are not configured with backend services used for Private Service Connect.
- Backend services with Private Service Connect NEGs don't support [session affinity](/load-balancing/docs/backend-service#session_affinity).
- If a Private Service Connect NEG references a service attachment, the service attachment must be in a different VPC network from the NEG and the load balancer.
- Private Service Connect NEGs can't reference service attachments that are configured for [port mapping services](/vpc/docs/about-private-service-connect-port-mapping).

Private Service Connect backends that are used in global backend services have additional specifications:

- Multiple Private Service Connect NEGs can be in the same backend service as long as they are from different regions. You can't add multiple Private Service Connect NEGs from the same region to the same backend service.
- Private Service Connect NEGs are automatically configured with [outlier detection](/load-balancing/docs/https/traffic-management-global#traffic_policies). Outlier detection lets the load balancer detect failures in published service responses and fail over to remaining healthy regions. The default outlier detection policy can be overridden by applying your own [outlier detection configuration to the backend service](/load-balancing/docs/https/setting-up-global-traffic-mgmt#configure_outlier_detection).

Pricing
-------

For pricing information, see the following sections of the VPC pricing page:

- [Using a Private Service Connect backend to access a published service](/vpc/pricing#psc-loadbalancer-services).
- [Using a Private Service Connect backend to access Google APIs](/vpc/pricing#psc-loadbalancer-apis).

What's next
-----------

- [Create a Private Service Connect backend](/vpc/docs/access-apis-managed-services-private-service-connect-backends)
- [Access regional Google APIs through backends](/vpc/docs/configure-private-service-connect-controls)
- [Access global Google APIs through backends](/vpc/docs/access-global-google-apis-backends)
- [Access published services through backends](/vpc/docs/configure-private-service-connect-services-controls)
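
The rules in the Specifications section can be checked before a backend service is deployed. The lint below is an added example, not Google's tooling or code from this page: it covers NEG mixing, health checks, session affinity, the different-VPC rule and the one-NEG-per-region rule for global backend services. Field names follow Compute Engine API resources; the `attachment_networks` inventory, the finding labels and all sample resources are assumptions constructed for illustration.

```python
# Lint a backend service against the Private Service Connect backend specifications.
from collections import Counter

PSC = "PRIVATE_SERVICE_CONNECT"

def lint_psc_backend_service(bs, negs, lb_network, attachment_networks):
    """Return findings for one backend service.
    bs                  -- backend service resource (Compute API field names)
    negs                -- NEG resources keyed by the value of backends[].group
    lb_network          -- VPC network of the consumer load balancer
    attachment_networks -- hypothetical inventory: attachment URI -> producer VPC
    """
    groups = [negs[b["group"]] for b in bs.get("backends", [])]
    psc = [n for n in groups if n.get("networkEndpointType") == PSC]
    if not psc:
        return []  # the specifications only apply when PSC NEGs are present
    findings = []
    if len(psc) != len(groups):
        findings.append("mixed-neg-types")
    if bs.get("healthChecks"):
        findings.append("health-check-configured")
    if bs.get("sessionAffinity", "NONE") != "NONE":
        findings.append("session-affinity-set")
    for neg in psc:
        target = neg.get("pscTargetService", "")
        if "/serviceAttachments/" not in target:
            continue  # Google API target: no service attachment involved
        producer = attachment_networks.get(target)
        if producer and producer in (neg.get("network"), lb_network):
            findings.append("attachment-in-consumer-network:" + neg["name"])
    if "region" not in bs:  # assumption: a global backend service has no region
        per_region = Counter(n["region"] for n in psc)
        findings += ["duplicate-region:" + r
                     for r, c in sorted(per_region.items()) if c > 1]
    return findings

# Constructed sample resources: every name, project and network is made up.
NET = "projects/consumer/global/networks/app-vpc"
ATT = "projects/producer/regions/us-east1/serviceAttachments/db"
SAMPLE_NEGS = {n: {"name": n, "networkEndpointType": PSC, "region": "us-east1",
                   "network": NET, "pscTargetService": ATT}
               for n in ("neg-a", "neg-b")}
SAMPLE_NEGS["neg-c"] = {"name": "neg-c", "networkEndpointType": "GCE_VM_IP_PORT"}
SAMPLE_BS = {"name": "bs-1", "backends": [{"group": k} for k in SAMPLE_NEGS],
             "healthChecks": ["hc-1"], "sessionAffinity": "CLIENT_IP"}
SAMPLE_ATTACHMENTS = {ATT: NET}  # deliberately wrong: producer shares the consumer VPC

if __name__ == "__main__":
    print("\n".join(lint_psc_backend_service(SAMPLE_BS, SAMPLE_NEGS, NET, SAMPLE_ATTACHMENTS)))
```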