Private Service Connect compatibility

Services

You can access the following services by using Private Service Connect.

Google published services

Google service Access provided
AlloyDB for PostgreSQL Lets you connect to AlloyDB for PostgreSQL instances.
Apigee Lets you expose APIs managed by Apigee to the internet. Also lets you connect privately from Apigee to backend target services.
BigQuery connections SAP Datasphere Lets you increase security when using BigQuery to send queries to SAP Datasphere.
BigQuery Data Transfer Service Lets you use BigQuery Data Transfer Service for Oracle.
Blockchain Node Engine Lets you access Blockchain Node Engine nodes.
Chrome Enterprise Premium Lets the Identity-Aware Proxy access the App Connector Gateway.
Cloud Data Fusion Lets you connect Cloud Data Fusion instances to resources in VPC networks.
Cloud Composer 2 Lets you access the Cloud Composer tenant project.
Cloud Composer 3 Lets you access the Cloud Composer tenant project.
Cloud SQL Lets you access your Cloud SQL database privately.
Cloud Workstations Lets you access private workstation clusters.
Database Migration Service Lets you migrate your data to Google Cloud.
Dataproc Metastore Lets you access Dataproc Metastore services.
Eventarc Lets you receive events from Eventarc.
Google Cloud Managed Service for Apache Kafka Lets you access Managed Service for Apache Kafka clusters.
Google Kubernetes Engine (GKE) public clusters and private clusters Lets you privately connect nodes and the control plane for a public or private cluster.
Integration Connectors Lets Integration Connectors access your managed services privately.
Looker (Google Cloud core) Lets you access Looker (Google Cloud core) instances.
Memorystore for Redis Cluster Lets you access Memorystore for Redis Cluster instances.
Memorystore for Valkey Lets you access Memorystore for Valkey instances.
Vertex AI Vector Search Lets you access Vector Search endpoints.
Vertex AI predictions Lets you access Vertex AI online prediction.

Third-party published services

Third-party service Access provided
Aiven Provides private access to Aiven Kafka clusters.
Citrix DaaS Provides private access to Citrix DaaS.
ClickHouse Provides private access to ClickHouse services.
Confluent Cloud Provides private access to Confluent Cloud clusters.
Databricks Provides private access to Databricks clusters.
Datadog Provides private access to Datadog intake services.
Datastax Astra Provides private access to Datastax Astra DB databases.
Elasticsearch Provides private access to Elastic Cloud.
JFrog Provides private access to JFrog SaaS instances.
MongoDB Atlas Provides private access to MongoDB Atlas.
Neo4j Aura Provides private access to Neo4j Aura.
Pega Cloud Provides private access to Pega Cloud.
Redis Enterprise Cloud Provides private access to Redis Enterprise clusters.
Redpanda Provides private access to Redpanda Cloud.
Snowflake Provides private access to Snowflake.
Striim Provides private access to Striim Cloud.

Global Google APIs

Endpoints can target a bundle of global Google APIs or a single regional Google API. Backends can target a single global Google API or a single regional Google API.

Bundles of global Google APIs

You can use Private Service Connect endpoints to send traffic to a bundle of Google APIs.

When you create an endpoint to access Google APIs and services, you choose which bundle of APIs you need access to—All APIs (all-apis) or VPC-SC (vpc-sc):

The API bundles support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP are not supported.

API bundle Supported services Example usage
all-apis

Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.

Domain names that match:

  • accounts.google.com (only the paths needed for OAuth authentication)
  • *.aiplatform-notebook.cloud.google.com
  • *.aiplatform-notebook.googleusercontent.com
  • appengine.google.com
  • *.appspot.com
  • *.backupdr.cloud.google.com
  • backupdr.cloud.google.com
  • *.backupdr.googleusercontent.com
  • backupdr.googleusercontent.com
  • *.cloudfunctions.net
  • *.cloudproxy.app
  • *.composer.cloud.google.com
  • *.composer.googleusercontent.com
  • *.datafusion.cloud.google.com
  • *.datafusion.googleusercontent.com
  • *.dataproc.cloud.google.com
  • dataproc.cloud.google.com
  • *.dataproc.googleusercontent.com
  • dataproc.googleusercontent.com
  • dl.google.com
  • gcr.io or *.gcr.io
  • *.googleapis.com
  • *.gstatic.com
  • *.kernels.googleusercontent.com
  • *.ltsapis.goog
  • *.notebooks.cloud.google.com
  • *.notebooks.googleusercontent.com
  • packages.cloud.google.com
  • pkg.dev or *.pkg.dev
  • pki.goog or *.pki.goog
  • *.run.app
  • source.developers.google.com
  • storage.cloud.google.com

Choose all-apis under these circumstances:

  • You don't use VPC Service Controls.
  • You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls. 1

vpc-sc

Enables API access to Google APIs and services that are supported by VPC Service Controls.

Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

Choose vpc-sc when you only need access to Google APIs and services that are supported by VPC Service Controls. The vpc-sc bundle does not permit access to Google APIs and services that do not support VPC Service Controls. 1

1 If you need to restrict users to just the Google APIs and services that support VPC Service Controls, use vpc-sc, as it provides additional risk mitigation for data exfiltration. Using vpc-sc denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.

Single global Google API

You can use Private Service Connect backends to send requests to a single supported global Google API. The following APIs are supported:

Regional Google APIs

You can use endpoints or backends to access regional Google APIs. For a list of supported regional Google APIs, see Regional service endpoints.

Types

The following tables summarize compatibility information for different Private Service Connect configurations.

In the following tables, a checkmark indicates that a feature is supported, and a no symbol indicates that a feature isn't supported.

Endpoints and published services

This section summarizes the configuration options that are available for consumers and producers when using endpoints to access publish services.

Consumer configuration

This table summarizes the supported configuration options and capabilities of endpoints that access published services.

Consumer configuration (endpoint) Producer load balancer
Internal passthrough Network Load Balancer Regional internal Application Load Balancer Regional internal proxy Network Load Balancer Internal protocol forwarding (target instance)
Consumer global access

Independent of global access setting on load balancer

Only if global access is enabled on the load balancer before the service attachment is created

Only if global access is enabled on the load balancer before the service attachment is created

Independent of global access setting on load balancer

Interconnect traffic

Cloud VPN traffic
Automatic DNS configuration IPv4 only IPv4 only IPv4 only IPv4 only
Connection propagation IPv4 only IPv4 only IPv4 only IPv4 only
IPv4 endpoints
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
IPv6 endpoints
  • IPv4 producer forwarding rules
  • IPv6 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv6 producer forwarding rules

Endpoints that access a published service have the following limitations:

  • You can't create an endpoint in the same VPC network as the published service that you are accessing.

  • Endpoints are not accessible from peered VPC networks.

  • Packet Mirroring can't mirror packets for Private Service Connect published services traffic.

  • Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, see Static routes with load balancer next hops.

  • Connectivity Tests can't test connectivity between an IPv6 endpoint and a published service.

Producer configuration

This table summarizes the supported configuration options and capabilities of published services that are accessed by endpoints.

Producer configuration (published service) Producer load balancer
Internal passthrough Network Load Balancer Regional internal Application Load Balancer Regional internal proxy Network Load Balancer Internal protocol forwarding (target instance)

Supported producer backends:

  • GCE_VM_IP zonal NEGs
  • Instance groups
  • Port mapping NEGs
  • GCE_VM_IP_PORT zonal NEGs
  • Hybrid NEGs
  • Serverless NEGs
  • Private Service Connect NEGs
  • Instance groups
  • GCE_VM_IP_PORT zonal NEGs
  • Hybrid NEGs
  • Serverless NEGs
  • Private Service Connect NEGs
  • Instance groups
Not applicable
PROXY protocol TCP traffic only TCP traffic only
Session affinity modes NONE (5-tuple)
CLIENT_IP_PORT_PROTO
Not applicable Not applicable Not applicable
IP version
  • IPv4 producer forwarding rules
  • IPv6 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv6 producer forwarding rules

Published services have the following limitations:

For issues and workarounds, see Known issues.

Different load balancers support different port configurations; some load balancers support a single port, some support a range of ports, and some support all ports. For more information, see Port specifications.

Backends and published services

A Private Service Connect backend for published services requires two load balancers—a consumer load balancer and a producer load balancer. This section summarizes the configuration options that are available for consumers and producers when using backends to access publish services.

Consumer configuration

This table describes the consumer load balancers that are supported by Private Service Connect backends for published services, including which backend service protocols can be used with each consumer load balancer. The consumer load balancers can access published services that are hosted on supported producer load balancers.

Consumer load balancer Protocols IP version

Global external Application Load Balancer (supports multiple regions)

Note: Classic Application Load Balancer is not supported.

  • HTTP
  • HTTPS
  • HTTP2
IPv4

Regional external Application Load Balancer

  • HTTP
  • HTTPS
  • HTTP2
IPv4

Regional internal Application Load Balancer

  • HTTP
  • HTTPS
  • HTTP2
IPv4

Cross-region internal Application Load Balancer

  • HTTP
  • HTTPS
  • HTTP2
IPv4

Regional internal proxy Network Load Balancer

  • TCP
IPv4

Cross-region internal proxy Network Load Balancer

  • TCP
IPv4

Regional external proxy Network Load Balancer

  • TCP
IPv4

Global external proxy Network Load Balancer

To associate this load balancer with a Private Service Connect NEG, use the Google Cloud CLI or send an API request.

Note: Classic proxy Network Load Balancer is not supported.

  • TCP/SSL
IPv4

Producer configuration

This table describes the configuration for producer load balancers that are supported by Private Service Connect backends for published services.

Configuration Producer load balancer
Internal passthrough Network Load Balancer Regional internal Application Load Balancer Regional internal proxy Network Load Balancer
Supported producer backends
  • GCE_VM_IP zonal NEGs
  • Instance groups
  • GCE_VM_IP_PORT zonal NEGs
  • Hybrid NEGs
  • Serverless NEGs
  • Private Service Connect NEGs
  • Instance groups
  • GCE_VM_IP_PORT zonal NEGs
  • Hybrid NEGs
  • Serverless NEGs
  • Private Service Connect NEGs
  • Instance groups
Forwarding rule protocols
  • TCP
  • HTTP
  • HTTPS
  • HTTP/2
  • TCP
Forwarding rule ports Using a single port is recommended, see Producer port configuration Supports a single port Supports a single port
PROXY protocol
IP version IPv4 IPv4 IPv4

Published services have the following limitations:

For issues and workarounds, see Known issues.

For an example backend configuration that uses a global external Application Load Balancer, see Access published services through backends.

To publish a service, see Publish services.

Endpoints and global Google APIs

This table summarizes the features that are supported by endpoints used to access Google APIs.

To create this configuration, see Access Google APIs through endpoints.

Configuration Details
Consumer configuration (endpoint)
Global reachability Uses an internal global IP address
Interconnect traffic
Cloud VPN traffic
Automatic DNS configuration
IP version IPv4
Producer
Supported services Supported global Google APIs

Backends and global Google APIs

This table describes which load balancers can use a Private Service Connect backend to a global Google API.

Configuration Details
Consumer configuration (Private Service Connect backend)
Supported consumer load balancers
  • Global external Application Load Balancer

    Note: Classic Application Load Balancer is not supported.

  • Cross-region internal Application Load Balancer

IP version IPv4
Producer
Supported services

Endpoints and regional Google APIs

You can use a Private Service Connect endpoint to access a single regional Google API. For a list of supported regional APIs, see Regional service endpoints.

Backends and regional Google APIs

This table describes which load balancers can use a Private Service Connect backend to access regional Google APIs.

For an example backend configuration that uses an internal Application Load Balancer, see Access regional Google APIs through backends.

Configuration Details
Consumer configuration (Private Service Connect backend)
Supported consumer load balancers
  • Internal Application Load Balancer

    Protocols: HTTPS

  • Regional external Application Load Balancer

    Protocols: HTTPS

IP version IPv4
Producer
Supported services Supported regional Google APIs

What's next