Private Service Connect compatibility

Services

You can access the following services by using Private Service Connect.

Google published services

Google service	Access provided
Apigee	Lets you expose APIs managed by Apigee to the internet. Also lets you connect privately from Apigee to backend target services.
BeyondCorp Enterprise	Lets the Identity-Aware Proxy access the App Connector Gateway.
Cloud Composer 2	Lets you access the Cloud Composer tenant project.
Cloud SQL	Lets you access your Cloud SQL database privately.
Dataproc Metastore	Lets you access the Dataproc Metastore service.
Google Kubernetes Engine (GKE) public clusters	Lets you access GKE public cluster control planes.
Integration Connectors	Lets Integration Connectors access your managed services privately.
Memorystore for Redis Cluster	Lets you access Memorystore for Redis Cluster instances.
Vector Search	Provides private access to Vector Search endpoints.

Third-party published services

Third-party service	Access provided
Aiven	Provides private access to Aiven Kafka clusters.
Confluent Cloud	Provides private access to Confluent Cloud clusters.
Databricks	Provides private access to Databricks clusters.
Datastax Astra	Provides private access to Datastax Astra DB databases.
Elasticsearch	Provides private access to Elastic Cloud.
JFrog	Provides private access to JFrog SaaS instances.
MongoDB Atlas	Provides private access to MongoDB Atlas.
Neo4j Aura	Provides private access to Neo4j Aura.
Pega Cloud	Provides private access to Pega Cloud.
Redis Enterprise Cloud	Provides private access to Redis Enterprise clusters.
Snowflake	Provides private access to Snowflake.
Striim	Provides private access to Striim Cloud.

Global Google APIs

When you create an endpoint to access Google APIs and services, you choose which bundle of APIs you need access to: All APIs (all-apis) or VPC-SC (vpc-sc).

The API bundles give access to the same APIs that are available through the Private Google Access VIPs.

The all-apis bundle provides access to the same APIs as private.googleapis.com.
The vpc-sc bundle provides access to the same APIs as restricted.googleapis.com.

The API bundles support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP are not supported.

API bundle Supported services Example usage

API bundle	Supported services	Example usage
`all-apis`	Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites. Domain names that match: `accounts.google.com` (only the paths needed for OAuth authentication) `appengine.google.com` `.appspot.com` `.backupdr.cloud.google.com` `backupdr.cloud.google.com` `.backupdr.googleusercontent.com` `backupdr.googleusercontent.com` `.cloudfunctions.net` `.cloudproxy.app` `.composer.cloud.google.com` `.composer.googleusercontent.com` `.datafusion.cloud.google.com` `.datafusion.googleusercontent.com` `.dataproc.cloud.google.com` `dataproc.cloud.google.com` `.dataproc.googleusercontent.com` `dataproc.googleusercontent.com` `dl.google.com` `gcr.io` or `.gcr.io` `.googleadapis.com` `.googleapis.com` `.gstatic.com` `.ltsapis.goog` `.notebooks.cloud.google.com` `.notebooks.googleusercontent.com` `packages.cloud.google.com` `pkg.dev` or `.pkg.dev` `pki.goog` or `.pki.goog` `*.run.app` `source.developers.google.com`	Choose `all-apis` under these circumstances: You don't use VPC Service Controls. You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls. ¹
`vpc-sc`	Enables API access to Google APIs and services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.	Choose `vpc-sc` when you only need access to Google APIs and services that are supported by VPC Service Controls. The `vpc-sc` bundle does not permit access to Google APIs and services that do not support VPC Service Controls. ¹

all-apis

Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.

Domain names that match:

accounts.google.com (only the paths needed for OAuth authentication)
appengine.google.com
*.appspot.com
*.backupdr.cloud.google.com
backupdr.cloud.google.com
*.backupdr.googleusercontent.com
backupdr.googleusercontent.com
*.cloudfunctions.net
*.cloudproxy.app
*.composer.cloud.google.com
*.composer.googleusercontent.com
*.datafusion.cloud.google.com
*.datafusion.googleusercontent.com
*.dataproc.cloud.google.com
dataproc.cloud.google.com
*.dataproc.googleusercontent.com
dataproc.googleusercontent.com
dl.google.com
gcr.io or *.gcr.io
*.googleadapis.com
*.googleapis.com
*.gstatic.com
*.ltsapis.goog
*.notebooks.cloud.google.com
*.notebooks.googleusercontent.com
packages.cloud.google.com
pkg.dev or *.pkg.dev
pki.goog or *.pki.goog
*.run.app
source.developers.google.com

Choose all-apis under these circumstances:

You don't use VPC Service Controls.
You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls. ¹

vpc-sc

Enables API access to Google APIs and services that are supported by VPC Service Controls.

Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

Choose vpc-sc when you only need access to Google APIs and services that are supported by VPC Service Controls. The vpc-sc bundle does not permit access to Google APIs and services that do not support VPC Service Controls. ¹

¹ If you need to restrict users to just the Google APIs and services that support VPC Service Controls, use vpc-sc. Although VPC Service Controls are enforced for compatible and configured services, regardless of the bundle you use, vpc-sc provides additional risk mitigation for data exfiltration. Using vpc-sc denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.

Regional Google APIs

For a list of supported regional Google APIs, see Regional service endpoints.

Types

The following tables summarize compatibility information for different Private Service Connect configurations.

In the following tables, a checkmark indicates that a feature is supported, and indicates that a feature isn't supported.

Endpoints and published services

This table summarizes the supported configuration options and capabilities of both the endpoint and the published service that the endpoint is accessing.

To create an endpoint, see Access published services through endpoints.

To publish a service, see Publish services.

Configuration	Published service using internal passthrough Network Load Balancer	Published service using regional internal Application Load Balancer	Published service using regional internal proxy Network Load Balancer	Published service using internal protocol forwarding (target instance)
Consumer configuration (endpoint)
Consumer global access	Independent of global access setting on load balancer	Only if global access is enabled on the load balancer	Only if global access is enabled on the load balancer
Interconnect traffic (for Dataplane v2 only)
Cloud VPN traffic
Automatic DNS configuration
IP stack	IPv4	IPv4	IPv4	IPv4
Producer configuration (published service)
Supported producer backends	GCE_VM_IP NEGs Instance groups	GCE_VM_IP_PORT NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups	GCE_VM_IP_PORT NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups	Not applicable
PROXY protocol	TCP traffic only
Session affinity modes	NONE (5-tuple) CLIENT_IP_PORT_PROTO	Not applicable	Not applicable	Not applicable

Endpoints that access a published service have the following limitations:

You can't create an endpoint in the same VPC network as the published service that you are accessing.
Endpoints are not accessible from peered VPC networks.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, see Static routes with load balancer next hops.

Published services have the following limitations:

Producer load balancers do not support the following features:

Multiple forwarding rules that use a shared IP address (SHARED_LOADBALANCER_VIP)
Backend subsetting

Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
You must use the Google Cloud CLI or the API to create a service attachment that points to a forwarding rule that is used for internal protocol forwarding.
For issues and workarounds, see Known issues.

Different load balancers support different port configurations; some load balancers support a single port, some support a range of ports, and some support all ports. For more information, see Port specifications.

Backends and published services

This table describes which load balancers can use a Private Service Connect backend to access published services.

For an example backend configuration that uses a global external Application Load Balancer, see Access published services through backends.

To publish a service, see Publish services.

Configuration	Details
Consumer configuration (Private Service Connect backend)
Supported consumer load balancers	Global external Application Load Balancer (supports multiple regions) Protocols: HTTPS, HTTP2 Note: Classic Application Load Balancer is not supported. Regional external Application Load Balancer Protocols: HTTPS, HTTP2, HTTP Internal Application Load Balancer Protocols: HTTPS, HTTP2, HTTP Cross-region internal Application Load Balancer (Preview) Protocols: HTTPS, HTTP2, HTTP Regional external proxy Network Load Balancer Protocols: TCP Regional internal proxy Network Load Balancer Protocols: TCP Global external proxy Network Load Balancer (Preview) Protocols: TCP Note: Classic proxy Network Load Balancer is not supported.
Producer configuration (published service)
Supported producer load balancer	Internal passthrough Network Load Balancer
Supported producer backends	GCE_VM_IP NEGs Instance groups
Protocols and ports	The producer load balancer must serve TCP traffic, and the forwarding rule must reference a single port.
PROXY protocol

Published services have the following limitations:

Producer load balancers do not support the following features:

Multiple forwarding rules that use a shared IP address (SHARED_LOADBALANCER_VIP)
Backend subsetting

Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
You must use the Google Cloud CLI or the API to create a service attachment that points to a forwarding rule that is used for internal protocol forwarding.
For issues and workarounds, see Known issues.

Endpoints and Google APIs

This table summarizes the features that are supported by endpoints used to access Google APIs.

To create this configuration, see Access Google APIs through endpoints.

Configuration	Details
Consumer configuration (endpoint)
Global reachability	Uses an internal global IP address
Interconnect traffic
Cloud VPN traffic
Automatic DNS configuration
IP stack	IPv4
Producer
Supported services	Supported global Google APIs

Backends and Google APIs

This table describes which load balancers can use a Private Service Connect backend to access Google APIs.

For an example backend configuration that uses an internal Application Load Balancer, see Access Google APIs through backends.

Configuration	Details
Consumer configuration (Private Service Connect backend)
Supported consumer load balancers	Internal Application Load Balancer Protocols: HTTPS Regional external Application Load Balancer Protocols: HTTPS
Producer
Supported services	Supported regional Google APIs

What's next

Learn about accessing published services through endpoints.
Learn about accessing Google APIs through endpoints.
Learn about backends.
Learn about publishing services.