Private Service Connect compatibility

Services

You can access the following services by using Private Service Connect.

Google published services

Google service | Access provided
AlloyDB for PostgreSQL | Lets you connect to AlloyDB for PostgreSQL instances.
Apigee | Lets you expose APIs managed by Apigee to the internet. Also lets you connect privately from Apigee to backend target services.
BigQuery connections (SAP Datasphere) | Lets you increase security when using BigQuery to send queries to SAP Datasphere.
BigQuery Data Transfer Service | Lets you use BigQuery Data Transfer Service for Oracle.
Blockchain Node Engine | Lets you access Blockchain Node Engine nodes.
Chrome Enterprise Premium | Lets the Identity-Aware Proxy access the App Connector Gateway.
Cloud Data Fusion | Lets you connect Cloud Data Fusion instances to resources in VPC networks.
Cloud Composer 2 | Lets you access the Cloud Composer tenant project.
Cloud Composer 3 | Lets you access the Cloud Composer tenant project.
Cloud SQL | Lets you access your Cloud SQL database privately.
Cloud Workstations | Lets you access private workstation clusters.
Database Migration Service | Lets you migrate your data to Google Cloud.
Dataproc Metastore | Lets you access Dataproc Metastore services.
Eventarc | Lets you receive events from Eventarc.
Google Cloud Managed Service for Apache Kafka | Lets you access Managed Service for Apache Kafka clusters.
Google Kubernetes Engine (GKE) public clusters and private clusters | Lets you privately connect nodes and the control plane for a public or private cluster.
Integration Connectors | Lets Integration Connectors access your managed services privately.
Looker (Google Cloud core) | Lets you access Looker (Google Cloud core) instances.
Memorystore for Redis Cluster | Lets you access Memorystore for Redis Cluster instances.
Memorystore for Valkey | Lets you access Memorystore for Valkey instances.
Vertex AI Vector Search | Lets you access Vector Search endpoints.
Vertex AI predictions | Lets you access Vertex AI online prediction.

Third-party published services

Third-party service | Access provided
Aiven | Provides private access to Aiven Kafka clusters.
Citrix DaaS | Provides private access to Citrix DaaS.
ClickHouse | Provides private access to ClickHouse services.
Confluent Cloud | Provides private access to Confluent Cloud clusters.
Databricks | Provides private access to Databricks clusters.
Datadog | Provides private access to Datadog intake services.
Datastax Astra | Provides private access to Datastax Astra DB databases.
Elasticsearch | Provides private access to Elastic Cloud.
JFrog | Provides private access to JFrog SaaS instances.
MongoDB Atlas | Provides private access to MongoDB Atlas.
Neo4j Aura | Provides private access to Neo4j Aura.
Pega Cloud | Provides private access to Pega Cloud.
Redis Enterprise Cloud | Provides private access to Redis Enterprise clusters.
Redpanda | Provides private access to Redpanda Cloud.
Snowflake | Provides private access to Snowflake.
Striim | Provides private access to Striim Cloud.

Global Google APIs

Endpoints can target a bundle of global Google APIs or a single regional Google API. Backends can target a single global Google API or a single regional Google API.

Bundles of global Google APIs

You can use Private Service Connect endpoints to send traffic to a bundle of Google APIs.

When you create an endpoint to access Google APIs and services, you choose which bundle of APIs you need access to—All APIs (all-apis) or VPC-SC (vpc-sc):

The API bundles support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP, are not supported.

API bundle: all-apis

Supported services: Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.

Domain names that match:

  • accounts.google.com (only the paths needed for OAuth authentication)
  • *.aiplatform-notebook.cloud.google.com
  • *.aiplatform-notebook.googleusercontent.com
  • appengine.google.com
  • *.appspot.com
  • *.backupdr.cloud.google.com
  • backupdr.cloud.google.com
  • *.backupdr.googleusercontent.com
  • backupdr.googleusercontent.com
  • *.cloudfunctions.net
  • *.cloudproxy.app
  • *.composer.cloud.google.com
  • *.composer.googleusercontent.com
  • *.datafusion.cloud.google.com
  • *.datafusion.googleusercontent.com
  • *.dataproc.cloud.google.com
  • dataproc.cloud.google.com
  • *.dataproc.googleusercontent.com
  • dataproc.googleusercontent.com
  • dl.google.com
  • gcr.io or *.gcr.io
  • *.googleapis.com
  • *.gke.goog
  • *.gstatic.com
  • *.kernels.googleusercontent.com
  • *.ltsapis.goog
  • *.notebooks.cloud.google.com
  • *.notebooks.googleusercontent.com
  • packages.cloud.google.com
  • pkg.dev or *.pkg.dev
  • pki.goog or *.pki.goog
  • *.run.app
  • source.developers.google.com
  • storage.cloud.google.com

Example usage: choose all-apis under these circumstances:

  • You don't use VPC Service Controls.
  • You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls.¹

API bundle: vpc-sc

Supported services: Enables API access to Google APIs and services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

Example usage: choose vpc-sc when you only need access to Google APIs and services that are supported by VPC Service Controls. The vpc-sc bundle does not permit access to Google APIs and services that do not support VPC Service Controls.¹

¹ If you need to restrict users to just the Google APIs and services that support VPC Service Controls, use vpc-sc, as it provides additional risk mitigation for data exfiltration. Using vpc-sc denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.
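The two rules above (a destination name must match one of the bundle's domain patterns, and only HTTP, HTTPS or HTTP/2 over TCP is carried) decide whether traffic actually reaches an all-apis endpoint. The following Python check is an added example, not code from this page or from Google Cloud; ALL_APIS_PATTERNS is a constructed subset of the page's all-apis domain list, and the function names are this example's own. It is useful when reviewing an egress allowlist: anything the check rejects will not be served by the endpoint and needs another path or should be blocked.

```python
"""Added example: decide whether a destination is carried by a Private Service
Connect endpoint that targets the all-apis bundle, using the two rules this page
states (matching domain name; HTTP, HTTPS or HTTP/2 over TCP only)."""
from __future__ import annotations

# Constructed subset of the page's all-apis domain list. "gcr.io or *.gcr.io"
# covers the apex name and its subdomains; "*.googleapis.com" alone covers
# subdomains only, never the apex name googleapis.com.
ALL_APIS_PATTERNS = [
    "accounts.google.com", "*.googleapis.com",
    "gcr.io", "*.gcr.io", "pkg.dev", "*.pkg.dev",
    "*.run.app", "*.cloudfunctions.net",
    "storage.cloud.google.com", "dl.google.com",
]
# Only HTTP-based protocols over TCP are supported by the API bundles.
SUPPORTED_PROTOCOLS = {"HTTP", "HTTPS", "HTTP/2"}


def matching_pattern(hostname: str) -> str | None:
    """Return the first bundle pattern matching hostname, or None.

    "*.x" matches "a.x" and "a.b.x" but not "x" itself; a bare pattern must
    match exactly. Comparison is case-insensitive and ignores a trailing dot.
    """
    host = hostname.rstrip(".").lower()
    for pattern in ALL_APIS_PATTERNS:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):   # pattern[1:] is ".x", so the
                return pattern               # apex "x" can never match here
        elif host == pattern:
            return pattern
    return None


def routed_via_bundle(hostname: str, protocol: str) -> tuple[bool, str]:
    """Return (True, matched_pattern) if the endpoint serves this destination,
    else (False, reason) naming the rule that rejects it."""
    pattern = matching_pattern(hostname)
    if pattern is None:
        return False, f"{hostname} matches no all-apis domain pattern"
    if protocol.upper() not in SUPPORTED_PROTOCOLS:
        return False, f"{protocol} is not an HTTP-based protocol over TCP"
    return True, pattern
```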

Single global Google API

You can use Private Service Connect backends to send requests to a single supported global Google API. The following APIs are supported:

Regional Google APIs

You can use endpoints or backends to access regional Google APIs. For a list of supported regional Google APIs, see Regional service endpoints.

Types

The following tables summarize compatibility information for different Private Service Connect configurations.

In the following tables, a checkmark indicates that a feature is supported, and a "no" symbol indicates that a feature isn't supported.

Endpoints and published services

This section summarizes the configuration options that are available for consumers and producers when using endpoints to access published services.

Consumer configuration

This table summarizes the supported configuration options and capabilities of endpoints that access published services.

Consumer configuration (endpoint) | Internal passthrough Network Load Balancer | Regional internal Application Load Balancer | Regional internal proxy Network Load Balancer | Internal protocol forwarding (target instance)
Consumer global access | Independent of global access setting on load balancer | Only if global access is enabled on the load balancer before the service attachment is created | Only if global access is enabled on the load balancer before the service attachment is created | Independent of global access setting on load balancer
Interconnect traffic | | | |
Cloud VPN traffic | | | |
Automatic DNS configuration | IPv4 only | IPv4 only | IPv4 only | IPv4 only
Connection propagation | IPv4 only | IPv4 only | IPv4 only | IPv4 only
IPv4 endpoints | IPv4 producer forwarding rules | IPv4 producer forwarding rules | IPv4 producer forwarding rules | IPv4 producer forwarding rules
IPv6 endpoints | IPv4 and IPv6 producer forwarding rules | IPv4 producer forwarding rules | IPv4 producer forwarding rules | IPv4 and IPv6 producer forwarding rules

Endpoints that access a published service have the following limitations:

  • You can't create an endpoint in the same VPC network as the published service that you are accessing.

  • Endpoints are not accessible from peered VPC networks.

  • Packet Mirroring can't mirror packets for Private Service Connect published services traffic.

  • Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, see Static routes with load balancer next hops.

  • Connectivity Tests can't test connectivity between an IPv6 endpoint and a published service.

Producer configuration

This table summarizes the supported configuration options and capabilities of published services that are accessed by endpoints.

Producer configuration (published service) | Internal passthrough Network Load Balancer | Regional internal Application Load Balancer | Regional internal proxy Network Load Balancer | Internal protocol forwarding (target instance)
Supported producer backends | GCE_VM_IP zonal NEGs; instance groups; port mapping NEGs | GCE_VM_IP_PORT zonal NEGs; hybrid NEGs; serverless NEGs; Private Service Connect NEGs; instance groups | GCE_VM_IP_PORT zonal NEGs; hybrid NEGs; serverless NEGs; Private Service Connect NEGs; instance groups | Not applicable
PROXY protocol | TCP traffic only | | | TCP traffic only
Session affinity modes | NONE (5-tuple); CLIENT_IP_PORT_PROTO | Not applicable | Not applicable | Not applicable
IP version | IPv4 and IPv6 producer forwarding rules | IPv4 producer forwarding rules | IPv4 producer forwarding rules | IPv4 and IPv6 producer forwarding rules

Published services have the following limitations:

For issues and workarounds, see Known issues.

Different load balancers support different port configurations; some load balancers support a single port, some support a range of ports, and some support all ports. For more information, see Port specifications.

Backends and published services

A Private Service Connect backend for published services requires two load balancers—a consumer load balancer and a producer load balancer. This section summarizes the configuration options that are available for consumers and producers when using backends to access published services.

Consumer configuration

This table describes the consumer load balancers that are supported by Private Service Connect backends for published services, including which backend service protocols can be used with each consumer load balancer. The consumer load balancers can access published services that are hosted on supported producer load balancers.

Consumer load balancer | Protocols | IP version
Global external Application Load Balancer (supports multiple regions). Note: Classic Application Load Balancer is not supported. | HTTP, HTTPS, HTTP2 | IPv4
Regional external Application Load Balancer | HTTP, HTTPS, HTTP2 | IPv4
Regional internal Application Load Balancer | HTTP, HTTPS, HTTP2 | IPv4
Cross-region internal Application Load Balancer | HTTP, HTTPS, HTTP2 | IPv4
Regional internal proxy Network Load Balancer | TCP | IPv4
Cross-region internal proxy Network Load Balancer | TCP | IPv4
Regional external proxy Network Load Balancer | TCP | IPv4
Global external proxy Network Load Balancer. To associate this load balancer with a Private Service Connect NEG, use the Google Cloud CLI or send an API request. Note: Classic proxy Network Load Balancer is not supported. | TCP/SSL | IPv4

Producer configuration

This table describes the configuration for producer load balancers that are supported by Private Service Connect backends for published services.

Configuration | Internal passthrough Network Load Balancer | Regional internal Application Load Balancer | Regional internal proxy Network Load Balancer
Supported producer backends | GCE_VM_IP zonal NEGs; instance groups | GCE_VM_IP_PORT zonal NEGs; hybrid NEGs; serverless NEGs; Private Service Connect NEGs; instance groups | GCE_VM_IP_PORT zonal NEGs; hybrid NEGs; serverless NEGs; Private Service Connect NEGs; instance groups
Forwarding rule protocols | TCP | HTTP, HTTPS, HTTP/2 | TCP
Forwarding rule ports | Using a single port is recommended; see Producer port configuration | Supports a single port | Supports a single port
PROXY protocol | | |
IP version | IPv4 | IPv4 | IPv4

Published services have the following limitations:

For issues and workarounds, see Known issues.

For an example backend configuration that uses a global external Application Load Balancer, see Access published services through backends.

To publish a service, see Publish services.

Endpoints and global Google APIs

This table summarizes the features that are supported by endpoints used to access Google APIs.

To create this configuration, see Access Google APIs through endpoints.

Configuration | Details
Consumer configuration (endpoint) |
Global reachability | Uses an internal global IP address
Interconnect traffic |
Cloud VPN traffic |
Automatic DNS configuration |
IP version | IPv4
Producer |
Supported services | Supported global Google APIs

Backends and global Google APIs

This table describes which load balancers can use a Private Service Connect backend to a global Google API.

Configuration | Details
Consumer configuration (Private Service Connect backend) |
Supported consumer load balancers | Global external Application Load Balancer (Note: Classic Application Load Balancer is not supported); Cross-region internal Application Load Balancer
IP version | IPv4
Producer |
Supported services |

Endpoints and regional Google APIs

You can use a Private Service Connect endpoint to access a single regional Google API. For a list of supported regional APIs, see Regional service endpoints.

Backends and regional Google APIs

This table describes which load balancers can use a Private Service Connect backend to access regional Google APIs.

For an example backend configuration that uses an internal Application Load Balancer, see Access regional Google APIs through backends.

Configuration | Details
Consumer configuration (Private Service Connect backend) |
Supported consumer load balancers | Internal Application Load Balancer (protocols: HTTPS); Regional external Application Load Balancer (protocols: HTTPS)
IP version | IPv4
Producer |
Supported services | Supported regional Google APIs

What's next