
Private Service Connect

This document provides an overview of Private Service Connect. Private Service Connect allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations. You can publish and consume services using IP addresses that you define and that are internal to your VPC network.

You can use Private Service Connect to access Google APIs and services, or managed services in another VPC network.

Use Private Service Connect to access Google APIs

By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com. Even though the IP addresses for the default DNS names are publicly routable, traffic sent from Google Cloud resources remains within Google's network.

With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network. You can assign DNS names to these internal IP addresses with meaningful names like storage-vialink1.p.googleapis.com and bigtable-adsteam.p.googleapis.com. These names and IP addresses are internal to your VPC network and any on-premises networks that are connected to it using Cloud VPN tunnels or VLAN attachments. You can control which traffic goes to which endpoint, and can demonstrate that traffic stays within Google Cloud.

This option gives you access to all Google APIs and services that are included in the API bundles. If you need to restrict access to only certain APIs and services, Private Service Connect with consumer HTTP(S) service controls allows you to choose which APIs and services are made available, for supported regional service endpoints.

Figure 1. Private Service Connect lets you send traffic to Google APIs by using a Private Service Connect endpoint that is private to your VPC network.

For more information, see About accessing Google APIs through endpoints.

Use Private Service Connect to access Google APIs with consumer HTTP(S) service controls

You can create a Private Service Connect endpoint with consumer HTTP(S) service controls using an internal HTTP(S) load balancer. The internal HTTP(S) load balancer provides the following features:

Figure 2. Private Service Connect lets you send traffic to supported regional Google APIs by using a Private Service Connect endpoint. Using a load balancer adds consumer HTTP(S) service controls.

For more information, see About endpoints with consumer HTTP(S) controls.

Use Private Service Connect to publish and consume managed services

Private Service Connect lets a service producer offer services to a service consumer. A service producer VPC network can support multiple service consumers.

There are two types of Private Service Connect endpoints that can connect to a published service:

For more information about services, see About published services.

Managed services in multiple regions

You can make a service available in multiple regions by creating the following configurations.

Producer configuration:

Consumer configuration:

In this configuration, the endpoint routes traffic by using the default global load balancing policy—first by health, then by closest location to the client.

Figure 5. Using a global external HTTP(S) load balancer lets service consumers with internet access send traffic to services in the service producer's VPC network. Because the service is deployed in multiple regions, the load balancer can route traffic to a NEG in the closest healthy region.

Key concepts for service consumers

You can use Private Service Connect endpoints to consume services that are outside of your VPC network. Service consumers create Private Service Connect endpoints that connect to a target service.

Endpoints and targets

You use Private Service Connect endpoints to connect to a target service. Endpoints have an internal IP address in your VPC network and are based on the forwarding rule resource.

You send traffic to the endpoint, which forwards it to targets outside of your VPC network.

The following table lists each endpoint type, the address it uses, the targets it supports, and the clients that can reach it.

Endpoint type: Private Service Connect endpoint to access Google APIs
Address: global internal IP address
Supported targets: an API bundle:
  • All APIs (all-apis): most Google APIs (same as private.googleapis.com).
  • VPC-SC (vpc-sc): APIs that VPC Service Controls supports (same as restricted.googleapis.com).
Accessible by:
  • VMs in the same VPC network as the endpoint (all regions)
  • On-premises systems that are connected to the VPC network that contains the endpoint

Endpoint type: Private Service Connect endpoint to access Google APIs with consumer HTTP(S) service controls
Address: regional internal IP address of an internal HTTP(S) load balancer
Supported targets: a regional service endpoint. This endpoint is an internal HTTP(S) load balancer with a simple URL map and a single backend service. To configure the target, you connect the load balancer's backend service to a Private Service Connect network endpoint group that references a regional service endpoint.
Accessible by:
  • VMs in the same VPC network and region as the endpoint
  • On-premises systems that are connected to the VPC network that contains the endpoint, if the Cloud VPN tunnels or VLAN attachments are in the same region as the endpoint

Endpoint type: Private Service Connect endpoint to access published services in another VPC network
Address: regional internal IP address
Supported targets: a published service in another VPC network. This service can be managed by your own organization or by a third party. The target for this type of endpoint is a service attachment.
Accessible by:
  • VMs in the same VPC network and region as the endpoint
  • On-premises systems that are connected to the VPC network that contains the endpoint using Cloud VPN tunnels that are in the same region as the endpoint

Endpoint type: Private Service Connect endpoint to access published services with consumer HTTP(S) service controls
Address: global external IP address of an external HTTP(S) load balancer
Supported targets: a published service in another VPC network. This service can be managed by your own organization or by a third party. This endpoint is a global external HTTP(S) load balancer with a simple URL map and a single backend service. To configure the target, you connect the load balancer's backend service to a Private Service Connect network endpoint group that references a service attachment.
Accessible by:
  • Systems with internet access

Key concepts for service producers

For more information about services, including subnets, service attachments, and connection preferences, see About published services.

On-premises access

  • Private Service Connect endpoints that you use to access Google APIs can be accessed from supported connected on-premises hosts. For more information, see Access the endpoint from on-premises hosts.

  • Private Service Connect endpoints with HTTP(S) service controls can be accessed from supported connected on-premises hosts. For more information, see Access the endpoint from on-premises hosts.

  • Private Service Connect endpoints that you use to access managed services in another VPC network can be accessed from supported connected on-premises hosts. For more information, see Access the endpoint from on-premises hosts.

  • Private Service Connect endpoints with HTTP(S) service controls that you use to access managed services are based on a global external HTTP(S) load balancer and can be accessed from any systems that have internet access.

Supported Google services

The following table lists Google Cloud services supported by Private Service Connect. You can create a Private Service Connect endpoint to connect to these services privately within your own VPC network.

Service: Google APIs
Description: Lets you access most Google APIs and services, for example, *.googleapis.com. For more information, see Supported APIs.

Service: Apigee X
Description: Lets you expose APIs managed by Apigee to the internet. Also lets you connect privately from Apigee to backend target services.

Service: Cloud Composer 2
Description: Lets you access the Cloud Composer tenant project.

Service: Dataproc Metastore
Description: Lets you access the Dataproc Metastore service.

Service: Google Kubernetes Engine (GKE) public clusters
Description: Lets you access GKE public cluster master nodes for GKE 1.23 and later.

Pricing

Pricing for Private Service Connect is described in the VPC pricing page.

Organization policy constraints

An Organization Policy Administrator can use the constraints/compute.disablePrivateServiceConnectCreationForConsumers constraint to define the set of Private Service Connect endpoint types for which users cannot create forwarding rules. You can use this constraint to prevent users from creating Private Service Connect endpoints to access Google APIs, or from creating Private Service Connect endpoints to access managed services. The constraint applies only to new configurations: it doesn't affect existing connections, so endpoints created before the policy was enforced remain in place and must be reviewed separately.
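The following script is an added example, not code from this page or from Google. It ties together the endpoint table in "Endpoints and targets" and the non-retroactive behaviour of the organization policy constraint above: it classifies the forwarding rules in a project into the Private Service Connect endpoint types the table describes, reads the effective organization policy, and reports endpoints that predate the policy (the constraint does not remove them) as well as endpoints that use the unrestricted all-apis bundle. The forwarding-rule JSON is the shape produced by `gcloud compute forwarding-rules list --format=json` (target is the literal bundle name `all-apis` or `vpc-sc` for Google APIs endpoints, or a service attachment URL for published services); the policy JSON shape (`spec.rules[].values.deniedValues`) and the value names `GOOGLE_APIS` and `SERVICE_PRODUCERS` are assumed here from the Organization Policy v2 API and the constraint reference, so verify them against your own `gcloud org-policies describe --effective` output. All sample data is constructed inline so the script runs offline.

```python
"""Audit existing Private Service Connect consumer endpoints against the
compute.disablePrivateServiceConnectCreationForConsumers org policy.

Added example (not Google's code). Inputs are constructed below; in practice
feed it the JSON from:
  gcloud compute forwarding-rules list --project=PROJECT --format=json
  gcloud org-policies describe \
      compute.disablePrivateServiceConnectCreationForConsumers \
      --project=PROJECT --effective --format=json
"""
import json
import re

# Assumed: the two endpoint-type values the constraint accepts.
ALL_TYPES = {"GOOGLE_APIS", "SERVICE_PRODUCERS"}
SERVICE_ATTACHMENT_RE = re.compile(r"/serviceAttachments/[^/]+$")


def endpoint_type(rule):
    """Classify one forwarding rule as a PSC endpoint type.

    Returns "GOOGLE_APIS" when the target is an API bundle (all-apis/vpc-sc),
    "SERVICE_PRODUCERS" when the target is a service attachment, else None
    (for example an ordinary load-balancer forwarding rule).
    """
    target = rule.get("target", "")
    if target in ("all-apis", "vpc-sc"):
        return "GOOGLE_APIS"
    if SERVICE_ATTACHMENT_RE.search(target):
        return "SERVICE_PRODUCERS"
    return None


def denied_endpoint_types(policy):
    """Return the set of endpoint types the effective policy blocks.

    Assumed policy shape: spec.rules[] with either denyAll or
    values.deniedValues. An absent or empty policy blocks nothing.
    """
    denied = set()
    for rule in policy.get("spec", {}).get("rules", []):
        if rule.get("denyAll"):
            denied |= ALL_TYPES
        for value in rule.get("values", {}).get("deniedValues", []):
            denied.add(value)
    return denied


def audit(rules, policy):
    """Return (rule_name, finding) pairs worth a reviewer's attention."""
    denied = denied_endpoint_types(policy)
    findings = []
    for rule in rules:
        kind = endpoint_type(rule)
        if kind is None:
            continue  # not a Private Service Connect endpoint
        if kind in denied:
            # The policy only blocks new forwarding rules; this one survived.
            findings.append((rule["name"],
                             f"pre-existing {kind} endpoint; policy is not retroactive"))
        if rule.get("target") == "all-apis":
            findings.append((rule["name"],
                             "uses the all-apis bundle; use vpc-sc if VPC Service Controls applies"))
    return findings


# Constructed sample data: four forwarding rules in one consumer project.
SAMPLE_RULES = json.loads("""[
  {"name": "psc-google-apis", "IPAddress": "10.0.0.5", "target": "all-apis",
   "network": "https://www.googleapis.com/compute/v1/projects/p/global/networks/vpc1"},
  {"name": "psc-restricted", "IPAddress": "10.0.0.6", "target": "vpc-sc",
   "network": "https://www.googleapis.com/compute/v1/projects/p/global/networks/vpc1"},
  {"name": "psc-producer-db", "IPAddress": "10.1.0.9",
   "region": "https://www.googleapis.com/compute/v1/projects/p/regions/us-central1",
   "target": "https://www.googleapis.com/compute/v1/projects/producer/regions/us-central1/serviceAttachments/db-attach"},
  {"name": "ilb-frontend", "IPAddress": "10.1.0.20",
   "region": "https://www.googleapis.com/compute/v1/projects/p/regions/us-central1",
   "target": "https://www.googleapis.com/compute/v1/projects/p/regions/us-central1/targetHttpProxies/web-proxy"}
]""")

# Constructed sample policy: the project now denies new Google APIs endpoints.
SAMPLE_POLICY = json.loads("""{
  "name": "projects/123456789012/policies/compute.disablePrivateServiceConnectCreationForConsumers",
  "spec": {"rules": [{"values": {"deniedValues": ["GOOGLE_APIS"]}}]}
}""")

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, SAMPLE_POLICY):
        print(f"{name}: {finding}")
```

Run it against real output by replacing the two constructed JSON documents with the files the two gcloud commands in the docstring produce; a clean result is an empty findings list. The distinction between `all-apis` and `vpc-sc` matters because only the latter restricts the endpoint to APIs that VPC Service Controls supports.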

Quotas

There are quotas for Private Service Connect endpoints and service attachments. For more information, see quotas.

What's next