Private Service Connect

Private Service Connect allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations. You can publish and consume services using IP addresses that you define and that are internal to your VPC network.

Using Private Service Connect to access Google APIs

By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com. Even though the IP addresses for the default DNS names are publicly routable, traffic sent from Google Cloud resources remains within Google's network.

With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network. You can assign DNS names to these internal IP addresses with meaningful names like storage-vialink1.p.googleapis.com and bigtable-adsteam.p.googleapis.com. These names and IP addresses are internal to your VPC network and any on-premises networks that are connected to it using Cloud VPN tunnels or Cloud Interconnect attachments (VLANs). You can control which traffic goes to which endpoint, and can demonstrate that traffic stays within Google Cloud.

This option gives you access to all Google APIs and services that are included in the API bundles. If you need to restrict access to only certain APIs and services, Private Service Connect with consumer HTTP(S) service controls allows you to choose which APIs and services are made available, for supported regional service endpoints.

For more information about Private Service Connect configurations for accessing Google APIs, see use cases.

Figure 1. Private Service Connect lets you send traffic to Google APIs using a Private Service Connect endpoint that is private to your VPC network.

Using Private Service Connect to access Google APIs with consumer HTTP(S) service controls

You can create a Private Service Connect endpoint with consumer HTTP(S) service controls using an internal HTTP(S) load balancer. The internal HTTP(S) load balancer provides the following features:

Figure 2. Private Service Connect lets you send traffic to supported regional Google APIs using a Private Service Connect endpoint. Using a load balancer adds consumer HTTP(S) service controls.

Using Private Service Connect to publish and consume managed services

Private Service Connect lets a service producer offer services privately to a service consumer. Private Service Connect offers the following benefits:

  • A service producer VPC network can support more than one service consumer.

  • Each consumer connects to an internal IP address that they define. Private Service Connect performs network address translation (NAT) to route the request to the service producer.

Figure 3. Private Service Connect uses endpoints and service attachments to let service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network.

Key concepts for service consumers

You can use Private Service Connect endpoints to consume services that are outside of your VPC network. Service consumers create Private Service Connect endpoints that connect to a target service.

Endpoints and targets

You use Private Service Connect endpoints to connect to a target service. Endpoints have an internal IP address in your VPC network and are based on the forwarding rule resource.

You send traffic to the endpoint, which forwards it to targets outside of your VPC network.

The following table lists each endpoint type, the targets it supports, and what can reach it.

Endpoint type: Private Service Connect endpoint to access Google APIs
  Endpoint address: global internal IP address
  Supported targets: An API bundle:
    • All APIs (all-apis): most Google APIs (same as private.googleapis.com).
    • VPC-SC (vpc-sc): APIs that VPC Service Controls supports (same as restricted.googleapis.com).
  Accessible by:
    • VMs in the same VPC network as the endpoint (all regions)
    • On-premises systems that are connected to the VPC network that contains the endpoint

Endpoint type: Private Service Connect endpoint to access Google APIs with consumer HTTP(S) service controls
  Endpoint address: regional internal IP address of an internal HTTP(S) load balancer
  Supported targets: A regional service endpoint.
    This endpoint is an internal HTTP(S) load balancer with a simple URL map and a single backend service. To configure the target, you connect the load balancer's backend service to a Private Service Connect network endpoint group that references a regional service endpoint.
  Accessible by:
    • VMs in the same VPC network and region as the endpoint
    • On-premises systems that are connected to the VPC network that contains the endpoint, if the Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) are in the same region as the endpoint

Endpoint type: Private Service Connect endpoint to access published services in another VPC network
  Endpoint address: regional internal IP address
  Supported targets: A published service in another VPC network. This service can be managed by your own organization or by a third party.
    The target for this type of endpoint is a service attachment.
  Accessible by:
    • VMs in the same VPC network and region as the endpoint
    • On-premises systems that are connected to the VPC network that contains the endpoint using Cloud VPN tunnels that are in the same region as the endpoint

Key concepts for service producers

To make a service available to consumers, you create one or more dedicated subnets to use for network address translation (NAT) of consumer IP addresses. You then create a service attachment that refers to those subnets.

Private Service Connect subnets

To expose a service, the service producer first creates one or more subnets with the purpose set to Private Service Connect.

When a request is sent from a consumer VPC network, the consumer's source IP address is translated using source NAT (SNAT) to an IP address selected from one of the Private Service Connect subnets.

If you want to retain the consumer connection IP address information, see Viewing consumer connection information.

These subnets cannot be used for resources such as VM instances or forwarding rules. The subnets are used only to provide IP addresses for SNAT of incoming consumer connections.

Private Service Connect subnet capacity

When you create the service producer Private Service Connect subnet, consider the following:

  • Private Service Connect subnets can be any valid size, and can use any valid IP range, including publicly used private IP addresses.

  • We recommend that you configure the Private Service Connect subnet with a prefix length of /22 or shorter.

  • Private Service Connect subnets use static internal IP addresses, which count towards the internal IP addresses quota. If you need to view this quota or request an increase to this quota, see Managing quotas.

  • If you exceed the internal IP addresses quota, the service consumer will see an internal error message.

    You can configure an alerting policy to inform you if the quota is close to being exceeded. The quota metric for the internal IP addresses quota is compute.googleapis.com/internal_addresses.

  • Don't create a Private Service Connect subnet that contains more IP addresses than are available in your quota.

    If you need to make more IP addresses available to an existing service, see Adding or removing subnets from a published service.

  • There are four reserved IP addresses in a Private Service Connect subnet, so the number of available IP addresses is 2^(32 - PREFIX_LENGTH) - 4. For example, if you create a Private Service Connect subnet with prefix length /22, Private Service Connect can use 1020 of the IP addresses.
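The sizing rules above (four reserved addresses, the /22 recommendation, and the internal IP addresses quota) as a small planning helper. This is an added example, not code from the Google Cloud documentation; the quota limit and usage values are assumed inputs, and the check treats the whole subnet as consuming quota, which is the conservative reading of the guidance.

```python
# Added example (not from the Google Cloud documentation): plan a Private
# Service Connect (PSC) subnet using the sizing rules stated on this page.
import math

RESERVED_ADDRESSES = 4       # four addresses in every PSC subnet are reserved
RECOMMENDED_MAX_PREFIX = 22  # the page recommends a prefix length of /22 or shorter


def usable_addresses(prefix_length: int) -> int:
    """Addresses PSC can use for SNAT: 2^(32 - PREFIX_LENGTH) - 4."""
    if not 0 <= prefix_length <= 32:
        raise ValueError(f"invalid IPv4 prefix length: /{prefix_length}")
    total = 2 ** (32 - prefix_length)
    if total <= RESERVED_ADDRESSES:
        raise ValueError(f"/{prefix_length} leaves no usable addresses after reservation")
    return total - RESERVED_ADDRESSES


def smallest_prefix_for(required_usable: int) -> int:
    """Longest prefix (smallest subnet) that still yields at least required_usable addresses."""
    if required_usable < 1:
        raise ValueError("required_usable must be >= 1")
    host_bits = math.ceil(math.log2(required_usable + RESERVED_ADDRESSES))
    if host_bits > 32:
        raise ValueError("requirement exceeds the IPv4 address space")
    return 32 - host_bits


def plan_psc_subnet(prefix_length: int, quota_limit: int, quota_used: int) -> dict:
    """Check a candidate subnet against the page's sizing and quota guidance.

    quota_limit and quota_used are assumed values for the project's internal IP
    addresses quota (metric compute.googleapis.com/internal_addresses).
    """
    usable = usable_addresses(prefix_length)
    subnet_size = usable + RESERVED_ADDRESSES     # every address in the subnet counts
    remaining_quota = quota_limit - quota_used
    warnings = []
    if prefix_length > RECOMMENDED_MAX_PREFIX:
        warnings.append(f"/{prefix_length} is longer than the recommended /{RECOMMENDED_MAX_PREFIX}")
    if subnet_size > remaining_quota:
        warnings.append(f"subnet needs {subnet_size} addresses but only {remaining_quota} remain in quota")
    return {"usable": usable, "subnet_size": subnet_size,
            "remaining_quota": remaining_quota, "warnings": warnings}
```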

SNAT configuration for Private Service Connect subnets

The SNAT configuration for Private Service Connect subnets includes the following:

  • When SNAT is performed, each client VM in the consumer VPC network is given 1,024 source address and source port tuples using IP addresses in the Private Service Connect subnet.

  • The UDP Mapping Idle Timeout is 30 seconds and cannot be configured.

  • The TCP Established Connection Idle Timeout is 20 minutes and cannot be configured.

  • The TCP Transitory Connection Idle Timeout is 30 seconds and cannot be configured.

  • There is a two-minute delay before any 5-tuple (Private Service Connect subnet source IP address and source port plus destination protocol, IP address, and destination port) can be reused.

Service attachments

Service producers expose their service through a service attachment.

  • To expose a service, a service producer creates a service attachment that refers to the service's load balancer forwarding rule.

  • To access a service, a service consumer creates an endpoint that refers to the service attachment.

The service attachment URI has this format: projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

Connection preferences

When you create a service, you choose how to make it available. There are two options:

  • Automatically accept connections for all projects - any service consumer can configure an endpoint and connect to the service automatically.

  • Accept connections for selected projects - service consumers configure an endpoint to connect to the service and the service producer accepts or rejects the connection requests.
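The service attachment URI format from the Service attachments section, and the two connection preferences just listed, modelled in code. This is an added example, not code from the Google Cloud documentation: the per-segment validation rules are assumptions (it checks shape, not whether the resources exist), and the preference labels ACCEPT_AUTOMATIC and ACCEPT_MANUAL are used here as names for the two options described on this page.

```python
# Added example (not from the Google Cloud documentation): parse the service
# attachment URI format on this page and model the producer's connection preference.
import re
from dataclasses import dataclass

# Assumed segment rules: project-ID shape, region shape (e.g. us-central1), RFC 1035 name.
_SA_URI = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/regions/(?P<region>[a-z]+-[a-z]+\d+)"
    r"/serviceAttachments/(?P<name>[a-z]([-a-z0-9]{0,61}[a-z0-9])?)$"
)


@dataclass(frozen=True)
class ServiceAttachment:
    project: str
    region: str
    name: str

    def uri(self) -> str:
        return f"projects/{self.project}/regions/{self.region}/serviceAttachments/{self.name}"


def parse_service_attachment(uri: str) -> ServiceAttachment:
    """Parse projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME."""
    m = _SA_URI.match(uri)
    if m is None:
        raise ValueError(f"not a service attachment URI: {uri!r}")
    return ServiceAttachment(m["project"], m["region"], m["name"])


# Labels for the two connection preferences described on this page (assumed names).
ACCEPT_AUTOMATIC = "ACCEPT_AUTOMATIC"   # automatically accept connections for all projects
ACCEPT_MANUAL = "ACCEPT_MANUAL"         # accept connections for selected projects only


def connection_decision(preference: str, consumer_project: str,
                        accepted: frozenset, rejected: frozenset) -> str:
    """Producer-side outcome for a consumer's request: ACCEPTED, REJECTED or PENDING."""
    if preference == ACCEPT_AUTOMATIC:
        return "ACCEPTED"
    if preference == ACCEPT_MANUAL:
        if consumer_project in rejected:
            return "REJECTED"
        return "ACCEPTED" if consumer_project in accepted else "PENDING"
    raise ValueError(f"unknown connection preference: {preference}")
```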

On-premises access

Pricing

Pricing for Private Service Connect is described in the VPC pricing page.

Quotas

There are quotas for Private Service Connect endpoints and service attachments. For more information, see quotas.
