Private Service Connect allows private consumption of services across VPC networks that belong to different groups, teams, projects, or organizations. You can publish and consume services using IP addresses that you define and that are internal to your VPC network.
You can access Google APIs and services using a Private Service Connect endpoint. You can optionally protect your API resources and data using VPC Service Controls.
You can connect to a service in another VPC network using a Private Service Connect endpoint.
You can make a service available outside your VPC network using a Private Service Connect service attachment.
Using Private Service Connect to access Google APIs
By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com. Even though the IP addresses for the default DNS names are publicly routable, traffic sent from Google Cloud resources remains within Google's network.
With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network. You can assign DNS names to these internal IP addresses with meaningful names like
These names and IP addresses are internal to your VPC network and any on-premises networks that are connected to it using Cloud VPN tunnels or Cloud Interconnect attachments (VLANs). You can control which traffic goes to which endpoint, and can demonstrate that traffic stays within Google Cloud.
For more information about Private Service Connect configurations for accessing Google APIs, see use cases.
Using Private Service Connect to publish and consume services
Private Service Connect lets a service producer offer services privately to a service consumer. Private Service Connect offers the following benefits:
A service producer VPC network can support more than one service consumer.
Each consumer connects to an internal IP address that they define. Private Service Connect performs network address translation (NAT) to route the request to the service producer.
Key concepts for service consumers
You can use Private Service Connect endpoints to consume services that are outside of your VPC network. Service consumers create Private Service Connect endpoints that connect to a target service.
You use Private Service Connect endpoints to connect to a target service. Endpoints have an internal IP address in your VPC network and are based on the forwarding rule resource.
You send traffic to the endpoint, which forwards it to targets outside of your VPC network.
Private Service Connect endpoints have a target, which is the service you want to connect to:
An API bundle:
All APIs: most Google APIs
VPC-SC: APIs that VPC Service Controls supports
A published service in another VPC network. This service can be managed by your own organization or a third party.
When you create a Private Service Connect endpoint to access Google APIs and services, you choose which bundle of APIs you need access to: All APIs (all-apis) or VPC-SC (vpc-sc).
The API bundles give access to the same APIs that are available through the Private Google Access VIPs.
The all-apis bundle provides access to the same APIs as
The vpc-sc bundle provides access to the same APIs as
For more information about supported APIs, see supported APIs.
To connect your endpoint to a service producer's service, you need the service attachment for the service. The service attachment URI has this format:
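As an added example that is not Google's own code, the following POSIX shell script composes the consumer-side gcloud commands for the two endpoint targets described above: an API bundle (all-apis or vpc-sc) and a published service reached through its service attachment URI. Network, region, subnet, address and resource names are placeholders, and the gcloud flag names are taken from the current gcloud CLI, not from this page. Commands are only printed unless PSC_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not Google's own code: compose the consumer-side gcloud
# commands for a Private Service Connect endpoint. Commands are printed
# unless PSC_APPLY=1 is set, so the script is safe to run as a dry run.

psc_run() {
  if [ "${PSC_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The page names two API bundles: all-apis and vpc-sc. Reject anything else
# before any resource is created.
psc_validate_bundle() {
  case "$1" in
    all-apis|vpc-sc) return 0 ;;
    *) echo "unknown bundle '$1' (expected all-apis or vpc-sc)" >&2; return 1 ;;
  esac
}

# Endpoint for Google APIs: a global internal address reserved for Private
# Service Connect plus a global forwarding rule targeting the API bundle.
# usage: psc_api_endpoint_cmds NETWORK ADDRESS BUNDLE ENDPOINT_NAME
psc_api_endpoint_cmds() {
  network=$1; addr=$2; bundle=$3; name=$4
  psc_validate_bundle "$bundle" || return 1
  psc_run gcloud compute addresses create "${name}-ip" --global \
    --purpose=PRIVATE_SERVICE_CONNECT --addresses="$addr" --network="$network"
  psc_run gcloud compute forwarding-rules create "$name" --global \
    --network="$network" --address="${name}-ip" \
    --target-google-apis-bundle="$bundle"
}

# Endpoint for a published service: a regional address in one of the
# consumer's own subnets plus a regional forwarding rule whose target is the
# producer's service attachment URI (the producer supplies this value).
# usage: psc_service_endpoint_cmds REGION NETWORK SUBNET ADDRESS ATTACHMENT_URI ENDPOINT_NAME
psc_service_endpoint_cmds() {
  region=$1; network=$2; subnet=$3; addr=$4; attachment=$5; name=$6
  [ -n "$attachment" ] || { echo "service attachment URI is required" >&2; return 1; }
  psc_run gcloud compute addresses create "${name}-ip" --region="$region" \
    --subnet="$subnet" --addresses="$addr"
  psc_run gcloud compute forwarding-rules create "$name" --region="$region" \
    --network="$network" --address="${name}-ip" \
    --target-service-attachment="$attachment"
}

# Dry run with constructed placeholder values (not from the page).
psc_api_endpoint_cmds my-vpc 10.10.0.5 all-apis apis-endpoint
psc_service_endpoint_cmds us-central1 my-vpc consumer-subnet 10.20.0.5 \
  SERVICE_ATTACHMENT_URI svc-endpoint
```

The two targets differ in scope: the API-bundle endpoint uses a global address reserved with the PRIVATE_SERVICE_CONNECT purpose, while the published-service endpoint takes an address from a regional subnet of your own and a regional forwarding rule, so the check on the bundle name and the presence of the attachment URI run before anything is created.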
Key concepts for service producers
To make a service available to consumers, you create one or more dedicated subnets to use for network address translation (NAT) of consumer IP addresses. You then create a service attachment that refers to those subnets.
Private Service Connect subnets
To expose a service, the service producer first creates one or more subnets with purpose Private Service Connect.
When a request is sent from a consumer VPC network, the consumer's source IP address is translated using source NAT (SNAT) to an IP address selected from one of the Private Service Connect subnets.
If you want to retain the consumer connection IP address information, see Viewing consumer connection information.
These subnets cannot be used for resources such as VM instances or forwarding rules. The subnets are used only to provide IP addresses for SNAT of incoming consumer connections.
The Private Service Connect subnet must contain at least one IP address for every 64 consumer VMs so that each consumer VM is allocated 1,024 source tuples for network address translation.
The minimum size for a Private Service Connect subnet is
The SNAT configuration for Private Service Connect subnets includes the following:
When SNAT is performed, each client VM in the consumer VPC network is given 1,024 source address and source port tuples using IP addresses in the Private Service Connect subnet.
The UDP Mapping Idle Timeout is 30 seconds and cannot be configured.
The TCP Established Connection Idle Timeout is 20 minutes and cannot be configured.
The TCP Transitory Connection Idle Timeout is 30 seconds and cannot be configured.
There is a two-minute delay before any 5-tuple (Private Service Connect subnet source IP address and source port plus destination protocol, IP address, and destination port) can be reused.
Service producers expose their service through a service attachment.
To expose a service, a service producer creates a service attachment that refers to the service's load balancer forwarding rule.
To access a service, a service consumer creates an endpoint that refers to the service attachment.
When you create a service, you choose how to make it available. There are two options:
Automatically accept connections for all projects - any service consumer can configure an endpoint and connect to the service automatically.
Accept connections for selected projects - service consumers configure an endpoint to connect to the service and the service producer accepts or rejects the connection requests.
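As an added example that is not part of the original page, this POSIX shell script applies the subnet sizing rule stated above (one NAT source IP per 64 consumer VMs, 1,024 source tuples per VM) to pick a prefix length, checks how many consumer VMs an existing prefix can serve, and composes the producer-side gcloud commands for the NAT subnet and the service attachment with either connection preference. Resource names, ranges and project IDs are constructed placeholders, and the gcloud flags are taken from the current gcloud CLI rather than from this page. The page's absolute minimum subnet size is not reproduced here, so treat it as a floor on the computed prefix.

```shell
#!/bin/sh
# Added example, not Google's own code: size a Private Service Connect NAT
# subnet from the page's rule (one source IP per 64 consumer VMs, 1,024
# source tuples per VM) and compose the producer-side gcloud commands.
# Commands are printed unless PSC_APPLY=1 is set.

psc_run() {
  if [ "${PSC_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Minimum number of NAT source IPs for N consumer VMs: ceil(N / 64).
psc_min_nat_ips() { echo $(( ($1 + 63) / 64 )); }

# Smallest prefix length whose address count covers those IPs. The page also
# states an absolute minimum subnet size (not reproduced here); the real
# subnet must be at least as large as both.
psc_nat_prefix_len() {
  need=$(psc_min_nat_ips "$1")
  size=1; bits=0
  while [ "$size" -lt "$need" ]; do size=$((size * 2)); bits=$((bits + 1)); done
  echo $((32 - bits))
}

# Capacity check for an existing subnet: how many consumer VMs a /PREFIX can
# serve at 64 VMs per source IP (addresses in the range times 64).
psc_max_vms_for_prefix() {
  size=1; p=$1
  while [ "$p" -lt 32 ]; do size=$((size * 2)); p=$((p + 1)); done
  echo $((size * 64))
}

# Producer side: the NAT subnet, then the service attachment that refers to
# the service's load balancer forwarding rule. PREFERENCE is ACCEPT_AUTOMATIC
# (any consumer project connects) or ACCEPT_MANUAL (only projects in
# ACCEPT_LIST, written as PROJECT=CONNECTION_LIMIT,PROJECT=CONNECTION_LIMIT).
# usage: psc_producer_cmds REGION NETWORK NAT_SUBNET RANGE FORWARDING_RULE ATTACHMENT PREFERENCE [ACCEPT_LIST]
psc_producer_cmds() {
  region=$1; network=$2; subnet=$3; range=$4; rule=$5; att=$6; pref=$7; accept=$8
  case "$pref" in
    ACCEPT_AUTOMATIC) accept_flag="" ;;
    ACCEPT_MANUAL)
      [ -n "$accept" ] || { echo "ACCEPT_MANUAL needs a consumer accept list" >&2; return 1; }
      accept_flag="--consumer-accept-list=$accept" ;;
    *) echo "preference must be ACCEPT_AUTOMATIC or ACCEPT_MANUAL" >&2; return 1 ;;
  esac
  psc_run gcloud compute networks subnets create "$subnet" --network="$network" \
    --region="$region" --range="$range" --purpose=PRIVATE_SERVICE_CONNECT
  # $accept_flag is deliberately unquoted so an empty value adds no argument.
  psc_run gcloud compute service-attachments create "$att" --region="$region" \
    --producer-forwarding-rule="$rule" --connection-preference="$pref" \
    --nat-subnets="$subnet" $accept_flag
}

# Dry run with constructed values: 1,000 consumer VMs need 16 source IPs,
# a /28 by the rule alone (the page's minimum subnet size may require more).
echo "prefix for 1000 VMs by the 64-VM rule: /$(psc_nat_prefix_len 1000)"
psc_producer_cmds us-central1 producer-vpc psc-nat 10.30.0.0/24 svc-fr svc-attachment \
  ACCEPT_MANUAL consumer-project-a=10,consumer-project-b=5
```

The connection preference is validated before either resource command is emitted, so a manual-acceptance attachment without an accept list fails early rather than leaving a NAT subnet behind with no attachment.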
Private Service Connect endpoints used to access Google APIs can be accessed from supported connected on-premises hosts. For more information, see Using Private Service Connect from on-premises hosts.
Private Service Connect endpoints used to access services in another VPC network do not support access from on-premises hosts during Preview.
Pricing for Private Service Connect is described in the VPC pricing page. Pricing applies during the Preview period.
There are quotas for Private Service Connect endpoints and service attachments. For more information, see quotas.