By default, if you have an application that uses a Google service, such as
Cloud Storage, your application connects to the default DNS name for that
service, such as
storage.googleapis.com. Even though the IP addresses for the
default DNS names are publicly routable, traffic sent from Google Cloud
resources remains within Google's network.
With Private Service Connect, you can create private endpoints
using global internal IP addresses within your VPC network. You
can assign DNS names to these internal IP addresses with meaningful names like
These names and IP addresses are internal to your VPC network and
any on-premises networks that are connected to it using Cloud VPN
tunnels or Cloud Interconnect attachments (VLANs). You can control
which traffic goes to which endpoint, and can demonstrate that traffic stays
within Google Cloud.
See use cases for more information about Private Service Connect configurations.
To use Private Service Connect, virtual machine (VM) instances without external IP addresses must have their primary interface in a subnet with Private Google Access enabled.
A VM with an external IP address can access Google APIs and services using Private Service Connect endpoints whether or not Private Google Access is enabled for its subnet. Connectivity to the Private Service Connect endpoint stays within Google's network.
Private Service Connect endpoints are not accessible from peered VPC networks.
When you create a Private Service Connect endpoint, you choose which bundle of
APIs you need access to:
The API bundles give access to the same APIs that are available through the Private Google Access VIPs.
all-apisbundle provides access to the same APIs as
vpc-scbundle provides access to the same APIs as
|API bundle||Supported services||Example usage|
||Enables API access to most Google APIs and services regardless of
whether they are supported by VPC Service Controls. Includes API access to
Maps, Google Ads, Google Cloud, and most other
Google APIs, including the lists below. Does not support Google Workspace web
applications. Does not support any interactive websites.
Domain names that end with:
|Enables API access to
Google APIs and
services that are supported by VPC Service Controls.
Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace web applications or Google Workspace APIs.
You must configure a private DNS zone to serve the DNS records of the services you want to use. You can create a private DNS zone using Cloud DNS or another DNS solution.
All names in a Cloud DNS private zone are accessible only from within the zone's authorized VPC networks. If you want to resolve these names from outside Google Cloud (for example, from on-premises hosts), set up inbound DNS forwarding.
For each service that you want to use, create a DNS record that points to your Private Service Connect endpoint IP address. The DNS names must be in one of these formats:
For example, to access Cloud Storage using Private Service Connect endpoint
xyz, create a DNS record
storage-xyz.p.googleapis.comthat points to the Private Service Connect endpoint IP address.
The default DNS name of the service endpoint, for example,
If you use the
names in the private DNS zone, the following applies:
You must configure any applications or client libraries to use these new names.
See the documentation for your client or client library for details. For example:
Python: You can configure
api_endpointin the Client options class in the
Go: You can configure
WithEndpointin the Client options package in the
gcloud: You can configure
api_endpoint_overridesusing this command.
gcloud config set api_endpoint_overrides/SERVICE ENDPOINT_URL
gcloud config set api_endpoint_overrides/storage https://storage-xyz.p.googleapis.com/storage/v1/
By configuring which endpoint your client uses, you can control which Private Service Connect endpoint a given client points to. You can also leave the client unchanged to access the APIs directly.
If you override the default DNS names in the private DNS zone, the following applies:
You don't need to modify your applications or client libraries to use different names.
Any VMs or on-premises hosts that use this private zone send all API requests to a Private Service Connect endpoint.
You can create multiple Private Service Connect endpoints in the same VPC network. There is no limit on bandwidth to a particular endpoint. Because Private Service Connect endpoints use global internal IP addresses, they can be used by any resource in your VPC network.
With multiple endpoints, you can specify different network paths using Cloud Router and firewall rules.
You can create firewall rules to prevent some VMs from accessing Google APIs through a Private Service Connect endpoint, while allowing other VMs to have access.
You can have a firewall rule on a VM instance that disallows all traffic to the internet; traffic sent to Private Service Connect endpoints still reaches Google.
If you have on-premises hosts that are connected to a VPC using a Cloud VPN tunnel or a Cloud Interconnect attachment (VLAN), you can send some requests through the tunnel or VLAN while sending other requests over the public internet. This configuration lets you bypass the tunnel or VLAN for services such as Google Books that are not supported by Private Google Access.
To create this configuration, create a Private Service Connect endpoint, advertise the Private Service Connect endpoint IP addresses using Cloud Router custom route advertisements, and enable a Cloud DNS inbound forwarding policy. The application can send some requests through the Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) by using the name of the Private Service Connect endpoint, and others over the internet by using the default DNS name.
If you connect your on-premises network to your VPC network using multiple Cloud Interconnect attachments (VLANs), you can send some traffic from on-premises over one VLAN and the rest over others, as shown in figure 2. This lets you use your own wide-area networking instead of Google's, and to control data movement to meet geographic requirements.
To create this configuration, create two Private Service Connect endpoints. Create a custom route advertisement for the first endpoint on the BGP session of the Cloud Router managing the first VLAN, and create a different custom route advertisement for the second endpoint on the BGP session of the Cloud Router managing the second VLAN. On-premises hosts that are configured to use the Private Service Connect endpoint name send traffic over the corresponding Cloud Interconnect attachment (VLAN).
You can also use multiple Cloud Interconnect attachments (VLANs) in an active/active topology. If you advertise the same Private Service Connect endpoint IP address using custom route advertisements for the BGP sessions on the Cloud Routers managing the VLANs, packets sent from on-premises systems to the endpoints are routed across the VLANs using ECMP.
Pricing for Private Service Connect is described in the VPC pricing page. Pricing applies during the Preview period.