Private Service Connect

By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com. Even though the IP addresses for the default DNS names are publicly routable, traffic sent from Google Cloud resources remains within Google's network.

With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network. You can assign DNS names to these internal IP addresses with meaningful names like storage-vialink1.p.googleapis.com and bigtable-adsteam.p.googleapis.com. These names and IP addresses are internal to your VPC network and any on-premises networks that are connected to it using Cloud VPN tunnels or Cloud Interconnect attachments (VLANs). You can control which traffic goes to which endpoint, and can demonstrate that traffic stays within Google Cloud.

See use cases for more information about Private Service Connect configurations.

Figure 1. Private Service Connect lets you send traffic to Google APIs using a Private Service Connect endpoint that is private to your VPC network.

Network requirements

To use Private Service Connect, virtual machine (VM) instances without external IP addresses must have their primary interface in a subnet with Private Google Access enabled.

A VM with an external IP address can access Google APIs and services using Private Service Connect endpoints whether or not Private Google Access is enabled for its subnet. Connectivity to the Private Service Connect endpoint stays within Google's network.

Private Service Connect endpoints are not accessible from peered VPC networks.

Supported APIs

When you create a Private Service Connect endpoint, you choose which bundle of APIs you need access to: all-apis or vpc-sc.

The API bundles give access to the same APIs that are available through the Private Google Access VIPs.

  • The all-apis bundle provides access to the same APIs as private.googleapis.com.

  • The vpc-sc bundle provides access to the same APIs as restricted.googleapis.com.

API bundle: all-apis

Supported services: Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications. Does not support any interactive websites.

Domain names that end with:
  • googleapis.com
  • googleadapis.com
  • ltsapis.goog
  • gcr.io
  • pkg.dev
  • gstatic.com
  • appspot.com
  • cloudfunctions.net
  • pki.goog
  • cloudproxy.app
  • run.app
  • datafusion.googleusercontent.com
  • datafusion.cloud.google.com

Host/domain names that match:
  • packages.cloud.google.com
  • gcr.io
  • pkg.dev
  • appengine.google.com
  • pki.goog

Example usage: Choose all-apis under these circumstances:
  • You don't use VPC Service Controls.
  • You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls.

API bundle: vpc-sc

Supported services: Enables API access to Google APIs and services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace web applications or Google Workspace APIs.

Example usage: Choose vpc-sc when you only need access to Google APIs and services that are supported by VPC Service Controls. The vpc-sc bundle does not permit access to Google APIs and services that do not support VPC Service Controls.

DNS configuration

You must configure a private DNS zone to serve the DNS records of the services you want to use. You can create a private DNS zone using Cloud DNS or another DNS solution.

All names in a Cloud DNS private zone are accessible only from within the zone's authorized VPC networks. If you want to resolve these names from outside Google Cloud (for example, from on-premises hosts), set up inbound DNS forwarding.

For each service that you want to use, create a DNS record that points to your Private Service Connect endpoint IP address. The DNS names must be in one of these formats:

  • SERVICE-ENDPOINT.p.googleapis.com

    For example, to access Cloud Storage using Private Service Connect endpoint xyz, create a DNS record storage-xyz.p.googleapis.com that points to the Private Service Connect endpoint IP address.

  • The default DNS name of the service endpoint, for example, storage.googleapis.com.

If you use the SERVICE-ENDPOINT.p.googleapis.com names in the private DNS zone, the following applies:

  • You must configure any applications or client libraries to use these new names.

    See the documentation for your client or client library for details. For example:

    • Python: You can configure api_endpoint in the ClientOptions class (google.api_core.client_options) of the google-api-core package.

    • Go: You can configure WithEndpoint in the option package (google.golang.org/api/option) of the Google APIs client library.

    • gcloud: You can configure api_endpoint_overrides using this command.

      gcloud config set api_endpoint_overrides/SERVICE ENDPOINT_URL

      For example: gcloud config set api_endpoint_overrides/storage https://storage-xyz.p.googleapis.com/storage/v1/

  • By configuring which endpoint your client uses, you can control which Private Service Connect endpoint a given client points to. You can also leave the client unchanged to access the APIs directly.

If you override the default DNS names in the private DNS zone, the following applies:

  • You don't need to modify your applications or client libraries to use different names.

  • Any VMs or on-premises hosts that use this private zone send all API requests to a Private Service Connect endpoint.
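The two naming schemes above differ in who is forced through the endpoint: SERVICE-ENDPOINT.p.googleapis.com names only affect clients you reconfigure, while overriding the default names captures every host that uses the private zone. The following Python script is an added example, not code from the Google Cloud documentation: it plans the A records for either scheme, renders the gcloud dns commands that would create them, and checks resolver answers for names that still point at a public VIP instead of the endpoint. The endpoint name xyz, the address 10.10.10.10, the zone and network names, and the resolver answers are constructed for illustration.

```python
"""Plan and check the private DNS zone for a Private Service Connect endpoint.

Added example, not code from the Google Cloud documentation. The endpoint
name "xyz", the address 10.10.10.10 and the resolver answers below are
constructed for illustration.
"""
import ipaddress
import re

# One DNS label: lowercase alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def check_endpoint_ip(ip: str) -> str:
    """Reject addresses that cannot be a PSC endpoint.

    Endpoints use global internal IP addresses; a public address here usually
    means a public VIP was pasted instead of the endpoint (heuristic check).
    """
    addr = ipaddress.ip_address(ip)
    if not addr.is_private:
        raise ValueError(f"{ip} is not an internal address")
    return str(addr)


def psc_dns_name(service: str, endpoint: str) -> str:
    """SERVICE-ENDPOINT.p.googleapis.com, for example storage-xyz.p.googleapis.com."""
    for label in (service, endpoint):
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return f"{service}-{endpoint}.p.googleapis.com"


def zone_records(endpoint_ip, endpoint, services, override_defaults=False):
    """Return (zone_dns_name, [(record_name, type, rdata), ...]).

    override_defaults=False: records live in a p.googleapis.com zone and
    clients must be reconfigured to use the new names.
    override_defaults=True: the zone is googleapis.com and the default names
    are overridden, so every client using the zone goes through the endpoint.
    """
    ip = check_endpoint_ip(endpoint_ip)
    zone = "googleapis.com." if override_defaults else "p.googleapis.com."
    records = []
    for svc in services:
        name = f"{svc}.googleapis.com" if override_defaults else psc_dns_name(svc, endpoint)
        records.append((name + ".", "A", ip))
    return zone, records


def gcloud_commands(zone_name, network, endpoint_ip, endpoint, services, override_defaults=False):
    """Render the gcloud dns commands that create the private zone and its A records."""
    zone, records = zone_records(endpoint_ip, endpoint, services, override_defaults)
    cmds = [
        f"gcloud dns managed-zones create {zone_name} --dns-name={zone} "
        f"--visibility=private --networks={network} --description='PSC endpoint {endpoint}'"
    ]
    for name, rtype, rdata in records:
        cmds.append(
            f"gcloud dns record-sets create {name} --zone={zone_name} "
            f"--type={rtype} --ttl=300 --rrdatas={rdata}"
        )
    return cmds


def find_leaks(resolve, records):
    """Names that do not resolve to the endpoint address.

    resolve(name) returns the list of A answers; on a VM inside the VPC this
    would be lambda n: socket.gethostbyname_ex(n)[2]. A name in the result is
    still being answered with a public VIP, so its traffic bypasses the endpoint.
    """
    leaks = {}
    for name, _rtype, endpoint_ip in records:
        answers = resolve(name.rstrip("."))
        if endpoint_ip not in answers:
            leaks[name] = answers
    return leaks


# Constructed resolver answers: storage already points at the endpoint,
# bigtable was never overridden and still resolves to a (documentation-range) VIP.
SAMPLE_ANSWERS = {
    "storage.googleapis.com": ["10.10.10.10"],
    "bigtable.googleapis.com": ["203.0.113.10"],
}

if __name__ == "__main__":
    for cmd in gcloud_commands("psc-zone", "prod-vpc", "10.10.10.10", "xyz", ["storage", "bigtable"]):
        print(cmd)
    _, recs = zone_records("10.10.10.10", "xyz", ["storage", "bigtable"], override_defaults=True)
    print("not on endpoint path:", find_leaks(lambda n: SAMPLE_ANSWERS.get(n, []), recs))
```

Run find_leaks from a VM in an authorized VPC network (or from an on-premises host that uses inbound DNS forwarding) after creating the records; a non-empty result means that service is still reaching Google over the public VIP rather than the endpoint, which matters when the goal is to demonstrate that traffic never leaves the private path.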

Use cases

You can create multiple Private Service Connect endpoints in the same VPC network. There is no limit on bandwidth to a particular endpoint. Because Private Service Connect endpoints use global internal IP addresses, they can be used by any resource in your VPC network.

With multiple endpoints, you can specify different network paths using Cloud Router and firewall rules.

  • You can create firewall rules to prevent some VMs from accessing Google APIs through a Private Service Connect endpoint, while allowing other VMs to have access.

  • You can have a firewall rule on a VM instance that disallows all traffic to the internet; traffic sent to Private Service Connect endpoints still reaches Google. Because the endpoint address is internal, a deny rule scoped to public destinations does not match it. If you instead use a deny-all egress rule (destination 0.0.0.0/0), pair it with a higher-priority allow rule whose destination is the endpoint IP address, or the endpoint is blocked too.

  • If you have on-premises hosts that are connected to a VPC using a Cloud VPN tunnel or a Cloud Interconnect attachment (VLAN), you can send some requests through the tunnel or VLAN while sending other requests over the public internet. This configuration lets you bypass the tunnel or VLAN for services such as Google Books that are not supported by Private Google Access.

    To create this configuration, create a Private Service Connect endpoint, advertise the Private Service Connect endpoint IP addresses using Cloud Router custom route advertisements, and enable a Cloud DNS inbound forwarding policy. The application can send some requests through the Cloud VPN tunnel or Cloud Interconnect attachment (VLAN) by using the name of the Private Service Connect endpoint, and others over the internet by using the default DNS name.

  • If you connect your on-premises network to your VPC network using multiple Cloud Interconnect attachments (VLANs), you can send some traffic from on-premises over one VLAN and the rest over others, as shown in figure 2. This lets you use your own wide-area networking instead of Google's, and to control data movement to meet geographic requirements.

    To create this configuration, create two Private Service Connect endpoints. Create a custom route advertisement for the first endpoint on the BGP session of the Cloud Router managing the first VLAN, and create a different custom route advertisement for the second endpoint on the BGP session of the Cloud Router managing the second VLAN. On-premises hosts that are configured to use the Private Service Connect endpoint name send traffic over the corresponding Cloud Interconnect attachment (VLAN).

  • You can also use multiple Cloud Interconnect attachments (VLANs) in an active/active topology. If you advertise the same Private Service Connect endpoint IP address using custom route advertisements for the BGP sessions on the Cloud Routers managing the VLANs, packets sent from on-premises systems to the endpoints are routed across the VLANs using ECMP.

    Figure 2. By configuring Private Service Connect, Cloud Router, and on-premises hosts, you can control which Cloud Interconnect attachment (VLAN) is used to send traffic to Google APIs.
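The firewall use cases above hinge on VPC firewall rule evaluation: among the rules that match a packet, the one with the lowest priority number wins, and at equal priority deny beats allow, with an implied allow-all egress rule at priority 65535 behind everything. The following Python model is an added example, not code from the Google Cloud documentation or an API of it: it evaluates egress decisions for the two patterns described above (a deny-all egress rule for locked-down VMs paired with a higher-priority allow to the endpoint, and a deny rule that keeps other VMs off the endpoint), and shows the common mistake of giving the deny-all rule the higher priority. The rule names, network tags, the endpoint address 10.10.10.10 and the public address 203.0.113.10 are constructed for illustration.

```python
"""Model VPC firewall egress decisions for a Private Service Connect endpoint.

Added example, not code from the Google Cloud documentation. Rule names, tags
and addresses are constructed; the evaluation order mirrors VPC firewall
semantics (lowest priority number wins, deny beats allow at equal priority,
implied allow-all egress at priority 65535).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    name: str
    priority: int            # 0-65535, lower number = evaluated first
    action: str              # "allow" or "deny"
    dest_ranges: tuple       # CIDR strings
    target_tags: tuple = ()  # empty = applies to every instance in the network
    protocol: str = "all"    # "all", "tcp" or "udp"
    ports: tuple = ()        # empty = all ports

    def matches(self, vm_tags, dst_ip, protocol, port):
        if self.target_tags and not set(self.target_tags) & set(vm_tags):
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.ports and port not in self.ports:
            return False
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in ipaddress.ip_network(r) for r in self.dest_ranges)


IMPLIED_ALLOW_EGRESS = EgressRule("implied-allow-egress", 65535, "allow", ("0.0.0.0/0",))


def egress_decision(rules, vm_tags, dst_ip, protocol="tcp", port=443):
    """Return (action, rule_name) for a packet leaving a VM with the given tags."""
    matching = [r for r in list(rules) + [IMPLIED_ALLOW_EGRESS]
                if r.matches(vm_tags, dst_ip, protocol, port)]
    # Lowest priority number first; at a tie, deny (0) sorts before allow (1).
    winner = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


def endpoint_reachable(rules, vm_tags, endpoint_ip):
    """True if VMs with these tags can reach the endpoint over HTTPS."""
    return egress_decision(rules, vm_tags, endpoint_ip)[0] == "allow"


PSC_ENDPOINT_IP = "10.10.10.10"  # constructed global internal address of the endpoint
PUBLIC_VIP = "203.0.113.10"      # constructed stand-in for a public Google VIP

RULES = [
    # Locked-down VMs may send nothing anywhere...
    EgressRule("deny-all-egress", 1000, "deny", ("0.0.0.0/0",),
               target_tags=("locked-down",)),
    # ...except HTTPS to the endpoint. Priority 900 outranks the 1000 deny.
    EgressRule("allow-psc-endpoint", 900, "allow", (f"{PSC_ENDPOINT_IP}/32",),
               target_tags=("locked-down",), protocol="tcp", ports=(443,)),
    # VMs tagged no-psc are kept off the endpoint; nothing else restricts them.
    EgressRule("deny-psc-endpoint", 900, "deny", (f"{PSC_ENDPOINT_IP}/32",),
               target_tags=("no-psc",)),
]

# The mistake the use case warns about: deny-all given the better priority.
BROKEN_RULES = [
    EgressRule("deny-all-egress", 800, "deny", ("0.0.0.0/0",), target_tags=("locked-down",)),
    EgressRule("allow-psc-endpoint", 900, "allow", (f"{PSC_ENDPOINT_IP}/32",),
               target_tags=("locked-down",)),
]

if __name__ == "__main__":
    for tags, dst in [(("locked-down",), PSC_ENDPOINT_IP), (("locked-down",), PUBLIC_VIP),
                      (("no-psc",), PSC_ENDPOINT_IP), (("no-psc",), PUBLIC_VIP)]:
        print(tags, dst, egress_decision(RULES, tags, dst))
    print("broken rule set reaches endpoint:",
          endpoint_reachable(BROKEN_RULES, ("locked-down",), PSC_ENDPOINT_IP))
```

A locked-down VM ends up with exactly one allowed destination, the endpoint on TCP 443, which is the property to verify before relying on the endpoint as the only exit for API traffic; the no-psc VMs show the opposite policy, where the endpoint is closed but the public VIPs remain open unless a further rule closes them.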

Pricing

Pricing for Private Service Connect is described in the VPC pricing page. Pricing applies during the Preview period.

What's next