Stay organized with collections
Save and categorize content based on your preferences.
If your Contact Center AI Platform (CCAI Platform) instance is set up for data egress to services
that support capabilities such as CRM apps, media storage, or co-browse, you can
use Private Service Connect to set up private egress to these services,
keeping your traffic private and within Google Cloud.
Before you begin
The following list contains egress components for the types of data that an
instance sends out, along with instructions for setting up data egress to
services that receive that data:
Keep the following points in mind when setting up data egress from a
CCAI Platform instance:
The host URL that you specify when you set up data egress must be a URL
containing the fully qualified domain name (FQDN) of the target service.
Specifying an IP address causes egress to be blocked.
The certificates of the FQDNs that you specify when setting up data egress
must be publicly available.
Publish a service
Publishing a service makes it available to receive private egress traffic from a
CCAI Platform instance. To publish a service, you
create a service attachment in the project that contains the service. The
instance that you configure for private
egress uses the service
attachment details to connect to the service. Publishing a service also includes
creating an internal load balancer that directs the egress traffic to the
service.
To publish a service, follow these steps:
In the Google Cloud console, go to the project selector dashboard and select the
project that contains the service that you want to publish.
Keep the following points in mind when you publish a service:
When you create a service connection, set a connection limit of at least 10
additional endpoints. Google recommends setting the connection limit to a
much higher number to ensure that you have the capacity to connect as many
endpoints as required.
If you've set up data egress for multiple egress components, it's possible
that the egress traffic for both components is directed to the same service.
For example, you might send both MEDIA egress traffic and CRM egress
traffic to the same external storage service. In that case, use the same
service attachment for both types of egress traffic. Otherwise, the behavior
of the egress traffic is undefined.
Configure a CCAI Platform instance for private egress
You can create a new instance configured for private egress or update an
existing instance for private egress, depending on your situation.
Keep the following points in mind when you configure a CCAI Platform
instance for private egress:
When you configure an instance for private egress to a Google Cloud
service such as Cloud Storage, you don't need to publish a
service to implement private egress because the request
will use Private Google Access.
If the instance that you configure for private egress is within a
VPC Service Controls perimeter, then the service attachment from
your published service needs to be within that perimeter. Otherwise you'll
generate a VPC Service Controls violation.
Create a new instance configured for private egress
To create a new instance configured for private egress, do the following:
In the Name column, click the instance that you want to edit. The CCAI
Platform Detail page appears.
Click Edit, and then click Configure private access.
To configure private egress
(Preview), do the following:
Under Egress, click Add setting. In the Component type
field, select the component type for the type of data that you're
configuring private egress for. For more information, see
Components.
In the Service attachment field, enter the service attachment that
you created in Publish a service, and then click
Done.
Optional: Click Add setting and repeat the previous two steps for
every additional private egress setting that you need.
Click Save.
After your private egress settings are saved, they appear under Private
access on your instance's detail page.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eCCAI Platform instances can use Private Service Connect for private data egress to services like CRM apps, media storage, and co-browse, keeping traffic within Google Cloud.\u003c/p\u003e\n"],["\u003cp\u003eData egress from a CCAI Platform instance must use a host URL with a fully qualified domain name (FQDN), not an IP address, and the FQDN certificates must be publicly available.\u003c/p\u003e\n"],["\u003cp\u003eTo publish a service for private egress, you must create a service attachment and an internal load balancer, and ensure a connection limit of at least 10 endpoints, with Google recommending higher.\u003c/p\u003e\n"],["\u003cp\u003eYou can configure a new or update an existing CCAI Platform instance for private egress, and for private egress to Google Cloud services, you do not have to publish a service.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring private egress is a preview feature, and components include \u003ccode\u003eCRM\u003c/code\u003e, \u003ccode\u003eMEDIA\u003c/code\u003e, \u003ccode\u003eDIRECT_ACCESS_POINT\u003c/code\u003e, \u003ccode\u003eEMAIL\u003c/code\u003e, \u003ccode\u003eCOBROWSE\u003c/code\u003e, and \u003ccode\u003eWORKFORCE_MANAGEMENT\u003c/code\u003e, each with their own specific configuration documentation.\u003c/p\u003e\n"]]],[],null,["# Set up private egress\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nIf your Contact Center AI Platform (CCAI Platform) instance is set up for data egress to services\nthat support capabilities such as CRM apps, media storage, or co-browse, you can\nuse Private Service Connect to set up private egress to these services,\nkeeping your traffic private and within Google Cloud.\n\nBefore you begin\n----------------\n\nThe following list contains egress components for the types of data that an\ninstance sends out, along with instructions for setting up data egress to\nservices that receive that data:\n\n- **`CRM`** . For more information, see [CCAI Platform portal\n configuration](/contact-center/ccai-platform/docs/Custom_CRM#ccai_platform_portal_configuration).\n\n- **`MEDIA`** . For more information, see [External\n storage](/contact-center/ccai-platform/docs/external-storage).\n\n- **`DIRECT_ACCESS_POINT`** . For more information, see [API\n DAPs](/contact-center/ccai-platform/docs/routing#api-daps).\n\n- **`EMAIL`** . For more information, see [Email channel\n configuration](/contact-center/ccai-platform/docs/email-channel-config).\n\n- **`COBROWSE`** . For more information, see [Set up\n co-browse](/contact-center/ccai-platform/docs/set-up-cobrowse).\n\n- **`WORKFORCE_MANAGEMENT`** . For more information, see [Workforce\n management](/contact-center/ccai-platform/docs/wfm).\n\nKeep the following points in mind when setting up data egress from a\nCCAI Platform instance:\n\n- The host URL that you specify when you set up data egress must be a URL\n containing the fully qualified domain name (FQDN) of the target service.\n Specifying an IP address causes egress to be blocked.\n\n- The certificates of the FQDNs that you specify when setting up data egress\n must be publicly available.\n\nPublish a service\n-----------------\n\nPublishing a service makes it available to receive private egress traffic from a\nCCAI Platform instance. To [publish a service](/vpc/docs/configure-private-service-connect-producer#publish-service), you\ncreate a service attachment in the project that contains the service. The\ninstance that you [configure for private\negress](#configure-a-ccaip-instance-for-private-egress) uses the service\nattachment details to connect to the service. Publishing a service also includes\ncreating an internal load balancer that directs the egress traffic to the\nservice.\n\nTo publish a service, follow these steps:\n\n1. In the Google Cloud console, go to the project selector dashboard and select the\n project that contains the service that you want to publish.\n\n\n [Project selector dashboard](https://console.cloud.google.com/projectselector2/home/dashboard)\n\n \u003cbr /\u003e\n\n2. Publish your service according to the instructions in [Publish a\n service](/vpc/docs/configure-private-service-connect-producer#publish-service).\n\n3. Save the service attachment value to use in [Configure a\n CCAI Platform instance for private\n egress](#configure-a-ccaip-instance-for-private-egress).\n\nKeep the following points in mind when you publish a service:\n\n- When you create a service connection, set a connection limit of at least 10\n additional endpoints. Google recommends setting the connection limit to a\n much higher number to ensure that you have the capacity to connect as many\n endpoints as required.\n\n- If you've set up data egress for multiple egress components, it's possible\n that the egress traffic for both components is directed to the same service.\n For example, you might send both `MEDIA` egress traffic and `CRM` egress\n traffic to the same external storage service. In that case, use the same\n service attachment for both types of egress traffic. Otherwise, the behavior\n of the egress traffic is undefined.\n\nConfigure a CCAI Platform instance for private egress\n-----------------------------------------------------\n\nYou can create a new instance configured for private egress or update an\nexisting instance for private egress, depending on your situation.\n\nDo one of the following:\n\n- [Create a new instance configured for private\n egress](#create-a-new-instance-where-configured-for-private-egress).\n\n- [Configure an existing instance for private\n egress](#configure-an-existing-instance-for-private-egress).\n\nKeep the following points in mind when you configure a CCAI Platform\ninstance for private egress:\n\n- When you configure an instance for private egress to a Google Cloud\n service such as Cloud Storage, you don't need to [publish a\n service](#publish-a-service) to implement private egress because the request\n will use [Private Google Access](/vpc/docs/private-google-access).\n\n- If the instance that you configure for private egress is within a\n [VPC Service Controls](/vpc-service-controls/docs/overview) perimeter, then the service attachment from\n your published service needs to be within that perimeter. Otherwise you'll\n generate a VPC Service Controls violation.\n\n### Create a new instance configured for private egress\n\nTo create a new instance configured for private egress, do the following:\n\n- Create an instance as described in [Get started with Contact Center AI\n Platform](/contact-center/ccai-platform/docs/get-started) and include the optional steps for configuring private egress.\n\nAfter your private egress settings are saved, they appear under **Private\naccess** on your instance's detail page.\n\n### Configure an existing instance for private egress\n\nTo configure an existing instance for private egress, follow these steps:\n\n1. In the Google Cloud console, go to the project selector dashboard and select the\n project that contains the instance that you want to edit.\n\n\n [Project selector dashboard](https://console.cloud.google.com/projectselector2/home/dashboard)\n\n \u003cbr /\u003e\n\n2. In the navigation menu, click **CCAI Platform**.\n\n\n [CCAI Platform instances](https://console.cloud.google.com/contact-center-ai-platform)\n\n \u003cbr /\u003e\n\n The **CCAI Platform instances** page appears.\n3. In the **Name** column, click the instance that you want to edit. The **CCAI\n Platform Detail** page appears.\n\n4. Click **Edit** , and then click **Configure private access**.\n\n5. To configure private egress\n ([Preview](/products#product-launch-stages)), do the following:\n\n 1. Under **Egress** , click **Add setting** . In the **Component type**\n field, select the component type for the type of data that you're\n configuring private egress for. For more information, see\n [Components](/contact-center/ccai-platform/docs/ccaip-custom-constraints#components).\n\n 2. In the **Service attachment** field, enter the service attachment that\n you created in [Publish a service](#publish-a-service), and then click\n **Done**.\n\n 3. Optional: Click **Add setting** and repeat the previous two steps for\n every additional private egress setting that you need.\n\n 4. Click **Save**.\n\nAfter your private egress settings are saved, they appear under **Private\naccess** on your instance's detail page.\n\nWhat's next\n-----------\n\n- [Set up private ingress](/contact-center/ccai-platform/docs/private-ingress)\n\n- [Custom constraints](/contact-center/ccai-platform/docs/ccaip-custom-constraints)"]]
