Private connectivity for on-premise or other cloud providers
This page describes how to set up private connectivity from Integration Connectors to your backend service such as MySQL, Postgres, and SQL Server hosted in your on-premise data center or other cloud providers.
The following image shows the private network connectivity setup from Integration Connectors to your backend service hosted in your on-premise network.
This page assumes that you are familiar with the following concepts:
- Endpoint attachments
- Managed zones
- Private Service Connect (PSC)
- Google Cloud load balancer
Considerations
When you create a PSC service attachment, consider the following key points:
As a service producer, you must configure a PSC service attachment that Integration Connectors can use to consume the service. After the service attachment is ready, you can configure the connection to consume the service attachment using an endpoint attachment.
The PSC service attachment and the load balancer must be in different subnets within the same VPC. Specifically, the service attachment must be in a NAT subnet.
Software running on your backend VMs must respond to both load-balanced traffic and health check probes sent to each forwarding rule's IP address (the software must listen on 0.0.0.0:<port> and not on a specific IP address assigned to a network interface). For more information, see Health check.
Configure the firewall rules to facilitate the traffic flow.
Ingress rules
- Traffic from the PSC service attachment's subnet must reach the ILB's subnet.
- Within the ILB's subnet, the ILB must be able to send traffic to your backend system.
- The health check probe must be able to access your backend system. The Google Cloud health check probes have a fixed IP range (35.191.0.0/16, 130.211.0.0/22), so allow these ranges to send traffic to your backend server.
Egress rules
Egress traffic is enabled by default in a Google Cloud project, unless specific deny rules are configured.
All your Google Cloud components such as the PSC service attachment and the load balancer must be in the same region.
Your backend system must not be open to the public network, as this is a security concern. However, ensure that your backend system accepts traffic in the following scenario:
Proxy-based/HTTP(S) load balancers (L4 proxy ILB, L7 ILB): All new requests originate from the load balancer. Therefore, your backend must accept requests from the proxy-only subnet of your VPC network. For more information, see Proxy-only subnets for Envoy-based load balancers.
Configure private connectivity
The steps described in this section assume that private connectivity is already established between your Google Cloud project and your on-premise data center or other cloud provider, by using Cloud VPN or Cloud Interconnect.
To configure private connectivity, do the following tasks:
1. Create a PSC service attachment.
2. Create an endpoint attachment to consume the PSC service attachment.
3. Configure your connection to use the endpoint attachment.
Create a PSC service attachment
To establish private connectivity from Integration Connectors, you must expose the service to Integration Connectors using a PSC service attachment. A service attachment always targets a load balancer. Therefore, if your service isn't behind a load balancer, you must configure one.
To create a PSC service attachment, do the following:
1. Create a health check probe and then create a load balancer. For information about setting up a regional internal proxy Network Load Balancer, see Set up a regional internal proxy Network Load Balancer with hybrid connectivity.
2. Create a service attachment in the same region as the service's load balancer. For information about creating a service attachment, see Publish a service.
Create an endpoint attachment
Endpoint attachment as an IP address
For instructions on how to create an endpoint attachment as an IP address, see Create an endpoint attachment as an IP address.
Endpoint attachment as a hostname
In certain cases, such as TLS-enabled backends, the destination requires you to use a hostname instead of a private IP address so that TLS validation can succeed. In those cases, where a private DNS name is used instead of an IP address for the host destination, you must configure a managed zone in addition to creating an endpoint attachment as an IP address. For instructions on how to create an endpoint attachment as a hostname, see Create an endpoint attachment as a hostname.
Later, when you configure your connection to use the endpoint attachment, you can select this endpoint attachment.
Configure a connection to use the endpoint attachment
Now that you have created an endpoint attachment, use the endpoint attachment in your connection. When you create a new connection or update an existing connection, in the Destinations section, select Endpoint attachment as the Destination Type and select the endpoint attachment that you created from the Endpoint Attachment list.
If you created a managed zone, select Host Address as the Destination Type and use the A-record that you created while creating the managed zone.
Troubleshooting tips
If you are having issues with private connectivity, follow the guidelines listed in this section to avoid common issues.
- To verify that the endpoint attachment is set up correctly and the PSC connection is established, check the connection status. For more information, see Verify the endpoint attachment connection.
- Ensure the following configuration for the firewall rules:
 - Traffic from the PSC service attachment's subnet must be allowed to reach your backend service.
 - The load balancer must be able to send traffic to your backend system. Hybrid NEGs are supported on proxy load balancers only. Requests from a proxy load balancer originate from the proxy-only subnet of the region. Therefore, your firewall rules must allow requests from the proxy-only subnet ranges to reach your backend.
 - The health check probe must be able to access your backend system. The Google Cloud health check probes have a fixed IP range (35.191.0.0/16, 130.211.0.0/22), so these IP ranges must be allowed to send traffic to your backend server.
- Google Cloud Connectivity Tests can be used to identify any gaps in your network configuration. For more information, see Create and run Connectivity Tests.
- Ensure that firewall rules are updated in your on-premises or other cloud environment to allow traffic from the Google Cloud region's proxy-only subnet.
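The firewall requirements listed under Considerations and in the troubleshooting tips above can be checked mechanically before you open a connection. The following is an added example, not code from the Google Cloud documentation or from the Integration Connectors product: a preflight check over a firewall-rule inventory in the shape returned by `gcloud compute firewall-rules list --format=json`, confirming that the health check ranges, the PSC NAT subnet and the proxy-only subnet are allowed to reach the backend port and that no rule opens that port to 0.0.0.0/0. The sample rules, the backend port 3306, and the 10.10.0.0/24 (PSC NAT) and 10.129.0.0/23 (proxy-only) subnets are constructed for this example.

```python
import ipaddress

# Fixed Google Cloud health check prober ranges (from the page).
HEALTH_CHECK_RANGES = ("35.191.0.0/16", "130.211.0.0/22")

# Constructed sample inventory; assumption: field names as in the Compute API Firewall resource.
SAMPLE_RULES = [
    {"name": "allow-hc-to-db", "direction": "INGRESS",
     "sourceRanges": list(HEALTH_CHECK_RANGES),
     "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]},
    {"name": "allow-proxy-to-db", "direction": "INGRESS",
     "sourceRanges": ["10.129.0.0/23"],            # constructed proxy-only subnet
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],                # public, but not for tcp:3306
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

def _port_in(port, spec):
    """spec is a single port ("3306") or a range ("3000-4000")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _rule_allows(rule, port):
    """True for an enabled ingress rule that allows TCP on `port`."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    return any(a["IPProtocol"] in ("tcp", "all")
               and (not a.get("ports") or any(_port_in(port, p) for p in a["ports"]))
               for a in rule.get("allowed", []))

def _covered(cidr, rules, port):
    """True if some allowing rule has a source range that contains `cidr`."""
    need = ipaddress.ip_network(cidr)
    return any(need.subnet_of(ipaddress.ip_network(src))
               for r in rules if _rule_allows(r, port)
               for src in r.get("sourceRanges", []))

def check_backend_firewall(rules, port, psc_nat_subnet, proxy_only_subnet):
    """Return findings for the backend port; an empty list means every check passed."""
    required = {"PSC NAT subnet": psc_nat_subnet, "proxy-only subnet": proxy_only_subnet}
    required.update({f"health check range {r}": r for r in HEALTH_CHECK_RANGES})
    findings = [f"missing: no ingress allow for {label} ({cidr}) to tcp:{port}"
                for label, cidr in required.items() if not _covered(cidr, rules, port)]
    # The backend must not be reachable from the public internet on this port.
    findings += [f"exposed: rule {r['name']} opens tcp:{port} to 0.0.0.0/0"
                 for r in rules
                 if _rule_allows(r, port) and "0.0.0.0/0" in r.get("sourceRanges", [])]
    return findings

if __name__ == "__main__":
    for finding in check_backend_firewall(SAMPLE_RULES, 3306, "10.10.0.0/24", "10.129.0.0/23"):
        print(finding)
```

Run against the sample inventory, the only finding is the missing allow from the PSC NAT subnet; on-premises backends need the equivalent check against the on-premises firewall, which this inventory format does not cover.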
Last updated 2025-08-29 UTC.