Private network access enables supported Google Cloud products to send HTTP requests
to a customer Virtual Private Cloud (VPC) network resource. The requests are sent
over the private network while enforcing
Identity and Access Management (IAM) and
VPC Service Controls.
The network resources supported as destinations are:
- Virtual machine (VM) instances
- Internal passthrough Network Load Balancers
- Regional internal Application Load Balancers
- On-premises IP addresses, reached through Cloud Interconnect or Cloud VPN
With Private Service Connect, you
can create private endpoints within your VPC network by using
internal IP addresses. Private network access extends this capability and helps
Google Cloud services connect directly to VPC networks.
Private network access offers the following features:
- Provides a unified way of managing customer network, security, and access policies applied to all network paths.
- Enables Google Cloud products to reach one or more HTTP(S) endpoints in customer private networks through the private network of Google rather than the internet. It also provides a VPC Service Controls-compliant option. Keeping this communication on the private network helps provide better security, manage network security policies, and protect against exfiltration while using Google Cloud features such as HTTP Push.
The following diagram shows how Dialogflow connects to a
Google Cloud VM through the internet without private network access. Note that
Dialogflow runs within Google Cloud.
[Diagram: Dialogflow connectivity without private network access]
The following diagram shows how Dialogflow connects to a
Google Cloud VM through the private network with private network access.
[Diagram: Dialogflow connectivity with private network access]
The following quotas and limits apply for private network access:
- Service Directory limits apply when you use private network access.
- Calls from Google Cloud services that use private network access don't count against your quotas.
- Service Directory pricing applies for calls from Google Cloud services that use private network access. Because Service Directory charges are per API call against the Service Directory service, each private network access is charged as one API call.
Last updated 2025-08-28 UTC.