About accessing published services through endpoints

This document provides an overview of connecting to services in another VPC network by using Private Service Connect endpoints. You can connect to your own services, or those provided by other service producers, including by Google.

Clients connect to the endpoint by using internal IP addresses. Private Service Connect performs network address translation (NAT) to route the request to the service.

For more information about published services, see About published services.

A Private Service Connect endpoint lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The consumer, endpoint, and service must all be in the same region. (click to enlarge).

Features and compatibility

In the following tables, a checkmark indicates that a feature is supported, and a no symbol indicates that a feature isn't supported.

Consumer configuration

This table summarizes the supported configuration options and capabilities of endpoints that access published services.

Consumer configuration (endpoint) Producer load balancer
Internal passthrough Network Load Balancer Regional internal Application Load Balancer Regional internal proxy Network Load Balancer Internal protocol forwarding (target instance)
Consumer global access

Independent of global access setting on load balancer

Only if global access is enabled on the load balancer before the service attachment is created

Only if global access is enabled on the load balancer before the service attachment is created

Independent of global access setting on load balancer

Interconnect traffic

Cloud VPN traffic
Automatic DNS configuration IPv4 only IPv4 only IPv4 only IPv4 only
Connection propagation IPv4 only IPv4 only IPv4 only IPv4 only
IPv4 endpoints
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
IPv6 endpoints
  • IPv4 producer forwarding rules
  • IPv6 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv6 producer forwarding rules

Producer configuration

This table summarizes the supported configuration options and capabilities of published services that are accessed by endpoints.

Producer configuration (published service) Producer load balancer
Internal passthrough Network Load Balancer Regional internal Application Load Balancer Regional internal proxy Network Load Balancer Internal protocol forwarding (target instance)

Supported producer backends:

  • GCE_VM_IP zonal NEGs
  • Instance groups
  • Port mapping NEGs
  • GCE_VM_IP_PORT zonal NEGs
  • Hybrid NEGs
  • Serverless NEGs
  • Private Service Connect NEGs
  • Instance groups
  • GCE_VM_IP_PORT zonal NEGs
  • Hybrid NEGs
  • Serverless NEGs
  • Private Service Connect NEGs
  • Instance groups
Not applicable
PROXY protocol TCP traffic only TCP traffic only
Session affinity modes NONE (5-tuple)
CLIENT_IP_PORT_PROTO
Not applicable Not applicable Not applicable
IP version
  • IPv4 producer forwarding rules
  • IPv6 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv4 producer forwarding rules
  • IPv6 producer forwarding rules

Different load balancers support different port configurations; some load balancers support a single port, some support a range of ports, and some support all ports. For more information, see Port specifications.

Limitations

Endpoints that access a published service have the following limitations:

  • You can't create an endpoint in the same VPC network as the published service that you are accessing.

  • Endpoints are not accessible from peered VPC networks.

  • Packet Mirroring can't mirror packets for Private Service Connect published services traffic.

  • Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, see Static routes with load balancer next hops.

  • Connectivity Tests can't test connectivity between an IPv6 endpoint and a published service.

On-premises access

Endpoints that you use to access Google APIs can be accessed from supported connected on-premises hosts. For more information, see Access endpoints from hybrid networks.

Specifications

  • Private Service Connect endpoints must be created in the same region as the published service that is the target of the endpoint.
  • The endpoint must be created in a different VPC network than the VPC network that contains the target service.
  • If you're using Shared VPC, you can create the endpoint in either the host project or a service project.
  • By default, the endpoint can be accessed only by clients that are in the same region and the same VPC network (or Shared VPC network) as the endpoint. For information about making endpoints available in other regions, see Global access.
  • The IP address that you assign to the endpoint must be from a regular subnet.
  • When you create an endpoint to connect to a service, if the service has a DNS domain name configured, private DNS entries are automatically created in your VPC network for the endpoint.
  • Each endpoint has its own unique IP address and optionally its own unique DNS name.

Connection statuses

Private Service Connect endpoints, backends, and service attachments have a connection status that describes the state of their connection. The consumer and producer resources that form the two sides of a connection always have the same status. You can view connection statuses when you view endpoint details, describe a backend, or view details for a published service.

The following table describes the possible statuses.

Connection status Description
Accepted The Private Service Connect connection is established. The two VPC networks have connectivity, and the connection is functioning normally.
Pending

The Private Service Connect connection is not established, and network traffic can't travel between the two networks. A connection might have this status for the following reasons:

Connections that are blocked for these reasons remain in the pending state indefinitely until the underlying issue is resolved.

Rejected

The Private Service Connect connection is not established. Network traffic can't travel between the two networks. A connection might have this status for the following reasons:

Needs attention or Unspecified There is an issue on the producer side of the connection. Some traffic might be able to flow between the two networks, but some connections might not be functional. For example, the producer's NAT subnet might be exhausted and unable to allocate IP addresses for new connections.
Closed

The service attachment was deleted, and the Private Service Connect connection is closed. Network traffic can't travel between the two networks.

A closed connection is a terminal state. To restore the connection, you must recreate both the service attachment and the endpoint or backend.

IP version translation

For Private Service Connect endpoints that connect to published services (service attachments), the IP version of the consumer forwarding rule's IP address determines the IP version of the endpoint and traffic that egresses the endpoint. The IP address can come from an IPv4-only, IPv6-only (Preview), or dual-stack subnet. The IP version of the endpoint can be either IPv4 or IPv6, but not both.

For published services (service attachments), the IP version of the service attachment's NAT subnet must be compatible with the producer forwarding rule's IP address. The NAT subnet can be an IPv4-only or dual-stack subnet. If the NAT subnet is a dual-stack subnet, either the IPv4 or IPv6 address range is used, but not both. Private Service Connect doesn't support using an IPv6-only subnet (Preview) for the NAT subnet.

Private Service Connect doesn't support connecting an IPv4 endpoint with an IPv6 service attachment. In this case, the endpoint creation fails with the following error message:

Private Service Connect forwarding rule with an IPv4 address cannot target an IPv6 service attachment.

The following combinations are possible for supported configurations:

  • IPv4 endpoint to IPv4 service attachment
  • IPv6 endpoint to IPv6 service attachment
  • IPv6 endpoint to IPv4 service attachment

    In this configuration, Private Service Connect automatically translates between the two IP versions.

Connection propagation

With propagated connections, services that are accessible in one consumer VPC spoke through Private Service Connect endpoints can be privately accessed by other consumer VPC spokes that are connected to the same Network Connectivity Center hub.

For more information, see About propagated connections.

Global access

Private Service Connect endpoints that are used to access services are regional resources. However, you can make an endpoint available in other regions by configuring global access.

Global access lets resources in any region send traffic to Private Service Connect endpoints. You can use global access to provide high availability across services that are hosted in multiple regions, or to allow clients to access a service that is not in the same region as the client.

The following diagram illustrates clients in different regions accessing the same endpoint:

  • The endpoint is in us-west1 and has global access configured.

  • The VM in us-west1 can send traffic to the endpoint, and the traffic stays within the same region.

  • The VM in us-east1 and the VM from the on-premises network can also connect the endpoint in us-west1, even though they are in different regions. The dotted lines represent the inter-regional traffic path.

    A Private Service Connect endpoint with global access lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The client can be in the same region or a different region as the endpoint (click to enlarge).

Global access specifications

  • You can turn global access on or off at any time for an endpoint.

    • Turning on global access does not cause traffic disruption for existing connections.
    • Turning off global access terminates any connections from regions other than the region where the endpoint is located.
  • Not all Private Service Connect services support endpoints with global access. Check with your service producer to verify if their service supports global access. For more information, see Supported configurations.

  • Global access does not provide a single global IP address or DNS name for multiple global access endpoints.

Shared VPC

Service Project Admins can create endpoints in Shared VPC service projects that use IP addresses from Shared VPC networks. The configuration is the same as for a regular endpoint, but the endpoint uses an IP address that's reserved from a shared subnet of the Shared VPC.

The IP address resource can be reserved in the service project or the host project. The source of the IP address must be a subnet that is shared with the service project.

For more information, see Create an endpoint with an IP address from a Shared VPC network.

VPC Service Controls

VPC Service Controls and Private Service Connect are compatible with each other. If the VPC network where the Private Service Connect endpoint is deployed is in a VPC Service Controls perimeter, the endpoint is part of the same perimeter. Any VPC Service Controls-supported services that are accessed through the endpoint are subject to the policies of that VPC Service Controls perimeter.

When you create an endpoint, control-plane API calls are made between the consumer and producer projects to establish a Private Service Connect connection. Establishing a Private Service Connect connection between consumer and producer projects that are not in the same VPC Service Controls perimeter does not require explicit authorization with egress policies. Communication to VPC Service Controls-supported services through the endpoint is protected by the VPC Service Controls perimeter.

Static routes with load balancer next hops

Static routes can be configured to use the forwarding rule of an internal passthrough Network Load Balancer as the next hop (--next-hop-ilb). Not all routes of this type are supported with Private Service Connect.

Static routes that use --next-hop-ilb to specify the name of an internal passthrough Network Load Balancer forwarding rule can be used to send and receive traffic to a Private Service Connect endpoint when the route and the endpoint are in the same VPC network and region.

The following routing configurations are not supported with Private Service Connect:

  • Static routes that use --next-hop-ilb to specify the IP address of an internal passthrough Network Load Balancer forwarding rule.
  • Static routes that use --next-hop-ilb to specify the name or IP address of a Private Service Connect endpoint forwarding rule.

Logging

  • You can enable VPC Flow Logs on subnets containing VMs that are accessing services in another VPC network using endpoints. The logs show flows between the VMs and the endpoint.

  • You can view changes in connection status for endpoints using audit logs. Changes in connection status for the endpoint are captured in system event metadata for the resource type GCE forwarding rule. You can filter for pscConnectionStatus to view these entries.

    For example, when a service producer allows connections from your project, the connection status of the endpoint changes from PENDING to ACCEPTED, and this change is reflected in the audit logs.

Pricing

Pricing for Private Service Connect is described in the VPC pricing page.

Quotas

The number of endpoints that you can create for accessing published services is controlled by the PSC Internal LB Forwarding Rules quota. For more information, see quotas.

Organization policy constraints

An Organization Policy Administrator can use the constraints/compute.disablePrivateServiceConnectCreationForConsumers constraint to define the set of endpoint types for which users cannot create forwarding rules.

For information about creating an organization policy that uses this constraint, see Block consumers from deploying endpoints by connection type.

What's next