Private Service Connect

Private Service Connect is a capability of Google Cloud networking that allows consumers to access managed services privately from inside their VPC network.
Similarly, it allows managed service producers to host these services in their own separate VPC networks and offer a private connection to their consumers. For example, when you use Private Service Connect to access Cloud SQL, you are the service consumer, and Google is the service producer.
With Private Service Connect, consumers can use their own internal IP addresses to access services without leaving their VPC networks. Traffic remains entirely within Google Cloud. Private Service Connect provides service-oriented access between consumers and producers with granular control over how services are accessed.
Private Service Connect supports access to the following types of managed services:
- Published VPC-hosted services, which include the following:
  - Google-published services, such as Apigee or the GKE control plane
  - Third-party published services provided by Private Service Connect partners
  - Intra-organization published services, where the consumer and producer might be two different VPC networks within the same company
- Google APIs, such as Cloud Storage or BigQuery

Private Service Connect lets you send traffic to endpoints and backends that forward the traffic to managed services, including Google APIs and published services. Private Service Connect interfaces let managed services initiate connections to consumer VPC networks.

Private Service Connect provides private connectivity that has the following characteristics:
Service-oriented design: Producer services are published through load balancers that expose a single IP address to the consumer VPC network. Consumer traffic that accesses producer services is unidirectional and can only access the service IP address, rather than having access to an entire peered VPC network.
Explicit authorization: Private Service Connect provides an authorization model that gives consumers and producers granular control, ensuring that only the intended service endpoints and no other resources can connect to a service.
No shared dependencies: Traffic between consumer and producers uses NAT so that no IP address coordination or other shared resource dependencies exist between the consumer and producer VPC networks. This independence simplifies deployment and lets you more easily scale managed services.
Line-rate performance: Private Service Connect traffic goes directly from consumer clients to producer backends without intermediate hops or proxies. NAT is performed directly on the physical host machines that host the consumer and producer VMs, which reduces latency and increases bandwidth capacity. The bandwidth capacity of Private Service Connect is limited only by the bandwidth capacity of the client and server machines that are directly communicating.
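The "no shared dependencies" and host-level NAT properties above are easiest to see in a small model. The following is an added example, not code from the original page or from Google: it shows why a consumer and a producer VPC can keep overlapping ranges under Private Service Connect while VPC Peering cannot, and what the producer side actually sees after translation. All CIDRs, addresses and the `psc_forward` / `producer_firewall_allows` helpers are constructed for illustration.

```python
"""Added example, not part of the original page or Google's code: a model of
the host-level NAT Private Service Connect applies, contrasted with the
disjoint-range requirement of VPC Peering.  All values are constructed."""
import ipaddress


def peering_allowed(consumer_cidr: str, producer_cidr: str) -> bool:
    """VPC Peering needs non-overlapping ranges; False when they collide."""
    return not ipaddress.ip_network(consumer_cidr).overlaps(
        ipaddress.ip_network(producer_cidr))


def psc_forward(packet: dict, endpoint_ip: str, producer_lb_ip: str,
                nat_subnet: str, nat_index: int = 0):
    """Model the NAT done on the consumer-side host for one packet.

    Only traffic addressed to the endpoint IP is forwarded (service-oriented,
    unidirectional).  Destination becomes the producer load balancer IP and
    source becomes an address from the producer's PSC NAT subnet, so neither
    side needs to know the other's ranges.  (Simplification: real NAT address
    selection is not modelled; nat_index picks a host deterministically.)
    """
    if packet["dst"] != endpoint_ip:
        return None  # not the service IP: PSC exposes nothing else
    nat_src = str(list(ipaddress.ip_network(nat_subnet).hosts())[nat_index])
    return {"src": nat_src, "dst": producer_lb_ip, "dport": packet["dport"]}


def producer_firewall_allows(translated: dict, allowed_sources: list) -> bool:
    """Producer-side check: ingress rules must admit the NAT subnet, because
    the consumer's real ranges are invisible after translation."""
    src = ipaddress.ip_address(translated["src"])
    return any(src in ipaddress.ip_network(c) for c in allowed_sources)


def demo() -> dict:
    consumer_vpc, producer_vpc = "10.20.0.0/16", "10.20.0.0/16"  # overlap on purpose
    endpoint_ip, producer_lb_ip = "10.20.250.10", "10.20.8.5"
    nat_subnet = "192.168.77.0/24"  # PSC NAT subnet inside the producer VPC
    pkt = {"src": "10.20.3.44", "dst": endpoint_ip, "dport": 443}
    translated = psc_forward(pkt, endpoint_ip, producer_lb_ip, nat_subnet)
    return {
        "peering_possible": peering_allowed(consumer_vpc, producer_vpc),
        "psc_translated": translated,
        "producer_fw_ok": producer_firewall_allows(translated, [nat_subnet]),
        # a client addressing the producer LB directly never leaves its own VPC
        "stray_forwarded": psc_forward(
            {"src": "10.20.3.44", "dst": producer_lb_ip, "dport": 443},
            endpoint_ip, producer_lb_ip, nat_subnet),
    }
```

Practically, this is why producer-side firewall rules and flow logs are written against the PSC NAT subnet rather than consumer addresses.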

Private Service Connect types

Private Service Connect is available in different types that provide different capabilities and modes of communication.
Service producers publish their applications to consumers by creating Private Service Connect services. Service consumers access those Private Service Connect services directly through one of these Private Service Connect types:
Endpoints: Endpoints are deployed by using forwarding rules that provide the consumer an IP address that is mapped to the Private Service Connect service.
Backends: Backends are deployed by using Private Service Connect network endpoint groups (NEGs) that let consumers direct traffic to their load balancer before reaching a Private Service Connect service.
Service producers can initiate connections to service consumers by using Private Service Connect interfaces. Private Service Connect interfaces provide bidirectional communication and can be used in the same VPC network as endpoints and backends.

Endpoints

Private Service Connect endpoints are internal IP addresses in a consumer VPC network that can be directly accessed by clients in that network. Endpoints are created by deploying a forwarding rule that references a service attachment or a Google API.
The following diagram shows a Private Service Connect endpoint that targets a published service that is running in a separate VPC network and organization. Private Service Connect endpoints and published services let two independent companies communicate with each other by using internal IP addresses.
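The "explicit authorization" between an endpoint and the service attachment it targets is worth modelling for anyone who has to review producer-side connection state. The following is an added example, not code from the original page or from Google: field names follow the real service attachment resource (connectionPreference, consumerAcceptLists, consumerRejectLists), but the decision rules, including how reject lists and connection limits interact, are a simplification stated as assumptions in the comments and should be verified against current Google Cloud documentation.

```python
"""Added example, not Google's code: simplified model of the authorization a
Private Service Connect service attachment applies to consumer endpoints.
Field names follow the real resource; the decision rules are assumptions."""
from dataclasses import dataclass, field

ACCEPTED, PENDING, REJECTED = "ACCEPTED", "PENDING", "REJECTED"


@dataclass
class ServiceAttachment:
    connection_preference: str                 # "ACCEPT_AUTOMATIC" or "ACCEPT_MANUAL"
    consumer_accept_lists: dict = field(default_factory=dict)  # project -> connection limit
    consumer_reject_lists: set = field(default_factory=set)
    connections: list = field(default_factory=list)  # (project, endpoint, status)

    def accepted_count(self, project: str) -> int:
        return sum(1 for p, _, s in self.connections if p == project and s == ACCEPTED)

    def request_connection(self, consumer_project: str, endpoint: str) -> str:
        """Status given to a consumer forwarding rule that targets this attachment."""
        if consumer_project in self.consumer_reject_lists:
            status = REJECTED          # assumption: reject list applies in both modes
        elif self.connection_preference == "ACCEPT_AUTOMATIC":
            status = ACCEPTED          # any consumer project, no producer review
        elif consumer_project in self.consumer_accept_lists:
            limit = self.consumer_accept_lists[consumer_project]
            # assumption: accepted up to the per-project limit, extra endpoints wait
            status = ACCEPTED if self.accepted_count(consumer_project) < limit else PENDING
        else:
            status = PENDING           # unknown project: producer must decide explicitly
        self.connections.append((consumer_project, endpoint, status))
        return status

    def pending_review(self) -> list:
        """Producer-side review queue: endpoints awaiting an explicit decision."""
        return [(p, e) for p, e, s in self.connections if s == PENDING]


if __name__ == "__main__":
    sa = ServiceAttachment("ACCEPT_MANUAL", {"consumer-prj-a": 1}, {"blocked-prj"})
    for prj, ep in [("consumer-prj-a", "ep-1"), ("consumer-prj-a", "ep-2"),
                    ("blocked-prj", "ep-3"), ("unknown-prj", "ep-4")]:
        print(prj, ep, sa.request_connection(prj, ep))
    print("needs producer review:", sa.pending_review())
```

The PENDING queue is the producer's control point: with ACCEPT_MANUAL nothing from an unlisted project reaches the service until someone explicitly accepts it, which is the property the "explicit authorization" paragraph describes.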

Backends

Private Service Connect backends let Google Cloud load balancers send traffic through Private Service Connect to reach published services or Google APIs. The backends are deployed through Private Service Connect network endpoint groups (NEGs) that reference a producer service attachment or a supported Google API. Placing a load balancer in front of a managed service provides the consumer with more visibility and control than is possible through a Private Service Connect endpoint. Backends let you create configurations such as the following:
Customer-owned domains and certificates in front of managed services
Consumer-controlled failover between managed services in different regions
Centralized security configuration and access control for managed services
The following diagram shows an internal Application Load Balancer deployed with Private Service Connect backends that reference a published service. There are two load balancers in the configuration:
The consumer load balancer that provides control, visibility, and security of traffic to the service.
The producer load balancer that load balances traffic across the service backends.


Interfaces

A Private Service Connect interface is a special type of network interface that refers to a network attachment.
A service producer can create a Private Service Connect interface and request a connection to a network attachment. If the service consumer accepts the connection, Google Cloud allocates the interface an IP address from a subnet in the consumer VPC network that is specified by the network attachment. The VM of the Private Service Connect interface has a second, standard network interface that connects to the producer's VPC network.
A connection between a Private Service Connect interface and a network attachment is similar to the connection between a Private Service Connect endpoint and a service attachment, but it has two key differences:
A Private Service Connect interface lets a producer VPC network initiate connections to a consumer VPC network (managed service egress). An endpoint works in the reverse direction, letting a consumer VPC network initiate connections to a producer VPC network (managed service ingress).
A Private Service Connect interface connection is transitive. This means that workloads in a producer network can initiate connections to other workloads that are connected to the consumer VPC network. Private Service Connect endpoints can only initiate connections to the producer VPC network.



Key differences between Private Service Connect and VPC Peering

| Aspect | Private Service Connect | VPC Peering |
| --- | --- | --- |
| Purpose | Access services privately (Google or third-party) | Direct communication between two VPCs |
| Directionality | One-way (consumer to producer) | Bi-directional (both VPCs can communicate) |
| Network overlap | Overlapping IP ranges allowed (via private endpoints) | No overlapping IP ranges allowed |
| Scope | Service-specific (e.g., APIs, SaaS, custom services) | General network connectivity |
| Use case | Access Google services or third-party SaaS | Connect two VPCs for application or data sharing |
| Setup complexity | Involves service producer and consumer configuration | Simpler; direct peer configuration |
| Traffic visibility | Endpoint-level visibility for specific services | Full network traffic visibility |
| Managed services | Integrates seamlessly with managed services | No direct integration with managed services |
