About accessing published services throughendpoints

This document provides an overview of connecting to services in anotherVPC network by using Private Service Connectendpoints. You can connect to your own services, or those provided by otherservice producers, including by Google.

Clients connect to the endpoint by using internal IP addresses.Private Service Connect performs network address translation(NAT) to route the request to the service.

For more information about published services, seeAbout published services.

A Private Service Connect endpoint privately connects to a managed service that is hosted in another VPC network. — A Private Service Connect endpoint lets service consumers send traffic from the consumer's VPC network to services in the service producer's VPC network. The consumer, endpoint, and service must all be in the same region. (click to enlarge).

Features and compatibility

In the following tables, acheckmark indicatesthat a feature is supported, and ano symbolindicates that a feature isn't supported.

Consumer configuration

This table summarizes the supported configuration options and capabilities ofendpoints that access published services.

Target producer	Consumer configuration (endpoint)
Target producer	Consumer global access	Hybrid access	Automatic DNS configuration (IPv4-only)	VPC Network Peering access	NCC connection propagation (IPv4 only)	Supported target services for IPv4 endpoints	Supported target services for IPv6 endpoints
Cross-region internal Application Load Balancer						IPv4 services	IPv4 services
Internal passthrough Network Load Balancer	Only ifglobal access is enabled on the load balancer (known issue)					IPv4 services	IPv4 services IPv6 services
Internal protocol forwarding (target instance)	Only ifglobal access is enabled on the producer forwarding rule (known issue)					IPv4 services	IPv4 services IPv6 services
Port mapping services	Only ifglobal access is enabled on the producer forwarding rule					IPv4 services	IPv4 services IPv6 services
Regional internal Application Load Balancer	Only ifglobal access is enabled on the load balancer before the service attachment is created					IPv4 services	IPv4 services
Regional internal proxy Network Load Balancer	Only ifglobal access is enabled on the load balancer before the service attachment is created					IPv4 services	IPv4 services
Secure Web Proxy						IPv4 services	IPv4 services

Producer configuration

This table summarizes the supported configuration options and capabilitiesofpublished services that are accessed by endpoints.

Producer type	Producer configuration (published service)
Producer type	Supported producer backends	PROXY protocol (TCP traffic only)	IP version
Cross-region internal Application Load Balancer	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups		IPv4
Internal passthrough Network Load Balancer	GCE_VM_IP zonal NEGs Instance groups		IPv4 IPv6
Internal protocol forwarding (target instance)	Not applicable		IPv4 IPv6
Port mapping services	Port mapping NEG		IPv4 IPv6
Regional internal Application Load Balancer	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups Regional internet NEGs		IPv4
Regional internal proxy Network Load Balancer	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Private Service Connect NEGs Instance groups		IPv4
Secure Web Proxy	Not applicable		IPv4

Different load balancers support different port configurations; some loadbalancers support a single port, some support a range of ports, and some supportall ports. For more information, seePortspecifications.

Limitations

Endpoints that access a published service have the following limitations:

You can't create an endpoint in the same VPC network as thepublished service that you are accessing.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, seeStatic routes with load balancer next hops.
Connectivity Tests can't test connectivity between an IPv6 endpoint and a published service.

On-premises access

Endpoints that you use to accessGoogle APIs can be accessed from supported connected on-premises hosts. Formore information, seeAccess endpoints from hybrid networks.

Specifications

Private Service Connect endpoints must be created in the same region as the published service that is the target of the endpoint.
The endpoint must be created in a different VPC network than the VPC network that contains the target service.
If you're using Shared VPC, you can create the endpoint in either the host project or a service project.
By default, the endpoint can be accessed only by clients that are in the same region and the same VPC network (or Shared VPC network) as the endpoint. For information about making endpoints available in other regions, seeGlobal access.
The IP address that you assign to the endpoint must be from aregular subnet.
- You can use an IPv4 address from an IPv4-only subnet or a dual-stack subnet.
- You can use an IPv6 address from an IPv6-only or dual-stack subnet if the subnet has aninternal IPv6 address range.
- The IP version of the IP address affects which published services the endpoint can connect to. For more information, see IP version translation.
- The IP address counts toward the project's quota forstatic internal IPv4 addresses or static internal IPv6 addresses.
When you create an endpoint to connect to a service, if the service has a DNS domain name configured, private DNS entries are automatically created in your VPC network for the endpoint.
Each endpoint has its own unique IP address and optionally its own unique DNS name.

Connection statuses

Private Service Connect endpoints, backends, and service attachments have connection statuses that describe the state of their connections. The consumer and producer resources that form the two sides of a connection always have the same status. You can view connection statuses when youview endpoint details, describe a backend, or view details for a published service.

The following table describes the possible statuses.

Connection status	Description
Accepted	The Private Service Connect connection is established. The two VPC networks have connectivity, and the connection is functioning normally.
Pending	The Private Service Connect connection is not established, and network traffic can't travel between the two networks. A connection might have this status for the following reasons: The service attachment requiresexplicit approval, and the consumer is not in the consumer accept list. The number of connections exceeds the service attachment'sconnection limit. Connections that are blocked for these reasons remain in the pending state indefinitely until the underlying issue is resolved.
Rejected	The Private Service Connect connection is not established. Network traffic can't travel between the two networks. A connection might have this status for the following reasons: A producerorganization policy rejected the connection. Aconsumer reject list rejected the connection.
Needs attention	There is an issue on the producer side of the connection. Some traffic might be able to flow between the two networks, but some connections might not be functional. For example, the producer'sNAT subnet might be exhausted and unable to allocate IP addresses for new connections.
Closed	The service attachment was deleted, and the Private Service Connect connection is closed. Network traffic can't travel between the two networks. A closed connection is aterminal state. To restore the connection, you must recreate both the service attachment and the endpoint or backend.

IP version translation

For Private Service Connect endpoints that connect to published services (service attachments), the IP version of the consumer forwarding rule's IP address determines the IP version of the endpoint and traffic that egresses the endpoint. The IP address can come from an IPv4-only, IPv6-only, or dual-stack subnet. The IP version of the endpoint can be either IPv4 or IPv6, but not both.

For published services, the IP version of the service attachment is determined by the IP address of the associated forwarding rule or Secure Web Proxy instance. This IP address must be compatible with the stack type of the service attachment'sNAT subnet. The NAT subnet can be an IPv4-only, IPv6-only, or dual-stack subnet. If the NAT subnet is a dual-stack subnet, either the IPv4 or IPv6 address range is used, but not both.

Private Service Connect doesn't support connecting an IPv4 endpoint with an IPv6 service attachment. In this case, the endpoint creation fails with the following error message:

Private Service Connect forwarding rule with an IPv4 address cannot target an IPv6 service attachment.

The following combinations are possible forsupported configurations:

IPv4 endpoint to IPv4 service attachment
IPv6 endpoint to IPv6 service attachment
IPv6 endpoint to IPv4 service attachment
In this configuration, Private Service Connect automatically translates between the two IP versions.

Connection propagation

With propagated connections, services that are accessible in oneconsumerVPC spoke throughPrivate Service Connect endpointscan be privately accessed by other consumer VPC spokes that areconnected to the same Network Connectivity Center hub.

For more information, seeAbout propagated connections.

Global access

Private Service Connect endpoints that are used to accessservices are regional resources. However, you can make an endpoint available inother regions byconfiguring globalaccess.

Global access lets resources in any region send traffic toPrivate Service Connect endpoints. You can use global access toprovide high availability across services that are hosted in multiple regions,or to allow clients to access a service that is not in the same region as theclient.

The following diagram illustrates clients in different regions accessing thesame endpoint:

The endpoint is inus-west1 and has global access configured.
The VM inus-west1 can send traffic to the endpoint, and the traffic stayswithin the same region.
The VM inus-east1 and the VM from the on-premises network can alsoconnect the endpoint inus-west1, even though they are in differentregions. The dotted lines represent the inter-regional traffic path.
A Private Service Connect endpoint with global accesslets service consumers send traffic from the consumer's VPCnetwork to services in the service producer's VPC network.The client can be in the same region or a different region as the endpoint(click to enlarge).

Global access specifications

You can turn global access on or off at any time for an endpoint.
- Turning on global access does not cause traffic disruption for existingconnections.
- Turning off global access terminates any connections from regions otherthan the region where the endpoint is located.
Not all Private Service Connect services support endpointswith global access. If you connect a global access endpoint to a servicethat isn't configured for global access, traffic might be sent tounheatlhy backends and dropped (known issue).
Check with your service producer to verify if theirservice supports global access. For more information, seeSupportedconfigurations.
Global access does not provide a single global IP address or DNS name formultiple global access endpoints.

Shared VPC

Service Project Admins can createendpoints in Shared VPC serviceprojects that use IP addresses fromShared VPC networks. Theconfiguration is the same as for a regular endpoint, but the endpoint uses an IPaddress that's reserved from a shared subnet of the Shared VPC.

The IP address resource can be reserved in the service project or the hostproject. The source of the IP address must be a subnet that isshared with the service project.

For more information, seeCreate an endpoint with an IP address from a Shared VPC network.

VPC Service Controls

VPC Service Controls and Private Service Connect arecompatible with each other. If the VPC network where thePrivate Service Connect endpoint is deployed is in aVPC Service Controls perimeter, theendpoint is part of the same perimeter. AnyVPC Service Controls-supported servicesthat are accessed through the endpointare subject to the policies of that VPC Service Controls perimeter.

When you create an endpoint, control-planeAPI calls are made between the consumer and producer projects to establish aPrivate Service Connect connection. Establishing aPrivate Service Connect connection between consumer and producerprojects that are not in the same VPC Service Controls perimeter does notrequire explicit authorization with egress policies. Communication toVPC Service Controls-supported services through theendpoint is protected by theVPC Service Controls perimeter.

Static routes with load balancer next hops

Static routes can be configured to use theforwarding rule of aninternal passthrough Network Load Balancer as the nexthop(--next-hop-ilb). Not all routes of this type are supported withPrivate Service Connect.

Static routes that use--next-hop-ilb to specify thename of aninternal passthrough Network Load Balancer forwarding rule can be used to send and receive traffic to aPrivate Service Connect endpoint when the route and the endpointare in the same VPC network and region.

The following routing configurations are not supported withPrivate Service Connect:

Static routes that use--next-hop-ilb to specify theIP address of aninternal passthrough Network Load Balancer forwarding rule.
Static routes that use--next-hop-ilb to specify thename orIP address of a Private Service Connect endpoint forwardingrule.

Logging

You can enable VPC Flow Logs on subnets containing VMs that are accessingservices in another VPC network usingendpoints. The logs show flows betweenthe VMs and the endpoint.
You can view changes inconnectionstatusfor endpoints usingauditlogs. Changes in connectionstatus for the endpoint are captured in system event metadata for the resourcetypeGCE forwarding rule. You can filter forpscConnectionStatus to view these entries.
For example, when a service producer allows connections from your project, theconnection status of the endpoint changes fromPENDING toACCEPTED, andthis change is reflected in the audit logs.
- To view audit logs, seeView logs.
- To set alerts based on audit logs, seeManaging log-basedalerts.

Pricing

Pricing for Private Service Connect is described in theVPC pricing page.

Quotas

The number ofendpoints that you can create for accessing published servicesis controlled by thePSC Internal LB Forwarding Rules quota.For more information, seequotas.

Organization policy constraints

An Organization Policy Administrator can use theconstraints/compute.disablePrivateServiceConnectCreationForConsumers constraintto define the set of endpoint types forwhich users cannot create forwarding rules.

For information about creating an organization policy that uses this constraint,seeBlock consumers from deploying endpoints by connection type.

What's next

Access published services by using endpoints

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.

Movatterモバイル変換