Create a Private Service Connect backend

You can use Private Service Connect backends to connect to supported services by using a load balancer for policy enforcement. You connect to the service through a forwarding rule that is mapped to a backend that contains a Private Service Connect network endpoint group (NEG).

For more information about supported services and configurations, see About Private Service Connect backends.

This guide shows you how to add a Private Service Connect NEG to a load balancer to access either Google APIs or a published service. This guide does not include the full load balancer configuration.

For instructions that include creating a load balancer with a Private Service Connect backend, see the following:

Roles

The Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin) contains the permission required to perform the tasks described in this guide.

Before you begin

  1. Determine which service you want to connect to:

    • For published services:

      • If you want to publish your own service, see Publish managed services.

      • If you are connecting to a Google Cloud or third-party published service, ask the producer for the following information:

        • The URI of the service attachment for the service that you want to connect to.

        • Optionally, which port the service uses. If you know which port is used, you can specify it as part of the Private Service Connect NEG configuration.

        • Any requirements for what DNS names you use to send requests to. You might need to use specific DNS names in your URL map configuration.

    • For Google APIs, do one of the following:

  2. Determine which load balancer type supports the service that you want to connect to and make sure that you are familiar with the load balancer that you are updating. This guide describes how to add a Private Service Connect NEG to a load balancer, but you might want to perform additional configuration steps.

    For more information, see Supported load balancers and targets.

Create a Private Service Connect NEG

When you create a NEG, you choose which type of target it connects to:

  • A published service
  • A regional Google API
  • A global Google API

Create a NEG to connect to a published service

When you create a Private Service Connect NEG that points to a published service, you need the service attachment URI for the service. The service attachment has this format:

    projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME

The service producer might also provide a port to use for this service. If they do, make sure that you include the producer port in the NEG configuration.

For information about supported load balancers for this configuration, see Published service targets.

Console

  1. In the Google Cloud console, go to the Network endpoint groups page.


  2. Click Create network endpoint group.

  3. Enter a name for the network endpoint group.

  4. For the Network endpoint group type, select Private Service Connect NEG (Regional).

  5. Configure the target:

    1. For Target, select Published service.
    2. For Target service, enter the URI of the service attachment.
    3. Optional: For Producer port, enter the port that the producer has provided to you. If omitted, the port is automatically assigned.
    4. Select the Network and Subnetwork to create the network endpoint group in.

      The subnet must be in the same region as the published service.

  6. Click Create.

gcloud

Use the gcloud compute network-endpoint-groups create command:

    gcloud compute network-endpoint-groups create NEG_NAME \
        --network-endpoint-type=private-service-connect \
        --psc-target-service=TARGET_SERVICE \
        --region=REGION \
        --network=NETWORK \
        --subnet=SUBNET

If you know which port is being used by the producer, you can specify the port with --producer-port=PORT.

Replace the following:

  • NEG_NAME: a name for the network endpoint group.

  • TARGET_SERVICE: the URI of the service attachment.

  • REGION: the region to create the network endpoint group in. The region must be the same region as the target service.

  • NETWORK: the network to create the network endpoint group in. If omitted, the default network is used.

  • SUBNET: the subnet to create the network endpoint group in. The subnet must be in the same region as the target service. A subnet must be provided if you provide the network. If both network and subnet are omitted, the default network is used, and the default subnet in the specified REGION is used.

  • PORT: the port that the producer is using for the service.
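The two constraints stated above (the service attachment URI has a fixed shape, and the NEG's region must equal the region embedded in that URI) are easy to get wrong when the values come from a producer over chat or email. The following script is an added example, not code from the Google Cloud documentation: it checks both constraints plus the optional producer port, then prints the gcloud command as a dry run without executing it, so it runs with no gcloud installed. The function names and the sample project, region, network and subnet names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud documentation: check the
# inputs for a Private Service Connect NEG that targets a published service
# and emit the gcloud command as a dry run. Nothing is executed, so the
# script runs without gcloud; function names and sample values are
# constructed for this example.

# Print the REGION segment of a service attachment URI of the form
# projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME.
# The body runs in a subshell so the IFS change stays local; a malformed
# URI ends the subshell with status 1.
psc_attachment_region() (
    IFS=/
    set -- $1
    [ "$#" -eq 6 ] || exit 1
    [ "$1" = projects ] && [ "$3" = regions ] && [ "$5" = serviceAttachments ] || exit 1
    [ -n "$2" ] && [ -n "$4" ] && [ -n "$6" ] || exit 1
    printf '%s\n' "$4"
)

# Arguments: NEG_NAME TARGET_SERVICE REGION NETWORK SUBNET [PORT]
# Fails if the URI is malformed, if REGION differs from the region in the
# service attachment (the NEG must be in the target service's region), or
# if PORT is given but is not a valid TCP port number.
psc_neg_create_cmd() {
    neg_name=$1 target=$2 region=$3 network=$4 subnet=$5 port=$6
    sa_region=$(psc_attachment_region "$target") || {
        echo "error: malformed service attachment URI: $target" >&2
        return 1
    }
    if [ "$sa_region" != "$region" ]; then
        echo "error: NEG region $region does not match service attachment region $sa_region" >&2
        return 1
    fi
    if [ -n "$port" ]; then
        case "$port" in
            *[!0-9]*) echo "error: port must be numeric: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "error: port out of range: $port" >&2; return 1
        fi
    fi
    cmd="gcloud compute network-endpoint-groups create $neg_name"
    cmd="$cmd --network-endpoint-type=private-service-connect"
    cmd="$cmd --psc-target-service=$target"
    cmd="$cmd --region=$region --network=$network --subnet=$subnet"
    if [ -n "$port" ]; then
        cmd="$cmd --producer-port=$port"
    fi
    printf '%s\n' "$cmd"
}

# Constructed sample: a NEG in the same region as the producer's attachment.
psc_neg_create_cmd psc-neg-us \
    projects/producer-project/regions/us-central1/serviceAttachments/example-svc \
    us-central1 consumer-vpc consumer-subnet-us 443
```

Run it and paste the printed line into your shell once it looks right; a non-zero exit status means one of the documented constraints was violated and the command was not printed.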

Create a NEG to connect to a regional Google API

You can create a NEG to connect to a regional Google API.

For information about supported load balancers for this configuration, see Regional Google API targets.

Console

  1. In the Google Cloud console, go to the Network endpoint groups page.


  2. Click Create network endpoint group.

  3. Enter a name for the network endpoint group.

  4. For the Network endpoint group type, select Private Service Connect NEG (Regional).

  5. Configure the target:

    1. For Target, select Google APIs.
    2. Select a Region and the Target service.
  6. Click Create.

gcloud

Use the gcloud compute network-endpoint-groups create command:

    gcloud compute network-endpoint-groups create NEG_NAME \
        --network-endpoint-type=private-service-connect \
        --psc-target-service=TARGET_SERVICE \
        --region=REGION

Replace the following:

  • NEG_NAME: a name for the network endpoint group.

  • TARGET_SERVICE: the regional service endpoint that you want to connect to.

  • REGION: the region to create the network endpoint group in. The region must be the same region as the target service.

Create a NEG to connect to a global Google API

You can create a Private Service Connect NEG to connect to a global Google API. NEGs are regional, even when they are connecting to global APIs. In this configuration, the region is ignored.

For information about supported load balancers for this configuration, see Global Google API targets.

For complete instructions about creating a cross-region internal Application Load Balancer and a Private Service Connect NEG to access global Google APIs, see Access global Google APIs.

Console

  1. In the Google Cloud console, go to the Network endpoint groups page.


  2. Click Create network endpoint group.

  3. Enter a name for the network endpoint group.

  4. For the Network endpoint group type, select Private Service Connect NEG (Regional).

  5. Configure the target:

    1. For Target, select Global Google APIs.
    2. Select a Region and the Target service.
  6. Click Create.

gcloud

Use the gcloud compute network-endpoint-groups create command:

    gcloud compute network-endpoint-groups create NEG_NAME \
        --network-endpoint-type=private-service-connect \
        --psc-target-service=TARGET_SERVICE \
        --region=REGION

Replace the following:

  • NEG_NAME: a name for the network endpoint group.

  • TARGET_SERVICE: the global Google API that you want to connect to.

  • REGION: the region to create the network endpoint group in.

Add a Private Service Connect backend to a load balancer

You can configure a supported load balancer to direct traffic to a Private Service Connect NEG backend.

For more information about supported configurations, see Specifications.

Add a backend to an Application Load Balancer

Add a NEG to an Application Load Balancer.

Console

Edit the load balancer

  1. In the Google Cloud console, go to the Load balancing page.


  2. Click the load balancer that you want to modify.

  3. Click Edit.

Update the backend configuration

  1. Click Backend configuration.
  2. Expand the list of backend services, and select Create a backend service.
  3. Enter a name for the backend service.
  4. Set the Backend type to Private Service Connect network endpoint group.
  5. In the Backends section, click the Private Service Connect network endpoint group list, and select the Private Service Connect NEG that you created. Click Done.
  6. If you are configuring a global external Application Load Balancer to connect to a published service in multiple regions, and you have created more than one Private Service Connect NEG, click Add backend to select another NEG.

    Repeat this step until all NEGs for this managed service are added to the backend service.

  7. ClickCreate.

Update the routing rules

  1. Click Routing rules.
  2. Enter a Host and Path for each backend service that you have added.
  3. To review the configuration, click Review and finalize.
  4. Click Create.

gcloud

Update the backend configuration

  1. Create a backend service for the target service.

    • If you are adding the backend service to a regional load balancer, use the --region flag to specify the same region as the load balancer.

      gcloud compute backend-services create BACKEND_SERVICE_NAME \
          --load-balancing-scheme=SCHEME \
          --protocol=HTTPS \
          --region=REGION

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service.
      • SCHEME: the load balancing scheme for the load balancer that you are modifying:
        • For a regional external Application Load Balancer, use EXTERNAL_MANAGED.
        • For an internal Application Load Balancer, use INTERNAL_MANAGED.
      • REGION: the region of the backend service. Use the same region as the NEG.
    • If you are adding the backend service to a global external Application Load Balancer, use the --global flag.

      gcloud compute backend-services create BACKEND_SERVICE_NAME \
          --load-balancing-scheme=EXTERNAL_MANAGED \
          --protocol=HTTPS \
          --global

      Replace BACKEND_SERVICE_NAME with the name of the backend service.

  2. Add the Private Service Connect NEG that points to the target service.

    • If you are adding a backend service to a regional load balancer, use the --region flag to specify the same region as the load balancer.

      gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
          --network-endpoint-group=NEG_NAME \
          --network-endpoint-group-region=NEG_REGION \
          --region=REGION

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service.
      • NEG_NAME: the name of the network endpoint group.
      • NEG_REGION: the region of the network endpoint group.
      • REGION: the region of the backend service.
    • If you are adding a backend service to a global external Application Load Balancer, use the --global flag.

      If you have created multiple NEGs in different regions for the same service, repeat this step to add all of the NEGs to the backend service.

      gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
          --network-endpoint-group=NEG_NAME \
          --network-endpoint-group-region=NEG_REGION \
          --global

      Replace the following:

      • BACKEND_SERVICE_NAME: the name of the backend service.
      • NEG_NAME: the name of the network endpoint group.
      • NEG_REGION: the region of the network endpoint group.

Update the routing rules

  1. For each backend service that you created, add a path matcher to the load balancer's URL map.

    • If the URL map is regional, specify the region by using the --region flag.

      gcloud compute url-maps add-path-matcher URL_MAP_NAME \
          --path-matcher-name=PATH_MATCHER \
          --default-service=BACKEND_SERVICE_NAME \
          --region=REGION

      Replace the following:

      • URL_MAP_NAME: the name of the URL map.
      • PATH_MATCHER: a name for the path matcher.
      • BACKEND_SERVICE_NAME: the name of the backend service.
      • REGION: the region of the URL map.
    • If the URL map is global, specify the --global flag.

      gcloud compute url-maps add-path-matcher URL_MAP_NAME \
          --path-matcher-name=PATH_MATCHER \
          --default-service=BACKEND_SERVICE_NAME \
          --global

      Replace the following:

      • URL_MAP_NAME: the name of the URL map.
      • PATH_MATCHER: a name for the path matcher.
      • BACKEND_SERVICE_NAME: the name of the backend service.
  2. For each hostname, add a host rule.

    Each host rule can reference only one path matcher, but two or more host rules can reference the same path matcher.

    • If the URL map is regional, specify the region by using the --region flag.

      gcloud compute url-maps add-host-rule URL_MAP_NAME \
          --hosts=HOST \
          --path-matcher-name=PATH_MATCHER \
          --region=REGION

      Replace the following:

      • URL_MAP_NAME: the name of the URL map.
      • HOST: the hostname to send requests to for this service.
      • PATH_MATCHER: the name of the path matcher.
      • REGION: the region of the URL map.
    • If the URL map is global, specify the --global flag.

      gcloud compute url-maps add-host-rule URL_MAP_NAME \
          --hosts=HOST \
          --path-matcher-name=PATH_MATCHER \
          --global

      Replace the following:

      • URL_MAP_NAME: the name of the URL map.
      • HOST: the hostname to send requests to for this service.
      • PATH_MATCHER: the name of the path matcher.
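The four gcloud steps above (create the backend service, add one or more NEG backends, add a path matcher, add a host rule) differ between a global external and a regional Application Load Balancer only in the scheme and in the --global versus --region flag, and the regional variant has the extra constraint that the backend service and every NEG share a region. The script below is an added example, not Google's own code: it generates the whole sequence as a dry run for either scope, checking those constraints before printing anything, and accepts several NEGs for the global case to cover the multi-region repeat step. Function names and sample values are constructed, and the URL map is assumed to share the backend service's scope and region.

```shell
#!/bin/sh
# Added example, not Google's own code: generate, as a dry run, the gcloud
# command sequence that attaches Private Service Connect NEGs to an
# Application Load Balancer and routes a hostname to them. Commands are
# printed, never executed. Function names and sample values are constructed;
# the URL map is assumed to be in the same scope and region as the backend
# service.
#
# Arguments: SCOPE BACKEND_SERVICE NEGS URL_MAP PATH_MATCHER HOST [SCHEME REGION]
#   SCOPE  global | regional
#   NEGS   comma-separated NAME:REGION pairs; a global external load balancer
#          may list one NEG per region, a regional one must keep every NEG
#          in REGION
#   SCHEME (regional only) EXTERNAL_MANAGED or INTERNAL_MANAGED
#   REGION (regional only) region of the backend service and URL map
psc_alb_backend_cmds() {
    scope=$1 backend=$2 negs=$3 url_map=$4 matcher=$5 host=$6 scheme=$7 region=$8
    case "$scope" in
        global)
            scheme=EXTERNAL_MANAGED
            location=--global ;;
        regional)
            case "$scheme" in
                EXTERNAL_MANAGED|INTERNAL_MANAGED) ;;
                *) echo "error: SCHEME must be EXTERNAL_MANAGED or INTERNAL_MANAGED" >&2; return 1 ;;
            esac
            [ -n "$region" ] || { echo "error: REGION is required for a regional load balancer" >&2; return 1; }
            location="--region=$region" ;;
        *)  echo "error: SCOPE must be global or regional" >&2; return 1 ;;
    esac

    # Validate every NEG entry before printing anything, so a failed call
    # never leaves a half-emitted command list behind.
    count=0
    for pair in $(printf '%s' "$negs" | tr ',' ' '); do
        neg=${pair%%:*} neg_region=${pair#*:}
        if [ -z "$neg" ] || [ -z "$neg_region" ] || [ "$neg_region" = "$pair" ]; then
            echo "error: NEG entry must be NAME:REGION, got '$pair'" >&2; return 1
        fi
        # A regional backend service must be in the same region as its NEGs.
        if [ "$scope" = regional ] && [ "$neg_region" != "$region" ]; then
            echo "error: NEG $neg is in $neg_region but the backend service is in $region" >&2; return 1
        fi
        count=$((count + 1))
    done
    [ "$count" -ge 1 ] || { echo "error: at least one NEG is required" >&2; return 1; }

    echo "gcloud compute backend-services create $backend --load-balancing-scheme=$scheme --protocol=HTTPS $location"
    for pair in $(printf '%s' "$negs" | tr ',' ' '); do
        echo "gcloud compute backend-services add-backend $backend --network-endpoint-group=${pair%%:*} --network-endpoint-group-region=${pair#*:} $location"
    done
    echo "gcloud compute url-maps add-path-matcher $url_map --path-matcher-name=$matcher --default-service=$backend $location"
    echo "gcloud compute url-maps add-host-rule $url_map --hosts=$host --path-matcher-name=$matcher $location"
}

# Constructed sample: a global external load balancer fronting a service
# published in two regions, so add-backend is emitted once per NEG.
psc_alb_backend_cmds global psc-backend neg-us:us-central1,neg-eu:europe-west1 \
    psc-url-map psc-matcher api.example.internal
```

Because validation finishes before the first echo, the output is either the complete sequence or nothing, which keeps a wrapper such as `psc_alb_backend_cmds ... | sh` from running a backend service creation whose add-backend step would then fail on a region mismatch.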

Add a backend to a regional internal proxy Network Load Balancer

You can add a Private Service Connect NEG backend to a regional internal proxy Network Load Balancer if the NEG is pointing to a published service. Regional internal proxy Network Load Balancers support only one backend service.

To configure the regional internal proxy Network Load Balancer, follow the instructions to set up a regional internal proxy Network Load Balancer with zonal backends, but don't complete the "Create the zonal NEGs" steps or configure health checks. Instead of configuring a zonal NEG, use the following instructions to add the Private Service Connect NEG that you created to a Private Service Connect backend.

Console

  1. In the regional internal proxy Network Load Balancer that you are creating, click Backend configuration.
  2. For Backend type, select Private Service Connect network endpoint group.
  3. For New backend, select the NEG that you created.
  4. Retain the remaining default values, and then click Done.
  5. In the Google Cloud console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.

gcloud

  1. Create a backend service for the target service.

    gcloud compute backend-services create BACKEND_SERVICE_NAME \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --protocol=TCP \
        --region=REGION

    Replace the following:

    • BACKEND_SERVICE_NAME: the name of the backend service.
    • REGION: the region of the backend service. Use the same region as the NEG.
  2. Add the Private Service Connect NEG that points to the target service.

    gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
        --network-endpoint-group=NEG_NAME \
        --network-endpoint-group-region=NEG_REGION \
        --region=REGION

    Replace the following:

    • BACKEND_SERVICE_NAME: the name of the backend service.
    • NEG_NAME: the name of the network endpoint group.
    • NEG_REGION: the region of the network endpoint group.
    • REGION: the region of the backend service.

Add a backend to a regional external proxy Network Load Balancer

You can add a Private Service Connect NEG backend to a regional external proxy Network Load Balancer if the NEG is pointing to a published service. This load balancer supports only one backend service.

To configure the load balancer, follow the instructions to set up a regional external proxy Network Load Balancer with zonal backends, but don't complete the "Create the zonal NEGs" steps or configure health checks. Instead of configuring a zonal NEG, use the following instructions to add the Private Service Connect NEG that you created to a Private Service Connect backend.

Console

  1. In the regional external proxy Network Load Balancer that you are creating, click Backend configuration.
  2. For Backend type, select Private Service Connect network endpoint group.
  3. For New backend, select the NEG that you created.
  4. Retain the remaining default values, and then click Done.
  5. In the Google Cloud console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.

gcloud

  1. Create a backend service for the target service.

    gcloud compute backend-services create BACKEND_SERVICE_NAME \
        --load-balancing-scheme=EXTERNAL_MANAGED \
        --protocol=TCP \
        --region=REGION

    Replace the following:

    • BACKEND_SERVICE_NAME: the name of the backend service.
    • REGION: the region of the backend service. Use the same region as the NEG.
  2. Add the Private Service Connect NEG that points to the target service.

    gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \
        --network-endpoint-group=NEG_NAME \
        --network-endpoint-group-region=NEG_REGION \
        --region=REGION

    Replace the following:

    • BACKEND_SERVICE_NAME: the name of the backend service.
    • NEG_NAME: the name of the network endpoint group.
    • NEG_REGION: the region of the network endpoint group.
    • REGION: the region of the backend service.

List backends

You can list all configured Private Service Connect backends.

Console

  1. In the Google Cloud console, go to the Private Service Connect page.


  2. Click the Connected endpoints tab.

    The Private Service Connect backends are displayed in the Load balancer endpoints section.

Describe a backend

You can describe a Private Service Connect backend to view its details, including its connection status.

Console

  1. List the available backends.
  2. Click the backend that you want to describe.

Troubleshooting

Error accessing load balancer's forwarding rule

If you see a 404 error when you try to access your load balancer's forwarding rule, the error might have one of the following causes:

  • The URL map hasn't propagated yet.

    If you just created the load balancer, try waiting a few minutes.

  • The URL that you are using in your request does not match a URL defined in the URL map.

    Verify that the URL you are trying matches the URL map configuration in your load balancer.

  • The service producer backend does not support the URL that you are trying to access.

    Ask the service producer to verify which URL you should use to access their service.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.