Private Service Connect compatibility

Services

You can access the following services by usingPrivate Service Connect.

Google published services

Google service	Access provided
AlloyDB for PostgreSQL	Lets youconnect to AlloyDB for PostgreSQL instances.
Apigee	Lets youexpose APIs managed by Apigee to the internet. Also lets you connect privately from Apigee tobackend target services.
BigQuery connections SAP Datasphere	Lets you increase security whenusing BigQuery to send queries to SAP Datasphere.
BigQuery Data Transfer Service	Lets youuse BigQuery Data Transfer Service for Oracle.
Blockchain Node Engine	Lets youaccess Blockchain Node Engine nodes.
Chrome Enterprise Premium	Lets the Identity-Aware Proxy access the App Connector Gateway.
Cloud Data Fusion	Lets youconnect Cloud Data Fusion instances to resources in VPC networks.
Cloud Composer 2	Lets youaccess the Cloud Composer tenant project.
Cloud Composer 3	Lets youaccess the Cloud Composer tenant project.
Cloud SQL	Lets youaccess your Cloud SQL database privately. Lets you automate creating connections to Cloud SQL instances through service connectivity automation.
Cloud Workstations	Lets youaccess private workstation clusters.
Database Migration Service	Lets youmigrate your data to Google Cloud.
Dataproc Metastore	Lets youaccess Dataproc Metastore services.
Eventarc	Lets youreceive events from Eventarc.
Google Cloud Contact Center as a Service (CCaaS)	Lets your agents and supervisorsprivately access the Google Cloud Contact Center as a Service interface. Lets your Google Cloud Contact Center as a Service instanceprivately access other systems via a VPC network.
Google Cloud Managed Service for Apache Kafka	Lets youaccess Managed Service for Apache Kafka clusters.
Google Kubernetes Engine (GKE) public clusters and private clusters	Lets you privately connect nodes and the control plane for a public or private cluster.
Integration Connectors	Lets Integration Connectorsaccess your managed services privately.
Looker (Google Cloud core)	Lets youaccess Looker (Google Cloud core) instances.
Memorystore for Redis Cluster	Lets youautomate creating connections to Memorystore for Redis Cluster instances through service connectivity automation.
Memorystore for Valkey	Lets youautomate creating connections to Memorystore for Valkey instances through service connectivity automation.
Ray on Vertex AI	Lets youaccess Ray clusters.
Vertex AI Pipelines	Lets youcreate pipeline runs.
Vertex AI Training	Lets youaccess custom jobs and persistent resources.
Vertex AI Vector Search	Lets youautomate creating connections to Vector Search endpoints through service connectivity automation.
Vertex AI predictions	Lets you access Vertex AI online prediction.

Third-party published services

Third-party service	Access provided
Aiven	Providesprivate access to Aiven Kafka clusters.
Axoflow	Providesprivate access to Axoflow Platform.
Citrix DaaS	Providesprivate access to Citrix DaaS.
ClickHouse	Providesprivate access to ClickHouse services.
Confluent Cloud	Providesprivate access to Confluent Cloud clusters.
Couchbase	Providesprivate access to Capella clusters.
Databricks	Providesprivate access to Databricks clusters.
Datadog	Providesprivate access to Datadog intake services.
Datastax Astra	Providesprivate access to Datastax Astra DB databases.
dbt	Providesprivate access to the dbt multi-tenant environment.
Elasticsearch	Providesprivate access to Elastic Cloud.
Groq	Providesprivate access to Groq Cloud.
JFrog	Providesprivate access to JFrog SaaS instances.
MongoDB Atlas	Providesprivate access to MongoDB Atlas.
Neo4j Aura	Providesprivate access to Neo4j Aura.
Pega Cloud	Providesprivate access to Pega Cloud.
Redis Enterprise Cloud	Providesprivate access to Redis Enterprise clusters.
Redpanda	Providesprivate access to Redpanda Cloud.
Snowflake	Providesprivate access to Snowflake.
Striim	Providesprivate access to Striim Cloud.
Zenoss	Providesprivate access to Zenoss Cloud.

Self-managed published services

Source of your service	Service producer configuration	Service consumer configuration
Cloud Load Balancing	Publish the service	Create an endpoint to access the published service Create a backend to access the published service
Google Kubernetes Engine (GKE)	Publish the service: Route requests to your service through an internal`LoadBalancer` service and publish the service through a`ServiceAttachment`	Create an endpoint to access the published service Create a backend to access the published service
Cloud Run and Cloud Run functions (2nd gen)	Choose one of the following: `run.app` URL: you don't need additional configuration `cloudfunctions.net` URL (for Cloud Run functions only): you don't need additional configuration Published service: Route requests to your service through a load balancer with a Serverless NEG andpublish the service	Choose the consumer option that corresponds with the service producer configuration: `cloudfunctions.net` and`run.app` URLs: Create an endpoint to access those URLs Published service: Create an endpoint to access the published service Create a backend to access the published service
Cloud Run functions (1st gen)	`cloudfunctions.net` URL: you don't need additional configuration	Create an endpoint to access`cloudfunctions.net` URLs
App Engine	You don't need additional configuration	Create an endpoint to access`appspot.com` URLs

Global Google APIs

Endpoints can target a bundle of global Google APIs or a single regional GoogleAPI. Backends can target a single global Google API or a single regional GoogleAPI.

Bundles of global Google APIs

You can use Private Service Connect endpoints to send trafficto a bundle of Google APIs.

When you create an endpoint to access Google APIs and services, you choose which bundle of APIs you need access to—All APIs (all-apis) orVPC-SC (vpc-sc):

Theall-apis bundle provides access to most Google APIs and services, including all*.googleapis.com service endpoints.
Thevpc-sc bundle provides access toAPIs and services that support VPC Service Controls.

Note: Note: These bundles provide access to the same APIs that are available through the Private Google Access VIPs—all-apis is equivalent toprivate.googleapis.com andvpc-sc is equivalent torestricted.googleapis.com.

The API bundles support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All otherprotocols, including MQTT and ICMP are not supported.

API bundle Supported services Example usage

API bundle	Supported services	Example usage
`all-apis`	Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites. Domain names that match: `accounts.google.com` (only supports paths needed for OAuth authentication of service accounts; user account authentication is interactive and not supported) `.aiplatform-notebook.cloud.google.com` `.aiplatform-notebook.googleusercontent.com` `appengine.google.com` `.appspot.com` `.backupdr.cloud.google.com` `backupdr.cloud.google.com` `.backupdr.googleusercontent.com` `backupdr.googleusercontent.com` `.cloudfunctions.net` `.cloudproxy.app` `.composer.cloud.google.com` `.composer.googleusercontent.com` `.datafusion.cloud.google.com` `.datafusion.googleusercontent.com` `.dataproc.cloud.google.com` `dataproc.cloud.google.com` `.dataproc.googleusercontent.com` `dataproc.googleusercontent.com` `.developerconnect.dev` `dl.google.com` `gcr.io` or`.gcr.io` `.googleapis.com` `.gke.goog` `.gstatic.com` `.kernels.googleusercontent.com` `.ltsapis.goog` `.notebooks.byoid.googleusercontent.com` `.notebooks.cloud.google.com` `notebooks.cloud.google.com` `.notebooks.googleusercontent.com` `packages.cloud.google.com` `pkg.dev` or`.pkg.dev` `pki.goog` or`.pki.goog` `.run.app` `source.developers.google.com` `storage.cloud.google.com`	Choose`all-apis` under these circumstances: You don't use VPC Service Controls. You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls.¹
`vpc-sc`	Enables API access toGoogle APIs and services that are supported by VPC Service Controls. Blocks access to Google APIs and services that do not supportVPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.	Choose`vpc-sc` when youonly need access to Google APIs and services thatare supported by VPC Service Controls. The`vpc-sc` bundle does not permit access to Google APIs and services that do not support VPC Service Controls.¹

all-apis

Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.

Domain names that match:

accounts.google.com (only supports paths needed for OAuth authentication of service accounts; user account authentication is interactive and not supported)
*.aiplatform-notebook.cloud.google.com
*.aiplatform-notebook.googleusercontent.com
appengine.google.com
*.appspot.com
*.backupdr.cloud.google.com
backupdr.cloud.google.com
*.backupdr.googleusercontent.com
backupdr.googleusercontent.com
*.cloudfunctions.net
*.cloudproxy.app
*.composer.cloud.google.com
*.composer.googleusercontent.com
*.datafusion.cloud.google.com
*.datafusion.googleusercontent.com
*.dataproc.cloud.google.com
dataproc.cloud.google.com
*.dataproc.googleusercontent.com
dataproc.googleusercontent.com
*.developerconnect.dev
dl.google.com
gcr.io or*.gcr.io
*.googleapis.com
*.gke.goog
*.gstatic.com
*.kernels.googleusercontent.com
*.ltsapis.goog
*.notebooks.byoid.googleusercontent.com
*.notebooks.cloud.google.com
notebooks.cloud.google.com
*.notebooks.googleusercontent.com
packages.cloud.google.com
pkg.dev or*.pkg.dev
pki.goog or*.pki.goog
*.run.app
source.developers.google.com
storage.cloud.google.com

Chooseall-apis under these circumstances:

You don't use VPC Service Controls.
You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls.¹

vpc-sc

Enables API access toGoogle APIs and services that are supported by VPC Service Controls.

Blocks access to Google APIs and services that do not supportVPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

Choosevpc-sc when youonly need access to Google APIs and services thatare supported by VPC Service Controls. Thevpc-sc bundle does not permit access to Google APIs and services that do not support VPC Service Controls.¹

¹ If you need to restrict users to just the Google APIs and services that supportVPC Service Controls, usevpc-sc, as it provides additional risk mitigation for data exfiltration. Usingvpc-sc denies access to Google APIs and services that are not supported by VPC Service Controls. SeeSetting up private connectivity in the VPC Service Controls documentation for more details.

Single global Google API

You can use Private Service Connect backends to send requeststo a single supported global Google API. The following APIs are supported:

Bigtable:bigtable.googleapis.com andbigtableadmin.googleapis.com
Cloud Logging:logging.googleapis.com
Spanner:spanner.googleapis.com
Cloud Storage:storage.googleapis.com
Pub/Sub:pubsub.googleapis.com

Regional Google APIs

You can use endpoints or backends to access regional Google APIs.For a list of supported regional Google APIs, seeRegional serviceendpoints.

Types

The following tables summarize compatibility information for differentPrivate Service Connect configurations.

In the following tables, a checkmark indicatesthat a feature is supported, and a no symbolindicates that a feature isn't supported.

Endpoints and published services

This section summarizes the configuration options that are available forconsumers and producers when using endpoints to access published services.

Consumer configuration

This table summarizes the supported configuration options and capabilities ofendpoints that access published services based on target producer type.

Target producer	Consumer configuration (endpoint)
Target producer	Consumer global access	Hybrid access	Automatic DNS configuration (IPv4-only)	VPC Network Peering access	NCC connection propagation (IPv4 only)	Supported target services for IPv4 endpoints	Supported target services for IPv6 endpoints
Cross-region internal Application Load Balancer						IPv4 services	IPv4 services
Internal passthrough Network Load Balancer	Only ifglobal access is enabled on the load balancer (known issue)					IPv4 services	IPv4 services IPv6 services
Internal protocol forwarding (target instance)	Only ifglobal access is enabled on the producer forwarding rule (known issue)					IPv4 services	IPv4 services IPv6 services
Port mapping services	Only ifglobal access is enabled on the producer forwarding rule					IPv4 services	IPv4 services IPv6 services
Regional internal Application Load Balancer	Only ifglobal access is enabled on the load balancer before the service attachment is created					IPv4 services	IPv4 services
Regional internal proxy Network Load Balancer	Only ifglobal access is enabled on the load balancer before the service attachment is created					IPv4 services	IPv4 services
Secure Web Proxy						IPv4 services	IPv4 services

Endpoints that access a published service have the following limitations:

You can't create an endpoint in the same VPC network as thepublished service that you are accessing.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, seeStatic routes with load balancer next hops.
Connectivity Tests can't test connectivity between an IPv6 endpoint and a published service.

Producer configuration

This table summarizes the supported configuration options and capabilities ofpublished services that are accessed by endpoints.

Producer type	Producer configuration (published service)
Producer type	Supported producer backends	PROXY protocol (TCP traffic only)	IP version
Cross-region internal Application Load Balancer	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups		IPv4
Internal passthrough Network Load Balancer	GCE_VM_IP zonal NEGs Instance groups		IPv4 IPv6
Internal protocol forwarding (target instance)	Not applicable		IPv4 IPv6
Port mapping services	Port mapping NEG		IPv4 IPv6
Regional internal Application Load Balancer	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups Regional internet NEGs		IPv4
Regional internal proxy Network Load Balancer	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Private Service Connect NEGs Instance groups		IPv4
Secure Web Proxy	Not applicable		IPv4

Published services have the following limitations:

Load balancers that are configured with multiple protocols—protocol set toL3_DEFAULT—are not supported.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
You must use the Google Cloud CLI or the API to create a service attachment that points to a forwarding rule that is used forinternal protocol forwarding.

For issues and workarounds, seeKnown issues.

Different load balancers support different port configurations; some loadbalancers support a single port, some support a range of ports, and some supportall ports. For more information, seePortspecifications.

Backends and published services

A Private Service Connect backend for published services requires two load balancers—a consumer load balancer and a producer load balancer. This section summarizes the configuration options that are available for consumers and producers when using backends to access published services.

Consumer configuration

This table describes the consumer load balancers that are supported by Private Service Connect backends for published services, including which backend service protocols can be used with each consumer load balancer. The consumer load balancers can access published services that are hosted onsupported producer load balancers.

Consumer load balancer	Protocols	IP version
Cross-region internal Application Load Balancer	HTTP HTTPS HTTP2	IPv4
Cross-region internal proxy Network Load Balancer	TCP	IPv4
Global external Application Load Balancer Note: Classic Application Load Balancer isn't supported. Connecting to producer regional internal proxy Network Load Balancers isn't supported.	HTTP HTTPS HTTP2	IPv4
Global external proxy Network Load Balancer To associate this load balancer with a Private Service Connect NEG, use the Google Cloud CLI or send an API request. Note: Classic proxy Network Load Balancer is not supported.	TCP/SSL	IPv4
Regional external Application Load Balancer	HTTP HTTPS HTTP2	IPv4
Regional external proxy Network Load Balancer	TCP	IPv4
Regional internal Application Load Balancer	HTTP HTTPS HTTP2	IPv4
Regional internal proxy Network Load Balancer	TCP	IPv4

Producer configuration

This table describes the configuration for producer load balancersthat are supported by Private Service Connect backends forpublished services.

Producer type	Producer configuration (published service)
Producer type	Supported producer backends	Forwarding rule protocols	Forwarding rule ports	PROXY protocol	IP version	Private Service Connect health support
Cross-region internal Application Load Balancer	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups	TCP HTTP HTTPS HTTP/2 gRPC	Supports one, multiple, or all ports		IPv4
Internal passthrough Network Load Balancer	GCE_VM_IP zonal NEGs Instance groups	TCP	SeeProducer port configuration		IPv4
Regional internal Application Load Balancer	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Serverless NEGs Private Service Connect NEGs Instance groups	HTTP HTTPS HTTP/2	Supports a single port		IPv4
Regional internal proxy Network Load Balancer Note: Connections from consumer global external Application Load Balancers aren't supported.	GCE_VM_IP_PORT zonal NEGs Hybrid NEGs Private Service Connect NEGs Instance groups	TCP	Supports a single port		IPv4
Secure Web Proxy	Not applicable	Not applicable	Not applicable		IPv4

Note: To support access by a Private Service Connect backend in a global or cross-regional load balancer, the producer load balancer must have global access turned on before the service attachment is created. Don't disable global access if there are any global access Private Service Connect NEGs that connect to a producer load balancer(known issue).

Published services have the following limitations:

Load balancers that are configured with multiple protocols—protocol set toL3_DEFAULT—are not supported.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
You must use the Google Cloud CLI or the API to create a service attachment that points to a forwarding rule that is used forinternal protocol forwarding.

For issues and workarounds, seeKnown issues.

For an example backend configuration that uses a global external Application Load Balancer, seeAccess published services throughbackends.

To publish a service, seePublishservices.

Endpoints and global Google APIs

This table summarizes the features that are supported byendpoints used toaccess Google APIs.

To create this configuration, seeAccess Google APIsthrough endpoints.

Configuration	Details
Consumer configuration (endpoint)
Global reachability	Uses an internal global IP address
Cloud Interconnect traffic
Cloud VPN traffic
Access through VPC Network Peering
Connection propagation through NCC
Automatic DNS configuration
IP version	IPv4
Producer
Supported services	Supported global Google APIs

Backends and global Google APIs

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

This table describes which load balancers can use aPrivate Service Connect backend to a global Google API.

Configuration	Details
Consumer configuration (Private Service Connect backend)
Supported consumer load balancers	Global external Application Load Balancer Note: Classic Application Load Balancer is not supported. Cross-region internal Application Load Balancer
IP version	IPv4
Producer
Supported services	Bigtable:`bigtable.googleapis.com` and`bigtableadmin.googleapis.com` Cloud Logging:`logging.googleapis.com` Spanner:`spanner.googleapis.com` Cloud Storage:`storage.googleapis.com` Pub/Sub:`pubsub.googleapis.com`

Endpoints and regional Google APIs

This table summarizes the features that are supported byendpoints used toaccess regional GoogleAPIs.

Configuration	Details
Consumer configuration (endpoint)
Global reachability	If global access is enabled
Cloud Interconnect traffic
Cloud VPN traffic
Access through VPC Network Peering
Connection propagation through NCC
DNS configuration	Manual DNS configuration
IP version	IPv4 or IPv6
Producer
Supported services	Supported regional Google APIs

Backends and regional Google APIs

This table describes which load balancers can use aPrivate Service Connectbackend to access regionalGoogle APIs.

For an example backend configuration that uses an internal Application Load Balancer,seeAccess regional Google APIs throughbackends.

Configuration	Details
Consumer configuration (Private Service Connect backend)
Supported consumer load balancers	Internal Application Load Balancer Protocols: HTTPS Regional external Application Load Balancer Protocols: HTTPS
IP version	IPv4
Producer
Supported services	Supported regional Google APIs

What's next

Learn aboutaccessing published services through endpoints.
Learn aboutaccessing global Google APIs through endpoints.
Learn aboutaccessing regional Google APIs through endpoints.
Learn aboutbackends.
Learn aboutpublishing services.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.

Movatterモバイル変換

Private Service Connect compatibility

Services

Google published services

Third-party published services

Self-managed published services

Global Google APIs

Bundles of global Google APIs

Single global Google API

Regional Google APIs

Types

Endpoints and published services

Consumer configuration

Producer configuration

Backends and published services

Consumer configuration

Producer configuration

Endpoints and global Google APIs

Backends and global Google APIs

Endpoints and regional Google APIs

Backends and regional Google APIs

What's next