About accessing Google APIs through endpoints

This document provides an overview of Private Service Connect endpoints that are used to access Google APIs.

By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com. The default DNS names for Google services resolve to publicly routable IP addresses. However, traffic sent from Google Cloud resources to those IP addresses remains within Google's network.

With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network. You can assign DNS names to these internal IP addresses with meaningful names like storage-vialink1.p.googleapis.com and bigtable-adsteam.p.googleapis.com. These names and IP addresses are internal to your VPC network and any on-premises networks that are connected to it using Cloud VPN tunnels or VLAN attachments. You can control which traffic goes to which endpoint, and can demonstrate that traffic stays within Google Cloud.

This option gives you access to all Google APIs and services that are included in the API bundles.

Figure 1. Private Service Connect lets you send traffic to Google APIs by using an endpoint that is private to your VPC network.

Features and compatibility

This table summarizes the features that are supported by endpoints that are used to access Google APIs.

Consumer configuration (endpoint):

  • Global reachability: uses an internal global IP address
  • Cloud Interconnect traffic
  • Cloud VPN traffic
  • Access through VPC Network Peering
  • Connection propagation through Network Connectivity Center
  • Automatic DNS configuration
  • IP version: IPv4

Producer:

  • Supported services: supported global Google APIs

On-premises access

Private Service Connect endpoints that you use to access Google APIs can be accessed from supported connected on-premises hosts. For more information, see Access the endpoint from on-premises hosts.

Private Service Connect and Service Directory

Endpoints are registered with Service Directory. Service Directory is a platform to store, manage, and publish services. When you create an endpoint to access Google APIs and services, you select a Service Directory region and a Service Directory namespace.

Service Directory region

Service Directory is a regional service; the region you select defines where the Service Directory control plane resides. There is no functional difference between regions, but you might have a preference for administrative reasons.

When you create the first endpoint for Google APIs in a VPC network, the region that you select is used as the default region for all subsequent endpoints created in that network. If a region is not already set for a network, and you don't specify a region, the region is set to us-central1. All endpoints in a network must use the same Service Directory region.

Service Directory namespace

When you create the first endpoint for Google APIs in a VPC network, the namespace that you select is used as the default namespace for all subsequent endpoints created in that network. If the namespace is not already set for a network, and you don't specify a namespace, a system-generated namespace is used. All endpoints in a network must use the same Service Directory namespace. The namespace that you choose must be used only for endpoints that are used to access Google APIs. You can use the same namespace for endpoints in multiple networks.

When you create an endpoint, the following DNS configurations are created:

  • A Service Directory private DNS zone is created for p.googleapis.com.

  • DNS records are created in p.googleapis.com for some commonly used Google APIs and services that are available using Private Service Connect and have default DNS names that end in googleapis.com.

    See creating DNS records for instructions to create DNS records for APIs and services that do not have a DNS record in p.googleapis.com.

The available services vary depending on whether you select the all-apis or vpc-sc API bundle.

One Service Directory DNS zone is created for each VPC network that contains an endpoint.

The DNS names for an endpoint are accessible in all regions in your VPC network.

Supported APIs

When you create an endpoint to access Google APIs and services, you choose which bundle of APIs you need access to: All APIs (all-apis) or VPC-SC (vpc-sc).

Note: These bundles provide access to the same APIs that are available through the Private Google Access VIPs: all-apis is equivalent to private.googleapis.com, and vpc-sc is equivalent to restricted.googleapis.com.

The API bundles support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP, are not supported.

API bundle: all-apis

Supported services: Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the list below. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.

Domain names that match:

  • accounts.google.com (only supports paths needed for OAuth authentication of service accounts; user account authentication is interactive and not supported)
  • *.aiplatform-notebook.cloud.google.com
  • *.aiplatform-notebook.googleusercontent.com
  • appengine.google.com
  • *.appspot.com
  • *.backupdr.cloud.google.com
  • backupdr.cloud.google.com
  • *.backupdr.googleusercontent.com
  • backupdr.googleusercontent.com
  • *.cloudfunctions.net
  • *.cloudproxy.app
  • *.composer.cloud.google.com
  • *.composer.googleusercontent.com
  • *.datafusion.cloud.google.com
  • *.datafusion.googleusercontent.com
  • *.dataproc.cloud.google.com
  • dataproc.cloud.google.com
  • *.dataproc.googleusercontent.com
  • dataproc.googleusercontent.com
  • dl.google.com
  • gcr.io or *.gcr.io
  • *.googleapis.com
  • *.gke.goog
  • *.gstatic.com
  • *.kernels.googleusercontent.com
  • *.ltsapis.goog
  • *.notebooks.cloud.google.com
  • *.notebooks.googleusercontent.com
  • packages.cloud.google.com
  • pkg.dev or *.pkg.dev
  • pki.goog or *.pki.goog
  • *.run.app
  • source.developers.google.com
  • storage.cloud.google.com

Example usage: choose all-apis under these circumstances:

  • You don't use VPC Service Controls.
  • You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls. [1]

API bundle: vpc-sc

Supported services: Enables API access to Google APIs and services that are supported by VPC Service Controls.

Blocks access to Google APIs and services that do not support VPC Service Controls. Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

Example usage: choose vpc-sc when you only need access to Google APIs and services that are supported by VPC Service Controls. The vpc-sc bundle does not permit access to Google APIs and services that do not support VPC Service Controls. [1]

[1] If you need to restrict users to just the Google APIs and services that support VPC Service Controls, use vpc-sc, as it provides additional risk mitigation for data exfiltration. Using vpc-sc denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.
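A practical way to use the all-apis domain list is to run egress or DNS query logs through it and flag names the bundle will not serve (Gmail, interactive sites, or anything not in the list), before those requests fail in production. The following is an added example and not Google's code: the pattern list is copied from the table above, the DNS query log lines are constructed, and the wildcard semantics (a leading `*.` covers one or more labels, a bare name matches exactly) are an assumption made here, since the page does not spell them out. Note that accounts.google.com is restricted to OAuth paths, which a hostname check cannot see.

```python
# Added example (not Google's code). Checks queried hostnames against the
# all-apis domain list reproduced from the table above.

# Patterns copied from the all-apis row of the table above.
ALL_APIS_PATTERNS = [
    "accounts.google.com",
    "*.aiplatform-notebook.cloud.google.com",
    "*.aiplatform-notebook.googleusercontent.com",
    "appengine.google.com",
    "*.appspot.com",
    "*.backupdr.cloud.google.com",
    "backupdr.cloud.google.com",
    "*.backupdr.googleusercontent.com",
    "backupdr.googleusercontent.com",
    "*.cloudfunctions.net",
    "*.cloudproxy.app",
    "*.composer.cloud.google.com",
    "*.composer.googleusercontent.com",
    "*.datafusion.cloud.google.com",
    "*.datafusion.googleusercontent.com",
    "*.dataproc.cloud.google.com",
    "dataproc.cloud.google.com",
    "*.dataproc.googleusercontent.com",
    "dataproc.googleusercontent.com",
    "dl.google.com",
    "gcr.io", "*.gcr.io",
    "*.googleapis.com",
    "*.gke.goog",
    "*.gstatic.com",
    "*.kernels.googleusercontent.com",
    "*.ltsapis.goog",
    "*.notebooks.cloud.google.com",
    "*.notebooks.googleusercontent.com",
    "packages.cloud.google.com",
    "pkg.dev", "*.pkg.dev",
    "pki.goog", "*.pki.goog",
    "*.run.app",
    "source.developers.google.com",
    "storage.cloud.google.com",
]


def normalize_host(host):
    """Lower-case the name and drop a trailing dot, which DNS logs often carry."""
    return host.strip().rstrip(".").lower()


def pattern_matches(pattern, host):
    """Match one pattern. Assumption: a leading '*.' covers one or more labels,
    and a bare name matches exactly (which is why 'gcr.io' is listed next to '*.gcr.io')."""
    host = normalize_host(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.gcr.io" -> ".gcr.io"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def matching_pattern(host):
    """Return the first all-apis pattern that covers host, or None if none does."""
    for pattern in ALL_APIS_PATTERNS:
        if pattern_matches(pattern, host):
            return pattern
    return None


# Constructed DNS query log, one "<timestamp> <client> <queried name>" per line.
SAMPLE_QUERY_LOG = """\
2025-01-01T10:00:00Z vm-a storage.googleapis.com.
2025-01-01T10:00:01Z vm-a us-docker.pkg.dev
2025-01-01T10:00:02Z vm-b mail.google.com
2025-01-01T10:00:03Z vm-b www.gstatic.com
2025-01-01T10:00:04Z vm-c www.example.com
"""


def hosts_outside_bundle(log_text):
    """Queried names that the all-apis bundle would not serve, sorted and deduplicated."""
    outside = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                              # skip malformed lines
        qname = normalize_host(parts[2])
        if matching_pattern(qname) is None:
            outside.add(qname)
    return sorted(outside)


if __name__ == "__main__":
    for name in hosts_outside_bundle(SAMPLE_QUERY_LOG):
        print("not covered by all-apis:", name)
```

Because a bare entry and its wildcard are listed separately, `googleapis.com` itself is not matched by `*.googleapis.com`; if your logs show the apex name being queried, that is worth investigating rather than assuming the bundle covers it.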

IP address requirements

When you configure Private Service Connect on a VPC network, you provide an IP address to use for the endpoint.

The address counts toward the project's quota for global internal IP addresses.

The IP address must meet the following specifications:

  • It must be a single IP address and not an address range.

  • It must be a valid IPv4 address. It can be an RFC 1918 address or a non-RFC 1918 address. IPv6 addresses are not supported for Private Service Connect.

  • It cannot be within the range of subnets configured in the VPC network.

  • It cannot be within a primary or secondary IP address range of any subnet in the VPC network or a network connected to the VPC network using VPC Network Peering.

  • It cannot overlap with a /32 custom static route in the local VPC network. For example, if the VPC network has a custom static route for 10.10.10.10/32, you cannot reserve address 10.10.10.10 for Private Service Connect.

  • It cannot overlap with a /32 peering custom static route if you've configured the peered network to export custom routes and you've configured your VPC network to import custom routes.

  • It cannot be within any of the auto-mode IP ranges (in 10.128.0.0/9) if the local VPC network is an auto mode network or if it is peered with an auto mode network.

  • It cannot be within an allocated IP range in the local VPC network. However, it can be within an allocated IP range in a peered VPC network.

  • If an endpoint overlaps with a custom dynamic route whose destination is the same /32, the endpoint takes priority.

  • If an endpoint IP address is located within the destination range of a local static route, local dynamic route, or peering custom route, and that route has a subnet mask shorter than /32, the endpoint has higher priority.
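The requirements above are easy to get wrong by hand, and a conflicting address is only discovered when the reservation is rejected or, worse, when traffic silently follows the wrong route. The following pre-reservation check is an added example and not Google's code: the `VpcLayout` fields, the helper names and the sample ranges are constructed here, and the page's 10.10.10.10/32 static route appears as one of the inputs. It separates hard conflicts (subnet ranges, /32 static routes, auto mode ranges, local allocated ranges) from overlaps the page says the endpoint simply wins (dynamic routes, routes with a mask shorter than /32, allocated ranges in a peered network).

```python
# Added example (not Google's code): validate a proposed endpoint address
# against the IP address requirements listed above.
import ipaddress
from dataclasses import dataclass, field

# Auto mode subnet range, as stated in the requirements above.
AUTO_MODE_RANGE = ipaddress.ip_network("10.128.0.0/9")


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class VpcLayout:
    """Constructed description of a VPC network; the field names are hypothetical."""
    subnet_ranges: list = field(default_factory=list)           # primary and secondary ranges of local subnets
    peered_subnet_ranges: list = field(default_factory=list)    # subnet ranges in peered networks
    local_static_routes: list = field(default_factory=list)     # destinations of local custom static routes
    peering_custom_routes: list = field(default_factory=list)   # custom routes imported over peering
    local_dynamic_routes: list = field(default_factory=list)    # custom dynamic routes learned locally
    local_allocated_ranges: list = field(default_factory=list)  # allocated ranges in the local network
    peered_allocated_ranges: list = field(default_factory=list) # allocated ranges in peered networks
    auto_mode_or_peered_with_auto_mode: bool = False


def check_endpoint_address(candidate, vpc):
    """Check a proposed endpoint address against the requirements listed above.

    Returns (problems, notes). problems lists violated requirements, so an empty
    list means the address can be reserved; notes records overlaps that are
    allowed because the endpoint takes priority.
    """
    problems, notes = [], []

    # It must be a single IP address, not a range.
    if "/" in candidate:
        net = ipaddress.ip_network(candidate, strict=False)
        if net.num_addresses != 1:
            return [f"{candidate} is a range, not a single address"], notes
        addr = net.network_address
    else:
        addr = ipaddress.ip_address(candidate)

    # It must be IPv4 (RFC 1918 or not); IPv6 is not supported.
    if addr.version != 4:
        return [f"{addr} is IPv6; only IPv4 is supported"], notes

    # It cannot fall inside any subnet range, local or peered.
    for net in _networks(vpc.subnet_ranges):
        if addr in net:
            problems.append(f"inside local subnet range {net}")
    for net in _networks(vpc.peered_subnet_ranges):
        if addr in net:
            problems.append(f"inside peered subnet range {net}")

    # A /32 custom static route (local, or imported over peering) is a conflict;
    # a static route with a shorter mask merely loses priority to the endpoint.
    for label, routes in (("local static", vpc.local_static_routes),
                          ("peering custom", vpc.peering_custom_routes)):
        for net in _networks(routes):
            if addr not in net:
                continue
            if net.prefixlen == 32:
                problems.append(f"overlaps {label} route {net}")
            else:
                notes.append(f"endpoint takes priority over {label} route {net}")

    # Dynamic routes never block the endpoint: whether the destination is the
    # same /32 or a shorter mask, the endpoint has higher priority.
    for net in _networks(vpc.local_dynamic_routes):
        if addr in net:
            notes.append(f"endpoint takes priority over local dynamic route {net}")

    # Auto mode ranges are off limits if the local network, or a peer, is auto mode.
    if vpc.auto_mode_or_peered_with_auto_mode and addr in AUTO_MODE_RANGE:
        problems.append(f"inside auto mode range {AUTO_MODE_RANGE}")

    # Allocated ranges conflict only in the local network, not in peered networks.
    for net in _networks(vpc.local_allocated_ranges):
        if addr in net:
            problems.append(f"inside local allocated range {net}")
    for net in _networks(vpc.peered_allocated_ranges):
        if addr in net:
            notes.append(f"inside peered allocated range {net} (allowed)")

    return problems, notes


if __name__ == "__main__":
    # Constructed layout that includes the page's 10.10.10.10/32 static route example.
    layout = VpcLayout(subnet_ranges=["10.0.0.0/24"],
                       local_static_routes=["10.10.10.10/32", "10.20.0.0/16"])
    for ip in ("10.10.10.10", "10.20.0.7", "10.50.0.1"):
        print(ip, check_endpoint_address(ip, layout))
```

Run the check against the ranges exported from your own network inventory before reserving the address; the notes are worth reviewing too, since an endpoint that silently outranks an existing route changes where that /32 of traffic goes.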

Use cases

You can create multiple endpoints in the same VPC network. There is no limit on total bandwidth sent to a particular endpoint. Because endpoints use global internal IP addresses, they can be used by any resource in your VPC network or an on-premises network connected using Cloud VPN tunnels or Cloud Interconnect attachments.

With multiple endpoints, you can specify different network paths using Cloud Router and firewall rules.

  • You can create firewall rules to prevent some VMs from accessing Google APIs through an endpoint, while allowing other VMs to have access.

  • You can have a firewall rule on a VM instance that disallows all traffic to the internet; traffic sent to Private Service Connect endpoints still reaches Google.

  • If you have on-premises hosts that are connected to a VPC using a Cloud VPN tunnel or a VLAN attachment, you can send some requests through the tunnel or VLAN while sending other requests over the public internet. This configuration lets you bypass the tunnel or VLAN for services such as Google Books that are not supported by Private Google Access.

    To create this configuration, create a Private Service Connect endpoint, advertise the endpoint IP addresses using Cloud Router custom route advertisements, and enable a Cloud DNS inbound forwarding policy. The application can send some requests through the Cloud VPN tunnel or VLAN attachment by using the name of the endpoint, and it can send other requests over the internet by using the default DNS name.

  • If you connect your on-premises network to your VPC network using multiple VLAN attachments, you can send some traffic from on-premises over one VLAN and the rest over others, as shown in figure 2. This lets you use your own wide-area networking instead of Google's, and to control data movement to meet geographic requirements.

    To create this configuration, create two endpoints. Create a custom route advertisement for the first endpoint on the BGP session of the Cloud Router managing the first VLAN, and create a different custom route advertisement for the second endpoint on the BGP session of the Cloud Router managing the second VLAN. On-premises hosts that are configured to use the endpoint name send traffic over the corresponding VLAN attachment.

  • You can also use multiple VLAN attachments in an active/active topology. If you advertise the same endpoint IP address using custom route advertisements for the BGP sessions on the Cloud Routers managing the VLANs, packets sent from on-premises systems to the endpoints are routed across the VLANs using ECMP.

    Figure 2. By configuring Private Service Connect, Cloud Router, and on-premises hosts, you can control which VLAN attachment is used to send traffic to Google APIs.

Pricing

Pricing for Private Service Connect is described in the VPC pricing page.

Quotas

The number of Private Service Connect endpoints that you can create for accessing Google APIs is controlled by the PSC Google APIs Forwarding Rules per VPC Network quota. For more information, see quotas.

Organization policy constraints

An Organization Policy Administrator can use the constraints/compute.disablePrivateServiceConnectCreationForConsumers constraint to define the set of endpoint types for which users cannot create forwarding rules.

For information about creating an organization policy that uses this constraint, see Block consumers from deploying endpoints by connection type.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.