About Private Service Connect interfaces
This page provides an overview of Private Service Connect interfaces.
A Private Service Connect interface is a resource that lets a producer Virtual Private Cloud (VPC) network initiate connections to various destinations in a consumer VPC network. Producer and consumer networks can be in different projects and organizations.
To create a Private Service Connect interface connection, you need a virtual machine (VM) instance that has at least two network interfaces. The first interface connects to a subnet in a producer VPC network. The other interfaces can be Private Service Connect interfaces that request connections to network attachments in different consumer VPC networks. If a connection is accepted, Google Cloud assigns the Private Service Connect interface an internal IP address from the consumer subnet that is specified by the network attachment.
This Private Service Connect interface connection lets producer and consumer organizations configure their VPC networks so that the two networks are connected and can communicate by using internal IP addresses. For example, the producer organization can update the producer VPC network to add routes for consumer subnets.
Figure 1. In a producer VPC network, vm-1 has two network interfaces. One virtual network interface (vNIC) connects to a subnet in the producer network. The other interface is a virtual Private Service Connect interface that connects to a network attachment in a consumer network.
A connection between a Private Service Connect interface and a network attachment is similar to the connection between a Private Service Connect endpoint and a service attachment, but it has two key differences:
- A Private Service Connect interface lets a producer VPC network initiate connections to a consumer VPC network (managed service egress). An endpoint works in the reverse direction, letting a consumer VPC network initiate connections to a producer VPC network (managed service ingress).
- A Private Service Connect interface connection is transitive. This means that workloads in a producer network can initiate connections to other workloads that are connected to the consumer VPC network. Private Service Connect endpoints can only initiate connections to the producer VPC network.
Figure 2. Private Service Connect endpoints let service consumers initiate connections to service producers, while Private Service Connect interfaces let service producers initiate connections to service consumers.
Connecting to workloads in other networks
Because Private Service Connect interface connections are transitive, if the consumer VPC network configuration allows it, resources in producer VPC networks can communicate with workloads that are connected to the consumer network. This includes the following:
- Workloads in networks that are connected to the consumer VPC network through Cloud VPN tunnels, Cloud Interconnect, or VPC Network Peering.
- Workloads that have external IP addresses that are reachable from the consumer VPC network through Cloud NAT.
- Google APIs and services that are reachable from the consumer VPC network through Private Google Access or VPC Service Controls. Extra configuration is required to use VPC Service Controls with Private Service Connect interfaces.
- Published services and Google APIs that are reachable from the consumer VPC network through Private Service Connect endpoints and backends.
- Workloads in VPC spokes that are connected to the consumer VPC network.
Figure 3. A producer VPC network that's connected to a consumer VPC network through a Private Service Connect interface connection can communicate with workloads that are connected to the consumer VPC.
Example use cases
An example use case for Private Service Connect interfaces is a managed service that needs to initiate connections to a consumer VPC network to access consumer data. The service might also need access to data or services that are available in a consumer's on-premises network, through a VPN or Cloud Interconnect connection, or from a third-party service. A Private Service Connect interface connection can fulfill all of these requirements.
Another use case is a managed service that provides an API gateway. As the service receives calls for different APIs, it uses Private Service Connect interfaces to initiate connections to consumer VPC networks. The gateway service sends API requests to backend targets that process the requests.
Private Service Connect interfaces and Private Service Connect endpoints are complementary and can be used together in the same VPC network.
For example, figure 4 describes the network configuration of a managed service that provides analytics. The analytics service can initiate connections to the consumer VPC network by using a Private Service Connect interface. A Private Service Connect endpoint in the consumer network lets the analytics service initiate connections to a database service in another VPC network. Traffic from the analytics service to the database service passes through the consumer network, which lets the consumer monitor and provide security for traffic between the two services.
Figure 4. Private Service Connect interfaces and Private Service Connect endpoints are complementary in this example configuration. The interface lets the analytics service initiate connections to the consumer VPC network. The endpoint lets the analytics service initiate connections from the consumer VPC network to the database service.
Private Service Connect interface types
There are two types of Private Service Connect interfaces:
- Virtual Private Service Connect interfaces are based on the virtual network interfaces (vNICs) that are used by Compute Engine VMs.
- Dynamic Private Service Connect interfaces are based on Dynamic NICs.
The main differences between virtual and dynamic Private Service Connect interfaces are described in the following table:
| Type | Max Private Service Connect interfaces per VM | Interface management | Supported guest OS |
|---|---|---|---|
| Virtual Private Service Connect interface | Up to 9 (depends on number of vCPUs) | Added at VM creation time; removed with VM deletion | Linux, Windows |
| Dynamic Private Service Connect interface | Up to 15 (depends on number of vCPUs) | Added at any time; can be removed independently of VM | Linux only |
Consider using virtual Private Service Connect interfaces when you expect your interface configuration to remain unchanged throughout the VM's lifecycle.
Consider using dynamic Private Service Connect interfaces when the following is true:
- You need to dynamically manage connections to consumer VPC networks.
- You need more Private Service Connect interfaces per VM.
- You need to avoid downtime during Private Service Connect interface changes.
Specifications
A Private Service Connect interface is a special type of network interface that connects to a network attachment.
Network interface specifications also apply to Private Service Connect interfaces.
The following specifications apply to both types of Private Service Connect interfaces:
- A VM that uses Private Service Connect interfaces requires at least two network interfaces. The first network interface is the default network interface, named nic0. This interface connects to a producer subnet. The second interface is a Private Service Connect interface that requests a connection to a consumer subnet.
- When a consumer project accepts a connection from a Private Service Connect interface, Google Cloud configures the interface with internal IP addresses from the network attachment's subnet. The stack type of the network attachment's subnet determines the possible stack types of the interface.
- Google Cloud validates that IP addresses that are allocated to a Private Service Connect interface don't overlap with the address ranges of subnets that are connected to the VM's other network interfaces.
- If a network attachment doesn't have enough IP addresses to allocate for Private Service Connect interfaces, the creation of the interface fails and returns an error:
  - If the failure happens when creating a VM, the VM isn't created.
  - If the failure happens when adding a dynamic Private Service Connect interface to an existing VM, the interface isn't added.
- You must manually configure the guest OS of a Private Service Connect interface's VM to route traffic through the interface.
- Private Service Connect interfaces support alias IP ranges. Alias IP ranges must come from the primary IPv4 address range of the network attachment's subnet.
- A Private Service Connect interface communicates in the same way as a network interface.
- A connection between a network attachment and a Private Service Connect interface is bi-directional and transitive. Workloads in the producer VPC network can initiate connections to workloads that are connected to the consumer VPC network.
- Dynamic and virtual Private Service Connect interfaces can coexist on the same VM.
- Private Service Connect interfaces support VPC Service Controls. This combination requires additional routing configuration.
Virtual Private Service Connect interface specifications
The following specifications are specific to virtual Private Service Connect interfaces.
- Virtual Private Service Connect interfaces can only be created at VM-creation time, and they can only be removed by deleting the associated VM.
- You can create a maximum of nine virtual Private Service Connect interfaces on a single VM, depending on the number of vCPUs in the VM.
Dynamic Private Service Connect interface specifications
The following specifications are specific to dynamic Private Service Connect interfaces.
- The properties and limitations of Dynamic NICs also apply to dynamic Private Service Connect interfaces.
- You can add or remove dynamic Private Service Connect interfaces at any time, without needing to restart the VM.
- A single VM can have up to 15 dynamic Private Service Connect interfaces, depending on the number of vCPUs in the VM.
- The maximum transmission unit (MTU) of a network interface is set to the MTU of the VPC network that it connects to. The MTU of a dynamic Private Service Connect interface must be less than or equal to the MTU of its parent network interface, or else interface creation fails with an error.
Limitations
A Private Service Connect interface connection can only be terminated in the following ways:
- A producer deletes the interface's VM.
- A producer removes a dynamic Private Service Connect interface.
- A consumer deletes a project that is connected to a Private Service Connect interface. This action stops the interface's VM.
- A consumer disables the Compute Engine API in a project that is connected to a Private Service Connect interface. This action stops the interface's VM.
If a VM has multiple Private Service Connect interfaces, each interface must connect to a unique network attachment, and each network attachment must be in a different consumer VPC network.
You can't assign external (publicly advertised) IP addresses to Private Service Connect interfaces.
Dynamic Private Service Connect interfaces aren't supported on VMs that use Windows guest OS. While this configuration isn't prevented by the API, packets don't flow because Windows guest OS drivers don't support Dynamic NICs.
Support for dynamic Private Service Connect interfaces on Container-Optimized OS VMs is limited to milestone 129 or later.
A Private Service Connect interface can't be the next hop of an internal forwarding rule.
You can't directly associate Private Service Connect interfaces with Google Kubernetes Engine (GKE) nodes or Pods. However, service egress is possible with GKE through Private Service Connect interfaces that are configured on proxy VMs.
VMs with Private Service Connect interfaces can't be part of backend services that target Compute Engine VMs. This is because the VMs must be in the same project as the backend service.
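The specifications and limitations above can be checked against a planned producer VM before it is provisioned. The following Python check is an added example, not Google Cloud code or a Google Cloud API: the `PscInterface` record, the `validate_plan` function, and all sample names and address ranges are hypothetical. Its overlap test is conservative because it compares whole subnets rather than the addresses that would actually be allocated.

```python
import ipaddress
from dataclasses import dataclass

# Upper bounds stated on this page; the real limit also depends on the vCPU count.
MAX_PER_VM = {"virtual": 9, "dynamic": 15}

@dataclass
class PscInterface:        # hypothetical planning record, not a Google Cloud API type
    kind: str              # "virtual" or "dynamic"
    attachment: str        # network attachment name
    consumer_network: str  # consumer VPC network that owns the attachment
    subnet: str            # CIDR of the attachment's subnet
    mtu: int = 1460
    external_ip: bool = False

def validate_plan(guest_os, producer_subnet, parent_mtu, interfaces):
    """Return rule violations for one producer VM (overlap test compares whole subnets)."""
    errors = []
    for kind, limit in MAX_PER_VM.items():
        count = sum(1 for i in interfaces if i.kind == kind)
        if count > limit:
            errors.append(f"{count} {kind} interfaces exceeds the maximum of {limit}")
    seen = [("nic0", ipaddress.ip_network(producer_subnet))]  # producer-side interface
    attachments, networks = set(), set()
    for i in interfaces:
        net = ipaddress.ip_network(i.subnet)
        for name, other in seen:
            if net.version == other.version and net.overlaps(other):
                errors.append(f"{i.attachment}: {net} overlaps {name} ({other})")
        seen.append((i.attachment, net))
        if i.attachment in attachments:
            errors.append(f"{i.attachment}: network attachment used more than once")
        if i.consumer_network in networks:
            errors.append(f"{i.attachment}: {i.consumer_network} is already connected")
        attachments.add(i.attachment)
        networks.add(i.consumer_network)
        if i.kind == "dynamic" and guest_os.lower() == "windows":
            errors.append(f"{i.attachment}: dynamic interface on a Windows guest")
        if i.kind == "dynamic" and i.mtu > parent_mtu:
            errors.append(f"{i.attachment}: MTU {i.mtu} exceeds parent MTU {parent_mtu}")
        if i.external_ip:
            errors.append(f"{i.attachment}: external IP addresses are not supported")
    return errors

# Constructed sample plan: every name and range here is made up for illustration.
SAMPLE = [
    PscInterface("virtual", "attach-a", "consumer-net-a", "10.10.0.0/24"),
    PscInterface("dynamic", "attach-b", "consumer-net-b", "10.0.1.0/25", mtu=8896),
    PscInterface("dynamic", "attach-c", "consumer-net-a", "192.168.5.0/24"),
]
```

Calling `validate_plan("linux", "10.0.0.0/23", 1460, SAMPLE)` reports three problems: a range that overlaps the producer subnet on nic0, a dynamic interface MTU above the parent MTU, and a second attachment in a consumer network that is already connected.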
Pricing
Pricing for Private Service Connect interfaces is described on the VPC pricing page.
What's next
- Learn how to create and manage Private Service Connect interfaces.
- Complete the Private Service Connect interface managed services Codelab.
Last updated 2026-02-18 UTC.