Access Google APIs through endpoints

This document explains how to use Private Service Connectendpoints to connect to Google APIs. Instead of sending API requests to thepublicly available IP addresses for service endpoints such asstorage.googleapis.com, you can send the requests to the internal IP addressof an endpoint.

You can also use Private Service Connect toaccess services inanother VPC networkand topublish services.

Roles

The followingIAM roles providethe permissions needed to perform the tasks in this guide.

Before you begin

• ReadAbout connecting to Google APIs by usingendpointsfor more information, including DNS configuration andlimitations.

• Private Service Connect does not automatically enable any API.You must separatelyenable the Google APIs youneed to use from theAPIs & services page inthe Google Cloud console.

• You mustenabletheCompute Engine API in your project.

• You mustenabletheService DirectoryAPI in your project.

• You mustenable theCloud DNS API in your project.

• You must choose an IP address to use for the endpoint. For information aboutwhat IP addresses you can use, seeIP address requirements.

• Egress firewall rules must permit traffic to theendpoint. The default firewallconfiguration for a VPC network permits this traffic, because itcontains an implied allow egress rule. Verify that you have not created a higherpriority egress rule that blocks the traffic.

• Virtual machine (VM) instances without an external IP address assigned mustuse a subnet withPrivate Google Accessenabled to access Google APIs and services usingan endpoint.

  A VM with an external IP address can access Google APIs and services usingendpoints even ifPrivate Google Access is disabled for its subnet. Connectivity to theendpoint stays within Google's network.

• If your VPC network does not contain anyendpoints, check if a Cloud DNSprivate zone exists forp.googleapis.com. If the zone exists, delete it beforeyou create the endpoint. If you don'tdelete it, creation of the Service Directory DNS zone used forPrivate Service Connect fails. For more information,seetroubleshooting.

• Endpoints are not accessible frompeered VPC networks.

Enable Private Google Access for a subnet

VMs without an external IP address assigned must be connected to a subnet withPrivate Google Access enabled to access Google APIs and services usingan endpoint.

If the VM has more than one interface, connect the interface that is configuredwith a default route (usuallynic0).

The source IP address of packets sent from the VM must match the VM interface'sprimary internal IPv4 address or an internal IPv4 address from an alias IP range.

To enable Private Google Access on a subnet, follow these steps.

resource "google_compute_network" "network" {  project                 = var.project # Replace this with your project ID in quotes  name                    = "tf-test"  auto_create_subnetworks = false}resource "google_compute_subnetwork" "vpc_subnetwork" {  project                  = google_compute_network.network.project  name                     = "test-subnetwork"  ip_cidr_range            = "10.2.0.0/16"  region                   = "us-central1"  network                  = google_compute_network.network.id  private_ip_google_access = true}

Create an endpoint

After you have chosen an IP address thatmeets the requirements,you can create an endpoint.

An endpoint connects to Google APIs andservices using a global forwarding rule. Each forwarding rule counts toward theper VPC network quota forPrivate Service Connect.

You can't update an endpoint for Google APIs and services after it is created.If you need to update an endpoint for Google APIs and services, delete theendpoint, and then create a new one.

resource "google_compute_global_address" "default" {  project      = google_compute_network.network.project  name         = "global-psconnect-ip"  address_type = "INTERNAL"  purpose      = "PRIVATE_SERVICE_CONNECT"  network      = google_compute_network.network.id  address      = "10.3.0.5"}

resource "google_compute_global_forwarding_rule" "default" {  project               = google_compute_network.network.project  name                  = "globalrule"  target                = "all-apis"  network               = google_compute_network.network.id  ip_address            = google_compute_global_address.default.id  load_balancing_scheme = ""}

Verify that the endpoint is working

Create a VM instance in the VPC network wherePrivate Service Connect is configured. Run the followingcommand on the VM to verify that the Private Service Connectendpoint is working. Endpointsdon't respond to ping (ICMP) requests.

curl -vENDPOINT_IP/generate_204

ReplaceENDPOINT_IP with the IP address of theendpoint.

If the endpoint is working, you see an HTTP204 response code.

List endpoints

You can list all configured endpoints.

gcloud compute forwarding-rules list  \--filter --global

NAME  REGION  IP_ADDRESS  IP_PROTOCOL  TARGETRULEIP          TCP          all-apis

Get information about an endpoint

You can view all the configuration details of anendpoint.

gcloud compute forwarding-rules describe \ENDPOINT_NAME --global

Label an endpoint

You can manage labels for endpoints. Seelabeling resources for more information.

Delete an endpoint

You can delete an endpoint.

    gcloud compute forwarding-rules delete \ENDPOINT_NAME --global

Use an endpoint

To use an endpoint, you send requests to aDNS hostname that resolves to the IP address of the endpoint.

• You can use the automatically createdp.googleapis.com DNS names if youcan configure your clients to use a custom endpoint and ifp.googleapis.comDNS records are created for the APIs and services that you want to use. For moreinformation, seeUsep.googleapis.com DNS names.

  For example, if your endpoint name isxyz, DNS records are created forstorage-xyz.p.googleapis.com,compute-xyz.p.googleapis.com, and othercommonly used APIs in the API bundle.

• You can create DNS records by using the default DNS names if you are using aclient that hasn't been configured to use a custom endpoint, or if ap.googleapis.com DNS record does not exist for the service that you want touse. For more information, seeCreate DNS records by using default DNS names.

  For example, create DNS records forstorage.googleapis.com,compute.googleapis.com, or*.gke.goog.

• Python: you can configureapi_endpoint inClientoptions.

• Go: you can configureWithEndpoint inClientOptions.

• .NET: you can configureEndpoint inthe client's builder class.

• gcloud: you can configureapi_endpoint_overrides in thegcloud CLI.

Create DNS records by using default DNS names

You need to create DNS records to direct the default DNS names for APIs andservices to your endpoint in thesecircumstances:

• Your client or application cannot be configured to use ap.googleapis.comDNS name.

• You need to access a supported service, but there is no automatically createdp.googleapis.com DNS name for that service.

To create DNS records that point to your Private Service Connectendpoint, follow these instructions:

1. Create a DNS zone for the domain you need to use (for example,googleapis.com orgcr.io). Considercreating a Cloud DNS privatezone for this purpose.

2. In this DNS zone:

   1. Create anA record for the domain (zone) name itself; for example,googleapis.com orgcr.io. Point thisA record to the IP address of theendpoint. If you're usingCloud DNS, seeadding a record.

   2. Create aCNAME record for all of the additional domain's possible hostnames by using an asterisk and a dot followed by the domain (zone) name; forexample,*.googleapis.com or*.gcr.io. Point thisCNAME record to theA record in the same zone. For example, point*.googleapis.com togoogleapis.com or point*.gcr.io togcr.io.

Access the endpoint from on-premises hosts

If your on-premises network is connected to a VPC network, youcan use Private Service Connect to access Google APIs andservices from on-premises hosts by using the internal IP address of theendpoint.

• Your on-premises network must be connected to a VPC networkusing either Cloud VPN tunnels or VLAN attachments forCloud Interconnect.

• The endpoint must be in the VPC network that is connected to youron-premises network.

• The on-premises network must have appropriate routes for the endpoint.Configure aCloud Router custom routeadvertisementto announce routes for the endpoint on the BGP session that manages routesfor the Cloud VPN tunnel or VLAN attachment.

  • If your on-premises network uses equal-cost multi-path (ECMP) routing todistribute traffic to Private Service Connect endpoints,you must ensure that all packets for a single TCP connection are routedthrough the same Cloud VPN tunnel or VLAN attachment. Ifpackets for an established TCP connection are routed over multiplepaths, you might experience intermittent TCP resets (RSTs).To help prevent resets, configure your on-premises peer routers tomaintain consistent next hop destinations.

• You must configure on-premises systems so that they can make queries to yourprivate DNS zones.

  If you've implemented the private DNS zones using Cloud DNS,complete the following steps:

  • Create aninbound server policy in theVPC network to which your on-premises network connects.

  • Identify theinbound forwarder entrypoints, in the regions whereyour Cloud VPN tunnels and VLAN attachments are located, in theVPC network to which your on-premises network connects.

  • Configure on-premises systems and on-premises DNS name servers toforward theDNS names for the Private Service Connectendpoints to an inbound forwarder entry point in thesame region as the Cloud VPN tunnel or VLAN attachment thatconnects to the VPC network.

Troubleshooting

The following sections contain information about resolving issues withPrivate Service Connect endpoints that are used to access GoogleAPIs.

Private DNS zone creation fails

When you create an endpoint, aService Directory DNS zone is created. Zone creation can failfor these reasons:

• You haven't enabled the Cloud DNS API in your project.

• You don't have the required permissions to create aService Directory DNS zone.

• A DNS zone with the same zone name exists in this VPC network.

• A DNS zone forp.googleapis.com already exists in this VPCnetwork.

Conflicting zones might exist because a previousdeletionfailed.

To create the Service Directory DNS zone, do the following:

1. Verify that the Cloud DNS API isenabled in your project.

2. Verify that you have the required permissions to create theService Directory DNS zone:

   • dns.managedZones.create
   • servicedirectory.namespaces.associatePrivateZone

3. Delete the DNS zone.

4. Create a Service Directory DNSzonebacked by the Service Directory namespace associated with yourendpoint.

   Use the following values when you create the zone:

   • Zone name: Use the same zone name that the system used during the failedcreation attempt. The error message displays what zone name was used.

   • DNS name:p.googleapis.com. (include the trailing dot).

   • Service Directory namespace:Find the Service Directorynamespace for the Private Service Connectendpoint you created, and use this namespace when you create theService Directory DNS zone.

   The Service Directory namespace has the following format:goog-psc-NETWORK_NAME-NETWORK_ID.

Private DNS zone deletion fails

When you delete the last endpoint in aVPC network, the associated Service Directoryconfiguration including the DNS zone is deleted.

This deletion can fail for these reasons:

• You don't have the required permissions to delete the DNS zone.

• The zone contains user-defined DNS entries that were not created byService Directory.

To resolve this issue, do the following:

1. Verify that you have thedns.managedZones.delete permission. For moreinformation, seeAccess Control in theCloud DNS documentation.

2. Delete the DNS zone.