Monitor Private Service Connect connections

This page describes how to monitor both the producer and consumer sides ofPrivate Service Connect connections.

Private Service Connect exposes key metrics toCloud Monitoring that give you insights into yourPrivate Service Connect connections.

Metrics are sent automatically to Monitoring. There, you cancreate custom dashboards, set up alerts, and query the metrics.

For information about monitoring Private Service Connect connectionsthat aren't supported by Private Service Connect metrics, seeLimitations.

Monitor published services

You can monitor published services by using predefined dashboards orGoogle Cloud metrics.

View dashboards for published services

Private Service Connect provides a set of predefined dashboardsthat display the following metrics for a published service:

  • Connected forwarding rules
  • NAT IP addresses in use
  • Open connections
  • New connections
  • Closed connections
  • Network traffic
  • Network packets
  • Dropped sent packets
  • Dropped received packets

To view predefined dashboards from the details page of a particularPrivate Service Connect published service, follow these steps:

Console

  1. In the Google Cloud console, go to thePrivate Service Connect page.

    Go to Private Service Connect

  2. Click thePublished services tab.

  3. Click an existing service.

  4. Click theMonitoring tab.

    You can change the view of the charts by using thecontrol at the top of the page. Hovering over apoint on the graph gives you details for that specific time.

Metrics for published services

The "metric type" strings in this table must be prefixedwithcompute.googleapis.com/. That prefix has beenomitted from the entries in the table.

For a full list of Google Cloud metrics, seeGoogle Cloud metrics.

For information about using these metrics for troubleshooting, seepublished service troubleshooting.

Metric type Launch stage(Resource hierarchy levels)
Display name
Kind, Type, Unit
Monitored resources		Description
Labels
private_service_connect/producer/closed_connections_countGA(project)
Closed connections count
DELTAINT64{connection}
gce_service_attachment		Count of TCP/UDP connections closed over a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/connected_consumer_forwarding_rulesGA(project)
Connected consumer forwarding rules
GAUGEINT641
gce_service_attachment		Number of Consumer Forwarding Rules connected to a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 165 seconds.
private_service_connect/producer/dropped_received_packets_countGA(project)
Received packets dropped count
DELTAINT64{packet}
gce_service_attachment		Count of received packets dropped by a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/dropped_sent_packets_countGA(project)
Sent packets dropped count
DELTAINT64{packet}
gce_service_attachment		Count of sent packets dropped by a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/nat_ip_address_capacityGA(project)
Nat ip address capacity
GAUGEINT641
gce_service_attachment		Number of total IP addresses of a PSC Service Attachment resource ID. (Value -1 means the number is larger than the max value of INT64.) Sampled every 60 seconds. After sampling, data is not visible for up to 165 seconds.
private_service_connect/producer/new_connections_countGA(project)
New connections count
DELTAINT64{connection}
gce_service_attachment		Count of new TCP/UDP connections created over a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/open_connectionsGA(project)
Open connections
GAUGEINT64{connection}
gce_service_attachment		Number of TCP/UDP connections currently open on a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/received_bytes_countGA(project)
Received bytes count
DELTAINT64By
gce_service_attachment		Count of bytes received (PSC -> Service) over a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/received_packets_countGA(project)
Received packets count
DELTAINT64{packet}
gce_service_attachment		Count of packets received (PSC -> Service) over a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/sent_bytes_countGA(project)
Sent bytes count
DELTAINT64By
gce_service_attachment		Count of bytes sent (Service -> PSC) over a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/sent_packets_countGA(project)
Sent packets count
DELTAINT64{packet}
gce_service_attachment		Count of packets sent (Service -> PSC) over a PSC Service Attachment resource ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
psc_connection_id: The Private Service Connect connection ID of the Private Service Connect Forwarding Rule.
private_service_connect/producer/used_nat_ip_addressesGA(project)
Used nat ip addresses
GAUGEINT641
gce_service_attachment		IP usage of the monitored service attachment. Sampled every 60 seconds. After sampling, data is not visible for up to 165 seconds.

Monitor endpoints and backends that connect to published services

This section describes how to monitor Private Service Connectendpoints and backends that connect to published services. The available optionsdepend on the type of consumer (endpoint or backend).

This section doesn't apply to endpoints or backends that connect to GoogleAPIs. For information about monitoring Google APIs, seeLimitations.

View dashboards for endpoints

Private Service Connect provides a set of predefined dashboardsthat display the following metrics for endpoints that connect to publishedservices:

  • Open connections
  • New connections
  • Closed connections
  • Network traffic
  • Network packets
  • Dropped sent packets
  • Dropped received packets

To view predefined dashboards from the details page of a particularPrivate Service Connect endpoint, follow these steps:

Console

  1. In the Google Cloud console, go to thePrivate Service Connect page.

    Go to Private Service Connect

  2. Click theConnected endpoints tab.

  3. Click an endpoint that connects to a published service.

  4. Click theMonitoring tab.

    You can change the view of the charts by using thecontrol at the top of the page. Hovering over apoint on the graph gives you details for that specific time.

Metrics for endpoints and backends

Both Private Service Connectendpoints andbackends are monitored asPrivate Service Connect Endpoint resources.

The metrics in this table are not generated for endpoints or backends thatconnect to Google APIs.

The "metric type" strings in this table must be prefixedwithcompute.googleapis.com/. That prefix has beenomitted from the entries in the table.

For a full list of Google Cloud metrics, seeGoogle Cloud metrics.

For information about using these metrics to troubleshoot endpoints, seeendpoint troubleshooting.

For information about using these metrics to troubleshoot backends, seebackend troubleshooting.

Metric type Launch stage(Resource hierarchy levels)
Display name
Kind, Type, Unit
Monitored resources		Description
Labels
private_service_connect/consumer/closed_connections_countGA(project)
Closed connections count
DELTAINT64{connection}
compute.googleapis.com/PrivateServiceConnectEndpoint		Count of TCP/UDP connections closed over a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
private_service_connect/consumer/dropped_received_packets_countGA(project)
Received packets dropped count
DELTAINT64{packet}
compute.googleapis.com/PrivateServiceConnectEndpoint		Count of received packets dropped by a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
private_service_connect/consumer/dropped_sent_packets_countGA(project)
Sent packets dropped count
DELTAINT64{packet}
compute.googleapis.com/PrivateServiceConnectEndpoint		Count of sent packets dropped by a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
private_service_connect/consumer/new_connections_countGA(project)
New connections count
DELTAINT64{connection}
compute.googleapis.com/PrivateServiceConnectEndpoint		Count of new TCP/UDP connections created over a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
private_service_connect/consumer/open_connectionsGA(project)
Open connections
GAUGEINT64{connection}
compute.googleapis.com/PrivateServiceConnectEndpoint		Number of TCP/UDP connections currently open on a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
private_service_connect/consumer/received_bytes_countGA(project)
Received bytes count
DELTAINT64By
compute.googleapis.com/PrivateServiceConnectEndpoint		Count of bytes received (PSC -> Clients) over a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
private_service_connect/consumer/received_packets_countGA(project)
Received packets count
DELTAINT64{packet}
compute.googleapis.com/PrivateServiceConnectEndpoint		Count of packets received (PSC -> Clients) over a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
private_service_connect/consumer/sent_bytes_countGA(project)
Sent bytes count
DELTAINT64By
compute.googleapis.com/PrivateServiceConnectEndpoint		Count of bytes sent (Clients -> PSC) over a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.
private_service_connect/consumer/sent_packets_countGA(project)
Sent packets count
DELTAINT64{packet}
compute.googleapis.com/PrivateServiceConnectEndpoint		Count of packets sent (Clients -> PSC) over a PSC connection ID. Sampled every 60 seconds. After sampling, data is not visible for up to 345 seconds.
ip_protocol: The protocol of the connection. Can be TCP or UDP.

Define alerting policies

To create ametrics-based alerting policy,follow these steps. Use a resource type ofService Attachment for metricsabout published services. Use a resource type ofPrivate Service ConnectEndpoint for metrics about endpoints or backends.

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

  1. In the Google Cloud console, go to the Alerting page:

    Go toAlerting

    If you use the search bar to find this page, then select the result whose subheading isMonitoring.

  2. If you haven't created your notification channels and if you want to be notified, then clickEdit Notification Channels and add your notification channels. Return to theAlerting page after you add your channels.
  3. From theAlerting page, selectCreate policy.
  4. To select the metric, expand theSelect a metric menu and then do the following:
    1. To limit the menu to relevant entries, enterthe resource type into the filter bar. If there are no results after you filter the menu, then disable theShow only active resources & metrics toggle.
    2. For theResource type, select the resource type.
    3. For theMetric category, selectPrivate_service_connect.
    4. For theMetric, select the metric to use for this policy.
    5. SelectApply.
  5. ClickNext.
  6. The settings in theConfigure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, seeCreate metric-threshold alerting policies.
  7. ClickNext.
  8. Optional: To add notifications to your alerting policy, clickNotification channels. In the dialog, select one or more notification channels from the menu, and then clickOK.
  9. Optional: Update theIncident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
  10. Optional: ClickDocumentation, and then add any information that you want included in a notification message.
  11. ClickAlert name and enter a name for the alerting policy.
  12. ClickCreate Policy.
For more information, seeAlerting overview.

View logs

You can view logs for Private Service Connect endpoints and published services by using Cloud Logging.Cloud Logging is a fully managed service that lets you store, search, analyze, monitor, and alert on logging data and events.

  • Audit logs let you monitor Private Service Connect activity.Admin Activity audit logs are always written.
  • VPC Flow Logs lets you monitor Private Service Connect traffic. You mustenable VPC Flow Logs foreach subnet, VLAN attachment for Cloud Interconnect, or Cloud VPN tunnelthat you want to monitor.

You can use these logs to correlate events between the service consumer and service producer. For example, if the connection status of a consumer forwarding rule changes unexpectedly, you can request that the service producer verify their logs for any service attachment deletion or update events.

Console

  1. In the Google Cloud console, go to theLogs Explorer page.

    Go to Logs Explorer

  2. If you don't see the query editor field in theQuery pane, click theShow query toggle.

  3. In the query editor field, enter a query. For example, to view an endpoint'sconnection status change, enter the following query, replacingCONSUMER_PROJECT_ID with the consumer project ID:

    resource.type="gce_forwarding_rule"log_name="projects/CONSUMER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event"protoPayload.methodName="LogPscConnectionStatusUpdate"

    For more examples of queries that you can run to view common loggingevents, seeCommon logging events for endpoints.

  4. ClickRun query.

For more information about querying your audit logs, seeViewing audit logs.

Common logging events for published services

The following table lists common logging events for Private Service Connect published services.

Event descriptionLogging advanced filter
Service attachment deletion
resource.type="audited_resource"log_name="projects/PRODUCER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"resource.labels.method="compute.serviceAttachments.delete"
Service attachment enabling connection reconciliation
resource.type="audited_resource"log_name="projects/PRODUCER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"resource.labels.method="compute.serviceAttachments.patch"protoPayload.request.reconcileConnections="true"
Service attachment rejecting a consumer project URI
resource.type="audited_resource"log_name="projects/PRODUCER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"protoPayload.request.consumerRejectLists="CONSUMER_PROJECT_ID"
Endpoint connection status change due to service attachment connection policy or organization policy
resource.type="gce_service_attachment"log_name="projects/PRODUCER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event"protoPayload.methodName="LogPscProducerConnectionStatusChange"
VPC Flow Logs for traffic from a Private Service Connect subnet to any backend VM instance (including GKE nodes)
resource.type="gce_subnetwork"logName="projects/PRODUCER_PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"json_payload.connection.src_ip=~"PSC_SUBNET_REGEX.*"jsonPayload.dest_instance.vm_name=~"VM_INSTANCE_PREFIX.*"

Replace the following:

  • PRODUCER_PROJECT_ID: the project ID of the service producer.
  • CONSUMER_PROJECT_ID: the project ID of the service consumer.
  • PSC_SUBNET_REGEX: a regular expression that matches apattern in the Private Service Connect subnet. For example, replacePSC_SUBNET_REGEX with172\.16\.[0-1] if the Private Service Connect subnet is172.16.0.0/23.
  • VM_INSTANCE_PREFIX: the prefix of the backend VM instances.

Common logging events for endpoints

The following table lists common logging events for Private Service Connect endpoints.

Event descriptionLogging advanced filter
Private Service Connect endpoint creation
resource.type="gce_forwarding_rule"log_name="projects/CONSUMER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"protoPayload.methodName="v1.compute.forwardingRules.insert""compute.forwardingRules.pscCreate"
Private Service Connect endpoint creation failure
resource.type="gce_forwarding_rule"log_name="projects/CONSUMER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"protoPayload.methodName="v1.compute.forwardingRules.insert""compute.forwardingRules.pscCreate"severity>=ERROR
Private Service Connect endpoint connection status change
resource.type="gce_forwarding_rule"log_name="projects/CONSUMER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event"protoPayload.methodName="LogPscConnectionStatusUpdate"
Rejected Private Service Connect endpoint connection
resource.type="gce_forwarding_rule"log_name="projects/CONSUMER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event"protoPayload.methodName="LogPscConnectionStatusUpdate"protoPayload.metadata.pscConnectionStatus="REJECTED"
QuotaPSC_INTERNAL_LB_FORWARDING_RULES exceeded
resource.type="gce_forwarding_rule"log_name="projects/CONSUMER_PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"protoPayload.methodName="v1.compute.forwardingRules.insert""QUOTA_EXCEEDED"severity=ERROR
VPC Flow Logs for traffic from a VM instance to a Private Service Connect endpoint
resource.type="gce_subnetwork"logName="projects/CONSUMER_PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"jsonPayload.connection.dest_ip="PSC_ENDPOINT_IP_ADDRESS"jsonPayload.src_instance.vm_name="VM_INSTANCE_NAME"
VPC Flow Logs for traffic from a gateway to a Private Service Connect endpoint
resource.type="vpc_flow_logs_config"logName="projects/CONSUMER_PROJECT_ID/logs/networkmanagement.googleapis.com%2Fvpc_flows"jsonPayload.connection.dest_ip="PSC_ENDPOINT_IP_ADDRESS"jsonPayload.src_gateway.name="GATEWAY_NAME"

Replace the following:

  • CONSUMER_PROJECT_ID: the project ID of the service consumer.
  • PSC_ENDPOINT_IP_ADDRESS: the IP address of thePrivate Service Connect endpoint.
  • VM_INSTANCE_NAME: the name of a source VM instance in theproject of the service consumer.
  • GATEWAY_NAME: the name of a source VLAN attachment orCloud VPN tunnel in the project of the service consumer.

Limitations

Private Service Connect metrics have the following limitations:

  • Unsupported load balancers: Private Service Connectmetrics aren't generated for services that are published throughglobal external proxy Network Load Balancers or global external Application Load Balancers.

    To monitor services that use these load balancers, use the load balancer'smetrics and logs. For more information, see the following:

  • Google APIs: Private Service Connect metrics aren'tavailable for endpoints or backends that connect to Google APIs. You can useone of the following alternative methods to monitor connectionsto Google APIs:

    • Use load balancer monitoring with Private Service Connect backends:If you connect to Google APIs by using aPrivate Service Connect backend, you can use the loadbalancer's metrics and logging to monitor API traffic. For moreinformation, seeExternal Application Load Balancer logging and monitoring.
    • Use VPC Flow Logs with Private Service Connect endpoints:If you connect to Google APIs by using aPrivate Service Connect endpoint, you can monitor APItraffic by configuringVPC Flow Logs.You can analyze information from VPC Flow Logs by usingFlow Analyzer.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.