About Private Service Connect backends
You can access Google APIs and published services by creating aPrivate Service Connect endpoint (based on a forwardingrule) or aPrivate Service Connect backend (based on a loadbalancer).This guide focuses on Private Service Connect backends.
Private Service Connect backends use a load balancer configuredwith Private Service Connect network endpoint group (NEG)backends. This configuration was previously referred to as aPrivate Service Connect endpoint with consumer HTTP(S) servicecontrols.
Accessing APIs and services through a consumer-managed load balancer providesseveral benefits. Load balancers can act as a centralized policy enforcementpoint where security policies (such asGoogle Cloud Armor policiesandSSL policies) orrouting policies (such asGoogle Cloud URL maps)are enforced. They provide centralized metrics and logging that a publishedservice might not provide, and they allow consumers to control their ownrouting and failover.
Figure 1 shows a load balancer with aPrivate Service Connect NEG connecting to a published service.Client traffic goes to a load balancer that processes the traffic andthen routes it to a Private Service Connect backend that maps toa published service that runs in a different VPCnetwork.
Figure 1. Using a global external Application Load Balancer lets service consumers with internet access send traffic to services in the service producer's VPC network (click to enlarge).
Deployment overview
To access APIs and services through Private Service Connectbackends, do the following:
Identify the service that you want to connect to.
For published services: Ask the service producer for theserviceattachment URI.
For Google APIs, do one of the following:
Choose aregional serviceendpoint.
Choose aglobal serviceendpoint.
Deploy a load balancer to send traffic to your published service.Choose aload balancer that fits your requirements, including whether you haveinternet clients, internal clients, or require regional isolation. You canalso reuse an existing load balancer.
Deploy the Private Service Connect NEGs and add themto your load balancer backend service. CreatePrivate Service Connect NEGs that reference your publishedservice. Then add the NEGs to the load balancer's backend service so thatthe load balancer can send them traffic.
Supported load balancers and targets
You can use a backend to access a published service or a supported Google API.
See the load balancing documentation for more information about the loadbalancer that you want to add a Private Service Connect backendto.
- For information about global external Application Load Balancers and regional external Application Load Balancers,seeExternal Application Load Balancer overview.
- For information about internal Application Load Balancers and Cross-region internal Application Load Balancers,seeInternal Application Load Balancer overview.
- For information about regional internal proxy Network Load Balancers, seeRegional internal proxy Network Load Balanceroverview.
- For information about regional external proxy Network Load Balancers, seeRegional external proxy Network Load Balancer overview.
- For information about global external proxy Network Load Balancers, seeExternal proxy Network Load Balancer overview.
Published service targets
A Private Service Connect backend for published servicesrequires two load balancers—a consumer load balancer and a producer loadbalancer.
Consumer configuration
This table describes the consumer load balancers that are supported by Private Service Connect backends for published services, including which backend service protocols can be used with each consumer load balancer. The consumer load balancers can access published services that are hosted onsupported producer load balancers.
| Consumer load balancer | Protocols | IP version | Cross-region failover |
|---|---|---|---|
| IPv4 | ||
| IPv4 | ||
Global external Application Load Balancer Note:
|
| IPv4 | |
Global external proxy Network Load Balancer To associate this load balancer with a Private Service Connect NEG, use the Google Cloud CLI or send an API request. Note: Classic proxy Network Load Balancer is not supported. |
| IPv4 | |
| IPv4 | ||
| IPv4 | ||
| IPv4 | ||
| IPv4 |
Producer configuration
This table describes the configuration for producer load balancersthat are supported by Private Service Connect backends forpublished services.
| Producer type | Producer configuration (published service) | |||||
|---|---|---|---|---|---|---|
| Supported producer backends | Forwarding rule protocols | Forwarding rule ports | PROXY protocol | IP version | Private Service Connect health support | |
| Cross-region internal Application Load Balancer |
|
| Supports one, multiple, or all ports | IPv4 | ||
| Internal passthrough Network Load Balancer |
|
| SeeProducer port configuration | IPv4 | ||
| Regional internal Application Load Balancer |
|
| Supports a single port | IPv4 | ||
Regional internal proxy Network Load Balancer Note: Connections from consumer global external Application Load Balancers aren't supported. |
|
| Supports a single port | IPv4 | ||
| Secure Web Proxy |
|
| Not applicable | IPv4 | ||
For an example backend configuration that uses a global external Application Load Balancer, seeAccess published services throughbackends.
Regional Google API targets
This table describes which load balancers can use aPrivate Service Connect backend to access regional Google APIs.
For an example configuration that uses an internal Application Load Balancer, seeAccess Google APIs throughbackends.
| Configuration | Details |
|---|---|
| Consumer configuration (Private Service Connect backend) | |
| Supported consumer load balancers |
|
| IP version | IPv4 |
| Producer | |
| Supported services | Supported regional Google APIs |
Global Google API targets
This table describes which load balancers can use aPrivate Service Connect backend to access a global Google API.
| Configuration | Details |
|---|---|
| Consumer configuration (Private Service Connect backend) | |
| Supported consumer load balancers |
|
| IP version | IPv4 |
| Producer | |
| Supported services |
|
Connection statuses
Private Service Connect endpoints, backends, and service attachments have connection statuses that describe the state of their connections. The consumer and producer resources that form the two sides of a connection always have the same status. You can view connection statuses when youview endpoint details, describe a backend, or view details for a published service.
The following table describes the possible statuses.
| Connection status | Description |
|---|---|
| Accepted | The Private Service Connect connection is established. The two VPC networks have connectivity, and the connection is functioning normally. |
| Pending | The Private Service Connect connection is not established, and network traffic can't travel between the two networks. A connection might have this status for the following reasons:
Connections that are blocked for these reasons remain in the pending state indefinitely until the underlying issue is resolved. |
| Rejected | The Private Service Connect connection is not established. Network traffic can't travel between the two networks. A connection might have this status for the following reasons:
|
| Needs attention | There is an issue on the producer side of the connection. Some traffic might be able to flow between the two networks, but some connections might not be functional. For example, the producer'sNAT subnet might be exhausted and unable to allocate IP addresses for new connections. |
| Closed | The service attachment was deleted, and the Private Service Connect connection is closed. Network traffic can't travel between the two networks. A closed connection is aterminal state. To restore the connection, you must recreate both the service attachment and the endpoint or backend. |
Specifications
All Private Service Connect backends have the followingspecifications:
- Only thesupported load balancers can usePrivate Service Connect NEGs as backends.
- Private Service Connect NEGs cannot be mixed with other NEGtypes in the same backend service. However, self-hosted applications andmanaged services can both be backends of the same load balancer as long asthey are part of separate backend services.
- Backend services with Private Service Connect NEGs don'tsupport health checks. Health check resources are not configured withbackend services used for Private Service Connect.
- Backend services with Private Service Connect NEGs don'tsupportsession affinity.
- If a Private Service Connect NEG references a serviceattachment, the service attachment must be in a different VPCnetwork from the NEG and the load balancer.
- Private Service Connect NEGs can't reference serviceattachments that are configured forport mapping services.
Private Service Connect backends that are used in global backendservices have additional specifications:
- Multiple Private Service Connect NEGs can be in the samebackend service as long as they are from different regions. You can't addmultiple Private Service Connect NEGs from the same regionto the same backend service.
- You can take advantage of automatic cross-region failover by associatingmultiple Private Service Connect NEGs with the same backendservice. For more information, see the following section.
Automatic cross-region failover
Accessing published services using Private Service Connectbackends that are based on global or cross-regional load balancers letsyou take advantage of automatic cross-region failover.
With automatic failover, if a service instance in one region becomes unhealthy,your consumer load balancer stops routing traffic to the unhealthy instance andinstead routes traffic to a healthy service instance in an alternate region.
To support automatic failover, both the service producer and the serviceconsumer must configure their resources for a multi-region deployment, asdescribed in this section. For information about additional producerrequirements for failover with Private Service Connect health, seePrivate Service Connect health specifications.
Producer configuration:
- Deploy the service in each region. Each regional instance of the service must be configured on a regional load balancer thatsupports access by a backend.
- Create a service attachment to publish each regional instance of the service.
Consumer configuration:
- Create a Private Service Connect backend to access published services. The backend must be based on aload balancer that supports cross-region failover and includes the following configuration:
- A Private Service Connect NEG in each region that points to that region's service attachment
- A global backend service that contains the NEG backends
The following diagram shows a multi-region deployment:
A global external Application Load Balancer with multiple Private Service Connect NEGs connects to a service that is published in multiple regions. This multi-region deployment lets the consumer load balancer fail over when a service instance becomes unhealthy, routing traffic to a healthy service instance in an alternate region (click to enlarge).
Automatic failover can be triggered in two ways:
Failover with outlier detection: The load balancer's standard failovermechanism, which is enabled by default in multi-region deployments. Trafficis directed away from Private Service Connect NEGs thatreceive a high rate of errors from the published service.
Enhanced failover with Private Service Connect health: Service producers canconfigure Private Service Connect health toprovide more detailed health signals for their services.
Failover through outlier detection
When multiple Private Service Connect NEGs are configured ina global backend service,outlier detectionis automatically enabled on the backend service.
When outlier detection identifies failures in responses sent by a publishedservice, such as5xx response codes, the consumer load balancer fails over,temporarily redirecting traffic to a healthy service instance in an alternateregion.
You can replace the default outlier detection policy by applying your ownoutlier detection configuration to the backend service,or you can disable the feature by configuring a singlePrivate Service Connect NEG in the backend service and routing100% of your traffic to this NEG.
Enhanced failover through Private Service Connect health
Preview
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.
With Private Service Connect health, a consumer load balancer can fail over basedon a direct health signal that is configured by the service producer.
The producer defines conditions that create a single composite health state foreach regional published service instance. The composite health state is based onthe health of the service's backends, such as VM instances or network endpoints.For example, a producer can specify that their service is considered healthyonly when a certain percentage of its backend instances are healthy.
For supported load balancers in multi-region deployments,no additional configuration is required from consumers to use health signalsfrom Private Service Connect health.
For information about how service producers can configurePrivate Service Connect health, seeAbout Private Service Connect health.
Pricing
For pricing information, see the following sections of the VPCpricing page:
Using a Private Service Connect backend to access a published service.
Using a Private Service Connect backend to access Google APIs.
What's next
- Create a Private Service Connect backend
- Access regional Google APIs through backends
- Access global Google APIs through backends
- Access published services through backends
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.