This chapter covers Private Service Connect (PSC) and Private Access, two critical Google Cloud networking features that enable private connectivity to Google APIs and managed services without traversing the public internet. For the Google Cloud Digital Leader (GCDL) exam, this topic appears in approximately 5-8% of questions, typically testing your understanding of when to use each option and their key benefits. Mastering these concepts is essential for designing secure, cost-effective hybrid cloud architectures.
Jump to a section
Imagine a large office building (your VPC) where every employee has a dedicated desk phone (VM instance). Outside the building, there are service providers (Google-managed services like Cloud SQL or third-party services) that offer valuable tools. Normally, if an employee wants to use a provider's tool, they must call through the public phone network (the internet), which is insecure, slow, and costs per minute. Private Service Connect (PSC) is like installing a private phone exchange (the PSC endpoint) that directly connects the building's internal network to the provider's private branch exchange (the service attachment). Each endpoint gets an internal extension (an internal IP address from the VPC subnet). When an employee dials that extension, the call is routed entirely through the private exchange – no public network touch. The provider sees the call as coming from the building's private exchange, not from a random public number. This gives the security of a private line, lower latency (no public switching), and predictable costs. The building manager (network admin) can control exactly which employees (VMs) can use which extensions (services) via firewall rules. Importantly, the outside provider never sees the individual employee's extension; they only see the building's exchange address (the PSC endpoint IP). This mirrors how PSC provides private connectivity to Google APIs or managed services using internal IPs, eliminating egress costs and exposure to the internet.
What is Private Service Connect (PSC)?
Private Service Connect is a Google Cloud networking capability that allows consumers (your VPC) to privately access managed services (producers) using internal IP addresses. It was introduced in 2021 as an evolution of Private Google Access and VPC Service Controls. PSC is built on the concept of a *service attachment* (on the producer side) and an *endpoint* (on the consumer side). The consumer creates a PSC endpoint in their VPC, which gets an internal IP address from a subnet. Traffic to that IP is forwarded over Google's internal network directly to the producer's service attachment, bypassing the public internet entirely.
Why PSC Exists
Before PSC, accessing Google APIs or managed services from a VPC required either: - Public internet: Unsecure, high latency, and incurs egress costs. - Private Google Access: Allows VMs without external IPs to reach Google APIs, but traffic still traverses Google's external network (though not the public internet). It does not provide a private IP address for the service; the destination IP is still a public IP (like 172.217.x.x). - VPC Peering: Only works for services that support it (e.g., Cloud SQL), and requires the service to be in a different project/VPC.
PSC solves these by giving the service a private RFC 1918 IP address within your VPC. This means:
Traffic never leaves Google's network.
You can use firewall rules based on internal IPs.
You can connect to services in other organizations (e.g., SaaS providers) without peering.
How PSC Works Internally
PSC uses a producer/consumer model:
- Producer: The service provider (e.g., Google Cloud SQL, or a third-party SaaS) creates a *service attachment* in their VPC. This is a resource that exposes the service to consumers. The service attachment is associated with a *service project* and a *service name* (a URN like projects/PROJECT_ID/regions/REGION/serviceAttachments/NAME).
- Consumer: The customer creates a *Private Service Connect endpoint* (also called a *forwarding rule* of type private-service-connect) in their VPC. The endpoint is assigned an internal IP from a subnet. The consumer then publishes a DNS zone (e.g., googleapis.com) that resolves the service's DNS name to this internal IP.
When a VM sends a packet to the endpoint's IP, the following happens: 1. The packet reaches the VPC's subnet where the endpoint resides. 2. The forwarding rule (which is a regional resource) intercepts the packet because it matches the endpoint IP. 3. The packet is encapsulated and forwarded over Google's internal backbone to the producer's service attachment. 4. The producer's service attachment decapsulates the packet and delivers it to the actual service (e.g., Cloud SQL instance). 5. Return traffic follows the reverse path.
This process is transparent to the VM – it sees a normal internal IP connection.
Key Components and Defaults
Service Attachment: Created by the producer. It includes:
A *connection preference*: ACCEPT_AUTOMATIC (any consumer can connect) or ACCEPT_MANUAL (consumer must be approved).
A list of *consumer project IDs* that are allowed (if manual).
A *service name* (URN).
Endpoint (Forwarding Rule): Created by the consumer. Type must be private-service-connect. It requires:
A target service attachment (specified by the service name URN).
An internal IP address (either static or ephemeral) from a subnet in the same region.
DNS: The consumer must configure DNS to resolve the service's public hostname (e.g., sql.googleapis.com) to the endpoint's internal IP. This is typically done using a private DNS zone in Cloud DNS.
Firewall: Standard VPC firewall rules apply to the endpoint IP. You must allow ingress/egress to the endpoint IP.
Limits: By default, you can create up to 100 endpoints per VPC network (adjustable via quota). Each endpoint can connect to one service attachment.
Configuration Example
To create a PSC endpoint using gcloud:
gcloud compute forwarding-rules create PSC_ENDPOINT_NAME \
--region=us-central1 \
--network=my-vpc \
--subnet=my-subnet \
--ip-version=IPV4 \
--target-service-attachment=projects/PROJECT_ID/regions/us-central1/serviceAttachments/SA_NAMETo verify the endpoint:
gcloud compute forwarding-rules describe PSC_ENDPOINT_NAME --region=us-central1Look for pscServiceAttachmentId and pscConnectionStatus which should be ACCEPTED.
Private Google Access (PGA)
Private Google Access is a VPC subnet-level setting that allows VMs without external IPs to reach Google APIs and services (like Cloud Storage, BigQuery) using Google's private network. When enabled, traffic from VMs to Google API public IPs (e.g., 172.217.x.x) is routed through Google's internal infrastructure rather than the public internet. However, the destination IP is still a public IP – it's not a private IP within your VPC. PGA is simpler than PSC but does not give you a private IP for the service.
Private Services Access (PSA)
Private Services Access is used for Google-managed services that support VPC peering (e.g., Cloud SQL, Memorystore). You allocate an IP range in your VPC and peer it with the service's VPC. This gives the service a private IP from your range. PSA is different from PSC in that it requires VPC peering and is limited to services that explicitly support it. PSC is more flexible as it works with any producer that creates a service attachment.
How PSC Interacts with Related Technologies
VPC Service Controls: PSC can be used with VPC Service Controls to add additional security boundaries. The PSC endpoint can be restricted to only access services within a service perimeter.
Cloud NAT: If a VM needs to access the internet (not just Google APIs), Cloud NAT is still required. PSC only covers traffic to the specific service attachment.
Hybrid Connectivity: PSC endpoints can be reached from on-premises via Cloud VPN or Cloud Interconnect, as long as the on-premises network can route to the endpoint IP.
DNS: You must manage DNS resolution yourself. Typically, you create a private DNS zone for googleapis.com (or the specific service domain) with an A record pointing to the endpoint IP.
Performance and Scaling
PSC uses Google's global network with low latency. Each endpoint can handle up to 10 Gbps of throughput (default). For higher throughput, you can create multiple endpoints and use load balancing. The producer service attachment also has its own capacity limits (e.g., a single Cloud SQL instance can handle up to 60,000 connections).
Producer creates service attachment
The service provider (e.g., a SaaS company) creates a service attachment in their VPC. This resource defines the service being offered. The producer specifies the connection preference (automatic or manual) and optionally a list of allowed consumer projects. The service attachment is associated with a specific region and a forwarding rule that points to the actual service (e.g., a load balancer). The producer also generates a service name URN, which is shared with consumers.
Consumer creates PSC endpoint
The consumer creates a forwarding rule of type `private-service-connect` in their VPC, specifying the target service attachment URN. The endpoint is assigned an internal IP from a subnet in the same region. The consumer can choose an ephemeral or static internal IP. The endpoint acts as a virtual IP that represents the service within the consumer's VPC.
Connection acceptance
If the producer set connection preference to `ACCEPT_AUTOMATIC`, the connection is established immediately. If `ACCEPT_MANUAL`, the producer must approve the consumer's project. The producer can use gcloud or the console to list pending connections and accept them. The status changes from `PENDING` to `ACCEPTED`. The consumer can verify the status using `gcloud compute forwarding-rules describe`.
DNS configuration
The consumer configures DNS to resolve the service's hostname (e.g., `sql.googleapis.com`) to the endpoint's internal IP. This is typically done by creating a private DNS zone in Cloud DNS for the service domain (e.g., `googleapis.com`) and adding an A record. The VPC must have DNS resolution enabled for private zones. Optionally, the consumer can use a DNS peering zone if using shared VPC.
Traffic flow
When a VM sends a packet to the endpoint IP, the VPC's forwarding rule intercepts it. The packet is encapsulated with Google's internal headers and forwarded over the Google backbone to the producer's service attachment. The producer's service attachment decapsulates and delivers the packet to the actual service. Return traffic follows the reverse path. The VM sees a standard TCP/IP connection to an internal IP.
Enterprise Scenario 1: Secure Access to Google APIs
A large financial services company requires all traffic to Google APIs (e.g., BigQuery, Cloud Storage) to remain within Google's network and not traverse the public internet. They have thousands of VMs in a shared VPC across multiple regions. Previously, they used Private Google Access, but that still resolved APIs to public IPs (e.g., 172.217.x.x). With PSC, they create endpoints in each region for the googleapis.com service attachment (published by Google). They configure private DNS zones to resolve *.googleapis.com to the endpoint IPs. This ensures all API calls use private IPs, reducing attack surface and eliminating egress costs. The network team monitors endpoint utilization via Cloud Monitoring. A common issue is forgetting to update DNS when an endpoint IP changes (if ephemeral), so they use static internal IPs for endpoints.
Enterprise Scenario 2: Connecting to a Third-Party SaaS
A retail company uses a third-party inventory management SaaS that runs on Google Cloud. The SaaS provider creates a service attachment in their project and shares the service name URN with the retailer. The retailer creates a PSC endpoint in their VPC and configures DNS. This allows the retailer's applications to connect to the SaaS using a private IP, ensuring low latency and security. The retailer can control access via firewall rules on the endpoint IP. Performance considerations: if the SaaS is in a different region, latency increases; they should create endpoints in the same region as the SaaS. A misconfiguration occurs if the retailer's VPC subnet for the endpoint is in a different region than the service attachment – the endpoint creation will fail.
Enterprise Scenario 3: Hybrid Connectivity with On-Premises
A healthcare organization has an on-premises data center connected to Google Cloud via Cloud Interconnect (VLAN attachment). They want on-premises servers to access a Google-managed Cloud SQL database privately. They create a PSC endpoint in their VPC and configure Cloud Router to advertise the endpoint's IP range to on-premises via BGP. On-premises servers can then connect to the Cloud SQL instance using the endpoint IP (which resolves via DNS). This eliminates the need for a public IP on Cloud SQL. A common mistake is not advertising the endpoint IP range, causing on-premises traffic to be dropped. They also need to ensure firewall rules on-premises allow traffic to the endpoint IP.
What GCDL Tests
The GCDL exam (Objective 2.4) focuses on understanding the differences between Private Google Access, Private Services Access, and Private Service Connect. You must know which option to use in specific scenarios. Key exam topics: - Private Google Access (PGA): Enables VMs without external IPs to reach Google APIs. Traffic stays within Google's network but uses public IPs for destination. Simple, no private IP. - Private Services Access (PSA): Used for Google-managed services that support VPC peering (e.g., Cloud SQL, Memorystore). Requires allocating an IP range and peering. Gives a private IP from your range. - Private Service Connect (PSC): For any service that exposes a service attachment (including third-party). Gives a private IP from your subnet. More flexible but requires DNS configuration.
Common Wrong Answers
"Private Google Access provides a private IP for the service." – Wrong. PGA still uses public IPs (e.g., 172.217.x.x). It only ensures traffic doesn't go over the public internet.
"Private Service Connect requires VPC peering." – Wrong. PSC does not use peering; it uses forwarding rules and service attachments.
"Private Services Access can be used for any Google API." – Wrong. PSA only works for services that explicitly support it (like Cloud SQL, Memorystore). Not for generic Google APIs.
"PSC endpoints must be in the same region as the service." – Partially true: the endpoint and service attachment must be in the same region, but the service itself (e.g., Cloud SQL) can be global? Actually, the service attachment is regional, so the consumer endpoint must be in the same region as the service attachment. The actual service (like a Cloud SQL instance) can be in a different region? No, the service attachment is tied to the service's region. So the endpoint must be in the same region as the service.
Numbers and Values
PSC endpoint limit: 100 per VPC (default).
Throughput per endpoint: up to 10 Gbps.
Supported protocols: TCP, UDP, ICMP.
Service attachment types: private-service-connect.
DNS zone: typically private zone for googleapis.com.
Edge Cases
Shared VPC: PSC endpoints can be created in a service project if the host project allows. The endpoint IP comes from the shared VPC subnet.
Global services: For services like Cloud DNS, which are global, you might need endpoints in multiple regions.
Firewall: The endpoint IP is a normal internal IP, so firewall rules apply. Ensure you allow traffic to/from the endpoint.
How to Eliminate Wrong Answers
If the question asks for "private IP for the service," eliminate PGA. If it mentions "VPC peering," it's likely PSA. If it involves a third-party service or generic Google APIs, it's PSC. Look for keywords: "internal IP address" → PSC or PSA; "no external IP" → PGA; "service attachment" → PSC.
Private Google Access (PGA) allows VMs without external IPs to reach Google APIs using public IPs internally.
Private Services Access (PSA) uses VPC peering to give Google-managed services a private IP from your allocated range.
Private Service Connect (PSC) provides a private IP from your subnet for any service that exposes a service attachment.
PSC endpoints are regional and must be in the same region as the service attachment.
PSC does not require VPC peering; it uses forwarding rules of type 'private-service-connect'.
Default PSC endpoint limit is 100 per VPC; throughput up to 10 Gbps per endpoint.
DNS configuration is required for PSC to resolve service hostnames to the endpoint IP.
PSC supports both Google and third-party services, making it the most flexible private access option.
These come up on the exam all the time. Here's how to tell them apart.
Private Google Access (PGA)
Enables VMs without external IPs to reach Google APIs.
Destination IPs are public (e.g., 172.217.x.x).
No private IP assigned in your VPC.
Simple to enable at subnet level.
Only works for Google APIs, not third-party services.
Private Service Connect (PSC)
Provides a private IP in your VPC for the service.
Traffic stays within Google's network.
Requires creating an endpoint and DNS configuration.
Works with any producer that exposes a service attachment (including third-party).
More complex but offers private IP and firewall control.
Private Services Access (PSA)
Uses VPC peering between your VPC and service VPC.
Requires allocating an IP range for the service.
Only for specific Google-managed services (Cloud SQL, Memorystore, etc.).
Service gets an IP from your allocated range.
Simple DNS (service name resolves to private IP automatically).
Private Service Connect (PSC)
Uses forwarding rules and service attachments, no peering.
Endpoint gets an IP from your existing subnet.
Works with any service that exposes a service attachment (Google or third-party).
Service attachment is regional; endpoint must be in same region.
Requires manual DNS configuration.
Mistake
Private Google Access assigns a private IP address to the Google API.
Correct
Private Google Access does not assign a private IP. VMs without external IPs can still reach Google APIs, but the destination IP is a public IP (e.g., 172.217.x.x). The traffic is routed internally by Google, but the IP is not private.
Mistake
Private Service Connect requires VPC peering.
Correct
PSC does not use VPC peering. It uses a forwarding rule (endpoint) and a service attachment. No peering is established between the consumer and producer VPCs.
Mistake
Private Services Access works for all Google Cloud services.
Correct
PSA only works for services that explicitly support it, such as Cloud SQL, Memorystore, and Cloud Bigtable. For generic Google APIs (like BigQuery), you must use PGA or PSC.
Mistake
PSC endpoints can be created in any region regardless of the service location.
Correct
The PSC endpoint must be in the same region as the service attachment. The service attachment is regional, so the endpoint must match that region. The actual service (e.g., Cloud SQL instance) is also regional, so the endpoint must be in the same region as the service.
Mistake
PSC eliminates the need for Cloud NAT.
Correct
PSC only handles traffic to the specific service attachment. If VMs need to reach the internet (e.g., for updates), Cloud NAT is still required. PSC does not provide general internet access.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Private Google Access (PGA) allows VMs without external IPs to reach Google APIs, but the destination IP is still a public IP (e.g., 172.217.x.x). Private Service Connect (PSC) gives you a private IP in your VPC for the service, so traffic stays within your network and you can use firewall rules based on internal IPs. PGA is simpler but does not provide a private IP; PSC is more complex but offers better security and control.
Use Private Services Access (PSA) when you need to connect to a Google-managed service that supports it, such as Cloud SQL or Memorystore, and you want the service to have an IP from a dedicated range you allocate. PSA is simpler for these services because DNS is automatic. Use Private Service Connect (PSC) when you need to connect to services that do not support PSA, such as third-party SaaS or generic Google APIs, or when you want the endpoint IP to come from your existing subnet.
Yes. If you have a hybrid connection (Cloud VPN or Cloud Interconnect), you can reach PSC endpoints from on-premises as long as the on-premises network can route to the endpoint's IP range. You must advertise the endpoint's subnet via BGP (using Cloud Router) to on-premises. Additionally, ensure firewall rules allow traffic from on-premises to the endpoint IP.
Google provides a service attachment for `googleapis.com` that covers most Google APIs (e.g., BigQuery, Cloud Storage, Pub/Sub). However, not all APIs may be supported; check the documentation. For APIs not covered, you may need to use Private Google Access. PSC also works with third-party services that expose their own service attachments.
Create a private DNS zone in Cloud DNS for the service's domain (e.g., `googleapis.com`) and add an A record that points the service hostname (e.g., `bigquery.googleapis.com`) to the PSC endpoint's internal IP. Ensure the DNS zone is associated with your VPC. You can also use a wildcard record to cover all subdomains.
Each PSC endpoint can handle up to 10 Gbps of throughput. For higher throughput, you can create multiple endpoints and use load balancing. The producer's service attachment also has its own limits (e.g., based on the underlying service). Latency is minimal as traffic stays within Google's network.
Yes. PSC is designed for cross-organization connectivity. The producer shares the service attachment URN, and the consumer creates an endpoint referencing it. The producer can control access via connection preference (manual or automatic) and allowed projects. This is useful for SaaS providers offering services to multiple customers.
You've just covered Private Service Connect and Private Access — now see how well it sticks with free GCDL practice questions. Full explanations included, no account needed.
Done with this chapter?