Stay organized with collectionsSave and categorize content based on your preferences.
Private access options for services
Virtual machine (VM) instances in Virtual Private Cloud (VPC) networks can reach
Google and third-party APIs and services without anexternal IP address. All Google Cloud APIs and
services support private access.
The access methods are different for services in VPC networks
compared to services in Google's production infrastructure. The former use
peering or Private Service Connect; the latter use
Private Google Access or Private Service Connect.
The following sections summarize the private access options in each category:
Use this option to connect to supported services in another
VPC network through a consumer-managed load balancer.
You don't need to assign external IP addresses to your
Google Cloud resources.
Google Cloud VM instances with or without external IP
addresses.
Connect to services in another VPC network through an
endpoint.
Supports specific Google and third-party services. To find out
whether a service supports service connection policies, contact the
service provider.
Use this option to deploy a managed service instance and
configure connectivity through a service's administrative API or UI.
The service instance is deployed in a producer VPC network
that is connected to your VPC network through an endpoint.
You don't need to assign external IP addresses to your
Google Cloud resources.
Use this option to connect to specific Google and third-party services
without assigning external IP addresses to your Google Cloud and
Google or third-party resources.
Connect from serverless Google services to VPC networks
You can useDirect VPC egressto let Cloud Run, App Engine
standard, and Cloud Run functions environments send packets to the internal IPv4
addresses of resources in a VPC network. If Direct VPC egress
isn't an option for you, you can configure aServerless VPC Accessconnector instead. Both options also support sending packets to other networks
connected to the selected VPC network.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Private access options for services\n===================================\n\nVirtual machine (VM) instances in Virtual Private Cloud (VPC) networks can reach\nGoogle and third-party APIs and services without an\n[external IP address](/vpc/docs/ip-addresses). All Google Cloud APIs and\nservices support private access.\n\nThe access methods are different for services in VPC networks\ncompared to services in Google's production infrastructure. The former use\npeering or Private Service Connect; the latter use\nPrivate Google Access or Private Service Connect.\n\nThe following sections summarize the private access options in each category:\n\n- [Connect to Google APIs in Google's production infrastructure](#connect-google-apis)\n- [Connect to services in VPC networks](#connect-services)\n- [Connect from serverless Google services to VPC\n networks](#connect-serverless-vpc)\n\nYou can configure one or all of these options. They operate independently of each other.\n\nConnect to Google APIs\n----------------------\n\nThe following table shows the options for connecting to services in Google's\nproduction networks:\n\n^1^ Use [private services access or Private Service Connect](#connect-services) to connect to Google services that are not supported by Private Service Connect for Google APIs or Private Google Access.\n\nConnect to services in VPC networks\n-----------------------------------\n\nThe following table shows the options for connecting to services in\nVPC networks:\n\n^2^ Use [Private Service Connect for\nGoogle APIs or Private Google Access](#connect-google-apis) to connect to Google services that are not supported by private services access or Private Service Connect for published services.\n\nConnect from serverless Google services to VPC networks\n-------------------------------------------------------\n\nYou can use [Direct VPC egress](/run/docs/configuring/vpc-direct-vpc) to let Cloud Run, App Engine\nstandard, and Cloud Run functions environments send packets to the internal IPv4\naddresses of resources in a VPC network. If Direct VPC egress\nisn't an option for you, you can configure a [Serverless VPC Access](/vpc/docs/serverless-vpc-access)\nconnector instead. Both options also support sending packets to other networks\nconnected to the selected VPC network."]]
