Private Service Connect compatibility

Services

You can access the following services by using Private Service Connect.

Google published services

Google service	Access provided
AlloyDB for PostgreSQL	Lets you connect to AlloyDB for PostgreSQL instances .
Apigee	Lets you expose APIs managed by Apigee to the internet . Also lets you connect privately from Apigee to backend target services .
BigQuery connections SAP Datasphere	Lets you increase security when using BigQuery to send queries to SAP Datasphere .
BigQuery Data Transfer Service	Lets you use BigQuery Data Transfer Service for Oracle .
Blockchain Node Engine	Lets you access Blockchain Node Engine nodes .
Chrome Enterprise Premium	Lets the Identity-Aware Proxy access the App Connector Gateway.
Cloud Data Fusion	Lets you connect Cloud Data Fusion instances to resources in VPC networks .
Cloud Composer 2	Lets you access the Cloud Composer tenant project .
Cloud Composer 3	Lets you access the Cloud Composer tenant project .
Cloud SQL	Lets you access your Cloud SQL database privately . Lets you automate creating connections to Cloud SQL instances through service connectivity automation.
Cloud Workstations	Lets you access private workstation clusters .
Database Migration Service	Lets you migrate your data to Google Cloud .
Dataproc Metastore	Lets you access Dataproc Metastore services .
Eventarc	Lets you receive events from Eventarc .
Google Cloud Contact Center as a Service (CCaaS)	Lets your agents and supervisors privately access the Google Cloud Contact Center as a Service interface . Lets your Google Cloud Contact Center as a Service instance privately access other systems via a VPC network .
Google Cloud Managed Service for Apache Kafka	Lets you access Managed Service for Apache Kafka clusters .
Google Kubernetes Engine (GKE) public clusters and private clusters	Lets you privately connect nodes and the control plane for a public or private cluster .
Integration Connectors	Lets Integration Connectors access your managed services privately .
Looker (Google Cloud core)	Lets you access Looker (Google Cloud core) instances .
Memorystore for Redis Cluster	Lets you automate creating connections to Memorystore for Redis Cluster instances through service connectivity automation.
Memorystore for Valkey	Lets you automate creating connections to Memorystore for Valkey instances through service connectivity automation.
Ray on Vertex AI	Lets you access Ray clusters .
Vertex AI Pipelines	Lets you create pipeline runs .
Vertex AI Training	Lets you access custom jobs and persistent resources .
Vertex AI Vector Search	Lets you automate creating connections to Vector Search endpoints through service connectivity automation.
Vertex AI predictions	Lets you access Vertex AI online prediction .

Third-party published services

Third-party service	Access provided
Aiven	Provides private access to Aiven Kafka clusters .
Axoflow	Provides private access to Axoflow Platform .
Citrix DaaS	Provides private access to Citrix DaaS .
ClickHouse	Provides private access to ClickHouse services .
Confluent Cloud	Provides private access to Confluent Cloud clusters .
Couchbase	Provides private access to Capella clusters .
Databricks	Provides private access to Databricks clusters .
Datadog	Provides private access to Datadog intake services .
Datastax Astra	Provides private access to Datastax Astra DB databases .
dbt	Provides private access to the dbt multi-tenant environment .
Elasticsearch	Provides private access to Elastic Cloud .
Groq	Provides private access to Groq Cloud .
JFrog	Provides private access to JFrog SaaS instances .
MongoDB Atlas	Provides private access to MongoDB Atlas .
Neo4j Aura	Provides private access to Neo4j Aura .
Pega Cloud	Provides private access to Pega Cloud .
Redis Enterprise Cloud	Provides private access to Redis Enterprise clusters .
Redpanda	Provides private access to Redpanda Cloud .
Snowflake	Provides private access to Snowflake .
Striim	Provides private access to Striim Cloud .
Zenoss	Provides private access to Zenoss Cloud .

Self-managed published services

Source of your service

Service producer configuration

Service consumer configuration

Cloud Load Balancing

Publish the service

Create an endpoint to access the published service
Create a backend to access the published service

Google Kubernetes Engine (GKE)

Publish the service: Route requests to your service through an internal LoadBalancer service and publish the service through a ServiceAttachment

Create an endpoint to access the published service
Create a backend to access the published service

Cloud Run and Cloud Run functions (2nd gen)

Choose one of the following:

run.app URL: you don't need additional configuration
cloudfunctions.net URL (for Cloud Run functions only): you don't need additional configuration
Published service: Route requests to your service through a load balancer with a Serverless NEG and publish the service

Choose the consumer option that corresponds with the service producer configuration:

cloudfunctions.net and run.app URLs: Create an endpoint to access those URLs
Published service:
- Create an endpoint to access the published service
- Create a backend to access the published service

Cloud Run functions (1st gen)

cloudfunctions.net URL: you don't need additional configuration

Create an endpoint to access cloudfunctions.net URLs

App Engine

You don't need additional configuration

Create an endpoint to access appspot.com URLs

Global Google APIs

Endpoints can target a bundle of global Google APIs or a single regional Google API. Backends can target a single global Google API or a single regional Google API.

Bundles of global Google APIs

You can use Private Service Connect endpoints to send traffic to a bundle of Google APIs.

When you create an endpoint to access Google APIs and services, you choose which bundle of APIs you need access to— All APIs( all-apis ) or VPC-SC( vpc-sc ):

The all-apis bundle provides access to most Google APIs and services, including all *.googleapis.com service endpoints.
The vpc-sc bundle provides access to APIs and services that support VPC Service Controls.

Note: Note: These bundles provide access to the same APIs that are available through the Private Google Access VIPs — all-apis is equivalent to private.googleapis.com and vpc-sc is equivalent to restricted.googleapis.com .

The API bundles support only HTTP-based protocols over TCP (HTTP, HTTPS, and HTTP/2). All other protocols, including MQTT and ICMP are not supported.

API bundle

Supported services

Example usage

all-apis

Enables API access to most Google APIs and services regardless of whether they are supported by VPC Service Controls. Includes API access to Google Maps, Google Ads, Google Cloud, and most other Google APIs, including the lists below. Does not support Google Workspace web applications such as Gmail and Google Docs. Does not support any interactive websites.

Domain names that match:

accounts.google.com (only supports paths needed for OAuth authentication of service accounts; user account authentication is interactive and not supported)
*.aiplatform-notebook.cloud.google.com
*.aiplatform-notebook.googleusercontent.com
appengine.google.com
*.appspot.com
*.backupdr.cloud.google.com
backupdr.cloud.google.com
*.backupdr.googleusercontent.com
backupdr.googleusercontent.com
*.cloudfunctions.net
*.cloudproxy.app
*.composer.cloud.google.com
*.composer.googleusercontent.com
*.datafusion.cloud.google.com
*.datafusion.googleusercontent.com
*.dataproc.cloud.google.com
dataproc.cloud.google.com
*.dataproc.googleusercontent.com
dataproc.googleusercontent.com
dl.google.com
gcr.io or *.gcr.io
*.googleapis.com
*.gke.goog
*.gstatic.com
*.kernels.googleusercontent.com
*.ltsapis.goog
*.notebooks.cloud.google.com
*.notebooks.googleusercontent.com
packages.cloud.google.com
pkg.dev or *.pkg.dev
pki.goog or *.pki.goog
*.run.app
source.developers.google.com
storage.cloud.google.com

Choose all-apis under these circumstances:

You don't use VPC Service Controls.
You do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls. ¹

vpc-sc

Enables API access to Google APIs and services that are supported by VPC Service Controls .

Blocks access to Google APIs and services that do not support VPC Service Controls . Does not support Google Workspace APIs or Google Workspace web applications such as Gmail and Google Docs.

Choose vpc-sc when you only need access to Google APIs and services that are supported by VPC Service Controls. The vpc-sc bundle does not permit access to Google APIs and services that do not support VPC Service Controls. ¹

¹ If you need to restrict users to just the Google APIs and services that support VPC Service Controls , use vpc-sc , as it provides additional risk mitigation for data exfiltration. Using vpc-sc denies access to Google APIs and services that are not supported by VPC Service Controls. See Setting up private connectivity in the VPC Service Controls documentation for more details.

Single global Google API

You can use Private Service Connect backends to send requests to a single supported global Google API. The following APIs are supported:

Bigtable : bigtable.googleapis.com and bigtableadmin.googleapis.com
Cloud Logging : logging.googleapis.com
Spanner : spanner.googleapis.com
Cloud Storage : storage.googleapis.com
Pub/Sub : pubsub.googleapis.com

Regional Google APIs

You can use endpoints or backends to access regional Google APIs. For a list of supported regional Google APIs, see Regional service endpoints .

Types

The following tables summarize compatibility information for different Private Service Connect configurations.

In the following tables, a checkmark indicates that a feature is supported, and a no symbol indicates that a feature isn't supported.

Endpoints and published services

This section summarizes the configuration options that are available for consumers and producers when using endpoints to access published services.

Consumer configuration

This table summarizes the supported configuration options and capabilities of endpoints that access published services based on target producer type.

Target producer

Consumer configuration (endpoint)

Consumer global access

Hybrid access

Automatic DNS configuration
(IPv4-only)

VPC Network Peering access

Network Connectivity Center connection propagation (IPv4 only)

Supported target services for IPv4 endpoints

Supported target services for IPv6 endpoints

Cross-region internal Application Load Balancer ( Preview )

IPv4 services

IPv4 services

Internal passthrough Network Load Balancer

Only if global access is enabled on the load balancer ( known issue )

IPv4 services

IPv4 services
IPv6 services

Internal protocol forwarding (target instance)

Only if global access is enabled on the producer forwarding rule ( known issue )

IPv4 services

IPv4 services
IPv6 services

Port mapping services

Only if global access is enabled on the producer forwarding rule

IPv4 services

IPv4 services
IPv6 services

Regional internal Application Load Balancer

Only if global access is enabled on the load balancer before the service attachment is created

IPv4 services

IPv4 services

Regional internal proxy Network Load Balancer

Only if global access is enabled on the load balancer before the service attachment is created

IPv4 services

IPv4 services

Secure Web Proxy

IPv4 services

IPv4 services

Endpoints that access a published service have the following limitations:

You can't create an endpoint in the same VPC network as the published service that you are accessing.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
Not all static routes with load balancer next hops are supported with Private Service Connect. For more information, see Static routes with load balancer next hops .
Connectivity Tests can't test connectivity between an IPv6 endpoint and a published service.

Producer configuration

This table summarizes the supported configuration options and capabilities of published services that are accessed by endpoints .

Producer type

Producer configuration (published service)

Supported producer backends

PROXY protocol (TCP traffic only)

IP version

Cross-region internal Application Load Balancer ( Preview )

GCE_VM_IP_PORT zonal NEGs
Hybrid NEGs
Serverless NEGs
Private Service Connect NEGs
Instance groups

IPv4

Internal passthrough Network Load Balancer

GCE_VM_IP zonal NEGs
Instance groups

IPv4
IPv6

Internal protocol forwarding (target instance)

Not applicable

IPv4
IPv6

Port mapping services

Port mapping NEG

IPv4
IPv6

Regional internal Application Load Balancer

GCE_VM_IP_PORT zonal NEGs
Hybrid NEGs
Serverless NEGs
Private Service Connect NEGs
Instance groups

IPv4

Regional internal proxy Network Load Balancer

GCE_VM_IP_PORT zonal NEGs
Hybrid NEGs
Private Service Connect NEGs
Instance groups

IPv4

Secure Web Proxy

Not applicable

IPv4

Published services have the following limitations:

Load balancers that are configured with multiple protocols —protocol set to L3_DEFAULT —are not supported.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
You must use the Google Cloud CLI or the API to create a service attachment that points to a forwarding rule that is used for internal protocol forwarding .

For issues and workarounds, see Known issues .

Different load balancers support different port configurations; some load balancers support a single port, some support a range of ports, and some support all ports. For more information, see Port specifications .

Backends and published services

A Private Service Connect backend for published services requires two load balancers—a consumer load balancer and a producer load balancer. This section summarizes the configuration options that are available for consumers and producers when using backends to access published services.

Consumer configuration

This table describes the consumer load balancers that are supported by Private Service Connect backends for published services, including which backend service protocols can be used with each consumer load balancer. The consumer load balancers can access published services that are hosted on supported producer load balancers .

Consumer load balancer

Protocols

IP version

Cross-region internal Application Load Balancer

HTTP
HTTPS
HTTP2

IPv4

Cross-region internal proxy Network Load Balancer

IPv4

Global external Application Load Balancer (supports multiple regions)

Note: Classic Application Load Balancer is not supported.

HTTP
HTTPS
HTTP2

IPv4

Global external proxy Network Load Balancer

To associate this load balancer with a Private Service Connect NEG, use the Google Cloud CLI or send an API request.

Note: Classic proxy Network Load Balancer is not supported.

TCP/SSL

IPv4

Regional external Application Load Balancer

HTTP
HTTPS
HTTP2

IPv4

Regional external proxy Network Load Balancer

IPv4

Regional internal Application Load Balancer

HTTP
HTTPS
HTTP2

IPv4

Regional internal proxy Network Load Balancer

IPv4

Producer configuration

This table describes the configuration for producer load balancers that are supported by Private Service Connect backends for published services.

Producer type

Producer configuration (published service)

Supported producer backends

Forwarding rule protocols

Forwarding rule ports

PROXY protocol

IP version

Cross-region internal Application Load Balancer ( Preview )

GCE_VM_IP_PORT zonal NEGs
Hybrid NEGs
Serverless NEGs
Private Service Connect NEGs
Instance groups

TCP
HTTP
HTTPS
HTTP/2
gRPC

Supports one, multiple, or all ports

IPv4

Internal passthrough Network Load Balancer

GCE_VM_IP zonal NEGs
Instance groups

See Producer port configuration

IPv4

Regional internal Application Load Balancer

GCE_VM_IP_PORT zonal NEGs
Hybrid NEGs
Serverless NEGs
Private Service Connect NEGs
Instance groups

HTTP
HTTPS
HTTP/2

Supports a single port

IPv4

Regional internal proxy Network Load Balancer

GCE_VM_IP_PORT zonal NEGs
Hybrid NEGs
Private Service Connect NEGs
Instance groups

Supports a single port

IPv4

Secure Web Proxy

Not applicable

Not applicable

Not applicable

IPv4

Published services have the following limitations:

Load balancers that are configured with multiple protocols —protocol set to L3_DEFAULT —are not supported.
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
You must use the Google Cloud CLI or the API to create a service attachment that points to a forwarding rule that is used for internal protocol forwarding .

For issues and workarounds, see Known issues .

For an example backend configuration that uses a global external Application Load Balancer, see Access published services through backends .

To publish a service, see Publish services .

Endpoints and global Google APIs

This table summarizes the features that are supported by endpoints used to access Google APIs .

To create this configuration, see Access Google APIs through endpoints .

Configuration

Details

Consumer configuration (endpoint)

Global reachability

Uses an internal global IP address

Cloud Interconnect traffic

Cloud VPN traffic

Access through VPC Network Peering

Connection propagation through Network Connectivity Center

Automatic DNS configuration

IP version

IPv4

Producer

Supported services

Supported global Google APIs

Backends and global Google APIs

This table describes which load balancers can use a Private Service Connect backend to a global Google API.

Configuration

Details

Consumer configuration (Private Service Connect backend)

Supported consumer load balancers

Global external Application Load Balancer

Note: Classic Application Load Balancer is not supported.
Cross-region internal Application Load Balancer

IP version

IPv4

Producer

Supported services

Bigtable : bigtable.googleapis.com and bigtableadmin.googleapis.com
Cloud Logging : logging.googleapis.com
Spanner : spanner.googleapis.com
Cloud Storage : storage.googleapis.com
Pub/Sub : pubsub.googleapis.com

Endpoints and regional Google APIs

This table summarizes the features that are supported by endpoints used to access regional Google APIs .

Configuration

Details

Consumer configuration (endpoint)

Global reachability

If global access is enabled

Cloud Interconnect traffic

Cloud VPN traffic

Access through VPC Network Peering

Connection propagation through Network Connectivity Center

DNS configuration

Manual DNS configuration

IP version

IPv4 or IPv6

Producer

Supported services

Supported regional Google APIs

Backends and regional Google APIs

This table describes which load balancers can use a Private Service Connect backend to access regional Google APIs.

For an example backend configuration that uses an internal Application Load Balancer, see Access regional Google APIs through backends .

Configuration

Details

Consumer configuration (Private Service Connect backend)

Supported consumer load balancers

Internal Application Load Balancer

Protocols: HTTPS
Regional external Application Load Balancer

Protocols: HTTPS

IP version

IPv4

Producer

Supported services

Supported regional Google APIs

What's next

Learn about accessing published services through endpoints .
Learn about accessing global Google APIs through endpoints .
Learn about accessing regional Google APIs through endpoints .
Learn about backends .
Learn about publishing services .