Increase security and reduce costs through VPN connections between AWS and GCP step by step — (2) GCP Private Service Connect and other GCP Private Access methods

Derek.Kim
6 min read · Aug 6, 2023


  1. How to connect to VPNs
  2. GCP Private Service Connect and other GCP Private Access methods
  3. Use GCP Cloud DNS from AWS
  4. Use AWS Route53 from GCP

This is the second post in the series listed above.

In the previous post, I showed how to connect AWS and GCP with a VPN. A VPN link by itself does not move anything, though: traffic that was leaving through the NAT Gateway keeps leaving through the NAT Gateway. The VPN only lays the foundation for IP-level communication between the two clouds; moving an existing path onto it takes additional work, which this post covers.

There is a cost angle as well: if requests to googleapis.com no longer leave through the NAT Gateway, you stop paying NAT Gateway data-processing charges for that traffic.

To reach GCP managed services (BigQuery, Pub/Sub, etc.) from AWS over the VPN, as in the first scenario of the previous post, two things are needed:
  1. Configure Private Service Connect (PSC) so that the Google APIs are reachable on a private IP
  2. Create a private DNS zone for googleapis.com and add records that resolve to the PSC IP

First, a brief overview of the ways to reach Google managed services (Google APIs) privately from a GCP VPC, Private Service Connect among them.

GCP Private Access options for Google APIs

1. Private Google Access


Private Google Access (PGA) lets resources in a VPC reach Google APIs without a public IP.

  • PGA is enabled per subnet; once enabled, resources in that subnet can reach Google APIs without an external IP
  • VMs with only an internal IP then call Google APIs without any exposure to the Internet
  • DNS must resolve googleapis.com names to the VIP range Google reserves for this purpose, 199.36.153.8/30 (199.36.153.8–11, private.googleapis.com); traffic to those addresses stays on Google's network
  • A VM that has an external IP can reach Google APIs whether or not PGA is enabled on its subnet

2. Private Service Connect


Private Service Connect (PSC) lets you reach Google APIs, and services in VPCs that are not peered with yours, without a public IP.

  • You reserve a single internal IP for the PSC endpoint, and every Google API in the bundle is reachable through that one IP
  • Beyond Google APIs, PSC also fronts Google-managed services such as the Apigee and GKE control planes, third-party services published with PSC support, and services in other VPCs, all without VPC peering
  • The security benefit is that the Google APIs are reached only at an internal IP that you chose and that lives inside your VPC
  • The closest AWS equivalent is VPC endpoints (AWS PrivateLink)
Private access to GCP Managed Services via PSC IP

Either PGA or PSC would work for reaching Google APIs, but I chose Private Service Connect: neither the AWS nor the GCP side uses public IPs, and I need the Google managed services to answer at an IP that I assign myself, so that it can be routed to and advertised over the VPN.

3. Private Service Access


Private Service Access (PSA) lets your VPC reach resources in a Google-managed or third-party VPC over a private connection (VPC peering), without a public IP.

  • The service's resources live in a VPC managed by Google that is peered with your VPC, and you reach them at private addresses from an IP range you allocate
  • Only certain services are reachable this way (Cloud SQL, Vertex AI, etc.)
  • For example, a Cloud SQL instance with a private IP is reachable directly from your VPC with no public IP involved

4. Serverless VPC Access


Serverless VPC Access connects serverless products such as Cloud Run, App Engine, and Cloud Functions to your VPC.

  • Lets serverless products (Cloud Run, App Engine, Cloud Functions, etc.) talk to resources inside your VPC directly
  • Requests to resources in your VPC do not traverse the Internet, and latency is much lower than going over the Internet

Of these four options, I chose Private Service Connect to make the connection to googleapis.com private, since that domain fronts the Google managed services used from both AWS and GCP (BigQuery, Pub/Sub, GCS, etc.).

## Private Service Connect setup

I will explain how to set up Private Service Connect in GCP.

How to Configure Private Service Connect

Create the PSC endpoint
  • In the GCP console, go to Network services > Private Service Connect
  • Create a Private Service Connect endpoint
  • Select All Google APIs as the target
  • Name the endpoint as you like
  • Select the GCP VPC you want to work with as the network
Configure the PSC IP
  • Pick a reserved internal IP for the endpoint, or reserve a new one here if you have none
  • Unlike an AWS VPC endpoint, which takes an address from the subnet it lives in, a PSC endpoint for Google APIs uses a global internal IP that must not overlap any subnet range in the VPC you attach it to (or in networks peered with that VPC)

Create Private DNS zone for Private Service Connect

Configure a private DNS zone for googleapis.com
  • Go to Network services > Cloud DNS and create a DNS zone
  • Set Zone type to Private and DNS name to googleapis.com. The public zone for googleapis.com belongs to Google; for a VPC linked to a private zone of the same name, Cloud DNS answers from the private zone instead. It answers only from the private zone: a googleapis.com name with no record in it does not fall back to the public answer, which is why the wildcard record below is needed
  • Leave Options at the default (private)
  • Because it is a private zone, it is visible only to the VPCs you link to it. Link the GCP VPC that will use the PSC endpoint
  • Add an A record for '*.googleapis.com' that resolves to the PSC IP
GCP VPC to access Google APIs via PSC IP
  • With the PSC IP in that record, any client in the linked VPC that uses a googleapis.com name now reaches Google through Private Service Connect
  • Unlike AWS VPC endpoints, you do not need one endpoint per managed service: AWS interface endpoints are created per service, per VPC (and so per region), each with its own network interfaces, whereas one PSC endpoint covers the whole All Google APIs bundle

Advertise the PSC IP from the GCP Cloud Router so that AWS can use Private Service Connect too.

Advertise custom ranges for PSC IP on GCP Cloud Router
  • AWS also needs a route to the PSC IP, so it has to be advertised over the VPN
  • On the Cloud Router you created for the VPN (Hybrid Connectivity > Cloud Router), add the range containing the PSC IP under Custom ranges in the advertised routes
  • The PSC IP is not part of any GCP VPC subnet, so it is not included in the default subnet advertisements and must be advertised explicitly as a custom range
Use PSC from AWS
  • The Transit Gateway route table learns the PSC IP advertised by GCP over the VPN BGP session, but the route tables of the AWS subnets do not, so resources in those subnets have no path to the PSC IP
  • Add a static route for the PSC IP, with the Transit Gateway as the target, to the route table of each AWS subnet that should use it
  • Finally, DNS queries for 'googleapis.com' names from those AWS subnets must return the PSC IP
  • You could create a separate Route 53 private hosted zone for 'googleapis.com' and associate it with the AWS VPC, but you can also reuse the GCP Cloud DNS private zone for 'googleapis.com' that is already in place from the AWS VPC; that method is covered in the next post
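To make the console steps above concrete, here is the same setup as Terraform, from the PSC endpoint through the DNS zone and Cloud Router advertisement to the AWS static route. This is an added example, not the author's code or anything from the original post; the project, VPC, region, ASN, route table and Transit Gateway IDs, and the PSC address 10.255.255.10 are placeholder assumptions, and the google and aws providers are assumed to be configured. The same private zone, with different record data, is what the Private Google Access option described earlier needs, so the record resource notes that variant as well.

```hcl
# Added example (not the author's code). All names, IDs, region, ASN and the
# PSC address are placeholder assumptions; substitute your own values.

locals {
  psc_ip      = "10.255.255.10"                                     # assumed: outside every subnet in the VPC and its peers
  gcp_network = "projects/my-gcp-project/global/networks/my-vpc"   # assumed
}

# 1. Reserve a global internal address dedicated to Private Service Connect.
resource "google_compute_global_address" "psc_googleapis" {
  name         = "psc-googleapis-ip"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  address_type = "INTERNAL"
  network      = local.gcp_network
  address      = local.psc_ip
}

# 2. The endpoint itself: one global forwarding rule for the All Google APIs
#    bundle. Google requires the name to be 1-20 lowercase letters/digits.
resource "google_compute_global_forwarding_rule" "psc_googleapis" {
  name                  = "pscgoogleapis"
  target                = "all-apis"
  network               = local.gcp_network
  ip_address            = google_compute_global_address.psc_googleapis.id
  load_balancing_scheme = ""
}

# 3. Private zone that shadows googleapis.com, visible only to the linked VPC.
#    Cloud DNS will answer googleapis.com names from this zone alone, so the
#    wildcard record below must exist or lookups fail.
resource "google_dns_managed_zone" "googleapis" {
  name        = "googleapis-psc"
  dns_name    = "googleapis.com."
  visibility  = "private"
  description = "Send *.googleapis.com to the PSC endpoint"
  private_visibility_config {
    networks {
      network_url = local.gcp_network
    }
  }
}

# Wildcard A record: every API host name resolves to the PSC IP.
# For Private Google Access instead of PSC, rrdatas would be the four
# private.googleapis.com VIPs, 199.36.153.8 through 199.36.153.11.
resource "google_dns_record_set" "googleapis_wildcard" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.${google_dns_managed_zone.googleapis.dns_name}"
  type         = "A"
  ttl          = 300
  rrdatas      = [local.psc_ip]
}

# 4. The Cloud Router used by the VPN: keep advertising all subnets, and add
#    the PSC /32 as a custom range so the AWS side learns it over BGP.
resource "google_compute_router" "vpn" {
  name    = "vpn-router"
  region  = "asia-northeast3"   # assumed
  network = local.gcp_network
  bgp {
    asn               = 64514   # assumed private ASN
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]
    advertised_ip_ranges {
      range       = "${local.psc_ip}/32"
      description = "PSC endpoint for Google APIs"
    }
  }
}

# 5. AWS side: the Transit Gateway learns the /32 via BGP, but each subnet
#    route table still needs a static route sending that prefix to the TGW.
resource "aws_route" "to_gcp_psc" {
  route_table_id         = "rtb-0123456789abcdef0"   # assumed
  destination_cidr_block = "${local.psc_ip}/32"
  transit_gateway_id     = "tgw-0123456789abcdef0"   # assumed
}
```

After applying, check from a VM in the linked GCP VPC that `dig +short bigquery.googleapis.com` returns the PSC IP and that `curl -sS -o /dev/null -w '%{remote_ip}\n' https://storage.googleapis.com/` connects to the same address; if the request still goes to a public Google address, the zone is not linked to that VPC or the client is using a resolver outside it. Two caveats: the zone covers only googleapis.com, so services on other Google domains (for example gcr.io or pkg.dev) need private zones of their own pointed at the same endpoint, and both the GCP firewall rules and the AWS security groups must allow egress to the PSC IP on TCP 443. From the AWS subnets the route is in place once the static route exists, but name resolution to the PSC IP is the subject of the next post.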


Derek.Kim

SRE who loves devops & Cloud GDE(Champion Innovator - Security and Networking)