Private Service Connect

When we set up a VPC network, we may not wish to allow Internet connectivity from that network. What this can mean is that applications attached to that network may not be able to reach Google managed services such as Cloud Storage, Pub/Sub, BigQuery and many others, because these services are exposed on public (Internet) IP addresses. Further, if there are on-premises applications that wish to use the Google managed services, we may also wish to route on-premises traffic into our GCP network through VPN or another interconnect solution, and again we appear to have the same issue.

This is where the GCP Private Service Connect function comes into play. In this article we are going to talk about using Private Service Connect exclusively to access Google managed services, although it appears that Private Service Connect can, or will, have additional uses.

The highest level notion of Private Service Connect is that we reserve an RFC1918 IP address within our VPC network. When configured correctly (which we will describe shortly), requests that are sent to the IP address that we chose are transparently and automatically routed to the correct Google managed service. What this means is that we can now interact with those services with no public IP addresses seen by anyone. All the IP addresses we are now considering are RFC1918 based and nothing goes near the Internet.

Setting up a Private Service Connect environment is straightforward. Here we will walk through a complete setup from scratch:

  • Start with an empty GCP project.
  • Create a new VPC Network. We will call ours my-network. Note specifically that we must enable Private Google Access.
  • Under network services, select Private Service Connect.
  • Click the CONNECT SERVICE link. This is where we are going to create a Private Service Connect endpoint in our network which will be the path we will use to connect to GCP managed services.

We created a named static IP address called endpoint1.

  • Once done, we will find that we have an entry that looks as follows:
  • Create a Cloud DNS Zone.
  • Add record sets.
  • Create a new VM for testing on our network. Make sure it has no public IP address.
  • Set firewall rules to allow ingress.
  • Log in to our VM via SSH.
  • Create a new GCS bucket:
      gsutil mb gs://kolban-psc-test2
  • Demonstrate that we can access Google managed services through the Internet route:
      curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://storage.googleapis.com/storage/v1/b?project=$(gcloud config get-value project)"
  • Demonstrate that we can access Google managed services through Private Service Connect:
      curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://storage-endpoint1.p.googleapis.com/storage/v1/b?project=$(gcloud config get-value project)"
  • Delete the default Internet egress route for our network.
  • Re-run the curl tests and we will see that the Internet path fails while the Private Service Connect path still succeeds.
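Before deleting the default Internet route, it is worth confirming from the test VM that the endpoint hostname really resolves to the reserved RFC1918 address and not to a public one; otherwise removing the route cuts off access rather than proving the private path. The following is an added example, not the author's code: it builds the A record set for the "Add record sets" step and checks a resolved name against the endpoint IP. It assumes the SERVICE-ENDPOINT.p.googleapis.com naming used by the article's curl test, an endpoint IP of 10.10.0.5, and a constructed resolver in place of the VM's real DNS.

```python
import ipaddress
import socket

# A correctly configured PSC endpoint must resolve inside one of the RFC1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def psc_dns_records(endpoint_name, endpoint_ip):
    """Record set for the Cloud DNS private zone created in the 'Add record sets' step.

    Assumption: services are reached as SERVICE-ENDPOINT.p.googleapis.com (as in the
    article's storage-endpoint1 test), so one wildcard A record covers every API.
    """
    ipaddress.ip_address(endpoint_ip)  # raises ValueError on a malformed address
    return {
        "zone_dns_name": "p.googleapis.com.",
        "records": [{"name": f"*-{endpoint_name}.p.googleapis.com.", "type": "A",
                     "ttl": 300, "rrdatas": [endpoint_ip]}],
    }


def check_private_path(hostname, expected_ip, resolver=socket.gethostbyname):
    """Return (ok, reason): does hostname resolve to the reserved, private endpoint IP?

    Run this on the test VM before removing the Internet egress route. `resolver`
    is injectable so the check can be exercised offline with a constructed mapping.
    """
    try:
        resolved = ipaddress.ip_address(resolver(hostname))
    except (socket.gaierror, ValueError) as exc:
        return False, f"{hostname}: resolution failed ({exc})"
    if not any(resolved in net for net in RFC1918):
        return False, f"{hostname} -> {resolved} is public; PSC DNS override not in effect"
    if resolved != ipaddress.ip_address(expected_ip):
        return False, f"{hostname} -> {resolved}, expected endpoint {expected_ip}"
    return True, f"{hostname} -> {resolved} (private, via PSC endpoint)"


# Constructed stand-in for the VM's DNS; both addresses are made up for this example.
FAKE_DNS = {
    "storage-endpoint1.p.googleapis.com": "10.10.0.5",  # private endpoint: passes
    "storage.googleapis.com": "142.250.0.1",            # public path: fails the check
}


def fake_resolver(name):
    if name not in FAKE_DNS:
        raise socket.gaierror(f"NXDOMAIN {name}")
    return FAKE_DNS[name]


if __name__ == "__main__":
    for host in FAKE_DNS:
        print(check_private_path(host, "10.10.0.5", resolver=fake_resolver))
```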

In addition to this article, here is a YouTube video illustrating the walkthrough of the steps to create a Private Service Connect environment:


A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.

Neil Kolban

IT specialist with 30+ years industry experience. I am also a Google Customer Engineer assisting users to get the most out of Google Cloud Platform.
