Private Service Connect
When we set up a VPC network, we may not wish to allow Internet connectivity from that network. What this can mean is that applications running attached to that network may not be able to reach Google managed services such as Cloud Storage, Pubsub, BigQuery and many others. These services are exposed with public (Internet) IP addresses. Further, if there are on-premises applications that wish to avail themselves of the Google managed services, we may also wish to route on-premises traffic to our GCP network through VPN or other interconnect solutions and again we appear to have the same issue.
This is where the GCP Private Service Connect function comes into play. In this article, we are going to talk about using Private Service Connect to exclusively access Google managed services but it appears that Private Service Connect (can/will have additional uses).
The highest level notion of Private Service Connect is that we reserve an RFC1918 IP address within our VPC network. When configured correctly (which we will describe shortly), requests that are sent to the IP address that we chose are transparently and automatically routed to the correct Google managed service. What this means is that we can now interact with those services with no public IP addresses seen by anyone. All the IP addresses we are now considering are RFC1918 based and nothing goes near the Internet.
Setting up a Private Service Connect environment is straightforward. Here we will walk through a complete setup from scratch:
- Start with an empty GCP project.
- Create a new VPC Network. We will call ours
my-network. Note specifically, that we must enable Private Google Access.
- Under network services, select Private Service Connect.
- Click the CONNECT SERVICE link. This is where we are going to create a Private Service Connect endpoint in our network which will be the path we will use to connect to GCP managed services.
We created a named static IP address called
- Once done, we will now find that we have an entry that looks as follows:
- Create a Cloud DNS Zone.
- Add record sets
- Create a new VM for testing on our network. Make sure it has no public IP address.
- Set firewall rules to allow ingress.
- Login to our VM via SSH.
- Create a new GCS bucket.
gsutil mb gs://kolban-psc-test2
- Demonstrate that we can access Google managed services through an Internet route.
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://storage.googleapis.com/storage/v1/b?project=$(gcloud config get-value project)"
- Demonstrate that we can access Google managed services through Private Service Connect:
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://storage-endpoint1.p.googleapis.com/storage/v1/b?project=$(gcloud config get-value project)"
- Delete the default Internet egress route for our network.
- Re run the
curltests and we will see that the Internet path route fails.
In addition to this article, here is a YouTube video illustrating the walk through of the steps to create a Private Service Connect environment:
- Docs: Private Service Connect
- Docs: Configuring Private Service Connect
- Blog: New Private Service Connect simplifies secure access to services — 2020–07
- YouTube: Google’s new Private Service Connect simplifies secure access to cloud services at scale 2:13–2020–07
- YouTube: Private Service Connect and Service Directory: A revolution to connect your application in Cloud — 22:22–2020–09