Private services access

This page provides an overview of private services access.

Google and third parties (together known as service producers) can offer VPC-hosted services—services that run on VMs that are hosted in a VPC network. Private services access lets you reach those services by creating a private connection between your VPC network and the service producer's VPC network. The private connection establishes a VPC Network Peering connection between your network and the service producer's network.

Private services access traffic travels internally within Google's network, not through the public internet. Instances in your VPC network can reach the service by using their internal IPv4 addresses. Your instances can have external IP addresses, but external IP addresses aren't required for, and aren't used by, private services access.

Supported services

The following Google VPC-hosted services support private services access:

Private services access and VPC Network Peering

In a private connection, the service producer network and your network are connected through VPC Network Peering. For routing between the two networks to work correctly, the two networks must use distinct IP address ranges. To avoid overlaps, you create one or more allocated ranges in your network to use with the private connection.

When you allocate a range in your VPC network, that range can't be used for other resources, such as subnets or destinations of custom static routes.

For information about choosing an allocated range, see Choose an IP address range for the allocated range.

Private services access workflow

When you use private services access, resources are deployed in both your VPC network and the service producer's network. The following steps outline the process:

  1. As a service consumer, you deploy a service instance with private services access. The details might vary depending on which service you are deploying. The following steps might be performed by you, or might be automated by the service producer as part of service instance deployment:

    1. You allocate an IP address range in your VPC network. This allocated range is reserved exclusively for the service producer.

    2. You create a private connection to the service producer, specifying the allocated range that you created.

    3. You provision a service instance—for example, a Cloud SQL instance—referencing the private connection that you've created.

  2. The service producer provisions resources for your service instance.

    1. The service producer creates a project for your service instance. The project is isolated: no other customers share it, and you are billed only for the resources that you provision.

    2. Within that project, the service producer creates a VPC network that is dedicated to you.

    3. Within that network, the service producer creates a subnet. The IP address range for this subnet is selected from the allocated range that you provided. The service producer typically chooses a /29 to /24 CIDR block. You can't select or modify the service producer's subnet IP address range.

    4. The service instance is assigned an IP address from the new subnet.

  3. The private connection becomes active.

    1. The VPC Network Peering connection is established.

    2. Your VPC network imports routes from the service producer's network.

    3. VMs in your network can communicate with the service instance by using its internal IP address. Traffic travels entirely within Google's network and not through the public internet.

You can take the following actions after the initial deployment is created:

  • Provisioning more resources: when you provision additional resources for the same service, the service producer places them in existing subnets if there is space. If a subnet is full, a new subnet is created in that region from the allocated range.

  • Deleting resources: a subnet in the service producer's network is deleted only when you delete all the service resources within it. For information about deleting resources, see the relevant service producer's documentation.
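The steps above, as an added worked example that is not code from the Google Cloud documentation or from the service producer. It checks that a candidate allocated range overlaps nothing already routed in the consumer VPC (subnets or custom static route destinations, as the page requires), then simulates how the producer carves one subnet per region out of the allocated range and reuses a subnet until it is full; the producer's real choice of block is not modelled, only the next free /24 is taken. The `gcloud` command lines are from the editor's knowledge of the CLI, not from this page, and the project, network, range and instance names in them are placeholders.

```python
"""Address planning for a private services access connection (added example)."""
import ipaddress
from dataclasses import dataclass, field

IPv4Net = ipaddress.IPv4Network


def check_allocated_range(candidate: str, in_use: list[str]) -> IPv4Net:
    """Return the candidate as a network, or raise if it is not an IPv4 CIDR
    or overlaps a range already used by subnets or custom static routes."""
    net = ipaddress.ip_network(candidate, strict=True)
    if net.version != 4:
        raise ValueError("private services access supports IPv4 ranges only")
    for used in in_use:
        other = ipaddress.ip_network(used, strict=True)
        if net.overlaps(other):
            raise ValueError(f"{net} overlaps {other}")
    return net


@dataclass
class ProducerNetwork:
    """Simulates the service producer's dedicated VPC: one subnet per region carved
    from the allocated range; an instance goes into the first subnet of its region
    that still has a free address, otherwise a new subnet is taken."""
    allocated: IPv4Net
    subnet_prefix: int = 24                      # page: producer typically picks /29 to /24
    subnets: dict[str, list[IPv4Net]] = field(default_factory=dict)
    used: dict[IPv4Net, int] = field(default_factory=dict)   # addresses handed out per subnet
    _free_blocks: list[IPv4Net] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        self._free_blocks = list(self.allocated.subnets(new_prefix=self.subnet_prefix))

    @staticmethod
    def _capacity(subnet: IPv4Net) -> int:
        # Google Cloud reserves the first two (network, gateway) and last two addresses.
        return subnet.num_addresses - 4

    def _new_subnet(self, region: str) -> IPv4Net:
        if not self._free_blocks:
            raise RuntimeError(f"allocated range {self.allocated} is exhausted")
        subnet = self._free_blocks.pop(0)
        self.subnets.setdefault(region, []).append(subnet)
        self.used[subnet] = 0
        return subnet

    def create_instance(self, region: str) -> ipaddress.IPv4Address:
        """Place a service instance in the given region and return its internal IP."""
        for subnet in self.subnets.get(region, []):
            if self.used[subnet] < self._capacity(subnet):
                break
        else:
            subnet = self._new_subnet(region)
        self.used[subnet] += 1
        # first usable host is .2: .0 is the network address and .1 the gateway
        return subnet.network_address + 1 + self.used[subnet]


def gcloud_steps(project: str, network: str, range_name: str, allocated: IPv4Net,
                 instance: str, region: str) -> list[str]:
    """The consumer-side steps from the page as gcloud command lines (flags from the
    editor's knowledge of the CLI; all names are placeholders)."""
    return [
        # 1. allocate the range; it is reserved exclusively for the service producer
        f"gcloud compute addresses create {range_name} --project={project} --global "
        f"--purpose=VPC_PEERING --addresses={allocated.network_address} "
        f"--prefix-length={allocated.prefixlen} --network={network}",
        # 2. create the private connection, handing the allocated range to Google
        f"gcloud services vpc-peerings connect --project={project} "
        f"--service=servicenetworking.googleapis.com --ranges={range_name} --network={network}",
        # 3. provision an instance that uses the private connection (Cloud SQL here)
        f"gcloud sql instances create {instance} --project={project} --region={region} "
        f"--database-version=POSTGRES_15 --tier=db-custom-1-3840 --no-assign-ip "
        f"--network=projects/{project}/global/networks/{network}",
    ]


if __name__ == "__main__":
    # constructed sample: one existing subnet plus an on-premises range reachable over VPN
    allocated = check_allocated_range("10.240.0.0/16", ["10.128.0.0/20", "192.168.0.0/16"])
    producer = ProducerNetwork(allocated)
    print(producer.create_instance("us-central1"))   # 10.240.0.2, as in the page's example
    print(producer.create_instance("europe-west1"))  # a second region gets its own subnet
    for cmd in gcloud_steps("my-project", "my-vpc", "google-managed-services", allocated,
                            "db-1", "us-central1"):
        print(cmd)
```

The sizing consequence is worth keeping in mind: a /16 yields 256 /24 subnets, and each region that hosts instances consumes at least one, so the allocated range has to be planned for every region and service that will share the private connection, not just the first instance.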

Example

The following diagram shows a private connection being used to access service instances.

[Figure: Resources in a service consumer network access a Cloud SQL instance through private services access.]

In this example, the service consumer VPC network allocated the 10.240.0.0/16 address range for Google services and established a private connection that uses the allocated range.

  • The private connection is assigned the 10.240.0.0/16 allocated range.

  • Google creates a project and a VPC network for the service consumer's resources. The VPC networks are connected by using VPC Network Peering.

  • The service producer creates a subnet that uses the IP address range 10.240.0.0/24.

  • The Cloud SQL instance is assigned the IP address 10.240.0.2.

  • After the subnet is created, the service consumer network imports routes from the service network.

  • In the service consumer VPC network, requests with a destination of 10.240.0.2 are routed to the private connection over to the service producer's network.

  • The service consumer deploys a service instance for a different Google service in europe-west1. Because Google is the service producer, the same project and network can be used. However, because the instance is in a different region, a new subnet is required. Google creates a new subnet that uses the IP address range 10.240.10.0/24 and assigns the service instance the IP address 10.240.10.2.

Reachability of service instances

Only one service consumer VPC network can create a private connection to a given managed service instance. However, there are ways to make the private connection available to resources that are outside of that VPC network, described in the following sections: through Network Connectivity Center, through Shared VPC, and through hybrid connectivity.

If none of these options work for your use case, the service producer might offer other ways to connect to the service that are a better fit—for example, through Private Service Connect. For more information, see the documentation for the service.

Accessing through Network Connectivity Center

For some services that are available through private services access, you can use Network Connectivity Center to make the service reachable by other spokes on a hub by creating a producer VPC spoke. For more information, including which services are supported, see Producer VPC spokes.

Accessing through Shared VPC

If you are using Shared VPC, create the allocated IP range and private connection in the host project. Typically, a network administrator in the host project must do these tasks. After the host project is set up, VM instances in service projects can use the private connection.

Accessing through hybrid connectivity

In hybrid networking scenarios, an on-premises network is connected to a VPC network through Cloud VPN or Cloud Interconnect. By default, on-premises hosts can't reach the service producer's network through the private connection.

In the VPC network, you might have custom static or dynamic routes to correctly direct traffic to your on-premises network. However, the service producer's network doesn't contain those same routes. When you create a private connection, the VPC network and service producer network exchange subnet routes only.

The service producer's network contains its own default route (0.0.0.0/0) that goes to the internet. If you export a default route to the service producer's network, it is ignored, because the local default route in the service producer's network takes precedence over an imported route with the same destination. Instead, define and export a custom route with a more specific destination, such as the on-premises prefix itself, so that the service producer's network sends return traffic for that prefix back over the private connection.
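The route behaviour described above, as an added example that is not code from the Google Cloud documentation or from the service producer. A small longest-prefix-match resolver models the rules the page states: subnet routes are always exchanged, custom routes only when the exporting side exports them, and when a local route and a peering route share a destination the local one wins, so an exported 0.0.0.0/0 is ignored by the producer network while a more specific on-premises prefix is used. The network names, prefixes and next-hop names are constructed for the example, and the single `export_custom_routes` flag stands in for the export and import settings that the real peering configuration has on each side.

```python
"""Route exchange over a private connection (added example, not the page's code)."""
import ipaddress
from dataclasses import dataclass

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    next_hop: str       # "subnet", "internet", a tunnel name, or "peer:<network>"
    kind: str           # "subnet", "default", "static" or "dynamic"
    origin: str         # "local" or "peering"
    priority: int = 1000


class VpcNetwork:
    def __init__(self, name: str, subnets: list[str]) -> None:
        self.name = name
        self.export_custom_routes = False
        # every VPC network starts with its subnet routes and a local default route
        self.routes = [Route(ipaddress.ip_network(s), "subnet", "subnet", "local") for s in subnets]
        self.routes.append(Route(DEFAULT, "internet", "default", "local"))

    def add_custom_route(self, dest: str, next_hop: str, kind: str = "static",
                         priority: int = 1000) -> None:
        self.routes.append(Route(ipaddress.ip_network(dest), next_hop, kind, "local", priority))

    def lookup(self, address: str) -> Route:
        ip = ipaddress.ip_address(address)
        candidates = [r for r in self.routes if ip in r.dest]
        # longest prefix wins; on a tie a local route beats a peering route;
        # among otherwise equal routes the lower priority value wins
        return max(candidates, key=lambda r: (r.dest.prefixlen, r.origin == "local", -r.priority))


def exchange_routes(a: VpcNetwork, b: VpcNetwork) -> None:
    """Re-run the peering route exchange in both directions. Subnet routes are always
    exchanged; custom static/dynamic routes only if the exporting side has enabled
    export. The automatically created default route is never exported."""
    for src, dst in ((a, b), (b, a)):
        dst.routes = [r for r in dst.routes if r.origin != "peering"]
        for r in src.routes:
            if r.origin != "local":
                continue
            if r.kind == "subnet" or (src.export_custom_routes and r.kind in ("static", "dynamic")):
                dst.routes.append(Route(r.dest, f"peer:{src.name}", r.kind, "peering", r.priority))


def resolve(network: VpcNetwork, address: str) -> str:
    """Next hop the network would use for the address."""
    return network.lookup(address).next_hop


def build_example() -> tuple[VpcNetwork, VpcNetwork]:
    """Constructed scenario: consumer VPC with one subnet, producer VPC with a subnet
    carved from the allocated range, and a consumer custom default route that tries to
    send everything (including the producer's return traffic) to the VPN tunnel."""
    consumer = VpcNetwork("consumer", ["10.128.0.0/20"])
    producer = VpcNetwork("producer", ["10.240.0.0/24"])
    consumer.export_custom_routes = True
    consumer.add_custom_route("0.0.0.0/0", "vpn-tunnel-1", priority=100)
    exchange_routes(consumer, producer)
    return consumer, producer


if __name__ == "__main__":
    consumer, producer = build_example()
    print("producer -> on-prem host:", resolve(producer, "192.168.10.5"))   # internet: default ignored
    consumer.add_custom_route("192.168.0.0/16", "vpn-tunnel-1", "dynamic")
    exchange_routes(consumer, producer)
    print("producer -> on-prem host:", resolve(producer, "192.168.10.5"))   # peer:consumer
```

Running it shows the failure mode and the fix side by side: after the exported default route the producer still sends 192.168.10.5 to the internet, and only the exported /16 makes the producer route that prefix back through the private connection. On the real peering, exporting the consumer's custom routes and importing them on the producer side both have to be enabled for the second step to take effect.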

For more information, see Configure hybrid connectivity.

Service producer network

On the service producer's side of the private connection is a VPC network, where your service resources are provisioned. The service producer's network is created exclusively for you and contains only your resources.

A resource in the service producer network is similar to other resources in your VPC network. For example, it's reachable through internal IP addresses from other resources in your VPC network. You can also create firewall rules in your VPC network to control access to the service producer's network: for example, an egress rule that allows traffic to the allocated range only from the VMs that need the service, with a lower-priority egress rule that denies the rest. Firewall rules in your network apply to your own instances' traffic; they don't apply to resources on the service producer's side of the connection.

For more information about the service producer side, see Enable private services access in the Service Infrastructure documentation. This documentation is for your information only and is not required for you to enable or use private services access.

Pricing

For private services access pricing, see Private services access on the VPC pricing page.

Limitations

The following limitations apply to private services access:

  • Because a private connection is implemented as a VPC Network Peering connection, the behaviors and constraints of peering connections also apply to private connections. For example, because VPC Network Peering isn't transitive, a private connection isn't available to peered VPC networks.

    For more information, see VPC Network Peering, VPC Network Peering limitations, and Quotas and limits.

  • Only one service consumer VPC network can create a private connection that connects to a given managed service instance. However, there are ways to make the private connection available to resources that are outside of that VPC network. For more information, see Reachability of service instances.

  • You can't change the IP address range that's associated with an allocated range. However, you can modify which allocated ranges are associated with a private connection.

  • Using IPv6 address ranges with private services access isn't supported.

What's next