At a glance
- Feature: Private Service Connect (PSC)
- Purpose: Private, internal-IP access to Google-managed or third-party services
- Key benefits: Improved security, predictable routing, and often better performance
Core concepts
Service perimeter and authorized VPC
- A service perimeter (VPC Service Controls) is a security boundary around one or more projects. Calls to protected Google APIs from outside the perimeter are denied, and data held in those services cannot be copied to resources outside it, which limits exfiltration even by a principal holding valid IAM permissions. A perimeter controls API-level access; it does not by itself keep packets off the public internet, which is what the private endpoint and route below are for.
- Inside that perimeter you typically run a Compute Engine VM or other workloads in an authorized VPC that need to call Google APIs (for example, Cloud Storage or BigQuery) without using public IPs.
Private connectivity to Google APIs
- Rather than calling the public endpoints (for example storage.googleapis.com, which resolves to public IP addresses), resolve Google API hostnames to the restricted endpoint restricted.googleapis.com. This virtual IP serves only the APIs that support VPC Service Controls, so a request for an unsupported API fails instead of silently leaving the perimeter. (private.googleapis.com, 199.36.153.8/30, is the equivalent endpoint for APIs regardless of VPC Service Controls support.)
- restricted.googleapis.com resolves to 199.36.153.4/30. Three pieces make the private path work: a static route for that block with next hop default-internet-gateway (the range is reachable only from inside Google, so the traffic never traverses the public internet even though the next hop is named "internet gateway"), Private Google Access enabled on the subnet so VMs without external IPs may use it, and a private DNS zone that maps *.googleapis.com to restricted.googleapis.com. Without the DNS piece, clients keep resolving public addresses and the route is never used.
How PSC maps to the consumer–producer model
- PSC follows a consumer–producer model:
- Consumer: your project or VPC that needs to reach a service.
- Producer: the project (Google, partner, or another team) exposing the service.
- The consumer creates a Private Service Connect endpoint, a forwarding rule with an internal IP address from its own subnet, that targets the producer's service attachment. The producer's service then appears as an internal IP in the consumer's VPC; the consumer needs no route to the producer's address space and the producer exposes no public IP.
- The producer decides who may connect: a service attachment can accept any consumer automatically or require the consumer project to be on an accept list, and each connection shows as ACCEPTED, PENDING or REJECTED on the consumer's endpoint. Consumer traffic reaches the producer translated to addresses from a producer-side PSC NAT subnet, so the producer sees PSC source addresses rather than consumer VM IPs.
- PSC supports cross-project and cross-organization use cases, enabling teams to share internal APIs privately.
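The producer and consumer steps above, written out as gcloud commands. This is an added example, not code from the original page or from Google; the project, network, subnet, load-balancer rule and attachment names are assumptions, and the accept list is constructed. Commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original page): publish a service behind an
# internal load balancer as a PSC service attachment, then connect to it from
# a consumer VPC. Project, network, subnet and rule names are assumptions.
PRODUCER_PROJECT="${PRODUCER_PROJECT:-producer-proj}"   # assumed
CONSUMER_PROJECT="${CONSUMER_PROJECT:-consumer-proj}"   # assumed
REGION="${REGION:-us-central1}"                         # assumed
ILB_RULE="${ILB_RULE:-api-ilb-rule}"   # existing internal LB forwarding rule (assumed)
ACCEPT_LIST="${ACCEPT_LIST:-consumer-proj=10,analytics-proj=2}"  # constructed: project=connection limit

# run() prints each gcloud command; set DRY_RUN=0 to execute it for real.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Producer side: a NAT subnet (purpose PRIVATE_SERVICE_CONNECT) hides consumer
# addresses, and ACCEPT_MANUAL means only listed consumer projects may connect.
producer_publish() {
  run gcloud compute networks subnets create psc-nat --project="$PRODUCER_PROJECT" \
    --region="$REGION" --network=producer-vpc --range=10.200.0.0/24 \
    --purpose=PRIVATE_SERVICE_CONNECT
  run gcloud compute service-attachments create internal-api --project="$PRODUCER_PROJECT" \
    --region="$REGION" --producer-forwarding-rule="$ILB_RULE" \
    --connection-preference=ACCEPT_MANUAL --consumer-accept-list="$ACCEPT_LIST" \
    --nat-subnets=psc-nat
}

# Consumer side: reserve an internal IP in the consumer subnet and create the
# PSC endpoint (a forwarding rule whose target is the producer's attachment).
consumer_connect() {
  run gcloud compute addresses create internal-api-ip --project="$CONSUMER_PROJECT" \
    --region="$REGION" --subnet=workload-subnet --addresses=10.10.0.50
  run gcloud compute forwarding-rules create internal-api-endpoint --project="$CONSUMER_PROJECT" \
    --region="$REGION" --network=authorized-vpc --address=internal-api-ip \
    --target-service-attachment="projects/$PRODUCER_PROJECT/regions/$REGION/serviceAttachments/internal-api"
}

# After creation the endpoint reports ACCEPTED, PENDING or REJECTED; anything
# other than ACCEPTED means the producer has not admitted this consumer project.
consumer_status() {
  run gcloud compute forwarding-rules describe internal-api-endpoint --project="$CONSUMER_PROJECT" \
    --region="$REGION" --format='value(pscConnectionStatus)'
}

# accept_limit_for PROJECT LIST: print the connection limit granted to PROJECT
# in a "proj=limit,proj=limit" accept list; exit 1 if the project is absent.
# Run this against the producer's accept list before connecting, so a
# PENDING or REJECTED status is not a surprise.
accept_limit_for() {
  want="$1"; list="$2"
  old_ifs="$IFS"; IFS=,
  for entry in $list; do
    if [ "${entry%%=*}" = "$want" ]; then
      IFS="$old_ifs"; printf '%s\n' "${entry#*=}"; return 0
    fi
  done
  IFS="$old_ifs"; return 1
}

producer_publish
consumer_connect
consumer_status
accept_limit_for "$CONSUMER_PROJECT" "$ACCEPT_LIST" >/dev/null \
  || echo "warning: $CONSUMER_PROJECT is not on the producer accept list"
```

The attachment uses ACCEPT_MANUAL deliberately: ACCEPT_AUTOMATIC admits any project that can reference the attachment URI, which is rarely what a producer of an internal API wants. The consumer IP is reserved explicitly so that firewall rules and client configuration on the consumer side can pin it.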
Security and performance benefits
- Traffic stays on Google’s backbone and avoids the public internet, reducing exposure and attack surface.
- You can enforce access controls and keep traffic inside the service perimeter or an organization’s private network topology.
- Often yields lower latency and more predictable performance compared with public internet routing.
Typical uses and certification focus
- Common scenarios:
- Securely consuming managed Google services without public IPs.
- Exposing internal APIs across teams or projects.
- Migrating on-premises workloads while keeping traffic private.
- For exams, keep the two paths separate:
  - Google APIs: Authorized VPC / VM → private DNS resolves *.googleapis.com to restricted.googleapis.com → static route for 199.36.153.4/30 (next hop default-internet-gateway, traffic stays inside Google) → Google API, checked against the VPC Service Controls perimeter
  - Published services: Consumer VPC / VM → PSC endpoint (forwarding rule with an internal IP) → service attachment in the producer project → producer's internal load balancer
Example: static route for the restricted endpoint
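The following is an added example, not code from the original page or from Google, that wires a subnet for the restricted endpoint: Private Google Access on the subnet, the static route for 199.36.153.4/30, and the private DNS zone that steers *.googleapis.com to restricted.googleapis.com. It also includes the check a practitioner runs on a VM afterwards: does the Cloud Storage API hostname resolve into the restricted /30? Project, network, subnet and region names are assumptions; commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original page): wire a VPC so that Google API
# calls resolve to restricted.googleapis.com and leave via a static route for
# 199.36.153.4/30. Project, network, subnet and region names are assumptions.
PROJECT="${PROJECT:-example-project}"       # assumed
NETWORK="${NETWORK:-authorized-vpc}"        # assumed
SUBNET="${SUBNET:-workload-subnet}"         # assumed
REGION="${REGION:-us-central1}"             # assumed
RESTRICTED_VIP="199.36.153.4/30"            # documented range for restricted.googleapis.com

# run() prints each gcloud command; set DRY_RUN=0 to actually execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Private Google Access lets VMs without external IPs reach Google API VIPs.
enable_private_google_access() {
  run gcloud compute networks subnets update "$SUBNET" \
    --project="$PROJECT" --region="$REGION" --enable-private-ip-google-access
}

# 2. Static route: the restricted VIP range is only reachable from inside Google,
#    so the next hop is the default internet gateway but traffic never leaves Google.
create_restricted_route() {
  run gcloud compute routes create restricted-googleapis \
    --project="$PROJECT" --network="$NETWORK" \
    --destination-range="$RESTRICTED_VIP" --next-hop-gateway=default-internet-gateway
}

# 3. Private DNS zone: *.googleapis.com must resolve to restricted.googleapis.com,
#    otherwise clients still hit public IPs and bypass the route above.
create_restricted_dns() {
  run gcloud dns managed-zones create googleapis-restricted \
    --project="$PROJECT" --dns-name=googleapis.com. --visibility=private \
    --networks="$NETWORK" --description="Map Google APIs to restricted VIP"
  run gcloud dns record-sets create restricted.googleapis.com. \
    --project="$PROJECT" --zone=googleapis-restricted --type=A --ttl=300 \
    --rrdatas=199.36.153.4,199.36.153.5,199.36.153.6,199.36.153.7
  run gcloud dns record-sets create '*.googleapis.com.' \
    --project="$PROJECT" --zone=googleapis-restricted --type=CNAME --ttl=300 \
    --rrdatas=restricted.googleapis.com.
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer (POSIX sh arithmetic).
ip_to_int() {
  old_ifs="$IFS"; IFS=.
  set -- $1
  IFS="$old_ifs"
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR: exit 0 if ADDR lies inside CIDR, e.g. 199.36.153.4/30.
in_cidr() {
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Verification for use on a VM in the subnet: the Cloud Storage API host must
# resolve into the restricted /30, or DNS is still handing out public addresses.
check_resolution() {
  addr=$(getent hosts storage.googleapis.com | awk '{print $1; exit}')
  if in_cidr "${addr:-0.0.0.0}" "$RESTRICTED_VIP"; then
    echo "OK: storage.googleapis.com -> $addr (restricted VIP)"
  else
    echo "FAIL: storage.googleapis.com -> ${addr:-<unresolved>} (public path)"; return 1
  fi
}

enable_private_google_access
create_restricted_route
create_restricted_dns
```

Run check_resolution from a VM in the subnet once the zone has propagated; a result outside 199.36.153.4/30 means the DNS zone is not attached to the VPC the VM lives in, which is the most common reason the static route appears to "not work". If the VM has no external IP and Private Google Access is off, the request times out rather than failing DNS.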
Quick reference table
| Concept | Purpose | Example / Note |
|---|---|---|
| Service perimeter | Enforce security boundary around projects | See VPC Service Controls |
| Authorized VPC / VM | Workload source inside perimeter | Compute Engine VM in authorized project |
| Restricted endpoint | Private API access inside Google's network, only for APIs that support VPC Service Controls | restricted.googleapis.com |
| Static route | Send 199.36.153.4/30 to next hop default-internet-gateway; traffic stays on Google's network | Requires Private Google Access on the subnet and a private DNS zone for googleapis.com |
| Private Service Connect (PSC) | Expose/consume services via internal IPs | Consumer creates PSC endpoint attached to producer service |
| Service attachment | Producer-side resource representing the service | Allows private access without public IPs |
Private Service Connect gives workloads a private, controlled path to Google APIs and partner services using internal IPs and service attachments—keeping traffic on Google’s network and off the public internet.
Links and references
- Private Service Connect (PSC)
- Private Google Access and restricted.googleapis.com
- VPC Service Controls (service perimeter)
- Compute Engine
- Cloud Storage
- BigQuery
Recap
- PSC provides private connectivity to Google-managed and partner services without public IPs.
- It uses a consumer–producer model with service attachments and internal IP endpoints.
- Traffic remains on Google’s backbone and can be restricted by service perimeters for added security.