Private routing to Google with Network Connectivity Center
By Google Cloud Tech
Key Concepts
- Private Service Connect (PSC): A networking service enabling private access to Google services and services across organizations without using public IPs. It exists in three forms: Endpoints, Backends, and Interfaces.
- Private Service Connect for Google APIs (PSC for Google APIs): Specifically for API-based Google services like Gemini, Cloud Storage, and BigQuery.
- Private Google Access: A method for API-based private connectivity using Google-provided VIPs.
- Private Services Access (PSA): An older method relying on VPC peering for private connectivity.
- Network Connectivity Center (NCC): A hub-and-spoke model for managing network connectivity, including private connectivity options.
- Producer Spokes: NCC feature to connect PSA VPCs to the NCC hub for full routability.
- Service Attachments: Components in the producer VPC that PSC endpoints and backends connect to.
- Network Endpoint Groups (NEGs): Used with PSC Backends and Google Cloud’s proxy-based load balancers.
Private Connectivity to Google Services: PSC vs. PSA
This video details the methods for establishing private connectivity to Google services, focusing on the differences between Private Service Connect (PSC) and Private Services Access (PSA) within a Network Connectivity Center (NCC)-based architecture. The speaker, Lauren Price, a Networking Specialist Customer Engineer, emphasizes the importance of selecting the correct method based on the specific service being accessed.
API-Based Services Connectivity
The video begins by outlining connectivity options for API-based services such as Gemini, Cloud Storage, and BigQuery. Two primary methods are discussed:
- PSC for Google APIs: This method requires creating a global PSC endpoint in each Virtual Private Cloud (VPC) that needs API access, and the Private Google Access flag must be enabled on every subnet that uses it. PSC endpoints are not reachable over VPC peering, so each peered VPC needs its own endpoint. A private Cloud DNS zone for *.p.googleapis.com is created automatically for each endpoint; applications must be pointed at that domain to use it. For hybrid scenarios, a private zone for *.googleapis.com (the transcript also names googleis.com) can be created manually, with DNS forwarding (inbound or outbound) configured so on-premises resolvers can reach it. Because the endpoint is global, its IP address is not drawn from any regional subnet, so it must be added as a custom route advertisement on the hybrid links for on-premises reachability.
- Private Google Access: This alternative uses a Google-provided VIP. It requires a route for the VIP and is limited to the *.googleapis.com domain.
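The following Terraform configuration is an added example (not code from the video or from Google) of the PSC for Google APIs setup just described: a global PSC endpoint, Private Google Access on the subnet, a manual private zone for *.googleapis.com, inbound DNS forwarding for on-premises resolvers, and a Cloud Router custom advertisement of the endpoint's /32. The project, region, address, router and BGP peer values are placeholders, and the router and its interface are assumed to already exist on the hybrid link.

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

# Placeholder values; replace with your own.
variable "project_id"       { default = "example-project" }
variable "region"           { default = "us-central1" }
# Assumed: a Cloud Router and interface already exist on the VPN/Interconnect link.
variable "router_name"      { default = "hybrid-router" }
variable "router_interface" { default = "hybrid-if0" }
variable "peer_ip"          { default = "169.254.10.2" }
variable "peer_asn"         { default = 65010 }

provider "google" {
  project = var.project_id
  region  = var.region
}

resource "google_compute_network" "vpc" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

# Every subnet whose workloads must reach Google APIs privately needs this flag.
resource "google_compute_subnetwork" "app" {
  name                     = "app-${var.region}"
  region                   = var.region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.20.0.0/24"
  private_ip_google_access = true
}

# Global internal address for the endpoint. It lives outside every regional subnet,
# which is why the hybrid router below has to advertise it explicitly.
resource "google_compute_global_address" "psc_api" {
  name         = "psc-googleapis"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  address_type = "INTERNAL"
  network      = google_compute_network.vpc.id
  address      = "10.200.0.5"
}

# The endpoint. "all-apis" exposes all Google APIs; "vpc-sc" restricts the endpoint
# to APIs that support VPC Service Controls, the tighter choice inside a perimeter.
resource "google_compute_global_forwarding_rule" "psc_api" {
  name                  = "pscgapis" # also forms the SERVICE-pscgapis.p.googleapis.com names
  target                = "all-apis"
  network               = google_compute_network.vpc.id
  ip_address            = google_compute_global_address.psc_api.id
  load_balancing_scheme = ""
}

# Manual zone so clients that still call *.googleapis.com resolve to the endpoint.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks { network_url = google_compute_network.vpc.id }
  }
}

resource "google_dns_record_set" "googleapis_wildcard" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_global_address.psc_api.address]
}

# Hybrid: let on-premises resolvers forward queries into Cloud DNS ...
resource "google_dns_policy" "inbound" {
  name                      = "inbound-forwarding"
  enable_inbound_forwarding = true
  networks { network_url = google_compute_network.vpc.id }
}

# ... and advertise the endpoint /32 over BGP; subnet-only advertisement would omit it.
resource "google_compute_router_peer" "onprem" {
  name              = "onprem-peer"
  region            = var.region
  router            = var.router_name
  interface         = var.router_interface
  peer_ip_address   = var.peer_ip
  peer_asn          = var.peer_asn
  advertise_mode    = "CUSTOM"
  advertised_groups = ["ALL_SUBNETS"]
  advertised_ip_ranges {
    range       = "${google_compute_global_address.psc_api.address}/32"
    description = "PSC endpoint for Google APIs"
  }
}
```

Two checks worth running after apply: from a VM in the subnet, `dig storage.googleapis.com` should return 10.200.0.5, and from on-premises the learned BGP routes should include 10.200.0.5/32; if either is missing, clients silently fall back to the public path (or fail, if egress is blocked).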
Infrastructure-Based Services Connectivity
The discussion then shifts to infrastructure-based services such as Cloud SQL, Apigee, and Cloud Composer. These services primarily use PSC, which takes three distinct forms:
- PSC Endpoints: These provide one-way, consumer-initiated connectivity, mitigating IP overlap concerns between consumer and producer environments. A PSC endpoint presents as a single IP address in the consumer VPC, connecting to a service attachment in the producer VPC.
- PSC Backends: These are PSC Network Endpoint Groups (NEGs) used as backends of Google Cloud's proxy-based load balancers. They also connect to producer service attachments, but placing a load balancer in front adds traffic-management capabilities. PSC propagation, when enabled on the NCC hub, makes PSC endpoints fully routable across VPC spokes and hybrid environments without a separate endpoint per VPC. PSC propagation does not apply to PSC backends, because a load balancer's forwarding rule is already routable like any other load balancer.
- PSC Interfaces: These enable bidirectional traffic between consumer and producer. The producer creates a PSC interface that takes an IP address from a network attachment designated in the consumer VPC. IP overlap is generally not a concern unless the specific service says otherwise. Because PSC interfaces appear as NICs (network interfaces) in the consumer VPC, they are fully routable by default across the NCC hub and in hybrid environments.
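As an added example (not code from the video or from Google), the Terraform below builds the endpoint-plus-NCC pattern from the list above: two consumer VPCs attached as spokes to a hub with PSC propagation enabled, and a single PSC endpoint in one spoke that targets a producer's service attachment. The project, region, network names and the service attachment URI are placeholders; for Cloud SQL the real URI comes from the instance's PSC attachment link.

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

variable "project_id" { default = "example-project" }
variable "region"     { default = "us-central1" }
# Assumed producer-side service attachment; replace with the real URI.
variable "service_attachment_uri" {
  default = "projects/producer-project/regions/us-central1/serviceAttachments/cloudsql-attachment"
}

provider "google" {
  project = var.project_id
  region  = var.region
}

# Two consumer VPCs. Producer address ranges never appear here, so overlap
# between producer and consumer is not an issue for endpoints.
resource "google_compute_network" "app" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_network" "shared" {
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "app" {
  name          = "app-${var.region}"
  region        = var.region
  network       = google_compute_network.app.id
  ip_cidr_range = "10.30.0.0/24"
}

# Hub with PSC propagation: endpoints created in any VPC spoke become reachable
# from the other spokes (and hybrid spokes) without creating a copy per VPC.
resource "google_network_connectivity_hub" "hub" {
  name       = "corp-hub"
  export_psc = true
}

resource "google_network_connectivity_spoke" "app" {
  name     = "app-spoke"
  location = "global"
  hub      = google_network_connectivity_hub.hub.id
  linked_vpc_network {
    uri = google_compute_network.app.self_link
  }
}

resource "google_network_connectivity_spoke" "shared" {
  name     = "shared-spoke"
  location = "global"
  hub      = google_network_connectivity_hub.hub.id
  linked_vpc_network {
    uri = google_compute_network.shared.self_link
  }
}

# The one IP the consumer sees for the producer service, taken from its own subnet.
resource "google_compute_address" "psc_sql" {
  name         = "psc-cloudsql"
  region       = var.region
  subnetwork   = google_compute_subnetwork.app.id
  address_type = "INTERNAL"
}

# The PSC endpoint: a forwarding rule whose target is the producer's service
# attachment. Connections are consumer-initiated only.
resource "google_compute_forwarding_rule" "psc_sql" {
  name                    = "psc-cloudsql"
  region                  = var.region
  network                 = google_compute_network.app.id
  ip_address              = google_compute_address.psc_sql.id
  target                  = var.service_attachment_uri
  load_balancing_scheme   = ""
  allow_psc_global_access = true # reachable from workloads in other regions
}

# Producers may require explicit acceptance of the consumer project; anything other
# than ACCEPTED here means the endpoint will not pass traffic yet.
output "psc_connection_status" {
  value = google_compute_forwarding_rule.psc_sql.psc_connection_status
}
```

With `export_psc` set, a VM in shared-vpc can reach the endpoint IP in app-vpc without its own forwarding rule; with it unset, the address is unreachable from shared-vpc even though both networks are spokes of the same hub, which is the symptom the video warns about when the wrong connectivity method is assumed.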
Private Services Access (PSA) and NCC Integration
The video acknowledges the existence of Private Services Access (PSA), which relies on VPC peering. NCC offers a “producer spokes” feature, allowing PSA VPCs to be connected as spokes to the NCC hub, thereby making PSA services fully routable within the NCC environment. However, the speaker advises using PSA only if the service doesn’t support PSC or if there’s a specific feature gap between the two methods. The linked documentation is referenced as a resource for determining service compatibility.
Serverless Products & Conclusion
The video notes that serverless products like Cloud Run will be covered in a subsequent video.
The key takeaway is to always verify the required connectivity method for each service. PSC for Google APIs and standard PSC function differently, and incorrect implementation can disrupt access. Services fall into three categories – API-based, infrastructure-based, and serverless – each with its own specific connectivity requirements, detailed in the service documentation.
“Always check which connectivity method your service requires. PSC for Google APIs and standard PSC behave differently, and using the wrong one can break access.” - Lauren Price.
“Services are either API based, infrastructure-based, or serverless, which all have their specific connectivity methods. Service documentation will always explain the requirements for connectivity. So, please check that out.” - Lauren Price.