Build Private Service Access configurations for VPC peering with Google managed services.
Last verified: May 2026
Build Private Service Access configurations for VPC peering with Google managed services like Cloud SQL and Memorystore.
Required Fields
network, allocatedRanges, connection.service, connection.reservedPeeringRanges

This tool helps GCP engineers generate valid configurations quickly without consulting documentation, reducing errors and accelerating infrastructure deployment. All processing runs in your browser with no data sent to external servers.
No. This tool runs entirely in your browser and generates configuration JSON that you can copy and paste into your infrastructure-as-code templates, CLI commands, or cloud console. It never connects to any cloud account or sends data externally.
The tool produces syntactically valid configurations based on current GCP service specifications. Always review generated configs against your organization security policies and test in a non-production environment before deploying.
Your team is provisioning Cloud SQL Postgres + Memorystore Redis for a new app. Without PSA, both would need public IPs (security risk + extra cost). The builder generates a PSA config: a 10.100.0.0/16 reserved range for service peerings, a single peering connection that covers Cloud SQL + Memorystore, and route updates so that VPC traffic to those services goes via the private peering. Both services are now reachable only from inside the VPC, with no public exposure and no NAT egress costs for app→DB traffic.
The builder constructs Private Service Access configurations: global address resource (purpose=VPC_PEERING, address_type=INTERNAL, network reference, prefix_length for the CIDR range), service networking connection (network reference, peering range reference, service: servicenetworking.googleapis.com), and route updates to direct traffic to the peer. Output is generated as gcloud services vpc-peerings commands and Terraform google_compute_global_address + google_service_networking_connection resources.
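The Terraform below is an added example, not output captured from the builder: it wires the two resources described above to the 10.100.0.0/16 scenario and attaches Cloud SQL and Memorystore with private IP only. The resource labels, instance names, region, database version and machine tier are assumptions chosen for illustration.

```hcl
# Added example. All names, the region, the Postgres version and the tier are assumed.
resource "google_compute_network" "app_vpc" {
  name                    = "app-vpc" # hypothetical VPC name
  auto_create_subnetworks = false
}

# Reserved range for service producer peerings (the scenario's 10.100.0.0/16).
# It must not overlap any subnet in the VPC.
resource "google_compute_global_address" "psa_range" {
  name          = "psa-range" # hypothetical
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  address       = "10.100.0.0"
  prefix_length = 16
  network       = google_compute_network.app_vpc.id
}

# One peering connection, shared by every PSA-capable service in this VPC.
resource "google_service_networking_connection" "psa" {
  network                 = google_compute_network.app_vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.psa_range.name]
}

resource "google_sql_database_instance" "app_db" {
  name             = "app-db" # hypothetical
  database_version = "POSTGRES_15"
  region           = "us-central1"
  depends_on       = [google_service_networking_connection.psa]

  settings {
    tier = "db-custom-2-7680"
    ip_configuration {
      ipv4_enabled    = false # no public IP; the weak setting would be true
      private_network = google_compute_network.app_vpc.id
    }
  }
}

resource "google_redis_instance" "app_cache" {
  name               = "app-cache" # hypothetical
  memory_size_gb     = 1
  region             = "us-central1"
  authorized_network = google_compute_network.app_vpc.id
  connect_mode       = "PRIVATE_SERVICE_ACCESS" # use the shared PSA range
  depends_on         = [google_service_networking_connection.psa]
}
```

The `depends_on` entries make Terraform create the peering before either instance, since a private-IP instance cannot be provisioned until the connection exists.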
Private Service Access (PSA) is for connecting to Google-managed services (Cloud SQL, Memorystore, AlloyDB, etc.) via private IP. The alternative — public IP access — exposes those services to the internet and adds NAT/egress costs. PSA is the right answer for any production data plane.
PSA uses VPC peering under the hood — Google's service producer VPC peers with your VPC. The peering is one-way (your VPC can reach the service, service can't reach your other resources). Allocate a /24 or larger CIDR range for the PSA peering; smaller ranges run out as you add services.
Multiple service producers (Cloud SQL + Memorystore + AlloyDB) can share the same PSA range. You don't need separate ranges per service — the peering accommodates all Google services that support PSA. Allocate one generous range upfront rather than fragmenting into per-service ranges.