Check Private Service Connect requirements and DNS configuration for GCP services.
Last verified: May 2026
The GCP Private Service Connect Checker validates the requirements and DNS configuration needed to consume Google APIs and third-party services over private networking using Private Service Connect. It checks endpoint configuration, DNS resolution, and routing to ensure traffic stays on Google's network rather than traversing the public internet.
Private Service Connect (PSC) creates private endpoints in your VPC that provide connectivity to Google APIs, supported Google services, and third-party services without using external IP addresses. Traffic stays on Google's network, improving security and performance.
Private Google Access allows VMs without external IPs to reach Google APIs over default routes. PSC goes further by creating an explicit endpoint with a private IP in your VPC, providing finer-grained DNS and firewall control. PSC also supports connecting to published third-party services.
Yes. PSC requires DNS configuration so that API hostnames (e.g., storage.googleapis.com) resolve to your PSC endpoint's private IP instead of the public IP. This typically involves creating private DNS zones with CNAME or A records pointing to the PSC endpoint.
Your security team mandates that no traffic to Cloud Storage may traverse the public internet. You set up PSC for googleapis.com but Cloud Audit Logs still show traffic egressing through the default internet gateway. The checker reveals that your private DNS zone for googleapis.com is missing the *.googleapis.com wildcard CNAME — only the bare domain was overridden. You add the wildcard, restart the affected workloads, and confirm via VPC flow logs that all Cloud Storage traffic now hits the PSC endpoint IP.
The checker walks through each requirement for a working PSC setup: the PSC endpoint exists with the correct service attachment URI, the consumer VPC has private DNS zones configured to override Google API hostnames, the firewall rules allow egress from clients to the endpoint IP, and any required IAM permissions are granted. Each gap surfaces a remediation step with the exact gcloud command to fix it.
PSC endpoints don't work with default Google API hostnames automatically — you must override DNS so storage.googleapis.com resolves to your PSC endpoint IP. Use a private DNS zone for googleapis.com with a CNAME record pointing to the PSC endpoint, applied to all VPCs that need private access.
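The DNS gap from the scenario above can be caught from a client by resolving each API hostname and comparing the answer with the endpoint IP. The following Python check is an added example, not the checker's own code; the endpoint IP 10.10.0.5, the host list beyond storage.googleapis.com, and the fake resolver data are constructed assumptions.

```python
import ipaddress
import socket

# storage.googleapis.com is the page's example; the other hosts are assumed.
API_HOSTS = ("storage.googleapis.com", "bigquery.googleapis.com", "pubsub.googleapis.com")


def system_resolver(hostname):
    """Return the IPv4 addresses the local resolver gives for hostname."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []


def classify(hostname, endpoint_ip, resolver=system_resolver):
    """Classify one hostname: 'psc', 'public', 'other-private' or 'unresolved'."""
    endpoint = ipaddress.ip_address(endpoint_ip)
    addrs = [ipaddress.ip_address(a) for a in resolver(hostname)]
    if not addrs:
        return "unresolved"
    if all(a == endpoint for a in addrs):
        return "psc"
    # Any globally routable answer means some clients can leave the private path.
    if any(a.is_global for a in addrs):
        return "public"
    return "other-private"


def check_hosts(endpoint_ip, hosts=API_HOSTS, resolver=system_resolver):
    """Return {hostname: status} for every host that does NOT resolve to the endpoint."""
    results = {h: classify(h, endpoint_ip, resolver) for h in hosts}
    return {h: s for h, s in results.items() if s != "psc"}


if __name__ == "__main__":
    # Constructed data: 10.10.0.5 stands in for the PSC endpoint IP and
    # 142.250.0.1 for a public answer; only the bare domain is overridden.
    fake = {"googleapis.com": ["10.10.0.5"], "storage.googleapis.com": ["142.250.0.1"]}
    gaps = check_hosts("10.10.0.5", ["googleapis.com", "storage.googleapis.com"],
                       resolver=lambda h: fake.get(h, []))
    for host, status in gaps.items():
        print(f"{host}: {status}")
```

Run it with the default resolver from a VM inside the VPC, because a private DNS zone only answers for networks it is attached to.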
PSC endpoints for Google APIs require enabling the underlying API service first. If you create the endpoint and clients still hit the public IP, check that you've also added the IAM permission for the project to consume the PSC endpoint — both pieces are needed.
PSC for third-party services (e.g., Snowflake, MongoDB Atlas) creates a separate forwarding rule per service. These don't share quota with PSC for Google APIs, but they DO consume your VPC's static IP quota. Plan IP allocation for each PSC endpoint you'll create over time.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.