Configure Google Cloud Private Service Connect

Published

November 20, 2024

To keep your network traffic private and minimize its attack surface, configure Private Service Connect to establish a private connection between ValidMind and your company network.


Google Private Service Connect establishing a private connection to ValidMind

Private Service Connect is a networking service that allows secure and private communication between Google Virtual Private Cloud (VPC) resources and services hosted in other VPCs or Google partner services, such as ValidMind. By creating private endpoints within your VPC, Private Service Connect allows you to connect to services over the Google network without needing to expose your network traffic to the public internet.

The responsibility of setting up endpoints for Private Service Connect falls to your IT department, such as the cloud engineering, infrastructure, or security teams.


To learn more about Private Service Connect, check the official Google documentation.1

Prerequisites

You must have access to the Google Cloud Console for your company and the necessary expertise to set up, configure, and maintain Google Cloud services.

These steps assume that you already have established connectivity between your own company network and Google VPC and know which company VPC you want to connect to.

VPC service information

Name  Provider  Region    Service name  Private DNS name
US3   GCP       us-west1  Email         Email

Configure your Google Cloud Platform project

Enable the APIs for cloud DNS and networking to get ready for the next steps:

  1. Log into the Google Cloud Console.

  2. From the Select a project drop-down at the top of the console, select the project where you want to enable the Google APIs.

  3. In the navigation menu on the left, click APIs & Services and then Library.

  4. In the API Library, search for “Cloud DNS API” and click the result to open the API page.

  5. On the API page for Cloud DNS, click Enable to activate the API for your project.

  6. Repeat these steps for the Networking API:

    1. Click Library in the left navigation to return to the API Library.
    2. Search for “Google Compute Engine API” which includes networking services.
    3. Click on the search result and click Enable to activate the API.

After these steps, both the Cloud DNS and the Google Compute Engine API should be enabled for your project, allowing you to manage DNS configurations and networking resources.

Request access from ValidMind

Contact ValidMind at support@validmind.ai to get your new VPC endpoint connection request accepted. Include the following information:

  • The project name
  • The project ID

Please provide this information to ValidMind at least 24 hours before attempting to connect, so that we can add your project to the allowlist.

Prepare your network for connection

Create a private subnet in a supported GCP region that can be used to expose ValidMind services:

  1. In Google Cloud Console, create the subnet:

    1. On the VPC networks page, click Create VPC network.
    2. Name your network.
    3. Configure the IP address range to ensure it includes at least a /28 of usable private IP address space.
    4. Click Create.
  2. Optional: Enable Private Google Access to provide access to Google APIs and services.2

  3. Provision two IP addresses in this subnet for later use:

    1. On the VPC networks page, select your subnet.
    2. Note the available IP address range.
    3. Reserve two IP addresses within this range for future use.

Create an endpoint to connect to ValidMind

Create a Private Service Connect endpoint for accessing ValidMind services securely and privately, with service discovery managed via Google Cloud’s Service Directory.


Creating an endpoint in the Google Cloud Console

Steps

  1. In Google Cloud Console, open Network services and click Private Service Connect.

  2. Create the endpoint:

    1. Click Create Connection Endpoint.

    2. Check Published service for the target.

    3. For Endpoint name, enter private.

    4. For Target service, enter:

      projects/validmind-us3-prod/regions/us-central1/serviceAttachments/private

    5. For IP address, enter validmind.

      Make sure this name resolves to an appropriate IP in your network settings or is preconfigured in your DNS.

    6. Enable Service Directory for this endpoint to provide DNS resolution and enable service discovery.

      Choose the same region as your endpoint to ensure low latency and local management of services.

    7. For Namespace, enter validmind.

    8. Click Add Endpoint.

After the endpoint is active, test that the service is reachable through the private connection and that DNS requests resolve as expected.


Active private endpoint in the Google Cloud Console

Create an endpoint to connect to the ValidMind authentication service

Repeat the steps in Create an endpoint to connect to ValidMind3 to add a second endpoint, this one for the ValidMind authentication service.


Creating an endpoint in the Google Cloud Console

Steps

  1. Check Published service for the target.

  2. For Target service, enter:

    projects/validmind-us3-prod/regions/us-central1/serviceAttachments/auth

  3. For Endpoint name, enter auth.

  4. Enable Service Directory for this endpoint.

  5. For Namespace, enter validmind.

After the endpoint is active, test that the service is reachable through the private connection and that DNS requests resolve as expected.
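The console steps on this page, from enabling the APIs through creating both endpoints and checking their status, as a gcloud script. This is an added example, not ValidMind's own tooling or an excerpt from the page. It assumes an existing company VPC (the one named in the prerequisites) and takes the project ID, VPC name, subnet name, address range and region from environment variables whose defaults are placeholders; it also names the second reserved address validmind-auth, which the page does not specify. Only the two service attachment paths and the private, auth, validmind endpoint, address and namespace names come from the page.

```shell
#!/bin/sh
# Added example (not ValidMind's tooling): gcloud equivalent of the console
# steps on this page, wrapped in functions so one script can prepare the
# project, create both Private Service Connect endpoints and report status.
set -eu

PROJECT="${PROJECT:-my-consumer-project}"     # placeholder: your GCP project ID
NETWORK="${NETWORK:-corp-vpc}"                # placeholder: the company VPC to connect
SUBNET="${SUBNET:-validmind-psc}"             # placeholder: name of the new private subnet
SUBNET_RANGE="${SUBNET_RANGE:-10.100.0.0/28}" # placeholder: at least a /28, as the page requires
REGION="${REGION:-us-central1}"               # assumption: region of the service attachments
NAMESPACE="validmind"                         # Service Directory namespace from the page

# Producer-side service attachments, exactly as given on the page.
ATTACHMENT_PRIVATE="projects/validmind-us3-prod/regions/us-central1/serviceAttachments/private"
ATTACHMENT_AUTH="projects/validmind-us3-prod/regions/us-central1/serviceAttachments/auth"

# Set GCLOUD=echo for a dry run that prints each command instead of executing it.
GCLOUD="${GCLOUD:-gcloud}"

# "Configure your Google Cloud Platform project": Cloud DNS and Compute Engine APIs.
enable_apis() {
  "$GCLOUD" services enable dns.googleapis.com compute.googleapis.com --project="$PROJECT"
}

# "Prepare your network": private subnet with Private Google Access enabled.
create_subnet() {
  "$GCLOUD" compute networks subnets create "$SUBNET" --project="$PROJECT" \
    --network="$NETWORK" --region="$REGION" --range="$SUBNET_RANGE" \
    --enable-private-ip-google-access
}

# Reserve one static internal address in the subnet; $1 is the address name.
reserve_address() {
  "$GCLOUD" compute addresses create "$1" --project="$PROJECT" \
    --region="$REGION" --subnet="$SUBNET"
}

# Create a PSC endpoint (a forwarding rule whose target is the service
# attachment) and register it in Service Directory for DNS resolution.
# $1 endpoint name, $2 reserved address name, $3 service attachment path.
create_endpoint() {
  "$GCLOUD" compute forwarding-rules create "$1" --project="$PROJECT" \
    --region="$REGION" --network="$NETWORK" --address="$2" \
    --target-service-attachment="$3" \
    --service-directory-registration="projects/$PROJECT/locations/$REGION/namespaces/$NAMESPACE"
}

# Print the endpoint's connection status. ACCEPTED means the producer side has
# accepted your project; PENDING is what you see while the allowlisting the
# page asks you to request from ValidMind is still outstanding.
endpoint_status() {
  "$GCLOUD" compute forwarding-rules describe "$1" --project="$PROJECT" \
    --region="$REGION" --format='value(pscConnectionStatus)'
}

# Full run in page order. Only executes when invoked as: sh psc-setup.sh apply
main() {
  enable_apis
  create_subnet
  reserve_address validmind        # IP address name given on the page
  reserve_address validmind-auth   # assumption: name for the second reserved IP
  create_endpoint private validmind "$ATTACHMENT_PRIVATE"
  create_endpoint auth validmind-auth "$ATTACHMENT_AUTH"
  for ep in private auth; do
    printf '%s: %s\n' "$ep" "$(endpoint_status "$ep")"
  done
}

if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it first as GCLOUD=echo sh psc-setup.sh apply to review the exact commands, then without GCLOUD to apply them. REGION defaults to us-central1 because that is the region in the service attachment paths on this page and a Private Service Connect endpoint is a regional forwarding rule; the VPC service information table lists us-west1 for US3, so confirm with ValidMind which region your endpoints belong in before applying.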


Active auth endpoint in the Google Cloud Console

Test connectivity

As a final step, test that everything is set up correctly and that you can reach the ValidMind services:

  1. Under Network Services > Cloud DNS, verify that DNS and service discovery are functioning as expected.

  2. Test your connection to the following hosts: