
How does a compute instance access public PaaS services (e.g. a storage bucket or a cloud function)?

To avoid going over the internet to access a PaaS resource, both AWS and GCP define a private access route to get from inside the cloud environment to these public resources.

S3 VPC Endpoint

When you define the endpoint in AWS's VPC, you choose the service (e.g. S3) and the route table within the VPC that this private route is added to. Typically, you would select the PRIVATE route table (see routing in AWS vs GCP).

Private Google Access (on GCP)

The idea is exactly the same as the AWS VPC Endpoint. The primary difference is that this is defined at the SUBNET LEVEL (as opposed to the VPC level in AWS).

Private Google Access allows VMs to reach Google services via a private route. Services such as BigQuery, Cloud Bigtable, Container Registry, Cloud Dataproc and Cloud Storage can all be reached internally through Private Google Access.
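The practical check that follows from the two sections above: an AWS subnet is only covered by the S3 gateway endpoint if the route table it actually uses carries the endpoint's prefix-list route, and a GCP subnet is only covered if its own subnet-level flag is on. This is an added audit example, not code from the original post; the input shapes mirror the JSON returned by `aws ec2 describe-route-tables`, `aws ec2 describe-vpc-endpoints` and `gcloud compute networks subnets describe --format=json`, and every resource ID is a constructed placeholder.

```python
# Audit helpers: which private subnets would still reach S3 / Google APIs over the internet?

def subnet_route_table(subnet_id, route_tables):
    """Route table a subnet uses: its explicit association, else the VPC's main table."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main

def aws_subnets_without_s3_endpoint(subnet_ids, route_tables, endpoints, region):
    """Subnets whose effective route table has no route via a Gateway endpoint for S3."""
    s3_service = f"com.amazonaws.{region}.s3"
    s3_gateways = {e["VpcEndpointId"] for e in endpoints
                   if e["ServiceName"] == s3_service and e["VpcEndpointType"] == "Gateway"}
    missing = []
    for subnet_id in subnet_ids:
        rtb = subnet_route_table(subnet_id, route_tables)
        routes = rtb.get("Routes", []) if rtb else []
        # A gateway endpoint shows up as a prefix-list route whose target is the vpce-* ID.
        if not any(r.get("GatewayId") in s3_gateways and r.get("DestinationPrefixListId")
                   for r in routes):
            missing.append(subnet_id)
    return missing

def gcp_subnets_without_private_access(subnets):
    """Subnets where the subnet-level Private Google Access flag is off."""
    return [f"{s['region']}/{s['name']}" for s in subnets
            if not s.get("privateIpGoogleAccess", False)]

# Constructed sample data (all IDs are placeholders, not real resources).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main0000", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000"}]},
    {"RouteTableId": "rtb-priv0000", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000"},
                {"DestinationPrefixListId": "pl-s3000000", "GatewayId": "vpce-s3000000"}]},
]
ENDPOINTS = [{"VpcEndpointId": "vpce-s3000000", "ServiceName": "com.amazonaws.us-east-1.s3",
              "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-priv0000"]}]
GCP_SUBNETS = [{"name": "app-subnet", "region": "us-central1", "privateIpGoogleAccess": True},
               {"name": "data-subnet", "region": "us-central1", "privateIpGoogleAccess": False}]

if __name__ == "__main__":
    # subnet-priv-b has no explicit association, so it silently falls back to the main table.
    print(aws_subnets_without_s3_endpoint(["subnet-priv-a", "subnet-priv-b"],
                                          ROUTE_TABLES, ENDPOINTS, "us-east-1"))
    print(gcp_subnets_without_private_access(GCP_SUBNETS))
```

The main-route-table fallback is the case worth watching: a subnet you never associated explicitly is "private" only if the main table happens to carry the endpoint route.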

What is Private Service Connect (on GCP)?

Confusingly named, the idea behind Private Service Access is to allow cross-VPC (or cross-org) access to your deployed PaaS services. Say you have two different organizations with deployed GCP services, and you would like to grant private access between the two. Normally, a lot of NATting, public IPs and the like would be involved. With Private Service Access, GCP offers a way to go from a private IP of a deployed service to another private IP (in the second org). This is made possible through a private zone (private DNS) that is shared between the two organizations.


Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.