Private Service Connect for GCP
Connect your GCP workloads to Coralogix privately using Google Cloud's Private Service Connect. Traffic stays on Google's backbone network and never crosses the public internet.
Overview
Private Service Connect (PSC) creates a private endpoint inside your VPC that routes traffic directly to Coralogix through Google's internal network. This gives you:
- Private connectivity — no data exposure to the public internet
- Lower latency — traffic stays on Google's backbone
- No firewall rules needed — PSC handles connectivity through Google's private fabric
- Cross-region access — your workloads can reach the endpoint from any region in your VPC
Prerequisites
- A Google Cloud project with an existing VPC network
- Permissions to create subnets, addresses, forwarding rules, and DNS zones
- The Coralogix PSC Service Attachment URIs for your region (provided below)
Service attachments
Each Coralogix region exposes two service attachments — one for data ingestion (traces, metrics, logs) and one for the management API (queries, alerts, dashboards).
| Endpoint | Service Attachment URI | Region |
|---|---|---|
| Private Ingress | projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-ingress-v1 | us-central1 |
| Private API | projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-api-v1 | us-central1 |
Both use ACCEPT_AUTOMATIC — no approval needed from Coralogix.
Step 0 — Set your variables (CLI only)
If using the CLI, set these once and all later commands will reference them:
export PROJECT="your-gcp-project-id"
export REGION="us-central1"
export NETWORK="your-vpc-name"
export CX_DOMAIN="us3.coralogix.com"
export INGRESS_SA="projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-ingress-v1"
export API_SA="projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-api-v1"
Step 1 — Create the PSC subnet
A single subnet in the same region as the Coralogix service attachments. GCP uses it to allocate IPs for your PSC endpoints.
Make sure the CIDR range doesn't overlap with existing subnets in your VPC.
Console UI
- Go to VPC network → Subnets → Create subnet
- Fill in:
- Name:
psc-subnet - Region:
us-central1(must match the service attachment region) - IP range:
10.100.16.0/28 - Purpose: Leave as None (regular subnet)
- Click Create
gcloud CLI
gcloud compute networks subnets create psc-subnet \
--project=$PROJECT --network=$NETWORK --region=$REGION \
--range=10.100.16.0/28
Step 2 — Create PSC endpoints
These forwarding rules establish the private connections to Coralogix. GCP auto-allocates an IP from the subnet for each endpoint.
Console UI
- Go to Private Service Connect → Connected endpoints → Connect endpoint
- Create the ingress endpoint:
- Endpoint name:
psc-coralogix-ingress - Target: Select Published service
- Service attachment: Paste
projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-ingress-v1 - Network: Your VPC
- Subnetwork:
psc-subnet - IP address: Select Create IP address → name it
psc-ingress-ip→ Reserve - Enable global access: Check this box
- Click Create
- Create the API endpoint:
- Endpoint name:
psc-coralogix-api - Service attachment: Paste
projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-api-v1 - IP address: Select Create IP address → name it
psc-api-ip→ Reserve - Everything else same as above
- Click Create
- Verify both endpoints show Accepted status
- Note down the two IP addresses — you'll need them for DNS
gcloud CLI
gcloud compute addresses create psc-ingress-ip \
--project=$PROJECT --region=$REGION --subnet=psc-subnet
gcloud compute addresses create psc-api-ip \
--project=$PROJECT --region=$REGION --subnet=psc-subnet
gcloud compute forwarding-rules create psc-coralogix-ingress \
--project=$PROJECT --region=$REGION --network=$NETWORK \
--address=psc-ingress-ip \
--target-service-attachment=$INGRESS_SA \
--allow-psc-global-access
gcloud compute forwarding-rules create psc-coralogix-api \
--project=$PROJECT --region=$REGION --network=$NETWORK \
--address=psc-api-ip \
--target-service-attachment=$API_SA \
--allow-psc-global-access
Verify:
gcloud compute forwarding-rules describe psc-coralogix-ingress \
--project=$PROJECT --region=$REGION --format='table(name, IPAddress, pscConnectionStatus)'
gcloud compute forwarding-rules describe psc-coralogix-api \
--project=$PROJECT --region=$REGION --format='table(name, IPAddress, pscConnectionStatus)'
Both should show ACCEPTED. Save the IPs for the next step:
INGRESS_IP=$(gcloud compute forwarding-rules describe psc-coralogix-ingress \
--project=$PROJECT --region=$REGION --format='value(IPAddress)')
API_IP=$(gcloud compute forwarding-rules describe psc-coralogix-api \
--project=$PROJECT --region=$REGION --format='value(IPAddress)')
echo "Ingress IP: $INGRESS_IP"
echo "API IP: $API_IP"
Step 3 — Create Cloud DNS private zone and records
A private DNS zone so your workloads resolve *.private.us3.coralogix.com to the PSC endpoint IPs.
Console UI
- Go to Cloud DNS → Create zone
- Fill in:
- Zone type: Private
- Zone name:
private-coralogix - DNS name:
private.us3.coralogix.com - Networks: Select your VPC
- Click Create
- Inside the zone, click Add standard
- Create the ingress record:
- DNS name:
ingress.private.us3.coralogix.com - Type: A
- TTL: 300
- IP address: The ingress endpoint IP from Step 2
- Click Create
- Create the API record:
- DNS name:
api.private.us3.coralogix.com - Type: A
- TTL: 300
- IP address: The API endpoint IP from Step 2
- Click Create
gcloud CLI
gcloud dns managed-zones create private-coralogix \
--project=$PROJECT \
--dns-name="private.${CX_DOMAIN}." \
--description="Coralogix PSC private DNS" \
--visibility=private --networks=$NETWORK
gcloud dns record-sets create "ingress.private.${CX_DOMAIN}." \
--project=$PROJECT --zone=private-coralogix \
--type=A --ttl=300 --rrdatas=$INGRESS_IP
gcloud dns record-sets create "api.private.${CX_DOMAIN}." \
--project=$PROJECT --zone=private-coralogix \
--type=A --ttl=300 --rrdatas=$API_IP
Verification
Run these from a VM or GKE pod inside your VPC.
DNS resolution
Expected output:
Server: 10.102.0.10
Address: 10.102.0.10:53
Name: ingress.private.us3.coralogix.com
Address: 10.100.17.2 ← your PSC ingress IP
Expected output:
Server: 10.102.0.10
Address: 10.102.0.10:53
Name: api.private.us3.coralogix.com
Address: 10.100.17.3 ← your PSC API IP
TCP connectivity (telnet)
Expected output:
Press Ctrl+] then type quit to exit.
TLS handshake (curl verbose)
Expected output:
* Host ingress.private.us3.coralogix.com:443 was resolved.
* IPv4: 10.100.17.2 ← private IP, not public
* Trying 10.100.17.2:443...
* Connected to ingress.private.us3.coralogix.com (10.100.17.2) port 443
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=*.us3.coralogix.com
* subjectAltName: host "ingress.private.us3.coralogix.com" matched cert's "*.private.us3.coralogix.com"
* SSL certificate verify ok.
Key things to confirm: the IP is private (not public), TLS handshake completed, and the certificate matched.
Connection timing (curl)
curl -sk --connect-timeout 5 -o /dev/null \
-w "tcp:%{time_connect} tls:%{time_appconnect}\n" \
https://ingress.private.us3.coralogix.com
Expected output:
Both values should be very low (under 100ms) since traffic stays on Google's backbone.
From a GKE pod
If you don't have a VM, you can run any of the above from a temporary pod:
kubectl run test --rm -it --restart=Never --image=curlimages/curl:8.5.0 \
-- curl -sv --connect-timeout 5 https://ingress.private.us3.coralogix.com 2>&1 | head -20
Expected output is the same as the TLS handshake test above.
Using the private endpoints
Once verified, configure your telemetry pipelines to use the private endpoints:
| Use case | Public endpoint | Private endpoint (via PSC) |
|---|---|---|
| OTLP gRPC (traces, metrics, logs) | ingress.us3.coralogix.com:443 | ingress.private.us3.coralogix.com:443 |
| OTLP HTTP | https://ingress.us3.coralogix.com | https://ingress.private.us3.coralogix.com |
| Fluent Bit / log ingestion | ingress.us3.coralogix.com | ingress.private.us3.coralogix.com |
| REST API / DataPrime queries | api.us3.coralogix.com | api.private.us3.coralogix.com |
No other changes are needed — TLS works the same way, and the Coralogix certificates are valid for the private DNS names.
Cleanup
To remove all PSC resources:
Console UI — Delete in reverse order: DNS records → DNS zone → Forwarding rules → Static IPs → Subnet.
gcloud CLI
# Delete forwarding rules
gcloud compute forwarding-rules delete psc-coralogix-ingress \
--project=$PROJECT --region=$REGION --quiet
gcloud compute forwarding-rules delete psc-coralogix-api \
--project=$PROJECT --region=$REGION --quiet
# Delete static IPs
gcloud compute addresses delete psc-ingress-ip \
--project=$PROJECT --region=$REGION --quiet
gcloud compute addresses delete psc-api-ip \
--project=$PROJECT --region=$REGION --quiet
# Delete DNS records and zone
gcloud dns record-sets delete "ingress.private.${CX_DOMAIN}." \
--project=$PROJECT --zone=private-coralogix --type=A
gcloud dns record-sets delete "api.private.${CX_DOMAIN}." \
--project=$PROJECT --zone=private-coralogix --type=A
gcloud dns managed-zones delete private-coralogix \
--project=$PROJECT --quiet
# Delete subnet
gcloud compute networks subnets delete psc-subnet \
--project=$PROJECT --region=$REGION --quiet