# Private Service Connect (PSC) for GCP Connect your GCP workloads to Coralogix privately using Google Cloud's Private Service Connect. Traffic stays on Google's backbone network and never crosses the public internet. ## Overview Private Service Connect (PSC) creates a private endpoint inside your VPC that routes traffic directly to Coralogix through Google's internal network. This gives you: - **Private connectivity** — no data exposure to the public internet - **Lower latency** — traffic stays on Google's backbone - **No firewall rules needed** — PSC handles connectivity through Google's private fabric - **Cross-region access** — your workloads can reach the endpoint from any region in your VPC ## Prerequisites - A Google Cloud project with an existing VPC network - Permissions to create subnets, addresses, forwarding rules, and DNS zones - The Coralogix PSC Service Attachment URIs for your region (provided below) ## Service Attachments Each Coralogix region exposes two service attachments — one for **data ingestion** (traces, metrics, logs) and one for the **management API** (queries, alerts, dashboards). **Private Ingress** — us-central1 ```text projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-ingress-v1 ``` **Private API** — us-central1 ```text projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-api-v1 ``` Both use `ACCEPT_AUTOMATIC` — no approval needed from Coralogix. ______________________________________________________________________ ## Step 0 — Set your variables (CLI only) If using the CLI, set these once and all later commands will reference them: ```bash export PROJECT="your-gcp-project-id" export REGION="us-central1" export NETWORK="your-vpc-name" export CX_DOMAIN="us3.coralogix.com" export INGRESS_SA="projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-ingress-v1" export API_SA="projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-api-v1" ``` ______________________________________________________________________ ## Step 1 — Create the PSC subnet A single subnet in the same region as the Coralogix service attachments. GCP uses it to allocate IPs for your PSC endpoints. > Make sure the CIDR range doesn't overlap with existing subnets in your VPC. ### Console UI 1. Go to **VPC network** → **VPC networks** → **Your network** → **Subnets** → **Add subnet** 1. Fill in: - **Name:** `cx-psc-subnet` - **Region:** `us-central1` (must match the service attachment region) - **Purpose:** Leave as **None** (regular subnet) - **IP range:** `10.100.16.0/28` 1. Click **Add** ### gcloud CLI ```bash gcloud compute networks subnets create cx-psc-subnet \ --project=$PROJECT --network=$NETWORK --region=$REGION \ --range=10.100.16.0/28 ``` ______________________________________________________________________ ## Step 2 — Create PSC endpoints These forwarding rules establish the private connections to Coralogix. GCP auto-allocates an IP from the subnet for each endpoint. ### Console UI 1. Go to **Network Services** → **Private Service Connect** → **Connected endpoints** → **+ Connect endpoint** 1. Create the **ingress** endpoint: - **Target:** Select **Published service** - **Target service:** Paste the following URI: ```text projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-ingress-v1 ``` - **Endpoint name:** `psc-coralogix-ingress` - **Network:** - **Subnetwork:** `cx-psc-subnet` - **IP address:** Select **Create IP address** → name it `cx-psc-ingress-ip` → **Reserve** - **Enable global access:** Check this box 1. Click **Add endpoint** 1. Create the **API** endpoint: - **Target:** Select **Published service** - **Service attachment:** Paste the following URI: ```text projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-api-v1 ``` - **Endpoint name:** `psc-coralogix-api` - **Network:** Your VPC - **Subnetwork:** `cx-psc-subnet` - **IP address:** Select **Create IP address** → Name it `cx-psc-api-ip` → **Reserve** - **Enable global access:** Check this box 1. Click **Add endpoint** 1. Verify both endpoints show **Accepted** status 1. Record the two IP addresses — you'll need them for DNS ### gcloud CLI ```bash gcloud compute addresses create psc-ingress-ip \ --project=$PROJECT --region=$REGION --subnet=cx-psc-subnet gcloud compute addresses create psc-api-ip \ --project=$PROJECT --region=$REGION --subnet=cx-psc-subnet gcloud compute forwarding-rules create psc-coralogix-ingress \ --project=$PROJECT --region=$REGION --network=$NETWORK \ --address=psc-ingress-ip \ --target-service-attachment=$INGRESS_SA \ --allow-psc-global-access gcloud compute forwarding-rules create psc-coralogix-api \ --project=$PROJECT --region=$REGION --network=$NETWORK \ --address=psc-api-ip \ --target-service-attachment=$API_SA \ --allow-psc-global-access ``` **Verify:** ```bash gcloud compute forwarding-rules describe psc-coralogix-ingress \ --project=$PROJECT --region=$REGION --format='table(name, IPAddress, pscConnectionStatus)' gcloud compute forwarding-rules describe psc-coralogix-api \ --project=$PROJECT --region=$REGION --format='table(name, IPAddress, pscConnectionStatus)' ``` Both should show `ACCEPTED`. Record the IPs for the next step: ```bash INGRESS_IP=$(gcloud compute forwarding-rules describe psc-coralogix-ingress \ --project=$PROJECT --region=$REGION --format='value(IPAddress)') API_IP=$(gcloud compute forwarding-rules describe psc-coralogix-api \ --project=$PROJECT --region=$REGION --format='value(IPAddress)') echo "Ingress IP: $INGRESS_IP" echo "API IP: $API_IP" ``` ______________________________________________________________________ ## Step 3 — Create Cloud DNS private zone and records A private DNS zone so your workloads resolve `*.private.us3.coralogix.com` to the PSC endpoint IPs. ### Console UI 1. Go to **Network Services** → **Cloud DNS** → **Create zone** 1. Fill in: - **Zone type:** Private - **Zone name:** `private-coralogix` - **DNS name:** `private.us3.coralogix.com` - **Networks:** Select your VPC 1. Click **Create** 1. Inside the zone, click **Add standard** 1. Create the **ingress** record: - **DNS name:** `ingress.private.us3.coralogix.com` - **Type:** A - **TTL:** 300 - **IP address:** The ingress endpoint IP from Step 2 1. Click **Create** 1. Create the **API** record: - **DNS name:** `api.private.us3.coralogix.com` - **Type:** A - **TTL:** 300 - **IP address:** The API endpoint IP from Step 2 1. Click **Create** ### gcloud CLI ```bash gcloud dns managed-zones create private-coralogix \ --project=$PROJECT \ --dns-name="private.${CX_DOMAIN}." \ --description="Coralogix PSC private DNS" \ --visibility=private --networks=$NETWORK gcloud dns record-sets create "ingress.private.${CX_DOMAIN}." \ --project=$PROJECT --zone=private-coralogix \ --type=A --ttl=300 --rrdatas=$INGRESS_IP gcloud dns record-sets create "api.private.${CX_DOMAIN}." \ --project=$PROJECT --zone=private-coralogix \ --type=A --ttl=300 --rrdatas=$API_IP ``` ______________________________________________________________________ ## Verification Run these from a VM or GKE pod inside your VPC. ### DNS resolution ```bash nslookup ingress.private.us3.coralogix.com ``` Expected output: ```text Server: 10.102.0.10 Address: 10.102.0.10:53 Name: ingress.private.us3.coralogix.com Address: 10.100.17.2 ← your PSC ingress IP ``` ```bash nslookup api.private.us3.coralogix.com ``` Expected output: ```text Server: 10.102.0.10 Address: 10.102.0.10:53 Name: api.private.us3.coralogix.com Address: 10.100.17.3 ← your PSC API IP ``` ### TCP connectivity (telnet) ```bash telnet ingress.private.us3.coralogix.com 443 ``` Expected output: ```text Connected to ingress.private.us3.coralogix.com ``` Press `Ctrl+]` then type `quit` to exit. ### TLS handshake (curl verbose) ```bash curl -sv --connect-timeout 5 https://ingress.private.us3.coralogix.com 2>&1 | head -20 ``` Expected output: ```text * Host ingress.private.us3.coralogix.com:443 was resolved. * IPv4: 10.100.17.2 ← private IP, not public * Trying 10.100.17.2:443... * Connected to ingress.private.us3.coralogix.com (10.100.17.2) port 443 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * Server certificate: * subject: CN=*.us3.coralogix.com * subjectAltName: host "ingress.private.us3.coralogix.com" matched cert's "*.private.us3.coralogix.com" * SSL certificate verify ok. ``` Key things to confirm: the IP is **private** (not public), TLS handshake **completed**, and the certificate **matched**. ### Connection timing (curl) ```bash curl -sk --connect-timeout 5 -o /dev/null \ -w "tcp:%{time_connect} tls:%{time_appconnect}\n" \ https://ingress.private.us3.coralogix.com ``` Expected output: ```text tcp:0.041413 tls:0.083697 ``` Both values should be very low (under 100ms) since traffic stays on Google's backbone. ### From a GKE pod If you don't have a VM, you can run any of the above from a temporary pod: ```bash kubectl run test --rm -it --restart=Never --image=curlimages/curl:8.5.0 \ -- curl -sv --connect-timeout 5 https://ingress.private.us3.coralogix.com 2>&1 | head -20 ``` Expected output is the same as the TLS handshake test above. ______________________________________________________________________ ## Using the private endpoints Once verified, configure your telemetry pipelines to use the private endpoints: **OTLP gRPC (traces, metrics, logs)** - Public: `ingress.us3.coralogix.com:443` - Private: `ingress.private.us3.coralogix.com:443` **OTLP HTTP** - Public: `https://ingress.us3.coralogix.com` - Private: `https://ingress.private.us3.coralogix.com` **Fluent Bit / log ingestion** - Public: `ingress.us3.coralogix.com` - Private: `ingress.private.us3.coralogix.com` **REST API / DataPrime queries** - Public: `api.us3.coralogix.com` - Private: `api.private.us3.coralogix.com` No other changes are needed — TLS works the same way, and the Coralogix certificates are valid for the private DNS names. ______________________________________________________________________ ## Cleanup To remove all PSC resources: ### Console UI Delete in reverse order: DNS records → DNS zone → Forwarding rules → Static IPs → Subnet. ### gcloud CLI ```bash # Delete forwarding rules gcloud compute forwarding-rules delete psc-coralogix-ingress \ --project=$PROJECT --region=$REGION --quiet gcloud compute forwarding-rules delete psc-coralogix-api \ --project=$PROJECT --region=$REGION --quiet # Delete static IPs gcloud compute addresses delete psc-ingress-ip \ --project=$PROJECT --region=$REGION --quiet gcloud compute addresses delete psc-api-ip \ --project=$PROJECT --region=$REGION --quiet # Delete DNS records and zone gcloud dns record-sets delete "ingress.private.${CX_DOMAIN}." \ --project=$PROJECT --zone=private-coralogix --type=A gcloud dns record-sets delete "api.private.${CX_DOMAIN}." \ --project=$PROJECT --zone=private-coralogix --type=A gcloud dns managed-zones delete private-coralogix \ --project=$PROJECT --quiet # Delete subnet gcloud compute networks subnets delete cx-psc-subnet \ --project=$PROJECT --region=$REGION --quiet ```