# Configure GCP Private Service Connect with the Cloud API

> For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [cloud-data-platform-full.txt](https://docs.redpanda.com/cloud-data-platform-full.txt)

---
title: Configure GCP Private Service Connect with the Cloud API
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: dedicated/gcp/configure-psc-in-api
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: dedicated/gcp/configure-psc-in-api.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/networking/pages/dedicated/gcp/configure-psc-in-api.adoc
description: Set up GCP Private Service Connect to securely access Redpanda Cloud.
page-git-created-date: "2025-06-23"
page-git-modified-date: "2026-02-02"
---

<!-- Source: https://docs.redpanda.com/cloud-data-platform/networking/dedicated/gcp/configure-psc-in-api.md -->

> 📝 **NOTE**
>
> -   This guide is for configuring GCP Private Service Connect using the Redpanda Cloud API. To configure and manage Private Service Connect on an existing cluster with **public** networking, you must use the Cloud API. See [Configure Private Service Connect in the Cloud UI](https://docs.redpanda.com/cloud-data-platform/networking/configure-private-service-connect-in-cloud-ui/) to set up the endpoint service using the Redpanda Cloud UI.
>
> -   The latest version of Redpanda GCP Private Service Connect (available since March 2025) supports AZ affinity. This keeps requests from Private Service Connect endpoints within the same availability zone, avoiding additional cross-zone networking costs.
>
> -   DEPRECATION: The original Redpanda GCP Private Service Connect is deprecated and will be removed in a future release. For more information, see [Deprecated features](https://docs.redpanda.com/cloud-data-platform/manage/maintenance/#deprecated-features).

The Redpanda GCP Private Service Connect service provides secure access to Redpanda Cloud from your VPC network. Traffic over Private Service Connect remains within GCP’s private network, avoiding the public internet. Your VPC network can access the Redpanda VPC network, but Redpanda cannot access your VPC network.

Consider using Private Service Connect if you have multiple VPC networks and want a simpler approach to network management.

> 📝 **NOTE**
>
> -   Each consumer VPC network can have one Private Service Connect endpoint connected to the Redpanda service attachment.
>
> -   Private Service Connect allows overlapping [CIDR ranges](https://docs.redpanda.com/cloud-data-platform/networking/cidr-ranges/) in VPC networks.
>
> -   The number of connections is limited only by your Redpanda [usage tier](https://docs.redpanda.com/cloud-data-platform/reference/tiers/). Private Service Connect does not add extra connection limits.
>
> -   You control from which GCP projects connections are allowed.

## [](#prerequisites)Prerequisites

-   In this guide, you use the [Redpanda Cloud API](https://docs.redpanda.com/api/doc/cloud-controlplane/topic/topic-cloud-api-overview) to enable the Redpanda endpoint service for your clusters. Follow the steps on this page to [get an access token](#get-a-cloud-api-access-token).

-   Use the [gcloud](https://cloud.google.com/sdk/docs/install) command-line interface (CLI) to create the consumer-side resources, such as a VPC and forwarding rule, or to modify existing resources to use the Private Service Connect attachment created for your cluster.

-   The consumer VPC network must be in the same region as your Redpanda cluster.


## [](#get-a-cloud-api-access-token)Get a Cloud API access token

1.  Save the base URL of the Redpanda Cloud API in an environment variable:

    ```bash
    export PUBLIC_API_ENDPOINT="https://api.cloud.redpanda.com"
    ```

2.  In the Redpanda Cloud UI, go to the [**Organization IAM**](https://cloud.redpanda.com/organization-iam) page, and select the **Service account** tab. If you don’t have an existing service account, you can create a new one.

    Copy and store the client ID and secret.

    ```bash
    export CLOUD_CLIENT_ID=<client-id>
    export CLOUD_CLIENT_SECRET=<client-secret>
    ```

3.  Get an API token using the client ID and secret. You can click the **Request an API token** link to see code examples to generate the token.

    ```bash
    export AUTH_TOKEN=`curl -s --request POST \
        --url 'https://auth.prd.cloud.redpanda.com/oauth/token' \
        --header 'content-type: application/x-www-form-urlencoded' \
        --data grant_type=client_credentials \
        --data client_id="$CLOUD_CLIENT_ID" \
        --data client_secret="$CLOUD_CLIENT_SECRET" \
        --data audience=cloudv2-production.redpanda.cloud | jq -r .access_token`
    ```


You must send the API token as a bearer token in the `Authorization` header (`Authorization: Bearer $AUTH_TOKEN`) when making requests to the Cloud API. Treat the client secret and the token as credentials: keep them out of shell history files, scripts checked into source control, and CI logs.

## [](#create-a-new-cluster-with-private-service-connect)Create a new cluster with Private Service Connect

1.  In the [Redpanda Cloud Console](https://cloud.redpanda.com/), go to **Resource groups** and select the resource group in which you want to create a cluster.

    Copy and store the resource group ID (UUID) from the URL in the browser.

    ```bash
    export RESOURCE_GROUP_ID=<uuid>
    ```

2.  Make a request to the [`POST /v1/networks`](https://docs.redpanda.com/api/doc/cloud-controlplane/operation/operation-networkservice_createnetwork) endpoint to create a network.

    ```bash
    NETWORK_POST_BODY=`cat << EOF
    {
        "network": {
            "cloud_provider": "CLOUD_PROVIDER_GCP",
            "cluster_type": "TYPE_DEDICATED",
            "name": "<shared-vpc-name>",
            "resource_group_id": "$RESOURCE_GROUP_ID",
            "region": "<region>"
        }
    }
    EOF`

    curl -vv -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $AUTH_TOKEN" \
    -d "$NETWORK_POST_BODY" $PUBLIC_API_ENDPOINT/v1/networks
    ```

    Replace the following placeholders in the request body:

    -   `<shared-vpc-name>`: The name for the network.

    -   `<region>`: The GCP region where the network will be created. The cluster you create in this network must use the same region.


3.  Store the network ID (`metadata.network_id`) returned in the response to the Create Network request.

    ```bash
    export NETWORK_ID=<metadata.network_id>
    ```

4.  Make a request to the [`POST /v1/clusters`](https://docs.redpanda.com/api/doc/cloud-controlplane/operation/operation-clusterservice_createcluster) endpoint to create a Redpanda Cloud cluster with Private Service Connect enabled.

    ```bash
    export CLUSTER_POST_BODY=`cat << EOF
    {
        "cluster": {
            "cloud_provider": "CLOUD_PROVIDER_GCP",
            "connection_type": "CONNECTION_TYPE_PRIVATE",
            "type": "TYPE_DEDICATED",
            "name": "<cluster-name>",
            "resource_group_id": "$RESOURCE_GROUP_ID",
            "network_id": "$NETWORK_ID",
            "region": "<region>",
            "zones": <zones>,
            "throughput_tier": "<throughput-tier>",
            "redpanda_version": "<redpanda-version>",
            "gcp_private_service_connect": {
                "enabled": true,
                "consumer_accept_list": <consumer-accept-list>
            }
        }
    }
    EOF`

    curl -vv -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $AUTH_TOKEN" \
    -d "$CLUSTER_POST_BODY" $PUBLIC_API_ENDPOINT/v1/clusters
    ```

    -   `<cluster-name>`: Provide a name for the new cluster.

    -   `<region>`: The GCP region where the cluster will be created. It must be the region of the network referenced by `network_id`.

    -   `<zones>`: Provide the list of GCP zones where the brokers will be deployed. Format: `["<zone 1>", "<zone 2>", "<zone N>"]`

    -   `<throughput-tier>`: Choose a Redpanda Cloud cluster tier. For example, `tier-1-gcp-v2-x86`.

    -   `<redpanda-version>`: Choose the Redpanda Cloud version.

    -   `<consumer-accept-list>`: The list of IDs of GCP projects from which Private Service Connect connection requests are accepted. Format: `[{"source": "<GCP-project-ID-1>"}, {"source": "<GCP-project-ID-2>"}, {"source": "<GCP-project-ID-N>"}]`



## [](#enable-private-service-connect-on-an-existing-cluster)Enable Private Service Connect on an existing cluster

> ⚠️ **CAUTION**
>
> Enabling Private Service Connect on your cluster interrupts all communication on the existing Redpanda bootstrap server and broker ports, because private DNS resolution for the cluster changes.
>
> To avoid disruption, consider using a staged approach. See: [Switch from VPC peering to Private Service Connect](https://docs.redpanda.com/cloud-data-platform/networking/dedicated/gcp/vpc-peering-gcp/#switch-from-vpc-peering-to-private-service-connect).

1.  In the Redpanda Cloud Console, go to the cluster overview and copy the cluster ID from the **Details** section.

    ```bash
    export CLUSTER_ID=<cluster-id>
    ```

2.  Make a [`PATCH /v1/clusters/{cluster.id}`](https://docs.redpanda.com/api/doc/cloud-controlplane/operation/operation-clusterservice_updatecluster) request to update the cluster to enable Private Service Connect.

    ```bash
    CLUSTER_PATCH_BODY=`cat << EOF
    {
        "gcp_private_service_connect": {
            "enabled": true,
            "consumer_accept_list": <consumer-accept-list>
        }
    }
    EOF`
    curl -v -X PATCH \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $AUTH_TOKEN" \
    -d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/clusters/$CLUSTER_ID
    ```

    Replace the following placeholder:

    `<consumer-accept-list>`: A JSON list specifying the projects from which incoming connections will be accepted. All other sources are rejected. For example, `[{"source": "consumer-project-ID-1"},{"source": "consumer-project-ID-2"}]`.

    Wait for the cluster to apply the new configuration (around 15 minutes). The Private Service Connect attachment is available when the cluster update is complete; you can poll the cluster state with [`GET /v1/clusters/{id}`](https://docs.redpanda.com/api/doc/cloud-controlplane/operation/operation-clusterservice_getcluster). If you have access to the GCP project that hosts the service attachment, you can also watch for it with the following `gcloud` command, using that project ID:

    ```bash
    gcloud compute service-attachments list --project '<service-project-id>'
    ```
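Both requests above, the `POST /v1/clusters` body for a new cluster and the `PATCH /v1/clusters/{cluster.id}` body for an existing one, hinge on `consumer_accept_list`: it is the only authorization boundary between your service attachment and every other GCP project, so a mistyped ID can exclude the project you meant or, if it happens to match a real project, admit one you did not. The following script is an added example, not code from the Redpanda documentation or from any Redpanda client; it builds and validates that list and the PATCH body before you hand them to curl. The format check follows the documented GCP project ID rules (6 to 30 lowercase letters, digits and hyphens, starting with a letter and not ending with a hyphen) and does not confirm that a project exists; the `cloud_api_request` helper and the project IDs in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not from the Redpanda docs or API client): build and validate
# the gcp_private_service_connect object before sending it to the Cloud API.
set -e

# True (exit 0) if $1 looks like a GCP project ID: 6 to 30 characters of
# lowercase letters, digits and hyphens, starting with a letter and not ending
# with a hyphen. This checks the format only, not that the project exists.
is_gcp_project_id() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Build consumer_accept_list from project IDs given as arguments, e.g.
#   build_accept_list my-proj-1 other-proj-22
# -> [{"source":"my-proj-1"},{"source":"other-proj-22"}]
# Fails on the first bad ID instead of silently dropping it, and rejects an
# empty list: every project not on the list is refused, so an empty list
# admits nobody.
build_accept_list() {
  if [ "$#" -eq 0 ]; then
    echo "build_accept_list: at least one GCP project ID is required" >&2
    return 1
  fi
  out=''
  for id in "$@"; do
    if ! is_gcp_project_id "$id"; then
      echo "build_accept_list: invalid GCP project ID: '$id'" >&2
      return 1
    fi
    [ -z "$out" ] || out="$out,"
    out="$out{\"source\":\"$id\"}"
  done
  printf '[%s]' "$out"
}

# Body for PATCH /v1/clusters/{cluster.id} that enables PSC for the given
# projects. For POST /v1/clusters, nest the same object under "cluster"
# alongside the other cluster fields.
build_psc_patch_body() {
  list=$(build_accept_list "$@") || return 1
  printf '{"gcp_private_service_connect":{"enabled":true,"consumer_accept_list":%s}}' "$list"
}

# Send a JSON body to the Cloud API with the bearer token from the steps above.
# --fail turns a 4xx/5xx into a non-zero exit so a rejected PATCH cannot go
# unnoticed in a script. Assumed helper, not invoked here; example call:
#   cloud_api_request PATCH "/v1/clusters/$CLUSTER_ID" "$(build_psc_patch_body my-proj-1)"
cloud_api_request() {
  curl -sS --fail -X "$1" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $AUTH_TOKEN" \
    -d "$3" "${PUBLIC_API_ENDPOINT:-https://api.cloud.redpanda.com}$2"
}
```

Because `build_accept_list` fails closed, a script that pipes its output into the page's curl command never sends a half-built list; compare the result with `gcloud compute service-attachments describe` on the producer side (if you have access) to confirm the accept list that was actually applied.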


## [](#deploy-consumer-side-resources)Deploy consumer-side resources

For each consumer VPC network, you must complete the following steps to successfully connect to the service attachment and use the Kafka API and other Redpanda services, such as HTTP Proxy.

1.  In **Dataplane settings**, copy the **DNS zone** and **Service attachment URL** under **Private Service Connect**. Use this URL to create the Private Service Connect endpoint in GCP.

2.  Get the name of the consumer VPC network and the subnet `<psc-endpoint-subnet>`, where the Private Service Connect endpoint forwarding rule will be created.

3.  Create a Private Service Connect IP address for the endpoint:

    ```bash
    gcloud compute addresses create <psc-endpoint-ip-name> --subnet=<psc-endpoint-subnet> --addresses=<psc-endpoint-ip> --region=<region>
    ```

4.  Create the Private Service Connect endpoint forwarding rule:

    > 📝 **NOTE**
    >
    > If you enabled global access when creating the cluster, you must include the `--allow-psc-global-access` flag to configure the endpoint to accept client connections from different regions.

    ```bash
    gcloud compute forwarding-rules create <psc-endpoint-forwarding-rule-name> --region=<region> --network=<consumer-vpc-name> --address=<psc-endpoint-ip> --target-service-attachment=<rp-psc-service-attachment-url>
    ```

5.  Create firewall rules allowing egress traffic to the Private Service Connect endpoint:

    ```bash
    gcloud compute firewall-rules create redpanda-psc-egress \
      --description="Allow access to Redpanda PSC endpoint" \
      --network="<consumer-vpc-name>" \
      --direction="EGRESS" \
      --destination-ranges=<psc-endpoint-ip> \
      --allow="tcp:443,tcp:30081,tcp:30282,tcp:30292,tcp:32092-32141,tcp:35082-35131,tcp:32192-32241,tcp:35182-35231,tcp:32292-32341,tcp:35282-35331"
    ```

6.  Create a private DNS zone. Use the cluster **DNS zone** value as the DNS name:

    ```bash
    gcloud dns managed-zones create <dns-zone-name> \
      --project=<gcp-project-id> \
      --description="Redpanda Private Service Connect DNS zone" \
      --dns-name="<dns-zone-from-the-ui>" \
      --visibility="private" \
      --networks="<consumer-vpc-name>"
    ```

7.  In the newly-created DNS zone, create a wildcard DNS record using the cluster **DNS record** value:

    ```bash
    gcloud dns record-sets create '*.<dns-zone-from-the-ui>' \
      --project=<gcp-project-id> \
      --zone="<dns-zone-name>" \
      --type="A" \
      --ttl="300" \
      --rrdatas="<psc-endpoint-ip>"
    ```
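The seven steps above as one script, followed by the two checks that tell you whether the endpoint is actually usable: that the Redpanda service attachment accepted it (the consumer-side proof that your project is on `consumer_accept_list`) and that the private zone resolves cluster hostnames to the endpoint address. This is an added example, not a script from the Redpanda documentation. The resource names (`redpanda-psc-ip`, `redpanda-psc-endpoint`, `redpanda-psc-egress`, `redpanda-psc-zone`), the `redpanda-client` network tag and every default value are assumed placeholders; the `gcloud` flags are the ones from the steps above plus `--target-tags` and `--format='value(pscConnectionStatus)'`. Nothing is created unless you run it with `PSC_APPLY=1`.

```sh
#!/bin/sh
# Added example, not from the Redpanda documentation: the consumer-side steps
# as one script, plus two checks. Resource names, the network tag and all
# defaults below are assumed placeholders. Nothing is created unless PSC_APPLY=1.
set -e

: "${PROJECT:=my-consumer-project}"   # consumer GCP project (must be on the accept list)
: "${REGION:=us-east1}"               # must equal the Redpanda cluster region
: "${VPC:=consumer-vpc}"              # consumer VPC network name
: "${SUBNET:=psc-subnet}"             # subnet that holds the endpoint address
: "${ENDPOINT_IP:=10.10.0.10}"        # free address in SUBNET
: "${ATTACHMENT:=projects/example-producer/regions/us-east1/serviceAttachments/example-attachment}"  # Service attachment URL from the Cloud UI
: "${DNS_NAME:=example-cluster.psc.example.com.}"  # DNS zone value from the Cloud UI
: "${GLOBAL_ACCESS:=0}"               # 1 only if the cluster was created with global access

# Steps 3 and 4: reserve the address and create the endpoint forwarding rule.
create_psc_endpoint() {
  gcloud compute addresses create redpanda-psc-ip \
    --project="$PROJECT" --region="$REGION" --subnet="$SUBNET" --addresses="$ENDPOINT_IP"
  if [ "$GLOBAL_ACCESS" = 1 ]; then set -- --allow-psc-global-access; else set --; fi
  gcloud compute forwarding-rules create redpanda-psc-endpoint \
    --project="$PROJECT" --region="$REGION" --network="$VPC" \
    --address="$ENDPOINT_IP" --target-service-attachment="$ATTACHMENT" "$@"
}

# Step 5: egress to the endpoint address only (/32) and only from instances
# tagged redpanda-client, so the rule does not apply to every instance in the VPC.
create_psc_firewall() {
  gcloud compute firewall-rules create redpanda-psc-egress \
    --project="$PROJECT" --network="$VPC" --direction=EGRESS \
    --target-tags=redpanda-client \
    --destination-ranges="$ENDPOINT_IP/32" \
    --allow="tcp:443,tcp:30081,tcp:30282,tcp:30292,tcp:32092-32141,tcp:35082-35131,tcp:32192-32241,tcp:35182-35231,tcp:32292-32341,tcp:35282-35331"
}

# Steps 6 and 7: private zone for the cluster DNS name with a wildcard A record.
create_psc_dns() {
  gcloud dns managed-zones create redpanda-psc-zone \
    --project="$PROJECT" --dns-name="$DNS_NAME" --visibility=private \
    --networks="$VPC" --description="Redpanda Private Service Connect DNS zone"
  gcloud dns record-sets create "*.$DNS_NAME" \
    --project="$PROJECT" --zone=redpanda-psc-zone --type=A --ttl=300 --rrdatas="$ENDPOINT_IP"
}

# Check 1: the producer side must have accepted the endpoint. A status that
# stays PENDING, or REJECTED, usually means PROJECT is not on the cluster's
# consumer_accept_list; fix that through the Cloud API, not on the consumer side.
psc_endpoint_status() {
  gcloud compute forwarding-rules describe redpanda-psc-endpoint \
    --project="$PROJECT" --region="$REGION" --format='value(pscConnectionStatus)'
}
verify_psc_accepted() {
  status=$(psc_endpoint_status)
  if [ "$status" != ACCEPTED ]; then
    echo "endpoint not usable: pscConnectionStatus=${status:-unknown}" >&2
    return 1
  fi
}

# Check 2: from a host in the VPC, any name under the zone must resolve to the
# endpoint address. resolve_a is a thin wrapper so it can be swapped for dig.
resolve_a() { getent hosts "$1" | awk '{ print $1; exit }'; }
verify_psc_dns() {
  host="psc-check.${DNS_NAME%.}"   # arbitrary label; the wildcard record answers it
  got=$(resolve_a "$host")
  if [ "$got" != "$ENDPOINT_IP" ]; then
    echo "$host resolved to '${got:-nothing}', expected $ENDPOINT_IP" >&2
    return 1
  fi
}

if [ "${PSC_APPLY:-0}" = 1 ]; then
  create_psc_endpoint
  create_psc_firewall
  create_psc_dns
  verify_psc_accepted
  verify_psc_dns
  echo "Redpanda PSC consumer side ready: $ENDPOINT_IP accepted, *.$DNS_NAME resolves"
fi
```

Run it from a host in the consumer VPC so that the DNS check exercises the private zone; from outside the VPC the zone is invisible and `verify_psc_dns` fails even though the endpoint is fine. Tag the instances that should reach Redpanda with `redpanda-client`, otherwise the egress rule does not apply to them.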


## [](#access-redpanda-services-through-private-service-connect-endpoint)Access Redpanda services through Private Service Connect endpoint

After you have enabled Private Service Connect for your cluster, your connection URLs are available in the **How to Connect** section of the cluster overview in the Redpanda Cloud UI.

You can access Redpanda services such as Redpanda Console, Schema Registry, and HTTP Proxy from the client VPC or virtual network; for example, from a compute instance in the VPC or network.

The bootstrap server hostname is unique to each cluster. The service attachment exposes a set of bootstrap ports for access to Redpanda services. These ports load balance requests among brokers. Make sure you use the following ports for initiating a connection from a consumer:

| Redpanda service | Default port |
| --- | --- |
| Kafka API | 30292 |
| HTTP Proxy | 30282 |
| Schema Registry | 30081 |
| Redpanda Console | 443 |

### [](#access-kafka-api-seed-service)Access Kafka API seed service

Use port `30292` to access the Kafka API seed service.

```bash
export RPK_BROKERS='<kafka-api-bootstrap-server-hostname>:30292'
rpk cluster info -X tls.enabled=true -X user=<user> -X pass=<password>
```

When successful, the `rpk` output should look like the following:

```bash
CLUSTER
=======
redpanda.rp-cki01qgth38kk81ard3g

BROKERS
=======
ID    HOST                                                                PORT   RACK
0*    0-3da65a4a-0532364.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com  32092  use2-az1
1     1-3da65a4a-63b320c.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com  32093  use2-az1
2     2-3da65a4a-36068dc.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com  32094  use2-az1
```

### [](#access-schema-registry-seed-service)Access Schema Registry seed service

Use port `30081` to access the Schema Registry seed service.

```bash
curl -vv -u <user>:<password> -H "Content-Type: application/vnd.schemaregistry.v1+json" https://<schema-registry-bootstrap-server-hostname>:30081/subjects
```

### [](#access-http-proxy-seed-service)Access HTTP Proxy seed service

Use port `30282` to access the Redpanda HTTP Proxy seed service.

```bash
curl -vv -u <user>:<password> -H "Content-Type: application/vnd.kafka.json.v2+json" https://<http-proxy-bootstrap-server-hostname>:30282/topics
```

### [](#verify-the-redpanda-console-network-path)Verify the Redpanda Console network path

When you configure private connectivity through the Cloud API, set `connect_console: true` on the network configuration to enable Console access through the cluster’s private endpoint. The Cloud UI sets this for you when you enable private connectivity.

The Redpanda Console URL is served on port `443` (HTTPS) and follows the form `https://console-<id>.<cluster_domain>`. The `<id>` is a per-cluster suffix assigned by the Redpanda control plane and is opaque to you; the full URL is shown in the **How to Connect** section of the cluster overview in the Redpanda Cloud Console.

To verify that the network path to Redpanda Console is open, run the following commands from a host in the client network. First, confirm DNS resolves the hostname to a private IP on the cluster’s private endpoint:

```bash
dig +short console-<id>.<cluster_domain>
```

The response is a private IP from your client network’s address range, for example:

```bash
10.0.0.42
```

Then confirm Redpanda Console responds over HTTPS through the endpoint:

```bash
curl -sS -o /dev/null -w "%{http_code}\n" https://console-<id>.<cluster_domain>/
```

Expected output:

```bash
200
```

A 200 response confirms the network path. The Console UI itself does not expose a standalone login form: sign in to [cloud.redpanda.com](https://cloud.redpanda.com), navigate to the cluster, and use the cluster’s left navigation (**Topics**, **Brokers**, **Consumer groups**) to interact with Redpanda Console.

> 📝 **NOTE**
>
> -   You don’t need a separate private DNS zone for Redpanda Console. The wildcard `A` record you created in [Deploy consumer-side resources](#deploy-consumer-side-resources) resolves every hostname under the cluster DNS zone, including the Console hostname, to the Private Service Connect endpoint address.
>
> -   The egress firewall rule you created for the endpoint already allows TCP port `443`. Scope that rule to the client workloads that need it (for example, with `--target-tags` or `--target-service-accounts`) rather than leaving it applied to every instance in the VPC network, and keep its destination limited to the endpoint address.

## [](#test-the-connection)Test the connection

You can test the Private Service Connect connection from any VM or container in the consumer VPC. If configuring a client isn’t possible right away, you can do these checks using `rpk` or curl:

1.  Set the following environment variables.

    ```bash
    export RPK_BROKERS='<kafka-api-bootstrap-server-hostname>:30292'
    export RPK_TLS_ENABLED=true
    export RPK_SASL_MECHANISM="<SCRAM-SHA-256 or SCRAM-SHA-512>"
    export RPK_USER=<user>
    export RPK_PASS=<password>
    ```

2.  Create a test topic.

    ```bash
    rpk topic create test-topic
    ```

3.  Produce to the test topic.

    ### rpk

    ```bash
    echo 'hello world' | rpk topic produce test-topic
    ```


    ### curl

    ```bash
    curl -s \
      -X POST \
      -u <user>:<password> \
      "<http-proxy-bootstrap-server-url>/topics/test-topic" \
      -H "Content-Type: application/vnd.kafka.json.v2+json" \
      -d '{
      "records":[
          {
              "value":"hello world"
          }
      ]
    }'
    ```

4.  Consume from the test topic.

    ### rpk

    ```bash
    rpk topic consume test-topic -n 1
    ```


    ### curl

    ```bash
    curl -s \
      -u <user>:<password> \
      "<http-proxy-bootstrap-server-url>/topics/test-topic/partitions/0/records?offset=0&timeout=1000&max_bytes=100000" \
      -H "Accept: application/vnd.kafka.json.v2+json"
    ```


## [](#disable-private-service-connect)Disable Private Service Connect

Make a [`PATCH /v1/clusters/{cluster.id}`](https://docs.redpanda.com/api/doc/cloud-controlplane/operation/operation-clusterservice_updatecluster) request to update the cluster to disable Private Service Connect.

```bash
CLUSTER_PATCH_BODY=`cat << EOF
{
    "gcp_private_service_connect": {
        "enabled": false
    }
}
EOF`
curl -v -X PATCH \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $AUTH_TOKEN" \
-d "$CLUSTER_PATCH_BODY" $PUBLIC_API_ENDPOINT/v1/clusters/$CLUSTER_ID
```