VPN Peering over Private Service Connect when connecting two different organizations in GCP

Hi @Nikp ,

Welcome to Google Cloud Community!

Both VPC Peering and Private Service Connect can be effective solutions for a secure connection between two different organizations in Google Cloud Platform (GCP), and both enable bidirectional data transfer.

VPC Peering is a method of connecting two Virtual Private Clouds (VPCs) so that resources in both VPCs can communicate with each other using private IP addresses. Traffic between the two VPCs remains within Google’s network and is not exposed to the public internet, ensuring security.

  • Note that you need to configure IAM policies to grant the appropriate permissions for each Cloud Storage bucket after creating the peering connection between the two VPCs in each separate organization.
  • Enable Private Google Access on the VPC subnets to ensure that API requests to Google Cloud services, including Cloud Storage, are routed over Google’s private network.
  • Misconfigurations can still lead to data exposure. You’ll need careful firewall rules on both sides to restrict access to only the necessary resources.
  • VPC peering is non-transitive, meaning if there are more than two VPCs, one cannot route traffic through a peered VPC to another VPC.

PSC allows the creation of private endpoints for services like Cloud Storage. This can enable secure data transfers between organizations over private IPs.

  • Unlike VPC peering, which relies on network-level security, PSC provides additional layers of service-level security, such as granular access policies on the service itself.
  • No IP overlap issues: PSC doesn’t have the same IP range restrictions as VPC Peering, so it’s useful in situations where the VPCs might have overlapping IP ranges.
  • You’ll need to configure DNS routing for the Cloud Storage service so that requests are directed to the private endpoints.
  • Set IAM policies to ensure that each organization has the appropriate permissions to access the Cloud Storage buckets.

You can use PSC if you want to use only private IPs to access your Cloud Run (and other Google-published services) or other third-party services. You may check this list for reference.

Other references:

Set up and manage VPC Network Peering

About accessing published services through endpoints

Private Service Connect architecture and performance

Google Cloud Skills Boost

Integrate Private Service Connect with Service Directory

I hope the information above is helpful.

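As an added worked example (not part of the reply above, and not Google's own tooling), the script below turns the two checklists into a pre-flight step: it verifies the one hard prerequisite that VPC Peering has and PSC does not (no overlapping subnet ranges between the two VPCs), and, when peering is viable, prints the gcloud commands that create the peering from both sides, restrict ingress to the peer's subnet ranges on a single port, and enable Private Google Access on each subnet. Every project, network, region and CIDR value is a constructed placeholder; the `plan`, `overlapping_ranges` and `peering_commands` names are this example's own.

```python
"""Pre-flight check and command plan for connecting two GCP organizations.

Added example, not code from the original post. It assumes two projects in
different organizations with one VPC each and a known list of subnet CIDRs;
all project, network, region and range values are constructed placeholders.
"""
import ipaddress

# Constructed sample inventory: two organizations, one VPC each.
ORG_A = {"project": "org-a-project", "network": "vpc-a", "region": "us-central1",
         "subnets": {"subnet-a-1": "10.10.0.0/24", "subnet-a-2": "10.10.1.0/24"}}
ORG_B = {"project": "org-b-project", "network": "vpc-b", "region": "us-central1",
         "subnets": {"subnet-b-1": "10.20.0.0/24"}}
# Same peer, but with a range that collides with ORG_A (peering would be refused).
ORG_B_OVERLAP = {"project": "org-b-project", "network": "vpc-b", "region": "us-central1",
                 "subnets": {"subnet-b-1": "10.10.0.0/22"}}


def overlapping_ranges(vpc_a, vpc_b):
    """Return (subnet_a, subnet_b) name pairs whose CIDRs overlap.

    VPC Network Peering cannot connect VPCs whose subnet ranges overlap;
    PSC endpoints do not carry that restriction.
    """
    hits = []
    for name_a, cidr_a in vpc_a["subnets"].items():
        net_a = ipaddress.ip_network(cidr_a)
        for name_b, cidr_b in vpc_b["subnets"].items():
            if net_a.overlaps(ipaddress.ip_network(cidr_b)):
                hits.append((name_a, name_b))
    return hits


def peering_commands(local, peer, port="tcp:443"):
    """gcloud commands for one side of the peering (run once per organization)."""
    peer_ranges = ",".join(peer["subnets"].values())
    cmds = [
        # The peering only becomes ACTIVE once both organizations create it.
        f"gcloud compute networks peerings create to-{peer['network']} "
        f"--project={local['project']} --network={local['network']} "
        f"--peer-project={peer['project']} --peer-network={peer['network']}",
        # Ingress is limited to the peer's subnet ranges on the required port,
        # so a loose rule on the other side cannot widen what is reachable here.
        f"gcloud compute firewall-rules create allow-from-{peer['network']} "
        f"--project={local['project']} --network={local['network']} "
        f"--direction=INGRESS --action=ALLOW --rules={port} "
        f"--source-ranges={peer_ranges}",
    ]
    # Private Google Access keeps Cloud Storage API calls on Google's network.
    for subnet in local["subnets"]:
        cmds.append(
            f"gcloud compute networks subnets update {subnet} "
            f"--project={local['project']} --region={local['region']} "
            f"--enable-private-ip-google-access"
        )
    return cmds


def plan(vpc_a, vpc_b):
    """Choose peering when ranges are disjoint; otherwise point at PSC."""
    clashes = overlapping_ranges(vpc_a, vpc_b)
    if clashes:
        return {"method": "psc", "conflicts": clashes, "commands": []}
    return {"method": "peering", "conflicts": [],
            "commands": peering_commands(vpc_a, vpc_b) + peering_commands(vpc_b, vpc_a)}


if __name__ == "__main__":
    for label, peer in (("disjoint", ORG_B), ("overlap", ORG_B_OVERLAP)):
        result = plan(ORG_A, peer)
        print(f"[{label}] method={result['method']} conflicts={result['conflicts']}")
        for cmd in result["commands"]:
            print("  " + cmd)
```

The script only prints commands; review them and run them per project after confirming the IAM policies on the buckets, since the peering and firewall rules say nothing about which identities may read or write the data.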