Private Service Connect (PSC) for GCP
Connect your GCP workloads to Coralogix privately using Google Cloud's Private Service Connect. Traffic stays on Google's backbone network and never crosses the public internet.
Overview
Private Service Connect (PSC) creates a private endpoint inside your VPC that routes traffic directly to Coralogix through Google's internal network. This gives you:
- Private connectivity — no data exposure to the public internet
- Lower latency — traffic stays on Google's backbone
- No firewall rules needed — PSC handles connectivity through Google's private fabric
- Cross-region access — your workloads can reach the endpoint from any region in your VPC
Prerequisites
- A Google Cloud project with an existing VPC network
- Permissions to create subnets, addresses, forwarding rules, and DNS zones
- The Coralogix PSC Service Attachment URIs for your region (provided below)
Service Attachments
Each Coralogix region exposes two service attachments — one for data ingestion (traces, metrics, logs) and one for the management API (queries, alerts, dashboards).
Private Ingress — us-central1
Private API — us-central1
Both use ACCEPT_AUTOMATIC — no approval needed from Coralogix.
Step 0 — Set your variables (CLI only)
If using the CLI, set these once and all later commands will reference them:
export PROJECT="your-gcp-project-id"
export REGION="us-central1"
export NETWORK="your-vpc-name"
export CX_DOMAIN="us3.coralogix.com"
export INGRESS_SA="projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-ingress-v1"
export API_SA="projects/coralogix-prod-saas-service/regions/us-central1/serviceAttachments/us3-psc-api-v1"
Step 1 — Create the PSC subnet
A single subnet in the same region as the Coralogix service attachments. GCP uses it to allocate IPs for your PSC endpoints.
Make sure the CIDR range doesn't overlap with existing subnets in your VPC.
Console UI
- Go to VPC network → VPC networks → Your network → Subnets → Add subnet
- Fill in:
- Name:
cx-psc-subnet - Region:
us-central1(must match the service attachment region) - Purpose: Leave as None (regular subnet)
- IP range:
10.100.16.0/28
- Name:
- Click Add
gcloud CLI
gcloud compute networks subnets create cx-psc-subnet \
--project=$PROJECT --network=$NETWORK --region=$REGION \
--range=10.100.16.0/28
Step 2 — Create PSC endpoints
These forwarding rules establish the private connections to Coralogix. GCP auto-allocates an IP from the subnet for each endpoint.
Console UI
Go to Network Services → Private Service Connect → Connected endpoints → + Connect endpoint
Create the ingress endpoint:
- Target: Select Published service
- Target service: Paste the following URI:
- Endpoint name:
psc-coralogix-ingress - Network:
- Subnetwork:
cx-psc-subnet - IP address: Select Create IP address → name it
cx-psc-ingress-ip→ Reserve - Enable global access: Check this box
Click Add endpoint
Create the API endpoint:
- Target: Select Published service
- Service attachment: Paste the following URI:
- Endpoint name:
psc-coralogix-api - Network: Your VPC
- Subnetwork:
cx-psc-subnet - IP address: Select Create IP address → Name it
cx-psc-api-ip→ Reserve - Enable global access: Check this box
Click Add endpoint
Verify both endpoints show Accepted status
Record the two IP addresses — you'll need them for DNS
gcloud CLI
gcloud compute addresses create psc-ingress-ip \
--project=$PROJECT --region=$REGION --subnet=cx-psc-subnet
gcloud compute addresses create psc-api-ip \
--project=$PROJECT --region=$REGION --subnet=cx-psc-subnet
gcloud compute forwarding-rules create psc-coralogix-ingress \
--project=$PROJECT --region=$REGION --network=$NETWORK \
--address=psc-ingress-ip \
--target-service-attachment=$INGRESS_SA \
--allow-psc-global-access
gcloud compute forwarding-rules create psc-coralogix-api \
--project=$PROJECT --region=$REGION --network=$NETWORK \
--address=psc-api-ip \
--target-service-attachment=$API_SA \
--allow-psc-global-access
Verify:
gcloud compute forwarding-rules describe psc-coralogix-ingress \
--project=$PROJECT --region=$REGION --format='table(name, IPAddress, pscConnectionStatus)'
gcloud compute forwarding-rules describe psc-coralogix-api \
--project=$PROJECT --region=$REGION --format='table(name, IPAddress, pscConnectionStatus)'
Both should show ACCEPTED. Record the IPs for the next step:
INGRESS_IP=$(gcloud compute forwarding-rules describe psc-coralogix-ingress \
--project=$PROJECT --region=$REGION --format='value(IPAddress)')
API_IP=$(gcloud compute forwarding-rules describe psc-coralogix-api \
--project=$PROJECT --region=$REGION --format='value(IPAddress)')
echo "Ingress IP: $INGRESS_IP"
echo "API IP: $API_IP"
Step 3 — Create Cloud DNS private zone and records
A private DNS zone so your workloads resolve *.private.us3.coralogix.com to the PSC endpoint IPs.
Console UI
- Go to Network Services → Cloud DNS → Create zone
- Fill in:
- Zone type: Private
- Zone name:
private-coralogix - DNS name:
private.us3.coralogix.com - Networks: Select your VPC
- Click Create
- Inside the zone, click Add standard
- Create the ingress record:
- DNS name:
ingress.private.us3.coralogix.com - Type: A
- TTL: 300
- IP address: The ingress endpoint IP from Step 2
- DNS name:
- Click Create
- Create the API record:
- DNS name:
api.private.us3.coralogix.com - Type: A
- TTL: 300
- IP address: The API endpoint IP from Step 2
- DNS name:
- Click Create
gcloud CLI
gcloud dns managed-zones create private-coralogix \
--project=$PROJECT \
--dns-name="private.${CX_DOMAIN}." \
--description="Coralogix PSC private DNS" \
--visibility=private --networks=$NETWORK
gcloud dns record-sets create "ingress.private.${CX_DOMAIN}." \
--project=$PROJECT --zone=private-coralogix \
--type=A --ttl=300 --rrdatas=$INGRESS_IP
gcloud dns record-sets create "api.private.${CX_DOMAIN}." \
--project=$PROJECT --zone=private-coralogix \
--type=A --ttl=300 --rrdatas=$API_IP
Verification
Run these from a VM or GKE pod inside your VPC.
DNS resolution
Expected output:
Server: 10.102.0.10
Address: 10.102.0.10:53
Name: ingress.private.us3.coralogix.com
Address: 10.100.17.2 ← your PSC ingress IP
Expected output:
Server: 10.102.0.10
Address: 10.102.0.10:53
Name: api.private.us3.coralogix.com
Address: 10.100.17.3 ← your PSC API IP
TCP connectivity (telnet)
Expected output:
Press Ctrl+] then type quit to exit.
TLS handshake (curl verbose)
Expected output:
* Host ingress.private.us3.coralogix.com:443 was resolved.
* IPv4: 10.100.17.2 ← private IP, not public
* Trying 10.100.17.2:443...
* Connected to ingress.private.us3.coralogix.com (10.100.17.2) port 443
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=*.us3.coralogix.com
* subjectAltName: host "ingress.private.us3.coralogix.com" matched cert's "*.private.us3.coralogix.com"
* SSL certificate verify ok.
Key things to confirm: the IP is private (not public), TLS handshake completed, and the certificate matched.
Connection timing (curl)
curl -sk --connect-timeout 5 -o /dev/null \
-w "tcp:%{time_connect} tls:%{time_appconnect}\n" \
https://ingress.private.us3.coralogix.com
Expected output:
Both values should be very low (under 100ms) since traffic stays on Google's backbone.
From a GKE pod
If you don't have a VM, you can run any of the above from a temporary pod:
kubectl run test --rm -it --restart=Never --image=curlimages/curl:8.5.0 \
-- curl -sv --connect-timeout 5 https://ingress.private.us3.coralogix.com 2>&1 | head -20
Expected output is the same as the TLS handshake test above.
Using the private endpoints
Once verified, configure your telemetry pipelines to use the private endpoints:
OTLP gRPC (traces, metrics, logs)
- Public:
ingress.us3.coralogix.com:443 - Private:
ingress.private.us3.coralogix.com:443
OTLP HTTP
- Public:
https://ingress.us3.coralogix.com - Private:
https://ingress.private.us3.coralogix.com
Fluent Bit / log ingestion
- Public:
ingress.us3.coralogix.com - Private:
ingress.private.us3.coralogix.com
REST API / DataPrime queries
- Public:
api.us3.coralogix.com - Private:
api.private.us3.coralogix.com
No other changes are needed — TLS works the same way, and the Coralogix certificates are valid for the private DNS names.
Cleanup
To remove all PSC resources:
Console UI
Delete in reverse order: DNS records → DNS zone → Forwarding rules → Static IPs → Subnet.
gcloud CLI
# Delete forwarding rules
gcloud compute forwarding-rules delete psc-coralogix-ingress \
--project=$PROJECT --region=$REGION --quiet
gcloud compute forwarding-rules delete psc-coralogix-api \
--project=$PROJECT --region=$REGION --quiet
# Delete static IPs
gcloud compute addresses delete psc-ingress-ip \
--project=$PROJECT --region=$REGION --quiet
gcloud compute addresses delete psc-api-ip \
--project=$PROJECT --region=$REGION --quiet
# Delete DNS records and zone
gcloud dns record-sets delete "ingress.private.${CX_DOMAIN}." \
--project=$PROJECT --zone=private-coralogix --type=A
gcloud dns record-sets delete "api.private.${CX_DOMAIN}." \
--project=$PROJECT --zone=private-coralogix --type=A
gcloud dns managed-zones delete private-coralogix \
--project=$PROJECT --quiet
# Delete subnet
gcloud compute networks subnets delete cx-psc-subnet \
--project=$PROJECT --region=$REGION --quiet