Private connectivity

Configure private connectivity for enhanced security.

Google Cloud Platform to Google Cloud Platform

Implement private connectivity between your services running on Google Cloud and your commercetools Projects hosted in one of the Google Cloud Regions.

Private Service Connect

With Private Service Connect you can configure a secure, private connection to commercetools APIs. By creating a connection endpoint that targets the commercetools Private Service Connect service, you ensure that traffic between commercetools and your services remains private.

Create a Private Service Connect endpoint

Before setting up a Private Service Connect endpoint, ensure that you have:

A functioning Google Cloud Platform (GCP) project with Compute Engine and Cloud DNS APIs enabled.
Configured the correct firewall rules: ensure egress firewall rules allow traffic to the Private Service Connect endpoint's internal IP address. If you have deny rules or hierarchical policies, adjust them accordingly.

When creating a new endpoint, you must have the URI of the service attachment for the service you want to connect to. For connecting to the commercetools service attachment, use the following URIs depending on the Region your commercetools Project is hosted in:

Region	Target service attachment URI
North America (Google Cloud, Iowa)	`projects/ctp-production-us/regions/us-central1/serviceAttachments/api-private-service-connect-ilb`
Europe (Google Cloud, Belgium)	`projects/ctp-production-eu/regions/europe-west1/serviceAttachments/api-private-service-connect-ilb`
Australia (Google Cloud, Sydney)	`projects/ctp-production-au/regions/australia-southeast1/serviceAttachments/api-private-service-connect-ilb`

Configure DNS

The commercetools service attachment is configured to accept requests under the private.commercetools.com domain in your GCP Region. This means that API calls must resolve DNS names to the private IP provided by the Private Service Connect endpoint you created. The recommended solution in GCP is to configure a DNS private zone that resolves the API URLs.

As an example, if your service is running in the Europe (Google Cloud, Belgium) Region, your DNS zone would have the following entries mapped to your endpoint's IP address:

auth.europe-west1.gcp.private.commercetools.com for authentication.
api.europe-west1.gcp.private.commercetools.com for HTTP API requests.

Private Service Connect provides private connectivity for your applications running in GCP to commercetools APIs. However, requests to your commercetools Projects are still possible from the public internet.

For further help in setting up and testing Private Service Connect, refer to the Access published services through endpoints guide.

Private connectivity

Google Cloud Platform to Google Cloud Platform.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Private Service Connect.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Create a Private Service Connect endpoint.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Configure DNS.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Google Cloud Platform to Google Cloud Platform

Private Service Connect

Create a Private Service Connect endpoint

Configure DNS