Configure private connectivity for enhanced security.
Google Cloud Platform to Google Cloud Platform
Private Service Connect
Create a Private Service Connect endpoint
Before setting up a Private Service Connect endpoint, ensure that you have:
- A functioning Google Cloud Platform (GCP) project with Compute Engine and Cloud DNS APIs enabled.
- Configured the correct firewall rules: ensure egress firewall rules allow traffic to the Private Service Connect endpoint's internal IP address. If you have deny rules or hierarchical policies, adjust them accordingly.
| Region | Target service attachment URI |
|---|---|
| North America (Google Cloud, Iowa) | projects/ctp-production-us/regions/us-central1/serviceAttachments/api-private-service-connect-ilb |
| Europe (Google Cloud, Belgium) | projects/ctp-production-eu/regions/europe-west1/serviceAttachments/api-private-service-connect-ilb |
| Australia (Google Cloud, Sydney) | projects/ctp-production-au/regions/australia-southeast1/serviceAttachments/api-private-service-connect-ilb |
Configure DNS
private.commercetools.com domain in your GCP Region. This means that API calls must resolve DNS names to the private IP provided by the Private Service Connect endpoint you created. The recommended solution in GCP is to configure a DNS private zone that resolves the API URLs. As an example, if your service is running in the Europe (Google Cloud, Belgium) Region, your DNS zone would have the following entries mapped to your endpoint's IP address:
- auth.europe-west1.gcp.private.commercetools.com for authentication.
- api.europe-west1.gcp.private.commercetools.com for HTTP API requests.
- import.europe-west1.gcp.private.commercetools.com for Import API requests.
Private Service Connect provides private connectivity for your applications running in GCP to commercetools APIs. However, requests to your commercetools Projects are still possible from the public internet.
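The endpoint creation and DNS steps above, put together as an added example that is not part of the commercetools documentation. It assumes a consumer project, VPC, subnet and endpoint IP (all placeholders you must replace), uses the Europe service attachment URI from the table, and ends with a resolver check a practitioner would run from inside the VPC: every API hostname must resolve to the endpoint's RFC 1918 address, otherwise traffic is leaving through the public path. The `resolve_host` hook is a local helper, not a gcloud feature.

```sh
#!/bin/sh
# Added example (not from the commercetools docs): creates the PSC endpoint
# and the private DNS zone for one region, then checks that every API
# hostname resolves to the endpoint's private IP rather than a public one.
# PROJECT, NETWORK, SUBNET and ENDPOINT_IP are assumed placeholder values.
set -eu

REGION="${REGION:-europe-west1}"
PROJECT="${PROJECT:-my-gcp-project}"      # assumption: your consumer project
NETWORK="${NETWORK:-my-vpc}"              # assumption: VPC hosting your workloads
SUBNET="${SUBNET:-my-subnet}"             # assumption: subnet in REGION
ENDPOINT_IP="${ENDPOINT_IP:-10.10.0.10}"  # constructed private IP for the endpoint
# Service attachment from the table; pick the row matching REGION.
ATTACHMENT="${ATTACHMENT:-projects/ctp-production-eu/regions/europe-west1/serviceAttachments/api-private-service-connect-ilb}"

# The three hostnames the docs list for a region, one per line.
psc_hostnames() {
  region="$1"
  for svc in auth api import; do
    printf '%s.%s.gcp.private.commercetools.com\n' "$svc" "$region"
  done
}

# Reserve a static internal IP and attach a PSC forwarding rule to the
# commercetools service attachment.
create_psc_endpoint() {
  gcloud compute addresses create ctp-psc-ip --project="$PROJECT" \
    --region="$REGION" --subnet="$SUBNET" --addresses="$ENDPOINT_IP"
  gcloud compute forwarding-rules create ctp-psc-endpoint --project="$PROJECT" \
    --region="$REGION" --network="$NETWORK" --address=ctp-psc-ip \
    --target-service-attachment="$ATTACHMENT"
}

# Private zone visible only to NETWORK, with one A record per hostname.
create_private_dns() {
  zone="ctp-private-${REGION}"
  gcloud dns managed-zones create "$zone" --project="$PROJECT" \
    --dns-name="${REGION}.gcp.private.commercetools.com." \
    --description="commercetools PSC" --visibility=private --networks="$NETWORK"
  psc_hostnames "$REGION" | while read -r host; do
    gcloud dns record-sets create "${host}." --project="$PROJECT" \
      --zone="$zone" --type=A --ttl=300 --rrdatas="$ENDPOINT_IP"
  done
}

# Resolver hook (local helper); swap for `dig +short` if getent is unavailable.
resolve_host() { getent hosts "$1" | awk '{print $1; exit}'; }

# True only if the address is in an RFC 1918 range.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when all hostnames for a region resolve to the private endpoint
# IP; prints each mismatch (a public IP means traffic would leave the VPC).
verify_private_resolution() {
  region="$1"; expected="$2"; rc=0
  is_rfc1918 "$expected" || { echo "endpoint IP $expected is not private"; return 1; }
  for host in $(psc_hostnames "$region"); do
    got="$(resolve_host "$host" || true)"
    if [ "$got" != "$expected" ]; then
      echo "MISMATCH $host -> ${got:-<unresolved>} (expected $expected)"
      rc=1
    fi
  done
  return $rc
}

# Usage:  ./psc_setup.sh create   (endpoint + DNS zone)
#         ./psc_setup.sh verify   (run from a VM inside NETWORK)
case "${1:-}" in
  create) create_psc_endpoint; create_private_dns ;;
  verify) verify_private_resolution "$REGION" "$ENDPOINT_IP" ;;
esac
```

Run `verify` from a workload in the same VPC after the zone is created; a `MISMATCH` line pointing at a public address is the signal that the private zone is not attached to the network the workload uses.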
Extend with other clouds
Deploy a reverse proxy service on Cloud Run
Before setting up, ensure that you have:
- A functioning Google Cloud Platform (GCP) project with Compute Engine and Cloud Run APIs enabled.
- The accesscontextmanager.* permissions in your GCP organization.
- Configured network connections between your internal API network and your VPC on GCP via Google Cloud Connectivity.
```nginx
# Upstream: your internal API, reachable over the Google Cloud Connectivity link.
upstream your.api.example.com {
    server x.x.x.x:80 fail_timeout=10s;
}

server {
    listen 8080;
    server_name _;

    location / {
        proxy_pass http://your.api.example.com;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
}
```
VPC Service Control
To ensure your user accounts have access to the Cloud Run service, create an ingress policy for identities in your organization to have access to the Cloud Run Admin API.
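One way to write and apply that ingress policy, as an added example that is not part of the commercetools documentation. The perimeter name, access policy number and identity are assumptions; the YAML layout is the one accepted by `gcloud access-context-manager perimeters update --set-ingress-policies`. The policy opens only `run.googleapis.com`, and only to the listed identity; `allowed_services` is a small review check that the rendered policy has not drifted wider than that.

```sh
#!/bin/sh
# Added example (not from the commercetools docs): renders a VPC Service
# Controls ingress policy that lets a named identity reach the Cloud Run
# Admin API inside the perimeter, then applies it.
set -eu

PERIMETER="${PERIMETER:-my-perimeter}"             # assumption: your service perimeter
POLICY_ID="${POLICY_ID:-123456789}"                # assumption: access policy number
IDENTITY="${IDENTITY:-user:deployer@example.com}"  # assumption: deploying principal

# Render the ingress policy YAML to a file. One service, one identity:
# keep the operations list narrow instead of allowing all services.
write_ingress_policy() {
  identity="$1"; out="$2"
  cat > "$out" <<EOF
- ingressFrom:
    identities:
    - ${identity}
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: run.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
EOF
}

# Number of services the rendered policy opens; expected to stay at 1.
allowed_services() { grep -c 'serviceName:' "$1"; }

# Replace the perimeter's ingress policies with the rendered file.
apply_ingress_policy() {
  gcloud access-context-manager perimeters update "$PERIMETER" \
    --policy="$POLICY_ID" --set-ingress-policies="$1"
}

# Usage: ./vpcsc_ingress.sh apply
case "${1:-}" in
  apply)
    f="$(mktemp)"
    write_ingress_policy "$IDENTITY" "$f"
    [ "$(allowed_services "$f")" = "1" ] || { echo "policy wider than expected"; exit 1; }
    apply_ingress_policy "$f"
    ;;
esac
```

Note that `--set-ingress-policies` replaces the perimeter's existing ingress policies, so merge any rules you already rely on into the same file before applying.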
Create API Extension
After successful completion of these steps, the commercetools GCP platform can call your extension API in your own cloud through the private network.