Private connectivity

Configure private connectivity for enhanced security.

Google Cloud Platform to Google Cloud Platform

Implement private connectivity between your services running on Google Cloud and your commercetools Projects hosted in one of the Google Cloud Regions.

Private Service Connect

With Private Service Connect you can configure a secure, private connection to commercetools APIs. By creating a connection endpoint that targets the commercetools Private Service Connect service, you ensure that traffic between commercetools and your services remains private.

Create a Private Service Connect endpoint

Before setting up a Private Service Connect endpoint, ensure that you have:

A functioning Google Cloud Platform (GCP) project with Compute Engine and Cloud DNS APIs enabled.
Configured the correct firewall rules: ensure egress firewall rules allow traffic to the Private Service Connect endpoint's internal IP address. If you have deny rules or hierarchical policies, adjust them accordingly.

When creating a new endpoint, you must have the URI of the service attachment for the service you want to connect to. For connecting to the commercetools service attachment, use the following URIs depending on the Region your commercetools Project is hosted in:

Region	Target service attachment URI
North America (Google Cloud, Iowa)	`projects/ctp-production-us/regions/us-central1/serviceAttachments/api-private-service-connect-ilb`
Europe (Google Cloud, Belgium)	`projects/ctp-production-eu/regions/europe-west1/serviceAttachments/api-private-service-connect-ilb`
Australia (Google Cloud, Sydney)	`projects/ctp-production-au/regions/australia-southeast1/serviceAttachments/api-private-service-connect-ilb`

Configure DNS

The commercetools service attachment is configured to accept requests under the private.commercetools.com domain in your GCP Region. This means that API calls must resolve DNS names to the private IP provided by the Private Service Connect endpoint you created. The recommended solution in GCP is to configure a DNS private zone that resolves the API URLs.

As an example, if your service is running in the Europe (Google Cloud, Belgium) Region, your DNS zone would have the following entries mapped to your endpoint's IP address:

auth.europe-west1.gcp.private.commercetools.com for authentication.
api.europe-west1.gcp.private.commercetools.com for HTTP API requests.
import.europe-west1.gcp.private.commercetools.com for Import API requests.

Private Service Connect provides private connectivity for your applications running in GCP to commercetools APIs. However, requests to your commercetools Projects are still possible from the public internet.

For further help in setting up and testing Private Service Connect, refer to the Access published services through endpoints guide.

Extend with other clouds

If you want to use API Extensions implemented on your own infrastructure hosted on-premises or clouds other than the Google Cloud Platform (GCP), you can do this with the help of GCP project acting as a bridge between your Composable Commerce Project and your own cloud. This section explains how you setup and configure the Cloud Run service on your own GCP project to forward all extension requests from the commercetools GCP platform to your extension API through the private network. The final setup will look like this:

Deploy a reverse proxy service on Cloud Run

Before setting up, ensure that you have:

A functioning Google Cloud Platform (GCP) project with Compute Engine and Cloud Run APIs enabled.
The accesscontextmanager.* permissions in your GCP organization.
Configured network connections between your internal API network and your VPC on GCP via Google Cloud Connectivity.

Follow the Deploy container images and Frontend proxying using Nginx guides to deploy a Nginx reverse proxy on Cloud Run.

Example Nginx confignginx

server {
  listen 8080;
  server_name _;
  location / {
    proxy_pass http://your.api.example.com;
    proxy_set_header Host $proxy_host;
    proxy_set_header X-Real-Ip $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
  }
}
upstream your.api.example.com {
  server x.x.x.x:80 fail_timeout=10s;
}

VPC Service Control

Follow the create a service perimeter guide to restrict the source GCP project for which only commercetools can accesss your Cloud Run Admin API by configuring the ingress policy.

To configure the ingress policy, specify the commercetools GCP project number as the source of your ingress policy rule.

Contact your Customer Success Manager to obtain the required commercetools GCP project number.

To ensure your user accounts have access on Cloud Run service, create an ingress policy for identities in your organization to have access to the Cloud Run Admin API.

Create API Extension

Create an API Extension with a HTTP Destination targeting the extension API in your own cloud.

After successful completion of these steps, the commercetools GCP platform can call your extension API in your own cloud through the private network.

Private connectivity

Google Cloud Platform to Google Cloud Platform.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Private Service Connect.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Create a Private Service Connect endpoint.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Configure DNS.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Extend with other clouds.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Deploy a reverse proxy service on Cloud Run.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

VPC Service Control.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Create API Extension.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}