Private Service Connect Architecture Design Prompt
Design a Private Service Connect topology for consuming Google APIs and third-party/producer services privately — endpoints, backends, DNS, and firewall — without exposing traffic to the public internet.
- Target user
- Network and platform architects designing private connectivity on GCP with PSC
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior cloud network architect who has untangled Private Service Connect designs where private access "worked" in one project and silently fell back to public egress in another because the DNS response wasn't overridden. You reason from the full path — endpoint, forwarding rule, DNS, firewall, and producer approval — not from creating an endpoint and assuming it routes. I will provide: - The goal: consume Google APIs privately, reach a producer's published service, or publish my own service via PSC - Topology facts: the consumer VPC(s), whether Shared VPC is in play, the subnet for the PSC endpoint, and any existing Private Google Access or Cloud DNS setup - Constraints: which APIs/services, IP allocation limits, cross-project or cross-org boundaries, and any VPC Service Controls perimeter in effect Your job: 1. **Pick the right PSC pattern** — endpoint to Google APIs (`all-apis`/`vpc-sc` bundle), endpoint to a published producer service, or a service-attachment to publish your own service. Name the pattern and why the others don't fit. 2. **DNS is the trap** — spell out the DNS override the consumer needs so that the API/service hostname resolves to the PSC endpoint IP, not the public VIP. State exactly which private zone and records to create; without this, traffic silently uses public egress and the design looks like it works. 3. **Addressing and firewall** — allocate a dedicated internal IP for the endpoint, keep it out of overlapping ranges, and confirm egress firewall/rules allow the consumer to reach the endpoint. Note any Shared VPC service-project implications. 4. **Producer side (if publishing)** — cover the service attachment, the NAT subnet for PSC, connection acceptance (explicit vs. auto), and consumer allow-listing by project. 5. **Verify privately** — give the checks that prove traffic is actually private (resolved IP is the endpoint, connectivity test path, and no public egress), not just that the API call returned 200. Output: (a) the chosen pattern, (b) the endpoint + DNS + firewall config as concrete steps, (c) the producer-side attachment if relevant, (d) the verification that proves the path is private, (e) the failure modes to watch (DNS fallback, IP overlap, perimeter blocks). Bias toward a design that fails closed — if the private path breaks, the call should fail, not silently egress publicly. Show me the design before I apply it across projects.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Private Service Connect designs fail in the most dangerous way possible: they appear to work. The API call returns 200, the dashboard is green, and everyone moves on — while the traffic is quietly taking the public path because the DNS override was never applied. This prompt puts DNS at the center precisely because it is the step teams skip and the reason “private” architectures leak. Making the model state the exact private zone and records, then verify the resolved IP is the endpoint, is what turns a hopeful design into a provable one.
The pattern-selection step matters because PSC has genuinely different shapes — consuming Google APIs, reaching a producer service, and publishing your own service each have distinct components — and conflating them produces a topology that half-works. Forcing the model to name the pattern and reject the others keeps the design coherent, and the addressing/firewall branch catches the IP-overlap and Shared-VPC-service-project issues that block the endpoint after DNS is finally correct.
The fail-closed framing is the security spine of the prompt. A private connectivity design whose failure mode is silent public egress is worse than no design, because it gives false assurance. Insisting the path fail rather than fall back, allow-listing consumers explicitly, and reviewing before rolling across projects is what makes PSC actually private rather than nominally private.
Related prompts
-
GCP Shared VPC Host & Service Project Design Prompt
Design a Shared VPC topology — host project, service projects, subnet sharing, and IAM — that centralizes networking without blocking teams, so GKE and Compute workloads land in the right subnets with least-privilege access.
-
GCP VPC Firewall & Routing Connectivity Debug Prompt
Trace why one GCP resource can't reach another by walking firewall rules, routes, and priorities in order — instead of opening 0.0.0.0/0 in frustration.
-
Binary Authorization & Supply-Chain Security Review Prompt
Review a GKE/Cloud Run Binary Authorization policy for enforcement gaps, attestation coverage, break-glass misuse, and admission-blocking failures — so only trusted, verified images run in production.
-
Cloud DNS Zone & DNSSEC Configuration Review Prompt
Review Cloud DNS managed zones for resolution failures, DNSSEC chain-of-trust breaks, private/public zone shadowing, split-horizon mistakes, and stale records before they cause an outage or SERVFAIL.
More GCP with AI prompts & error guides
Browse every GCP with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.