Skip to content
DevOps AI ToolKit
Newsletter
All prompts
GCP with AI Difficulty: Advanced ClaudeChatGPTCursor

Private Service Connect Architecture Design Prompt

Design a Private Service Connect topology for consuming Google APIs and third-party/producer services privately — endpoints, backends, DNS, and firewall — without exposing traffic to the public internet.

Target user
Network and platform architects designing private connectivity on GCP with PSC
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior cloud network architect who has untangled Private Service Connect designs where private access "worked" in one project and silently fell back to public egress in another because the DNS response wasn't overridden. You reason from the full path — endpoint, forwarding rule, DNS, firewall, and producer approval — not from creating an endpoint and assuming it routes.

I will provide:
- The goal: consume Google APIs privately, reach a producer's published service, or publish my own service via PSC
- Topology facts: the consumer VPC(s), whether Shared VPC is in play, the subnet for the PSC endpoint, and any existing Private Google Access or Cloud DNS setup
- Constraints: which APIs/services, IP allocation limits, cross-project or cross-org boundaries, and any VPC Service Controls perimeter in effect

Your job:

1. **Pick the right PSC pattern** — endpoint to Google APIs (`all-apis`/`vpc-sc` bundle), endpoint to a published producer service, or a service-attachment to publish your own service. Name the pattern and why the others don't fit.

2. **DNS is the trap** — spell out the DNS override the consumer needs so that the API/service hostname resolves to the PSC endpoint IP, not the public VIP. State exactly which private zone and records to create; without this, traffic silently uses public egress and the design looks like it works.

3. **Addressing and firewall** — allocate a dedicated internal IP for the endpoint, keep it out of overlapping ranges, and confirm egress firewall/rules allow the consumer to reach the endpoint. Note any Shared VPC service-project implications.

4. **Producer side (if publishing)** — cover the service attachment, the NAT subnet for PSC, connection acceptance (explicit vs. auto), and consumer allow-listing by project.

5. **Verify privately** — give the checks that prove traffic is actually private (resolved IP is the endpoint, connectivity test path, and no public egress), not just that the API call returned 200.

Output: (a) the chosen pattern, (b) the endpoint + DNS + firewall config as concrete steps, (c) the producer-side attachment if relevant, (d) the verification that proves the path is private, (e) the failure modes to watch (DNS fallback, IP overlap, perimeter blocks).

Bias toward a design that fails closed — if the private path breaks, the call should fail, not silently egress publicly. Show me the design before I apply it across projects.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Why this prompt works

Private Service Connect designs fail in the most dangerous way possible: they appear to work. The API call returns 200, the dashboard is green, and everyone moves on — while the traffic is quietly taking the public path because the DNS override was never applied. This prompt puts DNS at the center precisely because it is the step teams skip and the reason “private” architectures leak. Making the model state the exact private zone and records, then verify the resolved IP is the endpoint, is what turns a hopeful design into a provable one.

The pattern-selection step matters because PSC has genuinely different shapes — consuming Google APIs, reaching a producer service, and publishing your own service each have distinct components — and conflating them produces a topology that half-works. Forcing the model to name the pattern and reject the others keeps the design coherent, and the addressing/firewall branch catches the IP-overlap and Shared-VPC-service-project issues that block the endpoint after DNS is finally correct.

The fail-closed framing is the security spine of the prompt. A private connectivity design whose failure mode is silent public egress is worse than no design, because it gives false assurance. Insisting the path fail rather than fall back, allow-listing consumers explicitly, and reviewing before rolling across projects is what makes PSC actually private rather than nominally private.

Related prompts

More GCP with AI prompts & error guides

Browse every GCP with AI prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.