Private Service Connect vs Private Google Access for the PDE Exam

GCP Study Hub
May 7, 2026

Private networking questions show up on the Professional Data Engineer exam in a pretty predictable way. You get a scenario with a Cloud Function, a Cloud Composer environment in a private subnet, a Dataflow job pulling from BigQuery, or a third-party API, and you have to pick the right way to keep traffic off the public internet. The two answers that come up over and over are Private Google Access and Private Service Connect. They sound similar, and people mix them up, but on the exam they are not interchangeable.

Here is how I keep them straight when I am working a Professional Data Engineer question, and how I decide which one a scenario is actually asking for.

Private Google Access: outbound to Google APIs, subnet-wide

Private Google Access is a setting you flip on at the subnet level. Once it is enabled, any VM or managed resource in that subnet that only has an internal IP can reach Google APIs and services. That means BigQuery, Cloud Storage, Pub/Sub, the whole catalog of *.googleapis.com endpoints become reachable from a private workload without giving it a public IP.

The defining traits to remember for the exam:

  • Subnet-level enablement. You turn it on for the subnet, not per workload and not per API. Every internal-only resource in that subnet inherits the access.
  • Outbound only. Private Google Access is one-directional. It lets your VM reach Google APIs. It does not let anything reach into your VM.
  • All Google APIs. It is not fine-grained. You are not picking which API the subnet can reach. If you enable it, the door is open to the full set of Google service endpoints.
  • No custom DNS or IP. Resolution still goes to the standard googleapis.com hostnames. You are not assigning an internal address that maps to a specific service.

Private Google Access fits the boring, common case. A Dataproc cluster on internal IPs needs to read from Cloud Storage and write to BigQuery. A private Compute Engine VM running an ingestion script needs to publish to Pub/Sub. Flip on Private Google Access for the subnet and the workload is done.
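The subnet-level switch described above, written out as an added Terraform example (this is not code from the original post or from GCP Study Hub). The network, subnet and VM names, the region, the CIDR and the machine image are assumptions chosen for the example:

```terraform
# Added example: a VPC subnet with Private Google Access enabled and an
# internal-only VM in it. Resource names, region and CIDR are assumptions.

resource "google_compute_network" "vpc" {
  name                    = "data-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "private" {
  name          = "data-private"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/24"

  # The subnet-wide switch. With this true, every resource in the subnet
  # that has only an internal IP can reach *.googleapis.com endpoints.
  # Left at the default (false), the same VM would need an external IP or
  # Cloud NAT to reach BigQuery, Cloud Storage or Pub/Sub.
  private_ip_google_access = true
}

resource "google_compute_instance" "ingest" {
  name         = "ingest-vm"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.private.id
    # Deliberately no access_config block: the VM gets no external IP, so
    # its only path to Google APIs is Private Google Access on the subnet.
  }
}

# Handy for a post-apply check: the subnet should report true here.
output "pga_enabled" {
  value = google_compute_subnetwork.private.private_ip_google_access
}
```

Note that nothing here names an API or a DNS zone: the VM keeps resolving the public googleapis.com hostnames, and the subnet setting is what keeps that traffic on Google's network. Adding a second VM to the same subnet without an external IP gives it the same access with no further configuration, which is the "subnet-wide, not per workload" trait the exam tests.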

Private Service Connect: a private endpoint you control

Private Service Connect works differently. Instead of a subnet-wide flag, you create a Private Service Connect endpoint inside your VPC. That endpoint is an internal IP address that you assign, and it maps to a specific producer service on the other side. The producer can be a Google service like Cloud SQL or Cloud Composer, a managed service in another organization, or even a third-party API that has been exposed as a PSC producer.

What that gives you:

  • Consumer-side internal IP. Your workload talks to a private address inside your VPC. The routing to the producer is handled for you.
  • Custom DNS. You point a private DNS name at the PSC endpoint, so applications can use a hostname like composer.internal.mycompany.com instead of a public Google hostname.
  • Fine-grained, per-service. One endpoint maps to one producer service. You decide which services your VPC can reach this way, rather than opening access to the entire Google API surface.
  • Cross-VPC and cross-org. PSC was built to handle the case where the producer and consumer are in different VPCs, different projects, or different organizations entirely.
  • Supports inbound patterns. A producer can publish a service via PSC and accept private connections from consumer VPCs, which is the connectivity Private Google Access does not give you.

The classic Professional Data Engineer scenario for PSC is the one where a Cloud Function needs to trigger an Airflow DAG in a Cloud Composer environment that lives in a private subnet with no internet access. The Cloud Function is not even in your VPC. Private Google Access cannot help here, because the Function is not the one reaching out to a Google API in the normal sense. You stand up a PSC endpoint in the VPC that fronts Cloud Composer, and the Cloud Function calls the Airflow REST API through that endpoint.
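The consumer side of that pattern, as an added Terraform example that is not code from the original post or from GCP Study Hub. It reserves an internal IP in the VPC, creates the PSC endpoint that forwards to the producer's service attachment, and publishes the composer.internal.mycompany.com name from the text in a private DNS zone. The network and subnet names are assumed to exist already, and the service attachment URI is a placeholder the producer would hand you:

```terraform
# Added example: a Private Service Connect consumer endpoint plus private
# DNS. Network/subnet names and the service attachment are assumptions.

variable "producer_service_attachment" {
  description = "Service attachment published by the producer (placeholder value)"
  type        = string
  default     = "projects/PRODUCER_PROJECT/regions/us-central1/serviceAttachments/SERVICE_ATTACHMENT_NAME"
}

# Existing consumer VPC and subnet (assumed names).
data "google_compute_network" "vpc" {
  name = "data-vpc"
}

data "google_compute_subnetwork" "private" {
  name   = "data-private"
  region = "us-central1"
}

# Consumer-side internal IP: the address your workloads will actually dial.
resource "google_compute_address" "psc_endpoint_ip" {
  name         = "composer-psc-ip"
  region       = "us-central1"
  subnetwork   = data.google_compute_subnetwork.private.id
  address_type = "INTERNAL"
}

# The PSC endpoint itself: a forwarding rule whose target is the producer's
# service attachment, not a backend in this VPC. load_balancing_scheme must
# be the empty string for a PSC consumer endpoint.
resource "google_compute_forwarding_rule" "psc_endpoint" {
  name                  = "composer-psc-endpoint"
  region                = "us-central1"
  network               = data.google_compute_network.vpc.id
  ip_address            = google_compute_address.psc_endpoint_ip.id
  target                = var.producer_service_attachment
  load_balancing_scheme = ""
}

# Custom DNS: a private zone visible only inside this VPC, with the
# hostname from the post pointed at the endpoint's internal IP.
resource "google_dns_managed_zone" "internal" {
  name       = "internal-mycompany"
  dns_name   = "internal.mycompany.com."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.id
    }
  }
}

resource "google_dns_record_set" "composer" {
  name         = "composer.${google_dns_managed_zone.internal.dns_name}"
  managed_zone = google_dns_managed_zone.internal.name
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_address.psc_endpoint_ip.address]
}

output "psc_endpoint_ip" {
  value = google_compute_address.psc_endpoint_ip.address
}
```

Two things in this config map directly onto the exam traits: one forwarding rule reaches exactly one producer service (per-service, not subnet-wide), and the producer can sit in another project or organization because the only thing crossing that boundary is the service attachment reference. After apply, the forwarding rule's PSC connection status should read ACCEPTED before the hostname is handed to callers; a PENDING status usually means the producer still has to accept this consumer project.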

How I decide on the exam

When I read a Professional Data Engineer scenario, I ask three questions in order:

  • Is the workload internal-only and just calling standard Google APIs like BigQuery, Cloud Storage, or Pub/Sub? If yes, Private Google Access is almost always the right answer. It is the cheapest, simplest, most idiomatic choice for a private data job that needs Google service access.
  • Does the scenario involve a specific managed service that lives in another VPC, another project, another org, or a third party? If yes, Private Service Connect is the answer. Cloud SQL with a private endpoint, Cloud Composer in a different project, a partner SaaS exposed via PSC, all of these are PSC territory.
  • Does the scenario require inbound private connectivity, custom DNS, or a private IP mapped to a particular service? If yes, you are on PSC. Private Google Access cannot do any of those.

A quick wrong-answer filter helps here. If a question gives you a multi-tenant or partner connectivity setup and one of the options is Private Google Access, that option is wrong. Private Google Access does not cross organization boundaries and does not give you a service-specific endpoint. Conversely, if the scenario is a single project doing internal-only data work against Google APIs and one option is Private Service Connect, PSC is usually overkill compared to the simpler PGA answer.

One more nuance to keep in mind

Private Google Access has a couple of variants worth recognizing by name. Private Google Access for on-premises hosts uses a restricted or private VIP and lets your on-prem network reach Google APIs over a Cloud Interconnect or VPN. There is also the older Private Service Access pattern for some managed services. The exam will not usually trip you up on naming, but if you see private.googleapis.com or restricted.googleapis.com in an answer choice, that is the PGA family.
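The private VIP variant named above, as an added Terraform example that is not code from the original post or from GCP Study Hub. It steers every *.googleapis.com lookup in the VPC to private.googleapis.com, pins that name to its documented VIP range, adds the route those addresses need, and has the Cloud Router advertise the range over the VPN or Interconnect so on-prem hosts can use it. The network name and the router's region and ASN are assumptions; the 199.36.153.8/30 range is Google's published private.googleapis.com VIP (199.36.153.4/30 is the restricted.googleapis.com equivalent):

```terraform
# Added example: DNS and routing for the private.googleapis.com VIP.
# Network name, router region and ASN are assumptions.

data "google_compute_network" "vpc" {
  name = "data-vpc"
}

# Private zone authoritative for googleapis.com inside this VPC only.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.id
    }
  }
}

# private.googleapis.com resolves to the four addresses of the VIP range.
resource "google_dns_record_set" "private_vip" {
  name         = "private.googleapis.com."
  managed_zone = google_dns_managed_zone.googleapis.name
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
}

# Every other *.googleapis.com hostname is aliased onto the VIP, so
# bigquery.googleapis.com, storage.googleapis.com, etc. never resolve
# to a public address from inside this network.
resource "google_dns_record_set" "wildcard" {
  name         = "*.googleapis.com."
  managed_zone = google_dns_managed_zone.googleapis.name
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["private.googleapis.com."]
}

# The VIP range is reachable only via the default internet gateway next hop;
# traffic still stays on Google's network, but the route must exist.
resource "google_compute_route" "private_vip" {
  name             = "private-googleapis-vip"
  network          = data.google_compute_network.vpc.name
  dest_range       = "199.36.153.8/30"
  next_hop_gateway = "default-internet-gateway"
  priority         = 1000
}

# On-prem side: the Cloud Router terminating the VPN/Interconnect must
# advertise the VIP range so on-prem hosts route it into the VPC.
resource "google_compute_router" "onprem" {
  name    = "onprem-router"
  region  = "us-central1"
  network = data.google_compute_network.vpc.id

  bgp {
    asn            = 64514
    advertise_mode = "CUSTOM"
    advertised_ip_ranges {
      range       = "199.36.153.8/30"
      description = "private.googleapis.com VIP"
    }
  }
}
```

Swapping the zone's A record and the route to 199.36.153.4/30 and the CNAME target to restricted.googleapis.com. gives the restricted-VIP variant, which only serves APIs that support VPC Service Controls. The on-prem DNS resolver must also forward googleapis.com queries to this zone (via an inbound server policy) for on-prem hosts to see the same answers; that piece is outside the VPC and not shown here.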

My Professional Data Engineer course covers Private Service Connect and Private Google Access in the networking module, including the Cloud Function to Cloud Composer scenario and how to spot which of the two a question is really asking about so you do not lose easy points on private networking on exam day.
