You can access regional and multiregional endpoints publicly over the internet or privately from within your Virtual Private Cloud. This document explains how to access the endpoints publicly.
When you access regional endpoints from the public internet, traffic is routed through Google Cloud Standard Tier networking. The connection, including TLS termination, is handled within the destination region.
Configure public internet access to the APIs
To configure public internet access to regional API endpoints, follow these steps.
Roles
To get the permissions that you need to create a regional endpoint, ask your administrator to grant you the following IAM roles on your VPC network:
- Compute Network Admin role (roles/compute.networkAdmin)
- DNS Administrator role (roles/dns.admin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Before you begin
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
$ gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Enable the Compute Engine, Network Connectivity Center, and Cloud DNS APIs.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Additionally, enable the API for the target service that you want to access through the endpoint. For example, if you want to access spanner.me-central2.rep.googleapis.com, enable the Cloud Spanner API.
Ensure that egress firewall rules permit traffic to the endpoint. The default firewall configuration for a VPC network permits this traffic because it contains an implied allow egress rule. Verify that you haven't created a higher priority egress rule that blocks the traffic.
Identify the endpoint
Determine the service and the specific region or multiregion required for your workload.
Regional endpoints have the following format:
SERVICE.REGION.rep.googleapis.com
Multiregional endpoints have the following format:
SERVICE.MULTIREGION.rep.googleapis.com
Modify the DNS configuration
If your environment overrides public DNS for googleapis.com using a private DNS zone, which is common in hybrid configurations, take these steps:
- Update your DNS configuration to exclude rep.googleapis.com. For more information, see Add, update, and delete records.
- Modify the DNS zone setup to exclude the rep.googleapis.com subdomain. Forward those queries to public DNS resolvers. For more information, see Create, modify, and delete zones.
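Why the rep.googleapis.com exclusion matters, as an added sketch that is not part of the original documentation: it models which zone answers a query before and after a forwarding zone for rep.googleapis.com exists. It assumes the most specific (longest label-wise suffix) zone wins; the zone inventories and the "kind" field are constructed for illustration.

```python
# Assumption: the zone whose DNS name is the longest label-wise suffix of the
# query name answers it; a query that matches no zone goes to public DNS.

def suffix_labels(qname, zone_name):
    """Labels in zone_name if it is a label-wise suffix of qname, else -1."""
    q = qname.rstrip(".").lower().split(".")
    z = zone_name.rstrip(".").lower().split(".")
    return len(z) if q[-len(z):] == z else -1

def answering_zone(qname, zones):
    """Return the most specific matching zone, or None for public DNS."""
    matches = [zn for zn in zones if suffix_labels(qname, zn["dns_name"]) > 0]
    return max(matches, key=lambda zn: suffix_labels(qname, zn["dns_name"]),
               default=None)

def resolution_path(qname, zones):
    """Describe where a query ends up: 'public' or 'KIND:ZONE_NAME'."""
    zone = answering_zone(qname, zones)
    return "public" if zone is None else f'{zone["kind"]}:{zone["dns_name"]}'

def captured_endpoints(hostnames, zones):
    """Endpoint names that a private (non-forwarding) zone would answer."""
    return [h for h in hostnames
            if resolution_path(h, zones).startswith("private:")]

# Constructed zone inventories for a hybrid setup (hypothetical values).
BEFORE = [{"dns_name": "googleapis.com.", "kind": "private"}]
AFTER = BEFORE + [{"dns_name": "rep.googleapis.com.", "kind": "forwarding"}]
ENDPOINTS = ["storage.us-central1.rep.googleapis.com",
             "spanner.me-central2.rep.googleapis.com"]

if __name__ == "__main__":
    for label, zones in (("before", BEFORE), ("after", AFTER)):
        for host in ENDPOINTS:
            print(label, host, "->", resolution_path(host, zones))
```

Any name returned by captured_endpoints is still being answered by the private googleapis.com override and never reaches the public regional endpoint.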
Configure the Google Cloud CLI
To override the default API endpoint for specific services, use the
Google Cloud CLI. The following example uses the
gcloud config set command to set an
override for Cloud Storage in us-central1 and an override for
Compute Engine in europe-west1.
# Set an override for Cloud Storage in us-central1.
gcloud config set api_endpoint_overrides/storage https://storage.us-central1.rep.googleapis.com/
# Set an override for Compute Engine in europe-west1.
gcloud config set api_endpoint_overrides/compute https://compute.europe-west1.rep.googleapis.com/compute/v1/
After you set the override, gcloud CLI commands for that service use
the regional endpoint. To revert to using the default global endpoint, use the
gcloud config unset command:
gcloud config unset api_endpoint_overrides/SERVICE
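An added check, not part of the original documentation: it audits endpoint override URLs against the SERVICE.REGION.rep.googleapis.com format described above and against a location allow-list. The SAMPLE overrides (beyond the two shown on this page) and the ALLOWED policy are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hostname shape given on this page: SERVICE.REGION.rep.googleapis.com
# (or SERVICE.MULTIREGION.rep.googleapis.com).
REP_HOST = re.compile(r"([a-z0-9-]+)\.([a-z0-9-]+)\.rep\.googleapis\.com")

def audit_override(url, allowed_locations):
    """Return (service, location, problems) for one endpoint override URL."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username or parts.password or parts.port not in (None, 443):
        problems.append("unexpected userinfo or port")
    # fullmatch rejects look-alike hosts that merely contain the suffix.
    match = REP_HOST.fullmatch((parts.hostname or "").lower())
    if not match:
        problems.append("host is not SERVICE.LOCATION.rep.googleapis.com")
        return None, None, problems
    service, location = match.groups()
    if location not in allowed_locations:
        problems.append(f"location {location} is not in the allow-list")
    return service, location, problems

def audit_overrides(overrides, allowed_locations):
    """Map each override key to its problems; an empty list means it passed."""
    return {key: audit_override(url, allowed_locations)[2]
            for key, url in overrides.items()}

# Constructed sample: the two overrides from this page plus three bad ones.
SAMPLE = {
    "storage": "https://storage.us-central1.rep.googleapis.com/",
    "compute": "https://compute.europe-west1.rep.googleapis.com/compute/v1/",
    "spanner": "https://spanner.googleapis.com/",
    "vision": "http://vision.us-central1.rep.googleapis.com/",
    "pubsub": "https://pubsub.us-central1.rep.googleapis.com.example.net/",
}
ALLOWED = {"us-central1"}  # hypothetical residency policy

if __name__ == "__main__":
    for key, problems in audit_overrides(SAMPLE, ALLOWED).items():
        print(key, "OK" if not problems else "; ".join(problems))
```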
Update the client SDKs
Most Google Cloud client libraries let you specify a custom endpoint during client initialization.
Python
Use client_options with api_endpoint.
from google.cloud import SERVICE
from google.api_core.client_options import ClientOptions
options = ClientOptions(api_endpoint='https://SERVICE.REGION.rep.googleapis.com')
SERVICE_client = SERVICE.Client(client_options=options, project='PROJECT_ID')
# ... use SERVICE_client as usual
Replace the following:
- SERVICE: the name of your service
- REGION: the region for your endpoint
- PROJECT_ID: the ID of your Google Cloud project
Go
Use option.WithEndpoint during client creation.
// option is the google.golang.org/api/option package.
client, err := SERVICE.NewClient(ctx, projID,
    option.WithEndpoint("https://SERVICE.REGION.rep.googleapis.com"), // Override endpoint
)
Replace the following:
- SERVICE: the name of your service
- REGION: the region for your endpoint
.NET
Configure Endpoint in the client builder.
Java
Use setEndpoint on the service settings builder.
The following example uses Java to connect to the endpoint for the Cloud Vision API.
ImageAnnotatorSettings settings = ImageAnnotatorSettings.newBuilder()
.setEndpoint("https://vision.REGION.rep.googleapis.com")
.build();
ImageAnnotatorClient client = ImageAnnotatorClient.create(settings);
Reference documentation
- Use the Google Cloud CLI to manage regional endpoints.
- See the regionalEndpoints REST documentation.
What's next
- Access regional Google APIs through backends.
- See the Google Cloud supported regional service endpoints.