Arcfeed Docs

Private Connectivity

Overview

Private, direct connection — no public internet. Arcfeed supports private connectivity via GCP Private Service Connect (PSC). Traffic travels entirely within the GCP backbone; it never touches the public internet.

PSC eliminates the internet leg — latency below our published figures for same-region deployments. Your application continues to connect to stream.arcfeed.finance:443 exactly as before. No code changes are required. DNS is configured automatically by GCP when you create the endpoint.

No code changes and no DNS configuration required. GCP automatically creates a private DNS zone in your VPC pointing stream.arcfeed.finance to your PSC endpoint IP when you create the endpoint. Your application keeps using the same hostname and TLS works unchanged.

The customer setup is three steps:

  1. Enable the required GCP APIs
  2. Reserve an internal IP address
  3. Create a PSC forwarding rule pointing at the Arcfeed Service Attachment

Arcfeed publishes the Service Attachment at no charge. You pay GCP for the endpoint resource (typically a few dollars per month).

How it works

Your application
    │  dials stream.arcfeed.finance:443
    ▼
Cloud DNS private zone  ← automatically created by GCP
    │  resolves stream.arcfeed.finance → your PSC endpoint IP
    ▼
PSC endpoint (your VPC, internal IP)
    │  traffic stays on GCP backbone — no public internet
    ▼
Arcfeed Service Attachment  (europe-west4)
    ▼
Arcfeed StreamService  [TLS cert: stream.arcfeed.finance ✓]

When you create the PSC forwarding rule, GCP automatically creates a private Cloud DNS zone in your VPC. This zone contains a single A record: stream.arcfeed.finance → your PSC endpoint IP. The zone is scoped to your VPC — it overrides public DNS only for workloads inside that VPC.

Because the hostname is unchanged, the TLS certificate presented by Arcfeed's StreamService (stream.arcfeed.finance) continues to match. No certificate pinning changes, no custom CA, no --insecure flags.

This gives the same outcome as VPC Peering or Direct Interconnect — without peering entire VPCs. Your PSC endpoint works transparently within your existing VPC Peering or Direct Interconnect topology.

Prerequisites

Enable the Compute, Cloud DNS, and Service Directory APIs. Cloud DNS and Service Directory are required for automatic DNS zone creation.

```bash
gcloud services enable compute.googleapis.com dns.googleapis.com servicedirectory.googleapis.com \
  --project=YOUR_PROJECT
```

Required IAM roles on your project:

  • roles/compute.networkAdmin — to create addresses and forwarding rules
  • roles/dns.admin — to view the automatically created DNS zone

Step 1 — Get the Service Attachment URI

Your Service Attachment URI is listed on the Private Connectivity page in your dashboard. PSC is available to all Arcfeed customers by default — no request or approval needed.

Current URI for europe-west4:

projects/obsidian-1929/regions/europe-west4/serviceAttachments/streamservice-psc-europe-west4

Step 2 — Reserve an internal IP address

Reserve a static internal IP in the subnet where your workloads run. This IP becomes the PSC endpoint address — it is what stream.arcfeed.finance will resolve to inside your VPC.

```bash
gcloud compute addresses create arcfeed-psc-ip \
  --region=europe-west4 \
  --subnet=YOUR_SUBNET \
  --project=YOUR_PROJECT

# Find the assigned IP
gcloud compute addresses describe arcfeed-psc-ip \
  --region=europe-west4 \
  --project=YOUR_PROJECT \
  --format='get(address)'
```

Step 3 — Create the PSC endpoint

Create a forwarding rule targeting the Arcfeed Service Attachment URI. Use --network (not --subnetwork) for the PSC consumer forwarding rule.

```bash
gcloud compute forwarding-rules create arcfeed-psc-endpoint \
  --region=europe-west4 \
  --network=YOUR_VPC \
  --address=arcfeed-psc-ip \
  --target-service-attachment=projects/obsidian-1929/regions/europe-west4/serviceAttachments/streamservice-psc-europe-west4 \
  --project=YOUR_PROJECT

# Verify the endpoint was accepted
gcloud compute forwarding-rules describe arcfeed-psc-endpoint \
  --region=europe-west4 \
  --project=YOUR_PROJECT \
  --format='get(pscConnectionStatus)'
# Expected output: ACCEPTED
```

Once the status is ACCEPTED, GCP automatically creates the private DNS zone in your VPC. This typically takes under a minute.

Step 4 — Verify DNS and connectivity

GCP creates the DNS zone automatically — you do not need to create any DNS records manually. Verify that the zone exists and that stream.arcfeed.finance resolves to your PSC endpoint IP, then test the gRPC connection.

```bash
# Confirm the private DNS zone was created automatically
gcloud dns managed-zones list \
  --filter="visibility=private" \
  --project=YOUR_PROJECT

# Confirm stream.arcfeed.finance resolves to your PSC endpoint IP
dig stream.arcfeed.finance

# Test the gRPC connection — TLS must succeed using the original hostname
grpcurl \
  -H "authorization: YOUR_API_TOKEN" \
  stream.arcfeed.finance:443 \
  arcfeed.streamservice.v1.StreamService/StreamData
```

YOUR_API_TOKEN is the raw JWT from your dashboard — no Bearer prefix. See Authentication for details.

Terraform

Complete working example. No DNS resources are needed — GCP creates the private zone automatically.

```hcl
resource "google_compute_address" "arcfeed_psc" {
  name         = "arcfeed-psc-ip"
  region       = "europe-west4"
  address_type = "INTERNAL"
  subnetwork   = var.subnet_self_link
  project      = var.project_id
}

resource "google_compute_forwarding_rule" "arcfeed_psc" {
  name                  = "arcfeed-psc-endpoint"
  region                = "europe-west4"
  project               = var.project_id
  network               = var.vpc_self_link
  ip_address            = google_compute_address.arcfeed_psc.self_link
  target                = "projects/obsidian-1929/regions/europe-west4/serviceAttachments/streamservice-psc-europe-west4"
  load_balancing_scheme = ""  # empty string = PSC consumer endpoint
}

# No google_dns_managed_zone or google_dns_record_set resources needed.
# GCP creates the private DNS zone automatically when the endpoint is accepted.
```

Declare the following input variables in your module: project_id, vpc_self_link, subnet_self_link.

Do not add google_dns_managed_zone or google_dns_record_set resources for stream.arcfeed.finance. GCP manages that zone. Adding your own zone for the same name in the same VPC will conflict.

Hybrid networks

If your workloads connect via Cloud Interconnect or Cloud VPN, on-premises DNS resolvers cannot query the private Cloud DNS zone by default. You need a Cloud DNS inbound server policy so that on-premises resolvers can forward stream.arcfeed.finance queries to Cloud DNS and receive the private zone answer.

The PSC endpoint itself works without any changes — only the DNS forwarding path from on-premises needs the inbound policy.

Troubleshooting

Endpoint status is not ACCEPTED

Check that the Service Attachment URI is copied exactly as shown in your dashboard and that the region in the URI matches the region of your forwarding rule (europe-west4). A mismatched region returns PENDING indefinitely.

DNS zone not created automatically

Verify all three APIs are enabled:

```bash
gcloud services list --enabled --project=YOUR_PROJECT | grep -E 'dns|servicedirectory|compute'
```

The automatic DNS zone requires the Cloud DNS API and the Service Directory API to be enabled before the endpoint is created. If you enabled them after creating the endpoint, delete and recreate the forwarding rule.

Also confirm the forwarding rule has an IPv4 address assigned — the automatic DNS zone is only created for endpoints with an IPv4 address.

TLS handshake fails

The private DNS zone may not have propagated yet. Wait approximately one minute after the endpoint reaches ACCEPTED status, then retry. If dig stream.arcfeed.finance returns the public IP rather than your PSC endpoint IP, the private zone is not yet bound to your VPC — check the zone's network binding in the GCP console under Network Services → Cloud DNS.

Do not use --insecure or skip TLS verification. The TLS certificate is valid for stream.arcfeed.finance — if TLS fails, the issue is DNS propagation, not the certificate.
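The script below is an added example, not part of the Arcfeed docs, that automates the Step 4 checks and the two troubleshooting cases above: it compares what your VPC resolves for stream.arcfeed.finance with the reserved PSC address, reports a public answer as the private zone not being bound to the VPC, and confirms the TLS handshake with normal certificate verification. It assumes the resource names used above (arcfeed-psc-ip in europe-west4), a PROJECT environment variable holding your project id, and that gcloud, dig and openssl are installed.

```shell
#!/bin/sh
# Added verification script (not Arcfeed's code); assumes arcfeed-psc-ip in
# europe-west4 as above, PROJECT in the environment, and gcloud/dig/openssl.
set -eu
HOST="stream.arcfeed.finance"

# 0 if the IPv4 address is RFC 1918 private. A PSC endpoint is a subnet address,
# so a public answer for $HOST means the private zone is not bound to this VPC.
is_rfc1918() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  case "$1.$2" in 10.*|192.168) return 0 ;; esac
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  return 1
}

# Compare what the VPC resolved with the reserved PSC IP; explain any mismatch.
check_resolution() {
  expected="$1"; resolved="$2"
  if [ -z "$resolved" ]; then
    echo "FAIL: $HOST did not resolve"; return 1
  elif [ "$resolved" != "$expected" ]; then
    if is_rfc1918 "$resolved"; then
      echo "FAIL: $HOST -> $resolved, expected PSC endpoint $expected"
    else
      echo "FAIL: $HOST -> public IP $resolved; private zone not bound to this VPC"
    fi
    return 1
  fi
  echo "OK: $HOST -> $resolved (PSC endpoint)"
}

# Full handshake with normal certificate verification (never skip verification).
check_tls() {
  openssl s_client -connect "$HOST:443" -servername "$HOST" -verify_return_error \
    </dev/null 2>&1 | grep 'Verify return code: 0 (ok)' >/dev/null
}

main() {
  expected=$(gcloud compute addresses describe arcfeed-psc-ip --region=europe-west4 \
    --project="${PROJECT:?set PROJECT to your GCP project id}" --format='get(address)')
  resolved=$(dig +short "$HOST" | tail -n 1)
  check_resolution "$expected" "$resolved"
  if check_tls; then echo "OK: TLS verified for $HOST"; else echo "FAIL: TLS for $HOST"; exit 1; fi
}
# Live checks run only with --run so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `PROJECT=YOUR_PROJECT sh psc-check.sh --run` from a VM inside the VPC; a non-zero exit with a "public IP" message points at the zone binding described above rather than at the certificate.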