# Calling a private Cloud Function from On-premises
This example shows how to invoke a private Google Cloud Function from the on-prem environment via a Private Service Connect endpoint.
According to the [documentation](https://cloud.google.com/functions/docs/networking/network-settings#ingress_settings), only requests from VPC networks in the same project or VPC Service Controls perimeter are allowed to call a private Cloud Function. That's the reason why a Private Service Connect endpoint is needed in this architecture.
The Terraform script in this folder will create two projects connected via VPN: one to simulate the on-prem environment and another containing the Cloud Function and the Private Service Connect endpoint.
The "on-prem" project contains a small VM that can be used to test the accessibility to the private Cloud Function:
| *ip_ranges* | IP ranges used for the VPCs. | <codetitle="map(string)">map(string)</code> | | <codetitle="{ onprem = "10.0.1.0/24", hub = "10.0.2.0/24" }">...</code> |
| *psc_endpoint* | IP used for the Private Service Connect endpoint, it must not overlap with the hub_ip_range. | <codetitle="">string</code> | | <codetitle="">10.100.100.100</code> |
| *region* | Region where the resources will be created. | <codetitle="">string</code> | | <codetitle="">europe-west1</code> |
| *zone* | Zone where the test VM will be created. | <codetitle="">string</code> | | <codetitle="">europe-west1-b</code> |