Deploy a managed service instance by using service connection policies
This page describes how a consumer service administrator can deploy an instance of a managed service and configure connectivity by using service connection policies.
Before you begin
Make sure that the managed service that you want to deploy supports service connection policies. Making services available for deployment by using service connection maps is available in a limited Preview. For more information about services that support service connection maps, see Supported services.
You need a service connection policy for the VPC network, region, and managed service that you want to deploy.
Required roles
Consumer service administrators don't need any IAM permissions for the VPC network because these permissions are delegated by the service connection policy. However, IAM permissions might be required for specific managed services that are deployed by using service connection policies. For information about IAM permissions that are required by a specific managed service, check the service's documentation.
Deploy a managed service instance and configure connectivity
If a service connection policy exists for a service, a consumer service administrator can deploy a managed service instance and configure connectivity directly through the administrative API or UI of the managed service.
To deploy managed service connectivity, follow these steps. The steps might vary depending on the managed service.
In the administrative API or UI of the managed service, specify Private Service Connect as your connectivity type. The service might provide the option to specify the VPC network to deploy Private Service Connect endpoints in.
If all authorization checks pass, then connectivity is deployed. The Network Connectivity Service Account creates an internal IP address and Private Service Connect endpoint in the specified VPC network.
The lifecycle of your endpoint matches the lifecycle of your managed service instance. The endpoint remains active and stable unless you reconfigure connectivity or decommission the service instance
After the Network Connectivity Service Account creates your endpoint, the endpoint's forwarding rule is visible in the project that you configured in step 1. This forwarding rule indicates that the connection has been accepted by the producer and includes the IP address that was assigned to your endpoint.
The names of all forwarding rules that are created by using service connection policies start with
sca-auto-. The following is an example of a forwarding rule that was created by using a service connection policy.kind: compute#forwardingRule name: sca-auto-ab3f45d IPAddress: 10.33.2.8 allowPscGlobalAccess: true network: https://www.googleapis.com/compute/v1/projects/consumer-project/global/networks/vpc1 pscConnectionStatus: ACCEPTED region: https://www.googleapis.com/compute/v1/projects/consumer-project/regions/us-central1 selfLink: https://www.googleapis.com/compute/v1/projects/consumer-project/regions/us-central1/forwardingRules/sca-auto-ab3f45d serviceDirectoryRegistrations: -namespace: goog-psc-default target: https://www.googleapis.com/compute/v1/projects/producer-project/regions/us-central1/serviceAttachments/producer-saYour service might provide information about how to connect to the new endpoint—for example, by providing an IP address. Use the provided IP address to communicate with your service through internal IP addresses within Google Cloud.
For more information about how to configure a specific service, see that service's documentation.
Decommission service connectivity
To decommission service connectivity or decommission a managed service instance that's deployed by using service connection policies, use the administrative API or UI of the managed service. Delete each service instance that's associated with the managed service. When service instances are deleted, Google Cloud deletes the associated connections and endpoints.