Private Service Connect overview

This page describes concepts related to Private Service Connect. You can use Private Service Connect for the following purposes:

  • Connect to an AlloyDB for PostgreSQL instance from multiple Virtual Private Cloud (VPC) networks that belong to different groups, teams, projects, or organizations.
  • Connect to either a primary instance or any of its read replicas, or connect to a secondary instance.

Private Service Connect lets you create a private and secure connection between your VPC networks and a Google Cloud service, such as AlloyDB.

Private Service Connect uses the concept of consumer and producer. For example, your VPC network is the consumer of the AlloyDB service published by the Google Cloud, who is the producer. AlloyDB instances publish a service attachment URL, a unique identifier that is used to connect to an instance, and the allowed networks within the allowed projects create an endpoint to create a secure connection to the AlloyDB service.

For detailed information about using Private Service Connect in AlloyDB, see Connect to an instance using Private Service Connect.

Service attachment

When you create any AlloyDB instance within a Private Service Connect-enabled cluster, AlloyDB creates a service attachment unique to that instance. For each primary instance, read pool instance, or secondary instance created, a unique service attachment URL is generated. This service attachment URL is used to create a Private Service Connect endpoint for your project or network.

Private Service Connect endpoint

A Private Service Connect endpoint is a forwarding rule that's associated with an internal IP address. As part of creating the endpoint, you specify the service attachment that's associated with the AlloyDB instance. The VPC network can then access the instance through the endpoint.

DNS names and records

Since multiple endpoints can connect to a single service attachment, we recommend using a DNS name to consistently connect to the service attachment regardless of the network to which the endpoint belongs. The DNS name is used to create the DNS record in a private DNS zone for the corresponding VPC network.

Allowed Private Service Connect projects

When you create an AlloyDB instance, you can define which projects from your VPC network can access the AlloyDB instance within the AlloyDB cluster.

For each allowed project in your VPC network, create a unique Private Service Connect endpoint. If a project isn't allowed explicitly, then you can still create an endpoint for the instances in the project, but the endpoint remains in a PENDING state.

What's next