Three Private Service Connect patterns - Networking basics
Ammett Williams
Developer Relations Engineer
Gaurav Madan
Customer Engineer, Networking
Private Service Connect (PSC) allows private communications between service consumers and service producers. In this blog we will discuss a few ways you can use PSC for private communication.
Components of Design
PSC comprises several components, explained below:
Consumers - Access managed services via private IP from within their own VPC.
Producers - Have the ability to expose services to consumers via service attachments.
Service attachments - These link to producer load balancers. Security can be applied with a consumer accept list. Consumers can configure endpoints linked to a service attachment to establish a private connection from within their VPC.
Endpoint - These are private IP addresses in a consumer VPC that are mapped to a service attachment and forward requests to the attached service.
Backends - These use PSC Network Endpoint Groups (NEGs) and reference a producer service attachment or a regional Google API.
Google API - These are services created by Google that are accessible via public API and reside on the Google network.
Published service - These are services that are not classified as Google APIs.
Some benefits of Private Service Connect
PSC offers benefits such as:
Private, direct connectivity between the consumer and the producer's managed service.
No overlapping-IP constraints, since NAT is used between the consumer and producer networks.
The ability to enforce authorization control (for example, the consumer accept list on the service attachment).
Enhanced line-rate performance by removing intermediate hops.
From consumer to producer flow
The diagram shows the options to connect to a producer using PSC. You can create an endpoint or backend to target the necessary services.
# 1 - Consumer using endpoint to published service
In this design the consumer initiates the request to the producer service. The producer and consumer can be in separate organizations, each with their own VPC, IP ranges, and projects. The producer exposes the service via a service attachment and allows access to the consumer projects on its accept list.
On the consumer side, they create a PSC endpoint, assign it a private IP address from their VPC, and link it to the service attachment. Once the connection is established, clients in the consumer network can access the service via the PSC endpoint address in their VPC.
See documentation About accessing published services through endpoints.
# 2 - Consumer using backend to published service
This is similar to the example above but the configuration on the consumer end is different.
On the consumer side, they create a PSC Network Endpoint Group (NEG), link it to the producer's service attachment, and expose the PSC NEG as a backend of a supported load balancer type.
See documentation About Private Service Connect backends.
# 3 - Hybrid consumer using global access endpoint
In this design the consumer enables global access on the endpoint, which makes it reachable from resources in other regions. Here, on-premises clients are connected to Google Cloud via Cloud Interconnect in the us-east1 region. With global access enabled, they can send traffic to the endpoint located in us-west1 and reach the producer service.
See documentation Global Access.
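The three patterns above map onto a handful of gcloud commands. The script below is an added example, not code from the original post or from Google's documentation: it builds the producer service attachment (with the consumer accept list that provides the authorization control), the consumer endpoint for pattern #1 (optionally with global access, as in pattern #3), and the PSC NEG plus backend for pattern #2. Every project, region, network, subnet and resource name is a constructed placeholder. Commands are printed rather than executed unless PSC_APPLY=1 is set, so the exact flags, and in particular who is on the accept list, can be reviewed before anything is created. The URI check enforces a rule the text relies on: the endpoint or NEG must live in the service attachment's region, and global access only widens which clients may reach it.

```shell
#!/usr/bin/env bash
# Added example: generate (and optionally apply) the gcloud commands for the
# three PSC patterns. All names, projects and regions are placeholders.
set -eu

# run_cmd: print the command on one line; execute it only when PSC_APPLY=1.
run_cmd() {
  printf '%s\n' "$*"
  if [ "${PSC_APPLY:-0}" = "1" ]; then
    "$@"
  fi
}

# parse_sa_region: extract REGION from a service attachment URI of the form
# projects/PROJECT/regions/REGION/serviceAttachments/NAME. Any other shape
# returns non-zero, so a malformed target never reaches gcloud.
parse_sa_region() {
  case "$1" in
    projects/*/regions/*/serviceAttachments/*)
      printf '%s\n' "$1" | cut -d/ -f4 ;;
    *) return 1 ;;
  esac
}

# Producer side (patterns 1 and 2): publish an internal load balancer's
# forwarding rule through a service attachment. ACCEPT_MANUAL plus
# --consumer-accept-list is the authorization control: only the listed
# consumer projects may connect, each up to the given endpoint limit.
# $1 attachment name, $2 region, $3 producer forwarding rule,
# $4 PSC NAT subnet, $5 accept-list entry as CONSUMER_PROJECT=LIMIT
producer_attachment_cmd() {
  run_cmd gcloud compute service-attachments create "$1" \
    --region="$2" \
    --producer-forwarding-rule="$3" \
    --connection-preference=ACCEPT_MANUAL \
    --consumer-accept-list="$5" \
    --nat-subnets="$4"
}

# Consumer side, pattern 1 (and 3 when $5 is "global"): reserve an internal IP
# in the consumer VPC and create the PSC endpoint, i.e. a forwarding rule whose
# target is the service attachment. The endpoint is placed in the attachment's
# region, which is derived from the URI rather than supplied separately.
# $1 endpoint name, $2 consumer network, $3 consumer subnet,
# $4 service attachment URI, $5 "global" or "regional"
consumer_endpoint_cmd() {
  local region global_flag
  region=$(parse_sa_region "$4") || { echo "bad service attachment URI: $4" >&2; return 1; }
  global_flag=""
  if [ "$5" = "global" ]; then
    global_flag="--allow-psc-global-access"
  fi
  run_cmd gcloud compute addresses create "$1-ip" \
    --region="$region" --subnet="$3"
  run_cmd gcloud compute forwarding-rules create "$1" \
    --region="$region" --network="$2" --address="$1-ip" \
    --target-service-attachment="$4" $global_flag
}

# Consumer side, pattern 2: a PSC NEG that targets the service attachment,
# added as a backend of an existing regional backend service (the load
# balancer the consumer exposes the service through).
# $1 NEG name, $2 consumer network, $3 consumer subnet,
# $4 service attachment URI, $5 existing backend service name
consumer_neg_cmd() {
  local region
  region=$(parse_sa_region "$4") || { echo "bad service attachment URI: $4" >&2; return 1; }
  run_cmd gcloud compute network-endpoint-groups create "$1" \
    --region="$region" --network="$2" --subnet="$3" \
    --network-endpoint-type=private-service-connect \
    --psc-target-service="$4"
  run_cmd gcloud compute backend-services add-backend "$5" \
    --region="$region" \
    --network-endpoint-group="$1" \
    --network-endpoint-group-region="$region"
}

# Dry run of all three patterns against constructed placeholder names.
SA_URI="projects/producer-proj/regions/us-west1/serviceAttachments/app-sa"
producer_attachment_cmd app-sa us-west1 app-ilb-fr psc-nat-subnet consumer-proj=10
consumer_endpoint_cmd psc-endpoint consumer-vpc consumer-subnet "$SA_URI" global
consumer_neg_cmd psc-neg consumer-vpc consumer-subnet "$SA_URI" consumer-bes
```

Running the script without PSC_APPLY prints the commands for review; with PSC_APPLY=1 it executes them in the project gcloud is currently configured for. After the consumer side is created, the producer can confirm which endpoints are attached and whether each was accepted with `gcloud compute service-attachments describe app-sa --region=us-west1`, which lists the connected endpoints and their status (placeholder names as above).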
Learn more about PSC
Private Service Connect continues to evolve. To learn more about PSC check out the following:
Hands-on labs - Codelabs
Documentation - https://cloud.google.com/vpc/docs/private-service-connect
YouTube Demo - https://youtu.be/8sGs3b5zFOE
Want to ask a question, find out more or share a thought? Please connect with me on LinkedIn.