Private Service Connect lets consumers access managed services privately from inside their Virtual Private Cloud (VPC) network. Similarly, it lets managed service producers host these services in their own separate VPC networks and projects and offer a private connection to their consumers. Private Service Connect connections are not transitive from peered VPCs. The propagation of Private Service Connect services through the Network Connectivity Center hub enables these services to be reachable by any other spoke VPC in the same hub.
The Network Connectivity Center Private Service Connect connection propagation feature benefits the following use case:
You can use a common services VPC network to create multiple Private Service Connect consumer endpoints. By adding a single common services VPC network to the Network Connectivity Center hub, all Private Service Connect consumer endpoints in the VPC network become transitively accessible to other VPC spokes through the Network Connectivity Center hub. This connectivity eliminates the need to individually manage each Private Service Connect endpoint in each VPC network.
When you connect a VPC spoke to a hub that has propagated connections enabled, Network Connectivity Center creates propagated connections in that spoke for any endpoints that are attached to the same hub, unless the endpoint's subnet is excluded from being exported. After a VPC network is added to a Network Connectivity Center hub as a VPC spoke, new Private Service Connect endpoints are also propagated, unless the endpoint's subnet is excluded from export.
To set up a hub with a Private Service Connect propagated connection
enabled, the hub administrator must create a hub
with Private Service Connect propagation or update the
propagation setting by using the
--export-psc flag. Then the hub administrator must
add the VPC networks as spokes to the hub. The hub administrator
can also use the --exclude-export-ranges flag to exclude specific
Private Service Connect allocated subnets from the
Network Connectivity Center routing so that specified subnets can't be reached from other
VPC networks, thus keeping them private to the local
VPC network.
For information about Private Service Connect propagated connections, see About Private Service Connect propagated connections.
For information about the --exclude-export-ranges flag, see VPC connectivity with export filters.
For detailed information about setting up a hub for a Private Service Connect propagated connection, see Configure a hub.
Connection propagation limit
For details about propagated connection limits, see Propagated connection limit.
Considerations
Consider the following before you enable a Private Service Connect propagated connection:
A Private Service Connect propagated connection works only with VPC spokes.
If you need to make propagated Private Service Connect connections available to on-premises networks connected to hybrid spokes:
Your Network Connectivity Center hub must have only one routing VPC network that contains all of its hybrid spokes.
The hub's single routing VPC network must also be a VPC spoke.
If a hub has two or more routing VPC networks, none of the routing VPC networks can also be VPC spokes. Consequently, hubs with two or more routing VPC networks can't make propagated Private Service Connect connections available to on-premises networks.
For Private Service Connect propagation to work with hybrid spokes, the routing VPC network must also be added as a VPC spoke.
Private Service Connect connection propagation might be delayed and event driven notification might be asynchronous; that is, the delivery notification might happen some time after the propagated connection.
Because the
--exclude-export-rangesfilter is not mutable for a spoke after the spoke is created, we recommend that you create two subnets to host Private Service Connect endpoints—one subnet for within-VPC-network-only Private Service Connect endpoints and the other for the Private Service Connect endpoints shared to the hub. When you add the VPC network to a hub as a spoke, add the IP address range of the subnet that hosts the within-VPC-network-only VPC network to the--exclude-export-rangesfilter so that it is not shared with the hub.The total number of Private Service Connect endpoints across all the spokes in the hub cannot be greater than 1,000. Propagation over this limit won't be established.
What's next
- To create hubs and spokes, see Work with hubs and spokes.
- To view a list of partners whose solutions are integrated with Network Connectivity Center, see Network Connectivity Center partners.
- To find solutions for common issues, see Troubleshooting.
- To get details about API and Google Cloud CLI commands, see APIs and reference.