Private Service Connect connection propagation through Network Connectivity Center

Private Service Connect lets consumers access managed services privately from inside their Virtual Private Cloud (VPC) network. Similarly, it lets managed service producers host these services in their own separate VPC networks and projects and offer a private connection to their consumers. Private Service Connect connections are not transitive from peered VPCs. The propagation of Private Service Connect services through the Network Connectivity Center hub enables these services to be reachable by any other spoke VPC in the same hub.

The Network Connectivity Center Private Service Connect connection propagation feature benefits the following use case:

You can use a common services VPC network to create multiple Private Service Connect consumer endpoints. By adding a single common services VPC network to the Network Connectivity Center hub, all Private Service Connect consumer endpoints in the VPC network become transitively accessible to other VPC spokes through the Network Connectivity Center hub. This connectivity eliminates the need to individually manage each Private Service Connect endpoint in each VPC network.

When you connect a VPC spoke to a hub that has propagated connections enabled, Network Connectivity Center creates propagated connections in that spoke for any endpoints that are attached to the same hub, unless the endpoint's subnet is excluded from being exported. After a VPC network is added to a Network Connectivity Center hub as a VPC spoke, new Private Service Connect endpoints are also propagated, unless the endpoint's subnet is excluded from export.

To set up a hub with a Private Service Connect propagated connection enabled, the hub administrator must create a hub with Private Service Connect propagation or update the propagation setting by using the --export-psc flag. Then the hub administrator must add the VPC networks as spokes to the hub. The hub administrator can also use the --exclude-export-ranges flag to exclude specific Private Service Connect allocated subnets from the Network Connectivity Center routing so that specified subnets can't be reached from other VPC networks, thus keeping them private to the local VPC network.

For information about Private Service Connect propagated connections, see About Private Service Connect propagated connections.

For information about the --exclude-export-ranges flag, see VPC connectivity with export filters.

For information about how to configure a hub for a Private Service Connect propagated connection, see Configure a hub.

Propagated connection limit

For details about propagated connection limits, see Propagated connection limit.

Considerations

Consider the following before you enable a Private Service Connect propagated connection:

  • A Private Service Connect propagated connection works only with VPC spokes.

  • The landing VPC of a hybrid spoke can't be a VPC spoke.

  • Private Service Connect connection propagation can be delayed, and the event-based notification can be asynchronous, which means that the delivery notification can occur some time after the connection is propagated.

  • Because the --exclude-export-ranges filter can't be modified for a spoke after the spoke is created, we recommend creating two subnets to host Private Service Connect endpoints: one subnet for Private Service Connect endpoints used only within the VPC network, and another subnet for Private Service Connect endpoints shared with the hub. When you add the VPC network to a hub as a spoke, add the IP address range of the subnet that hosts the VPC-network-only endpoints to the --exclude-export-ranges filter so that it isn't shared with the hub.

  • The total number of Private Service Connect endpoints across all the spokes in the hub cannot be greater than 1,000. Propagation over this limit won't be established.
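The export filter and hub-wide limit described above (the --exclude-export-ranges two-subnet recommendation and the 1,000-endpoint limit), modelled as an added Python example that is not part of this page or of Google Cloud's implementation; the spoke names, endpoint names and IP ranges are constructed, and the order in which endpoints are counted against the limit is an assumption of the model.

```python
"""Model of which PSC endpoints an NCC hub propagates between VPC spokes.
Constructed illustration of this page's rules, not Google's implementation:
excluded ranges are not exported; at most 1,000 endpoints propagate hub-wide."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PROPAGATION_LIMIT = 1000  # hub-wide endpoint limit stated on this page


@dataclass
class VpcSpoke:
    name: str
    endpoints: dict  # endpoint name -> consumer endpoint IP (constructed)
    exclude_export_ranges: list = field(default_factory=list)  # fixed at creation

    def exported_endpoints(self):
        """Endpoints this spoke exports: those outside every excluded range."""
        excluded = [ip_network(r) for r in self.exclude_export_ranges]
        return {name: ip for name, ip in self.endpoints.items()
                if not any(ip_address(ip) in net for net in excluded)}


def propagated_connections(spokes):
    """Per spoke, the propagated connections the hub creates in it: every
    exported endpoint of every *other* spoke, up to PROPAGATION_LIMIT hub-wide.
    Assumption: endpoints are counted in spoke order; the cutoff is illustrative."""
    exported = [(s.name, ep, ip) for s in spokes
                for ep, ip in s.exported_endpoints().items()]
    within = exported[:PROPAGATION_LIMIT]
    over_limit = [f"{s}/{ep}" for s, ep, _ in exported[PROPAGATION_LIMIT:]]
    view = {s.name: {f"{o}/{ep}": ip for o, ep, ip in within if o != s.name}
            for s in spokes}
    return view, over_limit


# Constructed sample following the two-subnet recommendation: 10.10.0.0/24
# hosts VPC-local endpoints, 10.10.1.0/24 hosts endpoints shared via the hub.
COMMON_SERVICES = VpcSpoke(
    name="common-services",
    endpoints={"sql-shared": "10.10.1.5", "bq-shared": "10.10.1.6",
               "internal-only": "10.10.0.9"},
    exclude_export_ranges=["10.10.0.0/24"],
)
APP_VPC = VpcSpoke(name="app-vpc", endpoints={"app-ep": "10.20.0.4"})
SAMPLE_SPOKES = [COMMON_SERVICES, APP_VPC]

if __name__ == "__main__":
    view, dropped = propagated_connections(SAMPLE_SPOKES)
    for spoke, conns in view.items():
        print(f"{spoke}: reachable via hub -> {sorted(conns)}")
```

Running it shows that app-vpc gains propagated connections only to the two shared endpoints, while the endpoint in the excluded 10.10.0.0/24 range stays private to common-services.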

What's next