Private Service Connect connection propagation through Network Connectivity Center

Private Service Connect lets consumers access managed services privately from inside their Virtual Private Cloud (VPC) network. Similarly, it lets managed service producers host these services in their own separate VPC networks and projects and offer a private connection to their consumers. Private Service Connect connections are not transitive from peered VPCs. The propagation of Private Service Connect services through the Network Connectivity Center hub enables these services to be reachable by any other spoke VPC in the same hub.

The Network Connectivity Center Private Service Connect connection propagation feature benefits the following use case:

You can use a common services VPC network to create multiple Private Service Connect consumer endpoints. By adding a single common services VPC network to the Network Connectivity Center hub, all Private Service Connect consumer endpoints in the VPC network become transitively accessible to other VPC spokes through the Network Connectivity Center hub. This connectivity eliminates the need to individually manage each Private Service Connect endpoint in each VPC network.

When you connect a VPC spoke to a hub that has propagated connections enabled, Network Connectivity Center creates propagated connections in that spoke for any endpoints that are attached to the same hub, unless the endpoint's subnet is excluded from being exported. After a VPC network is added to a Network Connectivity Center hub as a VPC spoke, new Private Service Connect endpoints are also propagated, unless the endpoint's subnet is excluded from export.

To set up a hub with a Private Service Connect propagated connection enabled, the hub administrator must create a hub with Private Service Connect propagation or update the propagation setting by using the --export-psc flag. Then the hub administrator must add the VPC networks as spokes to the hub. The hub administrator can also use the --exclude-export-ranges flag to exclude specific Private Service Connect allocated subnets from the Network Connectivity Center routing so that specified subnets can't be reached from other VPC networks, thus keeping them private to the local VPC network.

For information about Private Service Connect propagated connections, see About Private Service Connect propagated connections.

For information about the --exclude-export-ranges flag, see VPC connectivity with export filters.

For detailed information about setting up a hub for a Private Service Connect propagated connection, see Configure a hub.

Connection propagation limit

For details about propagated connection limits, see Propagated connection limit.

Considerations

Consider the following before you enable a Private Service Connect propagated connection:

  • A Private Service Connect propagated connection works only with VPC spokes.

  • The landing VPC of a hybrid spoke can't be a VPC spoke.

  • Private Service Connect connection propagation might be delayed and event driven notification might be asynchronous; that is, the delivery notification might happen some time after the propagated connection.

  • Because the --exclude-export-ranges filter is not mutable for a spoke after the spoke is created, we recommend that you create two subnets to host Private Service Connect endpoints—one subnet for within-VPC-network-only Private Service Connect endpoints and the other for the Private Service Connect endpoints shared to the hub. When you add the VPC network to a hub as a spoke, add the IP address range of the subnet that hosts the within-VPC-network-only VPC network to the --exclude-export-ranges filter so that it is not shared with the hub.

  • The total number of Private Service Connect endpoints across all the spokes in the hub cannot be greater than 1,000. Propagation over this limit won't be established.

What's next