About network attachments
This page provides an overview of network attachments.
A network attachment is a resource that lets a producer Virtual Private Cloud (VPC) network initiate connections to a consumer VPC network through a Private Service Connect interface.
If a network attachment accepts a connection from an interface, Google Cloud allocates the interface an IP address from a consumer subnet that's specified by the network attachment. The networks are connected and can communicate by using internal IP addresses.
A connection between a network attachment and a Private Service Connect interface is similar to the connection between a Private Service Connect endpoint and a service attachment, but it has two key differences:
- A network attachment lets a producer network initiate connections to a consumer network (managed service egress), while an endpoint lets a consumer network initiate connections to a producer network (managed service ingress).
- A Private Service Connect interface connection is transitive. This means that a producer network can communicate with other networks that are connected to the consumer network.
For example, a service consumer organization might want to provide a managed service access to consumer data that is only available in the consumer's VPC network. The service might also need access to data or services that are available on-premises, through a VPN or Cloud Interconnect connection, or from a third-party service. Additionally, the consumer might want to require that any internet-bound traffic that uses their data travels through their own egress gateway. This lets the consumer monitor the traffic and provide custom security.
A Private Service Connect interface connection can fulfill all of these requirements.
Network attachments have the following specifications:
- A network attachment is a regional resource that represents the consumer side of a Private Service Connect interface connection.
- Network attachments let you explicitly or automatically accept connections from Private Service Connect interfaces.
- A network attachment is associated with a single subnet.
- When a connection request is accepted, the Private Service Connect interface is allocated an IP address from the network attachment's subnet.
- Multiple Private Service Connect interfaces can connect to the same network attachment.
- Network attachments support Shared VPC. You can create a network attachment in a service project, but the attachment's subnet must be in a host project.
- A connection between a network attachment and a Private Service Connect interface is bi-directional.
When you create a network attachment, you must assign it a single subnet. If a connection request from a producer interface is accepted, either because the attachment is configured to automatically accept connections or the producer project is included in the accept list, that interface is allocated an IP address from the subnet's IP address range.
This subnet has the following characteristics:
- It must have be a regular, user-created subnet a purpose set to None in
the Google Cloud console or
PRIVATEin the Google Cloud CLI or API.
- IP addresses in the subnet are not reserved, and you can assign other resources to the subnet.
- You cannot delete the subnet while it is assigned to a network attachment.
- You cannot change the subnet that is assigned to a network attachment without deleting the attachment and creating a new one.
- You can expand the CIDR range of the subnet, and new address allocations will use the expanded range.
When a network attachment accepts a connection request from a Private Service Connect interface, a logical connection is formed. This connection is the tuple consisting of the network attachment and the network interface that refers to it. The interface of a producer VM logically belongs to the consumer VPC network, but its lifecycle is managed by the producer.
For example, the network attachment in figure 1 has two connections.
Connection policies control how a network attachment determines the state of a connection when a Private Service Connect interface connects to a network attachment. A connection policy is composed of the following three fields of a network attachment:
- Connection preference: can be either
ACCEPT_AUTOMATIC: new connections are automatically accepted.
ACCEPT_MANUAL: the state of new connections is determined by a network attachment's accept list and reject list.
- Accept list: a list of project IDs. New connections from projects on this
list enter the
- Reject list: a list of project IDs. New connections from projects on this
list enter the
- A network attachment cannot be updated. If you want to update a network attachment, delete it and create a new one.
- You cannot delete a network attachment if it has any open connections. In this case, the producer organization must first delete the associated Private Service Connect interface.
Pricing for network attachments is described on the VPC pricing page.
There is a limit for how many network attachments you can create per region in a single project. For more information, see the per-project quotas in the VPC documentation.