About network attachments
=========================

Last updated: 2025-09-05 (UTC).

This page provides an overview of network attachments.

A network attachment is a resource that lets a producer Virtual Private Cloud (VPC) network initiate connections to a consumer VPC network through a [Private Service Connect interface](/vpc/docs/about-private-service-connect-interfaces).

If a network attachment accepts a connection from a Private Service Connect interface, Google Cloud allocates to the interface an internal IP address from a consumer subnet that is specified by the network attachment. The Private Service Connect interface's virtual machine (VM) instance has at least one more regular network interface that connects to a producer subnet.

This Private Service Connect interface connection lets producer and consumer organizations configure their VPC networks so that the two networks are connected and can communicate by using internal IP addresses. For example, the producer organization can update the producer VPC network to [add routes for consumer subnets](/vpc/docs/create-manage-private-service-connect-interfaces#add-routes).

A connection between a network attachment and a Private Service Connect interface is similar to the connection between a Private Service Connect [endpoint](/vpc/docs/private-service-connect#endpoints) and a [service attachment](/vpc/docs/private-service-connect#service-attachments), but it has two key differences:

- A network attachment lets a producer VPC network initiate connections to a consumer VPC network (managed service egress). An endpoint works in the reverse direction, letting a consumer VPC network initiate connections to a producer VPC network (managed service ingress).
- A Private Service Connect interface connection is transitive. This means that workloads in a producer VPC network can initiate connections to workloads in [other VPC networks that are connected to the consumer VPC network](/vpc/docs/about-private-service-connect-interfaces#other-networks).

For example, a service consumer organization might want to give a managed service access to consumer data that is available only in the consumer's VPC network. The service might also need access to data or services that are reachable on-premises, through a VPN or Cloud Interconnect connection, or from a third-party service. Additionally, the consumer might want to require that any internet-bound traffic that uses their data travels through the consumer's own egress gateway, so that the consumer can monitor the traffic and apply its own security controls.

A Private Service Connect interface connection can fulfill all of these requirements.

![Network attachment overview](/static/vpc/images/psc-interfaces/network-attachment-overview.svg)

**Figure 1.** A network attachment in a consumer VPC network is connected to two Private Service Connect interfaces in a producer VPC network.

Specifications
--------------

Network attachments have the following specifications:

- A network attachment is a regional resource that represents the consumer side of a [Private Service Connect interface](/vpc/docs/about-private-service-connect-interfaces) connection.
- Network attachments let you explicitly or automatically accept connections from Private Service Connect interfaces.
- A network attachment is associated with a single subnet. You can use IPv4-only or dual-stack subnets with network attachments. For more information, see [Subnet assignment](#subnet-assignment). You can't use IPv6-only subnets with network attachments.
- When a connection request is accepted, the Private Service Connect interface is allocated an IP address from the network attachment's subnet.
- Multiple Private Service Connect interfaces can connect to the same network attachment.
- Network attachments support [Shared VPC](/vpc/docs/shared-vpc). You can create a network attachment in a service project, but the attachment's subnet must be in a host project.
- A connection between a network attachment and a Private Service Connect interface is bi-directional.
- A connection between a network attachment and a Private Service Connect interface is [transitive](/vpc/docs/about-private-service-connect-interfaces#other-networks). Workloads in the producer VPC network can communicate with workloads that are connected to the consumer VPC network.
- A network attachment can connect to both virtual and dynamic Private Service Connect interfaces.

Subnet assignment
-----------------

When you create a network attachment, you must assign it a single subnet. If a connection request from a producer interface is accepted, either because the attachment is configured to automatically accept connections or because the producer project is included in the accept list, that interface is allocated an IP address from the subnet's IP address range.

This subnet has the following characteristics:

- It must be a [regular subnet](/vpc/docs/subnets#purpose).
- It can be an IPv4-only subnet or a dual-stack subnet with an internal IPv6 address range. If you want to send IPv6 traffic to the Private Service Connect interface, use a dual-stack subnet. However, not all service producers support IPv6.
- IP addresses in the subnet are not reserved, and you can assign other resources to the subnet.
- You cannot delete the subnet while it is assigned to a network attachment.
- You can replace the subnet, and existing connections are not affected. Connections that are established after the subnet is replaced use the new subnet.
- You can [expand the CIDR range](/vpc/docs/create-modify-vpc-networks#expand-subnet) of the subnet, and new address allocations use the expanded range.

Authorization policies
----------------------

Authorization policies control whether a network attachment accepts a connection from a Private Service Connect interface. An authorization policy is composed of the following three fields of a network attachment:

- *Connection preference*: either `ACCEPT_AUTOMATIC` or `ACCEPT_MANUAL`.
  - `ACCEPT_AUTOMATIC`: new connections are automatically accepted.
  - `ACCEPT_MANUAL`: the state of a new connection is determined by the network attachment's accept list and reject list.
- *Accept list*: a list of producer project IDs. It applies only to network attachments that have the `ACCEPT_MANUAL` connection preference. New connections from projects in this list are accepted. If a Private Service Connect interface requests a connection and the interface's project is not in this list, creation of the Private Service Connect interface's VM fails.
- *Reject list*: a list of producer project IDs. It applies only to network attachments that have the `ACCEPT_MANUAL` connection preference. New connections from projects in this list are explicitly rejected, and creation of the Private Service Connect interface's VM fails.

If a network attachment is configured to manually accept connections and you add a producer project to both the accept and reject lists, the reject list takes precedence: connection requests from that project are rejected, and creation of the Private Service Connect interface's VM fails.

Connections
-----------

When a network attachment accepts a connection request from a Private Service Connect interface, a logical connection is formed. This connection is the tuple consisting of the network attachment and the network interface that refers to it. The interface of a producer VM logically belongs to the consumer VPC network, but its lifecycle is managed by the producer. For example, the network attachment in figure 1 has two connections.

You can view accepted connections when you [Describe a network attachment](/vpc/docs/create-manage-network-attachments#describe).

Limitations
-----------

- You can update only the subnet, accept list, reject list, and description of a network attachment. To change other fields, delete the attachment and create a new one.
- You cannot delete a network attachment that has open connections. In this case, the producer organization must first delete the associated Private Service Connect interfaces.
- Private Service Connect interfaces don't support external IP addresses.

Pricing
-------

Pricing for network attachments is described on the [VPC pricing page](/vpc/pricing#psc-network-interface).

Quota
-----

There is a limit on how many network attachments you can create per region in a single project. For more information, see the per-project [quotas](/vpc/docs/quota#network-attachments-quota) in the VPC documentation.

What's next
-----------

- [Create and manage network attachments](/vpc/docs/create-manage-network-attachments)
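The authorization-policy rules from the Authorization policies section and the connection tuples from the Connections section, turned into an audit script. This is an added example, not Google Cloud's code and not a Google Cloud API: `decide` applies the rules the page states (`ACCEPT_AUTOMATIC` accepts; `ACCEPT_MANUAL` consults the lists, with the reject list taking precedence over the accept list and anything in neither list rejected), `lint` flags the configurations a reviewer would question, and `connections` lists the (attachment, interface) tuples from the accepted endpoints. The field names `connectionPreference`, `producerAcceptLists`, `producerRejectLists` and `connectionEndpoints` are assumed to match the Compute Engine NetworkAttachment resource as printed by `gcloud compute network-attachments describe --format=json`; the sample document, project IDs and addresses are constructed.

```python
"""Audit helper for a network attachment's authorization policy.

Added example, not Google Cloud code. It applies the rules from the
Authorization policies section to a network attachment resource and lists
the Connections (attachment, interface) tuples. Field names are assumed to
follow the Compute Engine NetworkAttachment API resource; the sample
document below is constructed, not captured from a real project.
"""
from __future__ import annotations

import json

ACCEPT_AUTOMATIC = "ACCEPT_AUTOMATIC"
ACCEPT_MANUAL = "ACCEPT_MANUAL"

# Constructed sample, shaped like the JSON output of
# `gcloud compute network-attachments describe NAME --region=REGION --format=json`.
# Project IDs and addresses are invented; producer-b is deliberately in both lists.
SAMPLE_ATTACHMENT_JSON = """
{
  "name": "consumer-attachment",
  "connectionPreference": "ACCEPT_MANUAL",
  "producerAcceptLists": ["producer-a", "producer-b"],
  "producerRejectLists": ["producer-b", "producer-c"],
  "subnetworks": ["regions/us-central1/subnetworks/attachment-subnet"],
  "connectionEndpoints": [
    {"projectIdOrNum": "producer-a", "ipAddress": "10.10.0.5", "status": "ACCEPTED"},
    {"projectIdOrNum": "producer-a", "ipAddress": "10.10.0.6", "status": "ACCEPTED"}
  ]
}
"""


def decide(attachment: dict, producer_project: str) -> tuple[bool, str]:
    """Decide one new connection request from producer_project.

    Returns (accepted, reason). A False result is the case in which creation
    of the Private Service Connect interface's VM fails.
    """
    pref = attachment.get("connectionPreference")
    if pref == ACCEPT_AUTOMATIC:
        # The page defines the accept and reject lists for ACCEPT_MANUAL only.
        return True, "ACCEPT_AUTOMATIC: accepted without consulting the lists"
    if pref != ACCEPT_MANUAL:
        raise ValueError(f"unknown connectionPreference {pref!r}")
    accept = set(attachment.get("producerAcceptLists", []))
    reject = set(attachment.get("producerRejectLists", []))
    if producer_project in reject:
        # Reject wins, including when the project is also in the accept list.
        return False, "ACCEPT_MANUAL: project is in the reject list"
    if producer_project in accept:
        return True, "ACCEPT_MANUAL: project is in the accept list"
    return False, "ACCEPT_MANUAL: project is in neither list (default deny)"


def lint(attachment: dict) -> list[str]:
    """Policy findings a reviewer would raise before approving the attachment."""
    findings = []
    pref = attachment.get("connectionPreference")
    accept = set(attachment.get("producerAcceptLists", []))
    reject = set(attachment.get("producerRejectLists", []))
    if pref == ACCEPT_AUTOMATIC:
        findings.append("ACCEPT_AUTOMATIC: every requesting producer project is accepted; "
                        "prefer ACCEPT_MANUAL with an explicit accept list")
        if accept or reject:
            findings.append("lists are populated but the page defines them for ACCEPT_MANUAL only")
    elif pref == ACCEPT_MANUAL and not accept:
        findings.append("ACCEPT_MANUAL with an empty accept list: every new connection is rejected")
    for project in sorted(accept & reject):
        findings.append(f"{project}: in both lists; reject wins, so the accept entry is dead")
    # An ACCEPTED endpoint whose project the current lists would no longer admit is
    # worth a review; the page only defines the rules for new connections.
    for endpoint in attachment.get("connectionEndpoints", []):
        project = endpoint.get("projectIdOrNum", "")
        if endpoint.get("status") == "ACCEPTED" and not decide(attachment, project)[0]:
            findings.append(f"{project}: has an ACCEPTED endpoint but the current policy would reject it")
    return findings


def connections(attachment: dict) -> dict[str, list[str]]:
    """The page's connection tuples (attachment, interface), grouped by producer project.

    Each ACCEPTED endpoint is one Private Service Connect interface holding an
    address allocated from the attachment's subnet.
    """
    result: dict[str, list[str]] = {}
    for endpoint in attachment.get("connectionEndpoints", []):
        if endpoint.get("status") == "ACCEPTED":
            result.setdefault(endpoint["projectIdOrNum"], []).append(endpoint["ipAddress"])
    return result


def audit(attachment_json: str, requesting_projects: list[str]) -> dict:
    """Evaluate a describe document against producer projects that intend to connect."""
    attachment = json.loads(attachment_json)
    return {
        "decisions": {p: decide(attachment, p) for p in requesting_projects},
        "findings": lint(attachment),
        "connections": connections(attachment),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ATTACHMENT_JSON, ["producer-a", "producer-b", "producer-c", "producer-d"])
    for project, (ok, reason) in report["decisions"].items():
        print(f"{project:12} {'ACCEPT' if ok else 'REJECT (VM creation fails)':28} {reason}")
    for finding in report["findings"]:
        print("finding:", finding)
    print("connections:", report["connections"])
```

To audit a real attachment, replace the constructed `SAMPLE_ATTACHMENT_JSON` with the output of the `describe` command and pass the producer project IDs that plan to create interfaces. The configuration the script favors is the least-privilege one: `ACCEPT_MANUAL` with an accept list naming only the producer projects you have reviewed, and no project that appears in both lists.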