About service connection policies
This page provides an overview of service connection policies.
Service consumers can create service connection policies that automate deployment and connectivity for eligible managed service instances. This process is called Private Service Connect service connectivity automation.
For example, a consumer service administrator might be a database administrator who deploys a database and then configures Private Service Connect to reach that database. However, the database administrator might not have required Identity and Access Management (IAM) credentials or knowledge of how to deploy networking resources. If a service connection policy exists, and the producer service is configured for service automation, then the database administrator can request that an instance of the producer service be deployed and connected to their network through service connectivity automation.
Service connection policies are useful for the following roles:
- Consumer service administrators can deploy instances of managed producer services and configure connectivity to them through the administrative API or UI of the producer service. There is no additional step to configure Private Service Connect.
- Network administrators can create a single set of policies that control which services and subnets are used for connectivity.
- Service producers can simplify the process of sharing service attachments and guiding consumers through connectivity deployment. Consumers with service connection policies can configure a producer service by using the producer's administrative API or UI.
Service instance deployment
Deploying an instance of a managed service by using service connection policies involves the following steps, which are shown in figure 1:
A consumer network administrator creates a service connection policy for their VPC network. This network can optionally be a Shared VPC network.
The service connection policy lets Google automatically deploy Private Service Connect endpoints on behalf of the consumer service administrator. The service connection policy references a service class—a globally unique resource that identifies a specific producer service. A single service connection policy is scoped to a single service class and a single consumer VPC network, delegating the ability to configure connectivity within that scope.
A consumer service administrator deploys a managed service instance and configures connectivity to that instance by using the service's administrative API or UI.
If you created the service connection policy in a Shared VPC network, you can deploy the managed service instance in an attached service project.
The producer receives the consumer's connectivity configuration and passes this information to a service connection map.
The Network Connectivity Service Account creates an endpoint in the consumer VPC network. This endpoint connects to a service attachment in the producer VPC network.
Supported services
To find out whether a managed service supports service connection policies, contact the service provider. If a service supports service connection policies, the service provider can provide you with the associated service class.
Service classes, which enable producers to automate their services on behalf of consumers, are available to producers in limited Preview. For information about automating connectivity for your own managed services through service classes, contact your Google Cloud sales representative.
Service connection policies
A service connection policy is a regional Google Cloud resource. It lets a network administrator specify which producer services can be deployed and connected through service connectivity automation. If a service connection policy exists for a managed service, a consumer service administrator can deploy that service.
Service connection policies have the following fields:
- Service class: specifies the type of managed service that the policy is for. Each producer that supports service connection policies has its own globally unique service class.
- VPC network: specifies the VPC network that the policy is scoped for.
- Subnets: specifies the subnets that IP addresses for Private Service Connect endpoints are allocated from.
- Connection limit: specifies the maximum number of Private Service Connect connections that a producer can create in the policy's VPC network and region.
Specifications
Service connection policies have the following specifications:
- You can create a single service connection policy per a combination of network, region, and service class. This ensures that only one policy governs the creation of any Private Service Connect endpoint.
- If a service connection policy exists for a given service class, consumer service administrators can use the service's administrative API or UI to deploy that service and configure connectivity by using service connectivity automation.
- The subnets that are included in the service connection policy configuration provide IP addresses that are assigned to Private Service Connect endpoints. These subnets must be regular subnets, and they must be in the same region as the service connection policy. Regular subnets are different from Private Service Connect subnets.
- As a best practice, Google recommends using dedicated subnets with service connection policies. This helps ensure that the subnets' IP addresses aren't reused for different resources.
- Service connection policies can only be created in the same project as the VPC network that the policy applies to.
- If you want to use Private Service Connect service automation with multiple VPC networks that are in the same project, create a service connection policy for each network.
- You can use service connection policies with Shared VPC.
Producer configuration
The following sections describe resources that are used by service producers to configure service connectivity automation.
Service connection map
A service connection map is a producer-side resource that lets a producer specify a mapping between service attachments and Private Service Connect endpoints. This map contains a list of VPC network and project combinations that can be mapped to a list of service attachments.
Producers use service connection maps to define which consumer projects and Private Service Connect networks to use when endpoints are created through service automation.
When a consumer service administrator makes a request for a service instance to be deployed through service connectivity automation, the administrator specifies a VPC network. The managed service uses this information to update the corresponding service connection map and specify which service attachment to connect the consumer to.
Service class
A service class is a globally unique representation of a managed service type. Each producer exclusively owns their service class. Consumers reference the service class in their service connection policies, authorizing deployment and delegating connectivity to the producer.
Service classes can exist for Google published services, third-party services, and internal managed services that are self-hosted. Service connection policies can only be created for services that have a service class.
Authorization model
Service connection policies let consumers delegate the deployment of connectivity to producers. The producer does not have direct access or IAM privileges for the consumer project. Instead, the producer configures a service connection map in their own project. This lets the producer specify the consumer projects and VPC networks to deploy endpoints in.
When a service connection map is created or updated by a producer, Google Cloud makes the following authorization checks:
- The producer user who creates or updates the connection map has IAM ownership of the associated service class. This check helps prevent false representations of a public service class.
- The consumer network has a valid service connection policy that authorizes the VPC network, region, and service class that are specified by the service connection map. This check ensures that an administrator with IAM permissions to the VPC network explicitly delegates the ability to create Private Service Connect endpoints for the specified service type.
- The project that the consumer specified for connectivity in the managed service's UI or API is associated with the managed service instance. This check helps prevent spoofing or tricking a managed service into creating connectivity for unauthorized projects.
If each condition is met, the Network Connectivity Service Account creates the requested endpoints in the consumer network. The Network Connectivity Service Account is a service agent.
Limitations
- Service connection policies only support the automation of Private Service Connect endpoints within a consumer VPC network. Private Service Connect backends or service attachments are not supported.
- You cannot directly delete Private Service Connect endpoints that are created through service connectivity automation. To trigger deletion of these endpoints, decommission service connectivity.
- You can only update the subnets and connection limit for a service connection policy. If you want to update other fields, delete the policy and create a new one.
- Service connection policies supports creating endpoints with IPv4 addresses. Creating endpoints that have IPv6 addresses is not supported.
Pricing
Pricing for Private Service Connect is described on the VPC pricing page.