About service connection policies

This page provides an overview of service connection policies.

Service consumers can create service connection policies that automate deployment and connectivity for eligible managed service instances. This process is called Private Service Connect service connectivity automation.

For example, a consumer service administrator might be a database administrator who deploys a database and then configures Private Service Connect to reach that database. However, the database administrator might not have required Identity and Access Management (IAM) credentials or knowledge of how to deploy networking resources. If a service connection policy exists, and the producer service is configured for service automation, then the database administrator can request that an instance of the producer service be deployed and connected to their network through service connectivity automation.

Service connection policies are useful for the following roles:

  • Consumer service administrators can deploy instances of managed producer services and configure connectivity to them through the administrative API or UI of the producer service. There is no additional step to configure Private Service Connect.
  • Network administrators can create a single set of policies that control which services and subnets are used for connectivity.
  • Service producers can simplify the process of sharing service attachments and guiding consumers through connectivity deployment. Consumers with service connection policies can configure a producer service by using the producer's administrative API or UI.

Service instance deployment

Deploying an instance of a managed service by using service connection policies involves the following steps, which are shown in figure 1:

  1. A consumer network administrator creates a service connection policy for their VPC network. This policy lets Google automatically deploy Private Service Connect endpoints on behalf of a consumer service administrator.
  2. The service connection policy references a service class—a globally unique resource that identifies a specific producer service. A single service connection policy is scoped to a single service class and a single consumer VPC network, which delegates the ability to configure connectivity within that scope.
  3. A consumer service administrator deploys a managed service instance and configures connectivity to that instance by using the service's administrative API or UI.
  4. The producer receives the consumer's connectivity configuration and passes this information to a service connection map.
  5. Private Service Connect service connectivity automation creates an endpoint in the consumer VPC network. This endpoint connects to a service attachment in the producer VPC network.
Figure 1. A network administrator creates a service connection policy. A consumer service administrator can then deploy managed service instances by using that service's administrative API or UI.

Supported services

Service connection policies are available in Preview. To find out if a managed service supports service connection policies, contact the service provider. A managed service can provide you with their service class if they support service connection policies.

Service classes, which enable producers to automate their services on behalf of consumer, are available to producers in limited Preview. For information about automating connectivity for your own managed services through service classes, contact your Google Cloud sales representative.

Service connection policies

A service connection policy is a regional Google Cloud resource. It lets a network administrator specify which producer services can be deployed and connected through service connectivity automation. If a service connection policy exists for a managed service, a consumer service administrator can deploy that service.

Service connection policies have the following fields:

  • Service class: specifies the type of managed service that the policy is for. Each producer that supports service connection policies has its own globally unique service class.
  • VPC network: specifies the VPC network that the policy is scoped for.
  • Subnets: specifies the subnets that IP addresses for Private Service Connect endpoints are allocated from.
  • Connection limit: specifies the maximum number of Private Service Connect connections that a producer can create in the policy's VPC network and region.

Specifications

Service connection policies have the following specifications:

  • The subnets that are included in the service connection policy configuration provide IP addresses that are assigned to Private Service Connect endpoints. These subnets must be regular subnets, and they must be in the same region as the service connection policy. The subnets' IP addresses can also be used for other purposes such as deploying VMs. These consumer subnets are different than Private Service Connect subnets.
  • You can create a single service connection policy per a combination of network, region, and service class. This ensures that only one policy governs the creation of any Private Service Connect endpoint.
  • If you want to use Private Service Connect service automation with multiple VPC networks that are in the same project, create a service connection policy for each network.
  • Service connection policies can only be created in the same project as the VPC network that the policy applies to.
  • Service connection policies support Shared VPC, but additional configuration is required.

Producer configuration

The following sections describe resources that are used by service producers to configure service connectivity automation.

Service connection map

A service connection map is a producer-side resource that lets a producer specify a mapping between service attachments and Private Service Connect endpoints. This map contains a list of VPC network and project combinations that can be mapped to a list of service attachments.

Producers use service connection maps to define which consumer projects and Private Service Connect networks to use when endpoints are created through service automation.

When a consumer service administrator makes a request for a service instance to be deployed through service connectivity automation, the administrator specifies a VPC network. The managed service uses this information to update the corresponding service connection map and specify which service attachment to connect the consumer to.

Service class

A service class is a globally unique representation of a managed service type. Each producer exclusively owns their service class. Consumers reference the service class in their service connection policies, authorizing deployment and delegating connectivity to the producer.

Service classes can exist for Google published services, third-party services, and internal managed services that are self-hosted. Service connection policies can only be created for services that have a service class.

Authorization model

Service connection policies let consumers delegate the deployment of connectivity to producers. The producer does not have direct access or IAM privileges for the consumer project. Instead, the producer configures a service connection map in their own project. This lets the producer specify the consumer projects and VPC networks to deploy endpoints in.

When a service connection map is created or updated by a producer, Google Cloud makes the following authorization checks:

  • The producer user who creates or updates the connection map has IAM ownership of the associated service class. This check helps prevent false representations of a public service class.
  • The consumer network has a valid service connection policy that authorizes the VPC network, region, and service class that are specified by the service connection map. This check ensures that an administrator with IAM permissions to the VPC network explicitly delegates the ability to create Private Service Connect endpoints for the specified service type.
  • The project that the consumer specified for connectivity in the managed service's UI or API is associated with the managed service instance. This check helps prevent spoofing or tricking a managed service into creating connectivity for unauthorized projects.

If each condition is met, the Network Connectivity Service Account creates the requested endpoints in the consumer network. The Network Connectivity Service Account is a Google-managed service account.

Limitations

  • Service connection policies only support the automation of Private Service Connect endpoints within a consumer VPC network. Private Service Connect backends or service attachments are not supported.
  • You cannot directly delete Private Service Connect endpoints that are created through service connectivity automation. To trigger deletion of these endpoints, decommission service connectivity.
  • You can only update the subnets and connection limit for a service connection policy. If you want to update other fields, delete the policy and create a new one.

Pricing

Pricing for Private Service Connect is described on the VPC pricing page.

What's next