About service connection policies

This page provides an overview of service connection policies.

Service consumers can create service connection policies that automate deployment and connectivity for eligible managed service instances. This process is called Private Service Connect service connectivity automation.

For example, a consumer service administrator might be a database administrator who deploys a database and then configures Private Service Connect to reach that database. However, the database administrator might not have the Identity and Access Management (IAM) permissions, or the networking knowledge, required to deploy networking resources. If a service connection policy exists, and the producer service is configured for service automation, then the database administrator can request that an instance of the producer service be deployed and connected to their network through service connectivity automation, without touching the network resources directly.

Service connection policies are useful for the following roles:

  • Consumer service administrators can deploy instances of managed producer services and configure connectivity to them through the administrative API or UI of the producer service. There is no additional step to configure Private Service Connect.
  • Network administrators can create a single set of policies that control which services and subnets are used for connectivity.
  • Service producers can simplify the process of sharing service attachments and guiding consumers through connectivity deployment. Consumers with service connection policies can configure a producer service by using the producer's administrative API or UI.

Service instance deployment

Deploying an instance of a managed service by using service connection policies involves the following steps, which are shown in figure 1:

  1. A consumer network administrator creates a service connection policy for their VPC network. This policy lets Google automatically deploy Private Service Connect endpoints on behalf of a consumer service administrator.
  2. The service connection policy references a service class—a globally unique resource that identifies a specific producer service. A single service connection policy is scoped to a single service class and a single consumer VPC network, which delegates the ability to configure connectivity within that scope.
  3. A consumer service administrator deploys a managed service instance and configures connectivity to that instance by using the service's administrative API or UI.
  4. The producer receives the consumer's connectivity configuration and records it in a service connection map, which names the service attachment that the consumer should be connected to.
  5. Private Service Connect service connectivity automation creates an endpoint in the consumer VPC network. This endpoint connects to a service attachment in the producer VPC network.
Figure 1. A network administrator creates a service connection policy. A consumer service administrator can then deploy managed service instances by using that service's administrative API or UI.

Supported services

Service connection policies are available in Preview. To find out whether a managed service supports service connection policies, contact the service provider. If the service supports them, the provider can give you its service class, which you reference when you create a policy.

Service classes, which enable producers to automate their services on behalf of consumers, are available to producers in limited Preview. For information about automating connectivity for your own managed services through service classes, contact your Google Cloud sales representative.

Service connection policies

A service connection policy is a regional Google Cloud resource. It lets a network administrator specify which producer services can be deployed and connected through service connectivity automation. If a service connection policy exists for a managed service, a consumer service administrator can deploy that service without needing IAM permissions for the consumer VPC network in which the Private Service Connect endpoint is created.

Service connection policies have the following fields:

  • Service class: specifies the type of managed service that the policy is for. Each producer that supports service connection policies has its own globally unique service class.
  • VPC network: specifies the VPC network that the policy is scoped for.
  • Subnet: specifies the subnet that Private Service Connect IP addresses are allocated from.

Specifications

Service connection policies have the following specifications:

  • The subnet that's used for Private Service Connect IP addresses must be a regular, user-created subnet with a purpose set to None in the Google Cloud console or PRIVATE in the Google Cloud CLI. This subnet's IP addresses can also be used for other purposes, such as deploying VMs. This consumer subnet is different from a Private Service Connect NAT subnet, which has a purpose of PRIVATE_SERVICE_CONNECT.
  • You can create a single service connection policy per combination of network, region, and service class. This ensures that exactly one policy governs the creation of any given Private Service Connect endpoint.
  • If you want to use Private Service Connect service automation with multiple VPC networks that are in the same project, create a service connection policy for each network.
  • Service connection policies can only be created in the same project as the VPC network that the policy applies to.

Producer configuration

The following sections describe resources that are used by service producers to configure service connectivity automation.

Service connection map

A service connection map is a producer-side resource that lets a producer specify a mapping between service attachments and Private Service Connect endpoints. This map contains a list of VPC network and project combinations that can be mapped to a list of service attachments.

Producers use service connection maps to define which consumer projects and Private Service Connect networks to use when endpoints are created through service automation.

When a consumer service administrator makes a request for a service instance to be deployed through service connectivity automation, the administrator specifies a VPC network. The managed service uses this information to update the corresponding service connection map and specify which service attachment to connect the consumer to.

Service class

A service class is a globally unique representation of a managed service type. Each producer exclusively owns their service class. Consumers reference the service class in their service connection policies, authorizing deployment and delegating connectivity to the producer.

Service classes can exist for Google services, third-party services, and internal managed services that are self-hosted. Service connection policies can only be created for specific services that have a service class.

Authorization model

Service connection policies let consumers delegate the deployment of connectivity to producers. The producer does not have direct access or IAM privileges for the consumer project. Instead, the producer configures a service connection map in their own project. This lets the producer specify the consumer projects and VPC networks to deploy endpoints in.

When a service connection map is created or updated by a producer, Google Cloud makes the following authorization checks:

  • The producer user who creates or updates the connection map has IAM ownership of the associated service class. This check prevents a caller from falsely representing a public service class that it does not own.
  • The consumer network has a valid service connection policy that authorizes the VPC network, region, and service class that are specified by the service connection map. This check ensures that an administrator with IAM permissions to the VPC network explicitly delegates the ability to create Private Service Connect endpoints for the specified service type.
  • The project that the consumer specified for connectivity in the managed service's UI or API is associated with the managed service instance. This check helps prevent spoofing or tricking a managed service into creating connectivity for unauthorized projects.

If all three checks pass, a Google-managed service account creates the requested endpoints in the consumer network; if any check fails, no endpoint is created.
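The following Python is an added illustration of the specifications in the "Specifications" section and of the three authorization checks above, run over constructed sample data. It is not Google Cloud code: the class names, the in-memory PolicyStore, the project, network and service class names, and the error strings are all assumptions chosen to make the checks concrete.

```python
# Added illustration of the service connection policy specifications and the
# authorization checks for a service connection map. Not Google Cloud code:
# class names, the in-memory store and the error strings are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

REGULAR_SUBNET = "PRIVATE"  # purpose the gcloud CLI reports for a regular subnet


@dataclass(frozen=True)
class Subnet:
    name: str
    region: str
    purpose: str  # "PRIVATE" for a regular subnet, "PRIVATE_SERVICE_CONNECT" for a NAT subnet


@dataclass(frozen=True)
class ServiceConnectionPolicy:
    """Consumer-side, regional resource: one service class, one VPC network, one subnet."""
    project: str          # project the policy is created in
    network_project: str  # project that owns the VPC network
    network: str
    region: str
    service_class: str
    subnet: Subnet


@dataclass(frozen=True)
class ServiceConnectionMap:
    """Producer-side resource: maps a consumer project and network to a service attachment."""
    producer_user: str
    service_class: str
    region: str
    consumer_project: str
    consumer_network: str
    service_attachment: str


class PolicyStore:
    """Holds a consumer's policies and enforces the specifications when one is created."""

    def __init__(self) -> None:
        self._policies: Dict[Tuple[str, str, str, str], ServiceConnectionPolicy] = {}

    def create(self, p: ServiceConnectionPolicy) -> None:
        if p.project != p.network_project:
            raise ValueError("policy must be created in the project that owns the VPC network")
        if p.subnet.purpose != REGULAR_SUBNET:
            raise ValueError(f"subnet {p.subnet.name} has purpose {p.subnet.purpose}; "
                             "a regular (PRIVATE) subnet is required")
        if p.subnet.region != p.region:
            raise ValueError("subnet must be in the policy's region")
        key = (p.network_project, p.network, p.region, p.service_class)
        if key in self._policies:  # policies cannot be updated: delete and recreate instead
            raise ValueError("only one policy per network, region and service class")
        self._policies[key] = p

    def find(self, network_project: str, network: str, region: str,
             service_class: str) -> Optional[ServiceConnectionPolicy]:
        return self._policies.get((network_project, network, region, service_class))


def try_create(store: PolicyStore, p: ServiceConnectionPolicy) -> Optional[str]:
    """Create a policy and return None on success, or the rejection reason."""
    try:
        store.create(p)
        return None
    except ValueError as e:
        return str(e)


def authorize_map(m: ServiceConnectionMap, store: PolicyStore,
                  class_owners: Dict[str, str],
                  instance_projects: Dict[str, Set[str]]) -> List[str]:
    """Return the checks that fail for a map create/update; an empty list means allowed."""
    failures: List[str] = []
    # 1. The caller must own the service class, so nobody can pose as a public service.
    if class_owners.get(m.service_class) != m.producer_user:
        failures.append("caller does not own service class")
    # 2. The consumer network administrator must have delegated this class in this region.
    if store.find(m.consumer_project, m.consumer_network, m.region, m.service_class) is None:
        failures.append("no service connection policy for network, region and service class")
    # 3. The consumer project must be the one that requested the service instance.
    if m.consumer_project not in instance_projects.get(m.service_attachment, set()):
        failures.append("consumer project not associated with the service instance")
    return failures


def run_example() -> Dict[str, List[str]]:
    """Constructed scenario: made-up project, network, service class and attachment names."""
    store = PolicyStore()
    store.create(ServiceConnectionPolicy(
        project="consumer-proj", network_project="consumer-proj", network="prod-vpc",
        region="us-central1", service_class="example-db-class",
        subnet=Subnet("app-subnet", "us-central1", REGULAR_SUBNET)))
    owners = {"example-db-class": "producer-sa@example.iam"}
    attachment = "projects/producer-proj/regions/us-central1/serviceAttachments/db-1"
    instances = {attachment: {"consumer-proj"}}  # projects that requested an instance behind db-1
    base = dict(producer_user="producer-sa@example.iam", service_class="example-db-class",
                region="us-central1", consumer_project="consumer-proj",
                consumer_network="prod-vpc", service_attachment=attachment)
    scenarios = {
        "allowed": base,
        "impostor": {**base, "producer_user": "mallory@example.iam"},
        "wrong_region": {**base, "region": "europe-west1"},
        "other_project": {**base, "consumer_project": "other-proj"},
    }
    return {name: authorize_map(ServiceConnectionMap(**kw), store, owners, instances)
            for name, kw in scenarios.items()}
```

In the "other_project" scenario two checks fail at once: the other project has no policy for this service class, and it never requested the instance, so even a producer that owns the class cannot direct an endpoint into a network that did not delegate to it.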

Limitations

  • Service connection policies only automate Private Service Connect endpoints in a consumer VPC network. They do not automate Private Service Connect backends or service attachments.
  • Service connection policies cannot be updated. To change a policy, delete it and create a new one.
  • You can delete a Private Service Connect endpoint that was created through a service connection map, but the endpoint is not automatically recreated.

Pricing

Pricing for Private Service Connect is described on the VPC pricing page.

What's next