Publish managed services using Private Service Connect
As a service producer, you can use Private Service Connect to publish services using internal IP addresses in your VPC network. Your published services are accessible to service consumers using internal IP addresses in their VPC networks.
This guide describes how to use Private Service Connect to publish a service that is hosted on an internal TCP/UDP load balancer or an internal HTTP(S) load balancer.
If you want to publish a service that is hosted on an internal TCP/UDP load balancer on Google Kubernetes Engine, see Creating an internal TCP/UDP load balancer with Private Service Connect in the GKE documentation.
To publish a service, you do the following:
Host the service using an internal TCP/UDP load balancer or internal HTTP(S) load balancer in the service producer VPC network.
Create a service attachment in the same region as the load balancer.
There are two types of Private Service Connect endpoints that can connect to a published service:
Private Service Connect endpoint (based on a forwarding rule)
Private Service Connect endpoint with consumer HTTP(S) service controls (based on a global external HTTP(S) load balancer) (Preview)
These endpoint types require slightly different producer configurations. For more information, see Specifications.
Roles
The following IAM role provides the permissions needed to perform the tasks in this guide.
- Compute Network Admin
(
roles/compute.networkAdmin
)
Before you begin
To publish a service using Private Service Connect, the service must be hosted on backends of one of the following load balancers:
Decide whether the service should be accessible from all projects, or if you want to control which projects can access your service.
Decide which endpoint types you want to support. For more information about the service configuration requirements, see Specifications. For more information about the endpoint types, see Using Private Service Connect to publish and consume managed services.
Limitations
Packet Mirroring can't mirror packets for Private Service Connect published services traffic.
Private Service Connect endpoints with consumer HTTP(S) service controls do not appear in the list of connected clients.
If you create the Private Service Connect subnet in a Shared VPC host project, and you want to create the service attachment in a service project, you must use the Google Cloud CLI or the API to create the service attachment.
See known issues for issues and workarounds.
Specifications
The two Private Service Connect endpoint types that can connect to published services have different configuration requirements. This table summarizes the configuration that is required for a published service to support each endpoint type.
Service producer configuration | Private Service Connect endpoint (based on a forwarding rule) | Private Service Connect endpoint with HTTP(S) service controls (based on global external HTTP(S) load balancer) | |
---|---|---|---|
Service producer load balancer | |||
Supported load balancer types | Internal TCP/UDP load balancer or internal HTTP(S) load balancer | Internal TCP/UDP load balancer only | |
Supported protocols | Any traffic supported by the load balancer | Internal TCP/UDP load balancer must serve HTTPS traffic | |
Internal TCP/UDP load balancer configuration | |||
Global access | Not supported | Required | |
Multiple forwarding rules using the same IP address |
Not supported | Not supported | |
Subsetting | Not supported | Not supported | |
Session
affinity set to 2-tuple or 3-tuple |
Not supported. Configure 5-tuple session affinity1. |
Not supported. Configure 5-tuple session affinity1. |
|
Packet Mirroring | Not supported | Not supported | |
Service attachments | |||
PROXY protocol | Supported for TCP services hosted by a internal TCP/UDP load balancer. Not supported for the following configurations:
|
Not supported | |
Publish mode | |||
Automatic project approval | Endpoints from any project can connect | Endpoints from any project can connect | |
Explicit approval | Consumer projects can be accepted before or after the endpoint is created | Consumer projects must be accepted before the endpoint is created |
NONE
or CLIENT_IP_PORT_PROTO
using the Google Cloud CLI
or the API.
DNS configuration
When you publish a service (create a service attachment), you can optionally configure a DNS domain name.
You must own the domain name that you are configuring. If you specify a domain
name, but you don't own the domain, publishing the service fails. To verify
ownership, go to the Google Search
Console. For more information
about verifying domains, see Add a website
property.
The domain name that you specify in the service attachment can be a subdomain
of the domain that you verify. For example, you can register example.com
and
then create a service attachment with a domain name of us-west1.p.example.com
.
If you configure a domain name for a service, when a Private Service Connect endpoint is created that connects to that service, the following configurations are made in the service consumer's VPC network:
A Service Directory DNS zone is created for the specified domain
A DNS entry for each Private Service Connect endpoint is created in the zone
The recommended format for the domain name is
REGION.p.DOMAIN
. Because this domain name is
used to create DNS entries in the service consumer's VPC network,
it's important to use a name that doesn't conflict with any existing DNS domain
names. Using this format reduces the risk of conflicts.
For example, if the service is configured with domain name
us-west1.p.example.com
, and the service consumer creates a
Private Service Connect endpoint with the name analytics
, a DNS
record for analytics.us-west1.p.example.com
is automatically created.
The load balancer that is hosting the service must be able to accept requests directed to this domain name. If you are using an internal HTTP(S) load balancer, you might need to update the load balancer configuration to reflect the domain names that you want service consumers to use. For example, update certificates or URL maps.
Create a subnet for Private Service Connect
Create one or more dedicated subnets to use with Private Service Connect. If you're using the Google Cloud console to publish a service, you can create the subnets during that procedure.
If you need to make more IP addresses available to an existing service, see Add or remove subnets from a published service.
You can create a Private Service Connect subnet in a Shared VPC host project. However, if you want to use a host project's subnet to create a service attachment in a service project, you must use the Google Cloud CLI or the API to create the service attachment.
Console
- Go to the VPC networks page.
Go to VPC networks - Click the name of a VPC network to show its VPC network details page.
- Click Add subnet. In the panel that appears:
- Provide a Name.
- Select a Region.
- In the Purpose section, select Private Service Connect.
- Enter an IP address range. For example,
10.10.10.0/24
. - Click Add.
gcloud
gcloud compute networks subnets create SUBNET_NAME \ --network=NETWORK_NAME --region=REGION \ --range=SUBNET_RANGE --purpose=PRIVATE_SERVICE_CONNECT
Replace the following:
SUBNET_NAME
: the name to assign to the subnet.NETWORK_NAME
: the name of the VPC for the new subnet.REGION
: the region for the new subnet. This must be the same region as the service you are publishing.SUBNET_RANGE
: the IP address range to use for the subnet. For example,10.10.10.0/24
.
API
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks { "ipCidrRange": "SUBNET_RANGE", "name": "SUBNET_NAME", "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME", "purpose": "PRIVATE_SERVICE_CONNECT", }
Replace the following:
PROJECT_ID
: the project for the subnet.SUBNET_NAME
: the name to assign to the subnet.NETWORK_NAME
: the name of the VPC network for the new subnet.REGION
: the region for the new subnet. This must be the same region as the service you are publishing.SUBNET_RANGE
: the IP address range to use for the subnet. For example,10.10.10.0/24
.
Configure firewall rules
Configure firewall rules to allow traffic between the Private Service Connect endpoints and the service attachment. Client requests originate from different locations depending on the Private Service Connect endpoint type.
Endpoint type | IP address ranges for client traffic | Details |
---|---|---|
Private Service Connect endpoint (based on a forwarding rule) | The IP address ranges of the Private Service Connect subnets associated with this service. | If you are using the default network, the pre-populated
default-allow-internal rule allows this traffic, unless there is a
higher priority rule that blocks it. |
Private Service Connect endpoints with consumer HTTP(S) service controls (based on a global external HTTP(S) load balancer) |
|
global external HTTP(S) load balancers are implemented on Google Front Ends (GFEs), which use these IP address ranges. |
If your firewall configuration doesn't already allow traffic from the appropriate endpoint type, configure firewall rules to allow it.
This example configuration lets you create VPC firewall rules to allow traffic from client IP address ranges to the backend VMs in the producer service load balancer. This configuration assumes that the backend VMs have been configured with a network tag.
Example ingress rule:
gcloud compute firewall-rules create NAME \ --network=NETWORK_NAME \ --direction=ingress \ --action=allow \ --target-tags=TAG \ --source-ranges=CLIENT_IP_RANGES_LIST \ --rules=RULES
Replace the following:
NETWORK_NAME
: the network that contains the service and Private Service Connect subnet.TAG
: the target tag that is applied to the backend VMs in the producer service load balancer.CLIENT_IP_RANGES_LIST
: the IP address ranges where client traffic originates from. For more information, see the preceding table.RULES_LIST
: a comma-separated list of protocols and destination ports to which the rule applies. For example,tcp,udp
.
Example egress rule:
gcloud compute firewall-rules create NAME \ --network=NETWORK_NAME \ --direction=egress \ --action=allow \ --target-tags=TAG \ --destination-ranges=CLIENT_IP_RANGES_LIST \ --rules=RULES
Replace the following:
NETWORK_NAME
: the network that contains the service and Private Service Connect subnet.TAG
: the target tag that is applied to the backend VMs in the producer service load balancer.CLIENT_IP_RANGES_LIST
: the IP address ranges where client traffic originates from. For more information, see the preceding table.RULES_LIST
: a comma-separated list of protocols and destination ports to which the rule applies. For example,tcp,udp
.
For more information about configuring VPC firewall rules, see VPC firewall rules overview. If you want to configure hierarchical firewall rules to allow this traffic, see Hierarchical firewall policies overview.
Publish a service with automatic project approval
Use these instructions to publish a service and automatically let any consumer connect to this service. If you want to approve consumer connections explicitly, see publishing a service with explicit project approval.
When you publish a service, you create a service attachment. Service consumers use the service attachment details to connect to your service.
If you want to view consumer connection information, you can enable PROXY protocol on supported services. For information about supported services, see Specifications. For more information about PROXY protocol, see Viewing consumer connection information.
If you create a service attachment in a project that is protected by a
VPC Service Controls perimeter that restricts compute.googleapis.com
,
servicedirectory.googleapis.com
, or dns.googleapis.com
, additional
configuration is needed. For more information, see Configuring ingress and
egress rules for VPC Service Controls.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click Publish service.
Select the Load balancer type: Internal TCP/UDP Load Balancer or Internal HTTP(S) Load Balancer.
Select the Internal load balancer that hosts the service that you want to publish.
The network and region fields are populated with the details for the selected internal load balancer.
If prompted, select the Forwarding rule associated with the service that you want to publish.
For Service name, enter a name for the service attachment.
Select one or more Subnets for the service. If you want to add a new subnet, you can create one:
- Click Reserve new subnet
- Enter a Name and optional Description for the subnet.
- Select a Region for the subnet.
- Enter the IP range to use for the subnet and click Add.
If you want to view consumer connection information, select Use Proxy Protocol.
If you want to configure a domain name, enter a Domain name, including a trailing dot.
The recommended format for the domain name is
REGION.p.DOMAIN.
You must own the domain name. For more information, see DNS configuration.
Select Automatically accept connections for all projects.
Click Add service.
gcloud
gcloud compute service-attachments create ATTACHMENT_NAME \ --region=REGION \ --producer-forwarding-rule=RULE_NAME \ --connection-preference=ACCEPT_AUTOMATIC \ --nat-subnets=PSC_SUBNET_LIST \ [ --enable-proxy-protocol ] \ [ --domain-names=DOMAIN_NAME ]
Replace the following:
ATTACHMENT_NAME
: the name to assign to the service attachment.REGION
: the region for the new service attachment. This must be the same region as the service you are publishing.RULE_NAME
: the name of the forwarding rule associated with the service you are publishing.PSC_SUBNET_LIST
: a comma-separated of one or more subnets to use with this service attachment.DOMAIN_NAME
: a DNS domain name for the service, including a trailing dot. Recommended format:REGION.p.DOMAIN.
For more information, see DNS configuration.
API
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments { "name": "ATTACHMENT_NAME", "connectionPreference": "ACCEPT_AUTOMATIC", "targetService": "RULE_URI", "enableProxyProtocol": false, "natSubnets": [ "PSC_SUBNET_1_URI", "PSC_SUBNET_2_URI", ], "domainNames": [ "DOMAIN_NAME", ], }
Replace the following:
PROJECT_ID
: the project for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.REGION
: the region for the new service attachment. This must be the same region as the service you are publishing.RULE_URI
: the name of the forwarding rule associated with the service you are publishing.PSC_SUBNET_1_URI
andPSC_SUBNET_2_URI
: the subnet URIs to use for this service attachment. You can specify one or more subnets by URI.DOMAIN_NAME
: a DNS domain name for the service, including a trailing dot. Recommended format:REGION.p.DOMAIN.
For more information, see DNS configuration.
Publish a service with explicit project approval
Use these instructions to publish a service such that you must explicitly approve consumers who want to connect to this service. If you want to approve consumer connections automatically, see publishing a service with automatic project approval.
When you publish a service, you create a service attachment. Service consumers use the service attachment details to connect to your service.
If you add a project to both the accept list and the deny list, connection requests from that project are rejected.
If you want to view consumer connection information, you can enable PROXY protocol on supported services. For information about supported services, see Specifications. For more information about PROXY protocol, see Viewing consumer connection information.
If you create a service attachment in a project that is protected by a
VPC Service Controls perimeter that restricts compute.googleapis.com
,
servicedirectory.googleapis.com
, or dns.googleapis.com
, additional
configuration is needed. For more information, see Configuring ingress and
egress rules for VPC Service Controls.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click Publish service.
Select the Load balancer type: Internal TCP/UDP Load Balancer or Internal HTTP(S) Load Balancer.
Select the Internal load balancer that hosts the service that you want to publish.
The network and region fields are populated with the details for the selected internal load balancer.
If prompted, select the Forwarding rule associated with the service you want to publish.
For Service name, enter a name for the service attachment.
Select one or more Subnets for the service.
If you want to add a new subnet, you can create one:
- Click Reserve new subnet
- Enter a Name and optional Description for the subnet.
- Select a Region for the subnet.
- Enter the IP range to use for the subnet and click Add.
If you want to view consumer connection information, select the Protocols checkbox.
If you want to configure a domain name, enter a Domain name, including a trailing dot.
The recommended format for the domain name is
REGION.p.DOMAIN.
You must own the domain name. For more information, see DNS configuration.
Select Accept connections for selected projects.
Click Add accepted project and enter the details of the projects you want to allow to connect to this service:
- Project name: name of the project to allow connections from.
- Connection limit: the number of connections to allow from this project.
Click Add service.
gcloud
gcloud compute service-attachments create ATTACHMENT_NAME \ --region=REGION \ --producer-forwarding-rule=RULE_NAME \ --connection-preference=ACCEPT_MANUAL \ --consumer-accept-list=ACCEPTED_PROJECT_1=LIMIT_1,ACCEPTED_PROJECT_2=LIMIT_2 \ --consumer-reject-list=REJECTED_PROJECT_1,REJECTED_PROJECT_2 \ --nat-subnets=PSC_SUBNET_LIST \ [ --enable-proxy-protocol ] \ [--domain-names=DOMAIN_NAME]
Replace the following:
ATTACHMENT_NAME
: the name to assign to the service attachment.REGION
: the region for the new service attachment. This must be the same region as the service you are publishing.RULE_NAME
: the name of the forwarding rule associated with the service you are publishing.ACCEPTED_PROJECT_1
andACCEPTED_PROJECT_2
: the projects to accept.--consumer-accept-list
is optional and can contain one or more projects.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.REJECTED_PROJECT_1
andREJECTED_PROJECT_2
: the projects to reject.--consumer-reject-list
is optional and can contain one or more projects.PSC_SUBNET_LIST
: a comma-separated list of one or more subnets to use with this service attachment.DOMAIN_NAME
: a DNS domain name for the service, including a trailing dot. Recommended format:REGION.p.DOMAIN.
For more information, see DNS configuration.
API
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments { "name": "ATTACHMENT_NAME", "region": "REGION", "connectionPreference": "ACCEPT_MANUAL", "targetService": "RULE_URI", "enableProxyProtocol": false, "natSubnets": [ "PSC_SUBNET_1_URI", "PSC_SUBNET_2_URI", ], "consumerRejectList": [ "REJECTED_PROJECT_1", "REJECTED_PROJECT_2", ], "consumerAcceptList": [ "consumerProjectLimit": { "projectId": "ACCEPTED_PROJECT_1", "connectionsLimit": "LIMIT_2", }, "consumerProjectLimit": { "projectId": "ACCEPTED_PROJECT_2", "connectionsLimit": "LIMIT_2", }, ], "domainNames": [ "DOMAIN_NAME", ], }
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.RULE_URI
: the URI of the forwarding rule associated with the service you are publishing.PSC_SUBNET_1_URI
andPSC_SUBNET_2_URI
: the subnet URIs to use for this service attachment. You can specify one or more subnets by URI.REJECTED_PROJECT_1
andREJECTED_PROJECT_2
: the projects to reject.consumerRejectList
is optional and can contain one or more projects.ACCEPTED_PROJECT_1
andACCEPTED_PROJECT_2
: the projects to accept.consumerAcceptList
is optional and can contain one or more projects.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.DOMAIN_NAME
: a DNS domain name for the service, including a trailing dot. Recommended format:REGION.p.DOMAIN.
For more information, see DNS configuration.
Configure ingress and egress rules for VPC Service Controls
If you create a service attachment in a project that is protected by a
VPC Service Controls perimeter that restricts compute.googleapis.com
,
servicedirectory.googleapis.com
, or dns.googleapis.com
, additional
configuration is needed.
Ask the service consumer for the following information before they create a Private Service Connect endpoint:
CONSUMER_PROJECT_NUMBER
: the project number of the project where they will create the Private Service Connect endpoint.CONSUMER_SERVICE_ACCOUNT
(optional): the service account that will be used to create the Private Service Connect endpoint, if you want to configure an ingress rule that restricts access by account.
Use this information to create ingress and egress rules to allow the connection between the Private Service Connect endpoint and the service attachment to be established.
For information about configuring ingress and egress rules, see Configuring ingress and egress policies.
Configure an egress rule that allows egress from the producer project to the consumer project
CONSUMER_PROJECT_NUMBER
.- egressFrom: identityType: ANY_IDENTITY egressTo: operations: - serviceName: 'compute.googleapis.com' methodSelectors: - method: 'ServiceAttachmentsService.Insert' - method: 'ServiceAttachmentsService.Patch' - method: 'RegionForwardingRulesService.Insert' - serviceName: 'servicedirectory.googleapis.com' methodSelectors: - method: '*' - serviceName: 'dns.googleapis.com' methodSelectors: - method: '*' resources: - 'projects/CONSUMER_PROJECT_NUMBER'
Configure one of the following ingress rules:
This example ingress rule allows consumer endpoints created by
CONSUMER_SERVICE_ACCOUNT
to attempt to connect to the service attachment.- ingressFrom: sources: - accessLevel: '*' # All Sources identities: serviceAccount: CONSUMER_SERVICE_ACCOUNT ingressTo: operations: - serviceName: 'compute.googleapis.com' methodSelectors: - method: 'RegionForwardingRulesService.Insert' - serviceName: 'servicedirectory.googleapis.com' methodSelectors: - method: '*' - serviceName: 'dns.googleapis.com' methodSelectors: - method: '*' resources: - '*'
This example ingress rule allows consumer endpoints created by any account to attempt to connect to the service attachment.
- ingressFrom: sources: - accessLevel: '*' # All Sources identityType: ANY_IDENTITY ingressTo: operations: - serviceName: 'compute.googleapis.com' methodSelectors: - method: 'RegionForwardingRulesService.Insert' - serviceName: 'servicedirectory.googleapis.com' methodSelectors: - method: '*' - serviceName: 'dns.googleapis.com' methodSelectors: - method: '*' resources: - '*'
After the ingress and egress rules are configured, inform the service
consumer that they can now create a Private Service Connect
endpoint in project CONSUMER_PROJECT_NUMBER
that connects to
your service attachment.
View consumer connection information
By default, Private Service Connect translates the consumer's source IP address to an address in one of the Private Service Connect subnets in the service producer's VPC network. If you want to see the consumer's original source IP address, you can enable PROXY protocol.
Not all services support PROXY protocol. For more information, see Specifications.
If PROXY protocol is enabled, you can
get the consumer's source IP address and PSC connection ID (pscConnectionId
)
from the PROXY protocol header.
If you enable PROXY protocol, check the documentation for your backend web server software for information about parsing and processing incoming PROXY protocol headers in the client connection TCP payloads. If PROXY protocol is enabled on the service attachment, but the backend web server is not configured to process PROXY protocol headers, web requests might be malformed. If requests are malformed, the server can't interpret the request.
The pscConnectionId
is encoded in the PROXY protocol header in
Type-Length-Value
(TLV) format.
Field | Field Length | Field Value |
---|---|---|
Type | 1 byte | 0xE0 (PP2_TYPE_GCP)
|
Length | 2 bytes | 0x8 (8 bytes) |
Value | 8 bytes | The 8-byte pscConnectionId in network order |
You can view the 8-byte pscConnectionId
from the consumer forwarding
rule or
the producer service
attachment.
The pscConnectionId
is globally unique for all active connections at a given
point in time. However, over time, a pscConnectionId
might be reused in these
scenarios:
Within a given VPC network, if you delete a Private Service Connect endpoint (forwarding rule), and create a new endpoint using the same IP address, the same
pscConnectionId
might be used.If you delete a VPC network that contained Private Service Connect endpoints (forwarding rules), after a seven day waiting period, the
pscConnectionId
used for those endpoints might be used for a different endpoint in another VPC network.
You can use pscConnectionId
for debugging and to trace the source of
packets.
Also, a 16-byte PSC attachment ID is available from the producer service attachment. The PSC attachment ID is a globally unique ID that identifies a Private Service Connect service attachment. You can use the PSC attachment ID for visibility and debugging. The PSC attachment ID is not included in the PROXY protocol header.
Manage requests for access to a published service
If you have published a service with explicit project approval, you can accept or reject connection requests from consumer projects.
If you add a project to both the accept list and the deny list, connection requests from that project are rejected.
After a consumer endpoint connection is accepted for a service, the endpoint can connect to the service until the service attachment is deleted. This applies whether the project was accepted explicit or because the consumer endpoint connected when the connection preference was set to automatically accept connections.
If you remove a project from the accept list, any previously accepted consumer endpoints in that project can connect to the service. Connections from new consumer endpoints in that project must be accepted before the endpoint can connect.
If you add a project to the reject list, any previously accepted consumer endpoints in that project can connect to the service. Connections from new consumer endpoints in that project are rejected from connecting to the service.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to manage.
In the Connected projects section, the projects that have attempted to connect to this service are listed. Select the checkbox next to one or more projects and click Accept or Reject.
gcloud
Describe the service attachment you want to modify.
gcloud compute service-attachments describe \ ATTACHMENT_NAME --region=REGION
The output is similar to the following example. If there are any pending consumer connections, they are listed with status
PENDING
.In this example output, the project
CONSUMER_PROJECT_1
is in the accept list, soENDPOINT_1
is accepted and can connect to the service. The projectCONSUMER_PROJECT_2
is not on the accept list, and soENDPOINT_2
is pending. AfterCONSUMER_PROJECT_2
is added to the accept list, the status ofENDPOINT_2
changes toACCEPTED
, and the endpoint can connect to the service.connectedEndpoints: - endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_1/regions/REGION_1/forwardingRules/ENDPOINT_1 pscConnectionId: 'ENDPOINT_1_ID' status: ACCEPTED - endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_2/regions/REGION_2/forwardingRules/ENDPOINT_2 pscConnectionId: 'ENDPOINT_2_ID' status: PENDING connectionPreference: ACCEPT_MANUAL consumerAcceptLists: - connectionLimit: LIMIT_1 projectIdOrNum: CONSUMER_PROJECT_1 creationTimestamp: 'TIMESTAMP' description: 'DESCRIPTION' enableProxyProtocol: false fingerprint: FINGERPRINT id: 'ID' kind: compute#serviceAttachment name: NAME natSubnets: - https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/subnetworks/PSC_SUBNET pscServiceAttachmentId: high: 'PSC_ATTACH_ID_HIGH' low: 'PSC_ATTACH_ID_LOW' region: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION selfLink: https://www.googleapis.com/compute/v1/projects/projects/PRODUCER_PROJECT/regions/REGION/serviceAttachments/ATTACHMENT_NAME targetService: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/forwardingRules/PRODUCER_FWD_RULE
Accept or reject consumer projects.
You can specify
--consumer-accept-list
or--consumer-reject-list
, or both. You can specify multiple values in--consumer-accept-list
and--consumer-reject-list
.gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --consumer-accept-list=ACCEPTED_PROJECT_1=LIMIT_1,ACCEPTED_PROJECT_2=LIMIT_2 \ --consumer-reject-list=REJECTED_PROJECT_1,REJECTED_PROJECT_2
Replace the following:
ATTACHMENT_NAME
: the name to assign to the service attachment.REGION
: the region where the service attachment is located.ACCEPTED_PROJECT_1
andACCEPTED_PROJECT_2
: the projects to accept.consumerAcceptList
is optional and can contain one or more projects.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.REJECTED_PROJECT_1
andREJECTED_PROJECT_2
: the projects to reject.--consumer-reject-list
is optional and can contain one or more projects.
API
Describe the service attachment you want to modify.
If there are any pending consumer connections, they are listed with status
PENDING
.GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
Accept or reject the consumer projects.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME { ... "consumerAcceptLists": [ { "projectIdOrNum": "ACCEPTED_PROJECT_1" "connectionLimit": "LIMIT_1", }, { "projectIdOrNum": "ACCEPTED_PROJECT_2" "connectionLimit": "LIMIT_2", } ], "consumerRejectLists": [ "REJECTED_PROJECT_1", "REJECTED_PROJECT_2", ], ... }
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.REJECTED_PROJECT_1
andREJECTED_PROJECT_2
: the projects to reject.consumerRejectList
is optional and can contain one or more projects.ACCEPTED_PROJECT_1
andACCEPTED_PROJECT_2
: the projects to accept.consumerAcceptList
is optional and can contain one or more projects.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.
Change the connection preference for a published service
You can switch between automatic and explicit project acceptance for a published service.
Changing from automatic acceptance to explicit acceptance does not affect consumer endpoints that had connected to the service before this change. Existing consumer endpoints can connect to the published service until the service attachment is deleted. New consumer endpoints must be accepted before they can connect to the service. See Managing requests for access to a published service for more information.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to update and click Edit.
Select the connection preference that you want:
- Accept connections for selected projects
- Automatically accept connections for all projects
If you are switching to Accept connections for selected projects, you can provide details of the projects you want to allow, or add them later.
- Click Add accepted project.
- Enter the Project and the Connection limit.
Click Save.
gcloud
Change the connection preference for the service attachment from
ACCEPT_AUTOMATIC
toACCEPT_MANUAL
.You control which projects can connect to your service using
--consumer-accept-list
and--consumer-reject-list
. You can configure the accept and reject lists when you change the connection preference, or update the lists later.gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --connection-preference=ACCEPT_MANUAL \ [ --consumer-accept-list=ACCEPTED_PROJECT_1=LIMIT_1,ACCEPTED_PROJECT_2=LIMIT_2] \ [ --consumer-reject-list=REJECTED_PROJECT_1,REJECTED_PROJECT_2 ]
ATTACHMENT_NAME
: the name of the service attachment.REGION
: the region where the service attachment is located.ACCEPTED_PROJECT_1
andACCEPTED_PROJECT_2
: the projects to accept.--consumer-accept-list
is optional and can contain one or more projects.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.REJECTED_PROJECT_1
andREJECTED_PROJECT_2
: the projects to reject.--consumer-reject-list
is optional and can contain one or more projects.
Change the connection preference for the service attachment from
ACCEPT_MANUAL
toACCEPT_AUTOMATIC
.If you have values in the accept list or reject list, set them to empty when you change the connection preference (
""
).gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --connection-preference=ACCEPT_AUTOMATIC \ --consumer-accept-list="" \ --consumer-reject-list=""
ATTACHMENT_NAME
: the name of the service attachment.REGION
: the region where the service attachment is located.
API
- Change the connection preference for the service attachment from
ACCEPT_AUTOMATIC
toACCEPT_MANUAL
.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
...
"connectionPreference": "ACCEPT_MANUAL",
"consumerAcceptLists": [
{
"projectIdOrNum": "ACCEPTED_PROJECT_1"
"connectionLimit": "LIMIT_1",
},
{
"projectIdOrNum": "ACCEPTED_PROJECT_2"
"connectionLimit": "LIMIT_2",
}
],
"consumerRejectLists": [
"REJECTED_PROJECT_1",
"REJECTED_PROJECT_2",
],
...
}
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.REJECTED_PROJECT_1
andREJECTED_PROJECT_2
: the projects to reject.consumerRejectList
is optional and can contain one or more projects.ACCEPTED_PROJECT_1
andACCEPTED_PROJECT_2
: the projects to accept.consumerAcceptList
is optional and can contain one or more projects.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.Change the connection preference for the service attachment from
ACCEPT_MANUAL
toACCEPT_AUTOMATIC
.If the
consumerAcceptLists
orconsumerRejectLists
fields specify any projects, set them to empty when you change the connection preference toACCEPT_AUTOMATIC
.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
...
"connectionPreference": "ACCEPT_AUTOMATIC",
"consumerAcceptLists": [ ],
"consumerRejectLists": [ ],
...
}
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name of the service attachment.
Add or remove subnets from a published service
You can edit a published service to add or remove Private Service Connect subnets from the configuration.
For example, you might need to make more IP addresses available for an existing service. To add more addresses, do one of the following:
Create another Private Service Connect subnet, and edit the service attachment to add the new subnet.
Edit the subnet to expand the IPv4 range.
If you remove a Private Service Connect subnet from a published service, the IP addresses in the subnet are not released. The IP addresses are released only when the consumer Private Service Connect endpoints are deleted, or the client VMs that access the Private Service Connect endpoints are deleted.
If you change the subnet configuration, update your firewall rules to allow requests from the new subnets to reach the backend VMs.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to update and click Edit.
Modify the subnets used for this service.
If you want to add a new subnet, you can create one:
- Click Reserve new subnet
- Enter a Name and optional Description for the subnet.
- Select a Region for the subnet.
- Enter the IP range to use for the subnet and click Add.
Click Save.
gcloud
Update the Private Service Connect subnets that are used for this service attachment.
gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --nat-subnets=PSC_SUBNET_LIST
Replace the following:
ATTACHMENT_NAME
: the name of the service attachment.REGION
: the region where the service attachment is located.PSC_SUBNET_LIST
: a comma-separated of one or more subnets to use with this service attachment.
API
Update the Private Service Connect subnets that are used for this service attachment.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
...
"natSubnets": [
"PSC_SUBNET1_URI",
"PSC_SUBNET2_URI",
],
...
}
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.PSC_SUBNET1_URI
andPSC_SUBNET2_URI
: URIs of the subnets that you want to use with this service attachment. You can specify one or more subnets.
List published services
You can list all services.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
The Private Service Connect service attachments are displayed.
gcloud
List service attachments.
gcloud compute service-attachments list [--regions=REGION_LIST]
Replace the following:
REGION_LIST
: a comma-separated list of one or more regions that you want to view service attachments for. For example,us-central1
orus-west1,us-central1
.
API
You can view all service attachments in a given region or in all regions.
View all service attachments in a region:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments
View all service attachments in all regions:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/serviceAttachments
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name of the service attachment.
View details for a published service
You can view the configuration details of a published service. You can view some
configuration details in the Cloud console, for example, the service
attachment URI that service consumers need to connect to your service. To view
all details, including the pscConnectionId
values for the service attachment's
consumers, use the Google Cloud CLI or the API.
Console
You can view details for a published service. The Service attachment field contains the service attachment URI.
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to view.
gcloud
You can view details for a published service. The selfLink
field contains
the service attachment URI.
gcloud compute service-attachments describe \ ATTACHMENT_NAME --region=REGION
API
You can view details for a published service. The selfLink
field contains
the service attachment URI.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name of the service attachment.
Delete a published service
You can delete a published service, even if there are consumer connections to the service attachment. Deleting the published service removes the service attachment only. The associated load balancer is not deleted. When you delete a published service, the following applies:
Traffic from Private Service Connect endpoints (based on forwarding rules) is no longer sent to the load balancer.
Traffic from Private Service Connect endpoints with consumer HTTP(S) service controls (based on global external HTTP(S) load balancers) is sent to the load balancer until the load balancer is deleted.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to delete.
Click Delete.
gcloud
gcloud compute service-attachments delete \ ATTACHMENT_NAME --region=REGION
API
DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name of the service attachment.
Logging
You can enable VPC Flow Logs on the subnets that contain the backend VMs. The logs show flows between the backend VMs and IP addresses in the Private Service Connect subnet.
Known issues
- When you update a service attachment using the
PATCH
API, you must provide all fields for the service attachment in the request body, not only the fields you are updating. UseserviceAttachments.get
to retrieve all fields.