Create and manage network attachments

This page describes how consumer network administrators can create and manage Private Service Connect network attachments. Network attachments let service producer VPC networks initiate connections to consumer VPC networks.

Before you begin

  • You must enable the Compute Engine API in your project.
  • If you want to manually specify which projects can connect to a network attachment, you need to know the IDs of the projects.

Roles

To get the permissions that you need to create, view, and delete network attachments, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a subnet

When you create a network attachment, you assign it a single regular subnet. This subnet must be in the same region as the network attachment. One subnet can be shared across multiple network attachments. The subnet can be IPv4-only or dual-stack. Dual-stack subnets must use internal IPv6 ranges.

For more information on creating subnets, see Create and manage VPC networks.

Create network attachments

Network attachments are regional resources that represent the consumer side of a Private Service Connect interface connection. To successfully create a virtual machine (VM) instance, a network attachment must be in the same region as the associated Private Service Connect interface's VM.

The network attachment's connection policy determines whether a network attachment can accept a connection from a Private Service Connect interface.

You can update the subnet, accept list, reject list, and description of a network attachment.

Create a network attachment that manually accepts connections

You can create a network attachment that manually accepts connections. Before you create an attachment of this type, make sure that you know the IDs of the projects that you want to accept.

Console

  1. In the Google Cloud console, go to Private Service Connect.

  2. Click Network attachments.

  3. Click Create network attachment.

  4. Enter a Name.

  5. Select a Network.

  6. Select a Region.

  7. Select a Subnetwork.

  8. Click Accept connections for selected projects.

  9. Click Add accepted project, and then enter the ID of each project that you want to accept connections from.

  10. Optional: Click Add rejected project, and then enter the ID of each project that you want to explicitly deny connections from.

  11. Click Create network attachment.

gcloud

Use the network-attachments create command.

gcloud compute network-attachments create ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_MANUAL \
    --producer-accept-list=ACCEPTED_PROJECTS \
    --producer-reject-list=REJECTED_PROJECTS \
    --subnets=SUBNET_NAME

Replace the following:

  • ATTACHMENT_NAME: the name of the network attachment.
  • REGION: the region of the network attachment.
  • ACCEPTED_PROJECTS: IDs of the projects that can connect to this network attachment. You can include multiple values in a comma-separated list.
  • REJECTED_PROJECTS: IDs of the projects that cannot connect to this network attachment. You can include multiple values in a comma-separated list.
  • SUBNET_NAME: the name of the subnet to associate with this network attachment.

API

Make a POST request to the networkAttachments.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments
{
  "connectionPreference": "ACCEPT_MANUAL",
  "name": "ATTACHMENT_NAME",
  "producerAcceptLists": [
    "ACCEPTED_PROJECT_LIST"
  ],
  "producerRejectLists": [
    "REJECTED_PROJECT_LIST"
  ],
  "subnetworks": [
    "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME"
  ]
}

Replace the following:

  • PROJECT_ID: the ID of the project to create the network attachment in.
  • REGION: the region of the network attachment.
  • ATTACHMENT_NAME: the name of the network attachment.
  • ACCEPTED_PROJECT_LIST: IDs of the projects that can connect to this network attachment. You can include multiple IDs in the following form: "id-one", "id-two".
  • REJECTED_PROJECT_LIST: IDs of the projects that cannot connect to this network attachment. You can include multiple IDs in the following form: "id-one", "id-two".
  • SUBNET_NAME: the name of the subnet to associate with the network attachment.

Create a network attachment that automatically accepts connections

You can create a network attachment that automatically accepts connections from any Private Service Connect interface that refers to the network attachment.

Console

  1. In the Google Cloud console, go to Private Service Connect.

  2. Click Network attachments.

  3. Click Create network attachment.

  4. Enter a Name.

  5. Select a Network.

  6. Select a Region.

  7. Select a Subnetwork.

  8. Click Automatically accept connections for all projects.

  9. Click Create network attachment.

gcloud

Use the network-attachments create command.

gcloud compute network-attachments create ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_AUTOMATIC \
    --subnets=SUBNET_NAME

Replace the following:

  • ATTACHMENT_NAME: the name of the network attachment.
  • REGION: the region of the network attachment.
  • SUBNET_NAME: the name of the subnet to associate with this network attachment.

API

Make a POST request to the networkAttachments.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments
{
  "connectionPreference": "ACCEPT_AUTOMATIC",
  "name": "ATTACHMENT_NAME",
  "subnetworks": [
    "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME"
  ]
}

Replace the following:

  • PROJECT_ID: the ID of the project to create the network attachment in.
  • REGION: the region of the network attachment.
  • ATTACHMENT_NAME: the name of the network attachment.
  • SUBNET_NAME: the name of the subnet to associate with the network attachment.
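The two create procedures above, manual and automatic, differ only in the connectionPreference value and in whether producer accept and reject lists are present. The following Python is an added example, not Google Cloud's own code or tooling: it assembles the networkAttachments.insert body for either variant and runs the consistency checks an administrator would want before sending it. Two of those checks (no project on both lists, and a non-empty accept list for ACCEPT_MANUAL) are the script's own policy rather than API rules stated on this page; the subnet-region and list-only-with-ACCEPT_MANUAL checks follow directly from the text.

```python
"""Build and sanity-check a networkAttachments.insert request body.

Added example; not Google Cloud's own code or tooling. The body shape follows
the API sections above. The consistency checks (subnet region matches the
attachment region, lists only with ACCEPT_MANUAL, no project on both lists)
are this script's own policy, applied before anything is sent.
"""
import json
import re

COMPUTE_BASE = "https://compute.googleapis.com/compute/v1"

# Project IDs are 6-30 chars of lowercase letters, digits and hyphens, start
# with a letter and do not end with a hyphen. The console update steps also
# accept project numbers, so an all-digit value is accepted too.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
PROJECT_NUMBER_RE = re.compile(r"^[0-9]+$")


def valid_project_ref(value: str) -> bool:
    """True when value looks like a project ID or a project number."""
    return bool(PROJECT_ID_RE.match(value) or PROJECT_NUMBER_RE.match(value))


def subnet_url(project_id: str, region: str, subnet_name: str) -> str:
    """Full resource URL of a subnet, as the API expects in 'subnetworks'."""
    return f"{COMPUTE_BASE}/projects/{project_id}/regions/{region}/subnetworks/{subnet_name}"


def region_of_subnet(url: str):
    """Extract the region segment from a subnet resource URL (None if absent)."""
    m = re.search(r"/regions/([^/]+)/subnetworks/", url)
    return m.group(1) if m else None


def build_insert_body(name, region, subnet, preference, accept=(), reject=()):
    """Return (body, errors). body is None whenever errors is non-empty."""
    errors = []
    accept, reject = list(accept), list(reject)

    if preference not in ("ACCEPT_MANUAL", "ACCEPT_AUTOMATIC"):
        errors.append(f"unknown connectionPreference {preference!r}")

    # The subnet must live in the attachment's region (see 'Create a subnet').
    sub_region = region_of_subnet(subnet)
    if sub_region != region:
        errors.append(f"subnet region {sub_region!r} != attachment region {region!r}")

    # Accept/reject lists belong to manually accepting attachments only.
    if preference == "ACCEPT_AUTOMATIC" and (accept or reject):
        errors.append("producer accept/reject lists apply only to ACCEPT_MANUAL")
    if preference == "ACCEPT_MANUAL" and not accept:
        errors.append("ACCEPT_MANUAL with an empty accept list admits no producer project")

    for p in accept + reject:
        if not valid_project_ref(p):
            errors.append(f"invalid project ID or number {p!r}")
    overlap = sorted(set(accept) & set(reject))  # script's own policy check
    if overlap:
        errors.append(f"projects on both lists (policy conflict): {overlap}")

    if errors:
        return None, errors

    body = {"connectionPreference": preference, "name": name, "subnetworks": [subnet]}
    if preference == "ACCEPT_MANUAL":
        body["producerAcceptLists"] = accept
        if reject:
            body["producerRejectLists"] = reject
    return body, []


if __name__ == "__main__":
    # Constructed names; nothing here refers to a real project.
    sub = subnet_url("consumer-proj-01", "us-central1", "psc-attach-subnet")
    body, errs = build_insert_body(
        "attach-prod", "us-central1", sub, "ACCEPT_MANUAL",
        accept=["producer-proj-001"], reject=["producer-proj-002"],
    )
    print(json.dumps(body, indent=2) if body else "\n".join(errs))
```

The printed body is what the POST in the API sections carries; the URL it is sent to still needs PROJECT_ID and REGION substituted as described above. Running the checks before the request matters because the API section gives no hint that a region mismatch or a list supplied with ACCEPT_AUTOMATIC was the cause of a failed create.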

List network attachments

Console

  1. In the Google Cloud console, go to Private Service Connect.

  2. Click Network attachments.

gcloud

  • To list all network attachments in a project, use the network-attachments list command.

    gcloud compute network-attachments list
    
  • To list network attachments in a given region or regions, use the network-attachments list command, and specify the regions.

    gcloud compute network-attachments list \
        --regions=REGIONS
    

    Replace REGIONS with the region or regions to list network attachments in. You can include multiple regions in a comma-separated list.

API

To list network attachments in a given region, make a GET request to the networkAttachments.list method.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments

Replace the following:

  • PROJECT_ID: the ID of the project.
  • REGION: the region of the network attachment.

Describe network attachments

You can describe a network attachment to view its details, including the associated Private Service Connect interface connections. For each connection, you can see the Private Service Connect interface's assigned IP address.

Console

  1. In the Google Cloud console, go to Private Service Connect.

  2. Click Network attachments.

  3. Select a network attachment to view its details and a list of connected projects.

  4. To view individual Private Service Connect interface connections for a project, click the name of the project.

    The connection status of a project does not necessarily determine the status of Private Service Connect interface connections from that project. For example, if you add a project to the reject list after you've accepted a connection from that project, the project status is rejected, but the existing connection remains open. New connections from that project are rejected.

gcloud

Use the network-attachments describe command.

gcloud compute network-attachments describe ATTACHMENT_NAME \
    --region=REGION

Replace the following:

  • ATTACHMENT_NAME: the name of the network attachment to describe.
  • REGION: the region of the network attachment.

API

To describe a network attachment and view its details, make a GET request to the networkAttachments.get method.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments/ATTACHMENT_NAME

Replace the following:

  • PROJECT_ID: the ID of the project.
  • REGION: the region of the network attachment.
  • ATTACHMENT_NAME: the name of the network attachment.
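The console note above makes a point worth checking routinely: moving a project to the reject list leaves its existing connections open, and only new connections are refused. The following Python is an added example, not Google Cloud's tooling, that reads the JSON form of a described network attachment and lists live connections whose producer project is now on the reject list, or has dropped off the accept list of a manually accepting attachment. Field names (connectionEndpoints, projectIdOrNum, ipAddress, status, producerAcceptLists, producerRejectLists) follow the Compute Engine API's NetworkAttachment resource; the sample document itself is constructed.

```python
"""Audit a network attachment's live connections against its current lists.

Added example; not Google Cloud's tooling. The input is the JSON form of a
NetworkAttachment resource, as returned by networkAttachments.get or by
'gcloud compute network-attachments describe ... --format=json'. Field names
follow the Compute Engine API reference; every value below is constructed.
"""
import json

# Constructed describe output: producer-proj-002 was accepted earlier and has
# since been moved to the reject list, so its connection is still open (the
# case the console note above describes). producer-proj-004 was dropped from
# the accept list after connecting.
SAMPLE_DESCRIBE = json.dumps({
    "name": "attach-prod",
    "connectionPreference": "ACCEPT_MANUAL",
    "producerAcceptLists": ["producer-proj-001"],
    "producerRejectLists": ["producer-proj-002"],
    "connectionEndpoints": [
        {"projectIdOrNum": "producer-proj-001", "ipAddress": "10.10.0.5", "status": "ACCEPTED"},
        {"projectIdOrNum": "producer-proj-002", "ipAddress": "10.10.0.9", "status": "ACCEPTED"},
        {"projectIdOrNum": "producer-proj-003", "ipAddress": "10.10.0.12", "status": "REJECTED"},
        {"projectIdOrNum": "producer-proj-004", "ipAddress": "10.10.0.20", "status": "ACCEPTED"},
    ],
})


def audit_connections(describe_json: str) -> dict:
    """Classify each ACCEPTED endpoint by how the attachment's lists treat its project now.

    Returns lists of (project, ip) under three keys:
      open_from_rejected - project is on the reject list, connection still open
      open_from_unlisted - manual attachment, project no longer on the accept list
      open_ok            - connection consistent with the current lists
    """
    att = json.loads(describe_json)
    accept = set(att.get("producerAcceptLists", []))
    reject = set(att.get("producerRejectLists", []))
    manual = att.get("connectionPreference") == "ACCEPT_MANUAL"
    findings = {"open_from_rejected": [], "open_from_unlisted": [], "open_ok": []}

    for ep in att.get("connectionEndpoints", []):
        if ep.get("status") != "ACCEPTED":
            continue  # only live connections carry traffic
        proj = ep.get("projectIdOrNum")
        ip = ep.get("ipAddress") or ep.get("ipv6Address")
        if proj in reject:
            findings["open_from_rejected"].append((proj, ip))
        elif manual and proj not in accept:
            findings["open_from_unlisted"].append((proj, ip))
        else:
            findings["open_ok"].append((proj, ip))
    return findings


def report(findings: dict) -> str:
    """Human-readable summary; stale connections are listed first."""
    lines = []
    for key in ("open_from_rejected", "open_from_unlisted", "open_ok"):
        for proj, ip in findings[key]:
            lines.append(f"{key:19} {proj:20} {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_connections(SAMPLE_DESCRIBE)))
```

Feed it the output of `gcloud compute network-attachments describe ATTACHMENT_NAME --region=REGION --format=json`. Because a reject-list change does not close an existing connection, the follow-up for anything under open_from_rejected is the one the Delete section below describes: the producer has to remove the associated Private Service Connect interface.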

Update network attachments

You can update a network attachment by replacing its subnet, description, or—for network attachments that were created to manually accept connections—the accept or reject lists. If you need to update other fields, delete the network attachment, and then create a new one.

If you replace a network attachment's subnet, existing connections are not affected. Connections that are created after the update use IP addresses from the new subnet.

If you replace a network attachment's accept or reject list, existing connections are not affected. Connections that are created after the update are accepted or rejected according to the updated lists.

Console

  1. In the Google Cloud console, go to Private Service Connect.

  2. Click Network attachments.

  3. Click the network attachment that you want to update, and then click Edit.

  4. To replace the network attachment's subnetwork, click Subnetwork, and then select the new subnetwork.

  5. To update the accept list, do the following:

    1. To add a project to the accept list, click Add accepted project, and then enter the project ID or project number of the project to accept.
    2. To remove a project from the accept list, hold the pointer over the project, and then click Delete accepted project.
  6. To update the reject list, do the following:

    1. To add a project to the reject list, click Add rejected project, and then enter the project ID or project number of the project to reject.
    2. To remove a project from the reject list, hold the pointer over the project, and then click Delete rejected project.
  7. Click Update network attachment.

gcloud

Use the network-attachments update command. You can update one or more of the fields listed here, except for region, which is used to identify the network attachment. If you update a network attachment's accept or reject lists, you must replace the entire list in one update.

gcloud compute network-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --subnets=SUBNET \
    --producer-accept-list=ACCEPTED_PROJECTS \
    --producer-reject-list=REJECTED_PROJECTS \
    --description=DESCRIPTION

Replace the following:

  • ATTACHMENT_NAME: the name of the network attachment.
  • REGION: the region of the network attachment. This flag is used to identify the network attachment. You can't update the region of a network attachment.
  • SUBNET: the name of the subnet to associate with this network attachment.
  • ACCEPTED_PROJECTS: IDs of the projects that can connect to this network attachment. You can include multiple values in a comma-separated list. The list that you specify here replaces the existing accept list.
  • REJECTED_PROJECTS: IDs of the projects that cannot connect to this network attachment. You can include multiple values in a comma-separated list. The list that you specify here replaces the existing reject list.
  • DESCRIPTION: a description of the network attachment.

API

  1. Send an API request to describe the network attachment that you want to update.
  2. Note the value for the fingerprint field of the network attachment.
  3. Make a PATCH request to the networkAttachments.patch method. Omit any fields from the request body that you don't want to replace, except for fingerprint.

    PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments/ATTACHMENT_NAME
    {
      "fingerprint": "FINGERPRINT",
      "producerAcceptLists": [
        "ACCEPTED_PROJECT_LIST"
      ],
      "producerRejectLists": [
        "REJECTED_PROJECT_LIST"
      ],
      "subnetworks": [
        "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME"
      ],
      "description": "DESCRIPTION"
    }
    

    Replace the following:

    • PROJECT_ID: the ID of the project.
    • REGION: the region of the network attachment.
    • ATTACHMENT_NAME: the name of the network attachment.
    • FINGERPRINT: the value for the fingerprint field that you found in step 2.
    • ACCEPTED_PROJECT_LIST: IDs of the projects that can connect to this network attachment. You can include multiple IDs in the following form: "id-one", "id-two". Updates to this list replace any previous accepted projects list.
    • REJECTED_PROJECT_LIST: IDs of the projects that cannot connect to this network attachment. You can include multiple IDs in the following form: "id-one", "id-two". Updates to this list replace any previous rejected projects list.
    • SUBNET_NAME: the name of the new subnet to associate with the network attachment.
    • DESCRIPTION: an updated description for the network attachment.
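The three API steps above carry two rules that are easy to get wrong in automation: the PATCH must include the fingerprint taken from the most recent describe, and a list sent in the PATCH replaces the previous list whole rather than being merged. The following Python is an added example, not Google Cloud's client library, that walks the describe, fingerprint, PATCH flow against an in-memory stand-in for the API. The stand-in also refuses a PATCH whose fingerprint is no longer current, which is how the fingerprint prevents two administrators from silently overwriting each other's change; that a real fingerprint is an opaque token, and the exact error a real server returns, are not on this page and are assumed here.

```python
"""Walk the describe -> fingerprint -> PATCH update flow against an in-memory
stand-in for the networkAttachments API.

Added example; not Google Cloud's client library. The stand-in models what the
API steps above rely on: a PATCH carries only the fields to replace plus the
fingerprint, and a list sent in a PATCH replaces the previous list whole. It
also rejects a PATCH whose fingerprint is no longer current. The hash used as
a fingerprint and the error raised are this example's assumptions.
"""
import copy
import hashlib
import json


class StaleFingerprint(Exception):
    """Raised when a PATCH carries a fingerprint from a superseded read."""


class FakeNetworkAttachmentsApi:
    def __init__(self, resource: dict):
        self._res = copy.deepcopy(resource)
        self._res["fingerprint"] = self._fingerprint()

    def _fingerprint(self) -> str:
        # Stand-in: hash of the current content. The real value is opaque.
        material = {k: v for k, v in self._res.items() if k != "fingerprint"}
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()[:16]

    def get(self) -> dict:
        return copy.deepcopy(self._res)

    def patch(self, body: dict) -> dict:
        if body.get("fingerprint") != self._res["fingerprint"]:
            raise StaleFingerprint("resource changed since it was read; describe it again")
        for field, value in body.items():
            if field != "fingerprint":
                self._res[field] = copy.deepcopy(value)  # whole-field replacement
        self._res["fingerprint"] = self._fingerprint()
        return self.get()


# Constructed starting state; the names refer to no real project.
INITIAL = {
    "name": "attach-prod",
    "connectionPreference": "ACCEPT_MANUAL",
    "producerAcceptLists": ["producer-proj-001"],
    "producerRejectLists": ["producer-proj-009"],
    "description": "consumer side of the reporting service",
}


def add_to_accept_list(api: FakeNetworkAttachmentsApi, project: str) -> dict:
    """Steps 1-3 of the API procedure: read, take the fingerprint, send the full new list."""
    current = api.get()
    new_list = sorted(set(current.get("producerAcceptLists", [])) | {project})
    return api.patch({"fingerprint": current["fingerprint"], "producerAcceptLists": new_list})


def naive_add_to_accept_list(api: FakeNetworkAttachmentsApi, project: str) -> dict:
    """The mistake the variable list above warns about: sending only the new project drops the rest."""
    current = api.get()
    return api.patch({"fingerprint": current["fingerprint"], "producerAcceptLists": [project]})


def concurrent_update_is_rejected() -> bool:
    """Two administrators read the same state; the second PATCH must fail."""
    api = FakeNetworkAttachmentsApi(INITIAL)
    admin_b_view = api.get()                      # admin B reads first ...
    add_to_accept_list(api, "producer-proj-002")  # ... admin A updates ...
    try:                                          # ... B's PATCH carries the stale fingerprint
        api.patch({"fingerprint": admin_b_view["fingerprint"],
                   "producerAcceptLists": ["producer-proj-003"]})
    except StaleFingerprint:
        return True
    return False


if __name__ == "__main__":
    api = FakeNetworkAttachmentsApi(INITIAL)
    print(add_to_accept_list(api, "producer-proj-002")["producerAcceptLists"])
    print("stale PATCH rejected:", concurrent_update_is_rejected())
```

The practical consequence for scripts that manage accept lists: always read the current list, compute the complete new list, and send that together with the fingerprint from the same read; on a fingerprint error, repeat the read rather than retrying the same body.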

Delete network attachments

You can delete a network attachment if it does not have any connections. If you want to delete a network attachment that has connections, the producer must first delete the associated Private Service Connect interface.

If you delete a network attachment and then create a new one with the same name, Google Cloud treats the network attachments as two separate resources.

Console

  1. In the Google Cloud console, go to Private Service Connect.

  2. Click Network attachments.

  3. Select a network attachment, and then click Delete.

  4. Click Delete again to confirm.

gcloud

Use the network-attachments delete command.

gcloud compute network-attachments delete ATTACHMENT_NAME \
    --region=REGION

Replace the following:

  • ATTACHMENT_NAME: the name of the network attachment to delete.
  • REGION: the region of the network attachment.

API

Make a DELETE request to the networkAttachments.delete method.

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments/ATTACHMENT_NAME

Replace the following:

  • PROJECT_ID: the ID of the project.
  • REGION: the region of the network attachment.
  • ATTACHMENT_NAME: the name of the network attachment.

What's next?