Deploy a managed service instance by using service connection policies
This page describes how a consumer service administrator can deploy an instance of a managed service and configure connectivity by using service connection policies.
Before you begin
Make sure that the managed service that you want to deploy supports service connection policies. Making services available for deployment by using service connection maps is available in a limited Preview. For more information about the services that support service connection maps, see Supported services.
You also need a service connection policy for the VPC network, region, and managed service that you want to deploy.
Required roles
Consumer service administrators don't need any IAM permissions for the VPC network, because the service connection policy delegates those permissions. However, IAM permissions might be required for specific managed services that are deployed by using service connection policies. For information about the IAM permissions that a specific managed service requires, see that service's documentation.
Deploy a managed service instance and configure connectivity
If a service connection policy exists for a service, a consumer service administrator can deploy a managed service instance and configure its connectivity directly through the administrative API or UI of the managed service.
To deploy managed service connectivity, follow these steps. The steps might vary depending on the managed service.
1. In the administrative API or UI of the managed service, specify Private Service Connect as your connectivity type. The service might provide the option to specify the VPC network in which the Private Service Connect endpoints are deployed. A service connection policy must exist for this VPC network, region, and service class; otherwise, the service producer represented by the service class is not authorized to deploy connectivity on your behalf.
2. If all authorization checks pass, connectivity is deployed. The Network Connectivity Service Account creates an internal IP address and a Private Service Connect endpoint in the specified VPC network.
The lifecycle of the endpoint matches the lifecycle of the managed service instance. The endpoint remains active and stable unless you reconfigure connectivity or decommission the service instance.
3. After the Network Connectivity Service Account creates the endpoint, the endpoint's forwarding rule is visible in the project that you configured in step 1. This forwarding rule indicates that the producer accepted the connection, and it includes the IP address that was assigned to your endpoint.
The names of all forwarding rules that are created by using service connection policies start with sca-auto-. The following is an example of a forwarding rule that was created by using a service connection policy:

```
kind: compute#forwardingRule
name: sca-auto-ab3f45d
IPAddress: 10.33.2.8
allowPscGlobalAccess: true
network: https://www.googleapis.com/compute/v1/projects/consumer-project/global/networks/vpc1
pscConnectionStatus: ACCEPTED
region: https://www.googleapis.com/compute/v1/projects/consumer-project/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/consumer-project/regions/us-central1/forwardingRules/sca-auto-ab3f45d
serviceDirectoryRegistrations:
- namespace: goog-psc-default
target: https://www.googleapis.com/compute/v1/projects/producer-project/regions/us-central1/serviceAttachments/producer-sa
```
4. Your service might provide information about how to connect to the new endpoint, for example by providing an IP address. Use the provided IP address to communicate with your service through internal IP addresses within Google Cloud.
For more information about how to configure a specific service, see that service's documentation.
Caution: The managed service fully controls the lifecycle of the Private Service Connect endpoints and IP addresses that are deployed by using service connection policies. Don't directly delete or update these Google Cloud resources, or you risk losing connectivity to your managed service instance. All actions to add, remove, or update connectivity for a managed service instance should be taken through the administrative API or UI of the managed service.
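A read-only way to check what the automation deployed, as an added example that is not part of this page or of Google's tooling: it audits forwarding rules in the shape returned by `gcloud compute forwarding-rules list --filter="name~^sca-auto-" --format=json` (the filter expression is an assumption), keeps only the sca-auto- rules, reports which endpoints are ACCEPTED and usable at their IP, and flags rules whose connection is not yet accepted or whose target service attachment belongs to a producer project you did not expect. The sample JSON is constructed; rule names, IPs and project ids are hypothetical.

```python
"""Read-only audit of the Private Service Connect endpoints that service
connectivity automation created (forwarding rules named sca-auto-*)."""
import json
from urllib.parse import urlparse

BASE = "https://www.googleapis.com/compute/v1/projects"
# Constructed sample in the shape returned by
#   gcloud compute forwarding-rules list --filter="name~^sca-auto-" --format=json
# (rule names, IPs and project ids are hypothetical; unused fields omitted).
SAMPLE_RULES_JSON = json.dumps([
    {"name": "sca-auto-ab3f45d", "IPAddress": "10.33.2.8",
     "pscConnectionStatus": "ACCEPTED",
     "target": f"{BASE}/producer-project/regions/us-central1/serviceAttachments/producer-sa"},
    {"name": "sca-auto-9c1e2f0", "IPAddress": "10.33.2.9",
     "pscConnectionStatus": "PENDING",   # producer has not accepted yet
     "target": f"{BASE}/producer-project/regions/us-central1/serviceAttachments/producer-sa"},
    {"name": "sca-auto-77aa0b1", "IPAddress": "10.33.2.10",
     "pscConnectionStatus": "ACCEPTED",
     "target": f"{BASE}/unknown-project/regions/us-central1/serviceAttachments/other-sa"},
    {"name": "fr-manual-web", "IPAddress": "10.33.5.1",   # not automation-managed
     "pscConnectionStatus": "ACCEPTED",
     "target": f"{BASE}/consumer-project/regions/us-central1/backendServices/web"},
])

def project_of(resource_url):
    """Project id from a Compute Engine resource URL (None if not present)."""
    parts = urlparse(resource_url).path.split("/")
    return parts[parts.index("projects") + 1] if "projects" in parts else None

def audit_sca_rules(rules_json, allowed_producers):
    """Return (ready, findings): ready maps accepted, expected endpoints to
    their IP; findings lists (rule name, reason) pairs that need review."""
    ready, findings = {}, []
    for rule in json.loads(rules_json):
        name = rule.get("name", "")
        if not name.startswith("sca-auto-"):
            continue  # created by something other than the automation; skip
        producer = project_of(rule.get("target", ""))
        status = rule.get("pscConnectionStatus")
        if producer not in allowed_producers:
            # An endpoint pointing at a producer you did not authorize is the
            # first thing to review, whatever its connection status.
            findings.append((name, f"target service attachment in unexpected project {producer}"))
        elif status != "ACCEPTED":
            findings.append((name, f"connection not accepted (status {status})"))
        else:
            ready[name] = rule["IPAddress"]
    return ready, findings
```

Pass the set of producer projects that your service connection policies are meant to authorize as `allowed_producers`; the audit only reads the listing and never modifies the forwarding rules.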
Decommission service connectivity
To decommission service connectivity, or to decommission a managed service instance that's deployed by using service connection policies, use the administrative API or UI of the managed service. Delete each service instance that's associated with the managed service. When service instances are deleted, Google Cloud deletes the associated connections and endpoints.
Troubleshooting
This section contains information about troubleshooting connections that are created through service connectivity automation.
Endpoint creation or deletion failure
If authorized endpoints are not created or deleted as you expect, describe the service connection policy. The pscConnections field contains details about any blocking errors and how you can resolve them.
After any issues are resolved, the endpoint is created or deleted the next time service connectivity automation automatically retries the operation.
Alternatively, if you don't want to wait for the retry process, you can use the administrative API or UI of the managed service you are deploying to request deployment and connectivity for another service instance, using a valid configuration.
Last updated: 2024-12-06 (UTC)