Manage published services

This page describes how to manage requests for access to a published service and how to change the connection preference for a published service.

When you publish a service, you can control which consumers can connect to that service by configuring the connection preference for the service. The connection preference can be one of the following:

Automatically accept connections for all projects (ACCEPT_AUTOMATIC): any consumer can connect to the service.
Accept connections for selected projects (ACCEPT_MANUAL): you control which consumers can connect to the service.

For more information about publishing a service, see Publish managed services using Private Service Connect.

Roles

The following IAM role provides the permissions needed to perform the tasks in this guide.

Compute Network Admin (roles/compute.networkAdmin)

Manage requests for access to a published service

If you have published a service with explicit project approval, you can accept or reject connection requests from consumer projects.

If you add a project to both the accept list and the deny list, connection requests from that project are rejected.

After a consumer endpoint connection is accepted for a service, the endpoint can connect to the service until the service attachment is deleted. This applies whether the project was accepted explicit or because the consumer endpoint connected when the connection preference was set to automatically accept connections.

If you remove a project from the accept list, any previously accepted consumer endpoints in that project can connect to the service. Connections from new consumer endpoints in that project must be accepted before the endpoint can connect.
If you add a project to the reject list, any previously accepted consumer endpoints in that project can connect to the service. Connections from new consumer endpoints in that project are rejected from connecting to the service.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.serviceAttachments.update

Roles

See Roles for role information.

Console

In the Google Cloud console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Published services tab.
Click the service that you want to manage.
In the Connected projects section, the projects that have attempted to connect to this service are listed. Select the checkbox next to one or more projects and click Accept or Reject.

gcloud

Describe the service attachment you want to modify.

gcloud compute service-attachments describe \
    ATTACHMENT_NAME --region=REGION

The output is similar to the following example. If there are any pending consumer connections, they are listed with status PENDING.

In this example output, the project CONSUMER_PROJECT_1 is in the accept list, so ENDPOINT_1 is accepted and can connect to the service. The project CONSUMER_PROJECT_2 is not on the accept list, and so ENDPOINT_2 is pending. After CONSUMER_PROJECT_2 is added to the accept list, the status of ENDPOINT_2 changes to ACCEPTED, and the endpoint can connect to the service.

connectedEndpoints:
- endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_1/regions/REGION_1/forwardingRules/ENDPOINT_1
  pscConnectionId: 'ENDPOINT_1_ID'
  status: ACCEPTED
- endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_2/regions/REGION_2/forwardingRules/ENDPOINT_2
  pscConnectionId: 'ENDPOINT_2_ID'
  status: PENDING
connectionPreference: ACCEPT_MANUAL
consumerAcceptLists:
- connectionLimit: LIMIT_1
  projectIdOrNum: CONSUMER_PROJECT_1
creationTimestamp: 'TIMESTAMP'
description: 'DESCRIPTION'
enableProxyProtocol: false
fingerprint: FINGERPRINT
id: 'ID'
kind: compute#serviceAttachment
name: NAME
natSubnets:
- https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/subnetworks/PSC_SUBNET
pscServiceAttachmentId:
  high: 'PSC_ATTACH_ID_HIGH'
  low: 'PSC_ATTACH_ID_LOW'
region: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION
selfLink: https://www.googleapis.com/compute/v1/projects/projects/PRODUCER_PROJECT/regions/REGION/serviceAttachments/ATTACHMENT_NAME
targetService: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/forwardingRules/PRODUCER_FWD_RULE

Accept or reject consumer projects.

You can specify --consumer-accept-list or --consumer-reject-list, or both. You can specify multiple values in --consumer-accept-list and --consumer-reject-list.
```
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --consumer-accept-list=ACCEPTED_PROJECT_1=LIMIT_1,ACCEPTED_PROJECT_2=LIMIT_2 \
    --consumer-reject-list=REJECTED_PROJECT_1,REJECTED_PROJECT_2
```
Replace the following:
- ATTACHMENT_NAME: the name to assign to the service attachment.
- REGION: the region where the service attachment is located.
- ACCEPTED_PROJECT_1 and ACCEPTED_PROJECT_2: the projects to accept. consumerAcceptList is optional and can contain one or more projects.
- LIMIT_1 and LIMIT_2: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.
- REJECTED_PROJECT_1 and REJECTED_PROJECT_2: the projects to reject. --consumer-reject-list is optional and can contain one or more projects.

API

Describe the service attachment you want to modify.

If there are any pending consumer connections, they are listed with status PENDING.
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
Accept or reject the consumer projects.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "consumerAcceptLists": [
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_1"
      "connectionLimit": "LIMIT_1",
    },
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_2"
      "connectionLimit": "LIMIT_2",
    }
  ],
  "consumerRejectLists": [
    "REJECTED_PROJECT_1",
    "REJECTED_PROJECT_2",
  ],
  ...
}
```
Replace the following:
- PROJECT_ID: the project for the service attachment.
- REGION: the region for the service attachment.
- ATTACHMENT_NAME: the name to assign to the service attachment.
- REJECTED_PROJECT_1 and REJECTED_PROJECT_2: the projects to reject. consumerRejectList is optional and can contain one or more projects.
- ACCEPTED_PROJECT_1 and ACCEPTED_PROJECT_2: the projects to accept. consumerAcceptList is optional and can contain one or more projects.
- LIMIT_1 and LIMIT_2: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.

Change the connection preference for a published service

You can switch between automatic and explicit project acceptance for a published service.

Changing from automatic acceptance to explicit acceptance does not affect consumer endpoints that had connected to the service before this change. Existing consumer endpoints can connect to the published service until the service attachment is deleted. New consumer endpoints must be accepted before they can connect to the service. See Managing requests for access to a published service for more information.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.serviceAttachments.update

Roles

See Roles for role information.

Console

In the Google Cloud console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Published services tab.
Click the service that you want to update and click Edit.
Select the connection preference that you want:
- Accept connections for selected projects
- Automatically accept connections for all projects
If you are switching to Accept connections for selected projects, you can provide details of the projects you want to allow, or add them later.
1. Click Add accepted project.
2. Enter the Project and the Connection limit.
Click Save.

gcloud

Change the connection preference for the service attachment from ACCEPT_AUTOMATIC to ACCEPT_MANUAL.

You control which projects can connect to your service using --consumer-accept-list and --consumer-reject-list. You can configure the accept and reject lists when you change the connection preference, or update the lists later.
```
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_MANUAL \
    [ --consumer-accept-list=ACCEPTED_PROJECT_1=LIMIT_1,ACCEPTED_PROJECT_2=LIMIT_2] \
    [ --consumer-reject-list=REJECTED_PROJECT_1,REJECTED_PROJECT_2 ]
```
Replace the following:
- ATTACHMENT_NAME: the name of the service attachment.
- REGION: the region where the service attachment is located.
- ACCEPTED_PROJECT_1 and ACCEPTED_PROJECT_2: the projects to accept. --consumer-accept-list is optional and can contain one or more projects.
- LIMIT_1 and LIMIT_2: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.
- REJECTED_PROJECT_1 and REJECTED_PROJECT_2: the projects to reject. --consumer-reject-list is optional and can contain one or more projects.
Change the connection preference for the service attachment from ACCEPT_MANUAL to ACCEPT_AUTOMATIC.

If you have values in the accept list or reject list, set them to empty when you change the connection preference ("").
```
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_AUTOMATIC \
    --consumer-accept-list="" \
    --consumer-reject-list=""
```
Replace the following:
- ATTACHMENT_NAME: the name of the service attachment.
- REGION: the region where the service attachment is located.

API

Change the connection preference for the service attachment from ACCEPT_AUTOMATIC to ACCEPT_MANUAL.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "connectionPreference": "ACCEPT_MANUAL",
  "consumerAcceptLists": [
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_1"
      "connectionLimit": "LIMIT_1",
    },
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_2"
      "connectionLimit": "LIMIT_2",
    }
  ],
  "consumerRejectLists": [
    "REJECTED_PROJECT_1",
    "REJECTED_PROJECT_2",
  ],
  ...
}
```
Replace the following:
- PROJECT_ID: the project for the service attachment.
- REGION: the region for the service attachment.
- ATTACHMENT_NAME: the name to assign to the service attachment.
- REJECTED_PROJECT_1 and REJECTED_PROJECT_2: the projects to reject. consumerRejectList is optional and can contain one or more projects.
- ACCEPTED_PROJECT_1 and ACCEPTED_PROJECT_2: the projects to accept. consumerAcceptList is optional and can contain one or more projects.
- LIMIT_1 and LIMIT_2: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.
Change the connection preference for the service attachment from ACCEPT_MANUAL to ACCEPT_AUTOMATIC.

If the consumerAcceptLists or consumerRejectLists fields specify any projects, set them to empty when you change the connection preference to ACCEPT_AUTOMATIC.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "connectionPreference": "ACCEPT_AUTOMATIC",
  "consumerAcceptLists": [ ],
  "consumerRejectLists": [ ],
  ...
}
```
Replace the following:
- PROJECT_ID: the project for the service attachment.
- REGION: the region for the service attachment.
- ATTACHMENT_NAME: the name of the service attachment.

Add or remove subnets from a published service

You can edit a published service to add or remove Private Service Connect subnets from the configuration.

For example, you might need to make more IP addresses available for an existing service. To add more addresses, do one of the following:

Create another Private Service Connect subnet, and edit the service attachment to add the new subnet.
Edit the subnet to expand the IPv4 range.

If you remove a Private Service Connect subnet from a published service, the IP addresses in the subnet are not released. The IP addresses are released only when the consumer Private Service Connect endpoints are deleted, or the client VMs that access the Private Service Connect endpoints are deleted.

If you change the subnet configuration, update your firewall rules to allow requests from the new subnets to reach the backend VMs.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.serviceAttachments.update

Roles

See Roles for role information.

Console

In the Google Cloud console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Published services tab.
Click the service that you want to update and click Edit.
Modify the subnets used for this service.

If you want to add a new subnet, you can create one:
1. Click Reserve new subnet
2. Enter a Name and optional Description for the subnet.
3. Select a Region for the subnet.
4. Enter the IP range to use for the subnet and click Add.
Click Save.

gcloud

Update the Private Service Connect subnets that are used for this service attachment.

gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --nat-subnets=PSC_SUBNET_LIST

Replace the following:

ATTACHMENT_NAME: the name of the service attachment.
REGION: the region where the service attachment is located.
PSC_SUBNET_LIST: a comma-separated of one or more subnets to use with this service attachment.

API

Update the Private Service Connect subnets that are used for this service attachment.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME

{
  ...
  "natSubnets": [
    "PSC_SUBNET1_URI",
    "PSC_SUBNET2_URI",
  ],
  ...
}

Replace the following:

PROJECT_ID: the project for the service attachment.
REGION: the region for the service attachment.
ATTACHMENT_NAME: the name to assign to the service attachment.
PSC_SUBNET1_URI and PSC_SUBNET2_URI: URIs of the subnets that you want to use with this service attachment. You can specify one or more subnets.