Manage published services
This page describes how to manage requests for access to a published service and how to change the connection preference for a published service.
When you publish a service, you can control which consumers can connect to that service by configuring the connection preference for the service. The connection preference can be one of the following:
- Automatically accept connections for all projects (`ACCEPT_AUTOMATIC`): any consumer can connect to the service.
- Accept connections for selected projects (`ACCEPT_MANUAL`): you control which consumers can connect to the service.
For more information about publishing a service, see Publish managed services using Private Service Connect.
Roles
The following IAM role provides the permissions needed to perform the tasks in this guide.
- Compute Network Admin (`roles/compute.networkAdmin`)
Manage requests for access to a published service
If you have published a service with explicit project approval, you can accept or reject connection requests from consumer projects.
If you add a project to both the accept list and the deny list, connection requests from that project are rejected.
After a consumer endpoint connection is accepted for a service, the endpoint can connect to the service until the service attachment is deleted. This applies whether the project was accepted explicitly or because the consumer endpoint connected while the connection preference was set to automatically accept connections.
If you remove a project from the accept list, any previously accepted consumer endpoints in that project can still connect to the service. Connections from new consumer endpoints in that project must be accepted before the endpoint can connect.
If you add a project to the reject list, any previously accepted consumer endpoints in that project can still connect to the service. Connections from new consumer endpoints in that project are rejected.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to manage.
In the Connected projects section, the projects that have attempted to connect to this service are listed. Select the checkbox next to one or more projects and click Accept or Reject.
gcloud
Describe the service attachment you want to modify.
```bash
gcloud compute service-attachments describe ATTACHMENT_NAME \
    --region=REGION
```
The output is similar to the following example. If there are any pending consumer connections, they are listed with status `PENDING`. In this example output, the project `CONSUMER_PROJECT_1` is in the accept list, so `ENDPOINT_1` is accepted and can connect to the service. The project `CONSUMER_PROJECT_2` is not on the accept list, so `ENDPOINT_2` is pending. After `CONSUMER_PROJECT_2` is added to the accept list, the status of `ENDPOINT_2` changes to `ACCEPTED`, and the endpoint can connect to the service.
```yaml
connectedEndpoints:
- endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_1/regions/REGION_1/forwardingRules/ENDPOINT_1
  pscConnectionId: 'ENDPOINT_1_ID'
  status: ACCEPTED
- endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_2/regions/REGION_2/forwardingRules/ENDPOINT_2
  pscConnectionId: 'ENDPOINT_2_ID'
  status: PENDING
connectionPreference: ACCEPT_MANUAL
consumerAcceptLists:
- connectionLimit: LIMIT_1
  projectIdOrNum: CONSUMER_PROJECT_1
creationTimestamp: 'TIMESTAMP'
description: 'DESCRIPTION'
enableProxyProtocol: false
fingerprint: FINGERPRINT
id: 'ID'
kind: compute#serviceAttachment
name: NAME
natSubnets:
- https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/subnetworks/PSC_SUBNET
pscServiceAttachmentId:
  high: 'PSC_ATTACH_ID_HIGH'
  low: 'PSC_ATTACH_ID_LOW'
region: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION
selfLink: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/serviceAttachments/ATTACHMENT_NAME
targetService: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/forwardingRules/PRODUCER_FWD_RULE
```
Accept or reject consumer projects.
You can specify `--consumer-accept-list` or `--consumer-reject-list`, or both. You can specify multiple values in `--consumer-accept-list` and `--consumer-reject-list`.
```bash
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --consumer-accept-list=ACCEPTED_PROJECT_1=LIMIT_1,ACCEPTED_PROJECT_2=LIMIT_2 \
    --consumer-reject-list=REJECTED_PROJECT_1,REJECTED_PROJECT_2
```
Replace the following:
- `ATTACHMENT_NAME`: the name of the service attachment.
- `REGION`: the region where the service attachment is located.
- `ACCEPTED_PROJECT_1` and `ACCEPTED_PROJECT_2`: the projects to accept. `--consumer-accept-list` is optional and can contain one or more projects.
- `LIMIT_1` and `LIMIT_2`: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.
- `REJECTED_PROJECT_1` and `REJECTED_PROJECT_2`: the projects to reject. `--consumer-reject-list` is optional and can contain one or more projects.
API
Describe the service attachment you want to modify.
If there are any pending consumer connections, they are listed with status `PENDING`.
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
Accept or reject the consumer projects.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
  ...
  "consumerAcceptLists": [
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_1",
      "connectionLimit": "LIMIT_1"
    },
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_2",
      "connectionLimit": "LIMIT_2"
    }
  ],
  "consumerRejectLists": [
    "REJECTED_PROJECT_1",
    "REJECTED_PROJECT_2"
  ],
  ...
}
```
Replace the following:
- `PROJECT_ID`: the project for the service attachment.
- `REGION`: the region for the service attachment.
- `ATTACHMENT_NAME`: the name of the service attachment.
- `REJECTED_PROJECT_1` and `REJECTED_PROJECT_2`: the projects to reject. `consumerRejectLists` is optional and can contain one or more projects.
- `ACCEPTED_PROJECT_1` and `ACCEPTED_PROJECT_2`: the projects to accept. `consumerAcceptLists` is optional and can contain one or more projects.
- `LIMIT_1` and `LIMIT_2`: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.
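The following is an added example, not code from the Google Cloud page or from any Google tool: it applies the accept-list and reject-list rules described above to the JSON form of `gcloud compute service-attachments describe` output, counts accepted endpoints per project against the connection limits, and builds the `consumerAcceptLists` / `consumerRejectLists` PATCH body in the shape shown above. The describe output is a constructed sample with made-up project and endpoint names; the script runs offline and never calls the Compute API.

```python
import json
from collections import Counter

# Constructed sample in the shape of `describe --format=json`; all values are made up.
URL = "https://www.googleapis.com/compute/v1/projects/{}/regions/us-central1/forwardingRules/{}"
DESCRIBE_JSON = json.dumps({
    "connectionPreference": "ACCEPT_MANUAL",
    "consumerAcceptLists": [{"projectIdOrNum": "consumer-a", "connectionLimit": "2"}],
    "connectedEndpoints": [
        {"endpoint": URL.format("consumer-a", "ep-a1"), "pscConnectionId": "101", "status": "ACCEPTED"},
        {"endpoint": URL.format("consumer-b", "ep-b1"), "pscConnectionId": "102", "status": "PENDING"},
        {"endpoint": URL.format("consumer-c", "ep-c1"), "pscConnectionId": "103", "status": "PENDING"},
    ],
})

def project_of(endpoint_url):
    """The consumer project is the path segment after 'projects/' in the endpoint URL."""
    parts = endpoint_url.split("/")
    return parts[parts.index("projects") + 1]

def expected_statuses(describe_json, accept_limits, reject_projects):
    """Predict each endpoint's status once the lists are applied, per the page's rules:
    already-ACCEPTED endpoints stay accepted; a project on both lists is rejected;
    a PENDING endpoint is accepted only if its project is on the accept list."""
    att = json.loads(describe_json)
    automatic = att["connectionPreference"] == "ACCEPT_AUTOMATIC"
    result = {}
    for ep in att.get("connectedEndpoints", []):
        proj = project_of(ep["endpoint"])
        if ep["status"] == "ACCEPTED" or automatic:
            result[ep["pscConnectionId"]] = "ACCEPTED"
        elif proj in reject_projects:
            result[ep["pscConnectionId"]] = "REJECTED"
        else:
            result[ep["pscConnectionId"]] = "ACCEPTED" if proj in accept_limits else "PENDING"
    return result

def accepted_per_project(describe_json):
    """ACCEPTED endpoints per consumer project, to compare with each connectionLimit."""
    endpoints = json.loads(describe_json).get("connectedEndpoints", [])
    return Counter(project_of(e["endpoint"]) for e in endpoints if e["status"] == "ACCEPTED")

def patch_body(accept_limits, reject_projects):
    """Body for PATCH .../serviceAttachments/NAME, in the shape the page shows."""
    return {"consumerAcceptLists": [{"projectIdOrNum": p, "connectionLimit": str(n)}
                                    for p, n in sorted(accept_limits.items())],
            "consumerRejectLists": sorted(reject_projects)}
```

Call `expected_statuses(DESCRIBE_JSON, {"consumer-a": 2, "consumer-b": 1}, ["consumer-c"])` to preview the outcome before sending `patch_body(...)` with the same arguments.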
Change the connection preference for a published service
You can switch between automatic and explicit project acceptance for a published service.
Changing from automatic acceptance to explicit acceptance does not affect consumer endpoints that had connected to the service before this change. Existing consumer endpoints can connect to the published service until the service attachment is deleted. New consumer endpoints must be accepted before they can connect to the service. See Managing requests for access to a published service for more information.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to update and click Edit.
Select the connection preference that you want:
- Accept connections for selected projects
- Automatically accept connections for all projects
If you are switching to Accept connections for selected projects, you can provide details of the projects you want to allow, or add them later.
- Click Add accepted project.
- Enter the Project and the Connection limit.
Click Save.
gcloud
Change the connection preference for the service attachment from `ACCEPT_AUTOMATIC` to `ACCEPT_MANUAL`.
You control which projects can connect to your service using `--consumer-accept-list` and `--consumer-reject-list`. You can configure the accept and reject lists when you change the connection preference, or update the lists later.
```bash
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_MANUAL \
    [--consumer-accept-list=ACCEPTED_PROJECT_1=LIMIT_1,ACCEPTED_PROJECT_2=LIMIT_2] \
    [--consumer-reject-list=REJECTED_PROJECT_1,REJECTED_PROJECT_2]
```
Replace the following:
- `ATTACHMENT_NAME`: the name of the service attachment.
- `REGION`: the region where the service attachment is located.
- `ACCEPTED_PROJECT_1` and `ACCEPTED_PROJECT_2`: the projects to accept. `--consumer-accept-list` is optional and can contain one or more projects.
- `LIMIT_1` and `LIMIT_2`: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.
- `REJECTED_PROJECT_1` and `REJECTED_PROJECT_2`: the projects to reject. `--consumer-reject-list` is optional and can contain one or more projects.
Change the connection preference for the service attachment from `ACCEPT_MANUAL` to `ACCEPT_AUTOMATIC`.
If you have values in the accept list or reject list, set them to empty (`""`) when you change the connection preference.
```bash
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_AUTOMATIC \
    --consumer-accept-list="" \
    --consumer-reject-list=""
```
Replace the following:
- `ATTACHMENT_NAME`: the name of the service attachment.
- `REGION`: the region where the service attachment is located.
API
Change the connection preference for the service attachment from `ACCEPT_AUTOMATIC` to `ACCEPT_MANUAL`.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
  ...
  "connectionPreference": "ACCEPT_MANUAL",
  "consumerAcceptLists": [
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_1",
      "connectionLimit": "LIMIT_1"
    },
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_2",
      "connectionLimit": "LIMIT_2"
    }
  ],
  "consumerRejectLists": [
    "REJECTED_PROJECT_1",
    "REJECTED_PROJECT_2"
  ],
  ...
}
```
Replace the following:
- `PROJECT_ID`: the project for the service attachment.
- `REGION`: the region for the service attachment.
- `ATTACHMENT_NAME`: the name of the service attachment.
- `REJECTED_PROJECT_1` and `REJECTED_PROJECT_2`: the projects to reject. `consumerRejectLists` is optional and can contain one or more projects.
- `ACCEPTED_PROJECT_1` and `ACCEPTED_PROJECT_2`: the projects to accept. `consumerAcceptLists` is optional and can contain one or more projects.
- `LIMIT_1` and `LIMIT_2`: the connection limits for the projects. The connection limit is the number of consumer Private Service Connect endpoints that can connect to this service. Each accepted project must have a connection limit configured.
Change the connection preference for the service attachment from `ACCEPT_MANUAL` to `ACCEPT_AUTOMATIC`.
If the `consumerAcceptLists` or `consumerRejectLists` fields specify any projects, set them to empty when you change the connection preference to `ACCEPT_AUTOMATIC`.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
  ...
  "connectionPreference": "ACCEPT_AUTOMATIC",
  "consumerAcceptLists": [],
  "consumerRejectLists": [],
  ...
}
```
Replace the following:
- `PROJECT_ID`: the project for the service attachment.
- `REGION`: the region for the service attachment.
- `ATTACHMENT_NAME`: the name of the service attachment.
Add or remove subnets from a published service
You can edit a published service to add or remove Private Service Connect subnets from the configuration.
For example, you might need to make more IP addresses available for an existing service. To add more addresses, do one of the following:
- Create another Private Service Connect subnet, and edit the service attachment to add the new subnet.
- Edit the subnet to expand the IPv4 range.
If you remove a Private Service Connect subnet from a published service, the IP addresses in the subnet are not released. The IP addresses are released only when the consumer Private Service Connect endpoints are deleted, or the client VMs that access the Private Service Connect endpoints are deleted.
If you change the subnet configuration, update your firewall rules to allow requests from the new subnets to reach the backend VMs.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to update and click Edit.
Modify the subnets used for this service.
If you want to add a new subnet, you can create one:
- Click Reserve new subnet
- Enter a Name and optional Description for the subnet.
- Select a Region for the subnet.
- Enter the IP range to use for the subnet and click Add.
Click Save.
gcloud
Update the Private Service Connect subnets that are used for this service attachment.
```bash
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --nat-subnets=PSC_SUBNET_LIST
```
Replace the following:
- `ATTACHMENT_NAME`: the name of the service attachment.
- `REGION`: the region where the service attachment is located.
- `PSC_SUBNET_LIST`: a comma-separated list of one or more subnets to use with this service attachment.
API
Update the Private Service Connect subnets that are used for this service attachment.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
  ...
  "natSubnets": [
    "PSC_SUBNET1_URI",
    "PSC_SUBNET2_URI"
  ],
  ...
}
```
Replace the following:
- `PROJECT_ID`: the project for the service attachment.
- `REGION`: the region for the service attachment.
- `ATTACHMENT_NAME`: the name of the service attachment.
- `PSC_SUBNET1_URI` and `PSC_SUBNET2_URI`: URIs of the subnets that you want to use with this service attachment. You can specify one or more subnets.