Manage published services

This page describes how to manage requests for access to a published service, how to change the connection preference for a published service, and how to configure connection reconciliation.

Each service attachment has a connection preference that specifies whether connection requests are automatically accepted. There are three options:

Automatically accept all connections. The service attachment automatically accepts all inbound connection requests from any consumer. Automatic acceptance can be overridden by an organization policy that blocks incoming connections.
Accept connections for selected networks. The service attachment only accepts inbound connection requests if the consumer VPC network is on the service attachment's consumer accept list.
Accept connections for selected projects. The service attachment only accepts inbound connection requests if the consumer project is on the service attachment's consumer accept list.

We recommend that you accept connections for selected projects or networks. Automatically accepting all connections might be appropriate if you control consumer access through other means and want to enable permissive access to your service.

For more information about publishing a service, see Publish a service.

Roles

The following IAM role provides the permissions needed to perform the tasks in this guide.

Compute Network Admin (roles/compute.networkAdmin)

Manage requests for access to a published service

If you have published a service with explicit approval, you can accept or reject connection requests from consumer projects or VPC networks.

If you add a project or network to both the accept list and the deny list, connection requests from that project or network are rejected.

After a consumer endpoint connection is accepted for a service, the endpoint can connect to the service until the service attachment is deleted. This applies whether the consumer was accepted explicitly or because the consumer endpoint connected when the connection preference was set to automatically accept connections.

If you remove a project or network from the accept list, you must accept new consumer endpoints in that project before the endpoint can connect. However, any previously accepted consumer endpoints in that project or network can still connect to the service.
If you add a project or network to the reject list, connections from new consumer endpoints in that project or network are rejected from connecting to the service. However, any previously accepted consumer endpoints in that project or network can still connect to the service.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.serviceAttachments.update

Roles

See Roles for role information.

Console

In the Google Cloud console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Published services tab.
Click the service that you want to manage.
In the Connected projects section, the projects that have attempted to connect to this service are listed. Select the checkbox next to one or more projects and click Accept project or Reject project.

gcloud

Describe the service attachment you want to modify.

gcloud compute service-attachments describe \
    ATTACHMENT_NAME --region=REGION

The output is similar to the following example. If there are any pending consumer connections, they are listed with status PENDING.

In this example output, the project CONSUMER_PROJECT_1 is in the accept list, so ENDPOINT_1 is accepted and can connect to the service. The project CONSUMER_PROJECT_2 is not on the accept list, and so ENDPOINT_2 is pending. After CONSUMER_PROJECT_2 is added to the accept list, the status of ENDPOINT_2 changes to ACCEPTED, and the endpoint can connect to the service.

connectedEndpoints:
- endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_1/regions/REGION_1/forwardingRules/ENDPOINT_1
  pscConnectionId: 'ENDPOINT_1_ID'
  status: ACCEPTED
- endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_2/regions/REGION_2/forwardingRules/ENDPOINT_2
  pscConnectionId: 'ENDPOINT_2_ID'
  status: PENDING
connectionPreference: ACCEPT_MANUAL
consumerAcceptLists:
- connectionLimit: LIMIT_1
  projectIdOrNum: CONSUMER_PROJECT_1
creationTimestamp: 'TIMESTAMP'
description: 'DESCRIPTION'
enableProxyProtocol: false
fingerprint: FINGERPRINT
id: 'ID'
kind: compute#serviceAttachment
name: NAME
natSubnets:
- https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/subnetworks/PSC_SUBNET
pscServiceAttachmentId:
  high: 'PSC_ATTACH_ID_HIGH'
  low: 'PSC_ATTACH_ID_LOW'
region: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION
selfLink: https://www.googleapis.com/compute/v1/projects/projects/PRODUCER_PROJECT/regions/REGION/serviceAttachments/ATTACHMENT_NAME
targetService: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/forwardingRules/PRODUCER_FWD_RULE

Accept or reject consumer projects or networks.

You can specify --consumer-accept-list or --consumer-reject-list, or both. You can specify multiple values in --consumer-accept-list and --consumer-reject-list. You can include VPC projects or networks, but not a mix of both projects and networks.
```
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --consumer-accept-list=ACCEPTED_PROJECT_OR_NETWORK_1=LIMIT_1,ACCEPTED_PROJECT_OR_NETWORK_2=LIMIT_2 \
    --consumer-reject-list=REJECTED_PROJECT_OR_NETWORK_1,REJECTED_PROJECT_OR_NETWORK_2
```
Replace the following:
- ATTACHMENT_NAME: the name to assign to the service attachment.
- REGION: the region where the service attachment is located.
- ACCEPTED_PROJECT_OR_NETWORK_1 and ACCEPTED_PROJECT_OR_NETWORK_2: the project IDs, project names, or network URLs to accept. --consumer-accept-list is optional and can contain one or more projects or networks, but not a mix of both types.
- LIMIT_1 and LIMIT_2: the connection limits for the projects or networks. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted project or network must have a connection limit configured.
- REJECTED_PROJECT_OR_NETWORK_1 and REJECTED_PROJECT_OR_NETWORK_2: the project IDs, project names, or network URLs to reject. --consumer-reject-list is optional and can contain one or more projects or networks, but not a mix of both types.

API

Describe the service attachment you want to modify.

If there are any pending consumer connections, they are listed with status PENDING.
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
Accept or reject the consumer projects or networks. You can change between accepting and rejecting consumers by project or VPC network, but you can't include a mix of both projects and networks.
- To accept or reject consumers based on project, send the following PATCH request:
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "consumerAcceptLists": [
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_1",
      "connectionLimit": "LIMIT_1"
    },
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_2",
      "connectionLimit": "LIMIT_2"
    }
  ],
  "consumerRejectLists": [
    "REJECTED_PROJECT_1",
    "REJECTED_PROJECT_2"
  ],
  ...
}
```
  Replace the following:
  - PROJECT_ID: the project for the service attachment.
  - REGION: the region for the service attachment.
  - ATTACHMENT_NAME: the name to assign to the service attachment.
  - ACCEPTED_PROJECT_1 and ACCEPTED_PROJECT_2: the project IDs or numbers of the projects to accept. consumerAcceptList is optional and can contain one or more projects.
  - LIMIT_1 and LIMIT_2: the connection limits for the projects. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted project must have a connection limit configured.
  - REJECTED_PROJECT_1 and REJECTED_PROJECT_2: the project IDs or numbers of the projects to reject. consumerRejectList is optional and can contain one or more projects.
- To accept or reject consumers based on VPC network, send the following PATCH request:
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "consumerAcceptLists": [
    {
      "networkUrl": "projects/ACCEPTED_PROJECT_ID_1/global/network/ACCEPTED_NETWORK_1",
      "connectionLimit": "LIMIT_1"
    },
    {
      "networkUrl": "projects/ACCEPTED_PROJECT_ID_2/global/network/ACCEPTED_NETWORK_2",
      "connectionLimit": "LIMIT_2"
    }
  ],
  "consumerRejectLists": [
    "projects/REJECTED_PROJECT_ID_1/global/networks/REJECTED_NETWORK_1",
    "projects/REJECTED_PROJECT_ID_2/global/network/REJECTED_NETWORK_2"
  ],
  ...
}
```
  Replace the following:
  - ACCEPTED_PROJECT_ID_1 and ACCEPTED_PROJECT_ID_2: the IDs of the parent projects of the networks that you want to accept. consumerAcceptLists is optional and can contain one or more networks.
  - ACCEPTED_NETWORK_1 and ACCEPTED_NETWORK_2: the names of the networks that you want to accept.
  - LIMIT_1 and LIMIT_2: the connection limits for the networks. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted network must have a connection limit configured.
  - REJECTED_PROJECT_ID_1 and REJECTED_PROJECT_ID_2: the IDs of the parent projects of the networks that you want to reject. consumerRejectLists is optional and can contain one or more networks.
  - REJECTED_NETWORK_1 and REJECTED_NETWORK_2: the names of the networks that you want to reject.

Change the connection preference for a published service

You can switch between automatic and explicit project acceptance for a published service.

Changing from automatic acceptance to explicit acceptance does not affect consumer endpoints that had connected to the service before this change. Existing consumer endpoints can connect to the published service until the service attachment is deleted. New consumer endpoints must be accepted before they can connect to the service. For more information, see Manage requests for access to a published service.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.serviceAttachments.update

Roles

See Roles for role information.

Console

In the Google Cloud console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Published services tab.
Click the service that you want to update, and then click Edit service details.
Select the connection preference that you want:
- Accept connections for selected projects
- Accept connections for selected networks
- Automatically accept all connections
Optional: If you are switching to Accept connections for selected projects, you can provide details of the projects you want to allow, or add them later.
1. Click Add accepted project.
2. Enter the Project and the Connection limit.
Optional: If you are switching to Accept connections for selected networks, you can provide details of the networks you want to allow, or add them later.
1. Click Add accepted network.
2. Enter the Project, Network, and the Connection limit.
Click Save.

gcloud

Change the connection preference for the service attachment from ACCEPT_AUTOMATIC to ACCEPT_MANUAL.

You control which projects can connect to your service by using --consumer-accept-list and --consumer-reject-list. You can configure the accept and reject lists when you change the connection preference, or update the lists later.
```
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_MANUAL \
    [ --consumer-accept-list=ACCEPTED_PROJECT_OR_NETWORK_1=LIMIT_1,ACCEPTED_PROJECT_OR_NETWORK_2=LIMIT_2] \
    [ --consumer-reject-list=REJECTED_PROJECT_OR_NETWORK_1,REJECTED_PROJECT_OR_NETWORK_2 ]
```
Replace the following:
- ATTACHMENT_NAME: the name of the service attachment.
- REGION: the region where the service attachment is located.
- ACCEPTED_PROJECT_OR_NETWORK_1 and ACCEPTED_PROJECT_OR_NETWORK_2: the project IDs, project names, or network URLs to accept. --consumer-accept-list is optional and can contain one or more projects or networks, but not a mix of both types.
- LIMIT_1 and LIMIT_2: the connection limits for the projects. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted project must have a connection limit configured.
- REJECTED_PROJECT_OR_NETWORK_1 and REJECTED_PROJECT_OR_NETWORK_2: the project IDs, project names, or network URLs to reject. --consumer-reject-list is optional and can contain one or more projects or networks, but not a mix of both types.
Change the connection preference for the service attachment from ACCEPT_MANUAL to ACCEPT_AUTOMATIC.

If you have values in the accept list or reject list, set them to empty when you change the connection preference ("").
```
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --connection-preference=ACCEPT_AUTOMATIC \
    --consumer-accept-list="" \
    --consumer-reject-list=""
```
Replace the following:
- ATTACHMENT_NAME: the name of the service attachment.
- REGION: the region where the service attachment is located.

API

Change the connection preference for the service attachment from ACCEPT_AUTOMATIC to ACCEPT_MANUAL.
- To update consumer accept and reject lists based on project, make the following request:
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "connectionPreference": "ACCEPT_MANUAL",
  "consumerAcceptLists": [
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_1"
      "connectionLimit": "LIMIT_1",
    },
    {
      "projectIdOrNum": "ACCEPTED_PROJECT_2"
      "connectionLimit": "LIMIT_2",
    }
  ],
  "consumerRejectLists": [
    "REJECTED_PROJECT_1",
    "REJECTED_PROJECT_2",
  ],
  ...
}
```
  Replace the following:
  - PROJECT_ID: the project for the service attachment.
  - REGION: the region for the service attachment.
  - ATTACHMENT_NAME: the name to assign to the service attachment.
  - ACCEPTED_PROJECT_1 and ACCEPTED_PROJECT_2: the project IDs or numbers of the projects to accept. consumerAcceptList is optional and can contain one or more projects.
  - LIMIT_1 and LIMIT_2: the connection limits for the projects. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted project must have a connection limit configured.
  - REJECTED_PROJECT_1 and REJECTED_PROJECT_2: the project IDs or numbers of the projects to reject. consumerRejectList is optional and can contain one or more projects.
- To update consumer accept and reject lists based on VPC network, make the following request:
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "connectionPreference": "ACCEPT_MANUAL",
  "consumerAcceptLists": [
    {
      "networkUrl": "projects/ACCEPTED_PROJECT_ID_1/global/networks/ACCEPTED_NETWORK_1",
      "connectionLimit": "LIMIT_1"
    },
    {
      "networkUrl": "projects/ACCEPTED_PROJECT_ID_2/global/networks/ACCEPTED_NETWORK_2",
      "connectionLimit": "LIMIT_2"
    }
  ],
  "consumerRejectLists": [
    "projects/REJECTED_PROJECT_ID_1/global/networks/REJECTED_NETWORK_1",
    "projects/REJECTED_PROJECT_ID_2/global/network/REJECTED_NETWORK_2"
  ],
  ...
}
```
  Replace the following:
  - ACCEPTED_PROJECT_ID_1 and ACCEPTED_PROJECT_ID_2: the IDs of the parent projects of the networks that you want to accept. consumerAcceptLists is optional and can contain one or more networks.
  - ACCEPTED_NETWORK_1 and ACCEPTED_NETWORK_2: the names of the networks that you want to accept.
  - LIMIT_1 and LIMIT_2: the connection limits for the networks. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted network must have a connection limit configured.
  - REJECTED_PROJECT_ID_1 and REJECTED_PROJECT_ID_2: the IDs of the parent projects of the networks that you want to reject. consumerRejectLists is optional and can contain one or more networks.
  - REJECTED_NETWORK_1 and REJECTED_NETWORK_2: the names of the networks that you want to reject.
Change the connection preference for the service attachment from ACCEPT_MANUAL to ACCEPT_AUTOMATIC.

If the consumerAcceptLists or consumerRejectLists fields specify any consumers, set them to empty when you change the connection preference to ACCEPT_AUTOMATIC.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "connectionPreference": "ACCEPT_AUTOMATIC",
  "consumerAcceptLists": [ ],
  "consumerRejectLists": [ ],
  ...
}
```
Replace the following:
- PROJECT_ID: the project for the service attachment.
- REGION: the region for the service attachment.
- ATTACHMENT_NAME: the name of the service attachment.

Configure connection reconciliation

You can enable or disable connection reconciliation for existing service attachments.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.serviceAttachments.update

Roles

See Roles for role information.

Console

In the Google Cloud console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Published services tab.
Click the service that you want to update, and then click Edit service details.
Select or clear the Enable connection reconciliation checkbox, and then click Save.

gcloud

To enable connection reconciliation, use the following command:
```
gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --reconcile-connections
```
Replace the following:
- ATTACHMENT_NAME: the name of the service attachment.
- REGION: the region of the service attachment.

To disable connection reconciliation, use the following command:

gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --no-reconcile-connections

API

To enable connection reconciliation, send a PATCH request and include the following:
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
```
```
{
  ...
  "reconcileConnections": true
  ...
}
```
Replace the following:
- PROJECT_ID: the project for the service attachment.
- REGION: the region for the service attachment.
- ATTACHMENT_NAME: the name of the service attachment.

To disable connection reconciliation, send a PATCH request and include the following:

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME

{
 ...
 "reconcileConnections": false
  ...
}

Add or remove subnets from a published service

You can edit a published service to add Private Service Connect subnets.

For example, you might need to make more IP addresses available for an existing service. To add more addresses, do one of the following:

Create another Private Service Connect subnet, and edit the service attachment to add the new subnet.
Edit the subnet to expand the IPv4 range.

Similarly, you can edit a published service to remove Private Service Connect subnets. However, if any of the subnet's IP addresses are being used to perform SNAT for Private Service Connect, removing the subnet fails.

If you change the subnet configuration, update your firewall rules to allow requests from the new subnets to reach the backend VMs.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.serviceAttachments.update

Roles

See Roles for role information.

Console

In the Google Cloud console, go to the Private Service Connect page.

Go to Private Service Connect
Click the Published services tab.
Click the service that you want to update, and then click Edit.
Modify the subnets used for this service.

If you want to add a new subnet, you can create one:
1. Click Reserve new subnet.
2. Enter a Name and optional Description for the subnet.
3. Select a Region for the subnet.
4. Enter the IP range to use for the subnet and click Add.
Click Save.

gcloud

Update the Private Service Connect subnets that are used for this service attachment.

gcloud compute service-attachments update ATTACHMENT_NAME \
    --region=REGION \
    --nat-subnets=PSC_SUBNET_LIST

Replace the following:

ATTACHMENT_NAME: the name of the service attachment.
REGION: the region where the service attachment is located.
PSC_SUBNET_LIST: a comma-separated list of one or more subnets to use with this service attachment.

API

Update the Private Service Connect subnets that are used for this service attachment.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME

{
  ...
  "natSubnets": [
    "PSC_SUBNET1_URI",
    "PSC_SUBNET2_URI",
  ],
  ...
}

Replace the following:

PROJECT_ID: the project for the service attachment.
REGION: the region for the service attachment.
ATTACHMENT_NAME: the name to assign to the service attachment.
PSC_SUBNET1_URI and PSC_SUBNET2_URI: URIs of the subnets that you want to use with this service attachment. You can specify one or more subnets.