Private Service Connect architecture and performance

This page explains how Private Service Connect works.

Private Service Connect is implemented by using Google Cloud's software-defined networking (SDN) stack, Andromeda. Andromeda is the distributed control plane and data plane for Google Cloud networking that provides connectivity for Virtual Private Cloud (VPC) networks. The Andromeda networking fabric processes packets on the physical servers that host VMs. As a result, the data plane is fully distributed and has no centralized bottlenecks on intermediate proxies or appliances.

Because Private Service Connect traffic is processed fully on the physical hosts, it has significant performance benefits over a proxy-oriented model:

  • Private Service Connect imposes no additional bandwidth limits. The bandwidth available to the source and destination VM interfaces is effectively the bandwidth limit of Private Service Connect.
  • Private Service Connect adds minimal latency to traffic. The traffic path is the same as VM-to-VM traffic within a single VPC network. Network address translation is the only additional processing step, and it is performed entirely on the destination host.

The following diagram shows a typical traffic path for Private Service Connect traffic between a consumer VPC network and a producer VPC network.

Figure 1. Physical hosts perform client-side load balancing to determine which target host to send the traffic to.

From a logical perspective, there are consumer Private Service Connect endpoints and producer load balancers. However, from a physical perspective traffic goes directly from the physical server that hosts the client VM to the physical server that hosts the producer load balancer VM.

Andromeda applies the following functions to Private Service Connect traffic (see Figure 1):

  • Client-side load balancing is applied on the source host (Host 1), which decides which target host to send the traffic to. This decision is based on location, load, and health.
  • The inner packet from VPC1 is encapsulated in an Andromeda header whose destination network is VPC2.
  • The destination host (Host 2) applies SNAT and DNAT to the packet, using an address from the NAT subnet as the packet's source IP address and the producer load balancer's IP address as its destination IP address. The producer side therefore sees traffic arriving from the NAT subnet, not from the consumer VM's address.
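The three steps above, modelled as an added example. This is not Google's code and the page does not document Andromeda's internals: the tie-breaking order in the load-balancing decision, the shape of the encapsulation record, and the NAT port allocation scheme are assumptions made for illustration. The constructed sample topology at the end shows the point that matters for producer-side firewall rules: after SNAT the producer only ever sees an address from its NAT subnet.

```python
# Added example, not Google's code: a model of the per-flow steps Andromeda
# applies to Private Service Connect traffic. Host selection order, the
# encapsulation record and the NAT port scheme are assumptions.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class TargetHost:
    name: str
    zone: str
    load: float      # assumed metric: 0.0 idle .. 1.0 saturated
    healthy: bool


def pick_target(hosts, client_zone):
    """Step 1 (source host): client-side load balancing on health, location
    and load. Assumed order: drop unhealthy hosts, prefer the client's zone,
    then lowest load. Returns None when no host is healthy."""
    healthy = [h for h in hosts if h.healthy]
    if not healthy:
        return None
    return min(healthy, key=lambda h: (h.zone != client_zone, h.load))


def encapsulate(pkt, src_vpc, dst_vpc, target):
    """Step 2: wrap the inner VPC1 packet in an (assumed) Andromeda header that
    names the destination VPC network and the chosen physical host."""
    return {"outer": {"dst_host": target.name, "src_vpc": src_vpc, "dst_vpc": dst_vpc},
            "inner": pkt}


class ProducerHost:
    """Step 3 (destination host): SNAT the consumer source into the producer's
    NAT subnet and DNAT the endpoint address to the load balancer address."""

    PORTS_PER_IP = 65536 - 1024   # assumed: ephemeral ports 1024..65535 per NAT IP

    def __init__(self, nat_subnet, endpoint_ip, lb_ip):
        self.nat_ips = list(ipaddress.ip_network(nat_subnet).hosts())
        self.endpoint_ip = endpoint_ip
        self.lb_ip = lb_ip
        self._nat_table = {}      # (consumer src, sport) -> (nat ip, nat port)

    def translate(self, frame):
        pkt = frame["inner"]
        if pkt.dst != self.endpoint_ip:
            raise ValueError("packet is not addressed to this endpoint")
        key = (pkt.src, pkt.sport)
        if key not in self._nat_table:
            n = len(self._nat_table)   # assumed: sequential allocation
            if n // self.PORTS_PER_IP >= len(self.nat_ips):
                raise RuntimeError("NAT subnet exhausted; allocate a larger one")
            nat_ip = str(self.nat_ips[n // self.PORTS_PER_IP])
            self._nat_table[key] = (nat_ip, 1024 + n % self.PORTS_PER_IP)
        nat_ip, nat_port = self._nat_table[key]
        return Packet(src=nat_ip, dst=self.lb_ip, sport=nat_port, dport=pkt.dport)


def producer_firewall_allows(pkt, allowed_source_ranges):
    """What a producer-side ingress rule evaluates: the translated source, so the
    rule must list the NAT subnet rather than the consumer VPC's ranges."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(r) for r in allowed_source_ranges)


def demo():
    # Constructed sample topology; all addresses and names are made up.
    hosts = [TargetHost("host-a", "us-central1-a", 0.7, True),
             TargetHost("host-b", "us-central1-b", 0.2, True),
             TargetHost("host-c", "us-central1-a", 0.9, False)]
    target = pick_target(hosts, client_zone="us-central1-a")
    inner = Packet(src="10.10.0.5", dst="10.10.1.10", sport=40000, dport=443)
    frame = encapsulate(inner, "vpc1", "vpc2", target)
    producer = ProducerHost("192.168.100.0/29", endpoint_ip="10.10.1.10",
                            lb_ip="10.20.0.100")
    out = producer.translate(frame)
    return target, frame, out, producer


if __name__ == "__main__":
    target, frame, out, producer = demo()
    print("target host:", target.name)
    print("translated:", out)
    print("allowed by NAT-subnet rule:",
          producer_firewall_allows(out, ["192.168.100.0/29"]))
    print("allowed by consumer-range rule:",
          producer_firewall_allows(out, ["10.10.0.0/24"]))
```

Running the demo picks `host-a` (healthy and in the client's zone, even though `host-b` is less loaded), and the translated packet carries `192.168.100.1` as its source. A producer firewall rule that only allows `10.10.0.0/24` rejects the flow; one that allows the NAT subnet accepts it.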

There are exceptions where traffic is processed by intermediate routing hosts, such as inter-regional traffic or very small or intermittent traffic flows. However, Andromeda dynamically offloads traffic flows to direct host-to-host networking whenever possible, to optimize for latency and throughput.

What's next