Private Service Connect overview

This page describes concepts related to Private Service Connect. You can use Private Service Connect for the following purposes:

  • Connect to an AlloyDB for PostgreSQL instance from multiple Virtual Private Cloud (VPC) networks that belong to different groups, teams, projects, or organizations.
  • Connect to either a primary instance or any of its read replicas, or connect to a secondary instance.

Private Service Connect lets you create a private and secure connection between your VPC networks and a Google Cloud service, such as AlloyDB.

Private Service Connect uses the concepts of consumer and producer. For example, your VPC network is the consumer of the AlloyDB service published by Google Cloud, which is the producer. For inbound connectivity, each AlloyDB instance publishes a service attachment URL, a unique identifier that is used to connect to the instance, and networks in the allowed projects create an endpoint that establishes a secure connection to the AlloyDB service.

For outbound connectivity, consumer networks create and manage Private Service Connect network attachments. AlloyDB instances use these network attachments to manage connectivity for outbound operations, such as migration or foreign data wrappers (FDW).

For detailed information about using Private Service Connect in AlloyDB, see Connect to an instance using Private Service Connect.

Service attachment

When you create any AlloyDB instance within a Private Service Connect-enabled cluster, AlloyDB creates a service attachment unique to that instance. For each primary instance, read pool instance, or secondary instance created, a unique service attachment URL is generated. This service attachment URL is used to create a Private Service Connect endpoint for your project or network.

Network attachment

To enable outbound connectivity from an AlloyDB instance to your consumer project, you need to create a network attachment within that VPC and project. This network attachment, which is a regional resource, acts as the connection point. You can create a network attachment that accepts connections automatically (ACCEPT_AUTOMATIC) or manually (ACCEPT_MANUAL). For more information about creating a network attachment, see Create and manage network attachments.

Private Service Connect endpoint

A Private Service Connect endpoint is a forwarding rule that's associated with an internal IP address. As part of creating the endpoint, you specify the service attachment that's associated with the AlloyDB instance. The VPC network can then access the instance through the endpoint.

DNS names and records

Since multiple endpoints can connect to a single service attachment, we recommend using a DNS name to consistently connect to the service attachment regardless of the network to which the endpoint belongs. The DNS name is used to create the DNS record in a private DNS zone for the corresponding VPC network.

Allowed Private Service Connect projects

When you create an AlloyDB instance, you can define which projects from your VPC network can access the AlloyDB instance within the AlloyDB cluster.

For each allowed project in your VPC network, create a unique Private Service Connect endpoint. If a project isn't explicitly allowed, you can still create an endpoint in that project for the instance, but the endpoint remains in a PENDING state.
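The following is an added example, not code from this page or from AlloyDB, that ties together the endpoint, DNS record, and allowed-projects concepts above: it audits the forwarding rules of a consumer project, flagging any endpoint that targets a service attachment other than the ones your AlloyDB instances publish and any endpoint stuck in PENDING (the project is not in the instance's allowed list), and it derives the A record to create in each network's private DNS zone. The input is constructed inline in the shape of `gcloud compute forwarding-rules list --format=json` output; the field names (`target`, `network`, `IPAddress`, `pscConnectionStatus`) and all project, attachment and DNS names are assumptions to check against your own output.

```python
import json

# Constructed sample of what `gcloud compute forwarding-rules list --format=json`
# returns for three endpoints in a consumer project (placeholder values only).
NET = "projects/consumer-proj/global/networks/consumer-vpc"
SA = "projects/producer-proj/regions/us-central1/serviceAttachments/"
SAMPLE_RULES_JSON = json.dumps([
    {"name": "psc-alloydb-primary", "IPAddress": "10.10.0.5", "network": NET,
     "target": SA + "alloydb-primary-sa", "pscConnectionStatus": "ACCEPTED"},
    {"name": "psc-alloydb-replica", "IPAddress": "10.10.0.6", "network": NET,
     "target": SA + "alloydb-replica-sa", "pscConnectionStatus": "PENDING"},
    {"name": "psc-mystery", "IPAddress": "10.10.0.7", "network": NET,
     "target": "projects/other-proj/regions/us-central1/serviceAttachments/not-ours",
     "pscConnectionStatus": "ACCEPTED"},
])

# Service attachment URLs of the AlloyDB instances we expect endpoints to target,
# each mapped to the DNS name we record for it (assumed placeholder values).
EXPECTED = {
    SA + "alloydb-primary-sa": "primary.alloydb.example.internal.",
    SA + "alloydb-replica-sa": "replica.alloydb.example.internal.",
}

def audit_endpoints(rules_json: str, expected: dict) -> list:
    # Returns (endpoint, severity, message) tuples for endpoints that target an
    # unexpected service attachment or whose connection is not ACCEPTED.
    findings = []
    for rule in json.loads(rules_json):
        target = rule.get("target", "")
        if "/serviceAttachments/" not in target:
            continue  # ordinary forwarding rule, not a Private Service Connect endpoint
        name = rule["name"]
        if target not in expected:
            findings.append((name, "HIGH", f"targets unexpected service attachment {target}"))
        status = rule.get("pscConnectionStatus", "STATUS_UNSPECIFIED")
        if status == "PENDING":
            findings.append((name, "MEDIUM", "PENDING: consumer project is not in the instance's allowed projects"))
        elif status != "ACCEPTED":
            findings.append((name, "MEDIUM", f"connection status is {status}"))
    return findings

def dns_records(rules_json: str, expected: dict) -> dict:
    # Maps (network, DNS name) -> endpoint IP for each ACCEPTED endpoint, i.e. the
    # A record to create in that network's private DNS zone.
    records = {}
    for rule in json.loads(rules_json):
        dns_name = expected.get(rule.get("target", ""))
        if dns_name and rule.get("pscConnectionStatus") == "ACCEPTED":
            records[(rule["network"], dns_name)] = rule["IPAddress"]
    return records
```

Run against real output, a HIGH finding means an endpoint in your project reaches a service you did not publish, and a MEDIUM PENDING finding means the instance's allowed-projects list needs updating before the endpoint will work.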

What's next