This page describes concepts related to Private Service Connect. You can use Private Service Connect for the following purposes:
- Connect to an AlloyDB for PostgreSQL instance from multiple Virtual Private Cloud (VPC) networks that belong to different groups, teams, projects, or organizations.
- Connect to either a primary instance or any of its read replicas, or connect to a secondary instance.
Private Service Connect lets you create a private and secure connection between your VPC networks and a Google Cloud service, such as AlloyDB.
Private Service Connect uses the concept of consumer and producer. For example, your VPC network is the consumer of the AlloyDB service published by Google Cloud, which is the producer. For inbound connectivity, AlloyDB instances publish a service attachment URL, a unique identifier that is used to connect to an instance, and the allowed networks within the allowed projects create an endpoint that establishes a secure connection to the AlloyDB service.
For outbound connectivity, consumer networks create and manage Private Service Connect network attachments. AlloyDB instances use these network attachments to manage connectivity for outbound operations, such as migration or foreign data wrappers (FDW).
For detailed information about using Private Service Connect in AlloyDB, see Connect to an instance using Private Service Connect.
Service attachment
When you create any AlloyDB instance within a Private Service Connect-enabled cluster, AlloyDB creates a service attachment unique to that instance. For each primary instance, read pool instance, or secondary instance created, a unique service attachment URL is generated. This service attachment URL is used to create a Private Service Connect endpoint for your project or network.
Network attachment
To enable outbound connectivity from an AlloyDB instance to your consumer project, you need to create a network attachment within that VPC and project. This network attachment, which is a regional resource, acts as the connection point. You can create a network attachment that accepts connections automatically (ACCEPT_AUTOMATIC) or manually (ACCEPT_MANUAL). For more information about creating a network attachment, see Create and manage network attachments.
Private Service Connect endpoint
A Private Service Connect endpoint is a forwarding rule that's associated with an internal IP address. As part of creating the endpoint, you specify the service attachment that's associated with the AlloyDB instance. The VPC network can then access the instance through the endpoint.
DNS names and records
Since multiple endpoints can connect to a single service attachment, we recommend using a DNS name to consistently connect to the service attachment regardless of the network to which the endpoint belongs. The DNS name is used to create the DNS record in a private DNS zone for the corresponding VPC network.
Allowed Private Service Connect projects
When you create an AlloyDB instance, you can define which projects from your VPC network can access the AlloyDB instance within the AlloyDB cluster.
For each allowed project in your VPC network, create a unique Private Service Connect endpoint. If a project isn't allowed explicitly, then you can still create an endpoint for the instances in the project, but the endpoint remains in a PENDING state.
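The consumer-side procedure the sections above describe (read the instance's service attachment URL, reserve an internal IP, create the endpoint forwarding rule, check whether it is ACCEPTED or PENDING, add the DNS record in the private zone), as an added shell example that is not part of this page or of AlloyDB's own tooling. The project, instance, network, subnet and zone names are constructed, and the pscInstanceConfig field paths and the pscConnectionStatus field are assumed from the AlloyDB and Compute APIs.

```shell
#!/usr/bin/env sh
# Consumer-side wiring for an AlloyDB Private Service Connect endpoint.
# Every gcloud call goes through gc(), which only prints the command when
# DRY_RUN=1, so the plan can be reviewed before anything is created.
gc() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi
}

# Producer side: read the service attachment URL AlloyDB generated for the
# instance (field path assumed: pscInstanceConfig.serviceAttachmentLink).
service_attachment_of() { # instance cluster region
  gc alloydb instances describe "$1" --cluster="$2" --region="$3" \
    --format="value(pscInstanceConfig.serviceAttachmentLink)"
}

# DNS name AlloyDB assigns to the instance (field path assumed: pscDnsName).
psc_dns_name_of() { # instance cluster region
  gc alloydb instances describe "$1" --cluster="$2" --region="$3" \
    --format="value(pscInstanceConfig.pscDnsName)"
}

# Consumer side, step 1: reserve an internal IP in the consumer subnet.
reserve_endpoint_ip() { # address-name region subnet
  gc compute addresses create "$1" --region="$2" --subnet="$3"
}

# Step 2: the endpoint is a forwarding rule whose target is the attachment.
create_psc_endpoint() { # rule-name region network address-name attachment
  gc compute forwarding-rules create "$1" --region="$2" --network="$3" \
    --address="$4" --target-service-attachment="$5"
}

# Step 3: ACCEPTED means the consumer project is in the instance's allowed
# list; PENDING means it is not (see "Allowed Private Service Connect projects").
endpoint_status() { # rule-name region
  gc compute forwarding-rules describe "$1" --region="$2" \
    --format="value(pscConnectionStatus)"
}

# Step 4: one A record per VPC, so clients use the same DNS name everywhere.
create_dns_record() { # private-zone dns-name ip
  gc dns record-sets create "$2" --zone="$1" --type=A --ttl=300 --rrdatas="$3"
}

# Runs the steps for one consumer VPC; all resource names are constructed.
wire_up_endpoint() {
  att=$(service_attachment_of my-primary my-cluster us-central1)
  reserve_endpoint_ip alloydb-psc-ip us-central1 consumer-subnet
  create_psc_endpoint alloydb-psc-ep us-central1 consumer-vpc alloydb-psc-ip "$att"
  ip=$(gc compute addresses describe alloydb-psc-ip --region=us-central1 --format="value(address)")
  create_dns_record alloydb-psc-zone "$(psc_dns_name_of my-primary my-cluster us-central1)" "$ip"
  endpoint_status alloydb-psc-ep us-central1
}
```

Run with DRY_RUN=1 first to review the generated commands; the private DNS zone is assumed to exist already and be attached to the consumer VPC.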
What's next
- Learn about Private Service Connect in AlloyDB networking.
- Learn more about connecting to an instance using Private Service Connect.