About Private Service Connect interfaces

This page provides an overview of Private Service Connect interfaces.

A Private Service Connect interface is a resource that lets a producer Virtual Private Cloud (VPC) network initiate connections to various destinations in a consumer VPC network. Producer and consumer networks can be in different projects and organizations.

When you create a Private Service Connect interface, you create a virtual machine (VM) instance that has at least two network interfaces. The first interface connects to a subnet in a producer VPC network. The second interface is a Private Service Connect interface that requests a connection to a network attachment in a consumer network. If the connection is accepted, Google Cloud assigns the Private Service Connect interface an internal IP address from the consumer subnet that is specified by the network attachment.

This Private Service Connect interface connection lets producer and consumer organizations configure their VPC networks so that the two networks are connected and can communicate by using internal IP addresses. For example, the producer organization can update the producer VPC network to add routes for consumer subnets.

Figure 1. vm-1 in a producer VPC network has two network interfaces. One standard network interface connects to a subnet in the producer network, while the other is a Private Service Connect interface that is connected to a network attachment in a consumer network.

A connection between a Private Service Connect interface and a network attachment is similar to the connection between a Private Service Connect endpoint and a service attachment, but it has two key differences:

  • A Private Service Connect interface lets a producer VPC network initiate connections to a consumer VPC network (managed service egress). An endpoint works in the reverse direction, letting a consumer VPC network initiate connections to a producer VPC network (managed service ingress).
  • A Private Service Connect interface connection is transitive. This means that workloads in a producer network can initiate connections to other workloads that are connected to the consumer VPC network. Private Service Connect endpoints can only initiate connections to the producer VPC network.

Figure 2. Private Service Connect endpoints let service consumers initiate connections to service producers, while Private Service Connect interfaces let service producers initiate connections to service consumers.

Connecting to workloads in other networks

Because Private Service Connect interface connections are transitive, resources in producer VPC networks can communicate not only with resources in the network attachment's subnet but with any workload that is connected to the consumer network. Whether a given workload is reachable is decided by the consumer VPC network's configuration: its routes, and its firewall rules as evaluated against the internal IP addresses that the Private Service Connect interfaces receive from the network attachment's subnet. Figure 3 shows this arrangement.

Figure 3. A producer VPC network that's connected to a consumer VPC network through a Private Service Connect interface connection can communicate with workloads that are connected to the consumer VPC.
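The practical consequence of that transitivity is that consumer-side VPC firewall rules are what keep a producer from wandering beyond the workload it is meant to reach. The following is an added example (not code from this page or from Google) that models VPC ingress firewall evaluation (lowest priority number wins, deny beats allow on a tie, implied deny-all ingress at priority 65535) for traffic arriving from a Private Service Connect interface. The attachment subnet 10.20.0.0/24, the interface address 10.20.0.5, the consumer VM names and tags, and both rule sets are constructed for the example; it contrasts a broad "allow 10.0.0.0/8" rule, which admits the producer everywhere, with rules scoped to the attachment subnet and a single target tag and port.

```python
"""Model VPC firewall rule evaluation for traffic that enters a consumer VPC network
from a Private Service Connect interface. Added example; not code from the page."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """Subset of a VPC ingress firewall rule: lower priority number wins; on a tie, deny beats allow."""
    name: str
    action: str                       # "allow" or "deny"
    source_ranges: list[str]
    allowed: dict[str, list[str]]     # {"tcp": ["5432", "8000-8100"]}; {} means all protocols and ports
    target_tags: list[str] = field(default_factory=list)  # [] means the rule applies to every instance
    priority: int = 1000


# Implied rule every VPC network has: deny all ingress at the lowest priority.
IMPLIED_DENY_INGRESS = Rule("implied-deny-ingress", "deny", ["0.0.0.0/0", "::/0"], {}, priority=65535)

# Constructed scenario (hypothetical addresses): the consumer's network attachment uses
# 10.20.0.0/24, so the producer's PSC interface was assigned 10.20.0.5 from that range.
ATTACHMENT_SUBNET = "10.20.0.0/24"
PSC_INTERFACE_IP = "10.20.0.5"
CONSUMER_VMS = {"db": ["db"], "hr-app": ["hr"], "batch": ["batch"]}  # name -> network tags

WEAK_RULES = [
    # A typical "allow all RFC 1918" rule also admits the producer, because the
    # PSC interface address sits inside 10.0.0.0/8.
    Rule("allow-internal", "allow", ["10.0.0.0/8"], {}),
]

HARDENED_RULES = [
    Rule("allow-psc-to-db", "allow", [ATTACHMENT_SUBNET], {"tcp": ["5432"]}, ["db"], priority=900),
    Rule("deny-psc-everything-else", "deny", [ATTACHMENT_SUBNET], {}, priority=950),
    Rule("allow-internal", "allow", ["10.0.0.0/8"], {}),  # still serves consumer-to-consumer traffic
]


def _port_matches(ports, port):
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _rule_matches(rule, src_ip, vm_tags, proto, port):
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule.source_ranges):
        return False
    if rule.target_tags and not set(rule.target_tags) & set(vm_tags):
        return False
    if rule.allowed:
        return proto in rule.allowed and _port_matches(rule.allowed[proto], port)
    return True


def evaluate_ingress(rules, src_ip, vm_tags, proto, port):
    """Return (action, rule name) for one flow, following VPC firewall precedence."""
    matching = [r for r in [*rules, IMPLIED_DENY_INGRESS]
                if _rule_matches(r, src_ip, vm_tags, proto, port)]
    winner = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


def producer_reach(rules, src_ip=PSC_INTERFACE_IP):
    """Map (consumer VM, proto, port) -> action for a few flows the producer might attempt."""
    flows = [("db", "tcp", 5432), ("db", "tcp", 22), ("hr-app", "tcp", 443), ("batch", "icmp", 0)]
    return {(vm, proto, port): evaluate_ingress(rules, src_ip, CONSUMER_VMS[vm], proto, port)[0]
            for vm, proto, port in flows}


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, producer_reach(rules))
```

The hardened set places an explicit deny for the attachment subnet at a priority between the narrow allow and the broad internal allow, so adding a new general-purpose allow rule later does not silently widen the producer's reach; consumer-to-consumer traffic keeps matching allow-internal as before. The model covers VPC firewall rules only, not hierarchical or network firewall policies.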

Example use cases

An example use case for Private Service Connect interfaces is a managed service that needs to initiate connections to a consumer VPC network to access consumer data. The service might also need access to data or services that are available in a consumer's on-premises network, through a VPN or Cloud Interconnect connection, or from a third-party service. A Private Service Connect interface connection can fulfill all of these requirements.

Another use case is a managed service that provides an API gateway. As the service receives calls for different APIs, it uses Private Service Connect interfaces to initiate connections to consumer VPC networks. The gateway service sends API requests to backend targets that process the requests.

Private Service Connect interfaces and Private Service Connect endpoints are complementary and can be used together in the same VPC network.

For example, figure 4 describes the network configuration of a managed service that provides analytics. The analytics service can initiate connections to the consumer VPC network by using a Private Service Connect interface. A Private Service Connect endpoint in the consumer network lets the analytics service initiate connections to a database service in another VPC network. Traffic from the analytics service to the database service passes through the consumer network, which lets the consumer monitor and provide security for traffic between the two services.

Figure 4. Private Service Connect interfaces and Private Service Connect endpoints are complementary in this example configuration. The interface lets the analytics service initiate connections to the consumer VPC network. The endpoint lets the analytics service initiate connections from the consumer VPC network to the database service.

Specifications

  • A Private Service Connect interface is a special type of network interface that connects to a network attachment. Network interface specifications also apply to Private Service Connect interfaces.
  • When you create a VM for Private Service Connect interfaces, you create at least two network interfaces. The first network interface is always the default network interface, named nic0. This interface connects to a producer subnet. The second interface is a Private Service Connect interface that requests a connection to a consumer subnet. You can include up to seven Private Service Connect interfaces on a single VM.
  • When a consumer project accepts a connection from a Private Service Connect interface, Google Cloud configures the interface with IP addresses from the network attachment's subnet:
    • An internal IPv4 address is assigned from the subnet's primary IP address range.
    • If the network attachment's subnet is dual-stack, and the Private Service Connect interface is dual-stack, an internal IPv6 address is assigned from the subnet's IPv6 range.
    • You can't use IPv6-only subnets (Preview) for network attachments.
  • Private Service Connect interfaces support alias IP ranges. Alias IP ranges must come from the primary IPv4 address range of the network attachment's subnet.
  • Google Cloud ensures that IP addresses that are allocated to a Private Service Connect interface don't overlap with the address ranges of subnets that are connected to the VM's other network interfaces. If there aren't enough addresses available, the creation of the VM fails.
  • A Private Service Connect interface communicates in the same way as a network interface.
  • A connection between a network attachment and a Private Service Connect interface is bi-directional and transitive. Workloads in the producer VPC network can initiate connections to workloads that are connected to the consumer VPC network.
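The VM described above (a standard nic0 on a producer subnet plus one or more interfaces that name a network attachment instead of a subnet) is expressed in the Compute Engine API as an instances.insert body whose second and later networkInterfaces entries carry a networkAttachment field; the gcloud equivalent is a --network-interface flag with network-attachment=projects/.../regions/.../networkAttachments/.... The following is an added example (not code from this page or from Google) that builds such a body and lints it against the specifications listed above: nic0 must be a standard interface, at most seven Private Service Connect interfaces, no external IP on a Private Service Connect interface, a dual-stack interface needs a dual-stack attachment subnet, alias ranges must fall inside the attachment subnet's primary range, and the attachment subnet must not overlap the ranges of the VM's other interfaces. Project names, subnet and attachment names, and the inventory dictionaries are constructed stand-ins for what you would fetch with compute.subnetworks.get and compute.networkAttachments.get.

```python
"""Build and lint a Compute Engine instances.insert body for a producer VM that carries
Private Service Connect interfaces. Added example; not code from the page or from Google."""
from __future__ import annotations

import ipaddress

MAX_PSC_INTERFACES = 7  # the page: at most seven Private Service Connect interfaces per VM

# Constructed inventory standing in for compute.subnetworks.get and
# compute.networkAttachments.get responses. Project and resource names are hypothetical.
PRODUCER_SUBNET = "projects/producer-proj/regions/us-central1/subnetworks/producer-subnet"
ANALYTICS_ATTACHMENT = "projects/consumer-proj/regions/us-central1/networkAttachments/analytics-attach"
OVERLAPPING_ATTACHMENT = "projects/consumer-proj/regions/us-central1/networkAttachments/overlapping-attach"

SUBNETS = {
    PRODUCER_SUBNET: {"ipCidrRange": "10.10.0.0/24", "stackType": "IPV4_ONLY"},
    "projects/consumer-proj/regions/us-central1/subnetworks/psc-subnet":
        {"ipCidrRange": "10.20.0.0/24", "stackType": "IPV4_IPV6"},
    "projects/consumer-proj/regions/us-central1/subnetworks/clashing-subnet":
        {"ipCidrRange": "10.10.0.0/24", "stackType": "IPV4_ONLY"},
}
ATTACHMENT_SUBNET = {  # network attachment -> the consumer subnet it assigns addresses from
    ANALYTICS_ATTACHMENT: "projects/consumer-proj/regions/us-central1/subnetworks/psc-subnet",
    OVERLAPPING_ATTACHMENT: "projects/consumer-proj/regions/us-central1/subnetworks/clashing-subnet",
}


def standard_nic(subnet_url, external_ip=False):
    """nic0-style interface on a producer subnet (accessConfigs adds an external IP)."""
    nic = {"subnetwork": subnet_url}
    if external_ip:
        nic["accessConfigs"] = [{"type": "ONE_TO_ONE_NAT", "name": "External NAT"}]
    return nic


def psc_nic(attachment_url, stack_type="IPV4_ONLY", alias_ranges=(), external_ip=False):
    """Private Service Connect interface: networkAttachment takes the place of subnetwork."""
    nic = {"networkAttachment": attachment_url, "stackType": stack_type}
    if alias_ranges:
        nic["aliasIpRanges"] = [{"ipCidrRange": r} for r in alias_ranges]
    if external_ip:  # unsupported; built here only so the linter can flag it
        nic["accessConfigs"] = [{"type": "ONE_TO_ONE_NAT", "name": "External NAT"}]
    return nic


def instance_body(name, zone, machine_type, nics):
    return {
        "name": name,
        "machineType": f"zones/{zone}/machineTypes/{machine_type}",
        "networkInterfaces": list(nics),
        "disks": [{"boot": True, "autoDelete": True, "initializeParams": {
            "sourceImage": "projects/debian-cloud/global/images/family/debian-12"}}],
    }


def _subnet_of(nic):
    key = ATTACHMENT_SUBNET[nic["networkAttachment"]] if "networkAttachment" in nic else nic["subnetwork"]
    return SUBNETS[key]


def lint_psc_interfaces(body):
    """Return findings against the page's specifications; an empty list means the body passes."""
    findings = []
    nics = body["networkInterfaces"]
    ranges = [ipaddress.ip_network(_subnet_of(n)["ipCidrRange"]) for n in nics]
    psc_idx = [i for i, n in enumerate(nics) if "networkAttachment" in n]
    if not nics or 0 in psc_idx:
        findings.append("nic0 must be a standard interface on a producer subnet")
    if not psc_idx:
        findings.append("no Private Service Connect interface: add an interface with networkAttachment")
    if len(psc_idx) > MAX_PSC_INTERFACES:
        findings.append(f"{len(psc_idx)} PSC interfaces exceeds the limit of {MAX_PSC_INTERFACES}")
    for i in psc_idx:
        nic, primary = nics[i], ranges[i]
        for j, other in enumerate(ranges):
            if j != i and primary.overlaps(other):
                findings.append(f"nic{i}: attachment range {primary} overlaps nic{j} range {other}")
        if nic.get("accessConfigs"):
            findings.append(f"nic{i}: PSC interfaces don't support external IP addresses")
        if nic.get("stackType") == "IPV4_IPV6" and _subnet_of(nic)["stackType"] != "IPV4_IPV6":
            findings.append(f"nic{i}: dual-stack requested but the attachment subnet is IPv4-only")
        for alias in nic.get("aliasIpRanges", []):  # CIDR form only; "/N" shorthand not modelled
            if not ipaddress.ip_network(alias["ipCidrRange"]).subnet_of(primary):
                findings.append(f"nic{i}: alias range {alias['ipCidrRange']} is outside {primary}")
    return findings


def example_good():
    return instance_body("vm-1", "us-central1-a", "e2-medium", [
        standard_nic(PRODUCER_SUBNET),
        psc_nic(ANALYTICS_ATTACHMENT, stack_type="IPV4_IPV6", alias_ranges=["10.20.0.128/26"]),
    ])


def example_bad():
    return instance_body("vm-2", "us-central1-a", "e2-medium", [
        psc_nic(OVERLAPPING_ATTACHMENT, alias_ranges=["192.168.1.0/24"], external_ip=True),
        standard_nic(PRODUCER_SUBNET),
    ])


if __name__ == "__main__":
    for body in (example_good(), example_bad()):
        print(body["name"], lint_psc_interfaces(body) or "OK")
```

Running the linter before calling the API turns the overlap and external-IP cases, which the platform otherwise reports only as a failed or rejected creation, into findings you can act on in a pipeline; the alias-range and dual-stack checks need the attachment subnet's real ipCidrRange and stackType, which is why the example resolves each networkAttachment to its subnet first.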

Limitations

  • A Private Service Connect interface connection can only be terminated in the following ways:
    • A producer deletes the interface's VM.
    • A consumer deletes a project that is connected to a Private Service Connect interface. This action stops the interface's VM.
    • A consumer disables the Compute Engine API in a project that is connected to a Private Service Connect interface. This action stops the interface's VM.
  • Private Service Connect interfaces don't support external IP addresses.
  • A Private Service Connect interface can't be the next hop of an internal forwarding rule.
  • You can't directly associate Private Service Connect interfaces with Google Kubernetes Engine (GKE) nodes or Pods. However, service egress is possible with GKE through Private Service Connect interfaces that are configured on proxy VMs.

Pricing

Pricing for Private Service Connect interfaces is described on the VPC pricing page.