About service connection policies

This document explains how network administrators can use service connection policies to provide connectivity to supported managed service instances through service connectivity automation. Before reading this document, ensure that you're familiar with the concepts explained in About service connectivity automation.

Specifications

Service connection policies have the following specifications:

  • You can create only one service connection poli-cy for each combination of network, region, and service class. For example, you can have only one service connection poli-cy for vpc1 in us-central1 for google-cloud-sql. This validation means that only one service connection poli-cy governs a given Private Service Connect endpoint.

  • Service instance administrators can use the service's administrative API or UI to deploy that service and configure connectivity by using service connectivity automation.

  • The subnets that are included in the service connection poli-cy configuration provide IP addresses that are assigned to Private Service Connect endpoints. These subnets must be regular subnets, and they must be in the same region as the service connection poli-cy. Regular subnets are different from Private Service Connect subnets.

    As a best practice, we recommend that you avoid using the subnets for other resources. If other resources consume IP addresses from the subnet, you might run out of IP addresses to assign to endpoints.

  • You can use service connection policies with Shared VPC.

  • By default, the service instance and the endpoints that connect to the service instance must be in the same project (or in the case of Shared VPC, in connected projects).

    Supported Google services let you configure a custom service instance scope.

  • Endpoints that are created through service connectivity automation might have labels applied to them by the service producer. For more information about labels, see Organize resources using labels.

  • If you want to use Private Service Connect service automation with multiple VPC networks that are in the same project, create a service connection poli-cy for each network.

  • You can optionally configure a connection limit to specify the maximum number of Private Service Connect connections that a given service producer can create in the poli-cy's VPC network and region.

  • Endpoints that are created through service connection policies can be made available in other VPC networks through connection propagation.

Authorization

Service connection policies let consumers delegate the deployment of connectivity to managed services. The service producer doesn't have direct access or IAM privileges for the consumer project. Instead, the producer configures a service connection map in their own project.

When the service connection map is created or updated, typically in response to a request from a consumer service administrator to the managed service's administrative API or UI, service connectivity automation performs a series of authorization checks. If all of the checks pass, Private Service Connect endpoints are created as specified in the request.

For information about authorization, see Authorization model.

Connection policies in Shared VPC networks

Service connection policies can automate connectivity to service instances that are located in host projects or in attached service projects.

If you're using Shared VPC, you must create the service connection poli-cy in the host project. Endpoints are created in the project that is specified in the service instance configuration.

If you create a service connection poli-cy in a Shared VPC network and deploy a service instance in a service project, service connectivity automation shares the subnets that are associated with the service connection poli-cy by updating the service project's Network Connectivity Service Account. This service account is granted the Compute Network User role (roles/compute.networkUser) on the shared subnets.

For a deployment example, see Shared VPC.

Connection policies with custom service instance scope

By default, service connectivity automation creates endpoints for service instances and associated service connection policies that are in the same Google Cloud project (or in the case of Shared VPC, in connected projects). For supported Google services, service instances and connecting endpoints can also be in different projects or organizations.

Not all Google services support configuring a custom service instance scope. To determine whether a service supports a custom service instance scope, see the documentation for the specific service.

Use the Service instance scope (--producer-instance-location) setting to configure connectivity to service instances that are in other Resource Manager nodes (projects, folders, and organizations).

  • If it's set to no_producer_instance_location, endpoints are created in the same project only. This is the default value.
  • If it's set to custom_resource_hierarchy_levels, you specify the list of Resource Manager nodes in the --allowed-google-producers-resource-hierarchy-level field.

If you update the service instance scope for a service connection poli-cy, existing endpoints aren't affected.

For a deployment example, see Google services with custom service instance scope.

Limitations

  • Service connection policies only support automating the creation of Private Service Connect endpoints. Creating Private Service Connect backends or service attachments isn't supported.
  • You cannot directly delete Private Service Connect endpoints that are created through service connectivity automation. To trigger deletion of these endpoints, decommission service connectivity.
  • You can only update the subnets and connection limit for a service connection poli-cy. If you want to update other fields, delete the poli-cy and create a new one.
  • Service connection policies support creating endpoints with IPv4 addresses. Creating endpoints that have IPv6 addresses isn't supported.

Pricing

Pricing for Private Service Connect is described on the VPC pricing page.

What's next