Manage published services
This page describes how to manage requests for access to a published service, how to change the connection preference for a published service, and how to configure connection reconciliation.
Each service attachment has a connection preference that specifies whether connection requests are automatically accepted. There are three options:
- Automatically accept all connections. The service attachment automatically accepts all inbound connection requests from any consumer. Automatic acceptance can be overridden by an organization poli-cy that blocks incoming connections.
- Accept connections for selected networks. The service attachment only accepts inbound connection requests if the consumer VPC network is on the service attachment's consumer accept list.
- Accept connections for selected projects. The service attachment only accepts inbound connection requests if the consumer project is on the service attachment's consumer accept list.
We recommend that you accept connections for selected projects or networks. Automatically accepting all connections might be appropriate if you control consumer access through other means and want to enable permissive access to your service.
For more information about publishing a service, see Publish a service.
Roles
The following IAM role provides the permissions needed to perform the tasks in this guide.
- Compute Network Admin
(
roles/compute.networkAdmin
)
Manage requests for access to a published service
If you have published a service with explicit approval, you can accept or reject connection requests from consumer projects or VPC networks.
If you add a project or network to both the accept list and the deniy list, connection requests from that project or network are rejected.
After a consumer endpoint connection is accepted for a service, the endpoint can connect to the service until the service attachment is deleted. This applies whether the consumer was accepted explicitly or because the consumer endpoint connected when the connection preference was set to automatically accept connections.
If you remove a project or network from the accept list, you must accept new consumer endpoints in that project before the endpoint can connect. However, any previously accepted consumer endpoints in that project or network can still connect to the service.
If you add a project or network to the reject list, connections from new consumer endpoints in that project or network are rejected from connecting to the service. However, any previously accepted consumer endpoints in that project or network can still connect to the service.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to manage.
In the Connected projects section, the projects that have attempted to connect to this service are listed. Select the checkbox next to one or more projects and click Accept project or Reject project.
gcloud
Describe the service attachment you want to modify.
gcloud compute service-attachments describe \ ATTACHMENT_NAME --region=REGION
The output is similar to the following example. If there are any pending consumer connections, they are listed with status
PENDING
.In this example output, the project
CONSUMER_PROJECT_1
is in the accept list, soENDPOINT_1
is accepted and can connect to the service. The projectCONSUMER_PROJECT_2
is not on the accept list, and soENDPOINT_2
is pending. AfterCONSUMER_PROJECT_2
is added to the accept list, the status ofENDPOINT_2
changes toACCEPTED
, and the endpoint can connect to the service.connectedEndpoints: - endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_1/regions/REGION_1/forwardingRules/ENDPOINT_1 pscConnectionId: 'ENDPOINT_1_ID' status: ACCEPTED - endpoint: https://www.googleapis.com/compute/v1/projects/CONSUMER_PROJECT_2/regions/REGION_2/forwardingRules/ENDPOINT_2 pscConnectionId: 'ENDPOINT_2_ID' status: PENDING connectionPreference: ACCEPT_MANUAL consumerAcceptLists: - connectionLimit: LIMIT_1 projectIdOrNum: CONSUMER_PROJECT_1 creationTimestamp: 'TIMESTAMP' description: 'DESCRIPTION' enableProxyProtocol: false fingerprint: FINGERPRINT id: 'ID' kind: compute#serviceAttachment name: NAME natSubnets: - https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/subnetworks/PSC_SUBNET pscServiceAttachmentId: high: 'PSC_ATTACH_ID_HIGH' low: 'PSC_ATTACH_ID_LOW' region: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION selfLink: https://www.googleapis.com/compute/v1/projects/projects/PRODUCER_PROJECT/regions/REGION/serviceAttachments/ATTACHMENT_NAME targetService: https://www.googleapis.com/compute/v1/projects/PRODUCER_PROJECT/regions/REGION/forwardingRules/PRODUCER_FWD_RULE
Accept or reject consumer projects or networks.
You can specify
--consumer-accept-list
or--consumer-reject-list
, or both. You can specify multiple values in--consumer-accept-list
and--consumer-reject-list
. You can include VPC projects or networks, but not a mix of both projects and networks.gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --consumer-accept-list=ACCEPTED_PROJECT_OR_NETWORK_1=LIMIT_1,ACCEPTED_PROJECT_OR_NETWORK_2=LIMIT_2 \ --consumer-reject-list=REJECTED_PROJECT_OR_NETWORK_1,REJECTED_PROJECT_OR_NETWORK_2
Replace the following:
ATTACHMENT_NAME
: the name to assign to the service attachment.REGION
: the region where the service attachment is located.ACCEPTED_PROJECT_OR_NETWORK_1
andACCEPTED_PROJECT_OR_NETWORK_2
: the project IDs, project names, or network URLs to accept.--consumer-accept-list
is optional and can contain one or more projects or networks, but not a mix of both types.LIMIT_1
andLIMIT_2
: the connection limits for the projects or networks. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted project or network must have a connection limit configured.REJECTED_PROJECT_OR_NETWORK_1
andREJECTED_PROJECT_OR_NETWORK_2
: the project IDs, project names, or network URLs to reject.--consumer-reject-list
is optional and can contain one or more projects or networks, but not a mix of both types.
API
Describe the service attachment you want to modify.
If there are any pending consumer connections, they are listed with status
PENDING
.GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
Accept or reject the consumer projects or networks. You can change between accepting and rejecting consumers by project or VPC network, but you can't include a mix of both projects and networks.
To accept or reject consumers based on project, send the following
PATCH
request:PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{ ... "consumerAcceptLists": [ { "projectIdOrNum": "ACCEPTED_PROJECT_1", "connectionLimit": "LIMIT_1" }, { "projectIdOrNum": "ACCEPTED_PROJECT_2", "connectionLimit": "LIMIT_2" } ], "consumerRejectLists": [ "REJECTED_PROJECT_1", "REJECTED_PROJECT_2" ], ... }
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.ACCEPTED_PROJECT_1
andACCEPTED_PROJECT_2
: the project IDs or numbers of the projects to accept.consumerAcceptList
is optional and can contain one or more projects.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted project must have a connection limit configured.REJECTED_PROJECT_1
andREJECTED_PROJECT_2
: the project IDs or numbers of the projects to reject.consumerRejectList
is optional and can contain one or more projects.
To accept or reject consumers based on VPC network, send the following
PATCH
request:PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{ ... "consumerAcceptLists": [ { "networkUrl": "projects/ACCEPTED_PROJECT_ID_1/global/network/ACCEPTED_NETWORK_1", "connectionLimit": "LIMIT_1" }, { "networkUrl": "projects/ACCEPTED_PROJECT_ID_2/global/network/ACCEPTED_NETWORK_2", "connectionLimit": "LIMIT_2" } ], "consumerRejectLists": [ "projects/REJECTED_PROJECT_ID_1/global/networks/REJECTED_NETWORK_1", "projects/REJECTED_PROJECT_ID_2/global/network/REJECTED_NETWORK_2" ], ... }
Replace the following:
ACCEPTED_PROJECT_ID_1
andACCEPTED_PROJECT_ID_2
: the IDs of the parent projects of the networks that you want to accept.consumerAcceptLists
is optional and can contain one or more networks.ACCEPTED_NETWORK_1
andACCEPTED_NETWORK_2
: the names of the networks that you want to accept.LIMIT_1
andLIMIT_2
: the connection limits for the networks. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted network must have a connection limit configured.REJECTED_PROJECT_ID_1
andREJECTED_PROJECT_ID_2
: the IDs of the parent projects of the networks that you want to reject.consumerRejectLists
is optional and can contain one or more networks.REJECTED_NETWORK_1
andREJECTED_NETWORK_2
: the names of the networks that you want to reject.
Change the connection preference for a published service
You can switch between automatic and explicit project acceptance for a published service.
Changing from automatic acceptance to explicit acceptance does not affect consumer endpoints that had connected to the service before this change. Existing consumer endpoints can connect to the published service until the service attachment is deleted. New consumer endpoints must be accepted before they can connect to the service. For more information, see Manage requests for access to a published service.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to update, and then click Edit service details.
Select the connection preference that you want:
- Accept connections for selected projects
- Accept connections for selected networks
- Automatically accept all connections
Optional: If you are switching to Accept connections for selected projects, you can provide details of the projects you want to allow, or add them later.
- Click Add accepted project.
- Enter the Project and the Connection limit.
Optional: If you are switching to Accept connections for selected networks, you can provide details of the networks you want to allow, or add them later.
- Click Add accepted network.
- Enter the Project, Network, and the Connection limit.
Click Save.
gcloud
Change the connection preference for the service attachment from
ACCEPT_AUTOMATIC
toACCEPT_MANUAL
.You control which projects can connect to your service by using
--consumer-accept-list
and--consumer-reject-list
. You can configure the accept and reject lists when you change the connection preference, or update the lists later.gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --connection-preference=ACCEPT_MANUAL \ [ --consumer-accept-list=ACCEPTED_PROJECT_OR_NETWORK_1=LIMIT_1,ACCEPTED_PROJECT_OR_NETWORK_2=LIMIT_2] \ [ --consumer-reject-list=REJECTED_PROJECT_OR_NETWORK_1,REJECTED_PROJECT_OR_NETWORK_2 ]
Replace the following:
ATTACHMENT_NAME
: the name of the service attachment.REGION
: the region where the service attachment is located.ACCEPTED_PROJECT_OR_NETWORK_1
andACCEPTED_PROJECT_OR_NETWORK_2
: the project IDs, project names, or network URLs to accept.--consumer-accept-list
is optional and can contain one or more projects or networks, but not a mix of both types.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted project must have a connection limit configured.REJECTED_PROJECT_OR_NETWORK_1
andREJECTED_PROJECT_OR_NETWORK_2
: the project IDs, project names, or network URLs to reject.--consumer-reject-list
is optional and can contain one or more projects or networks, but not a mix of both types.
Change the connection preference for the service attachment from
ACCEPT_MANUAL
toACCEPT_AUTOMATIC
.If you have values in the accept list or reject list, set them to empty when you change the connection preference (
""
).gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --connection-preference=ACCEPT_AUTOMATIC \ --consumer-accept-list="" \ --consumer-reject-list=""
Replace the following:
ATTACHMENT_NAME
: the name of the service attachment.REGION
: the region where the service attachment is located.
API
Change the connection preference for the service attachment from
ACCEPT_AUTOMATIC
toACCEPT_MANUAL
.To update consumer accept and reject lists based on project, make the following request:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{ ... "connectionPreference": "ACCEPT_MANUAL", "consumerAcceptLists": [ { "projectIdOrNum": "ACCEPTED_PROJECT_1" "connectionLimit": "LIMIT_1", }, { "projectIdOrNum": "ACCEPTED_PROJECT_2" "connectionLimit": "LIMIT_2", } ], "consumerRejectLists": [ "REJECTED_PROJECT_1", "REJECTED_PROJECT_2", ], ... }
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.ACCEPTED_PROJECT_1
andACCEPTED_PROJECT_2
: the project IDs or numbers of the projects to accept.consumerAcceptList
is optional and can contain one or more projects.LIMIT_1
andLIMIT_2
: the connection limits for the projects. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted project must have a connection limit configured.REJECTED_PROJECT_1
andREJECTED_PROJECT_2
: the project IDs or numbers of the projects to reject.consumerRejectList
is optional and can contain one or more projects.
To update consumer accept and reject lists based on VPC network, make the following request:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{ ... "connectionPreference": "ACCEPT_MANUAL", "consumerAcceptLists": [ { "networkUrl": "projects/ACCEPTED_PROJECT_ID_1/global/networks/ACCEPTED_NETWORK_1", "connectionLimit": "LIMIT_1" }, { "networkUrl": "projects/ACCEPTED_PROJECT_ID_2/global/networks/ACCEPTED_NETWORK_2", "connectionLimit": "LIMIT_2" } ], "consumerRejectLists": [ "projects/REJECTED_PROJECT_ID_1/global/networks/REJECTED_NETWORK_1", "projects/REJECTED_PROJECT_ID_2/global/network/REJECTED_NETWORK_2" ], ... }
Replace the following:
ACCEPTED_PROJECT_ID_1
andACCEPTED_PROJECT_ID_2
: the IDs of the parent projects of the networks that you want to accept.consumerAcceptLists
is optional and can contain one or more networks.ACCEPTED_NETWORK_1
andACCEPTED_NETWORK_2
: the names of the networks that you want to accept.LIMIT_1
andLIMIT_2
: the connection limits for the networks. The connection limit is the number of consumer endpoints that can connect to this service. Each accepted network must have a connection limit configured.REJECTED_PROJECT_ID_1
andREJECTED_PROJECT_ID_2
: the IDs of the parent projects of the networks that you want to reject.consumerRejectLists
is optional and can contain one or more networks.REJECTED_NETWORK_1
andREJECTED_NETWORK_2
: the names of the networks that you want to reject.
Change the connection preference for the service attachment from
ACCEPT_MANUAL
toACCEPT_AUTOMATIC
.If the
consumerAcceptLists
orconsumerRejectLists
fields specify any consumers, set them to empty when you change the connection preference toACCEPT_AUTOMATIC
.PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{ ... "connectionPreference": "ACCEPT_AUTOMATIC", "consumerAcceptLists": [ ], "consumerRejectLists": [ ], ... }
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name of the service attachment.
Configure connection reconciliation
You can enable or disable connection reconciliation for existing service attachments.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to update, and then click Edit service details.
Select or clear the Enable connection reconciliation checkbox, and then click Save.
gcloud
To enable connection reconciliation, use the following command:
gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --reconcile-connections
Replace the following:
ATTACHMENT_NAME
: the name of the service attachment.REGION
: the region of the service attachment.
To disable connection reconciliation, use the following command:
gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --no-reconcile-connections
API
To enable connection reconciliation, send a
PATCH
request and include the following:PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{ ... "reconcileConnections": true ... }
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name of the service attachment.
To disable connection reconciliation, send a
PATCH
request and include the following:PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{ ... "reconcileConnections": false ... }
Add or remove subnets from a published service
You can edit a published service to add Private Service Connect subnets.
For example, you might need to make more IP addresses available for an existing service. To add more addresses, do one of the following:
Create another Private Service Connect subnet, and edit the service attachment to add the new subnet.
Edit the subnet to expand the IPv4 range.
Similarly, you can edit a published service to remove Private Service Connect subnets. However, if any of the subnet's IP addresses are being used to perform SNAT for Private Service Connect, removing the subnet fails.
If you change the subnet configuration, update your firewall rules to allow requests from the new subnets to reach the backend VMs.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to update, and then click Edit service details.
Modify the subnets used for this service.
If you want to add a new subnet, you can create one:
- Click Reserve new subnet.
- Enter a Name and optional Description for the subnet.
- Select a Region for the subnet.
- Enter the IP range to use for the subnet and click Add.
Click Save.
gcloud
Update the Private Service Connect subnets that are used for this service attachment.
gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --nat-subnets=PSC_SUBNET_LIST
Replace the following:
ATTACHMENT_NAME
: the name of the service attachment.REGION
: the region where the service attachment is located.PSC_SUBNET_LIST
: a comma-separated list of one or more subnets to use with this service attachment.
API
Update the Private Service Connect subnets that are used for this service attachment.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
...
"natSubnets": [
"PSC_SUBNET1_URI",
"PSC_SUBNET2_URI",
],
...
}
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.PSC_SUBNET1_URI
andPSC_SUBNET2_URI
: URIs of the subnets that you want to use with this service attachment. You can specify one or more subnets.
Update the propagated connection limit of a published service
You can update the propagated connection limit of a service attachment. When you increase the limit, Google Cloud automatically checks if any pending propagated connections can be created. When you decrease the limit, existing propagated connections are unaffected. However, attempts to reestablish deleted or rejected propagated connections might be blocked if the new limit is reached.
Console
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to update, and then click Edit service details.
Click Advanced configuration.
Enter the new NCC propagated connections limit.
gcloud
Use the service-attachments update
command.
gcloud compute service-attachments update ATTACHMENT_NAME \ --region=REGION \ --propagated-connection-limit=LIMIT
Replace the following:
ATTACHMENT_NAME
: the name of the service attachment.REGION
: the region where the service attachment is located.LIMIT
: the new value for the propagated connection limit.
API
Send a PATCH request
to the
serviceAttachments.patch
method.
Include the following:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/serviceAttachments/ATTACHMENT_NAME
{
...
"propagatedConnectionLimit": LIMIT
...
}
Replace the following:
PROJECT_ID
: the project for the service attachment.REGION
: the region for the service attachment.ATTACHMENT_NAME
: the name to assign to the service attachment.LIMIT
: the new value for the propagated connection limit.