
Private Service Connect (PSC) is a Google Cloud networking feature that enables private access to services across different VPCs, projects, and even organizations. It offers a modern alternative to traditional methods, such as exposing services via public IP addresses, managing complex VPC network peering configurations, or relying on VPNs. PSC simplifies networking by allowing consumers to access services using a private IP address from their own VPC, with all traffic staying securely within Google’s network.
Private Service Connect refresher
The producer publishes a service by placing an internal load balancer in front of it. They then create a service attachment in a dedicated PSC subnet. This attachment acts as a private, secure entry point for the service.
The consumer can then create a private endpoint — a forwarding rule with an internal IP address — within their own VPC. This endpoint connects directly to the producer’s service attachment, allowing the consumer to access the service privately.
While it might seem similar to VPC peering, PSC has a key advantage: it allows the consumer and producer VPCs to have overlapping IP address ranges. This is because PSC doesn’t connect the entire networks together. The consumer only sees the private endpoint they connect to, not the producer’s entire VPC network. This isolation is a major benefit for network design and security.
How PSC works in Cloud SQL
The good news for Cloud SQL users is that Cloud SQL does not run inside a customer VPC, so there is nothing you need to (or can) configure on the producer side: the Google-managed producer VPC, the internal load balancer in front of the instance and the dedicated PSC subnet are all managed by Google.
To enable PSC on a Cloud SQL instance, you enable the setting in the instance configuration and provide the list of consumer projects that are allowlisted to connect to the instance. Only endpoints created from those projects are accepted; an endpoint created from any other project will not reach the instance.
On the consumer side, you need the instance's service attachment URI in order to create the endpoint within your own VPC. The producer can read it from the instance description (the pscServiceAttachmentLink field), together with the instance's DNS name (the dnsName field), and hand both to the consumer team.
Connecting with PSC
To establish a private connection from your application to the Cloud SQL instance, you'll use the Cloud SQL Auth Proxy alongside a private managed DNS zone in your VPC.
- DNS Setup: To connect securely, you must configure a private managed DNS zone within your VPC. You'll then create a DNS "A" record that maps the Cloud SQL instance's DNS name (e.g., INSTANCE_UID.PROJECT_DNS_LABEL.REGION.sql.goog.) to the private IP address of your PSC endpoint. The proxy relies on this DNS record to find the internal network path to your instance.
- Connecting with the Proxy: When running the Cloud SQL Auth Proxy, you must use the --psc flag. This flag instructs the proxy to connect through the instance's private DNS name, so traffic reaches the PSC endpoint in your VPC and never traverses the public internet.
This may seem like a lot of steps, but it is something you can easily automate using Infrastructure as Code (IaC) tooling. Alternatively, you can connect to the private IP address of the PSC endpoint directly, keeping in mind that you then give up what the proxy does for you (IAM-based authentication and automatic TLS), so you must configure TLS and database credentials on the client yourself.
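As an added example (not code from the original article), the following gcloud script walks the whole procedure above end to end: the producer creates the instance with PSC enabled and the consumer project allowlisted, the consumer reserves an internal IP and creates the endpoint, checks that the connection was accepted, adds the private zone and A record, and finally starts the Cloud SQL Auth Proxy with --psc. Every project, network, instance and IP name is an assumed placeholder; the script only prints the commands unless you set DRY_RUN=0, and the two small helpers (fqdn, is_service_attachment) are defensive checks added here, not part of any Google tooling.

```shell
#!/bin/sh
# Added example: end-to-end PSC wiring for a Cloud SQL instance with gcloud.
# Illustrative code, not from the original article. All project, network,
# instance and IP values are assumed placeholders. By default the script only
# prints the gcloud commands (DRY_RUN=1); run with DRY_RUN=0 to execute them.
set -eu

PRODUCER_PROJECT="${PRODUCER_PROJECT:-db-team-prod}"        # assumed: project owning the instance
CONSUMER_PROJECT="${CONSUMER_PROJECT:-frontend-team-prod}"  # assumed: project that will connect
REGION="${REGION:-us-central1}"
INSTANCE="${INSTANCE:-orders-db}"                           # assumed instance name
CONSUMER_NETWORK="${CONSUMER_NETWORK:-frontend-vpc}"        # assumed consumer VPC
CONSUMER_SUBNET="${CONSUMER_SUBNET:-frontend-subnet}"       # assumed subnet in REGION
ENDPOINT_IP="${ENDPOINT_IP:-10.10.0.50}"                    # assumed free IP in that subnet
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Cloud DNS wants fully qualified names (trailing dot). The instance's dnsName
# already carries one, but normalise anyway so the record is always accepted.
fqdn() {
  case "$1" in
    *.) printf '%s\n' "$1" ;;
    *)  printf '%s.\n' "$1" ;;
  esac
}

# Refuse anything that is not a regional service attachment link before
# handing it to the forwarding rule (guards against pasting the wrong field).
is_service_attachment() {
  case "$1" in
    projects/*/regions/*/serviceAttachments/*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  # 1. Producer: create the instance with PSC enabled and the consumer project allowlisted.
  run gcloud sql instances create "$INSTANCE" --project="$PRODUCER_PROJECT" --region="$REGION" \
    --database-version=POSTGRES_15 --tier=db-custom-2-8192 --availability-type=REGIONAL \
    --no-assign-ip --enable-private-service-connect --allowed-psc-projects="$CONSUMER_PROJECT"

  # 2. Producer shares the service attachment URI and DNS name with the consumer team.
  if [ "$DRY_RUN" = "1" ]; then
    # Placeholders standing in for the real describe output.
    SA_LINK="projects/$PRODUCER_PROJECT/regions/$REGION/serviceAttachments/placeholder-attachment"
    DNS_NAME="placeholder-uid.placeholder-label.$REGION.sql.goog."
  else
    SA_LINK=$(gcloud sql instances describe "$INSTANCE" --project="$PRODUCER_PROJECT" \
      --format='value(pscServiceAttachmentLink)')
    DNS_NAME=$(gcloud sql instances describe "$INSTANCE" --project="$PRODUCER_PROJECT" \
      --format='value(dnsName)')
  fi
  is_service_attachment "$SA_LINK" || { echo "unexpected service attachment link: $SA_LINK" >&2; exit 1; }

  # 3. Consumer: reserve an internal IP and create the PSC endpoint (a forwarding rule).
  run gcloud compute addresses create "${INSTANCE}-psc-ip" --project="$CONSUMER_PROJECT" \
    --region="$REGION" --subnet="$CONSUMER_SUBNET" --addresses="$ENDPOINT_IP"
  run gcloud compute forwarding-rules create "${INSTANCE}-psc-endpoint" --project="$CONSUMER_PROJECT" \
    --region="$REGION" --network="$CONSUMER_NETWORK" --address="${INSTANCE}-psc-ip" \
    --target-service-attachment="$SA_LINK" --allow-psc-global-access
  # Check: status must be ACCEPTED. PENDING usually means CONSUMER_PROJECT is not allowlisted.
  run gcloud compute forwarding-rules describe "${INSTANCE}-psc-endpoint" --project="$CONSUMER_PROJECT" \
    --region="$REGION" --format='value(pscConnectionStatus)'

  # 4. Consumer: private zone for REGION.sql.goog. plus an A record mapping the
  #    instance DNS name to the endpoint IP, which is what the proxy resolves.
  run gcloud dns managed-zones create "${INSTANCE}-psc-zone" --project="$CONSUMER_PROJECT" \
    --dns-name="$(fqdn "$REGION.sql.goog")" --networks="$CONSUMER_NETWORK" \
    --visibility=private --description="Cloud SQL PSC records"
  run gcloud dns record-sets create "$(fqdn "$DNS_NAME")" --project="$CONSUMER_PROJECT" \
    --zone="${INSTANCE}-psc-zone" --type=A --ttl=300 --rrdatas="$ENDPOINT_IP"

  # 5. Consumer workload: the proxy uses the private DNS name, never a public IP.
  run ./cloud-sql-proxy --psc "$PRODUCER_PROJECT:$REGION:$INSTANCE"
}

main "$@"
```

The two gcloud describe calls are where the producer and consumer hand-off happens in practice: in a two-team setup the producer runs step 2 and sends SA_LINK and DNS_NAME over, and the consumer runs steps 3 to 5 in their own project. If the forwarding rule stays PENDING, check the allowlist on the instance before debugging DNS; the A record cannot help until the endpoint is ACCEPTED.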
When to get “Fancy” with your connectivity
Private Service Connect should be used in any scenario you need to access (or share) a service privately and securely from within your Google Cloud VPC, without exposing traffic to the public internet.
PSC is also an excellent solution for large organizations that have services traditionally siloed in different projects and managed by separate teams. For example, a database team can publish a production Cloud SQL database from their project, allowing a frontend application team in a different project to consume it privately. Networking is simplified by decoupling projects and not having to worry about overlapping CIDR ranges like you would with VPC peering.
Operational overhead is reduced while security is enhanced: the consumer needs only a forwarding rule in its own VPC and the producer needs only to allowlist the consumer project, so there is little cross-team IAM to manage just to make the network path work. Keep in mind that PSC solves reachability, not authentication: the IAM roles needed to connect (for example Cloud SQL Client) and the database credentials still apply, which is exactly what you want under regimes like PCI-DSS that require strict controls and encryption for data access.
IMPORTANT: currently, if you have PSC configured, you cannot enable connector enforcement (requiring the Cloud SQL Auth Proxy or a Cloud SQL connector for every connection) if you also have read replicas.
Source Credit: https://medium.com/google-cloud/why-cant-i-connect-to-cloud-sql-demystifying-networking-for-your-database-44075c61d6e9?source=rss—-e52cf94d98af—4