I'm looking to understand the limitations of Cloud Interconnect, Private Service Connect and VLAN attachments to a consumer VPC network.
The application I'm working with has two services: 1) an HTTPS service, and 2) a custom protocol running over TCP.
The customer requires that traffic not traverse the public internet and that they have control over the IPv4 addressing and ACLs. They'll be using a cloud interconnect to reach GCP, terminating it as a VLAN attachment into a VPC network under their control.
To expose our services I configured an internal HTTPS load balancer and an internal TCP load balancer. Then I configured two Private Service Connect published services. Below is a diagram of what this looks like.
To test I substituted the cloud interconnect with a cloud VPN; everything seemed to work well. However, I'm concerned about this wording on a doc page covering PSC.
You cannot send requests from an on-premises environment that is connected to a VPC using Cloud Interconnect attachments (VLANs) to a Private Service Connect endpoint that is used to access services in another VPC network.
https://cloud.google.com/vpc/docs/configure-private-service-connect-services
This would indicate that I can't use the above architecture. Am I understanding this limitation correctly? Any good workarounds short of asking the customer to deploy VMs in their VPC network to act as a set of load balancers or proxies?
Yes, you are understanding the limitation correctly.
One workaround is to use VPC Network Peering instead of Private Service Connect. And at the firewall level, you can discriminate the traffic you want to send/receive between VPCs.
Hi, wdean.
It looks like it is now possible to do what you initially described (with some issues to take into consideration).
"Clients in networks that are connected to Google Cloud with VLAN attachments for Cloud Interconnect or Cloud VPN tunnels can reach Private Service Connect endpoints.
The VLAN attachment or Cloud VPN tunnel must terminate in the same VPC network as the endpoint. Clients in peered VPC networks cannot reach endpoints.
Client traffic from VLAN attachments or Cloud VPN tunnels can reach endpoints in another region if global access is configured.
The VLAN attachments must have dataplaneVersion: 2. Inspect your VLAN attachment to check what version it is on."
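As an added example that is not part of this thread, here is a small Python preflight check that applies the three quoted conditions (same VPC as the endpoint, global access for a cross-region endpoint, `dataplaneVersion: 2`) to the JSON fields that `gcloud compute interconnects attachments describe`, `gcloud compute routers describe` and `gcloud compute forwarding-rules describe` return with `--format=json`. The resource names and values below are constructed samples, and the check assumes the `region`, `router`, `network`, `dataplaneVersion` and `allowPscGlobalAccess` fields of those resources.

```python
# Constructed samples of the fields the check needs, shaped like the JSON that
# `gcloud compute interconnects attachments describe`, `gcloud compute routers
# describe` and `gcloud compute forwarding-rules describe` return with --format=json.
API = "https://www.googleapis.com/compute/v1/projects/example-project"

ATTACHMENT = {                       # the customer's VLAN attachment (constructed)
    "name": "attach-onprem-a",
    "region": API + "/regions/us-east1",
    "router": API + "/regions/us-east1/routers/cr-onprem",
    "dataplaneVersion": 1,
}
ROUTER = {                           # the Cloud Router the attachment is bound to
    "name": "cr-onprem",
    "network": API + "/global/networks/customer-vpc",
}
ENDPOINT = {                         # the PSC endpoint: a forwarding rule targeting a service attachment
    "name": "psc-https-endpoint",
    "region": API + "/regions/us-central1",
    "network": API + "/global/networks/customer-vpc",
    "target": API + "/regions/us-central1/serviceAttachments/https-svc",
    "allowPscGlobalAccess": False,
}


def last_segment(url):
    """Compare resources by the trailing name of their self-link URL."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def psc_reachability_issues(attachment, router, endpoint):
    """Return the reasons (empty list if none) why on-premises clients behind this
    VLAN attachment would not reach the PSC endpoint, per the documented conditions."""
    issues = []
    att_net, ep_net = last_segment(router["network"]), last_segment(endpoint["network"])
    # 1. The attachment must terminate in the endpoint's own VPC; a peered VPC is not enough.
    if att_net != ep_net:
        issues.append(f"attachment terminates in {att_net}, endpoint is in {ep_net}")
    # 2. An endpoint in another region is reachable only with global access enabled.
    if last_segment(attachment["region"]) != last_segment(endpoint["region"]) \
            and not endpoint.get("allowPscGlobalAccess", False):
        issues.append("endpoint is in another region and allowPscGlobalAccess is off")
    # 3. Only dataplane v2 attachments can reach PSC endpoints.
    if attachment.get("dataplaneVersion") != 2:
        issues.append(f"attachment dataplaneVersion is {attachment.get('dataplaneVersion')}, must be 2")
    return issues


if __name__ == "__main__":
    for issue in psc_reachability_issues(ATTACHMENT, ROUTER, ENDPOINT):
        print("BLOCKED:", issue)
```

Run it against the real `describe` output of each attachment and PSC endpoint before cutting the customer over; an empty list means none of the documented blockers apply.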