Connecting GCP VPC Networks — Using Private Service Connect

Biju Kunjummen
3 min readSep 20, 2023


Consider a scenario where a company has two GCP projects, each with a different VPC Network.

For services in one VPC to reach services in the other, the easiest approach is VPC Network Peering, which makes the two networks routable to each other.

VPC peering, however, is far too broad: every internal IP in each VPC becomes reachable from the other, and the two address ranges must not overlap. When the intention is to selectively expose a single service, a better mechanism is Private Service Connect (PSC).

Producer Service

As an example, consider a service deployed to a GKE cluster in the Producer VPC and exposed through an internal load balancer.

To publish this internal load balancer to another VPC, a service attachment is created in the Producer project, with the target pointing to the internal load balancer's forwarding rule. The attachment's connection preference and consumer accept list decide which consumer projects are allowed to connect, which is what makes the exposure selective. The configuration looks something like this:

Consumer View

Now, from the Consumer VPC's perspective, a "Connected Endpoint" (a forwarding rule with a reserved internal address) has to be created pointing to the published service on the Producer side:

and a private IP from the Consumer VPC's own subnet is assigned to this endpoint. This is clean: there are no IP conflicts to manage, because the Producer's address range is never imported into the Consumer VPC. It does not matter what the Producer's IP range is, or whether it overlaps the Consumer's. On the Producer side, connections arrive source-NATed to addresses from a dedicated PSC NAT subnet, so the Producer's firewall rules only need to admit that subnet, never the Consumer's addresses.

The full end-to-end flow looks something like this:
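The producer and consumer steps above, written out as Terraform for the Google provider. This is an added example, not configuration from the original post: the project IDs, network and subnet names, region, CIDR, backend port, node tag and the name of the GKE-created forwarding rule are all assumed placeholders. It keeps the selective-exposure property by using ACCEPT_MANUAL with an explicit accept list, and it admits traffic on the producer side only from the PSC NAT subnet.

```hcl
# ---------------- Producer project ----------------

# The GKE Service exposed through an internal load balancer already exists;
# its regional internal forwarding rule is looked up by name (name assumed).
data "google_compute_forwarding_rule" "ilb" {
  project = "producer-project" # assumed
  region  = "us-central1"      # assumed
  name    = "orders-ilb"       # assumed: forwarding rule behind the GKE Service
}

# PSC NAT subnet. Consumer connections are source-NATed to this range before
# they reach the load balancer. It must not overlap other producer subnets,
# but consumer VPC ranges are irrelevant to it.
resource "google_compute_subnetwork" "psc_nat" {
  project       = "producer-project"
  name          = "psc-nat"
  region        = "us-central1"
  network       = "producer-vpc"   # assumed
  ip_cidr_range = "10.200.0.0/24"  # assumed
  purpose       = "PRIVATE_SERVICE_CONNECT"
}

# Producer firewall: admit only the NAT subnet, never consumer CIDRs.
resource "google_compute_firewall" "allow_from_psc_nat" {
  project       = "producer-project"
  name          = "allow-from-psc-nat"
  network       = "producer-vpc"
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.psc_nat.ip_cidr_range]
  target_tags   = ["gke-node"]  # assumed tag on the GKE nodes
  allow {
    protocol = "tcp"
    ports    = ["8080"]         # assumed backend port of the service
  }
}

# The published service. ACCEPT_MANUAL plus an accept list means only the
# listed consumer project can connect, capped at connection_limit endpoints.
# ACCEPT_AUTOMATIC would let any project that learns the attachment URI connect.
resource "google_compute_service_attachment" "orders" {
  project               = "producer-project"
  name                  = "orders-service"  # assumed
  region                = "us-central1"
  target_service        = data.google_compute_forwarding_rule.ilb.self_link
  nat_subnets           = [google_compute_subnetwork.psc_nat.id]
  enable_proxy_protocol = false
  connection_preference = "ACCEPT_MANUAL"
  consumer_accept_lists {
    project_id_or_num = "consumer-project"  # assumed
    connection_limit  = 1
  }
}

# ---------------- Consumer project ----------------

# Reserve an address from an ordinary subnet in the consumer VPC; this is the
# IP that consumer workloads will talk to.
resource "google_compute_address" "orders_endpoint_ip" {
  project      = "consumer-project"
  name         = "orders-endpoint-ip"
  region       = "us-central1"
  subnetwork   = "consumer-subnet"  # assumed
  address_type = "INTERNAL"
}

# The connected endpoint: a forwarding rule whose target is the producer's
# service attachment. load_balancing_scheme must be empty for a PSC endpoint.
resource "google_compute_forwarding_rule" "orders_endpoint" {
  project               = "consumer-project"
  name                  = "orders-endpoint"
  region                = "us-central1"
  network               = "consumer-vpc"  # assumed
  ip_address            = google_compute_address.orders_endpoint_ip.id
  load_balancing_scheme = ""
  target                = google_compute_service_attachment.orders.id
}

# Expect "ACCEPTED". "PENDING" means the consumer project is not on the
# producer's accept list (or its connection limit is exhausted).
output "orders_endpoint_status" {
  value = google_compute_forwarding_rule.orders_endpoint.psc_connection_status
}
```

In practice the two halves live in separate Terraform configurations owned by the two projects; the consumer only needs the service attachment's URI, and the producer's accept list is the gate that decides whether that URI is usable.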

Conclusion

Private Service Connect provides a clean way to selectively expose a service into the private address space of a consuming VPC, without peering the two networks or reconciling their IP ranges. It is an elegant solution for connecting two disparate VPCs. Private Service Connect is becoming a go-to solution for fully managed services such as GKE and Apigee when integrating with a customer's VPC, as well as for third-party services such as Confluent Cloud and MongoDB Atlas.


Written by Biju Kunjummen

Sharing knowledge about Java, Cloud and general software engineering practices
