This tutorial shows you how to make a load-balanced service available from other VPC networks by using Private Service Connect.
By default, the internal passthrough Network Load Balancer that you created in the previous tutorial is available only within its own VPC network. With Private Service Connect, you can publish the service to make it available to resources in other VPC networks.
This tutorial is intended for cloud architects, network architects, network administrators, and IT administrators.
Objectives
- Create the published service
- Create a firewall rule for published service traffic
- Get the service attachment URI
Costs
In this document, you use the following billable components of Cloud de Confiance by S3NS:
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
Before you begin
- Complete the steps in the previous tutorial, Create a load-balanced service.
- Select the service producer project (PRODUCER_PROJECT) that you selected or created in the previous tutorial. Use this project for the steps in this tutorial.
Create the published service
To make the service available from other VPC networks, you publish the service. To publish a service, create the following resources in the same network and region as the load balancer:
- A Private Service Connect subnet that provides IP addresses for network address translation (NAT) between the producer and consumer networks.
- A service attachment.
These instructions create a published service that is accessible from any project (connection preference ACCEPT_AUTOMATIC). In a production environment, you might instead limit which projects can connect: publish with the connection preference ACCEPT_MANUAL and an explicit consumer accept list (in gcloud, --connection-preference=ACCEPT_MANUAL together with --consumer-accept-list=PROJECT=LIMIT), so that only the listed consumer projects can connect, each up to its connection limit.
Console
In the Cloud de Confiance console, go to the Private Service Connect page.
Click the Published services tab.
Click Publish service.
In the Target details section, select Load balancer.
Select Internal passthrough Network Load Balancer.
Select the internal load balancer that you created, service-lb.
For Service name, enter published-service.
Create a Private Service Connect subnet for NAT:
- Click Subnets, and then click Reserve new subnet.
- For Name, enter nat-subnet.
- For Region, select REGION.
- For IPv4 range, enter 10.10.20.0/22.
- Click Add.
For Connection preference, select Automatically accept all connections.
Click Add service.
gcloud
Create a Private Service Connect subnet by using the gcloud compute networks subnets create command.

```shell
gcloud compute networks subnets create nat-subnet \
    --network=service-network \
    --region=REGION \
    --range=10.10.20.0/22 \
    --purpose=PRIVATE_SERVICE_CONNECT
```

To publish the service, use the gcloud compute service-attachments create command.

```shell
gcloud compute service-attachments create published-service \
    --region=REGION \
    --target-service=projects/PRODUCER_PROJECT/regions/REGION/forwardingRules/service-rule \
    --connection-preference=ACCEPT_AUTOMATIC \
    --nat-subnets=nat-subnet
```

Replace the following:
- PRODUCER_PROJECT: the ID of the producer project.
- REGION: the region for the service attachment. This must be the same region as the IP address of the target forwarding rule.
Create a firewall rule for published service traffic
Create a firewall rule to let traffic from the Private Service Connect NAT subnet reach the load balancer's backend VMs. Private Service Connect translates the source addresses of consumer traffic to addresses from the NAT subnet, so the backend VMs see connections arriving from 10.10.20.0/22 rather than from the consumer's own address range; the rule must therefore allow that subnet as the source.
Console
In the Cloud de Confiance console, go to the Firewall policies page.
To let traffic from the Private Service Connect NAT subnet reach the load balancer's backend VMs, click Create firewall rule and use the following settings:
- For Name, enter fw-allow-nat.
- For Network, select service-network.
- For Priority, enter 1000.
- For Direction of traffic, select Ingress.
- For Action on match, select Allow.
- For Targets, select Specified target tags.
- For Target tags, enter allow-nat.
- For Source filter, select IPv4 ranges.
- For Source IPv4 ranges, enter 10.10.20.0/22.
- For Protocols and ports, select Allow all.
Click Create.
gcloud
Create the fw-allow-nat firewall rule to allow communication from the Private Service Connect NAT subnet to the VM backends:

```shell
gcloud compute firewall-rules create fw-allow-nat \
    --network=service-network \
    --action=allow \
    --direction=ingress \
    --source-ranges=10.10.20.0/22 \
    --rules=tcp,udp,icmp
```

As written, this command has no --target-tags flag, so the rule applies to every instance in service-network, not only to the backend VMs as the console rule above does (Target tags: allow-nat). To scope it to the backends, add --target-tags=allow-nat and make sure the backend VMs carry that tag.
Get the service attachment URI
You use the service attachment URI to configure the endpoint in the next tutorial, Access the service from another VPC network.
Console
In the Cloud de Confiance console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to view.
The Service attachment field contains the service attachment URI.
gcloud
View details for the published service by using the gcloud compute service-attachments describe command. The selfLink field contains the service attachment URI.

```shell
gcloud compute service-attachments describe published-service \
    --region=REGION
```

Replace REGION with the region that contains the service attachment.
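The describe output contains more than the URI: it also shows the connection preference and the consumer endpoints that are already connected, and a producer should check both before handing the URI to a consumer. The following shell script is an added example and is not part of this tutorial or of the gcloud tooling: it parses describe output produced with --format=yaml, extracts the selfLink, converts it to the short projects/... form, counts connected endpoints, and warns when the attachment auto-accepts any project. The two describe outputs embedded in it are constructed samples with invented project names and connection IDs; the field names selfLink, connectionPreference, connectedEndpoints and consumerAcceptLists are those the describe command prints, but the exact layout of the sample is assumed.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit the output of
#   gcloud compute service-attachments describe published-service --region=REGION --format=yaml
# before handing the selfLink to a consumer.
# Usage with real output:
#   audit_attachment "$(gcloud compute service-attachments describe published-service --region=REGION --format=yaml)"

# Constructed sample: the attachment this tutorial creates (ACCEPT_AUTOMATIC).
# Project names, connection ID and layout are invented for the example.
SAMPLE_OPEN='connectionPreference: ACCEPT_AUTOMATIC
connectedEndpoints:
- endpoint: https://www.googleapis.com/compute/v1/projects/consumer-project/regions/REGION/forwardingRules/psc-endpoint
  pscConnectionId: "1234567890"
  status: ACCEPTED
name: published-service
natSubnets:
- https://www.googleapis.com/compute/v1/projects/producer-project/regions/REGION/subnetworks/nat-subnet
selfLink: https://www.googleapis.com/compute/v1/projects/producer-project/regions/REGION/serviceAttachments/published-service
targetService: https://www.googleapis.com/compute/v1/projects/producer-project/regions/REGION/forwardingRules/service-rule'

# Constructed sample: the same attachment republished with an explicit accept list.
SAMPLE_RESTRICTED='connectionPreference: ACCEPT_MANUAL
consumerAcceptLists:
- connectionLimit: 5
  projectIdOrNum: consumer-project
name: published-service
selfLink: https://www.googleapis.com/compute/v1/projects/producer-project/regions/REGION/serviceAttachments/published-service'

# Print the value of a top-level "key: value" line read from stdin (first match only).
yaml_field() {
  awk -v key="$1" '/^[A-Za-z]/ && $1 == key ":" { sub(/^[^:]*: */, ""); print; exit }'
}

# Full service attachment URI (the selfLink field).
attachment_uri() {
  printf '%s\n' "$1" | yaml_field selfLink
}

# The same URI without the API prefix, i.e. projects/.../regions/.../serviceAttachments/...
attachment_short_uri() {
  attachment_uri "$1" | sed 's#^https://www.googleapis.com/compute/v1/##'
}

# Succeeds only if the attachment requires consumers to be on the accept list.
attachment_is_restricted() {
  [ "$(printf '%s\n' "$1" | yaml_field connectionPreference)" = "ACCEPT_MANUAL" ]
}

# Number of consumer endpoints currently connected (0 if the field is absent).
connected_endpoint_count() {
  printf '%s\n' "$1" | grep -c '^- endpoint: ' || true
}

# Human-readable summary; always exits 0 so it can be used in pipelines.
audit_attachment() {
  echo "Service attachment URI: $(attachment_uri "$1")"
  echo "Short form for consumers: $(attachment_short_uri "$1")"
  echo "Connected endpoints: $(connected_endpoint_count "$1")"
  if attachment_is_restricted "$1"; then
    echo "Connection preference: ACCEPT_MANUAL (only listed consumer projects can connect)"
  else
    echo "WARNING: connection preference is ACCEPT_AUTOMATIC; any project can connect to this service"
  fi
}

audit_attachment "$SAMPLE_OPEN"
echo
audit_attachment "$SAMPLE_RESTRICTED"
```

The parser only reads top-level scalar fields, which is all the check needs; the endpoint count is a plain line match on the connectedEndpoints list. Run the script against real output with --format=yaml, since the default describe output is also YAML-shaped but the script was written and tested only against the constructed samples above.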