Connect to services on another VPC via Private Service Connect (PSC)

  • Published 7 Jul 2023
  • Connecting services that run on different VPC networks in Google Cloud Platform (GCP) has always been a challenge.
    Typically, organisations either go through the cumbersome process of aligning IP address spaces in advance, which is rarely done, or teams find themselves unable to connect their services because those services live in private VPCs. Shared VPCs and private VPCs each have their purpose, so in many scenarios it is hard to predict whether cross-team connectivity will be needed, and just as hard to anticipate whether a service will later have to be exposed to a wider audience.
    This is where the Private Service Connect (PSC) feature comes in. Having tested it, I think PSC is a significant advancement that resolves this problem with an elegant design. In this video I walk through the common issues I run into and explain in detail how PSC addresses them.
    I am truly enthusiastic about the impact this solution could have on VPC networking across the GCP ecosystem as a whole.
    Slides: docs.google.com/presentation/...
    01:00 - The problem with cross VPC connectivity
    04:12 - What is Private Service Connect (PSC)?
    07:20 - Use PSC to connect to services on another VPC
    10:39 - Demo
    17:27 - The future design of microservices networking using PSC
    19:51 - Summary
  • Science & Technology

COMMENTS • 25

  • @sadhucat4476
    @sadhucat4476 5 months ago +4

    Finally a clear and well communicated explanation and demo! Subscribed!

  • @user-uu3qe6zy5r
    @user-uu3qe6zy5r 11 months ago +4

    Great Explanation of Private Service Connect, very concise and easy to understand

  • @jeffreysun6799
    @jeffreysun6799 7 months ago +2

    very well explained, congrats !!

  • @stanislavkardashov6180
    @stanislavkardashov6180 8 months ago

    Great material! thank you

  • @ralphotowo5142
    @ralphotowo5142 7 months ago +1

    Great explanation, thank you. Is it possible to use private service connect to access managed services like GKE's API server and so on?

    • @practicalgcp2780
      @practicalgcp2780 7 months ago +1

      I don’t see why not. A PSC service attachment can be put on top of any internal load balancer, and you can create one for the GKE cluster: cloud.google.com/kubernetes-engine/docs/concepts/ingress-ilb. I haven’t tried this myself, but I can’t see why it won’t work.

    • @ralphotowo5142
      @ralphotowo5142 7 months ago

      @@practicalgcp2780 Thanks for your feedback. I looked at the article, and that will work for services that are deployed into the cluster and exposed using a load balancer. I was referring to the Kubernetes control plane itself (the same endpoint that is baked into a ~/.kube/config file). The requirement is to spin up a private GKE cluster with no public IP assigned to the API server, but be able to manage the cluster using its private IP from another VPC.

  • @laurentiuspurba2735
    @laurentiuspurba2735 8 months ago +2

    When you said Team A GCP Project and Team B GCP Project, which ones are these in the demo? I only saw one project, which is rocketech-de-pgcp-sandbox. Could you help me with this one? Thank you! Excellent video 👍

    • @InvertThinkers-vs6le
      @InvertThinkers-vs6le 8 months ago +1

      The sandbox project is one, and you can just have another one; it doesn't matter what it is. It's easier to see this if you have two GCP projects, A & B: you publish the service in A, and create the Endpoint in B to subscribe to it.

    • @laurentiuspurba2735
      @laurentiuspurba2735 8 months ago

      @@InvertThinkers-vs6le CMIIW, so all producer and consumer setups are configured in producer side only?

    • @practicalgcp2780
      @practicalgcp2780 8 months ago

      No, the producer side is configured in the producer GCP project; this is where you publish the service. On the consumer project, you create the endpoint. If you know how Cloud Pub/Sub works, with the topic on the publisher side and the subscription on the consumer side, it’s a very similar pattern based on the publisher/subscriber model. This is a very powerful setup, because the consumer side can create the endpoint themselves, without needing the producer side to get involved, and the two sides are typically managed by different teams.

    • @laurentiuspurba2735
      @laurentiuspurba2735 8 months ago

      @@practicalgcp2780 But I didn't see him configure the consumer setup in a consumer project. I just saw one project, which is rocketech-de-pgcp-sandbox, in his video. I have the same use case as this video: I have Cloud Run in Project A, and would like it to be accessible from Project B.

    • @practicalgcp2780
      @practicalgcp2780 8 months ago

      Sorry, both were me 😅; somehow UA-cam decided to use a different account I was also logged in with. So I can’t remember if I used one project or two. But the concept is the same. See 14:13: there is a service attachment URI, which is what you need to use when setting up the endpoint.

  • @TanujBolisetty
    @TanujBolisetty 10 months ago +1

    Can you explain how the Service attachment exposes itself to the consumer endpoint?

    • @practicalgcp2780
      @practicalgcp2780 10 months ago

      So when you create the service attachment, you can specify which other projects (or VPC networks within those projects) can create their consumer endpoint to attach to the service attachment. This allows the consumer to create it in their project and hence establish the connection. You can have a look at this section of the docs, which I believe is well explained: cloud.google.com/vpc/docs/private-service-connect#endpoints
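A worked version of the producer/consumer split described in the two threads above (the producer publishes in its own project, the consumer creates the endpoint in its own project, and the attachment's accept list decides which consumer projects may connect), as an added example that is not from the video or its author. It assumes an internal load balancer forwarding rule already exists in the producer project; every project, network, subnet, IP range and resource name below is a placeholder, and the script prints the gcloud commands instead of running them unless DRY_RUN=0 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the video: the two halves of a Private Service Connect
# setup as gcloud commands. All names, projects and ranges are placeholders.
set -euo pipefail

# Run a command, or just print it when DRY_RUN=1 (the default), so the plan can
# be reviewed before any resource is created.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Producer project: publish an existing internal load balancer forwarding rule
# as a service attachment. ACCEPT_MANUAL plus an accept list means only the
# listed consumer projects may attach, each capped at the given number of
# endpoints; nothing else on the internet or in other VPCs can reach it.
# Arguments: producer project, region, ILB forwarding rule name, accept list
# in PROJECT=LIMIT form (placeholders).
psc_publish() {
  local producer_project="$1" region="$2" ilb_rule="$3" accept="$4"
  # Dedicated NAT subnet for PSC: consumer traffic arrives SNATed to addresses
  # from this range, so producer firewall rules should allow it explicitly.
  run gcloud compute networks subnets create psc-nat-subnet \
    --project="$producer_project" --region="$region" \
    --network=producer-vpc --range=10.100.0.0/24 \
    --purpose=PRIVATE_SERVICE_CONNECT
  run gcloud compute service-attachments create my-service-attachment \
    --project="$producer_project" --region="$region" \
    --producer-forwarding-rule="$ilb_rule" \
    --connection-preference=ACCEPT_MANUAL \
    --consumer-accept-list="$accept" \
    --nat-subnets=psc-nat-subnet
}

# Consumer project: reserve an internal IP in the consumer's own VPC and point
# a forwarding rule at the producer's service attachment URI. The producer is
# not involved; the consumer only needs the URI and to be on the accept list.
# Arguments: consumer project, region, service attachment URI (placeholders).
psc_subscribe() {
  local consumer_project="$1" region="$2" attachment_uri="$3"
  run gcloud compute addresses create psc-endpoint-ip \
    --project="$consumer_project" --region="$region" \
    --subnet=consumer-subnet --addresses=10.200.0.10
  run gcloud compute forwarding-rules create psc-endpoint \
    --project="$consumer_project" --region="$region" \
    --network=consumer-vpc --address=psc-endpoint-ip \
    --target-service-attachment="$attachment_uri"
}

# Check from the producer side: connectedEndpoints lists every consumer
# endpoint and its status, which should read ACCEPTED for the new endpoint.
psc_status() {
  run gcloud compute service-attachments describe my-service-attachment \
    --project="$1" --region="$2" --format='value(connectedEndpoints)'
}

# Usage (dry run): print the plan for a Team A producer and Team B consumer.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  psc_publish team-a-project europe-west2 my-ilb-forwarding-rule team-b-project=10
  psc_subscribe team-b-project europe-west2 \
    projects/team-a-project/regions/europe-west2/serviceAttachments/my-service-attachment
  psc_status team-a-project europe-west2
fi
```

The ordering matters for the accept list: if the consumer creates its endpoint before its project is on the list, the connection shows up as REJECTED or PENDING in `connectedEndpoints` rather than ACCEPTED, which is the first thing to check when a consumer reports timeouts.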

  • @reverse_3258
    @reverse_3258 9 months ago

    Is this exclusive to when both sides are using a GCP environment? What if my Cloud Run service wants to send outbound traffic to a VM on an on-premises network; will PSC still work?

    • @practicalgcp2780
      @practicalgcp2780 9 months ago +1

      So my understanding is you don’t use PSC to do that; instead you would need Interconnect in order to send outbound traffic from the GCP network to on-prem. So typically Interconnect is deployed to a shared VPC, and you can use a VPC connector (or Direct VPC egress, currently in preview) to a subnet on the shared VPC, and then you can talk to the on-prem network, given all the firewalls and routes are set up correctly.

    • @reverse_3258
      @reverse_3258 9 months ago

      @@practicalgcp2780 What needs to be checked on the firewalls and routes to make sure these are all set up correctly? It works fine if the consumer is using a VM from a different project, but when I use a serverless service (e.g. Cloud Functions or Cloud Run), I always get 'connection timed out'. Please help.

  • @rmca11
    @rmca11 8 months ago

    How would you compare this to a service mesh like Istio or Consul?

    • @practicalgcp2780
      @practicalgcp2780 8 months ago +2

      Not that familiar with either, but aren't these more geared towards k8s? PSC, I think, is more at the VPC routing level to let you connect services on different networks together; I don’t think they are comparable.

  • @vinG91
    @vinG91 5 months ago +3

    this PSC is so unclear in the doc