Private Service Connect overview

This page describes concepts associated with Private Service Connect. You can use Private Service Connect for the following purposes:

  • Connect to a Cloud SQL instance from multiple VPC networks that belong to different groups, teams, projects, or organizations
  • Connect to either a primary instance or any of its read replicas

Service attachment

When you create a Cloud SQL instance and configure the instance to use Private Service Connect, Cloud SQL creates a service attachment for the instance automatically. A service attachment is an attachment point that VPC networks use to access the instance.

You create a Private Service Connect endpoint that the VPC network uses to connect to the service attachment. This enables the network to access the instance.

Each Cloud SQL instance has one service attachment to which the Private Service Connect endpoint can connect through the VPC network. If there are multiple networks, then each network has its own endpoint.

Private Service Connect endpoint

A Private Service Connect endpoint is a forwarding rule that's associated with an internal IP address. As part of creating the endpoint, you specify the service attachment that's associated with the Cloud SQL instance. The network can then access the instance through the endpoint.

In addition to specifying the service attachment, you provide an IP address in the VPC network and a service attachment URI. To obtain this URI, use the Cloud SQL Admin API. The network can access the Cloud SQL instance from the IP address that's associated with the endpoint.

DNS names and records

For instances with Private Service Connect enabled, we recommend that you use the DNS name because different networks can connect to the same instance and Private Service Connect endpoints in each network might have different IP addresses. Additionally, the Cloud SQL Auth Proxy requires DNS names to connect to these instances.

Cloud SQL doesn't create DNS records automatically. Instead, a suggested DNS name is provided from the instance lookup API response. We recommend that you create the DNS record in a private DNS zone in the corresponding VPC network. This provides a consistent way of connecting from different networks.

Allowed Private Service Connect projects

Allowed projects are associated with VPC networks and are specific to each Cloud SQL instance. If an instance isn't contained in any allowed projects, then you can't enable Private Service Connect for the instance.

For these projects, you can create Private Service Connect endpoints for each instance. If a project isn't allowed explicitly, then you can still create an endpoint for the instances in the project, but the endpoint remains in a PENDING state.
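The three consumer-side steps above (reading the service attachment URI and suggested DNS name from the Admin API, creating the endpoint, and creating the private DNS record) fit together as one small planning script. The following is an added example and not code from the Cloud SQL documentation or from Google: it parses a constructed sample of an `instances.get` response (the field names `pscServiceAttachmentLink`, `dnsName` and `settings.ipConfiguration.pscConfig` are the real Admin API fields; the values are made up), refuses to proceed when the consumer project is not on the instance's allowed list (so you are not left with an endpoint stuck in PENDING), and emits the `gcloud` commands that reserve the address, create the forwarding rule against the service attachment, and publish the A record in a private zone. The private zone's DNS name is derived on the assumption that the suggested name has the shape `<instance-id>.<project-id>.<region>.sql.goog.`; the network, subnet, address and zone names are placeholders you would replace.

```python
"""Plan the consumer-side Private Service Connect setup for a Cloud SQL instance.

Added example, not code from the Cloud SQL documentation. It reads the fields
the Cloud SQL Admin API returns for an instance, checks that the consumer
project is on the instance's allowed list (otherwise the endpoint would sit in
PENDING), and returns the gcloud commands for the endpoint and the DNS record.
"""
import json

# Constructed sample of an instances.get response; only the fields used here.
SAMPLE_INSTANCE_JSON = json.dumps({
    "name": "prod-db",
    "region": "us-central1",
    "pscServiceAttachmentLink": (
        "projects/p-1234/regions/us-central1/serviceAttachments/a-abcd1234-psc-sa"
    ),
    "dnsName": "abcd1234.1a2b3c4d.us-central1.sql.goog.",
    "settings": {
        "ipConfiguration": {
            "pscConfig": {
                "pscEnabled": True,
                "allowedConsumerProjects": ["consumer-proj-a", "consumer-proj-b"],
            }
        }
    },
})


def sample_instance() -> dict:
    """Parse the constructed sample response into a dict."""
    return json.loads(SAMPLE_INSTANCE_JSON)


def psc_config(instance: dict) -> dict:
    """Return settings.ipConfiguration.pscConfig, or {} if absent."""
    return instance.get("settings", {}).get("ipConfiguration", {}).get("pscConfig", {})


def check_consumer_allowed(instance: dict, consumer_project: str) -> None:
    """Raise unless PSC is enabled and consumer_project is explicitly allowed."""
    cfg = psc_config(instance)
    if not cfg.get("pscEnabled"):
        raise ValueError(f"Private Service Connect is not enabled on {instance['name']}")
    allowed = cfg.get("allowedConsumerProjects", [])
    if consumer_project not in allowed:
        raise ValueError(
            f"project {consumer_project!r} is not in allowedConsumerProjects {allowed}; "
            "an endpoint created from it would remain PENDING"
        )


def plan_endpoint(instance: dict, *, consumer_project: str, network: str,
                  subnet: str, ip_address: str, endpoint_name: str) -> list[str]:
    """Return the gcloud commands that reserve an internal IP and create the endpoint.

    The endpoint is a forwarding rule whose target is the instance's service
    attachment URI (pscServiceAttachmentLink).
    """
    check_consumer_allowed(instance, consumer_project)
    region = instance["region"]
    attachment = instance["pscServiceAttachmentLink"]
    return [
        f"gcloud compute addresses create {endpoint_name}-ip --project={consumer_project} "
        f"--region={region} --subnet={subnet} --addresses={ip_address}",
        f"gcloud compute forwarding-rules create {endpoint_name} --project={consumer_project} "
        f"--region={region} --network={network} --address={endpoint_name}-ip "
        f"--target-service-attachment={attachment}",
    ]


def plan_dns(instance: dict, *, consumer_project: str, network: str,
             zone_name: str, ip_address: str) -> list[str]:
    """Return the gcloud commands that create a private zone and the A record.

    Assumption: dnsName has the form "<instance-id>.<project-id>.<region>.sql.goog.",
    so dropping the first two labels yields the zone suffix for that region.
    """
    dns_name = instance["dnsName"]
    zone_dns = ".".join(dns_name.split(".")[2:])  # e.g. "us-central1.sql.goog."
    return [
        f"gcloud dns managed-zones create {zone_name} --project={consumer_project} "
        f"--dns-name={zone_dns} --visibility=private --networks={network} "
        f"--description='Private Service Connect records for Cloud SQL'",
        f"gcloud dns record-sets create {dns_name} --project={consumer_project} "
        f"--zone={zone_name} --type=A --ttl=60 --rrdatas={ip_address}",
    ]


if __name__ == "__main__":
    inst = sample_instance()
    common = dict(consumer_project="consumer-proj-a", network="vpc-a", ip_address="10.10.0.5")
    for cmd in plan_endpoint(inst, subnet="subnet-a", endpoint_name="psc-prod-db", **common):
        print(cmd)
    for cmd in plan_dns(inst, zone_name="cloudsql-psc", **common):
        print(cmd)
```

Run it once per consumer VPC network: each network gets its own endpoint and therefore its own address, and the DNS record in that network's private zone points at that network's address, which is why the page recommends connecting by DNS name rather than by IP.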

What's next