Access published services through published service backends and endpoints

You can configure supported load balancers or regional Cloud Service Mesh to route traffic to published services through Private Service Connect endpoints. To do this, you associate a regional backend service with a service attachment. This configuration is known as a published service backend.

This page describes how to configure published service backends for load balancers. For information about configuring published service backends for regional Cloud Service Mesh, see Configure published service backends for Cloud Service Mesh.

Published service backends are only supported if both the producer and consumer VPC networks belong to the same organization.

Before you begin

  • Read about published service backends.
  • Make sure that the producer VPC network that hosts the service belongs to the same organization as the consumer network where you want to configure published service backends.
  • Identify the service attachment of the service that you want to access.
  • Identify or create a Private Service Connect endpoint that connects to the service you want to access. This endpoint must be in the same region as your consumer load balancer.
  • Identify or create a consumer load balancer that supports published service backends:
    • The load balancer's forwarding rule and backend service must be in the same region as the service attachment and the Private Service Connect endpoint that connects to the service.
    • If you create a new load balancer, don't add any backends to the load balancer's backend service. You will add them when you configure a published service backend.
  • Enable the Compute Engine API in your project.

Required roles

To get the permissions that you need to configure load balancing for Private Service Connect endpoints, ask your administrator to grant you the Compute Load Balancer Admin (roles/compute.loadBalancerAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Add a published service backend to a consumer load balancer

To create a published service backend, you associate a load balancer's regional backend service with a service attachment. You don't explicitly associate the load balancer with an endpoint. Instead, when a client sends a request to the load balancer, the load balancer routes traffic through an ACCEPTED Private Service Connect endpoint that connects to the service attachment.

gcloud

Use the gcloud beta compute backend-services add-backend command.

gcloud beta compute backend-services add-backend BACKEND_SERVICE \
    --region=REGION \
    --service=//compute.googleapis.com/projects/PROJECT_ID/locations/REGION/serviceAttachments/SERVICE_ATTACHMENT

Replace the following:

  • BACKEND_SERVICE: the name of the backend service
  • REGION: the region of the backend service, which must match the region of the service attachment
  • PROJECT_ID: the project ID of the service attachment's project
  • SERVICE_ATTACHMENT: the name of the service attachment to associate with the backend service

API

  1. You need to include the backend service's fingerprint when you update the backend service. To find the fingerprint, send a request to the regionBackendServices.get method.

    HTTP method and URL:

    GET https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/backendServices/BACKEND_SERVICE
    

    Replace the following:

    • PROJECT_ID: the ID of your project
    • REGION: the region of the backend service, which must match the region of the service attachment
    • BACKEND_SERVICE: the name of the backend service

    Note the fingerprint value in the response, which you need for the next step.

  2. Send a request to the regionBackendServices.patch method.

    The following request replaces any existing backends.

    HTTP method and URL:

    PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/backendServices/BACKEND_SERVICE
    

    Request JSON body:

    {
      "backends": [
        {
          "group": "https://www.googleapis.com/compute/beta/projects/PROJECT_ID/locations/REGION/serviceAttachments/SERVICE_ATTACHMENT"
        }
      ],
      "fingerprint": "FINGERPRINT"
    }
    

    Replace the following:

    • SERVICE_ATTACHMENT: the name of the service attachment to associate with the backend service
    • FINGERPRINT: the fingerprint value that you noted in the previous step
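The two API steps above can be checked before the PATCH is sent. The following is an added example, not part of the original page or Google's tooling: it takes the parsed regionBackendServices.get response and a service attachment URL, enforces the same-region requirement, refuses to silently drop existing backends (the PATCH replaces them), and carries the fingerprint into the request body. The function name build_patch, the replace_existing flag, and all sample project and resource names are assumptions, as is passing the consumer project separately from the service attachment's project.

```python
import json
import re

API = "https://compute.googleapis.com/compute/beta"
# Service attachment URL in the form used in the request body on this page.
GROUP_RE = re.compile(
    r"/projects/(?P<project>[^/]+)/locations/(?P<region>[^/]+)"
    r"/serviceAttachments/(?P<name>[^/]+)$"
)


def build_patch(consumer_project, backend_service, attachment_url,
                replace_existing=False):
    """Return (url, body) for regionBackendServices.patch (hypothetical helper)."""
    m = GROUP_RE.search(attachment_url)
    if m is None:
        raise ValueError("not a service attachment URL: " + attachment_url)
    # The GET response reports the region as a URL; keep the last segment.
    region = backend_service["region"].rsplit("/", 1)[-1]
    if m["region"] != region:
        raise ValueError(f"region mismatch: backend service in {region}, "
                         f"service attachment in {m['region']}")
    fingerprint = backend_service.get("fingerprint")
    if not fingerprint:
        raise ValueError("GET response has no fingerprint")
    # The PATCH replaces the whole backends list, so refuse to drop
    # backends silently unless the caller opts in.
    current = [b.get("group") for b in backend_service.get("backends", [])]
    dropped = [g for g in current if g != attachment_url]
    if dropped and not replace_existing:
        raise ValueError("PATCH would remove backends: " + ", ".join(dropped))
    url = (f"{API}/projects/{consumer_project}/regions/{region}"
           f"/backendServices/{backend_service['name']}")
    body = {"backends": [{"group": attachment_url}], "fingerprint": fingerprint}
    return url, body


# Constructed sample data, not output from a real project.
SAMPLE_GET = {
    "name": "consumer-bs",
    "region": "https://www.googleapis.com/compute/beta/projects/consumer-proj/regions/us-central1",
    "fingerprint": "c2FtcGxlLWZw",
    "backends": [],
}
SAMPLE_ATTACHMENT = ("https://www.googleapis.com/compute/beta/projects/"
                     "producer-proj/locations/us-central1/serviceAttachments/db-sa")

if __name__ == "__main__":
    url, body = build_patch("consumer-proj", SAMPLE_GET, SAMPLE_ATTACHMENT)
    print("PATCH", url, json.dumps(body, indent=2), sep="\n")
```

Fetch the backend service again immediately before each PATCH so the fingerprint in the body is the current one.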