Private Service Connect overview
This page describes concepts associated with Private Service Connect. You can use Private Service Connect for the following purposes:
- Connect to a Cloud SQL instance from multiple VPC networks that belong to different groups, teams, projects, or organizations
- Connect to either a primary instance or any of its read replicas
Private Service Connect endpoint
You can use Private Service Connect endpoints to access Cloud SQL instances privately from your consumer VPC networks. These endpoints are internal IP addresses that are associated with a forwarding rule that references a service attachment of a Cloud SQL instance.
You can either have Cloud SQL create the endpoint for you automatically or you can create the endpoint manually.
To have Cloud SQL create the endpoint automatically, do the following:
- Create a service connection policy in your VPC networks.
- Create a Cloud SQL instance with Private Service Connect enabled for the instance and configure the instance to create an endpoint automatically. While creating the instance, specify auto-connection parameters such as VPC networks and projects.
Cloud SQL locates the service connection policy in these networks and creates a Private Service Connect endpoint that points to the service attachment of the instance.
After you create the instance and Cloud SQL creates the endpoint, the clients in the corresponding VPC networks can connect to the instance from the endpoint, either through an IP address or a DNS record.
To create the endpoint manually, do the following:
- Create a Cloud SQL instance with Private Service Connect enabled for the instance.
- Get the service attachment URI that you need to create the endpoint manually.
- Reserve an internal IP address in your VPC network for the endpoint and create an endpoint with that address.
After you create the instance and the endpoint, the clients in the corresponding VPC networks can connect to the instance from the endpoint, either through an IP address or a DNS record.
Note: To create a Private Service Connect endpoint, you need the compute.networkAdmin role. This role grants full control over the VPC network that initiates a connection to a Cloud SQL instance.
You must create this endpoint in each VPC network where database access is needed. To access the endpoint from any region in that network, you must configure global access for the endpoint.
Service connection policy
A service connection policy lets you authorize a specified service class to create a Private Service Connect connection between VPC networks. As a result, you can provision Private Service Connect endpoints automatically.
You can create a maximum of one policy for each service class, region, and VPC network combination. A policy dictates service connectivity automation for that specific combination. When you configure a policy, you select a subnet. The subnet is used to allocate IP addresses for the endpoints that you create through the policy. If multiple service connection policies share the same region, then you can reuse the same subnet for all of the policies.
For example, if you want to use service connectivity automation with two services in three different regions, then create six policies. You can use a minimum of three subnets: one for each region.
After you create a service connection policy, you can only update the policy's subnets and connection limit. If you need to update other fields, then do the following:
- Remove all connections that use the policy.
- Delete the policy.
- Create a new policy.
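The following script is an added example (not from the Cloud SQL documentation) that creates the policy matrix described above: one policy per service class, region and VPC network, reusing a single subnet per region. The project, network, region and subnet names, the second service class and the `psc-<region>` subnet naming convention are assumptions; `google-cloud-sql` is the Cloud SQL service class.

```shell
#!/bin/sh
# Added example, not from the Cloud SQL docs: one service connection policy per
# (service class, region, VPC network) combination, reusing one subnet per region,
# as in the "two services in three regions" case above. Dry-runs by default
# (prints the gcloud commands); set DRY_RUN=0 to execute them.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

PROJECT="${PROJECT:-consumer-project}"
NETWORK="${NETWORK:-consumer-vpc}"
# google-cloud-sql is the Cloud SQL service class; OTHER_SERVICE_CLASS is a
# placeholder for the second service you automate (constructed value).
SERVICE_CLASSES="${SERVICE_CLASSES:-google-cloud-sql OTHER_SERVICE_CLASS}"
REGIONS="${REGIONS:-us-central1 us-east1 europe-west1}"
CONNECTION_LIMIT="${CONNECTION_LIMIT:-10}"

# Assumed naming convention: one subnet per region reserved for PSC endpoint IPs.
subnet_for_region() {
  printf 'projects/%s/regions/%s/subnetworks/psc-%s\n' "$PROJECT" "$1" "$1"
}

# Create the policy for one (service class, region) pair. Only --subnets and
# --psc-connection-limit can be changed afterwards without recreating the policy.
create_policy() {
  pol_svc="$1"; pol_region="$2"
  run gcloud network-connectivity service-connection-policies create \
    "${pol_svc}-${pol_region}" --project="$PROJECT" --network="$NETWORK" \
    --region="$pol_region" --service-class="$pol_svc" \
    --subnets="$(subnet_for_region "$pol_region")" \
    --psc-connection-limit="$CONNECTION_LIMIT"
}

# Walk the full services x regions matrix; the last line printed is the count.
create_all_policies() {
  count=0
  for svc in $SERVICE_CLASSES; do
    for region in $REGIONS; do
      create_policy "$svc" "$region"
      count=$((count + 1))
    done
  done
  echo "$count"
}

create_all_policies
```

With the defaults the dry run prints six `create` commands, and each regional subnet appears in exactly two of them.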
Service attachment
When you create a Cloud SQL instance and configure the instance to use Private Service Connect, Cloud SQL creates a service attachment for the instance automatically. A service attachment is an attachment point that VPC networks use to access the instance.
You create a Private Service Connect endpoint that the VPC network uses to connect to the service attachment. This enables the network to access the instance.
Each Cloud SQL instance has one service attachment to which the Private Service Connect endpoint can connect through the VPC network. If there are multiple networks, then each network has its own endpoint.
DNS names and records
For instances with Private Service Connect enabled, we recommend that you use the DNS name, because different networks can connect to the same instance and Private Service Connect endpoints in each network might have different IP addresses. Additionally, the Cloud SQL Auth Proxy requires DNS names to connect to these instances.
Cloud SQL doesn't create DNS records automatically. Instead, a suggested DNS name is provided in the instance lookup API response. We recommend that you create the DNS record in a private DNS zone in the corresponding VPC network. This provides a consistent way of connecting from different networks.
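The following script is an added example (not from the Cloud SQL documentation) that walks the manual endpoint procedure from the previous section and then publishes the suggested DNS name in a private zone as recommended here. The project, network, subnet, IP address, service attachment URI and DNS name are constructed sample values; the `<region>.sql.goog.` zone suffix is an assumption chosen to match the sample name.

```shell
#!/bin/sh
# Added example, not from the Cloud SQL docs. Dry-runs by default (prints the
# gcloud commands it would run); set DRY_RUN=0 to execute them in a real project.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Consumer-side inputs (constructed sample values; override via the environment).
PROJECT="${PROJECT:-consumer-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-consumer-vpc}"
SUBNET="${SUBNET:-consumer-subnet}"
ENDPOINT_IP="${ENDPOINT_IP:-10.10.0.5}"
INSTANCE="${INSTANCE:-my-instance}"
# Producer-side values come from the instance lookup (constructed samples here):
#   gcloud sql instances describe "$INSTANCE" --format='value(pscServiceAttachmentLink,dnsName)'
SERVICE_ATTACHMENT="${SERVICE_ATTACHMENT:-projects/producer-project/regions/us-central1/serviceAttachments/a-1234}"
DNS_NAME="${DNS_NAME:-1a23b4cd5e67.1a2b345c6d27.us-central1.sql.goog.}"

# 1. Reserve the internal IP address that the endpoint will use.
reserve_endpoint_ip() {
  run gcloud compute addresses create "${INSTANCE}-psc-ip" --project="$PROJECT" \
    --region="$REGION" --subnet="$SUBNET" --addresses="$ENDPOINT_IP"
}

# 2. Create the endpoint: a forwarding rule whose target is the service attachment.
#    --allow-psc-global-access lets clients in other regions of this VPC use it.
create_endpoint() {
  run gcloud compute forwarding-rules create "${INSTANCE}-psc-endpoint" --project="$PROJECT" \
    --region="$REGION" --network="$NETWORK" --address="${INSTANCE}-psc-ip" \
    --target-service-attachment="$SERVICE_ATTACHMENT" --allow-psc-global-access
}

# 3. Publish the suggested DNS name in a private zone bound to this VPC, so clients
#    (and the Cloud SQL Auth Proxy) use the name rather than a per-network IP.
#    Zone suffix "<region>.sql.goog." is an assumption that matches the sample name.
create_dns_record() {
  run gcloud dns managed-zones create "${INSTANCE}-psc-zone" --project="$PROJECT" \
    --dns-name="${REGION}.sql.goog." --visibility=private --networks="$NETWORK" \
    --description="Private zone for the Cloud SQL PSC endpoint"
  run gcloud dns record-sets create "$DNS_NAME" --project="$PROJECT" \
    --zone="${INSTANCE}-psc-zone" --type=A --ttl=60 --rrdatas="$ENDPOINT_IP"
}

reserve_endpoint_ip
create_endpoint
create_dns_record
```

Run it once per consumer VPC network; the forwarding rule's IP differs per network while the DNS name stays the same.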
Allowed Private Service Connect projects
Allowed projects are associated with VPC networks and are specific to each Cloud SQL instance. If an instance isn't contained in any allowed projects, then you can't enable Private Service Connect for the instance.
For these projects, you can create Private Service Connect endpoints for each instance. If a project isn't allowed explicitly, then you can still create an endpoint for the instances in the project, but the endpoint remains in a PENDING state.
Private Service Connect endpoint propagation
By default, Private Service Connect connections aren't transitive from peered VPC networks. You must create a Private Service Connect endpoint in each VPC network that needs to connect to your Cloud SQL instance. For example, if you have three VPC networks that have to connect to your instance, then you must create three Private Service Connect endpoints, one endpoint for each VPC network.
However, by propagating Private Service Connect endpoints through the Network Connectivity Center hub, these endpoints can be reachable by any other spoke VPC network in the same hub. The hub provides a centralized connectivity management model to interconnect spoke VPC networks to Private Service Connect endpoints.
The connection propagation feature in Network Connectivity Center benefits the following use case for Private Service Connect deployments:
You can use a common services VPC network to create multiple Private Service Connect endpoints. By adding a single common services VPC network to the Network Connectivity Center hub, all Private Service Connect endpoints in the VPC network become accessible transitively to other spoke VPC networks through the hub. This connectivity eliminates the need to manage each Private Service Connect endpoint in each VPC network individually.
To learn how to use the Network Connectivity Center hub to propagate Private Service Connect endpoints to spoke VPC networks, see the Network Connectivity Center Private Service Connect propagation codelab.
Private Service Connect backend
You can use Private Service Connect backends, as an alternative to Private Service Connect endpoints, to access Cloud SQL instances. For ease of use, we recommend connecting to your Cloud SQL instances using Private Service Connect endpoints. For additional control and visibility, you can connect using Private Service Connect backends.
To use Private Service Connect backends, you must set up the following resources for each serving port on which you want to access a given Cloud SQL instance:
- Private Service Connect Network Endpoint Group (NEG), which must reference the service attachment and a serving port of the Cloud SQL instance.
- Internal Proxy Network Load Balancer (consisting of Backend Service, Target TCP Proxy, and Forwarding Rule) with its backend being the Private Service Connect NEG.
The serving ports are:
- TCP port 5432 for direct connections to the PostgreSQL database server.
- TCP port 6432 for direct connections to the PgBouncer server when using Managed Connection Pooling.
- TCP port 3307 for connections through the Cloud SQL Auth Proxy.
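The following script is an added example (not from the Cloud SQL documentation) that builds the per-port resource chain listed above, NEG, backend service, target TCP proxy and forwarding rule, once for each serving port you choose to expose. The project, network, subnet and service attachment values are constructed; the existence of a proxy-only subnet and the choice to pin the port on the forwarding rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cloud SQL docs: the per-port resource chain for a
# Private Service Connect backend (PSC NEG -> backend service -> target TCP proxy
# -> forwarding rule). Dry-runs by default; set DRY_RUN=0 to execute.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

PROJECT="${PROJECT:-consumer-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-consumer-vpc}"
SUBNET="${SUBNET:-consumer-subnet}"   # holds the NEG and the frontend IP
INSTANCE="${INSTANCE:-my-instance}"
# From: gcloud sql instances describe "$INSTANCE" --format='value(pscServiceAttachmentLink)'
SERVICE_ATTACHMENT="${SERVICE_ATTACHMENT:-projects/producer-project/regions/us-central1/serviceAttachments/a-1234}"
# A regional internal proxy load balancer also needs a proxy-only subnet
# (purpose=REGIONAL_MANAGED_PROXY) in this region; assumed to exist already.

# Build the chain for one serving port (5432 direct, 6432 PgBouncer, 3307 Auth Proxy).
# Assumption: the port is pinned on the consumer-facing forwarding rule.
create_psc_backend() {
  port="$1"; name="${INSTANCE}-psc-${port}"
  run gcloud compute network-endpoint-groups create "${name}-neg" --project="$PROJECT" \
    --region="$REGION" --network-endpoint-type=private-service-connect \
    --psc-target-service="$SERVICE_ATTACHMENT" --network="$NETWORK" --subnet="$SUBNET"
  run gcloud compute backend-services create "${name}-bes" --project="$PROJECT" \
    --region="$REGION" --load-balancing-scheme=INTERNAL_MANAGED --protocol=TCP
  run gcloud compute backend-services add-backend "${name}-bes" --project="$PROJECT" \
    --region="$REGION" --network-endpoint-group="${name}-neg" \
    --network-endpoint-group-region="$REGION"
  run gcloud compute target-tcp-proxies create "${name}-proxy" --project="$PROJECT" \
    --region="$REGION" --backend-service="${name}-bes"
  run gcloud compute forwarding-rules create "${name}-fr" --project="$PROJECT" \
    --region="$REGION" --load-balancing-scheme=INTERNAL_MANAGED --network="$NETWORK" \
    --subnet="$SUBNET" --ports="$port" --target-tcp-proxy="${name}-proxy" \
    --target-tcp-proxy-region="$REGION"
}

# Expose only the ports you need: each extra port is another reachable listener
# for every client in the consumer VPC.
for port in ${PORTS:-5432 3307}; do
  create_psc_backend "$port"
done
```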
Private Service Connect outbound connections
You can attach a Private Service Connect interface to your existing Cloud SQL Private Service Connect-enabled instances using a network attachment to allow your Cloud SQL instance to make outbound connections to your network. To connect to your network's Private Service Connect interface, you need either a new or an existing network attachment within your Google Cloud project.
You can use outbound connectivity to migrate data from an external server within your network, use PostgreSQL extensions that require an outbound connection from your Cloud SQL instance, or do a homogeneous migration using Database Migration Service.
When using a Private Service Connect interface with a network attachment to create outbound connections to your network from your Cloud SQL instance, note the following limitations:
- Enabling or disabling Private Service Connect outbound connectivity requires downtime. You can expect this operation to take about 8 minutes to complete with an approximate downtime of 3 minutes.
- If you're using a hostname or DNS for your outbound connection, then the DNS name must be publicly resolvable and must resolve to an RFC 1918 IP range.
- IPv6 addresses aren't supported.
- Public IP addresses aren't supported.
- Private Service Connect outbound connectivity can't be enabled on a read replica instance.
- Switchover isn't supported for instances with Private Service Connect outbound connectivity enabled.
- You can't enable Private Service Connect outbound connectivity for an instance that has a DR replica.
- You can't convert the replica of an instance that has Private Service Connect outbound connectivity enabled to a DR replica.
- If the outbound connectivity IP address conflicts with the eth0 IP or the Private Service Connect forwarding rule, then the IP address might not connect correctly. For more information, see Private Service Connect overview.
- If your instance is configured for both private service access and Private Service Connect, then you can't enable Private Service Connect outbound connectivity for your instance.
For more information on how to set up outbound connectivity for your Cloud SQL instance, see Configure outbound connectivity.
What's next
- Learn more about private IP.
- Learn more about connecting to an instance using Private Service Connect.
Last updated 2025-12-15 UTC.