Create and manage network attachments

This page describes how consumer network administrators can create and managePrivate Service Connect network attachments. Network attachments let service producer VPC networks initiate connections to consumer VPC networks.

Before you begin

  • You mustenabletheCompute Engine API in your project.
  • If you want to manually specify which projectscan connect to a network attachment, you need to know the IDs of the projects.

Roles

To get the permissions that you need to create, view, and delete network attachments, ask your administrator to grant you theCompute Network Admin (roles/compute.networkAdmin) IAM role on your project. For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

Create a subnet

When you create a network attachment, you assign it a singleregular subnet. This subnet must bein the same region as the network attachment. One subnet can be sharedacross multiple network attachments. Subnets with the dual-stack or IPv6-onlystack type must use internal IPv6 address ranges.

For more information about creating subnets, seeCreate and manage VPC networks.

Create network attachments

Network attachments are regional resources that represent the consumer side ofaPrivate Service Connect interfaceconnection. A network attachment must be in the same region as the associatedPrivate Service Connect interface's VM.

The network attachment'sauthorization policydetermines whether a network attachment can accept a connection from aPrivate Service Connect interface.

You can update the subnet, accept list, reject list, and description of anetwork attachment.

Create a network attachment that manually accepts connections

You can create a network attachment that manually accepts connections. Beforeyou create an attachment of this type, make sure that you know the IDs of theprojects that you want to accept.

Console

  1. In the Google Cloud console, go to thePrivate Service Connect page:

    Go to Private Service Connect

  2. ClickNetwork attachments.

  3. ClickCreate network attachment.

  4. Enter aName.

  5. Select aNetwork.

  6. Select aRegion.

  7. Select aSubnetwork.

  8. ClickAccept connections for selected projects.

  9. ClickAdd accepted project, and then enter the ID of each projectthat you want to accept connections from.

  10. Optional: ClickAdd rejected project, and then enter the ID of eachproject that you want to explicitly deny connections from.

  11. ClickCreate network attachment.

gcloud

Use thenetwork-attachments create command.

gcloud compute network-attachments createATTACHMENT_NAME \    --region=REGION \    --connection-preference=ACCEPT_MANUAL \    --producer-accept-list=ACCEPTED_PROJECTS \    --producer-reject-list=REJECTED_PROJECTS \    --subnets=SUBNET_NAME

Replace the following:

  • ATTACHMENT_NAME: the name of the networkattachment.
  • REGION: the region of the network attachment.
  • ACCEPTED_PROJECTS: IDs of the projects thatcan connect to this network attachment. You can include multiple values ina comma-separated list.
  • REJECTED_PROJECTS: IDs of the projects thatcannot connect to this network attachment. You can include multiple valuesin a comma-separated list.
  • SUBNET_NAME: the name of the subnet to associatewith this network attachment.

API

Make aPOST request to thenetworkAttachments.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments{  "connectionPreference": "ACCEPT_MANUAL",  "name": "ATTACHMENT_NAME",  "producerAcceptLists": [    "ACCEPTED_PROJECT_LIST"  ],  "producerRejectLists": [    "REJECTED_PROJECT_LIST"  ],  "subnetworks": [    "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME"  ]}

Replace the following:

  • PROJECT_ID: the ID of the project to create thenetwork attachment in.
  • REGION: the region of the network attachment
  • ATTACHMENT_NAME: the name of the networkattachment
  • ACCEPTED_PROJECT_LIST: IDs of the projects thatcan connect to this network attachment. You can include multiple IDs inthe following form:"id-one", "id-two".
  • REJECTED_PROJECT_LIST: IDs of the projects thatcannot connect to this network attachment. You can include multiple IDs inthe following form:"id-one", "id-two".
  • SUBNET_NAME: the name of the subnet to associatewith the network attachment.

Create a network attachment that automatically accepts connections

You can create a network attachment that automatically accepts connections fromany Private Service Connect interface that refers to the networkattachment.

Console

  1. In the Google Cloud console, go to thePrivate Service Connect page:

    Go to Private Service Connect

  2. ClickNetwork attachments.

  3. ClickCreate network attachment.

  4. Enter aName.

  5. Select aNetwork.

  6. Select aRegion.

  7. Select aSubnetwork.

  8. ClickAutomatically accept connections for all projects.

  9. ClickCreate network attachment.

gcloud

Use thenetwork-attachments create command.

gcloud compute network-attachments createATTACHMENT_NAME \    --region=REGION \    --connection-preference=ACCEPT_AUTOMATIC \    --subnets=SUBNET_NAME

Replace the following:

  • ATTACHMENT_NAME: the name of the networkattachment.
  • REGION: the region of the network attachment.
  • SUBNET_NAME: the name of the subnet to associatewith this network attachment.

API

Make aPOST request to thenetworkAttachments.insert method.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments{  "connectionPreference": "ACCEPT_AUTOMATIC",  "name": "ATTACHMENT_NAME",  "subnetworks": [    "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME"  ]}

Replace the following:

  • PROJECT_ID: the ID of the project to create thenetwork attachment in.
  • REGION: the region of the network attachment
  • ATTACHMENT_NAME: the name of the networkattachment
  • SUBNET_NAME: the name of the subnet to associatewith the network attachment.

List network attachments

Console

  1. In the Google Cloud console, go to thePrivate Service Connect page:

    Go to Private Service Connect

  2. ClickNetwork attachments.

gcloud

  • To list all network attachments in a project, use thenetwork-attachments list command.

    gcloud compute network-attachments list

  • To list network attachments in a given region or regions, use thenetwork-attachments list command, and specify the regions.

    gcloud compute network-attachments list   --regions=REGIONS

    ReplaceREGIONS with the region or regions to listnetwork attachments in. You can include multiple regions in acomma-separated list.

API

To list network attachments in a given region, make aGET request to thenetworkAttachments.list method.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments

Replace the following:

  • PROJECT_ID: the ID of the project.
  • REGION: the region of the network attachment.

Describe network attachments

You can describe a network attachment to view its details, including theassociated Private Service Connect interface connections. Foreach connection, you can see the Private Service Connectinterface's assigned IP address.

Console

  1. In the Google Cloud console, go to thePrivate Service Connect page:

    Go to Private Service Connect

  2. ClickNetwork attachments.

  3. Select a network attachment to view its details and a list of connectedprojects.

  4. To view individual Private Service Connect interfaceconnections for a project, click the name of the project.

    The connection status of a project does not necessarily determine thestatus of Private Service Connect interface connectionsfrom that project. For example, if you adda project to the reject list after you've accepted a connection from thatproject, the project status is rejected, but the existing connectionremains open. New connections from that project are rejected.

gcloud

Use thenetwork-attachments describe command.

gcloud compute network-attachments describeATTACHMENT_NAME \    --region=REGION

Replace the following:

  • ATTACHMENT_NAME: the name of the networkattachment to describe.
  • REGION: the region of the network attachment

Connected Private Service Connect interfaces are displayedin the following format:

connectionEndpoints:-ipAddress:10.6.0.59projectIdOrNum:'123456789'status:ACCEPTEDsubnetwork:https://www.googleapis.com/compute/v1/projects/consumer-project-id/regions/us-central1/subnetworks/consumer-subnet-ipAddress:10.6.0.11projectIdOrNum:'987654321'status:ACCEPTEDsubnetwork:https://www.googleapis.com/compute/v1/projects/consumer-project-id/regions/us-central1/subnetworks/consumer-subnet```

API

To describe a network attachment and view its details, make aGETrequest to thenetworkAttachments.get method.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments/ATTACHMENT_NAME

Replace the following:

  • PROJECT_ID: the ID of the project.
  • REGION: the region of the network attachment.
  • ATTACHMENT_NAME: the name of the networkattachment.

Connected Private Service Connect interfaces are displayedin the following format:

"connectionEndpoints":[{"status":"ACCEPTED","projectIdOrNum":"123456789","subnetwork":"https://www.googleapis.com/compute/v1/projects/consumer-project-id/regions/us-central1/subnetworks/consumer-subnet-1","ipAddress":"10.6.0.11"},{"status":"ACCEPTED","projectIdOrNum":"987654321","subnetwork":"https://www.googleapis.com/compute/v1/projects/consumer-project-id/regions/us-central1/subnetworks/consumer-subnet-2","ipAddress":"10.6.0.59"}]

Update network attachments

You can update a network attachment by replacing its subnet, description,or—for network attachments that were created to manually acceptconnections—the accept or reject lists. If you need to update otherfields, delete the network attachment, and then create a new one.

If you replace a network attachment's subnet, existing connections are notaffected. Connections that are created after the update use IP addresses fromthe new subnet.

If you replace a network attachment's accept or reject list, existingconnections are not affected. Connections that are created after the updateare accepted or rejected according to the updated lists.

Console

  1. In the Google Cloud console, go to thePrivate Service Connect page:

    Go to Private Service Connect

  2. ClickNetwork attachments.

  3. Click the network attachment that you want to update, and then clickEdit.

  4. To replace the network attachment's subnetwork, clickSubnetwork,and then select the new subnetwork.

  5. To update the accept list, do the following:

    1. To add a project to the accept list, clickAdd accepted project,and then enter the project ID or project number of the project toaccept.
    2. To remove a project from the accept list, hold the pointer over theproject, and then clickDelete accepted project.

  6. To update the reject list, do the following:

    1. To add a project to the reject list, clickAdd rejected project, andthen enter the project ID or project number of the project to reject.
    2. To remove a project from the reject list, hold the pointer over theproject, and then clickDelete rejected project.

  7. ClickUpdate network attachment.

gcloud

Use thenetwork-attachments update command.You can update one or moreof the fields listed here, except for region, which is used to identify thenetwork attachment. If you update a networkattachment's accept or reject lists, you must replace the entire list inone update.

gcloud compute network-attachments updateATTACHMENT_NAME \    --region=REGION \    --subnets=SUBNET \    --producer-accept-list=ACCEPTED_PROJECTS \    --producer-reject-list=REJECTED_PROJECTS \    --description=DESCRIPTION

Replace the following:

  • ATTACHMENT_NAME: the name of the networkattachment.
  • REGION: the region of the network attachment. Thisflag is used to identify the network attachment. You can't update theregion of a network attachment.
  • SUBNET: the name of the subnet to associatewith this network attachment.
  • ACCEPTED_PROJECTS: IDs of the projects thatcan connect to this network attachment. You can include multiple values ina comma-separated list. The list that you specify here replaces theexisting accept list.
  • REJECTED_PROJECTS: IDs of the projects thatcannot connect to this network attachment. You can include multiple valuesin a comma-separated list. The list that you specify here replaces theexisting reject list.
  • DESCRIPTION: a description of the networkattachment.

API

  1. Send an API request todescribe the network attachment thatyou want to update.
  2. Note the value for thefingerprint field of the network attachment.

  3. Make aPATCH request to thenetworkAttachments.patch method. Omit any fields from the request body that you don't want toreplace, except forfingerprint.

    PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments/ATTACHMENT_NAME{  "fingerprint": "FINGERPRINT",  "producerAcceptLists": [    "ACCEPTED_PROJECT_LIST"  ],  "producerRejectLists": [    "REJECTED_PROJECT_LIST"  ],  "subnetworks": [    "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME"  ],  "description": "DESCRIPTION"}

    Replace the following:

    • PROJECT_ID: the ID of the project.
    • REGION: the region of the network attachment.
    • ATTACHMENT_NAME: the name of the networkattachment.
    • FINGERPRINT: the value for the fingerprintfield that you found in step 2.
    • ACCEPTED_PROJECT_LIST: IDs of the projectsthat can connect to this network attachment. You can include multipleIDs in the following form:"id-one", "id-two". Updates to this listreplace any previous accepted projects list.
    • REJECTED_PROJECT_LIST: IDs of the projectsthat cannot connect to this network attachment. You can includemultiple IDs in the following form:"id-one", "id-two". Updates tothis list replace any previous rejected projects list.
    • SUBNET_NAME: the name of the new subnet toassociate with the network attachment.
    • DESCRIPTION: an updated description for thenetwork attachment.

Delete network attachments

You can delete a network attachment if it does not have any connections. If youwant to delete a network attachment that has connections, the producer mustfirst delete the associated Private Service Connect interface.

If you delete a network attachment and then create a new one with the same name,Google Cloud treats the network attachments as two separate resources.

Console

  1. In the Google Cloud console, go to thePrivate Service Connect page:

    Go to Private Service Connect

  2. ClickNetwork attachments.

  3. Select a network attachment, and then clickDelete.

  4. ClickDelete again to confirm.

gcloud

Use thenetwork-attachments delete command.

gcloud compute network-attachments deleteATTACHMENT_NAME \    --region=REGION

Replace the following:

  • ATTACHMENT_NAME: the name of the networkattachment to describe.
  • REGION: the region of the network attachment

API

Make aDELETE request to thenetworkAttachments.delete method.

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/networkAttachments/ATTACHMENT_NAME

Replace the following:

  • PROJECT_ID: the ID of the project.
  • REGION: the region of the network attachment.
  • ATTACHMENT_NAME: the name of the networkattachment.

What's next?

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.