About propagated connections
This page provides an overview of Private Service Connect propagated connections.
With propagated connections, services that are accessible in one consumer VPC spoke through Private Service Connect endpoints can be privately accessed by other consumer VPC spokes that are connected to the same Network Connectivity Center hub. Propagated connections let consumer VPC spokes access managed services in producer VPC networks as if the two VPC networks were directly connected through endpoints.
Propagated connections provide the following benefits:
- You can use a common services VPC network to simplify the deployment of Private Service Connect endpoints.
- You can manage which services are accessible to individual VPC spokes through the NCC hub.
For an overview of propagated connections from the NCC perspective, see Private Service Connect propagated connections through Network Connectivity Center.
For example, in figure 1, the VPC spoke Common services VPC contains two endpoints. Two other VPC spokes are attached to the same NCC hub as Common services VPC. Because propagated connections are enabled for the hub, there are two propagated connections in Consumer VPC 2 and two propagated connections in Consumer VPC 3. These propagated connections let workloads in Consumer VPC 2 and Consumer VPC 3 access managed services in Producer VPC 1 as if they were directly connected through the endpoints.
No propagated connections are created for Endpoint 3 because the IP range of that endpoint's subnet is excluded from export and not advertised to other VPC spokes.
Configuring propagated connections
Propagated connections are managed by NCC. You can't directly manage propagated connections by using Private Service Connect.
Triggering connection propagation
Propagated connections are automatically established when the following actions occur:
- When a hub administrator enables connection propagation for a hub, NCC creates propagated connections for existing endpoints in the VPC spokes that are connected to the hub.
- When a hub administrator adds a VPC spoke to a hub that has connection propagation enabled, NCC creates propagated connections in the new spoke for existing endpoints in other VPC spokes that are connected to the same NCC hub. If the new spoke has existing endpoints, propagated connections are created for those endpoints in each connected spoke.
- When a consumer service administrator creates an endpoint in a VPC spoke that is attached to an NCC hub with connection propagation enabled, NCC creates propagated connections for that endpoint in other connected VPC spokes.
- When a producer service administrator increases a service attachment's propagated connection limit, NCC creates propagated connections that were previously blocked by this limit, as long as the new connections don't exceed the new limit.
Connections are propagated asynchronously and might not be immediately available.
Excluding subnets
When you create a VPC spoke, you can exclude the IP address ranges of subnets from being exported to the NCC hub. If you exclude a subnet from export, workloads in that subnet can't access propagated connections, and propagated connections aren't created for endpoints in that subnet. For example, in figure 1, workloads in Consumer VPC 2 and Consumer VPC 3 can't access the service in Producer VPC 2, and workloads in Subnet 5 can't access the services in Producer VPC 1.
Terminating propagated connections
The following actions indirectly control the deletion of propagated connections:
- Deleting the associated endpoint.
- Deleting a spoke that contains a Private Service Connect endpoint.
- Disabling connection propagation on an NCC hub.
When any of the previous actions happen, propagated connections are terminated. This process is asynchronous and might not happen immediately.
Specifications
The following Private Service Connect endpoint types can be made available through connection propagation:
- Endpoints that access a published service.
- Endpoints that access a regional Google API.
Endpoints that access global Google APIs can't be made available through connection propagation.
Connections are propagated only if the Private Service Connect endpoint has the Accepted connection status.
By default, propagated connections are accessible by workloads in the same region and VPC network as the propagated connection.
You can configure global access on an endpoint to make propagated connections for that endpoint available to workloads in any region of the propagated connection's VPC spoke.
Quotas and limits
The following quotas and limits apply to Private Service Connect connection propagation:
- Consumer quota: the PSC propagated connections per VPC network quota limits the number of propagated connections that can be made available in a consumer VPC network.
- Producer quota: the PSC ILB consumer forwarding rules per producer VPC network quota limits the number of endpoints and propagated connections that can connect to a producer VPC network.
- Producer connection limit: each published service (service attachment) has a propagated connection limit, which limits how many propagated connections can be established to the service from a single consumer. For more information about this producer configuration, see Propagated connections.
If you can't access a propagated connection, one of these quotas or the connection limit might be affecting your access. For more information, see Troubleshooting.
Limitations
Propagated connections have the following limitations:
- Propagated connections don't support endpoints that use IPv6 addresses.
- Propagated connections don't support endpoints that access global Google APIs.
- Propagated connections aren't created for Hybrid spokes.
- Propagated connections aren't created for Producer VPC spokes.
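The eligibility rules from the Excluding subnets, Specifications, and Limitations sections can be modelled to review which spokes gain a path to which endpoints before propagation is enabled on a hub. The following Python sketch is an added example, not Google Cloud code or an API client; all class and function names are hypothetical, only VPC spokes are modelled, quotas and the producer connection limit are ignored, and the figure 1 data is constructed (subnet names and the spokes holding Endpoint 3 and Subnet 5 are assumed).

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    name: str
    subnet: str
    target: str = "published-service"  # or "regional-google-api", "global-google-api"
    status: str = "Accepted"
    ipv6: bool = False

@dataclass
class Spoke:
    name: str
    excluded_subnets: set = field(default_factory=set)  # subnets excluded from export
    endpoints: list = field(default_factory=list)

def blocked_reason(spoke, ep):
    """Why an endpoint is not propagated, or None if it is eligible."""
    checks = [
        (ep.target == "global-google-api", "global Google APIs endpoint"),
        (ep.ipv6, "IPv6 endpoint"),
        (ep.status != "Accepted", "connection status is not Accepted"),
        (ep.subnet in spoke.excluded_subnets, "subnet excluded from export"),
    ]
    return next((why for failed, why in checks if failed), None)

def propagate(spokes, enabled=True):
    """Return (created, skipped); created maps receiving spoke -> endpoint names."""
    created, skipped = {s.name: [] for s in spokes}, {}
    for src in (spokes if enabled else []):
        for ep in src.endpoints:
            why = blocked_reason(src, ep)
            if why:
                skipped[ep.name] = why
                continue
            for dst in (s for s in spokes if s is not src):
                created[dst.name].append(ep.name)
    return created, skipped

def reachable(spokes, spoke_name, subnet, ep_name):
    # Workloads in a subnet excluded from export can't use propagated connections.
    spoke = next(s for s in spokes if s.name == spoke_name)
    return ep_name in propagate(spokes)[0][spoke_name] and subnet not in spoke.excluded_subnets

# Constructed data modelled on figure 1 (subnet names and placement are assumed).
FIGURE_1 = [
    Spoke("Common services VPC", {"Subnet 3"}, [Endpoint("Endpoint 1", "Subnet 1"),
        Endpoint("Endpoint 2", "Subnet 1"), Endpoint("Endpoint 3", "Subnet 3")]),
    Spoke("Consumer VPC 2"), Spoke("Consumer VPC 3", {"Subnet 5"}),
]
```

Running `propagate(FIGURE_1)` lists Endpoint 1 and Endpoint 2 for both consumer spokes and reports Endpoint 3 as skipped, which matches the figure 1 description.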
Troubleshooting
If you are a service consumer who can't access a propagated endpoint, ask the NCC hub administrator to help troubleshoot. The hub administrator has the access required to troubleshoot Private Service Connect connection propagation errors.
What's next
- Work with hubs and spokes.
- About accessing published services through endpoints.
- Access published services through endpoints.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.