Configure routing for Private Service Connect interfaces

This page describes how to configure routing for both virtual and dynamic Private Service Connect interfaces.

Route traffic through a Private Service Connect interface

After you create a Private Service Connect interface, you need to route traffic through the interface by configuring the guest operating system (guest OS) on the interface's VM.

Allow SSH connectivity

Make sure that firewall rules are configured to allow ingress SSH connections to your Private Service Connect interface's VM.

Find the Google Cloud name of your Private Service Connect interface

To configure routing, you need to know the Google Cloud name of your Private Service Connect interface.

To find the Google Cloud name of a dynamic Private Service Connect interface, use the Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the VM instances page:

    Go to VM instances

  2. Click the name of the VM that has your Private Service Connect interface.

  3. In the Network interfaces section, find and note the name of your virtual Private Service Connect interface, for example, nic1.

gcloud

  1. Use the gcloud compute instances describe command.

    gcloud compute instances describe VM_NAME \
        --zone=ZONE

    Replace the following:

    • VM_NAME: the name of the VM that has your Private Service Connect interface
    • ZONE: the VM's zone
  2. In the command's output, find and note the Google Cloud name of your Private Service Connect interface.

    • For virtual Private Service Connect interfaces, the name has the form nic[interface_number], for example, nic0 or nic1.
    • For dynamic Private Service Connect interfaces, the name has the form nic[parent_interface_number.VLAN_ID], for example, nic0.10 or nic1.42.

Configure automatic management of dynamic Private Service Connect interfaces

If you are configuring routing for a dynamic Private Service Connect interface, enable automatic management of Dynamic Network Interfaces. You only need to do this once per VM.

Find the guest OS name of your Private Service Connect interface

To configure routing, you need to know the guest OS name of your Private Service Connect interface, which is different than the interface's name in Google Cloud.

To find the interface's name on a Debian VM, do the following. For VMs with other operating systems, consult the public documentation of the operating system.

  1. Connect to your Private Service Connect interface's VM.
  2. Run the following command:

    ip address

    In the list of network interfaces, find and note the interface name that is associated with your Private Service Connect interface's IP address. For example, if the Linux guest agent manages your VM's network interfaces, the names have the following forms:

    • Virtual Private Service Connect interfaces: ens[number], for example, ens5.
    • Dynamic Private Service Connect interfaces: gcp.ens[parent_interface_number].[VLAN_ID], for example, gcp.ens5.10.

Find the gateway IP address of your Private Service Connect interface

To configure routing, you need to know the IP address of your Private Service Connect interface's default gateway.

  1. Connect to your Private Service Connect interface's VM.
  2. Send a GET request from your interface's VM to the associated metadata server.

    • For virtual Private Service Connect interfaces, send the following request:

      curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/INTERFACE_NUMBER/gateway -H "Metadata-Flavor: Google" && echo

      Replace INTERFACE_NUMBER with the index of your interface. For example, if the Google Cloud name for your Private Service Connect interface is nic1, use a value of 1.

    • For dynamic Private Service Connect interfaces, send the following request:

      curl http://metadata.google.internal/computeMetadata/v1/instance/vlan-network-interfaces/PARENT_INTERFACE_NUMBER/VLAN_ID/gateway -H "Metadata-Flavor: Google" && echo

      Replace the following:

      • PARENT_INTERFACE_NUMBER: the index of the dynamic Private Service Connect interface's parent vNIC

        For example, if the Google Cloud name for your Private Service Connect interface is nic1.5, use a value of 1.

      • VLAN_ID: the VLAN ID of your dynamic Private Service Connect interface

        For example, if the Google Cloud name for your Private Service Connect interface is nic1.5, use a value of 5.

    The request's output displays the gateway IP address.

Add routes for consumer subnets

You must add a route to your Private Service Connect interface's default gateway for each consumer subnet that connects to your Private Service Connect interface. This lets traffic that is bound for the consumer network flow through the Private Service Connect interface.

The following steps describe how to temporarily update the routing table for a VM that uses the Debian operating system. To update the table permanently, or to update the route on a different operating system, consult the operating system's public documentation.

  1. Connect to your Private Service Connect interface's VM.

  2. Run the following command for each consumer subnet that connects to your Private Service Connect interface:

    sudo ip route add CONSUMER_SUBNET_RANGE via GATEWAY_IP dev OS_INTERFACE_NAME

    Replace the following:

  3. Run the following command to remove all entries from the cache route table. This might be necessary if you are using an existing instance with previously configured route tables.

    sudo ip route flush cache
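
The gateway lookup and route steps above can be scripted. The following sketch is an added example, not part of the original page: the function names are hypothetical, it assumes IPv4 consumer ranges, and it prints the ip route add commands for review instead of running them.

```sh
# Added example, not from the original page. Function names are hypothetical.

# Map a Google Cloud interface name to its metadata-server gateway path:
#   nic1   -> network-interfaces/1/gateway         (virtual)
#   nic1.5 -> vlan-network-interfaces/1/5/gateway  (dynamic)
psc_metadata_path() {
  n=${1#nic}
  [ "$n" != "$1" ] || return 1             # name must start with "nic"
  case $n in
    ''|*[!0-9.]*|*.*.*|.*|*.) return 1 ;;   # accept only N or N.VLAN_ID
    *.*) printf 'vlan-network-interfaces/%s/%s/gateway\n' "${n%.*}" "${n#*.}" ;;
    *)   printf 'network-interfaces/%s/gateway\n' "$n" ;;
  esac
}

# Ask the metadata server for the gateway (works only on the VM itself).
psc_gateway() {
  p=$(psc_metadata_path "$1") || return 1
  curl -sf -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/instance/$p"
}

# Succeed only for a dotted-quad IPv4 address.
is_ipv4() {
  case $1 in ''|*[!0-9.]*|*..*|.*|*.|*[0-9][0-9][0-9][0-9]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print one "ip route add" per consumer subnet; refuse malformed input.
# Usage: psc_route_cmds GATEWAY_IP OS_INTERFACE_NAME CONSUMER_SUBNET_RANGE...
psc_route_cmds() {
  gw=$1 dev=$2; shift 2
  is_ipv4 "$gw" || { echo "bad gateway: $gw" >&2; return 1; }
  for cidr in "$@"; do
    case $cidr in */*) len=${cidr#*/} ;; *) len='' ;; esac
    case $len in ''|*[!0-9]*|???*) echo "bad range: $cidr" >&2; return 1 ;; esac
    { [ "$len" -le 32 ] && is_ipv4 "${cidr%/*}"; } ||
      { echo "bad range: $cidr" >&2; return 1; }
    printf 'sudo ip route add %s via %s dev %s\n' "$cidr" "$gw" "$dev"
  done
}

# On the VM: psc_route_cmds "$(psc_gateway nic1)" ens5 10.20.0.0/24
```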

Use a Private Service Connect interface with VPC Service Controls

You can use Private Service Connect interfaces with VPC Service Controls. This lets a producer VPC network access Google APIs and services through a consumer VPC network, while the consumer organization can apply the security benefits of VPC Service Controls.

You can implement this configuration by using one of the following approaches, which are described in the following sections:

  • Configure guest OS routing
  • Isolate the Private Service Connect interface with network namespaces or VRF and then configure routing

Configure guest OS routing

To use a Private Service Connect interface with VPC Service Controls, configure routing in the guest OS of the interface's VM. Direct traffic that is destined for Google APIs and services through your Private Service Connect interface.

The following steps describe how to temporarily update the routing table for a VM that uses the Debian operating system. To update the table permanently, or to update the route on a different operating system, consult the operating system's public documentation.

To configure routing, do the following:

  1. Allow SSH connectivity to your Private Service Connect interface's VM.
  2. Connect to the VM.
  3. To create a custom route table for your Private Service Connect interface, run the following command:

    echo "1 ROUTE_TABLE_NAME" | sudo tee -a /etc/iproute2/rt_tables

    Replace ROUTE_TABLE_NAME with a name for the route table.

  4. Add a route to your route table for traffic to Google APIs and services. For example, to add a route for traffic to the restricted.googleapis.com virtual IP (VIP), use the following command, which specifies the IPv4 address range for restricted.googleapis.com:

    sudo ip route add 199.36.153.4/30 dev OS_INTERFACE_NAME table ROUTE_TABLE_NAME

    Replace OS_INTERFACE_NAME with the guest OS name for your Private Service Connect interface, for example, ens5 or gcp.ens5.10.

  5. To add a routing rule that uses the custom route table for packets that originate from your Private Service Connect interface, use the following command:

    sudo ip rule add from INTERFACE_IP table ROUTE_TABLE_NAME

    Replace INTERFACE_IP with the IP address of your Private Service Connect interface. You can find the interface's IP address by describing the interface's VM.

  6. Run the following command to remove all entries from the cache route table. This might be necessary if you are using an existing instance with previously configured route tables.

    sudo ip route flush cache
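
To confirm that steps 4 and 5 took effect, the following added example (not part of the original page) checks the output of ip rule show and ip route show table for the source rule and the restricted.googleapis.com route. The helper name, the sample addresses, the table name psc and the interface ens5 are assumptions; without the rule, packets from the interface are looked up in the main table instead of the custom one.

```sh
# Added example, not from the original page. psc_vpcsc_check is a hypothetical
# helper; it takes command output as text so it can be run on saved samples.
# Usage: psc_vpcsc_check INTERFACE_IP ROUTE_TABLE_NAME OS_INTERFACE_NAME \
#          "$(ip rule show)" "$(ip route show table ROUTE_TABLE_NAME)"
psc_vpcsc_check() {
  # Step 5: a rule "from INTERFACE_IP lookup ROUTE_TABLE_NAME" must exist.
  printf '%s\n' "$4" | awk -v ip="$1" -v t="$2" '
    $2 == "from" && $3 == ip && $4 == "lookup" && $5 == t { ok = 1 }
    END { exit !ok }' || { echo "missing rule: from $1 table $2"; return 1; }
  # Step 4: the table must send the restricted VIP range out the interface.
  printf '%s\n' "$5" | awk -v dev="$3" '
    $1 == "199.36.153.4/30" && $2 == "dev" && $3 == dev { ok = 1 }
    END { exit !ok }' || { echo "missing route: 199.36.153.4/30 dev $3"; return 1; }
  echo ok
}

# Constructed sample output (addresses, table and interface names are made up).
SAMPLE_RULES='0: from all lookup local
32765: from 10.10.0.5 lookup psc
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTES='199.36.153.4/30 dev ens5 scope link'

psc_vpcsc_check 10.10.0.5 psc ens5 "$SAMPLE_RULES" "$SAMPLE_ROUTES"   # prints: ok
```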

Isolate Private Service Connect interfaces with namespaces or VRF

Alternatively, you can configure your VM to use network namespaces or virtual routing and forwarding (VRF) to isolate the Private Service Connect interface. This approach is helpful for containerized workloads, such as those running in Google Kubernetes Engine pods.

Configure routing using the same context that you used for isolating the interface, and make sure that workloads that use your Private Service Connect interface exist within this same context.


Last updated 2025-12-15 UTC.