Deploy a managed service instance by using service connection policies

This page describes how a service instance administrator can deploy an instance of a managed service and configure connectivity by using service connection policies.

Before you begin

  • Make sure that the managed service that you want to deploy supports service connection policies. Making services available for deployment by using service connection maps is available in a limited Preview. For more information about services that support service connection maps, see Supported services.

  • You need a service connection policy for the VPC network, region, and managed service that you want to deploy.

Required roles

Service instance administrators don't need any IAM permissions for the VPC network because these permissions are delegated by the service connection policy. However, IAM permissions might be required for specific managed services that are deployed by using service connection policies. For information about IAM permissions that are required by a specific managed service, check the service's documentation.

Deploy a managed service instance and configure connectivity

If a service connection policy exists for a service, a consumer service administrator can configure connectivity for the managed service instance that they are deploying directly through the administrative API or UI of the managed service.

To deploy managed service connectivity, follow these steps. The steps might vary depending on the managed service.

  1. Use the administrative API or UI of the managed service to deploy a service instance, specifying Private Service Connect as your connectivity type. The service might provide the option to specify the VPC network to deploy Private Service Connect endpoints in.

    For example, you can deploy and configure connectivity for a Cloud SQL instance.

    Note: A service connection policy must exist for this VPC network, region, and service class. Otherwise, the service producer that's represented by the service class is not authorized to deploy connectivity on your behalf.
  2. If all authorization checks pass, then connectivity is deployed. The Network Connectivity Service Account creates an internal IP address and Private Service Connect endpoint in the specified VPC network.

    The lifecycle of your endpoint matches the lifecycle of your managed service instance. The endpoint remains active and stable unless you reconfigure connectivity or decommission the service instance.

  3. After the Network Connectivity Service Account creates your endpoint, the endpoint's forwarding rule is visible in the project that you configured in step 1. This forwarding rule indicates that the connection has been accepted by the producer and includes the IP address that was assigned to your endpoint.

    The names of all forwarding rules that are created by using service connection policies start with sca-auto-. The following is an example of a forwarding rule that was created by using a service connection policy.

    kind: compute#forwardingRule
    name: sca-auto-ab3f45d
    IPAddress: 10.33.2.8
    allowPscGlobalAccess: true
    network: https://www.googleapis.com/compute/v1/projects/consumer-project/global/networks/vpc1
    pscConnectionStatus: ACCEPTED
    region: https://www.googleapis.com/compute/v1/projects/consumer-project/regions/us-central1
    selfLink: https://www.googleapis.com/compute/v1/projects/consumer-project/regions/us-central1/forwardingRules/sca-auto-ab3f45d
    serviceDirectoryRegistrations:
    - namespace: goog-psc-default
    target: https://www.googleapis.com/compute/v1/projects/producer-project/regions/us-central1/serviceAttachments/producer-sa
  4. Your service might provide information about how to connect to the new endpoint—for example, by providing an IP address. Use the provided IP address to communicate with your service through internal IP addresses within Google Cloud.

    For more information about how to configure a specific service, see that service's documentation.
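To verify what step 3 describes, the following added example (not Google Cloud code) audits the forwarding rules in a consumer project: it keeps only the sca-auto- rules, checks that each one is ACCEPTED, sits in the expected VPC network and region, and targets a service attachment owned by a producer project that you allow-list. The input shape follows the JSON that `gcloud compute forwarding-rules list --format=json` emits; the rule records, project names, and IP addresses are constructed for illustration.

```python
"""Audit the Private Service Connect forwarding rules that service connectivity
automation created in a consumer VPC network.

Added example, not Google Cloud code. The input has the shape of
`gcloud compute forwarding-rules list --format=json` output; every rule below is
constructed for illustration.
"""
import json
import re

SCA_PREFIX = "sca-auto-"  # name prefix of automation-created forwarding rules
_PROJECT_RE = re.compile(r"/projects/([^/]+)/")


def _url(project, path):
    """Build a Compute Engine self-link style URL for the constructed sample."""
    return f"https://www.googleapis.com/compute/v1/projects/{project}/{path}"


def _rule(name, ip, status, producer, attachment):
    """One constructed forwarding rule record, in the consumer project's vpc1 / us-central1."""
    return {
        "kind": "compute#forwardingRule",
        "name": name,
        "IPAddress": ip,
        "network": _url("consumer-project", "global/networks/vpc1"),
        "pscConnectionStatus": status,
        "region": _url("consumer-project", "regions/us-central1"),
        "target": _url(producer, f"regions/us-central1/serviceAttachments/{attachment}"),
    }


# Constructed sample: a healthy endpoint, one the producer has not accepted yet,
# one whose service attachment sits in a producer project we never allow-listed,
# and a manually created endpoint that the automation did not create.
SAMPLE_RULES_JSON = json.dumps([
    _rule("sca-auto-ab3f45d", "10.33.2.8", "ACCEPTED", "producer-project", "producer-sa"),
    _rule("sca-auto-9c01e2f", "10.33.2.9", "PENDING", "producer-project", "producer-sa"),
    _rule("sca-auto-77d2b10", "10.33.2.10", "ACCEPTED", "unknown-producer", "other-sa"),
    _rule("manual-psc-endpoint", "10.33.2.20", "ACCEPTED", "producer-project", "producer-sa"),
])


def _last_segment(url):
    """Resource name at the end of a self-link (or the value unchanged)."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def producer_project(target_url):
    """Project id embedded in a service attachment URL, or None if there is none."""
    match = _PROJECT_RE.search(target_url)
    return match.group(1) if match else None


def audit_sca_rules(rules, expected_network, expected_region, allowed_producer_projects):
    """One finding per sca-auto- rule; an empty `issues` list means the endpoint is
    ACCEPTED, in the expected network and region, and targets an allowed producer."""
    findings = []
    for rule in rules:
        name = rule.get("name", "")
        if not name.startswith(SCA_PREFIX):
            continue  # not created by service connectivity automation; out of scope
        issues = []
        status = rule.get("pscConnectionStatus")
        if status != "ACCEPTED":
            issues.append(f"pscConnectionStatus is {status}, not ACCEPTED")
        if _last_segment(rule.get("network", "")) != expected_network:
            issues.append("endpoint is in an unexpected VPC network")
        if _last_segment(rule.get("region", "")) != expected_region:
            issues.append("endpoint is in an unexpected region")
        project = producer_project(rule.get("target", ""))
        if project not in allowed_producer_projects:
            issues.append(f"service attachment belongs to unexpected project {project}")
        findings.append({"name": name, "ip": rule.get("IPAddress"), "status": status,
                         "producer_project": project, "issues": issues})
    return findings


def healthy_endpoint_ips(findings):
    """Internal IP addresses of the endpoints that passed every check."""
    return sorted(f["ip"] for f in findings if not f["issues"])


def run_sample_audit():
    """Audit the constructed sample, allowing only producer-project as a producer."""
    return audit_sca_rules(json.loads(SAMPLE_RULES_JSON), "vpc1", "us-central1", {"producer-project"})


if __name__ == "__main__":
    for finding in run_sample_audit():
        verdict = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(f"{finding['name']} {finding['ip']} -> {verdict}")
```

The audit is read-only by design: a rule that is still PENDING, or that targets a producer project you did not expect, is something to raise through the managed service's own API or UI, not something to repair by editing or deleting the forwarding rule yourself.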

Caution: The managed service fully controls the lifecycle of Private Service Connect endpoints and IP addresses that are deployed by using service connection policies. Don't directly delete or update these Google Cloud resources or else you risk losing connectivity to your managed service instance. All actions to add, remove, or update connectivity for a managed service instance should be taken directly through the administrative API or UI of the managed service.

Decommission service connectivity

To decommission service connectivity or decommission a managed service instance that's deployed by using service connection policies, use the administrative API or UI of the managed service. Delete each service instance that's associated with the managed service. When service instances are deleted, service connectivity automation deletes the associated connections and endpoints.

Troubleshooting

This section contains information about troubleshooting connections that are created through service connectivity automation.

Endpoint creation or deletion failure

If authorized endpoints are not created or deleted as you expect, describe the service connection policy. The pscConnections field contains details about any blocking errors and how you can resolve them.

After any issues are resolved, the endpoint is created or deleted the next time service connectivity automation automatically retries the operation.

Alternatively, if you don't want to wait for the retry process, you can use the administrative API or UI of the managed service you are deploying to request deployment and connectivity for another service instance, using a valid configuration.
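The pscConnections check described above, as an added example that is not Google Cloud code: it loads a constructed policy description and lists every connection that is not healthy, separating connections that carry an error message (which need the fix the error describes before the automatic retry can succeed) from connections that are simply still in progress. The per-connection field names `state`, `error`, `consumerAddress`, and `consumerForwardingRule`, and the treatment of ACTIVE as the healthy state, are assumptions for this example; confirm them against the Network Connectivity API reference.

```python
"""Triage the pscConnections field of a service connection policy.

Added example, not Google Cloud code. The policy document is constructed; the
per-connection field names (state, error.code, error.message, consumerAddress,
consumerForwardingRule) and the healthy state ACTIVE are assumptions here.
"""
import json

HEALTHY_STATES = {"ACTIVE"}  # assumed: a connection in this state is not blocking anything

# Constructed describe output: one working connection, one that failed with an
# error message, and one that is still being created.
SAMPLE_POLICY_JSON = json.dumps({
    "name": "projects/consumer-project/locations/us-central1/serviceConnectionPolicies/example-policy",
    "network": "projects/consumer-project/global/networks/vpc1",
    "pscConnections": [
        {"pscConnectionId": "1001", "state": "ACTIVE", "consumerAddress": "10.33.2.8",
         "consumerForwardingRule": "projects/consumer-project/regions/us-central1/forwardingRules/sca-auto-ab3f45d"},
        {"pscConnectionId": "1002", "state": "FAILED",
         "error": {"code": 8, "message": "constructed: no free addresses in the policy subnet"}},
        {"pscConnectionId": "1003", "state": "CREATING"},
    ],
})


def blocking_connections(policy):
    """Return (connection id, state, error message) for every connection that is not healthy.

    An empty result means nothing in the policy is holding back endpoint creation
    or deletion, so a missing endpoint should be investigated on the managed
    service side instead.
    """
    blocked = []
    for conn in policy.get("pscConnections", []):
        state = conn.get("state", "STATE_UNSPECIFIED")
        if state in HEALTHY_STATES:
            continue
        message = conn.get("error", {}).get("message", "")
        blocked.append((conn.get("pscConnectionId"), state, message))
    return blocked


def needs_action(policy):
    """True when at least one connection carries an error message.

    Connections that are only in a transitional state (such as CREATING) are
    expected to resolve on the automation's next retry without intervention.
    """
    return any(message for _, _, message in blocking_connections(policy))


def run_sample_triage():
    """Triage the constructed sample policy."""
    return blocking_connections(json.loads(SAMPLE_POLICY_JSON))


if __name__ == "__main__":
    for conn_id, state, message in run_sample_triage():
        print(f"{conn_id}: {state} {message or '(no error message, still in progress)'}")
```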

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.