Finally a clear and well communicated explanation and demo! Subscribed!
After researching so much on this topic, finally a video that explains clearly, especially the motivations and the problem that we are going to solve with PSC.
Comments like this are what keep me going mate ❤, thanks for the feedback
Great Explanation of Private Service Connect, very concise and easy to understand
Very well explained, congrats!!
Great explanation, thank you. Is it possible to use private service connect to access managed services like GKE's API server and so on?
I don’t see why not: a PSC service attachment can be put on top of any internal load balancer, and you can create one for the GKE cluster: cloud.google.com/kubernetes-engine/docs/concepts/ingress-ilb. I haven’t tried this myself, but I can’t see why it won’t work.
@practicalgcp2780 Thanks for your feedback. I looked at the article and that will work for services that are deployed into the cluster and exposed using a load balancer. I was referring to the Kubernetes control plane itself (the same endpoint that is baked into a ~/.kube/config file). The requirement is to spin up a private GKE cluster with no public IP assigned to the API server, but being able to manage the cluster using its private IP from another VPC.
When you said Team A GCP Project and Team B GCP Project, which ones are these from the demo? I only saw one project, which is rocketech-de-pgcp-sandbox. Could you help me with this one? Thank you! Excellent video 👍
The sandbox project is one, and you can just have another one, it doesn't matter what it is. It's easier to see this if you have two GCP projects, A & B: you publish the service in A, and create the Endpoint in B to subscribe to it.
@InvertThinkers-vs6le CMIIW, so all producer and consumer setups are configured on the producer side only?
No, the producer side is configured in the producer GCP project; this is where you publish the service. In the consumer project, you create the endpoint. If you know how Cloud Pub/Sub works, with the topic on the publisher side and the subscription on the consumer side, it’s a very similar pattern based on the publisher/subscriber model. This is a very powerful setup, because the consumer side can create the endpoint themselves, without needing the producer side to get involved, as the two sides are typically managed by different teams.
@practicalgcp2780 But I didn't see him configure the consumer setup in the consumer project. I just saw one project, which is rocketech-de-pgcp-sandbox, in his video. I have the same use case as this video; I have Cloud Run in Project A, and would like it to be accessible from Project B.
Sorry, both were me 😅, somehow YouTube decided to use a different account I was also logged in to. So I can’t remember if I used one project or two. But the concept is the same. See 14:13, there is a service attachment URI which is what you need to use when setting up the endpoint.
Can you explain how the service attachment exposes itself to the consumer endpoint?
So when you create the service attachment, you can specify which other projects (or VPC networks within those projects) can create their consumer endpoint to attach to the service attachment. This allows the consumer to create it in their project and hence establish the connection. You can have a look at this section here in the docs, which I believe is well explained: cloud.google.com/vpc/docs/private-service-connect#endpoints
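The two-project flow described in the replies above (producer publishes a service attachment, consumer creates an endpoint against its URI, and the attachment's accept list decides who may connect), written out as gcloud steps. This is an added example, not code from the video or from anyone in the thread; every project, network, subnet and forwarding-rule name is an assumed placeholder, and the producer is assumed to already have a regional internal load balancer in front of the service.

```shell
#!/bin/sh
# Added example, not code from the video or from anyone in this thread. It shows the two
# halves of a Private Service Connect setup as separate gcloud steps: the producer project
# publishes a service attachment with an explicit consumer accept list, the consumer project
# creates an endpoint against the attachment URI. Every project, network, subnet and
# forwarding-rule name below is an assumed placeholder.
set -eu

# Dry run unless invoked with --apply: the commands are printed instead of executed.
GCLOUD=gcloud
[ "${1-}" = "--apply" ] || GCLOUD=echo

# Service attachment URI that the consumer side references.
attachment_uri() {
  printf 'projects/%s/regions/%s/serviceAttachments/%s\n' "$1" "$2" "$3"
}

# Producer project: assumes an existing regional internal load balancer whose forwarding
# rule is "$4" (for Cloud Run, an internal Application Load Balancer with a serverless NEG).
producer_publish() {
  project="$1"; region="$2"; network="$3"; producer_fr="$4"; attachment="$5"; consumer="$6"
  # PSC NAT subnet: consumer traffic arrives in the producer VPC source-NATed to this range,
  # so producer firewall rules must allow ingress from it, not from the consumer's own IPs.
  "$GCLOUD" compute networks subnets create "${attachment}-nat" \
    --project="$project" --region="$region" --network="$network" \
    --range=10.100.0.0/24 --purpose=PRIVATE_SERVICE_CONNECT
  # ACCEPT_MANUAL plus an accept list: only the named consumer project may attach, with at
  # most 10 endpoints. Endpoints from any other project stay PENDING until accepted.
  "$GCLOUD" compute service-attachments create "$attachment" \
    --project="$project" --region="$region" \
    --producer-forwarding-rule="$producer_fr" \
    --connection-preference=ACCEPT_MANUAL \
    --consumer-accept-list="${consumer}=10" \
    --nat-subnets="${attachment}-nat"
}

# Consumer project: reserve an internal IP in its own VPC and point a forwarding rule at the
# producer's attachment URI. The producer team is not involved in this step.
consumer_connect() {
  project="$1"; region="$2"; network="$3"; subnet="$4"; endpoint="$5"; uri="$6"
  "$GCLOUD" compute addresses create "${endpoint}-ip" \
    --project="$project" --region="$region" --subnet="$subnet"
  "$GCLOUD" compute forwarding-rules create "$endpoint" \
    --project="$project" --region="$region" --network="$network" \
    --address="${endpoint}-ip" \
    --target-service-attachment="$uri"
}

# Checks both teams should run: the consumer's forwarding rule reports ACCEPTED, PENDING or
# REJECTED; the producer can list which projects actually attached.
consumer_status() {
  "$GCLOUD" compute forwarding-rules describe "$3" \
    --project="$1" --region="$2" --format='value(pscConnectionStatus)'
}
producer_connected_endpoints() {
  "$GCLOUD" compute service-attachments describe "$3" \
    --project="$1" --region="$2" --format='yaml(connectedEndpoints)'
}

# Worked run with assumed names: project A publishes, project B subscribes.
REGION=us-central1
URI=$(attachment_uri producer-project-a "$REGION" cloudrun-attachment)
producer_publish producer-project-a "$REGION" producer-vpc cloudrun-ilb-fr cloudrun-attachment consumer-project-b
consumer_connect consumer-project-b "$REGION" consumer-vpc consumer-subnet cloudrun-endpoint "$URI"
consumer_status consumer-project-b "$REGION" cloudrun-endpoint
producer_connected_endpoints producer-project-a "$REGION" cloudrun-attachment
```

If the consumer's status stays PENDING, the consumer project is not in the attachment's accept list (or has used up its connection limit); REJECTED means it is on the reject list. A consumer that is itself serverless (Cloud Run, Cloud Functions) only reaches the endpoint IP through a Serverless VPC Access connector or Direct VPC egress into the consumer VPC, whereas a VM in that VPC reaches it directly.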
Is this only for when both sides are in a GCP environment? What if my Cloud Run service wants to send outbound traffic to a VM (on an on-premises network), will PSC still work?
So my understanding is you don’t use PSC to do that; instead you would need Interconnect in order to send outbound traffic from the GCP network to on-prem. So typically Interconnect is deployed to a shared VPC, and you can use a VPC connector (or Direct VPC egress, currently in preview) to a subnet on the shared VPC; then you can talk to the on-prem network, given all the firewalls and routes are set up correctly.
@practicalgcp2780 What needs to be checked on the firewalls and routes to make sure these are all set up correctly? It works fine if the consumer is using a VM from a different project, but when I use a serverless service (e.g. Cloud Functions and Cloud Run), I always get 'connection timed out'. Please help
How would you compare this to a service mesh like Istio or Consul?
Not that familiar with either, but aren't these more geared towards k8s? PSC I think is more at the VPC routing level, to let you connect services on different networks together; I don’t think they are comparable.
This PSC is so unclear in the docs
Great material! thank you