This tutorial shows you how to make a load-balanced service available from other VPC networks by using Private Service Connect.
By default, the internal passthrough Network Load Balancer that you created in the previous tutorial is available only within its own VPC network. With Private Service Connect, you can publish the service to make it available to resources in other VPC networks.
This tutorial is intended for cloud architects, network architects, network administrators, and IT administrators.
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage, use the pricing calculator.
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
PRODUCER_PROJECT) that you selected or created in the previous tutorial. Use this project for the steps in this tutorial.
To make the service available from other VPC networks, you publish the service. To publish a service, create the following resources in the same network and region as the load balancer:
These instructions create a published service that is accessible from any project. In a production environment, you might instead choose to limit which networks or projects can access the service.
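The publish command used in this tutorial accepts connections from any project. As an added example (not part of the original page), the script below shows the restricted form of that command and a check that flags an auto-accepting service attachment from describe output. The consumer project argument, the connection limit of 5, the function names and the sample YAML are assumptions constructed for illustration.

```bash
# Constructed samples of `gcloud compute service-attachments describe` output,
# trimmed to the fields the check reads.
SAMPLE_AUTOMATIC='connectionPreference: ACCEPT_AUTOMATIC
name: published-service'
SAMPLE_MANUAL='connectionPreference: ACCEPT_MANUAL
consumerAcceptLists:
- connectionLimit: 5
  projectIdOrNum: consumer-project-1
name: published-service'

# Restricted variant of the tutorial's publish command (defined, not called).
# Args: REGION PRODUCER_PROJECT CONSUMER_PROJECT (all placeholders).
publish_restricted() {
  gcloud compute service-attachments create published-service \
    --region="$1" \
    --target-service="projects/$2/regions/$1/forwardingRules/service-rule" \
    --connection-preference=ACCEPT_MANUAL \
    --consumer-accept-list="$3=5" \
    --nat-subnets=nat-subnet
}

# Reads describe output on stdin. Returns 1 unless the attachment requires
# explicit acceptance; on success, lists the projects on the accept list.
audit_attachment() {
  yaml=$(cat)
  pref=$(printf '%s\n' "$yaml" | awk '$1 == "connectionPreference:" {print $2}')
  consumers=$(printf '%s\n' "$yaml" |
    awk '$1 == "projectIdOrNum:" {print $2} $2 == "projectIdOrNum:" {print $3}' |
    paste -sd, -)
  if [ "$pref" != "ACCEPT_MANUAL" ]; then
    echo "FAIL: connectionPreference=${pref:-unset}, expected ACCEPT_MANUAL"
    return 1
  fi
  echo "OK: ACCEPT_MANUAL; accepted consumers: ${consumers:-none}"
}

# Run the check over both constructed samples.
printf '%s\n' "$SAMPLE_AUTOMATIC" | audit_attachment || true
printf '%s\n' "$SAMPLE_MANUAL" | audit_attachment
```

With real resources, pipe the output of gcloud compute service-attachments describe published-service --region=REGION into audit_attachment.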
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click Publish service.
In the Target details section, select Load balancer.
Select Internal passthrough Network Load Balancer.
Select the internal load balancer that you created, service-lb.
For Service name, enter published-service.
Create a Private Service Connect subnet for NAT:
nat-subnet
REGION
10.10.20.0/22
For Connection preference, select Automatically accept all connections.
Click Add service.
Create a Private Service Connect subnet by using the gcloud compute networks subnets create command.
gcloud compute networks subnets create nat-subnet \
--network=service-network \
--region=REGION \
--range=10.10.20.0/22 \
--purpose=PRIVATE_SERVICE_CONNECT
To publish the service, use the gcloud compute service-attachments create command.
gcloud compute service-attachments create published-service \
--region=REGION \
--target-service=projects/PRODUCER_PROJECT/regions/REGION/forwardingRules/service-rule \
--connection-preference=ACCEPT_AUTOMATIC \
--nat-subnets=nat-subnet
Replace the following:
PRODUCER_PROJECT: the ID of the producer project.
REGION: the region for the service attachment. This must be the same region as the IP address of the target forwarding rule.
Create a firewall rule to let traffic from the Private Service Connect NAT subnet reach the load balancer's backend VMs.
In the Google Cloud console, go to the Firewall policies page.
To let traffic from the Private Service Connect NAT subnet reach the load balancer's backend VMs, click Create firewall rule and use the following settings:
fw-allow-nat
service-network
1000
allow-nat
10.10.20.0/22
Click Create.
Create the fw-allow-nat firewall rule to allow communication from the Private Service Connect NAT subnet to the VM backends:
gcloud compute firewall-rules create fw-allow-nat \
--network=service-network \
--action=allow \
--direction=ingress \
--source-ranges=10.10.20.0/22 \
--rules=tcp,udp,icmp
You use the service attachment URI to configure the endpoint in the next tutorial, Access the service from another VPC network.
In the Google Cloud console, go to the Private Service Connect page.
Click the Published services tab.
Click the service that you want to view.
The Service attachment field contains the service attachment URI.
View details for the published service by using the gcloud compute service-attachments describe command.
The selfLink field contains the service attachment URI.
gcloud compute service-attachments describe \
published-service --region=REGION
Replace REGION with the region that contains the
service attachment.
Last updated 2026-06-09 UTC.