Private Service Connect
Expose your deployment as a Private Service Connect service attachment for private connectivity on GCP
GCP Private Service Connect (PSC) lets you expose your LaserData Managed deployment as a service attachment. Consumers in your GCP project (or other authorized projects) create PSC endpoints to connect privately — traffic stays within the Google network and never touches the public internet.
Private Service Connect is available for Managed deployments on GCP only. BYOC deployments run in your VPC and do not need PSC. Requires the Pro or Enterprise plan.
Why Private Service Connect
PSC is the GCP equivalent of AWS PrivateLink. Instead of connecting two VPCs, the deployment is exposed as a service that consumers connect to through endpoints in their own VPCs:
- No VPC CIDR coordination — no need to worry about overlapping IP ranges
- Cross-project access — authorize other GCP projects to connect without sharing VPCs
- Unidirectional — consumers connect to your deployment, but the deployment cannot reach into consumer VPCs
- Scalable — multiple consumers can connect independently
How It Works
- You create a service attachment on your LaserData deployment
- LaserData provisions a GCP PSC Service Attachment backed by the deployment's internal load balancer
- Consumers create PSC endpoints in their own VPCs, pointing to the service attachment URI
- Traffic flows privately from consumer VPCs to the deployment through the Google network
Prerequisites
- A running Managed deployment on GCP
- Pro or Enterprise plan
Creating a Service Attachment
From the Console
- Navigate to your deployment and open the Networking tab
- Click Add Private Service Connect
- Enter a name for the service attachment (must be unique within the deployment)
- Choose a connection preference:
- Manual acceptance (default) — new connections must be manually approved before traffic can flow
- Automatic acceptance — connections are accepted automatically
- Optionally add a consumer accept list — GCP project IDs that are permitted to connect. If left empty, any GCP project can request a connection (subject to the connection preference).
- Optionally enable proxy protocol to include the original client IP in the connection header
- Click Create
LaserData provisions the GCP service attachment and returns the service attachment URI (e.g. projects/ld-prod/regions/us-central1/serviceAttachments/my-attachment). Consumers use this URI to create their PSC endpoints.
What Gets Created
When you create a service attachment, LaserData automatically:
- Creates a GCP PSC Service Attachment linked to the deployment's internal load balancer
- Allocates NAT subnets for the service attachment
- Configures the connection preference and consumer accept lists
- Returns the service attachment URI that consumers need
Connecting as a Consumer
Once the service attachment is created, consumers create PSC endpoints in their own GCP project:
Step 1 — Create the PSC Endpoint
- Open the Google Cloud Console in the consumer project
- Navigate to Network services → Private Service Connect
- Click Connect to a published service
- Enter the service attachment URI provided by the service attachment owner
- Select a subnet and IP address in your VPC for the PSC endpoint
- Click Add endpoint to create the PSC connection
Step 2 — Accept the Connection (if manual)
If the connection preference is accept_manual, the connection will be pending until accepted:
- The service attachment owner sees pending connections in the Console
- Accept the connection to allow traffic to flow
Step 3 — Connect
Once the connection status is ACCEPTED, applications in the consumer VPC can reach the deployment through the assigned private IP address. No internet gateway or NAT is required.
Managing Service Attachments
From the Networking tab, you can view all PSC service attachments for the deployment, including:
- Service attachment URI
- Connection preference
- Consumer accept lists
- NAT subnets
- Connected endpoints and their status
Deleting a service attachment removes the underlying GCP service attachment. Any active PSC endpoints connected to it will stop working — consumers will need to clean up their side.
Plan Limits
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| Service attachments per deployment | - | 1 | 5 |
| Private networking | - | Available | Available |
Audit
All PSC operations are recorded in the audit log:
- Service attachment created — who created it, configuration details
- Service attachment deleted — who removed it and when
API Reference
For programmatic access via API keys, the following endpoints are available.
Required permission: deployment:network:manage (create, delete) or deployment:network:read (list, instructions, connections)
Create a Service Attachment
curl -X POST {supervisor_url}/deployments/{deployment_id}/network/gcp/psc \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "iggy-psc-attachment",
"connection_preference": "accept_manual",
"consumer_accept_lists": [
"my-gcp-project-123"
],
"enable_proxy_protocol": false,
"remarks": "PSC for production consumers"
}'| Field | Required | Description |
|---|---|---|
name | Yes | Unique name for the service attachment |
connection_preference | No | accept_manual (default) or accept_automatic |
consumer_accept_lists | No | GCP project IDs allowed to connect |
enable_proxy_protocol | No | Include original client IP in header (default false) |
remarks | No | Optional description |
Returns 204 No Content.
List Service Attachments
curl {supervisor_url}/deployments/{deployment_id}/network/gcp/psc \
-H "ld-api-key: YOUR_API_KEY"[
{
"id": 1,
"name": "iggy-psc-attachment",
"attachment_id": "psc-abc123def456",
"service_attachment_uri": "projects/ld-prod/regions/us-central1/serviceAttachments/iggy-psc-attachment",
"target_service": "projects/ld-prod/regions/us-central1/backendServices/ld-backend",
"connection_preference": "accept_manual",
"consumer_accept_lists": ["my-gcp-project-123"],
"nat_subnets": ["projects/ld-prod/regions/us-central1/subnetworks/psc-nat-subnet"],
"enable_proxy_protocol": false,
"state": "active",
"remarks": "PSC for production consumers",
"created_at": "2026-03-20T10:30:00Z",
"updated_at": "2026-03-20T10:30:00Z"
}
]Service attachment states: pending, active, closed.
Get Setup Instructions
Returns step-by-step instructions for consumers to connect to the service attachment.
curl {supervisor_url}/deployments/{deployment_id}/network/gcp/psc/{attachment_id}/instructions \
-H "ld-api-key: YOUR_API_KEY"{
"service_attachment_uri": "projects/ld-prod/regions/us-central1/serviceAttachments/iggy-psc-attachment",
"connection_preference": "accept_manual",
"instructions": [
"In your GCP project, navigate to Network services → Private Service Connect",
"Click 'Connect to a published service' and enter the target service: projects/ld-prod/regions/us-central1/serviceAttachments/iggy-psc-attachment",
"Select a subnet and IP address in your VPC for the PSC endpoint",
"Click 'Add endpoint' to create the PSC connection",
"The connection preference is ACCEPT_MANUAL — your connection will be pending until accepted by the service producer",
"Once the connection status is ACCEPTED, use the assigned private IP to reach the service"
]
}List Connections
Returns the current PSC endpoint connections to a service attachment.
curl {supervisor_url}/deployments/{deployment_id}/network/gcp/psc/{attachment_id}/connections \
-H "ld-api-key: YOUR_API_KEY"[
{
"id": 1,
"connection_id": "psc-conn-xyz789",
"consumer_project_id": "my-gcp-project-123",
"consumer_network": "projects/my-gcp-project-123/global/networks/default",
"consumer_forwarding_rule": "projects/my-gcp-project-123/regions/us-central1/forwardingRules/psc-fr-1",
"status": "ACCEPTED",
"error_info": null,
"created_at": "2026-03-21T14:00:00Z",
"updated_at": "2026-03-21T14:05:00Z"
}
]Delete a Service Attachment
curl -X DELETE {supervisor_url}/deployments/{deployment_id}/network/gcp/psc/{attachment_id} \
-H "ld-api-key: YOUR_API_KEY"Returns 204 No Content.