This repository contains examples and configurations for implementing Google Cloud's Private Service Connect (PSC) between GKE clusters in different VPC networks.
Private Service Connect (PSC) enables secure private connectivity between VPC networks, allowing services to communicate without exposing traffic to the public internet. This repository demonstrates two main patterns for using PSC with GKE:
- Direct workload connectivity - Expose individual Kubernetes services across VPC boundaries
- Istio ingress gateway connectivity - Expose multiple services through a single Istio ingress gateway
- `workload-psc.md` - Example for connecting directly to a workload using PSC
- `ingressgateway-psc.md` - Example for connecting to an Istio ingress gateway using PSC
- `images/` - Diagrams and illustrations
- Configuration examples for both producer and consumer sides
This pattern creates a PSC connection directly to a specific workload:
- Producer side publishes a service via service attachment
- Consumer side creates a PSC endpoint and forwarding rule
- Consumer side creates a Kubernetes service pointing to the PSC endpoint
- Traffic flows through the PSC connection to the target service
This pattern creates a PSC connection to an Istio ingress gateway:
- Producer side deploys an internal Istio ingress gateway with service attachment
- Consumer side creates a PSC endpoint and forwarding rule to the gateway
- Consumer side creates a Kubernetes service pointing to the PSC endpoint
- Consumer side creates VirtualServices routing to different applications based on hostnames
- Multiple services can be accessed through a single PSC connection
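
An added example, not part of this repository: a producer-side check of the service attachments that both patterns publish. It flags attachments that accept any consumer automatically, and accepted endpoints from projects you did not expect. The input is constructed sample data in the shape of `gcloud compute service-attachments describe --format=json` output; the project names, the `audit` helper and the expected-project set are assumptions.

```python
"""Audit PSC service attachments for overly permissive consumer access."""


def fr_url(project):
    # Constructed forwarding-rule URL in the Compute API resource-URL shape.
    return ("https://www.googleapis.com/compute/v1/projects/"
            f"{project}/regions/us-central1/forwardingRules/psc-endpoint")


# Constructed sample: two service attachments, trimmed to the audited fields.
SAMPLE = [
    {"name": "workload-sa",
     "connectionPreference": "ACCEPT_AUTOMATIC",
     "connectedEndpoints": [
         {"status": "ACCEPTED", "endpoint": fr_url("consumer-prod")},
         {"status": "ACCEPTED", "endpoint": fr_url("sandbox-123")}]},
    {"name": "istio-gateway-sa",
     "connectionPreference": "ACCEPT_MANUAL",
     "consumerAcceptLists": [
         {"projectIdOrNum": "consumer-prod", "connectionLimit": 4}],
     "connectedEndpoints": [
         {"status": "ACCEPTED", "endpoint": fr_url("consumer-prod")},
         {"status": "PENDING", "endpoint": fr_url("sandbox-123")}]},
]


def project_of(url):
    """Return the project segment of a Compute resource URL, or None."""
    parts = url.split("/")
    return parts[parts.index("projects") + 1] if "projects" in parts else None


def audit(sa, expected):
    """Return findings for one attachment; `expected` is a set of project IDs."""
    findings = []
    if sa.get("connectionPreference") == "ACCEPT_AUTOMATIC":
        findings.append("ACCEPT_AUTOMATIC: any consumer project can connect")
    # Assumes accept-list entries are keyed by project ID, not network URL.
    for entry in sa.get("consumerAcceptLists", []):
        if entry.get("projectIdOrNum") not in expected:
            findings.append("accept list allows unexpected project "
                            f"{entry.get('projectIdOrNum')}")
    for ep in sa.get("connectedEndpoints", []):
        proj = project_of(ep.get("endpoint", ""))
        if ep.get("status") == "ACCEPTED" and proj not in expected:
            findings.append(f"accepted endpoint from unexpected project {proj}")
    return findings


if __name__ == "__main__":
    for sa in SAMPLE:
        for finding in audit(sa, {"consumer-prod"}):
            print(f"{sa['name']}: {finding}")
```
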
See the detailed instructions in `workload-psc.md` and `ingressgateway-psc.md`.

Prerequisites:
- Two GKE clusters in different VPC networks
- Appropriate GCP permissions to create PSC resources
- Istio installed (for the gateway pattern)
This project is licensed under the terms of the MIT license.