Tags: google-cloud-platform, google-vpc

Understanding customer and service producer VPC networks in Private Service Access


I am building a Cloud SQL instance without a public IP address. While I was able to successfully set up the private service access for the instance, I did not understand the distinction between "Customer VPC network" and "Service producer VPC network" in the following diagram shown on this page: https://cloud.google.com/sql/docs/postgres/private-ip

The same page explains:

Private services access lets you create private connections between your VPC network and the underlying Google service producer's VPC network

My question is, why is there a difference between the two VPC networks? Since both customer and service producer VPC are ultimately resources owned by Google Cloud, why can't they put it in the same VPC network dedicated to my project?

I wasn't able to find an explanation for why my VM needs to live in the "Customer VPC network", while my Cloud SQL instance cannot.



Solution

  • Your question is great, and it's only a matter of responsibility. There are two sides:

    • Yours, with your VPC, your VM, your code, your ops team, your update and backup procedure
    • Google's, with pretty much the same constraints

    Since you use a managed service, managed by Google, Google has total access to the VPC, VM and all the stuff (true for Cloud SQL, but also for GKE (control plane), Filestore, ...).

    This way, Google only has access to the Google-managed VPC, and you only have access to your VM. No risk of interference.

    Therefore, the only way to access a Google-managed resource is:

    • To set a VPC peering (old way, but with constraints, especially the limited number of peering per VPC (24) and the non-transitivity of the peering)
    • To define a PSC (Private Service Connect) between a producer (Google) and a consumer (you). The only way to access the resources managed by Google, is to
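The private services access setup the question refers to, as an added shell example that is not part of the original question or answer: reserve a range in the customer VPC, peer it to the service producer VPC, create the private-IP-only instance, then list the peerings and reserved ranges so the boundary the answer describes can be checked. Project, network, range and instance names are assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): the gcloud steps behind
# "private services access" for a Cloud SQL instance with only a private IP.
# Project, network, range and instance names below are assumed placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"          # assumed: your project id
NETWORK="${NETWORK:-default}"             # assumed: your customer VPC
RANGE_NAME="${RANGE_NAME:-google-managed-services-range}"
INSTANCE="${INSTANCE:-pg-private}"        # assumed: Cloud SQL instance name
GCLOUD="${GCLOUD:-gcloud}"                # override with GCLOUD=echo for a dry run

# Step 1: reserve an address range in the customer VPC. Google allocates the
# Cloud SQL instance's private IP from this range inside its producer VPC.
allocate_range() {
  "$GCLOUD" compute addresses create "$RANGE_NAME" \
    --project="$PROJECT" --global --purpose=VPC_PEERING \
    --prefix-length=16 --network="$NETWORK" \
    --description="Range handed to Google-managed services"
}

# Step 2: create the peering between the customer VPC and the service
# producer VPC (servicenetworking.googleapis.com) using that range.
connect_peering() {
  "$GCLOUD" services vpc-peerings connect \
    --project="$PROJECT" --service=servicenetworking.googleapis.com \
    --ranges="$RANGE_NAME" --network="$NETWORK"
}

# Step 3: create the instance with a private IP only (no public address).
create_instance() {
  "$GCLOUD" sql instances create "$INSTANCE" \
    --project="$PROJECT" --database-version=POSTGRES_15 \
    --tier=db-custom-1-3840 --region=us-central1 \
    --network="projects/$PROJECT/global/networks/$NETWORK" --no-assign-ip
}

# Check: list the producer peerings and reserved ranges on the customer VPC,
# which is where an unexpected range or peering would show up.
verify_peering() {
  "$GCLOUD" services vpc-peerings list --project="$PROJECT" --network="$NETWORK"
  "$GCLOUD" compute addresses list --project="$PROJECT" --global \
    --filter="purpose=VPC_PEERING AND network~$NETWORK"
}

if [ "${RUN_PSA:-0}" = 1 ]; then
  allocate_range && connect_peering && create_instance && verify_peering
fi
```

Run with `RUN_PSA=1` against a real project; with `GCLOUD=echo` it only prints the commands, which is a cheap way to review them before anything is created.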