Private Service Connect
GCP PSC is available in the Scale and Enterprise plans. To upgrade, visit the Plans page in the cloud console.
Private Service Connect (PSC) is a Google Cloud networking feature that allows consumers to access managed services privately inside their virtual private cloud (VPC) network. Similarly, it allows managed service producers to host these services in their own separate VPC networks and offer a private connection to their consumers.
Service producers publish their applications to consumers by creating Private Service Connect services. Service consumers access those Private Service Connect services directly through one of these Private Service Connect types.
By default, a ClickHouse service is not available over a Private Service Connect connection even if the PSC connection is approved and established; you need to explicitly add the PSC ID to the allow list at the instance level by completing the steps below.
Important considerations for using Private Service Connect Global Access:
- Regions utilizing Global Access must belong to the same VPC.
- Global Access must be explicitly enabled at the PSC level (refer to the screenshot below).
- Ensure that your firewall settings do not block access to PSC from other regions.
- Be aware that you may incur GCP inter-region data transfer charges.
Cross-region connectivity is not supported. The producer and consumer regions must be the same. However, you can connect from other regions within your VPC by enabling Global Access at the Private Service Connect (PSC) level.
Please complete the following to enable GCP PSC:
- Obtain GCP service attachment for Private Service Connect.
- Create a service endpoint.
- Add "Endpoint ID" to ClickHouse Cloud service.
- Add "Endpoint ID" to ClickHouse service allow list.
Attention
ClickHouse attempts to group your services to reuse the same published PSC endpoint within the GCP region. However, this grouping is not guaranteed, especially if you spread your services across multiple ClickHouse organizations. If you already have PSC configured for other services in your ClickHouse organization, you can often skip most of the steps because of that grouping and proceed directly to the final step: Add "Endpoint ID" to ClickHouse service allow list.
Find Terraform examples here.
Before you get started
Code examples are provided below to show how to set up Private Service Connect within a ClickHouse Cloud service. In our examples below, we will use:
- GCP region: us-central1
- GCP project (customer GCP project): my-gcp-project
- GCP private IP address in customer GCP project: 10.128.0.2
- GCP VPC in customer GCP project: default
You’ll need to retrieve information about your ClickHouse Cloud service. You can do this either via the ClickHouse Cloud Console or the ClickHouse API. If you are going to use the ClickHouse API, please set the following environment variables before proceeding:
You can create a new ClickHouse Cloud API key or use an existing one.
Get your ClickHouse INSTANCE_ID by filtering by region, provider and service name:
- You can retrieve your Organization ID from the ClickHouse console (Organization -> Organization Details).
- You can create a new key or use an existing one.
Obtain GCP service attachment and DNS name for Private Service Connect
Option 1: ClickHouse Cloud console
In the ClickHouse Cloud console, open the service that you would like to connect via Private Service Connect, then open the Settings menu. Click on the Set up private endpoint button. Make a note of the Service name (endpointServiceId) and DNS name (privateDnsHostname). You'll use them in the next steps.
Option 2: API
You need at least one instance deployed in the region to perform this step.
Obtain GCP service attachment and DNS name for Private Service Connect:
Make a note of the endpointServiceId and privateDnsHostname. You'll use them in the next steps.
Create service endpoint
This section covers ClickHouse-specific details for configuring ClickHouse via GCP PSC (Private Service Connect). GCP-specific steps are provided as a reference to guide you on where to look, but they may change over time without notice from the GCP cloud provider. Please consider GCP configuration based on your specific use case.
Please note that ClickHouse is not responsible for configuring the required GCP PSC endpoints and DNS records.
For any issues related to GCP configuration tasks, contact GCP Support directly.
In this section, we're going to create a service endpoint.
Adding a Private Service Connection
First up, we're going to create a Private Service Connection.
Option 1: Using Google Cloud console
In the Google Cloud console, navigate to Network services -> Private Service Connect.
Open the Private Service Connect creation dialog by clicking on the Connect Endpoint button.
- Target: use Published service
- Target service: use endpointServiceId (API) or Service name (console) from the Obtain GCP service attachment for Private Service Connect step.
- Endpoint name: set a name for the PSC endpoint.
- Network/Subnetwork/IP address: Choose the network you want to use for the connection. You will need to create an IP address or use an existing one for the Private Service Connect endpoint. In our example, we pre-created an address with the name your-ip-address and assigned IP address 10.128.0.2.
- To make the endpoint available from any region, you can enable the Enable global access checkbox.
To create the PSC Endpoint, use the ADD ENDPOINT button.
The Status column will change from Pending to Accepted once the connection is approved.
Copy the PSC Connection ID; we are going to use it as the Endpoint ID in the next steps.
Option 2: Using Terraform
Use endpointServiceId (API) or Service name (console) from the Obtain GCP service attachment for Private Service Connect step.
Set Private DNS Name for Endpoint
There are various ways to configure DNS. Please set up DNS according to your specific use case.
You need to point the "DNS name", taken from the Obtain GCP service attachment for Private Service Connect step, to the GCP Private Service Connect endpoint IP address. This ensures that services/components within your VPC/Network can resolve it properly.
Add Endpoint ID to ClickHouse Cloud organization
Option 1: ClickHouse Cloud console
To add an endpoint to your organization, proceed to the Add "Endpoint ID" to ClickHouse service allow list step. Adding the PSC Connection ID to a service's allow list using the ClickHouse Cloud console automatically adds it to the organization.
To remove an endpoint, open Organization details -> Private Endpoints and click the delete button to remove the endpoint.
Option 2: API
Set these environment variables before running any commands:
Replace ENDPOINT_ID below with the value of Endpoint ID from the Adding a Private Service Connection step.
To add an endpoint, run:
To remove an endpoint, run:
Add/remove Private Endpoint to an organization:
Add "Endpoint ID" to ClickHouse service allow list
You need to add an Endpoint ID to the allow-list for each instance that should be available using Private Service Connect.
Option 1: ClickHouse Cloud console
In the ClickHouse Cloud console, open the service that you would like to connect via Private Service Connect, then navigate to Settings. Enter the Endpoint ID retrieved from the Adding a Private Service Connection step. Click Create endpoint.
If you want to allow access from an existing Private Service Connect connection, use the existing endpoint drop-down menu.
Option 2: API
Set these environment variables before running any commands:
Replace ENDPOINT_ID below with the value of Endpoint ID from the Adding a Private Service Connection step.
Execute it for each service that should be available using Private Service Connect.
To add:
To remove:
Accessing instance using Private Service Connect
Each service with Private Link enabled has a public and a private endpoint. To connect using Private Link, you need to use the private endpoint, which is the privateDnsHostname taken from Obtain GCP service attachment for Private Service Connect.
Getting Private DNS Hostname
Option 1: ClickHouse Cloud console
In the ClickHouse Cloud console, navigate to Settings. Click on the Set up private endpoint button. In the opened flyout, copy the DNS Name.
Option 2: API
In this example, a connection to the xxxxxxx.yy-xxxxN.p.gcp.clickhouse.cloud hostname will be routed to Private Service Connect. Meanwhile, xxxxxxx.yy-xxxxN.gcp.clickhouse.cloud will be routed over the internet.
Troubleshooting
Test DNS setup
DNS_NAME - Use privateDnsHostname from the Obtain GCP service attachment for Private Service Connect step.
Connection reset by peer
- Most likely, the Endpoint ID was not added to the service allow-list. Revisit the Add endpoint ID to services allow-list step.
Test connectivity
If you have problems connecting over the PSC link, check your connectivity using openssl. Make sure the Private Service Connect endpoint status is Accepted:
OpenSSL should be able to connect (see CONNECTED in the output). errno=104 is expected.
DNS_NAME - Use privateDnsHostname from the Obtain GCP service attachment for Private Service Connect step.
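As an added example (not part of the ClickHouse documentation), the shell functions below triage the results of the DNS and openssl checks described above, so that a client silently using the public hostname or a stale DNS record is caught. The sample hostname and openssl output are constructed; the function names, the use of getent, and port 9440 in the live wrapper are assumptions.

```shell
#!/bin/sh
# Added example: triage for the "Test DNS setup" and "Test connectivity" checks.
# Results are passed in as strings so the logic runs offline.

# Hostname shape taken from the page: the private name carries a ".p" label.
host_kind() {
  case "$1" in
    *.p.gcp.clickhouse.cloud) echo private ;;
    *.gcp.clickhouse.cloud)   echo public ;;
    *)                        echo unknown ;;
  esac
}

# psc_triage HOST RESOLVED_IP ENDPOINT_IP OPENSSL_OUTPUT
# Prints one verdict; returns non-zero when the private path is not usable.
psc_triage() {
  host=$1; resolved=$2; endpoint=$3; tls_out=$4
  case "$(host_kind "$host")" in
    public)  echo "public-hostname: routed over the internet, use privateDnsHostname"; return 1 ;;
    unknown) echo "unknown-hostname: not a ClickHouse Cloud GCP name"; return 1 ;;
  esac
  if [ -z "$resolved" ]; then
    echo "dns-missing: no record for $host in this network"; return 1
  fi
  if [ "$resolved" != "$endpoint" ]; then
    echo "dns-mismatch: resolves to $resolved, PSC endpoint is $endpoint"; return 1
  fi
  case "$tls_out" in
    # errno=104 after CONNECTED is the expected result of the openssl test.
    *CONNECTED*) echo "ok: PSC endpoint reachable" ;;
    *) echo "no-connect: check the endpoint status is Accepted and firewall rules"; return 1 ;;
  esac
}

# Live wrapper (assumptions: getent is available, TLS port 9440).
psc_check_live() {
  ip=$(getent hosts "$1" | awk '{print $1; exit}')
  out=$(openssl s_client -connect "$1:9440" </dev/null 2>&1) || true
  psc_triage "$1" "$ip" "$2" "$out"
}

# Constructed sample: hostname and openssl output are made up; the IP is the page's example.
SAMPLE_HOST="abcdefg.us-central1.p.gcp.clickhouse.cloud"
SAMPLE_TLS="CONNECTED(00000003)
write:errno=104"
psc_triage "$SAMPLE_HOST" 10.128.0.2 10.128.0.2 "$SAMPLE_TLS"
```

From a host inside the VPC, `psc_check_live "$DNS_NAME" 10.128.0.2` runs the same triage against live DNS and TLS results.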
Checking Endpoint filters
REST API
Connecting to a remote database
Let's say you are trying to use the MySQL or PostgreSQL table functions in ClickHouse Cloud and connect to your database hosted in GCP. GCP PSC cannot be used to enable this connection securely. PSC is a one-way, unidirectional connection. It allows your internal network or GCP VPC to connect securely to ClickHouse Cloud, but it does not allow ClickHouse Cloud to connect to your internal network.
According to the GCP Private Service Connect documentation:
Service-oriented design: Producer services are published through load balancers that expose a single IP address to the consumer VPC network. Consumer traffic that accesses producer services is unidirectional and can only access the service IP address, rather than having access to an entire peered VPC network.
To do this, configure your GCP VPC firewall rules to allow connections from ClickHouse Cloud to your internal/private database service. Check the default egress IP addresses for ClickHouse Cloud regions, along with the available static IP addresses.
More information
For more detailed information, visit cloud.google.com/vpc/docs/configure-private-service-connect-services.