
Configuring Google Private Service Connect

Info: Google Private Service Connect is available to users on the Pro Plus plan.

You can use Private Service Connect (PSC) to establish a connection to a Cloud SQL instance. The setup below uses the Google Cloud command-line interface (gcloud CLI).

With Private Service Connect, you can connect to a primary Cloud SQL instance or its read replicas from different Virtual Private Cloud (VPC) networks, regardless of whether they belong to other groups, teams, projects, or organizations.

Prerequisites

Install the gcloud CLI and configure it with the appropriate permissions.

Procedure

Step 1: Creating the database instance with PSC

Use the following command to create an instance with Private Service Connect enabled, using the Google Cloud CLI.

gcloud sql instances create INSTANCE_NAME \
--project=PROJECT_ID \
--region=REGION_NAME \
--enable-private-service-connect \
--allowed-psc-projects=rivery-cloud-2017 \
--availability-type=REGIONAL \
--no-assign-ip \
--tier=MACHINE_TYPE \
--database-version=DATABASE_VERSION \
--enable-bin-log

Replace the following values:

  • --project: Specifies the Google Cloud project ID.
  • --region: Defines the region for the SQL instance (for example, us-east1).
  • --enable-private-service-connect: Enables Private Service Connect for the instance.
  • --allowed-psc-projects: Allows specific projects (for example, data-integration-cloud-2017) to connect via PSC.
  • --availability-type: Sets the availability type, ensuring redundancy with REGIONAL.
  • --no-assign-ip: Ensures the instance is created without an external IP.
  • --tier: Sets the instance tier, for example db-g1-small (a lightweight configuration).
  • --database-version: Defines the database version.
  • --enable-bin-log: Enables binary logging for replication and point-in-time recovery.

Step 2: Verify the instance creation

After creating the instance, confirm its successful creation by describing it:

gcloud sql instances describe INSTANCE_NAME \
--project=PROJECT_ID

This command retrieves the details of the instance (named pscdbmysql in this example). Look for pscServiceAttachmentLink in the output, which shows the service attachment link for the PSC.

Example output

pscServiceAttachmentLink: projects/b5c8238c9f342cf4cp-tp/regions/us-east1/serviceAttachments/a-3673e65382ff-psc-service-attachment-77c938123391f551
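A check to run on the Step 2 output before the link is shared, as an added example that is not part of the original page or the vendor's tooling: it confirms that the service attachment link is well formed and in the expected region, that the public IP is disabled, and that only the expected project may connect. The sample describe output is constructed (the link is the one from the example output above) and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). SAMPLE_DESCRIBE is constructed: it mimics the
# YAML printed by `gcloud sql instances describe` for the Step 1 instance.
SAMPLE_DESCRIBE='name: INSTANCE_NAME
region: us-east1
pscServiceAttachmentLink: projects/b5c8238c9f342cf4cp-tp/regions/us-east1/serviceAttachments/a-3673e65382ff-psc-service-attachment-77c938123391f551
settings:
  ipConfiguration:
    ipv4Enabled: false
    pscConfig:
      allowedConsumerProjects:
      - rivery-cloud-2017
      pscEnabled: true'

# Print the service attachment link found in describe output on stdin.
psc_link() {
  sed -n 's/^pscServiceAttachmentLink:[[:space:]]*//p' | head -n 1
}

# Print the allowed consumer projects from describe output, one per line.
psc_allowed_projects() {
  awk '/allowedConsumerProjects:/ { in_list = 1; next }
       in_list && /^[ \t]*- / { sub(/^[ \t]*- */, ""); print; next }
       { in_list = 0 }'
}

# check_psc_instance REGION PROJECT < describe-output
# Succeeds only if the link is well formed and in REGION, the public IP is
# disabled, and PROJECT is the only allowed consumer project.
check_psc_instance() {
  cpi_yaml=$(cat)
  cpi_link=$(printf '%s\n' "$cpi_yaml" | psc_link)
  cpi_re="^projects/[a-z0-9-]+/regions/$1/serviceAttachments/[a-z0-9-]+\$"
  printf '%s\n' "$cpi_link" | grep -Eq "$cpi_re" ||
    { echo "FAIL: link missing or not in region $1" >&2; return 1; }
  printf '%s\n' "$cpi_yaml" | grep -Eq '^[[:space:]]+ipv4Enabled:[[:space:]]*false' ||
    { echo "FAIL: public IPv4 is not disabled" >&2; return 1; }
  cpi_projects=$(printf '%s\n' "$cpi_yaml" | psc_allowed_projects)
  [ "$cpi_projects" = "$2" ] ||
    { echo "FAIL: unexpected consumer projects: $cpi_projects" >&2; return 1; }
  echo "OK: $cpi_link"
}

printf '%s\n' "$SAMPLE_DESCRIBE" | check_psc_instance us-east1 rivery-cloud-2017
```

Against a real instance, pipe the output of the Step 2 describe command into check_psc_instance in place of the sample text.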

Step 3: Creating a forwarding rule for the PSC

A forwarding rule must be created to route traffic via Private Service Connect.

  • Create an address for the forwarding rule.

    gcloud compute addresses create ADDRESS_NAME \
    --project=PROJECT_ID \
    --region=REGION_NAME \
    --subnet=SUBNET_NAME \
    --addresses=INTERNAL_IP_ADDRESS

  • Create the forwarding rule using the PSC service attachment link retrieved in Step 2.

    gcloud compute forwarding-rules create ENDPOINT_NAME \
    --address=ADDRESS_NAME \
    --project=PROJECT_ID \
    --region=REGION_NAME \
    --network=NETWORK_NAME \
    --target-service-attachment=SERVICE_ATTACHMENT_URI \
    --allow-psc-global-access

Make the following replacements:

  • --address: Specifies the internal IP address created in the previous step.
  • --target-service-attachment: Links the forwarding rule to the PSC service attachment.
  • --allow-psc-global-access: Enables global access to the PSC.

Step 4: Firewall configuration

If you encounter issues connecting, ensure the firewall settings allow traffic between the relevant Virtual Private Clouds.

  • Navigate to VPC Network > Firewall in the Google Cloud console.
  • Create firewall rules to allow traffic between the necessary subnets or networks.

Set up these rules in both accounts if you work with different projects or VPCs.

Step 5: Configuring Private Service Connect

To proceed with the configuration of the Private Service Connect:

  1. Forward the output: After generating the pscServiceAttachmentLink (Step 2), send this information to our support team for further configuration.
  2. Open a support ticket:
    • Navigate to the Help menu in the console.
    • Open a new "Support ticket" and include the full output of the pscServiceAttachmentLink. This information lets our Support team complete the Private Service Connect setup.
  3. Follow up with support: After the ticket submission, the Support team will contact you and provide an IP address. You need to add this IP address to your source configuration.

After completing these steps, your Private Service Connect setup is ready for use within Data Integration.

Note: Google Private Service Connect is supported only in the us-east-1 region.
