♊️ GemiNews 🗞️
(dev)
🏡
📰 Articles
🏷️ Tags
🧠 Queries
📈 Graphs
☁️ Stats
💁🏻 Assistant
💬
🎙️
Demo 1: Embeddings + Recommendation
Demo 2: Bella RAGa
Demo 3: NewRetriever
Demo 4: Assistant function calling
Editing article
Title
Summary
Content
<h3>Introduction</h3><p>When it comes to managed RDBMS solutions, Google Cloud Platform (GCP) offers two powerful solutions: Cloud SQL for managed relational databases and AlloyDB for PostgreSQL compatibility with high performance. Understanding how to connect to these databases is essential for any developer or administrator working with GCP.</p><p>This blog dives into the world of private connectivity for AlloyDB, focusing on the benefits of Private Service Connect (PSC). Before we delve into the specific steps of creating a PSC endpoint for non-PSC enabled instances, let’s explore the scenarios where utilizing PSC with AlloyDB proves advantageous. Understanding these use cases will equip you with the foundational knowledge necessary to grasp the methods employed in specific situations.</p><p>Firstly, we’ll differentiate between PSA (Private Service Access) and PSC, highlighting the evolution of private connectivity options for AlloyDB. This clarifies why PSC is the preferred approach for modern deployments.</p><blockquote>Note : For brevity, we’ll focus on AlloyDB, as networking concepts apply similarly to CloudSQL.</blockquote><h3><strong>Networking Essentials for Connecting Applications to AlloyDB</strong></h3><p>Connecting your applications to AlloyDB involves careful consideration of your network architecture. Let’s break down the key scenarios and how you can establish secure and reliable connections. We will only discuss methods to access the database using Private IP.</p><h4><strong>Scenario 1: Application and AlloyDB in the Same Customer VPC Network</strong></h4><p>This is the most straightforward setup. You can <a href="https://cloud.google.com/alloydb/docs/configure-connectivity#gcloud">use PSA to connect to your AlloyDB Instance</a>. <strong>Private services access</strong> is implemented as a <a href="https://cloud.google.com/vpc/docs/vpc-peering">VPC peering connection</a> between your <a href="https://cloud.google.com/vpc/docs/vpc">VPC network</a> and the <em>underlying Google Cloud VPC network</em> where your AlloyDB instance resides. Any service in Customer VPC network can use the Private IP of AlloyDB to connect to it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/415/1*UwDvQ2oqjwyDWzPsJZFrpw.png" /><figcaption>Fig1: Simplified depiction of simplest Architecture</figcaption></figure><h4><strong>Scenario 2: Application and Cloud SQL in a Shared VPC Network</strong></h4><p><a href="https://cloud.google.com/vpc/docs/shared-vpc">Shared VPC networks</a> are designed to enable resource sharing across projects within an organization. This is the most commonly used network architecture in larger, multi-project environments.</p><p>This simplifies the network architecture. Similar to the same VPC scenario, PSA is configured and services within Customer Shared VPC network can use the Private IP address, language connectors or AlloyDB Auth Proxy.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/635/1*F6StsaFJAqoHXiGNAH9VJw.png" /><figcaption>Fig2: Shared VPC</figcaption></figure><p>From above Illustration, We can see that GKE which is a separate Customer project (AlloyDB is in separate customer project) is able to access the AlloyDB using Private IP (PSA) as we are using shared VPC network and Shared VPC network is Peered to Google Managed AlloyDB VPC network.</p><h4><strong>Scenario 3: Application and Cloud SQL in Different VPC Networks with VPC Peering</strong></h4><p>This is when you want to manage separate VPC networks for separate projects or may be multiple Shared VPC networks.</p><p>For example consider the diagram below</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*vCXHqR5GmzlItj9_uZ5tHw.png" /><figcaption>Fig 3 Separate customer VPC networks for Application and AlloyDB</figcaption></figure><p><strong>How would GKE in Customer GKE VPC connect to AlloyDB in AlloyDB VPC (PSA configured) ?</strong></p><p>The first solution that comes to mind to VPC Network peering.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*3vTqq8Mh8P4Tb1e_h3TdDA.png" /><figcaption>Fig 4 Transitive VPC Network Peering</figcaption></figure><p>Even If we peer Customer GKE VPC network to Customer AlloyDB VPC which is already peered to Google AlloyDB VPC through PSA, <strong>GKE pods using Customer GKE VPC network won’t be able to connect to AlloyDB Private IP because VPC Network Peering isn’t transitive</strong>.</p><p>In Such a setup (Fig4. ), you can use the following ways to connect your AlloyDB instance to multiple VPCs using private IP :</p><ul><li><a href="https://cloud.google.com/sql/docs/mysql/connect-multiple-vpcs#custom-route">Connect using custom route advertisements</a></li><li><a href="https://cloud.google.com/sql/docs/mysql/connect-multiple-vpcs#intermediate-proxy">Connect using an intermediate proxy (SOCKS5)</a> or Connect using a TCP proxy such as <a href="https://manpages.ubuntu.com/manpages/trusty/man1/simpleproxy.1.html">simpleproxy</a></li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/665/1*uz0NBlOxXS3LTy1EIbtgXQ.png" /><figcaption>Fig 5 TCP proxy on a VM hosted in Customer AlloyDB VPC</figcaption></figure><p>While setting up a proxy for PSC with AlloyDB is straightforward, managing a dedicated GCE VM within the customer’s AlloyDB project (VPC network) introduces additional operational overhead.</p><blockquote>You can’t use TCP Proxy if you intend to use AlloyDB Auth Proxy or language connectors for encryption and IAM authentication.</blockquote><h4>Scenario 4: Application and Cloud SQL in Different VPC Networks without VPC Peering</h4><p>This scenario is the main motivation for this post. PSC solves this challenge for us. PSC provides another connectivity option for AlloyDB users, with improvements on the legacy Service Networking (or PSA) framework, such as:</p><ul><li>Ability to make direct connections from multiple projects easily into AlloyDB resources, enabling new architectures.</li><li>Efficient use of IP address space, as a single IP address is required from a consumer VPC to connect to an AlloyDB instance. PSA requires a minimum of a /24 IP range.</li><li>More secure as consumer and producer VPCs are isolated, and only inbound connectivity to AlloyDB is allowed. PSA requires bidirectional connectivity between the consumer VPC and AlloyDB by default, which is a blocker for some customer use cases.</li></ul><p><strong>Private Service Connect (PSC) for AlloyDB</strong></p><p><a href="https://cloud.google.com/vpc/docs/private-service-connect">Private Service Connect</a> provides a powerful way to consume Google-managed services privately, even if they reside in a different project or network. PSC creates an internal DNS alias for your Cloud SQL instance. Your application can access it using this alias, and traffic is routed securely over Google’s private network.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/685/1*x6NJv3NHKO2mf97BZ-oeFA.png" /><figcaption>Fig6 Connect to AlloyDB using Private service connect</figcaption></figure><p>In Fig6, You can see resources from Customer GKE VPC network and Customer AlloyDB VPC network can connect to AlloyDB using a Private service connect endpoints (forwarding rules) in respective VPC networks. These forwarding rules use the service attachment which is created as part of Private service connect. We can whitelist projects where our applications or clients will reside, in the AlloyDB service attachment.</p><p>This doesn’t requires Private service Access setup in Customer AlloyDB Project. AlloyDB Instance can be created with either PSC or PSA enabled.</p><p>As of May 2024, both methods of private connectivity can’t be configured simultaneously. Same is true for CloudSQL as well. You can’t switch between PSC and PSA as of May 2024.</p><blockquote>You can also use <a href="https://cloud.google.com/alloydb/docs/configure-private-service-connect">Private service connect for AlloyDB</a> when Customer VPC networks don’t have PSA configured i.e. for all the above scenarios.</blockquote><p>You must create this endpoint in each customer VPC network where database access is needed.</p><p>Private Service Connect endpoints that are used to access services are regional resources. However, you can make an endpoint available in other regions by <a href="https://cloud.google.com/vpc/docs/manage-endpoints-published-services#enable-global-access">configuring global access</a>.</p><p><strong>Can you enable PSC for existing AlloyDB Instance?</strong></p><p>So if you have an existing AlloyDB Instance with PSA enabled and you have an application in a separate VPC which is not peered to Customer AlloyDB VPC network. And you want to connect to AlloyDB using private IP, what options you do have?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*vCXHqR5GmzlItj9_uZ5tHw.png" /><figcaption>Fig 7 (same as Fig3)</figcaption></figure><p>You may do what we did in Scenario 3 i.e. create VPC peering between Customer GKE VPC and Customer AlloyDB VPC and use TCP Proxy or use custom route advertisements. But there is an overhead of managing routes or GCE VM running proxy.</p><p>A solution like PSC enabled AlloyDB would be a good fit for such a scenario. As you can’t simply switch between PSA and PSC, you have below options:</p><ul><li>You can create a DMS job to migrate data between PSA enabled AlloyDB to PSC enabled AlloyDB. That means some extra work in setting up DMS and a small downtime as well.</li><li>You can export all you data and import into a new PSC enabled Instance and that means downtime.</li><li><strong>You can create a PSC endpoint for a Non-PSC (PSA enabled) AlloyDB Instance. That will require some work but you will be able to use both PSA and PSC endpoints to connect the you AlloyDB Instance.</strong></li></ul><h3>Create PSC endpoint for a Non-PSC (PSA enabled) AlloyDB Instance</h3><p>In this section, we will discuss what are the ways we can use to<strong> create a PSC endpoint for a PSA enabled AlloyDB Instance</strong>.</p><h4>Two Methods</h4><ul><li><strong>Method 1</strong>: Create a service attachment in Customer AlloyDB VPC network which already has PSA enabled. This service attachment will use a producer forwarding rule in Customer AlloyDB VPC network that has a “target instance” as backend and that target instance points to the VM where we have a TCP proxy or SOCKS Proxy running (Fig 8.). Create a forwarding rule in Customer GKE VPC network with service attachment in Customer AlloyDB VPC network as target. Applications deployed on GCE/GKE in Customer GKE VPC network can connect to AlloyDB Instance using the private IP assigned to outgoing fowarding rule.</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*kgYwDyuLFp8jyBz8ik4L6Q.png" /><figcaption>Fig 8 Service attachment with tcp proxy running on a VM</figcaption></figure><ul><li><strong>Method 2</strong>: Create a service attachment in Customer AlloyDB VPC network which already has PSA enabled. This service attachment will use a producer forwarding rule in Customer AlloyDB VPC network which has a backend service with Zonal hybrid network endpoint groups as targets. Zonal NEG has AlloyDB Private IP and port as endpoint. Create a forwarding rule in Customer GKE VPC network with service attachment in Customer AlloyDB VPC network as target. Applications deployed on GCE/GKE in Customer GKE VPC network can connect to AlloyDB Instance using the private IP assigned to outgoing fowarding rule.</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*pFwi78U_e74ckZSczhOMdg.png" /><figcaption>Fig 9 Service attachment connected to LB with zonal NEG as backend</figcaption></figure><p><strong>Method 2</strong> is a better option because</p><ul><li>It uses all the managed services rather than a Proxy running on VM.</li><li>You can use AlloyDB Auth proxy for encryption and IAM authentication</li></ul><h4>Assumptions before Implementation</h4><ul><li>You have a AlloyDB Cluster with primary Instance in Customer AlloyDB project which has PSA enabled</li><li>You have a customer AlloyDB project with customer AlloyDB VPC network and a Customer GKE/GCE project with Customer GKE/GCE VPC network</li><li>Your account has appropriate privileges to create and managed resources</li></ul><h4>Steps to implement Method 2</h4><ul><li>Read for environment variables</li></ul><pre><br>read -p "region : " REGION<br>read -p "projectid : " DB_PROJECT<br>read -p "GCE_SUBNET : " GCE_SUBNET<br>read -p "DB_VPC_NET : " DB_VPC_NET<br>read -p "CIDR_TCPNAT : " CIDR_TCPNAT<br>read -p "clientprojectid : " CLIENT_PROJECT<br>read -p "AlloyDB Cluster : " ADB_CLUSTER<br>read -p "AlloyDB Instance : " ADB_INSTANCE<br>read -p "CLIENT_VPC_NET : " CLIENT_VPC_NET<br>read -p "GCE_SUBNET_CLIENT : " GCE_SUBNET_CLIENT<br>read -p "Resrverip : " ADDR<br>read -p "PORT :" PORT</pre><p><em>DB_VPC_NET — Customer AlloyDB VPC Network name <br>DB_PROJECT — Customer AlloyDB VPC Project ID<br>GCE_SUBNET — Subnet in Customer AlloyDB VPC Network<br>CIDR_TCPNAT — CIDR for PSC subnet in Customer AlloyDB VPC Network<br>CLIENT_PROJECT — Customer GKE/GCE VPC Project ID<br>ADB_CLUSTER — AlloyDB Cluster name<br>ADB_INSTANCE — AlloyDB Instance<br>REGION — Region in which your AlloyDB Instance is created<br>CLIENT_VPC_NET — Customer GKE/GCE VPC Network name <br>GCE_SUBNET_CLIENT — Subnet in Customer AlloyDB VPC Network <br>ADDR — IP address to be used by outgoing Forwarding rule<br>PORT — PORT on which DB or Auth proxy is listening</em></p><ul><li>Authenticate and create a subnet for Private service connect in Customer AlloyDB VPC Network</li></ul><pre><br># Authenticate <br>gcloud auth login<br><br># Create a TCP NAT subnet.<br>gcloud compute networks subnets create dms-psc-nat-${REGION}-tcp \<br>--network=${DB_VPC_NET} \<br>--project=${DB_PROJECT} \<br>--region=${REGION} \<br>--range=${CIDR_TCPNAT} \<br>--purpose=private-service-connect</pre><ul><li>Create a Zonal Network endpoint group of Hybrid type and add an endpoint which is private IP of the AlloyDB Instance. Port can be either be AlloyDB port (5432) or AlloyDB Auth proxy port(5433).</li><li>For Cloud SQL ports would be different. Cloud SQL Auth Proxy uses 3307.</li></ul><pre>### create NEG<br>gcloud compute network-endpoint-groups create neg-$(date +%d%m%Y) --default-port=$PORT --network=${DB_VPC_NET} \<br>--network-endpoint-type=non-gcp-private-ip-port \<br>--project=${DB_PROJECT} \<br>--zone=${REGION}-a <br><br>### get private IP for AlloyDB or cloudSQL<br>DB_PRIVATE_IP=$(gcloud beta alloydb instances describe $ADB_INSTANCE --cluster=$ADB_CLUSTER --region=$REGION --format json --project=${DB_PROJECT} | jq .ipAddress|tr -d '"')<br><br>#neg endpoint<br>gcloud compute network-endpoint-groups update neg-$(date +%d%m%Y) \<br> --zone=${REGION}-a \<br>--add-endpoint="ip="${DB_PRIVATE_IP}",port="$PORT --project=${DB_PROJECT}</pre><ul><li>Configure the load balancer i.e. a backend service with Hybrid NEG as backend, TCP proxy, and regional health check for the backends.</li></ul><pre><br>### Health check probes for hybrid NEG backends originate from Envoy proxies in the proxy-only subnet.<br>gcloud compute health-checks create tcp lb-hc-$(date +%d%m%Y) \<br> --region=${REGION} \<br> --use-serving-port --project=${DB_PROJECT}<br><br>##### Create a backend service.<br><br>gcloud compute backend-services create bs-lb-$(date +%d%m%Y) \<br> --load-balancing-scheme=INTERNAL_MANAGED \<br> --protocol=TCP \<br> --region=${REGION} \<br> --health-checks=lb-hc-$(date +%d%m%Y) \<br> --health-checks-region=${REGION} --project=${DB_PROJECT}<br> <br> <br>## Add the hybrid NEG backend to the backend service.<br><br>gcloud compute backend-services add-backend bs-lb-$(date +%d%m%Y) \<br> --network-endpoint-group=neg-$(date +%d%m%Y) \<br> --network-endpoint-group-zone=${REGION}-a \<br> --region=${REGION} \<br> --balancing-mode=CONNECTION \<br> --max-connections=100 --project=${DB_PROJECT}<br> <br>### For MAX_CONNECTIONS, enter the maximum concurrent connections <br>### that the backend should handle.<br><br>###Create the target TCP proxy.<br><br>gcloud compute target-tcp-proxies create tcp-proxy-$(date +%d%m%Y) \<br> --backend-service=bs-lb-$(date +%d%m%Y) \<br> --region=${REGION} \<br> --project=${DB_PROJECT}<br><br></pre><ul><li>Create the forwarding rule which has target tcp proxy which we created in previous step. The forwarding rule only forwards packets with a matching destination port.</li></ul><pre>## create incoming forwarding rule which acts a frontend for LB<br>gcloud compute forwarding-rules create fr-psc-$(date +%d%m%Y) \<br> --load-balancing-scheme=INTERNAL_MANAGED \<br> --network=${DB_VPC_NET} \<br> --subnet=${GCE_SUBNET} \<br> --ports=$PORT \<br> --region=${REGION} \<br> --target-tcp-proxy=tcp-proxy-$(date +%d%m%Y) \<br> --target-tcp-proxy-region=${REGION} --project=${DB_PROJECT}</pre><ul><li>Create Service attachment in Customer AlloyDB VPC network which points to the forwarding rule we created in previous step. We whitelisted Customer AlloyDB VPC network and Customer GCE/GKE VPC network for the service attachment.</li></ul><pre># Create a service attachment.<br>gcloud compute service-attachments create dms-psc-svc-att-${REGION} \<br>--project=${DB_PROJECT} \<br>--region=${REGION} \<br>--producer-forwarding-rule=fr-psc-$(date +%d%m%Y) \<br>--connection-preference=ACCEPT_MANUAL \<br>--nat-subnets=dms-psc-nat-${REGION}-tcp \<br>--consumer-accept-list=${DB_PROJECT}=2000,${CLIENT_PROJECT}=2000</pre><ul><li>Create Firewall rule to allow ingress from service attachment subnet</li></ul><pre>gcloud compute \<br>--project=${DB_PROJECT} firewall-rules create fwr-dms-allow-psc-tcp \<br>--direction=INGRESS \<br>--priority=1000 \<br>--network=${DB_VPC_NET} \<br>--action=ALLOW \<br>--rules=all \<br>--source-ranges=${CIDR_TCPNAT} \<br>--enable-logging</pre><ul><li>Reserve an internal IP from GCE_SUBNET_CLIENT subnet. This will be used by forwarding rule. This IP will be used by client in Customer GCE/GKE VPC network to connect to AlloyDB.</li></ul><blockquote>If you want to use AlloyDB Auth proxy or language connector then this IP has to be same as PSA Private IP. That means you need to have a Subnet in Customer GCE VPC network with CIDR overlapping with part of your Private Service Access Allocated IP range in your Customer AlloyDB VPC network.</blockquote><pre>### Reserve a Private IP address<br>gcloud compute addresses create addr-$(date +%d%m%Y) \<br>--project=${CLIENT_PROJECT} \<br>--region=${REGION} \<br>--subnet=${GCE_SUBNET_CLIENT} \<br>--addresses=${ADDR}</pre><ul><li>Create a forwarding rule in Customer GCE/GKE VPC network with target as service attachment in Customer AlloyDB VPC network</li></ul><pre>## create PSC endpoint (forwarding rule)<br>gcloud compute forwarding-rules create fr-client-$(date +%d%m%Y) \<br>--address=addr-$(date +%d%m%Y) \<br>--project=${CLIENT_PROJECT} \<br>--region=${REGION} \<br>--network=${CLIENT_VPC_NET} \<br>--target-service-attachment=projects/${DB_PROJECT}/regions/${REGION}/serviceAttachments/dms-psc-svc-att-${REGION}</pre><ul><li>To test connectivity, Create a GCE VM in Customer GCE/GKE project using GCE_SUBNET_CLIENT of Customer GCE/GKE VPC network. Install postgresql-client</li></ul><pre>## create a Client VM <br>gcloud compute instances create instance-$(date +%d%m%Y) \<br> --project=${CLIENT_PROJECT} \<br> --zone=${REGION}-a \<br> --image-family=debian-12 \<br> --image-project=debian-cloud \<br> --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=${GCE_SUBNET_CLIENT} \<br> --metadata=startup-script='#! /bin/bash<br>apt-get install postgresql-client wget -y<br>wget https://storage.googleapis.com/alloydb-auth-proxy/v1.7.1/alloydb-auth-proxy.linux.amd64 -O alloydb-auth-proxy<br>chmod +x alloydb-auth-proxy<br>'</pre><ul><li>On the GCE VM in Customer GKE/GCE VPC network</li></ul><pre>### If Using AlloyDB Auth Proxy<br>gcloud beta alloydb instances describe alloydb-ins-primary-$(date +%d%m%Y) --project=${DB_PROJECT} --cluster=alloydb-cls-001 --region=${REGION} --format json | jq .name<br><br>./alloydb-auth-proxy INST_URI </pre><ul><li>If you are configuring for Cloud SQL, <a href="https://cloud.google.com/sql/docs/postgres/connect-auth-proxy#start-proxy">use this public document to start Cloud SQL Auth Proxy</a>.</li><li>On the GCE VM in Customer GKE/GCE VPC network</li></ul><pre>### If using AlloyDB Auth Proxy<br>psql -h 127.0.0.1 -U postgres postgres<br><br>### If using Private IP<br>psql -h <Private IP of forwarding rule in Customer GCE/GKE VPC network> -U postgres postgres</pre><p>This method works well. I have tested this multiple times.</p><p>Performance testing is advised before production deployment.</p><h3>Other notable key points</h3><ul><li>Prefer managed PSC enabled AlloyDB over such a manual solution</li><li>NEG used are hybrid zonal NEG, so in case of a failover you have to add new zonal NEG to backend service of load balancer.</li><li>You can use DMS service to migrate a PSA enabled AlloyDB to PSC AlloyDB.</li></ul><h3>References</h3><ul><li><a href="https://cloud.google.com/alloydb/docs/connect-external">Connect to a cluster from outside its VPC | AlloyDB for PostgreSQL | Google Cloud</a></li><li><a href="https://cloud.google.com/sql/docs/mysql/connect-multiple-vpcs">Connect your instance to multiple VPCs | Cloud SQL for MySQL | Google Cloud</a></li><li><a href="https://cloud.google.com/sql/docs/mysql/configure-private-service-connect">Connect to an instance using Private Service Connect | Cloud SQL for MySQL | Google Cloud</a></li></ul><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=3f8eeed51d2a" width="1" height="1" alt=""><hr><p><a href="https://medium.com/google-cloud/connect-to-non-psc-alloydb-or-non-psc-cloud-sql-from-a-different-vpc-3f8eeed51d2a">Connect to Non-PSC AlloyDB or Non-PSC Cloud SQL from a different VPC</a> was originally published in <a href="https://medium.com/google-cloud">Google Cloud - Community</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>
Author
Link
Published date
Image url
Feed url
Guid
Hidden blurb
--- !ruby/object:Feedjira::Parser::RSSEntry title: Connect to Non-PSC AlloyDB or Non-PSC Cloud SQL from a different VPC url: https://medium.com/google-cloud/connect-to-non-psc-alloydb-or-non-psc-cloud-sql-from-a-different-vpc-3f8eeed51d2a?source=rss----e52cf94d98af---4 author: Harinderjit Singh categories: - data - alloydb - cloud-sql - google-cloud-platform - infrastructure published: 2024-05-14 04:21:54.000000000 Z entry_id: !ruby/object:Feedjira::Parser::GloballyUniqueIdentifier is_perma_link: 'false' guid: https://medium.com/p/3f8eeed51d2a carlessian_info: news_filer_version: 2 newspaper: Google Cloud - Medium macro_region: Blogs rss_fields: - title - url - author - categories - published - entry_id - content content: '<h3>Introduction</h3><p>When it comes to managed RDBMS solutions, Google Cloud Platform (GCP) offers two powerful solutions: Cloud SQL for managed relational databases and AlloyDB for PostgreSQL compatibility with high performance. Understanding how to connect to these databases is essential for any developer or administrator working with GCP.</p><p>This blog dives into the world of private connectivity for AlloyDB, focusing on the benefits of Private Service Connect (PSC). Before we delve into the specific steps of creating a PSC endpoint for non-PSC enabled instances, let’s explore the scenarios where utilizing PSC with AlloyDB proves advantageous. Understanding these use cases will equip you with the foundational knowledge necessary to grasp the methods employed in specific situations.</p><p>Firstly, we’ll differentiate between PSA (Private Service Access) and PSC, highlighting the evolution of private connectivity options for AlloyDB. This clarifies why PSC is the preferred approach for modern deployments.</p><blockquote>Note : For brevity, we’ll focus on AlloyDB, as networking concepts apply similarly to CloudSQL.</blockquote><h3><strong>Networking Essentials for Connecting Applications to AlloyDB</strong></h3><p>Connecting your applications to AlloyDB involves careful consideration of your network architecture. Let’s break down the key scenarios and how you can establish secure and reliable connections. We will only discuss methods to access the database using Private IP.</p><h4><strong>Scenario 1: Application and AlloyDB in the Same Customer VPC Network</strong></h4><p>This is the most straightforward setup. You can <a href="https://cloud.google.com/alloydb/docs/configure-connectivity#gcloud">use PSA to connect to your AlloyDB Instance</a>. <strong>Private services access</strong> is implemented as a <a href="https://cloud.google.com/vpc/docs/vpc-peering">VPC peering connection</a> between your <a href="https://cloud.google.com/vpc/docs/vpc">VPC network</a> and the <em>underlying Google Cloud VPC network</em> where your AlloyDB instance resides. Any service in Customer VPC network can use the Private IP of AlloyDB to connect to it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/415/1*UwDvQ2oqjwyDWzPsJZFrpw.png" /><figcaption>Fig1: Simplified depiction of simplest Architecture</figcaption></figure><h4><strong>Scenario 2: Application and Cloud SQL in a Shared VPC Network</strong></h4><p><a href="https://cloud.google.com/vpc/docs/shared-vpc">Shared VPC networks</a> are designed to enable resource sharing across projects within an organization. This is the most commonly used network architecture in larger, multi-project environments.</p><p>This simplifies the network architecture. Similar to the same VPC scenario, PSA is configured and services within Customer Shared VPC network can use the Private IP address, language connectors or AlloyDB Auth Proxy.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/635/1*F6StsaFJAqoHXiGNAH9VJw.png" /><figcaption>Fig2: Shared VPC</figcaption></figure><p>From above Illustration, We can see that GKE which is a separate Customer project (AlloyDB is in separate customer project) is able to access the AlloyDB using Private IP (PSA) as we are using shared VPC network and Shared VPC network is Peered to Google Managed AlloyDB VPC network.</p><h4><strong>Scenario 3: Application and Cloud SQL in Different VPC Networks with VPC Peering</strong></h4><p>This is when you want to manage separate VPC networks for separate projects or may be multiple Shared VPC networks.</p><p>For example consider the diagram below</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*vCXHqR5GmzlItj9_uZ5tHw.png" /><figcaption>Fig 3 Separate customer VPC networks for Application and AlloyDB</figcaption></figure><p><strong>How would GKE in Customer GKE VPC connect to AlloyDB in AlloyDB VPC (PSA configured) ?</strong></p><p>The first solution that comes to mind to VPC Network peering.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*3vTqq8Mh8P4Tb1e_h3TdDA.png" /><figcaption>Fig 4 Transitive VPC Network Peering</figcaption></figure><p>Even If we peer Customer GKE VPC network to Customer AlloyDB VPC which is already peered to Google AlloyDB VPC through PSA, <strong>GKE pods using Customer GKE VPC network won’t be able to connect to AlloyDB Private IP because VPC Network Peering isn’t transitive</strong>.</p><p>In Such a setup (Fig4. ), you can use the following ways to connect your AlloyDB instance to multiple VPCs using private IP :</p><ul><li><a href="https://cloud.google.com/sql/docs/mysql/connect-multiple-vpcs#custom-route">Connect using custom route advertisements</a></li><li><a href="https://cloud.google.com/sql/docs/mysql/connect-multiple-vpcs#intermediate-proxy">Connect using an intermediate proxy (SOCKS5)</a> or Connect using a TCP proxy such as <a href="https://manpages.ubuntu.com/manpages/trusty/man1/simpleproxy.1.html">simpleproxy</a></li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/665/1*uz0NBlOxXS3LTy1EIbtgXQ.png" /><figcaption>Fig 5 TCP proxy on a VM hosted in Customer AlloyDB VPC</figcaption></figure><p>While setting up a proxy for PSC with AlloyDB is straightforward, managing a dedicated GCE VM within the customer’s AlloyDB project (VPC network) introduces additional operational overhead.</p><blockquote>You can’t use TCP Proxy if you intend to use AlloyDB Auth Proxy or language connectors for encryption and IAM authentication.</blockquote><h4>Scenario 4: Application and Cloud SQL in Different VPC Networks without VPC Peering</h4><p>This scenario is the main motivation for this post. PSC solves this challenge for us. PSC provides another connectivity option for AlloyDB users, with improvements on the legacy Service Networking (or PSA) framework, such as:</p><ul><li>Ability to make direct connections from multiple projects easily into AlloyDB resources, enabling new architectures.</li><li>Efficient use of IP address space, as a single IP address is required from a consumer VPC to connect to an AlloyDB instance. PSA requires a minimum of a /24 IP range.</li><li>More secure as consumer and producer VPCs are isolated, and only inbound connectivity to AlloyDB is allowed. PSA requires bidirectional connectivity between the consumer VPC and AlloyDB by default, which is a blocker for some customer use cases.</li></ul><p><strong>Private Service Connect (PSC) for AlloyDB</strong></p><p><a href="https://cloud.google.com/vpc/docs/private-service-connect">Private Service Connect</a> provides a powerful way to consume Google-managed services privately, even if they reside in a different project or network. PSC creates an internal DNS alias for your Cloud SQL instance. Your application can access it using this alias, and traffic is routed securely over Google’s private network.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/685/1*x6NJv3NHKO2mf97BZ-oeFA.png" /><figcaption>Fig6 Connect to AlloyDB using Private service connect</figcaption></figure><p>In Fig6, You can see resources from Customer GKE VPC network and Customer AlloyDB VPC network can connect to AlloyDB using a Private service connect endpoints (forwarding rules) in respective VPC networks. These forwarding rules use the service attachment which is created as part of Private service connect. We can whitelist projects where our applications or clients will reside, in the AlloyDB service attachment.</p><p>This doesn’t requires Private service Access setup in Customer AlloyDB Project. AlloyDB Instance can be created with either PSC or PSA enabled.</p><p>As of May 2024, both methods of private connectivity can’t be configured simultaneously. Same is true for CloudSQL as well. You can’t switch between PSC and PSA as of May 2024.</p><blockquote>You can also use <a href="https://cloud.google.com/alloydb/docs/configure-private-service-connect">Private service connect for AlloyDB</a> when Customer VPC networks don’t have PSA configured i.e. for all the above scenarios.</blockquote><p>You must create this endpoint in each customer VPC network where database access is needed.</p><p>Private Service Connect endpoints that are used to access services are regional resources. However, you can make an endpoint available in other regions by <a href="https://cloud.google.com/vpc/docs/manage-endpoints-published-services#enable-global-access">configuring global access</a>.</p><p><strong>Can you enable PSC for existing AlloyDB Instance?</strong></p><p>So if you have an existing AlloyDB Instance with PSA enabled and you have an application in a separate VPC which is not peered to Customer AlloyDB VPC network. And you want to connect to AlloyDB using private IP, what options you do have?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*vCXHqR5GmzlItj9_uZ5tHw.png" /><figcaption>Fig 7 (same as Fig3)</figcaption></figure><p>You may do what we did in Scenario 3 i.e. create VPC peering between Customer GKE VPC and Customer AlloyDB VPC and use TCP Proxy or use custom route advertisements. But there is an overhead of managing routes or GCE VM running proxy.</p><p>A solution like PSC enabled AlloyDB would be a good fit for such a scenario. As you can’t simply switch between PSA and PSC, you have below options:</p><ul><li>You can create a DMS job to migrate data between PSA enabled AlloyDB to PSC enabled AlloyDB. That means some extra work in setting up DMS and a small downtime as well.</li><li>You can export all you data and import into a new PSC enabled Instance and that means downtime.</li><li><strong>You can create a PSC endpoint for a Non-PSC (PSA enabled) AlloyDB Instance. That will require some work but you will be able to use both PSA and PSC endpoints to connect the you AlloyDB Instance.</strong></li></ul><h3>Create PSC endpoint for a Non-PSC (PSA enabled) AlloyDB Instance</h3><p>In this section, we will discuss what are the ways we can use to<strong> create a PSC endpoint for a PSA enabled AlloyDB Instance</strong>.</p><h4>Two Methods</h4><ul><li><strong>Method 1</strong>: Create a service attachment in Customer AlloyDB VPC network which already has PSA enabled. This service attachment will use a producer forwarding rule in Customer AlloyDB VPC network that has a “target instance” as backend and that target instance points to the VM where we have a TCP proxy or SOCKS Proxy running (Fig 8.). Create a forwarding rule in Customer GKE VPC network with service attachment in Customer AlloyDB VPC network as target. Applications deployed on GCE/GKE in Customer GKE VPC network can connect to AlloyDB Instance using the private IP assigned to outgoing fowarding rule.</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*kgYwDyuLFp8jyBz8ik4L6Q.png" /><figcaption>Fig 8 Service attachment with tcp proxy running on a VM</figcaption></figure><ul><li><strong>Method 2</strong>: Create a service attachment in Customer AlloyDB VPC network which already has PSA enabled. This service attachment will use a producer forwarding rule in Customer AlloyDB VPC network which has a backend service with Zonal hybrid network endpoint groups as targets. Zonal NEG has AlloyDB Private IP and port as endpoint. Create a forwarding rule in Customer GKE VPC network with service attachment in Customer AlloyDB VPC network as target. Applications deployed on GCE/GKE in Customer GKE VPC network can connect to AlloyDB Instance using the private IP assigned to outgoing fowarding rule.</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*pFwi78U_e74ckZSczhOMdg.png" /><figcaption>Fig 9 Service attachment connected to LB with zonal NEG as backend</figcaption></figure><p><strong>Method 2</strong> is a better option because</p><ul><li>It uses all the managed services rather than a Proxy running on VM.</li><li>You can use AlloyDB Auth proxy for encryption and IAM authentication</li></ul><h4>Assumptions before Implementation</h4><ul><li>You have a AlloyDB Cluster with primary Instance in Customer AlloyDB project which has PSA enabled</li><li>You have a customer AlloyDB project with customer AlloyDB VPC network and a Customer GKE/GCE project with Customer GKE/GCE VPC network</li><li>Your account has appropriate privileges to create and managed resources</li></ul><h4>Steps to implement Method 2</h4><ul><li>Read for environment variables</li></ul><pre><br>read -p "region : " REGION<br>read -p "projectid : " DB_PROJECT<br>read -p "GCE_SUBNET : " GCE_SUBNET<br>read -p "DB_VPC_NET : " DB_VPC_NET<br>read -p "CIDR_TCPNAT : " CIDR_TCPNAT<br>read -p "clientprojectid : " CLIENT_PROJECT<br>read -p "AlloyDB Cluster : " ADB_CLUSTER<br>read -p "AlloyDB Instance : " ADB_INSTANCE<br>read -p "CLIENT_VPC_NET : " CLIENT_VPC_NET<br>read -p "GCE_SUBNET_CLIENT : " GCE_SUBNET_CLIENT<br>read -p "Resrverip : " ADDR<br>read -p "PORT :" PORT</pre><p><em>DB_VPC_NET — Customer AlloyDB VPC Network name <br>DB_PROJECT — Customer AlloyDB VPC Project ID<br>GCE_SUBNET — Subnet in Customer AlloyDB VPC Network<br>CIDR_TCPNAT — CIDR for PSC subnet in Customer AlloyDB VPC Network<br>CLIENT_PROJECT — Customer GKE/GCE VPC Project ID<br>ADB_CLUSTER — AlloyDB Cluster name<br>ADB_INSTANCE — AlloyDB Instance<br>REGION — Region in which your AlloyDB Instance is created<br>CLIENT_VPC_NET — Customer GKE/GCE VPC Network name <br>GCE_SUBNET_CLIENT — Subnet in Customer AlloyDB VPC Network <br>ADDR — IP address to be used by outgoing Forwarding rule<br>PORT — PORT on which DB or Auth proxy is listening</em></p><ul><li>Authenticate and create a subnet for Private service connect in Customer AlloyDB VPC Network</li></ul><pre><br># Authenticate <br>gcloud auth login<br><br># Create a TCP NAT subnet.<br>gcloud compute networks subnets create dms-psc-nat-${REGION}-tcp \<br>--network=${DB_VPC_NET} \<br>--project=${DB_PROJECT} \<br>--region=${REGION} \<br>--range=${CIDR_TCPNAT} \<br>--purpose=private-service-connect</pre><ul><li>Create a Zonal Network endpoint group of Hybrid type and add an endpoint which is private IP of the AlloyDB Instance. Port can be either be AlloyDB port (5432) or AlloyDB Auth proxy port(5433).</li><li>For Cloud SQL ports would be different. Cloud SQL Auth Proxy uses 3307.</li></ul><pre>### create NEG<br>gcloud compute network-endpoint-groups create neg-$(date +%d%m%Y) --default-port=$PORT --network=${DB_VPC_NET} \<br>--network-endpoint-type=non-gcp-private-ip-port \<br>--project=${DB_PROJECT} \<br>--zone=${REGION}-a <br><br>### get private IP for AlloyDB or cloudSQL<br>DB_PRIVATE_IP=$(gcloud beta alloydb instances describe $ADB_INSTANCE --cluster=$ADB_CLUSTER --region=$REGION --format json --project=${DB_PROJECT} | jq .ipAddress|tr -d '"')<br><br>#neg endpoint<br>gcloud compute network-endpoint-groups update neg-$(date +%d%m%Y) \<br> --zone=${REGION}-a \<br>--add-endpoint="ip="${DB_PRIVATE_IP}",port="$PORT --project=${DB_PROJECT}</pre><ul><li>Configure the load balancer i.e. a backend service with Hybrid NEG as backend, TCP proxy, and regional health check for the backends.</li></ul><pre><br>### Health check probes for hybrid NEG backends originate from Envoy proxies in the proxy-only subnet.<br>gcloud compute health-checks create tcp lb-hc-$(date +%d%m%Y) \<br> --region=${REGION} \<br> --use-serving-port --project=${DB_PROJECT}<br><br>##### Create a backend service.<br><br>gcloud compute backend-services create bs-lb-$(date +%d%m%Y) \<br> --load-balancing-scheme=INTERNAL_MANAGED \<br> --protocol=TCP \<br> --region=${REGION} \<br> --health-checks=lb-hc-$(date +%d%m%Y) \<br> --health-checks-region=${REGION} --project=${DB_PROJECT}<br> <br> <br>## Add the hybrid NEG backend to the backend service.<br><br>gcloud compute backend-services add-backend bs-lb-$(date +%d%m%Y) \<br> --network-endpoint-group=neg-$(date +%d%m%Y) \<br> --network-endpoint-group-zone=${REGION}-a \<br> --region=${REGION} \<br> --balancing-mode=CONNECTION \<br> --max-connections=100 --project=${DB_PROJECT}<br> <br>### For MAX_CONNECTIONS, enter the maximum concurrent connections <br>### that the backend should handle.<br><br>###Create the target TCP proxy.<br><br>gcloud compute target-tcp-proxies create tcp-proxy-$(date +%d%m%Y) \<br> --backend-service=bs-lb-$(date +%d%m%Y) \<br> --region=${REGION} \<br> --project=${DB_PROJECT}<br><br></pre><ul><li>Create the forwarding rule which has target tcp proxy which we created in previous step. The forwarding rule only forwards packets with a matching destination port.</li></ul><pre>## create incoming forwarding rule which acts a frontend for LB<br>gcloud compute forwarding-rules create fr-psc-$(date +%d%m%Y) \<br> --load-balancing-scheme=INTERNAL_MANAGED \<br> --network=${DB_VPC_NET} \<br> --subnet=${GCE_SUBNET} \<br> --ports=$PORT \<br> --region=${REGION} \<br> --target-tcp-proxy=tcp-proxy-$(date +%d%m%Y) \<br> --target-tcp-proxy-region=${REGION} --project=${DB_PROJECT}</pre><ul><li>Create Service attachment in Customer AlloyDB VPC network which points to the forwarding rule we created in previous step. We whitelisted Customer AlloyDB VPC network and Customer GCE/GKE VPC network for the service attachment.</li></ul><pre># Create a service attachment.<br>gcloud compute service-attachments create dms-psc-svc-att-${REGION} \<br>--project=${DB_PROJECT} \<br>--region=${REGION} \<br>--producer-forwarding-rule=fr-psc-$(date +%d%m%Y) \<br>--connection-preference=ACCEPT_MANUAL \<br>--nat-subnets=dms-psc-nat-${REGION}-tcp \<br>--consumer-accept-list=${DB_PROJECT}=2000,${CLIENT_PROJECT}=2000</pre><ul><li>Create Firewall rule to allow ingress from service attachment subnet</li></ul><pre>gcloud compute \<br>--project=${DB_PROJECT} firewall-rules create fwr-dms-allow-psc-tcp \<br>--direction=INGRESS \<br>--priority=1000 \<br>--network=${DB_VPC_NET} \<br>--action=ALLOW \<br>--rules=all \<br>--source-ranges=${CIDR_TCPNAT} \<br>--enable-logging</pre><ul><li>Reserve an internal IP from GCE_SUBNET_CLIENT subnet. This will be used by forwarding rule. This IP will be used by client in Customer GCE/GKE VPC network to connect to AlloyDB.</li></ul><blockquote>If you want to use AlloyDB Auth proxy or language connector then this IP has to be same as PSA Private IP. That means you need to have a Subnet in Customer GCE VPC network with CIDR overlapping with part of your Private Service Access Allocated IP range in your Customer AlloyDB VPC network.</blockquote><pre>### Reserve a Private IP address<br>gcloud compute addresses create addr-$(date +%d%m%Y) \<br>--project=${CLIENT_PROJECT} \<br>--region=${REGION} \<br>--subnet=${GCE_SUBNET_CLIENT} \<br>--addresses=${ADDR}</pre><ul><li>Create a forwarding rule in Customer GCE/GKE VPC network with target as service attachment in Customer AlloyDB VPC network</li></ul><pre>## create PSC endpoint (forwarding rule)<br>gcloud compute forwarding-rules create fr-client-$(date +%d%m%Y) \<br>--address=addr-$(date +%d%m%Y) \<br>--project=${CLIENT_PROJECT} \<br>--region=${REGION} \<br>--network=${CLIENT_VPC_NET} \<br>--target-service-attachment=projects/${DB_PROJECT}/regions/${REGION}/serviceAttachments/dms-psc-svc-att-${REGION}</pre><ul><li>To test connectivity, Create a GCE VM in Customer GCE/GKE project using GCE_SUBNET_CLIENT of Customer GCE/GKE VPC network. Install postgresql-client</li></ul><pre>## create a Client VM <br>gcloud compute instances create instance-$(date +%d%m%Y) \<br> --project=${CLIENT_PROJECT} \<br> --zone=${REGION}-a \<br> --image-family=debian-12 \<br> --image-project=debian-cloud \<br> --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=${GCE_SUBNET_CLIENT} \<br> --metadata=startup-script='#! /bin/bash<br>apt-get install postgresql-client wget -y<br>wget https://storage.googleapis.com/alloydb-auth-proxy/v1.7.1/alloydb-auth-proxy.linux.amd64 -O alloydb-auth-proxy<br>chmod +x alloydb-auth-proxy<br>'</pre><ul><li>On the GCE VM in Customer GKE/GCE VPC network</li></ul><pre>### If Using AlloyDB Auth Proxy<br>gcloud beta alloydb instances describe alloydb-ins-primary-$(date +%d%m%Y) --project=${DB_PROJECT} --cluster=alloydb-cls-001 --region=${REGION} --format json | jq .name<br><br>./alloydb-auth-proxy INST_URI </pre><ul><li>If you are configuring for Cloud SQL, <a href="https://cloud.google.com/sql/docs/postgres/connect-auth-proxy#start-proxy">use this public document to start Cloud SQL Auth Proxy</a>.</li><li>On the GCE VM in Customer GKE/GCE VPC network</li></ul><pre>### If using AlloyDB Auth Proxy<br>psql -h 127.0.0.1 -U postgres postgres<br><br>### If using Private IP<br>psql -h <Private IP of forwarding rule in Customer GCE/GKE VPC network> -U postgres postgres</pre><p>This method works well. I have tested this multiple times.</p><p>Performance testing is advised before production deployment.</p><h3>Other notable key points</h3><ul><li>Prefer managed PSC enabled AlloyDB over such a manual solution</li><li>NEG used are hybrid zonal NEG, so in case of a failover you have to add new zonal NEG to backend service of load balancer.</li><li>You can use DMS service to migrate a PSA enabled AlloyDB to PSC AlloyDB.</li></ul><h3>References</h3><ul><li><a href="https://cloud.google.com/alloydb/docs/connect-external">Connect to a cluster from outside its VPC | AlloyDB for PostgreSQL | Google Cloud</a></li><li><a href="https://cloud.google.com/sql/docs/mysql/connect-multiple-vpcs">Connect your instance to multiple VPCs | Cloud SQL for MySQL | Google Cloud</a></li><li><a href="https://cloud.google.com/sql/docs/mysql/configure-private-service-connect">Connect to an instance using Private Service Connect | Cloud SQL for MySQL | Google Cloud</a></li></ul><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=3f8eeed51d2a" width="1" height="1" alt=""><hr><p><a href="https://medium.com/google-cloud/connect-to-non-psc-alloydb-or-non-psc-cloud-sql-from-a-different-vpc-3f8eeed51d2a">Connect to Non-PSC AlloyDB or Non-PSC Cloud SQL from a different VPC</a> was originally published in <a href="https://medium.com/google-cloud">Google Cloud - Community</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>'
Language
Active
Ricc internal notes
Imported via /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/import-feedjira.rb on 2024-05-14 06:31:41 +0200. Content is EMPTY here. Entried: title,url,author,categories,published,entry_id,content. TODO add Newspaper: filename = /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/../../../crawler/out/feedjira/Blogs/Google Cloud - Medium/2024-05-14-Connect_to_Non-PSC_AlloyDB_or_Non-PSC_Cloud_SQL_from_a_different-v2.yaml
Ricc source
Show this article
Back to articles