Setting up GCP Private Service Connect

Google Private Service Connect (PSC) is a Google Cloud service that enables secure and private connectivity between Virtual Private Clouds (VPCs) and third-party services. By using PSC with MariaDB Cloud services, traffic does not traverse the public internet, which enhances security and reduces exposure to potential threats.

For detailed information about Google PSC, see "Private Service Connect" (Google documentation).

Considerations

PSC is used for private connections within the same Google Cloud region. The MariaDB Cloud service and the connection VPC must be in the same region.
When using MariaDB Cloud with PSC, all connections occur through private endpoints. If you need to connect to the service from outside your VPC, you will need to use a VPN or other mechanism to go through the connected VPC. Alternatively, MariaDB Cloud can be configured to provide a second, public endpoint for an additional fee.
A list of Google Cloud project IDs that will be allowed to connect to the MariaDB Cloud service must be provided when enabling PSC. This list can be updated at any time.
The MariaDB Cloud IP Allowlist is not used with PSC connections. Access to the MariaDB Cloud service can be controlled by setting up firewall rules inside the connecting VPC.
Connections to MariaDB Cloud services by features such as MariaDB Cloud backups, and monitoring do not depend on PSC.
Query Editor is not supported when PSC is enabled.
PSC has connection limits which refer to the number of endpoints that can be created to a single PSC service within Google Cloud. Database connection limits are independent from PSC connection limits. The limit for PSC connections is 10.

Enable Private Service Connect on Service Launch

Enable Google PSC via the MariaDB Cloud Portal

To enable PSC when launching a new service via the MariaDB Cloud Portal select the 'Google Private Service Connect' option in the 'Security' section. After the service completes provisioning, you will see a new option to "Manage Google Private Service Connect" in the service's context menu. Click this option to add one or more Google project IDs to the allowlist.

Enable Google PSC via the MariaDB Cloud DBaaS API

To enable Google PSC when launching a new service via the MariaDB Cloud DBaaS API, add the endpoint_mechanism and endpoint_allowed_accounts attributes to service creation JSON payload.

{
  "name": "my-skysql-service",
  ...
  "endpoint_mechanism": "privateconnect",
  "allowed_accounts": [
    "GCP-PROJECT-ID-1",
    "GCP-PROJECT-ID-2"
  ]
}

The endpoint_mechanism field must be set to privateconnect
The endpoint_allowed_accounts field must be set to a JSON array of one or more client project IDs in Google Cloud that will be allowed to establish a private connection to the MariaDB Cloud service.

For more information on using the MariaDB Cloud DBaaS API, see "MariaDB Cloud DBaaS API".

Enable Google PSC via the MariaDB Cloud Terraform Provider

To enable Google PSC when launching a new service via the MariaDB Cloud DBaaS API, set the endpoint_mechanism and endpoint_allowed_accounts attributes on the skysql_service resource.

resource "skysql_service" "example" {
  name                      = "my-skysql-service"
  ...
  endpoint_mechanism        = "privateconnect"
  endpoint_allowed_accounts = ["GCP-PROJECT-ID-1", "GCP-PROJECT-ID-2"]
}

The endpoint_mechanism field must be set to privateconnect
The endpoint_allowed_accounts field must be set to a list of one or more customer project IDs in Google Cloud that will be allowed to establish a private connection to the MariaDB Cloud service.

A complete example Terraform template that creates a new MariaDB Cloud service with Google PSC enabled can be found in the terraform provider examples.

For more information on using the MariaDB Cloud Terraform Provider, see "MariaDB Cloud Terraform Provider".

For the next step, see the PSC Endpoint Setup section on this page.

Enable Google PSC on an Existing MariaDB Cloud Service

[!CAUTION] Enabling PSC on an existing service will cause all existing connections to be dropped. The service will be unavailable for a short period of time while the public endpoint is replaced with the new PSC endpoint.

Enable Google PSC on an existing service via the MariaDB Cloud Portal:

Log in to the MariaDB Cloud Portal
Click the "MANAGE" button (on the right) for the desired service.
In the context menu, choose the "Set up Google Private Service Connect" menu item.
In the popup window, add one or more GCP project IDs.
Click the "OK" button to confirm this operation.

Enable Google PSC on an existing service via the MariaDB Cloud DBaaS API:

To enable Google PSC on an existing service, you will need to update the service endpoints with a payload similar to the following:

[
  {
    "mechanism": "privateconnect",
    "allowed_accounts": [
      "GOOGLE-PROJECT-ID-1",
      "GOOGLE-PROJECT-ID-2"
    ]
  }
]

This payload should then be sent to the API PATCH https://api.skysql.com/provisioning/v1/services/{SERVICE_ID}/endpoints where {SERVICE_ID} is the ID of the service you are updating. For more information on using the MariaDB Cloud DBaaS API, see "MariaDB Cloud DBaaS API".

For the next step, see the PSC Endpoint Setup section on this page.

Private Service Connect Endpoint Setup

To connect to a MariaDB Cloud service using Google PSC, you must create an endpoint in your VPC that connects to the MariaDB Cloud service. The endpoint will be used by clients in your VPC to connect to the MariaDB Cloud service.

Pre-requisites

You must have a VPC in the same region as the MariaDB Cloud service.
You will need to lookup the Endpoint Service ID that MariaDB Cloud provisioned for you when you created your MariaDB Cloud Service.
- This ID can be found in the "Connect" window of the MariaDB Cloud portal.
- If using the MariaDB Cloud DBaaS API, the ID can be found in the response of the service details API call.
```
curl https://api.skysql.com/provisioning/v1/services/{SERVICE_ID} | jq ".endpoints[0].endpoint_service"
```

Create a Subnet

This step is optional.

We recommend use of a subnet dedicated to Private Service Connect endpoints in the same VPC where the application is running.

In the GCP console, navigate VPC network → VPC networks → → SUBNETS → ADD SUBNET.
- Replace with the name of the VPC where the application is running.
Configure the subnet:
- Name
- Region: select the same region as the one where the application runs
- Purpose: None
- IP address range: Set a CIDR block that doesn't overlap with the CIDR blocks of the existing subnets in the same VPC.
- Optionally configure Private Google Access
- Optionally configure Flow logs
- Click "ADD".

Create a Static Internal IP Address

In the GCP console, navigate VPC network → VPC networks → → STATIC INTERNAL IP ADDRESSES → RESERVE STATIC ADDRESS.
- Replace with the name of the VPC where the application is running.
Configure the static internal IP address:
- Name: set to the Database ID (dbxxxxxxxx) from MariaDB Cloud.
- Subnet: select the subnet where to reserve the static IP address.
- Static IP address: optionally choose the address.
- Purpose: Non-shared
- Click "RESERVE".

VPC Endpoint Creation Steps

In the GCP console, navigate Network services → Private Service Connect → CONNECTED ENDPOINTS → CONNECT ENDPOINT.
Configure the endpoint connection:
- Target: Published service
- Target service: the value of the Endpoint Service ID. See Pre-requisites for more information on how to find this ID.
- Endpoint name: set to the Database ID from MariaDB Cloud (dbxxxxxxxx)
- Network: select the VPC network where the application is running
- Subnetwork: select the subnet where the static internal IP address is reserved
- IP address: select the reserved internal IP address from the prior step
- Click "ADD ENDPOINT".

After creation, the Endpoint should have a status of Accepted. If this status is not present, please ensure your Google Project ID is added to the list of allowed accounts in the MariaDB Cloud portal for this service.

Connecting to MariaDB Cloud Service

After creating your PSC endpoint, your service should be available within your VPC at the Private IP Address you assigned to the endpoint.

DNS propagation from MariaDB Cloud to the Private IP address is not supported when using PSC.
The hostname when connecting to your MariaDB Cloud service should always be the Private IP address of the PSC endpoint.

When using PSC with SSL/TLS, there will be a hostname mismatch since the hostname provisioned by MariaDB Cloud will not match your internal IP Address. This can be ignored as the connection is still secure.

Disabling Google PSC

Disabling PSC on an existing service will cause all existing connections to be dropped. The service will be unavailable for a short period of time while the private endpoint is replaced with the new public endpoint.

Disable Google PSC via the MariaDB Cloud Portal

Visit the MariaDB Cloud Portal
Find the service that you would like to modify.
Click "MANAGE" on the far right side of the service listing.
In the context menu, select "Manage your Private Service Connect".
In the popup window, click "I want to disconnect my Private Service Connect".
In the popup window, select "Disconnect".
Since the service's allowlist was cleared when Goolge PSC was previously enabled, you will need to update the allowlist to allow clients to connect after disabling PSC.

Disable Google PSC via the MariaDB Cloud DBaaS API

To disable Google PSC on an existing service, you will need to update the service endpoints with a payload similar to the following:

[
  {
    "mechanism": "nlb"
  }
]

PreviousSetting up AWS Private Link NextSetting up Azure Private Link

Last updated 2 hours ago

Was this helpful?