Overview
In this section, you learn how to create a private connectivity configuration. This type of configuration contains information that Datastream uses to communicate with a data source over a private network (internally within Google Cloud, or with external sources connected over VPN or Interconnect). This communication happens through a Virtual Private Cloud (VPC) peering connection.
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using internal, private IPv4 addresses. You have a private connectivity-based solution to connect to your source database.
Before you begin
Before you create a private connectivity configuration, make sure that you:
- Have a VPC network that can peer to Datastream's private network and that doesn't have restrictions on it. For more information on creating this network, see Using VPC Network Peering.
- Have an available IP range (with a CIDR block of /29) on the VPC network. This can't be an IP range that already exists as a subnet, a Private Service Connection pre-allocated IP range, or any sort of pre-allocated route IP range. Datastream uses this IP range to create a subnet so that it can communicate with the source database. The following table describes valid IP ranges.
Range | Description |
---|---|
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
|
Private IP addresses RFC 1918 |
100.64.0.0/10 |
Shared address space RFC 6598 |
192.0.0.0/24 |
IETF protocol assignments RFC 6890 |
192.0.2.0/24 (TEST-NET-1)198.51.100.0/24 (TEST-NET-2)203.0.113.0/24 (TEST-NET-3) |
Documentation RFC 5737 |
192.88.99.0/24 |
IPv6 to IPv4 relay (deprecated) RFC 7526 |
198.18.0.0/15 |
Benchmark testing RFC 2544 |
- Verify that the Google Cloud Platform and/or on-premises firewall allows traffic from the selected IP range.
- If you're using a reverse proxy, verify that you allow ingress traffic from the proxy VM in your VPC network. If you don't, then create an ingress firewall rule that allows traffic on the source database port, and make sure that the IPv4 ranges in the firewall rule are the same as the IP address range allocated when creating the private connectivity resource. You might also need to create an identical egress firewall rule to allow traffic back to Datastream.
- Are assigned to a role that contains the
compute.networks.list
permission. This permission gives you the required IAM permissions to list VPC networks in your project. You can find which roles contain this permission by clicking here.
If you're using a Shared VPC, then you must complete the following actions:
On the service project:
- Enable the Datastream API.
Obtain the email address used for the Datastream service account. Datastream service accounts are created when you perform one of the following:
- You create a Datastream resource, such as a connection profile or a stream.
- You create a private connectivity configuration, select your shared VPC and click Create Datastream Service Account. The service account is created in the host project.
To obtain the email address used for the Datastream service account, find the Project number in the Google Cloud console home page. The email address of the service account is
service-[project_number]@gcp-sa-datastream.iam.gserviceaccount.com
.
On the host project:
- Grant the
COMPUTE.NETWORKADMIN
Identity and Access Management (IAM) role permission to Datastream's service account.
- Grant the
Create the configuration
Review the required prerequisites to reflect how the environment must be prepared for a private connectivity configuration. For more information about these prerequisites, see Before you begin.
Go to the Private connectivity configurations page in the Google Cloud Console.
Click CREATE CONFIGURATION.
Use the following table to populate the fields of the Configure private connectivity section of the Create private connectivity configuration page:
Field Description Configuration name Enter the display name of the private connectivity configuration. Configuration ID Datastream populates this field automatically based on the configuration name that you enter. You can keep the ID that's auto-generated or change it. Region Select the region where the private connectivity configuration is stored. Private connectivity configurations are saved in a region. Region selection can impact availability if the region experiences downtime.
Use the following table to populate the fields of the Set up connection section of the Create private connectivity configuration page:
Field Description Authorized VPC network Select the VPC network that you created in Before you begin. Allocate an IP range Enter an available IP range on the VPC network. You determined this IP range in Before you begin. Click CREATE.
After creating a private connectivity configuration, you can view high-level and detailed information about it.