# Configure Private Service Connect interfaces

Datastream uses Private Service Connect interfaces to let you replicate data in a way that keeps the traffic entirely within Google Cloud.

A Private Service Connect interface is a resource that lets a *producer* Virtual Private Cloud (VPC) network initiate connections to and receive connections from a *network attachment* in a *consumer* VPC network. Producer and consumer networks can be in different projects and organizations.

![Figure 1](/static/datastream/docs/images/psc-overview-interface-overview.svg)

**Figure 1.** Private Service Connect interfaces let service producers initiate connections to service consumers.

For key term definitions, see the section that follows.

For more information about Private Service Connect, see the [Virtual Private Cloud documentation](/vpc/docs/private-service-connect).

Key terms
---------

This section provides an overview of key terms and concepts that apply to Private Service Connect.

- **Producer**: an entity, typically a service or a VM within a VPC network, that initiates the connection to the consumer network. The producer delivers the service: in the Datastream context, it fetches and replicates data to a destination.

- **Consumer**: an entity, typically a VM within a VPC network, that receives the connection from the producer. When the consumer accepts the connection, Google Cloud allocates the Private Service Connect interface an IP address from a subnet in the consumer VPC network that's specified by the network attachment. The VM of the Private Service Connect interface has a second network interface that connects to the producer's VPC network.

- **Network attachment**: a regional resource that lets a producer VPC network initiate connections to a consumer VPC network through a Private Service Connect interface. In the consumer VPC network, the network attachment acts as a designated entry point for connections from Private Service Connect interfaces in the producer network. When a Private Service Connect interface is established on a network attachment, the producer VM is assigned an IP address from the subnet of the network attachment. The virtual machine instance of the Private Service Connect interface has at least one more regular network interface that connects to a producer subnet. For more information, see [About network attachments](/vpc/docs/about-network-attachments).

- **Producer project**: a Google-owned project where the virtual machines (VMs) running Datastream are hosted. To access resources in the customer VPC, the Datastream VMs use the IP address that the Private Service Connect network interface assigns from its subnet.

Private Service Connect prerequisites
-------------------------------------

Before you create a private connectivity configuration using a Private Service Connect interface, you need to take the following steps so that Datastream can establish a connection to your project:

- Have a VPC network that you can connect to the Datastream private network. For more information about creating a VPC network, see [Create and manage VPC networks](/vpc/docs/create-modify-vpc-networks).

- Create a [network attachment](/vpc/docs/create-manage-network-attachments#create-manual-accept) in your VPC project.

- Verify that Google Cloud and the on-premises firewall allow traffic from the network attachment IP address range to the source database from which you want to stream data.

Pricing
-------

Data ingress and egress through Private Service Connect is charged. For more information, see the [Private Service Connect pricing](/vpc/network-pricing#psc-network-attachment).

Required roles and permissions
------------------------------

To get the permissions that you need to create a network attachment, ask your administrator to grant you the following Identity and Access Management (IAM) role on your project:

- Create, view, and delete network attachments: [Compute Network Admin](/compute/docs/access/iam#compute.networkAdmin) (`roles/compute.networkAdmin`)

If your network attachment is in a different project than Datastream, then you need to grant the following role to the `service-DATASTREAM-PROJECT-NUMBER@gcp-sa-datastream.iam.gserviceaccount.com` service account:

- Read-only access to networking resources: [Compute Network Viewer](/compute/docs/access/iam#compute.networkViewer) (`roles/compute.networkViewer`)

  Grant the role on the project where your network attachment is, and replace `DATASTREAM-PROJECT-NUMBER` with the number of the project where Datastream is deployed.

For more information about granting roles, see [Manage access](/iam/docs/granting-changing-revoking-access).

You might also be able to get the required permissions through [custom roles](/iam/docs/creating-custom-roles) or other [predefined roles](/iam/docs/understanding-roles).

For more information about access control options in Datastream, see [Access control with IAM](/data-fusion/docs/access-control).

Configure Private Service Connect
---------------------------------

To let Datastream establish outbound connectivity to your network using a Private Service Connect interface:

1. Create a network attachment in your project.
2. Create a private connectivity configuration.

### Create a network attachment

To configure Private Service Connect in Datastream, you must first create a network attachment.

### Console

1. In the Google Cloud console, go to the **Network attachments** page:

   [Go to Network attachments](https://console.cloud.google.com/net-services/psc/list/networkAttachments)

2. Click **Create network attachment**.

3. In the **Name** field, enter a name for your network attachment.

4. From the **Network** list, select a VPC or a Shared VPC network.

5. From the **Region** list, select a Google Cloud region. This region must be the same as the region used for the subnet of the VPC network peered to the Datastream private network. For more information, see [Private Service Connect prerequisites](#psci-prereqs).

6. From the **Subnetwork** list, select a subnetwork range.

7. In **Connection preference**, select **Accept connections for selected projects**.

   Datastream automatically adds the producer project to the **Accepted projects** list when you create the Datastream private connectivity resource.

   > **Caution:** The option **Automatically accept connections for all projects** is less secure because it allows any service to obtain IP addresses from your subnet. We don't recommend using this option.

8. Don't add **Accepted projects** or **Rejected projects**.

9. Click **Create network attachment**.

### gcloud

1. Create one or more subnetworks. For example:

       gcloud compute networks subnets create subnet-1 --network=network-0 --range=10.10.1.0/24 --region=REGION

   The network attachment uses these subnetworks in the subsequent steps.

2. Create a network attachment resource in the same region as the Datastream project, with the `connection-preference` property set to `ACCEPT_MANUAL`:

       gcloud compute network-attachments create NAME \
           --region=REGION \
           --connection-preference=ACCEPT_MANUAL \
           --subnets=SUBNET

   Replace the following:

   - `NAME`: the name for your network attachment.
   - `REGION`: the name of the Google Cloud region. This region must be the same as the region of the Datastream private network.
   - `SUBNET`: the name of the subnet.

   The output of this command is a network attachment URL of the following format:

       projects/PROJECT/locations/REGION/network-attachments/NETWORK_ATTACHMENT_ID

   Make a note of this URL, because Datastream needs it for connectivity. For information about how to create a Private Service Connect interface private connectivity configuration using Google Cloud, see [Manage private connectivity configurations](/datastream/docs/manage-private-connectivity-configurations#create-a-private-connectivity-configuration).

   > **Caution:** Specifying `connection-preference` as `ACCEPT_AUTOMATIC` is less secure because it allows any service to obtain IP addresses from your subnet. We don't recommend using this option.

### Create a private connectivity configuration

After you create a network attachment in your Google Cloud project, you need to set up your private connectivity configuration using Private Service Connect interfaces. When you create the configuration, you allowlist the project that hosts the Private Service Connect interface. You then provide the network attachment URL to Datastream as part of the Private Service Connect resource.

For more information, see [Create a private connectivity configuration](/datastream/docs/create-a-private-connectivity-configuration#create-the-configuration).

What's next
-----------

- Learn how to [view your private connectivity configuration](/datastream/docs/view-a-private-connectivity-configuration).
- Find out how to [delete a private connectivity configuration](/datastream/docs/delete-a-private-connectivity-configuration).

Last updated 2025-09-04 UTC.
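The following pre-flight audit is an added example, not code from the Datastream documentation or from Google. It covers both the network attachment created in the gcloud steps and the cross-project role requirement from the "Required roles and permissions" section: it rejects an `ACCEPT_AUTOMATIC` attachment (the caution above), checks that the attachment's region matches the Datastream region and that a subnet is present, derives the `projects/PROJECT/locations/REGION/network-attachments/ID` URL that Datastream expects, and, when the attachment lives in a different project, verifies that the `service-DATASTREAM-PROJECT-NUMBER@gcp-sa-datastream.iam.gserviceaccount.com` agent holds `roles/compute.networkViewer` there. The input dicts are assumed to be shaped like the JSON output of `gcloud compute network-attachments describe NAME --region=REGION --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`; the field names used (`connectionPreference`, `region`, `subnetworks`, `selfLink`, `bindings`) are assumptions about those outputs, and the sample resources are constructed.

```python
"""Pre-flight audit of a consumer network attachment before its URL is handed to
Datastream. Added example, not part of the Datastream documentation. The input
shapes (describe and get-iam-policy JSON) and their field names are assumptions."""
import re

# Assumed selfLink shape of a Compute Engine network attachment.
SELF_LINK_RE = re.compile(
    r"^https://www\.googleapis\.com/compute/v1/projects/(?P<project>[^/]+)"
    r"/regions/(?P<region>[^/]+)/networkAttachments/(?P<name>[^/]+)$"
)
NETWORK_VIEWER = "roles/compute.networkViewer"


def datastream_service_agent(datastream_project_number):
    """IAM member string of the Datastream service agent named on the page."""
    return (f"serviceAccount:service-{datastream_project_number}"
            "@gcp-sa-datastream.iam.gserviceaccount.com")


def datastream_attachment_url(attachment):
    """Rewrite the Compute Engine selfLink into the URL form Datastream expects:
    projects/PROJECT/locations/REGION/network-attachments/ID."""
    m = SELF_LINK_RE.match(attachment["selfLink"])
    if m is None:
        raise ValueError(f"unrecognized selfLink: {attachment['selfLink']!r}")
    return (f"projects/{m['project']}/locations/{m['region']}"
            f"/network-attachments/{m['name']}")


def has_role(policy, member, role):
    """True if `member` appears in a binding for `role` (IAM conditions ignored)."""
    return any(role == b.get("role") and member in b.get("members", [])
               for b in policy.get("bindings", []))


def audit_network_attachment(attachment, datastream_project_id,
                             datastream_project_number, datastream_region,
                             attachment_project_iam_policy=None):
    """Return a list of findings; an empty list means the attachment is ready."""
    findings = []
    m = SELF_LINK_RE.match(attachment.get("selfLink", ""))
    if m is None:
        return ["selfLink missing or unrecognized; cannot derive the attachment URL"]

    # 1. Connection preference: ACCEPT_AUTOMATIC lets any producer take IPs from the subnet.
    pref = attachment.get("connectionPreference")
    if pref == "ACCEPT_AUTOMATIC":
        findings.append("connectionPreference is ACCEPT_AUTOMATIC: any producer can "
                        "obtain IP addresses from your subnet; use ACCEPT_MANUAL")
    elif pref != "ACCEPT_MANUAL":
        findings.append(f"unexpected connectionPreference {pref!r}; expected ACCEPT_MANUAL")

    # 2. The attachment must sit in the same region as the Datastream private network.
    if m["region"] != datastream_region:
        findings.append(f"attachment region {m['region']} differs from Datastream "
                        f"region {datastream_region}")

    # 3. Datastream's interface draws its IP address from the attachment's subnet.
    if not attachment.get("subnetworks"):
        findings.append("no subnetwork on the attachment; no IP address can be allocated")

    # 4. Cross-project attachment: the Datastream service agent needs
    #    roles/compute.networkViewer on the project that owns the attachment.
    if m["project"] != datastream_project_id:
        agent = datastream_service_agent(datastream_project_number)
        if attachment_project_iam_policy is None:
            findings.append(f"attachment is in project {m['project']}; supply its IAM "
                            f"policy to verify {agent} has {NETWORK_VIEWER}")
        elif not has_role(attachment_project_iam_policy, agent, NETWORK_VIEWER):
            findings.append(f"{agent} lacks {NETWORK_VIEWER} on project {m['project']}")
    return findings


# Constructed sample inputs (not real resources) mirroring the assumed gcloud JSON shapes.
SAMPLE_ATTACHMENT = {
    "name": "ds-attachment",
    "region": "https://www.googleapis.com/compute/v1/projects/consumer-proj/regions/us-central1",
    "connectionPreference": "ACCEPT_MANUAL",
    "subnetworks": ["https://www.googleapis.com/compute/v1/projects/consumer-proj"
                    "/regions/us-central1/subnetworks/subnet-1"],
    "selfLink": "https://www.googleapis.com/compute/v1/projects/consumer-proj"
                "/regions/us-central1/networkAttachments/ds-attachment",
}
SAMPLE_POLICY = {"bindings": [{
    "role": NETWORK_VIEWER,
    "members": [datastream_service_agent("123456789012")],
}]}

if __name__ == "__main__":
    print(datastream_attachment_url(SAMPLE_ATTACHMENT))
    for finding in audit_network_attachment(SAMPLE_ATTACHMENT, "datastream-proj",
                                            "123456789012", "us-central1", SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run it against the real `describe` and `get-iam-policy` output by loading those JSON documents and passing them in place of the constructed samples; an empty findings list is the go-ahead to paste the derived URL into the private connectivity configuration. The role check is deliberately literal (it looks for `roles/compute.networkViewer` only, ignoring IAM conditions and broader roles), so a finding there means "confirm manually", not necessarily "misconfigured".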