BYOC GCP private networking setup
ClickHouse BYOC on GCP supports two private connection options: VPC Peering and PSC (Private Service Connect).
Prerequisites
The following step is required for both VPC peering and PSC:
- Enable the private load balancer for ClickHouse BYOC.
Set up VPC peering
Please familiarize yourself with the GCP VPC peering feature and note its limitations (for example, subnet IP ranges cannot overlap across peered VPC networks). ClickHouse BYOC uses a private load balancer to expose ClickHouse services over the peering connection.
To create or delete VPC peering for ClickHouse BYOC, follow these steps.
The example steps cover a simple scenario; advanced scenarios, such as peering with on-premises connectivity, may require some adjustments.
Create a peering connection
In this example, we are setting up peering between the BYOC VPC network and another existing VPC network.
- Navigate to "VPC Network" in the ClickHouse BYOC Google Cloud project.
- Select "VPC network peering".
- Click "Create connection".
- Fill in the required fields for your setup. Below is a screenshot of creating a peering within the same GCP project.
GCP VPC peering requires two connections between the two networks (a connection from the BYOC network to the existing VPC network and a connection from the existing VPC network to the BYOC network), so you also need to create one more connection in the reverse direction. Below is a screenshot of the second peering connection being created:
After both connections are created and the Google Cloud Console page is refreshed, the status of both connections should show "Active":
The ClickHouse service should now be accessible from the peered VPC.
Access ClickHouse service via peering connection
To access ClickHouse privately, a private load balancer and endpoint are provisioned for secure connectivity from your peered VPC. The private endpoint follows the public endpoint format, with a -private suffix appended to the first hostname label. For example:
- Public endpoint: h5ju65kv87.mhp0y4dmph.us-east1.gcp.byoc.clickhouse.cloud
- Private endpoint: h5ju65kv87-private.mhp0y4dmph.us-east1.gcp.byoc.clickhouse.cloud
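The peering procedure above, as an added example that is not part of the ClickHouse documentation or tooling: a Python script that checks the two networks' subnet ranges for the overlap GCP rejects, issues the two gcloud peering commands (one per direction, since a single connection is not enough), and derives the -private endpoint name from the public one. The project, network and subnet values are constructed placeholders, and the peering names byoc-to-peer and peer-to-byoc are assumptions. With dry_run=True the functions only return the commands they would run; with dry_run=False they execute them through an authenticated gcloud.

```python
"""Added example (not ClickHouse's own tooling): pre-flight overlap check,
creation of both halves of a GCP VPC peering, and derivation of the
-private endpoint hostname. Project/network/subnet values are placeholders."""
import ipaddress
import shlex
import subprocess


def find_overlaps(byoc_cidrs, peer_cidrs):
    """Return (byoc, peer) CIDR pairs that overlap.
    GCP refuses a peering whose subnet IP ranges overlap, so check before creating it."""
    overlaps = []
    for a in byoc_cidrs:
        for b in peer_cidrs:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                overlaps.append((a, b))
    return overlaps


def gcloud(args, dry_run=False):
    """Run a gcloud command, or only return it as a shell string when dry_run is set."""
    cmd = ["gcloud", *args]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return shlex.join(cmd)


def create_peering_pair(byoc_project, byoc_network, peer_project, peer_network, dry_run=False):
    """Create the two peering connections GCP needs: BYOC -> peer and peer -> BYOC.
    Peering names are assumptions; any valid names work."""
    forward = gcloud([
        "compute", "networks", "peerings", "create", "byoc-to-peer",
        f"--project={byoc_project}", f"--network={byoc_network}",
        f"--peer-project={peer_project}", f"--peer-network={peer_network}",
    ], dry_run)
    reverse = gcloud([
        "compute", "networks", "peerings", "create", "peer-to-byoc",
        f"--project={peer_project}", f"--network={peer_network}",
        f"--peer-project={byoc_project}", f"--peer-network={byoc_network}",
    ], dry_run)
    return [forward, reverse]


def private_endpoint(public_endpoint):
    """Derive the private endpoint: '-private' is appended to the first label only."""
    first, rest = public_endpoint.split(".", 1)
    return f"{first}-private.{rest}"


if __name__ == "__main__":
    # Constructed sample subnets: the second app subnet sits inside the BYOC range.
    byoc_subnets = ["10.10.0.0/16"]
    app_subnets = ["10.20.0.0/16", "10.10.128.0/20"]
    clashes = find_overlaps(byoc_subnets, app_subnets)
    print("overlapping ranges that would make the peering fail:", clashes)

    # Re-run with a clean peer network and show the two commands (dry run).
    if not find_overlaps(byoc_subnets, ["10.20.0.0/16"]):
        for line in create_peering_pair("byoc-project", "byoc-vpc",
                                        "app-project", "app-vpc", dry_run=True):
            print(line)
    print(private_endpoint("h5ju65kv87.mhp0y4dmph.us-east1.gcp.byoc.clickhouse.cloud"))
```

Run the overlap check against the real subnet lists of both networks (for example the output of `gcloud compute networks subnets list --format='value(ipCidrRange)'` for each project) before creating the peering; an overlap is the most common reason the second connection never reaches "Active".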
Set up PSC (Private Service Connect)
GCP PSC (Private Service Connect) provides a secure and private connection to your ClickHouse BYOC services without the need for VPC peering or internet gateways. All traffic flows within the GCP network, ensuring that it never traverses the public internet.
Enable private link in the ClickHouse console
Make sure the private load balancer is turned on first (see Prerequisites).
Obtain endpoint "Service name"
- Open your BYOC GCP console (the GCP project where the BYOC infrastructure is created) → Network Services → Private Service Connect → Published services.
- Find the service whose name starts with "clickhouse-cloud-infra" and open its details page. Take note of its "Service name"; you'll need it in the next step.
Create endpoint in your network
- Open your own GCP console (the GCP project where your client application runs) → Network Services → Private Service Connect → Connected Endpoints.
- Click the "Connect Endpoint" button to open the Private Service Connect creation dialog.
- Fill in the following fields:
  - Target: "Published service"
  - Target service: the "Service name" obtained in the previous step
  - Endpoint name: a valid endpoint name
  - Network/Subnetwork: the network your client application will connect from
  - IP address: choose or create an IP address for the endpoint; you will point DNS at this address in the "Set private DNS name for endpoint" step
  - (optional) Enable global access: enable it if clients in other regions need to reach the endpoint
- Click the "ADD ENDPOINT" button to create the endpoint.
- The Status column changes from "Pending" to "Accepted" once the connection is approved.
- After the endpoint is created, take note of the "PSC Connection ID" value. You'll need it in the next step.
Add "Endpoint ID" to ClickHouse service allow list
- In the ClickHouse Cloud console, navigate to the Settings page of the service you want to connect to via PSC.
- Click "Set up private endpoint".
- In the flyout that opens, enter the "PSC Connection ID" noted in the previous step as the Endpoint ID, with an optional description.
- Click "Create endpoint".
To allow access from an existing PSC connection instead, use the existing endpoint dropdown menu. The dropdown lists the existing PSC connections to services within the same infrastructure.
Set private DNS name for endpoint
There are various ways to configure DNS; set it up according to your use case.
You need to point all subdomains (a wildcard record) of the "DNS name" shown in the ClickHouse Cloud console to the GCP PSC endpoint IP address. This ensures that services and components within your VPC/network can resolve every service hostname under that name to the endpoint.
Access an instance using PSC
- In the ClickHouse Cloud console, navigate to the service's Settings page.
- Click "Set up private endpoint".
- In the flyout that opens, copy the "DNS name".
Access to ClickHouse services via PSC is controlled at two levels:
- Istio Authorization Policy: ClickHouse Cloud's service-level authorization policies.
- VPC Endpoint Security Group: the security group attached to your VPC endpoint controls which resources in your VPC can use the endpoint.
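The PSC procedure above (endpoint creation, reading back the PSC connection ID, and the wildcard private DNS step), as an added example that is not part of the ClickHouse documentation or tooling: a Python script that drives gcloud to reserve the endpoint IP, create the PSC forwarding rule against the published service attachment (optionally with global access), fetch the rule's pscConnectionId for the console's Endpoint ID field, create a private Cloud DNS zone visible only to your VPC with a wildcard A record pointing at the endpoint IP, and finally verify that arbitrary subdomains resolve to that IP. The ClickHouse console allow-list step is not scripted here. The project, region, network, subnet, endpoint name, service attachment path and the DNS name example.byoc.internal are constructed placeholders; the resolver used by the verification is injectable so the check below runs against a stub table instead of the network.

```python
"""Added example (not ClickHouse's own tooling): PSC consumer endpoint plus the
wildcard private DNS zone, driven through gcloud, and a resolution check.
All names and addresses are constructed placeholders."""
import shlex
import socket
import subprocess


def gcloud(args, dry_run=False):
    """Run a gcloud command and return its stdout, or only the command string when dry_run is set."""
    cmd = ["gcloud", *args]
    if dry_run:
        return shlex.join(cmd)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


def create_psc_endpoint(project, region, network, subnet, name, service_name, ip,
                        global_access=False, dry_run=False):
    """Reserve a static internal IP, create the PSC forwarding rule that targets the
    published service attachment, and read back the PSC connection ID."""
    steps = [gcloud(["compute", "addresses", "create", f"{name}-ip",
                     f"--project={project}", f"--region={region}",
                     f"--subnet={subnet}", f"--addresses={ip}"], dry_run)]
    rule = ["compute", "forwarding-rules", "create", name,
            f"--project={project}", f"--region={region}", f"--network={network}",
            f"--address={name}-ip", f"--target-service-attachment={service_name}"]
    if global_access:  # the console's "Enable global access" checkbox
        rule.append("--allow-psc-global-access")
    steps.append(gcloud(rule, dry_run))
    # This value is what the ClickHouse console asks for as the Endpoint ID.
    steps.append(gcloud(["compute", "forwarding-rules", "describe", name,
                         f"--project={project}", f"--region={region}",
                         "--format=value(pscConnectionId)"], dry_run))
    return steps


def create_wildcard_dns(project, network, dns_name, ip, zone="clickhouse-psc", dry_run=False):
    """Private zone visible only to `network`, with *.<dns_name> -> endpoint IP."""
    fqdn = dns_name.rstrip(".") + "."
    return [
        gcloud(["dns", "managed-zones", "create", zone, f"--project={project}",
                f"--dns-name={fqdn}", "--visibility=private", f"--networks={network}",
                "--description=ClickHouse BYOC PSC endpoint"], dry_run),
        gcloud(["dns", "record-sets", "create", f"*.{fqdn}", f"--project={project}",
                f"--zone={zone}", "--type=A", "--ttl=300", f"--rrdatas={ip}"], dry_run),
    ]


def verify_wildcard(dns_name, ip, labels=("svc", "anything"), resolve=socket.gethostbyname):
    """Resolve a few subdomains of dns_name and return the ones that do not map to the
    endpoint IP (empty dict means the wildcard record is working from this network)."""
    bad = {}
    for label in labels:
        host = f"{label}.{dns_name.rstrip('.')}"
        try:
            got = resolve(host)
        except OSError as exc:
            got = f"error: {exc}"
        if got != ip:
            bad[host] = got
    return bad


if __name__ == "__main__":
    attachment = "projects/byoc-project/regions/us-east1/serviceAttachments/clickhouse-cloud-infra-example"
    for line in create_psc_endpoint("app-project", "us-east1", "app-vpc", "app-subnet",
                                    "clickhouse-psc", attachment, "10.20.0.10",
                                    global_access=True, dry_run=True):
        print(line)
    for line in create_wildcard_dns("app-project", "app-vpc", "example.byoc.internal",
                                    "10.20.0.10", dry_run=True):
        print(line)
    # Constructed stub resolver standing in for the VPC's private zone; one answer is wrong on purpose.
    table = {"svc.example.byoc.internal": "10.20.0.10", "other.example.byoc.internal": "10.99.0.1"}
    print(verify_wildcard("example.byoc.internal", "10.20.0.10", ("svc", "other"),
                          lambda h: table.get(h, "NXDOMAIN")))
```

Run verify_wildcard with the default resolver from a VM inside the network you attached the zone to; a response from the public address or an NXDOMAIN means the zone is not attached to that network or a public zone with the same name is shadowing it, and your client will either fail or leave the private path.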