Add a GCP Private Service Connection
- Capella Operational
- how-to
Add a GCP Private Service Connection that connects your GCP network with a Capella cluster using GCP as its cloud provider. This connection can reduce latency and egress costs for applications hosted in the same region.
| GCP Private Service Connections do not support Cross Datacenter Replication (XDCR) or Prometheus metrics. If you require XDCR or Prometheus metrics, use VPC Peering. |
Prerequisites
To use GCP Private Service Connect with Capella, you need:
-
A project in your organization.
For more information about projects in Capella, see Projects Overview.
-
The
Project Ownerrole assigned to your user account. -
A cluster in your project with:
-
GCP as its cloud provider.
-
The region set to the same region as your GCP VPC.
-
The Developer Pro or Enterprise plan.
-
-
Information about your GCP VPC, including:
-
The Network name.
-
The Subnetwork name.
-
-
One of the following:
-
A BASH-like shell environment with the Google Cloud Command Line Interface (CLI) installed and configured.
-
The Terraform command-line tool downloaded and installed. For more information, see the Install Terraform Documentation.
-
Procedure
To add a GCP Private Service Connection, you need the Capella UI and the Google Cloud CLI or Google Terraform Provider.
-
In Capella, enable private endpoints:
Enabling private endpoints bills your account hourly for GCP Private Service Connect unless you turn off this option. As this feature is resource-intensive, it can result in increased costs. -
View the cluster where you want to add a GCP Private Service Connection.
-
Go to .
-
Click Enable Private Endpoints Services.
It can take 10 or more minutes for Capella to enable private endpoints. You can leave and return to the Private Endpoints page at any time.
-
-
Click Add Private Endpoint.
-
In the Provide Private Endpoint Details section, add the following information about your GCP network:
Field Value Virtual Private Cloud Name
Enter the GCP network name.
Subnet Name
Enter the GCP subnet name. Your VM must reside in this subnet.
-
Click Next.
-
Choose one of the following options:
-
Shell Script
-
Google Terraform Provider
Use a shell script to create the private endpoint:
-
Download and run the configuration shell script provided by Capella.
This script contains commands to create the required related resources in your chosen GCP network. When successful, the provisioning details are output. It can take several minutes for this script to complete.
If you add a subnet to your network after completing this procedure in GCP, you must re-run the configuration shell script to provision all the required resources in your network.
Use Google Terraform Provider commands to create the private endpoint:
The Google Terraform configuration files are not available for download through Capella. -
Create 2 Terraform configuration files:
-
A
variables.tfvarsfile to assign values to the input variables. -
A
main.tffile to define the input variables and create the related resources.
-
-
Copy the following variables in your
variables.tfvarsfile. Update the values to match your environment, then save the file.project = "YOUR_PROJECT_NAME" region = "YOUR_REGION" network = "YOUR_VPC_NETWORK_NAME" subnet = "YOUR_SUBNET_NAME" cluster = "YOUR_CLUSTER_ID" base_dns_name = "YOUR_BASE_DNS_NAME." #Include the trailing period ( . ) service_attachment = "SERVICE_ATTACHMENT_URI" bootstrap_service_attachment = "BOOTSTRAP_SERVICE_ATTACHMENT_URI"You can download the script.shconfiguration shell script provided through Capella and use it as a reference for these value inputs. -
Copy and save the following Terraform configuration into your
main.tffile. Do not make any modifications.terraform { required_providers { google = { source = "hashicorp/google" version = ">= 6.38.0" } } } provider "google" { project = var.project region = var.region } variable "project" {} variable "region" {} variable "network" {} variable "subnet" {} variable "cluster" {} variable "base_dns_name" {} variable "service_attachment" {} variable "bootstrap_service_attachment" {} locals { network_short = substr(var.network, 0, 15) cluster_short = substr(var.cluster, 0, 15) zone_name = "${local.network_short}-${local.cluster_short}" } resource "google_compute_address" "pe" { name = "pe-address-${local.zone_name}" region = var.region subnetwork = var.subnet address_type = "INTERNAL" purpose = "GCE_ENDPOINT" } resource "google_compute_address" "bootstrap" { name = "pe-address-bootstrap-${local.zone_name}" region = var.region subnetwork = var.subnet address_type = "INTERNAL" purpose = "GCE_ENDPOINT" } resource "google_compute_forwarding_rule" "pe" { name = "endpoint-${local.zone_name}" region = var.region network = var.network ip_address = google_compute_address.pe.self_link target = var.service_attachment load_balancing_scheme = "" } resource "google_compute_forwarding_rule" "bootstrap" { name = "endpoint-bootstrap-${local.zone_name}" region = var.region network = var.network ip_address = google_compute_address.bootstrap.self_link target = var.bootstrap_service_attachment load_balancing_scheme = "" } resource "google_dns_managed_zone" "pe_zone" { name = local.zone_name dns_name = var.base_dns_name description = "Private Endpoint for Capella cluster" visibility = "private" private_visibility_config { networks { network_url = "projects/${var.project}/global/networks/${var.network}" } } } resource "google_dns_record_set" "pe" { name = "pe.${var.base_dns_name}" type = "A" ttl = 300 managed_zone = google_dns_managed_zone.pe_zone.name rrdatas = [google_compute_address.pe.address] } resource "google_dns_record_set" "bootstrap" { name = "private-endpoint.${var.base_dns_name}" type = "A" ttl = 300 managed_zone = google_dns_managed_zone.pe_zone.name rrdatas = [google_compute_address.bootstrap.address] } -
Run the Google Terraform Provider commands:
-
Initialize Terraform to set up your configuration:
terraform init -
Review the Terraform plan to see what changes will be made to the private endpoint:
terraform plan -var-file="variables.tfvars" -out=tfplan -
Apply the Terraform configuration to create the private endpoint:
terraform apply "tfplan"
-
-
-
Once complete, verify the creation of the related endpoints by visiting Private Service Connect in the Google Cloud Console. These endpoints show a Pending status until you accept the connection.
-
In Capella, enter the
gcp-project-idfor your project and accept the connection.The acceptance process takes several minutes when you accept a connection to your project for the first time.
|
When connecting an SDK to a cluster with a GCP Private Service Connection, you must add For example, This is only required for Java, Scala, Kotlin, C++, Node.js, Python, Ruby, and PHP SDKs. |
Verifying the Connection
To verify that the connection is complete:
-
In Capella, open the Private Endpoints page and review the connection status for the new private endpoint.
-
In the GCP console, check that the endpoints for this new Private Server Connection show an Accepted status.
Disable Private Endpoints
Disabling private endpoints deletes all private endpoints in a cluster. At the bottom of the Private Endpoints page, turn off private endpoints for your cluster by clicking Disable Private Endpoints.
It can take several minutes for Capella to complete this process.
|
Disabling private endpoints only cleans up the infrastructure deployed in Capella. You must manually clean up any resources deployed to your GCP VPC that were supporting private endpoints. Do not remove GCP resources until the disabling process in Capella is complete. |