Use Google Cloud Private Service Connect with Astra Managed Clusters
This page explains how to configure Google Cloud Private Service Connect private endpoints in Astra. For AWS PrivateLink, see Use AWS PrivateLink with Astra Managed Clusters.
You can use private endpoints to establish a secure, private connection to your Astra Managed Clusters databases through a virtual private cloud (VPC) service offered by a cloud provider. With a private endpoint, all communication remains within the private network, ensuring that no information is transmitted over the public internet.
Astra private endpoint architecture
To ensure your private endpoints are configured efficiently, you must understand how Astra uses private endpoints:
- Private endpoints apply to database connections: When you connect to a database through a private endpoint, your connection is routed through the private endpoint and the associated private network. Private endpoints don’t apply to higher-level operations, such as Astra organization management. You must configure private endpoints for each database separately. Private endpoint configurations cannot be applied in bulk.
- Private endpoints are specific to a cloud provider and region: A private endpoint must exist in the same cloud provider and region as the database that uses the endpoint. For example, an AWS PrivateLink private endpoint in us-west-2 can only be used for a database in AWS us-west-2.
- Multi-region databases require multiple private endpoints: For multi-region databases, you must configure an endpoint for each region.
- Astra Managed Clusters databases cannot share private endpoints: Each Astra Managed Clusters database must have its own private endpoint. For example, if you deploy three databases to AWS us-west-2, then you need three separate AWS PrivateLink private endpoints in us-west-2. For multi-region databases, each region must have its own private endpoint.
- An Astra Managed Clusters database can connect to one or more private endpoints:
  - Single endpoint: Create a private endpoint in your VPC, and then use it for one database.
  - Multiple endpoints: Create multiple private endpoints in your VPC, and then use them for the same database.
- Your applications must use compatible connection methods: Your applications and scripts must use supported Astra DB connection methods that are compatible with private links. Examples include DevOps API requests and Apache Cassandra® drivers. For application development, DataStax officially supports connections over private links for supported Cassandra drivers only. For unsupported connection methods, compatibility isn’t guaranteed, and DataStax provides no troubleshooting, configuration assistance, or other support.
Billed charges for premium runtime and cloud provider services
Private endpoints are a premium feature that requires a paid subscription plan.
Use of private endpoints incurs billed charges from both Astra and your cloud provider’s private endpoint services.
If you delete a private endpoint from Astra, it is your responsibility to delete the corresponding resources in your cloud provider.
Prerequisites
To configure and use Google Cloud Private Service Connect private endpoints for Astra Managed Clusters databases, you need the following:
- An active Astra Managed Clusters database.
- The Organization Administrator or Database Administrator role. To use the DevOps API, you need an application token with one of these roles.
- Access to Google Cloud Private Service Connect with permission to create network resources like VPCs, subnets, and private endpoints.
Enable private endpoints
To use a private endpoint with a database, you must enable private endpoint connectivity for that database.
For multi-region databases, you must enable private endpoints in each applicable region.
Private endpoints must exist in the same region and cloud provider as the databases that use them. For example, a database in AWS
For multi-region databases, you must configure separate endpoints for each region where you want to use private endpoints. For more information, see Astra private endpoint architecture.
Use the Astra Portal:

- In the Astra Portal, click Managed clusters, and then click the name of the database that you want to modify.
- Click the Settings tab.
- In the Private Endpoints section, click Configure Region for the region where you want to use a private endpoint.
- Enter the allowed principal. For Google Cloud regions, the allowed principal is your Google Cloud project ID.
- Click Configure Region.
- Copy the generated Service Name.
- For multi-region databases, repeat these steps for each region where you want to use private endpoints.

Use the DevOps API:

- Set an allowed principal for each database and region where you want to use private endpoints:

      curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/private-link" \
        --header "Authorization: Bearer APPLICATION_TOKEN" \
        --header "Content-Type: application/json" \
        --data '{
          "allowedPrincipals": [
            "ALLOWED_PRINCIPAL"
          ]
        }'

  The DATACENTER_ID is the region identifier. To get the DATACENTER_ID and DATABASE_ID, see Get database details.

  To use Google Cloud Private Service Connect, the database must be deployed on Google Cloud. For Google Cloud regions, the allowed principal is your Google Cloud project ID.

- Get the serviceName from the response:

      {
        "serviceName": "projects/PROJECT_ID/regions/REGION/serviceAttachments/SERVICE_ATTACHMENT_NAME",
        "allowedPrincipals": [
          "GOOGLE_CLOUD_PROJECT_ID"
        ]
      }

  You can also use the DevOps API to remove an allowed principal.
Add a private endpoint
After enabling private endpoints for a database, create a VPC endpoint in Google Cloud Private Service Connect, and then use the Astra Portal or the DevOps API to connect it to your database.
Create the endpoint in Google Cloud Private Service Connect
- Sign in to the Google Cloud Network Services console.
- Create an endpoint to access published services. The VPC endpoint’s Target service is the generated service name that you copied when you enabled private endpoints.
- After creating the endpoint, copy the PSC Connection ID from the endpoint details.
Connect the endpoint to your database
Use the PSC Connection ID to connect your Google Cloud Private Service Connect endpoint to your Astra database:
Use the Astra Portal:

- In the Astra Portal, click Managed clusters, and then click the name of the database that you want to modify.
- Click the Settings tab.
- Find the region where you previously enabled private endpoints, and then enter the PSC connection ID in the Endpoint ID field.
- Optional: Enter a description for the endpoint.
- Click Add Endpoint.

Your database is now connected to a private endpoint. Next, configure DNS mapping.

Use the DevOps API:

- Use the DevOps API to accept an endpoint to the private link service:

      curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints" \
        --header "Authorization: Bearer APPLICATION_TOKEN" \
        --header "Content-Type: application/json" \
        --data '{
          "endpointID": "PSC_CONNECTION_ID",
          "description": "OPTIONAL_STRING"
        }'

  Replace the following:

  - DATABASE_ID, DATACENTER_ID, APPLICATION_TOKEN: Use the same values that you used to enable private endpoints.
  - PSC_CONNECTION_ID: Your Google Cloud Private Service Connect endpoint’s PSC connection ID.
  - OPTIONAL_STRING: An optional string describing the endpoint. You can also use the DevOps API to update the private endpoint description at any time.

- A successful response contains the private endpoint configuration for the specified database and region. Make sure the status is Accepted.

  Result:

      {
        "datacenters": [
          {
            "serviceName": "projects/PROJECT_ID/regions/REGION/serviceAttachments/SERVICE_ATTACHMENT_NAME",
            "allowedPrincipals": [
              "GOOGLE_CLOUD_PROJECT_ID"
            ],
            "datacenterID": "DB_REGION_ID",
            "endpoints": [
              {
                "endpointID": "PSC_CONNECTION_ID",
                "description": "OPTIONAL_STRING",
                "status": "Accepted",
                "createdDateTime": "2021-04-10T23:00:00"
              }
            ]
          }
        ]
      }

  Your database is now connected to a private endpoint. Next, configure DNS mapping.
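The two DevOps API calls from the enable and accept steps above, combined into one script that also confirms the returned status is Accepted. This is an added example, not DataStax code; the `transport` hook, the environment variable names, and the sample values are this example's own assumptions.

```python
import json
import os
import urllib.request

API = "https://api.astra.datastax.com/v2/organizations/clusters"

def devops_request(token, method, url, body=None, transport=None):
    """Send one DevOps API request and return the decoded JSON body. `transport` is
    this example's own hook: a callable given the prepared Request that returns a
    dict, so the flow can be exercised without touching the network."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    if transport is not None:
        return transport(req)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def enable_private_endpoints(token, database_id, datacenter_id, project_id, transport=None):
    """Step 1: set the Google Cloud project ID as the region's allowed principal and
    return the generated serviceName (the Target service of the PSC endpoint)."""
    url = f"{API}/{database_id}/datacenters/{datacenter_id}/private-link"
    resp = devops_request(token, "POST", url, {"allowedPrincipals": [project_id]}, transport)
    return resp["serviceName"]

def accept_endpoint(token, database_id, datacenter_id, psc_connection_id, description="",
                    transport=None):
    """Step 2: register the PSC connection ID with the database and region, and return
    that endpoint's status; anything other than "Accepted" means no private path yet."""
    url = f"{API}/{database_id}/datacenters/{datacenter_id}/endpoints"
    body = {"endpointID": psc_connection_id, "description": description}
    resp = devops_request(token, "POST", url, body, transport)
    for dc in resp.get("datacenters", []):
        for ep in dc.get("endpoints", []):
            if ep["endpointID"] == psc_connection_id:
                return ep["status"]
    raise RuntimeError(f"endpoint {psc_connection_id} missing from response")

if __name__ == "__main__":
    # Real run; the environment variable names are this example's own choice. Without
    # PSC_CONNECTION_ID it performs step 1, with it step 2 plus the status check.
    tok, db, dc = (os.environ[k] for k in ("ASTRA_TOKEN", "DATABASE_ID", "DATACENTER_ID"))
    psc_id = os.environ.get("PSC_CONNECTION_ID")
    if psc_id is None:
        print("Target service:", enable_private_endpoints(tok, db, dc, os.environ["GCP_PROJECT_ID"]))
    else:
        status = accept_endpoint(tok, db, dc, psc_id, "example endpoint")
        print("Endpoint status:", status)
        assert status == "Accepted", f"unexpected status {status}"
```

Run it once without PSC_CONNECTION_ID to get the Target service, create the endpoint in Google Cloud, then run it again with the PSC connection ID.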
Create DNS entries for a private endpoint
To ensure proper name resolution for private endpoints, you must configure private DNS mapping for the *.astra.datastax.com domain and subdomains.
This overrides the default resolution to the public IP address provided by Astra.
You must configure private DNS mapping for all databases that use private endpoints. For multi-region databases, you must create records for every region.

- In the Google Cloud console, create a private zone to route traffic to your Private Service Connect endpoint IP.
- Create Type A standard records for Astra subdomains. For each database, you must create records for both the .db. and .apps. domains. For multi-region databases, you must create records for every region where you use private endpoints.
  - DATABASE_ID-REGION.db.astra.datastax.com
  - DATABASE_ID-REGION.apps.astra.datastax.com
- Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.
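An added check for the DNS mapping described above (not DataStax code): it generates the .db. and .apps. A records a database needs per region and audits what a resolver inside the VPC actually returns, flagging any name that still resolves to a public address. The database ID, regions, endpoint IPs, and resolver output are constructed sample values.

```python
import ipaddress
import socket

ASTRA_SUBDOMAINS = ("db", "apps")  # both names must be mapped for every region

def required_dns_records(database_id, region_endpoint_ips):
    """A records the private zone needs: per region, the database's .db. and .apps.
    names, each pointing at that region's PSC endpoint IP."""
    records = []
    for region, ip in region_endpoint_ips.items():
        for sub in ASTRA_SUBDOMAINS:
            records.append((f"{database_id}-{region}.{sub}.astra.datastax.com", ip))
    return records

def observe(names, resolver=socket.gethostbyname):
    """Resolve each name from inside the VPC the private zone is attached to."""
    observed = {}
    for name in names:
        try:
            observed[name] = resolver(name)
        except OSError:
            observed[name] = None  # NXDOMAIN or resolver failure
    return observed

def audit_resolution(expected, observed):
    """Flag names that are missing, that resolve to something other than the PSC
    endpoint, or that still resolve to a globally routable address (the override
    did not take effect, so the driver would connect over the internet)."""
    findings = []
    for name, ip in expected:
        got = observed.get(name)
        if got is None:
            findings.append((name, "missing"))
            continue
        if got != ip:
            findings.append((name, f"expected {ip}, got {got}"))
        if ipaddress.ip_address(got).is_global:
            findings.append((name, f"resolves to public address {got}"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a two-region database and its PSC endpoint IP per region.
    db = "11111111-2222-3333-4444-555555555555"
    expected = required_dns_records(db, {"us-east1": "10.10.0.5", "europe-west1": "10.20.0.5"})
    # Constructed resolver output (call observe() on a VM in the VPC for a real check);
    # the europe-west1 .apps. record was never created, so it resolves to a public address.
    observed = dict(expected)
    observed[f"{db}-europe-west1.apps.astra.datastax.com"] = "1.2.3.4"
    for name, problem in audit_resolution(expected, observed):
        print(f"{name}: {problem}")
```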
Connect to one database through multiple private endpoints
If needed, you can access the same database through multiple private endpoints. For example, if you need to replace an endpoint, you can add the new endpoint to your database before you remove the previous endpoint.
These steps assume you have already configured one private endpoint for your database. To add an additional private endpoint to the same database, do the following:
- Enable private endpoints if the additional endpoint belongs to a different region than the existing endpoint.
- Add DNS entries for the additional endpoint. DataStax recommends that you test the connection to verify the configuration, especially if you plan to remove the existing endpoint.
- If you configured the IP Access List, make sure the additional endpoints are included in the allowed IPs. If you need to replace an endpoint, it is critical that you add the new endpoint to the IP Access List before removing the previous endpoint to avoid losing connectivity to your database.
- Repeat these steps to add more endpoints to the same database.
Get private endpoint configurations
In the Astra Portal, you can find a database’s private endpoints on the database’s Settings tab.
To use the DevOps API to get information about private endpoints for all databases in your organization, use GET /v2/organizations/private-link or GET /v2/organizations/clusters:
Get private endpoints for all databases:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/private-link" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json"

A successful response includes information about private endpoint configurations for all databases in the organization. If there are any multi-region databases, the response includes all regions.

The following example includes an AWS PrivateLink endpoint. The format of certain values, such as the serviceName, depends on the cloud provider.

Result:

    {
      "clusters": [
        {
          "clusterID": "string",
          "datacenters": [
            {
              "serviceName": "com.amazonaws.vpce.us-east-2.vpce-svc-1148ea04af491da11",
              "allowedPrincipals": [
                "arn:aws:iam::123456789012:role/admin"
              ],
              "datacenterID": "string",
              "endpoints": [
                {
                  "endpointID": "vpce-svc-1148ea04af491da11",
                  "description": "ecomm-team-billing-app",
                  "linkID": "126845687",
                  "status": "Accepted",
                  "createdDateTime": "2009-11-10T23:00:00"
                }
              ]
            }
          ]
        }
      ]
    }

Get private endpoints for one database:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/private-link" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json"

To get the DATABASE_ID, see Get database details.

A successful response includes information about private endpoint configurations for one database. For a multi-region database, the response includes all regions. Compared with the previous method, this method returns only one object from the clusters array.

The following example includes an AWS PrivateLink endpoint. The format of certain values, such as the serviceName, depends on the cloud provider.

Result:

    {
      "clusterID": "string",
      "datacenters": [
        {
          "serviceName": "com.amazonaws.vpce.us-east-2.vpce-svc-1148ea04af491da11",
          "allowedPrincipals": [
            "arn:aws:iam::123456789012:role/admin"
          ],
          "datacenterID": "string",
          "endpoints": [
            {
              "endpointID": "vpce-svc-1148ea04af491da11",
              "description": "ecomm-team-billing-app",
              "linkID": "126845687",
              "status": "Accepted",
              "createdDateTime": "2009-11-10T23:00:00"
            }
          ]
        }
      ]
    }

Get private endpoints for one region of a multi-region database:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/private-link" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json"

The DATACENTER_ID is the region identifier. To get the DATACENTER_ID and DATABASE_ID, see Get database details.

A successful response includes information about private endpoint configurations for one region of one database. Compared with the previous methods, this method returns only one object from the datacenters array.

The following example includes an AWS PrivateLink endpoint. The format of certain values, such as the serviceName, depends on the cloud provider.

Result:

    {
      "serviceName": "com.amazonaws.vpce.us-east-2.vpce-svc-1148ea04af491da11",
      "allowedPrincipals": [
        "arn:aws:iam::123456789012:role/admin"
      ],
      "datacenterID": "string",
      "endpoints": [
        {
          "endpointID": "vpce-svc-1148ea04af491da11",
          "description": "ecomm-team-billing-app",
          "linkID": "126845687",
          "status": "Accepted",
          "createdDateTime": "2009-11-10T23:00:00"
        }
      ]
    }

Get information about one endpoint in one region of one database:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints/ENDPOINT_ID" \
      --header "Authorization: Bearer APPLICATION_TOKEN" \
      --header "Content-Type: application/json"

To get the endpoint ID, use one of the other GET /v2/organizations/clusters methods. However, the other methods return the same information as this method.
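An added audit over the GET /v2/organizations/private-link response (not DataStax code) that cross-checks Astra's view against the PSC connection IDs that actually exist in your Google Cloud project, so stale Astra entries, unregistered endpoints, non-Accepted statuses, and unexpected allowed principals surface before you delete anything. The response body and the connection IDs are constructed samples; Google Cloud regions are recognised by the projects/ serviceName format shown earlier on this page.

```python
GCP_SERVICE_PREFIX = "projects/"  # Google Cloud serviceName format; AWS uses com.amazonaws.vpce.*

# Constructed sample of a GET /v2/organizations/private-link response for a Google Cloud
# database with one live endpoint, one stale endpoint, and an unexpected principal.
SAMPLE_RESPONSE = {"clusters": [{"clusterID": "db-1", "datacenters": [{
    "serviceName": "projects/astra-proj/regions/us-east1/serviceAttachments/sa-1",
    "allowedPrincipals": ["my-gcp-project", "someone-elses-project"],
    "datacenterID": "db-1-us-east1",
    "endpoints": [
        {"endpointID": "1111111111", "description": "billing app", "status": "Accepted"},
        {"endpointID": "2222222222", "description": "old endpoint", "status": "Accepted"},
    ]}]}]}

def audit_private_link(org_response, own_project_ids, gcp_connection_ids):
    """Cross-check Astra's endpoint registrations against Google Cloud.
    own_project_ids: the project IDs that should be allowed principals.
    gcp_connection_ids: PSC connection IDs of the endpoints that exist in those
    projects (from the endpoint details in the Network Services console)."""
    findings, seen = [], set()
    for cluster in org_response.get("clusters", []):
        db = cluster["clusterID"]
        for dc in cluster.get("datacenters", []):
            if not dc.get("serviceName", "").startswith(GCP_SERVICE_PREFIX):
                continue  # not a Google Cloud region
            region = dc["datacenterID"]
            for principal in dc.get("allowedPrincipals", []):
                if principal not in own_project_ids:
                    findings.append((db, region, principal, "unexpected allowed principal"))
            for ep in dc.get("endpoints", []):
                eid = ep["endpointID"]
                seen.add(eid)
                if ep.get("status") != "Accepted":
                    findings.append((db, region, eid, f"status {ep.get('status')}"))
                if eid not in gcp_connection_ids:
                    findings.append((db, region, eid, "no matching PSC endpoint; delete from Astra"))
    for eid in sorted(set(gcp_connection_ids) - seen):
        findings.append(("-", "-", eid, "PSC endpoint not registered with any database"))
    return findings

if __name__ == "__main__":
    # Constructed: the project you own and the PSC connection IDs it currently has.
    for f in audit_private_link(SAMPLE_RESPONSE, {"my-gcp-project"}, {"1111111111", "3333333333"}):
        print(*f)
```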
Delete a private endpoint
To delete a private endpoint, you must delete the private endpoint from both Astra and Google Cloud Private Service Connect.

Astra cannot manage your cloud provider’s private endpoint configuration. You are responsible for removing unused private endpoint connections in your cloud provider.

Use the Astra Portal:

- In the Astra Portal, click Managed clusters, and then click the name of the database that you want to modify.
- Click the Settings tab.
- In the Private Endpoints section, click the endpoint that you want to delete, click Delete, and then confirm the deletion.
- Remove or modify DNS entries as needed.

Use the DevOps API:

- Use the DevOps API to reject a private endpoint:

      curl -sS -L -X DELETE "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints/ENDPOINT_ID" \
        --header "Authorization: Bearer APPLICATION_TOKEN" \
        --header "Content-Type: application/json"

  This request removes a specific endpoint from a specific database and region. To remove multiple endpoints, send a separate request for each endpoint with the corresponding path parameters. For example, to remove all private endpoints for a multi-region database, send a separate request for each region (specified by DATACENTER_ID and ENDPOINT_ID).

  To get the ENDPOINT_ID, see Get private endpoint configurations. To get the DATACENTER_ID and DATABASE_ID, see Get database details.

- Remove or modify DNS entries as needed.