Connect to Google Cloud Private Service Connect with the DevOps API
To better protect your database connection, you can connect to your Astra DB database through a private endpoint. Private endpoints are available only for intra-region use: the region of your private endpoint in the Google Cloud Console and the region of your Astra DB database must match.
For pricing related to using private endpoints, see Pricing and billing.
The following roles can manage private endpoints:
- Organization Administrator
- Database Administrator
Alternatively, you can use a custom role with permissions to manage private endpoints.
For more, see Google Cloud Private Service Connect.
Prerequisites
- Create your Astra DB database using Astra Portal.
- Ensure you have permission to manage private endpoints.
- From your Google Cloud Console, get your Project ID. For example, valiant-ocean-258751.
- Create a Google Cloud Console network, subnetwork, and IP address for your private endpoint. For more, see Creating networks.
To increase your security, restrict public access to your database using the access list.
If you are using Postman for your API calls, ensure you use the
Connect to your Google Cloud Private Service Connect endpoint
- Enter the Project ID as the allowed principal for your private endpoints to Astra DB:
```sh
curl --request POST \
  --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/private-link' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <application_token>' \
  --data '{ "allowedPrincipals": [ "valiant-ocean-258751" ] }'
```
To confirm your datacenter ID, see your database Dashboard or use the DevOps API to get all datacenter IDs within your database.
The response returns the service attachment that your endpoint will connect to:
```json
{
  "serviceName": "projects/<projectID>/regions/<regionName>/serviceAttachments/<serviceAttachmentName>",
  "allowedPrincipals": [ "valiant-ocean-258751" ]
}
```
- Create the endpoint in your Google Cloud Console.
  - In the Google Cloud Console, go to Private Service Connect.
  - Select Connect endpoint.
  - Select Published service as the Target.
  - Enter the serviceName from the DevOps API result as the Target service.
  - Enter a name for the Endpoint name.
  - Select your Network and Subnetwork for the endpoint.
  - Select an IP address for the endpoint.
  - Select Add endpoint.
  The Google Cloud Console shows the endpoint status as Accepted. This does not mean that the endpoint is ready for use; it must still be accepted through the Astra DB DevOps API.
- Using the PSC Connection ID from your Google Cloud Console as your endpoint ID, accept your Google Cloud private endpoint connection:
```sh
curl --request POST \
  --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/endpoints' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <application_token>' \
  --data '{ "endpointID": "2755639674399101", "description": "project-desc-dev-app" }'
```
The response lists the endpoint with its status on the Astra DB side:
```json
{
  "datacenters": [
    {
      "serviceName": "projects/<projectID>/regions/<regionName>/serviceAttachments/<serviceAttachmentName>",
      "allowedPrincipals": [ "valiant-ocean-258751" ],
      "datacenterID": "string",
      "endpoints": [
        {
          "endpointID": "2755639674399101",
          "description": "project-desc-dev-app",
          "status": "Accepted",
          "createdDateTime": "2021-04-10T23:00:00"
        }
      ]
    }
  ]
}
```
Your Google Private Service Connect menu will show the private endpoint.
- Create a DNS entry for your private endpoint.
  - Download your secure connect bundle for the region of your choice. Get your latest secure connect bundle.
  - Unzip the secure connect bundle.
  - In config.json, copy the host key's value.
  - In the Google Cloud Console, create a private zone that routes traffic for the following domains to your endpoint IP, so that REST and CQL connections use the private endpoint:
    efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.apps.astra.datastax.com
    efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com
  For more, see Create a private zone.
- You can now connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra.
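The procedure above is a mix of DevOps API calls (steps 1 and 3) and Console and DNS work (steps 2 and 4). The following added example, which is not DataStax's code, drives the two API calls from a small Python client and derives the two DNS names for the private zone from the host value in config.json. The live transport uses urllib and the same headers as the curl commands; the FakeTransport, the 10.0.0.5 endpoint IP and the rule that the REST hostname is the CQL hostname with ".db." replaced by ".apps." are assumptions made here so the flow can run offline against replies modelled on the sample output in this guide. The client refuses to continue if Astra reports an allowed principal other than the project you asked for, so a mistyped Project ID cannot silently authorise another project.

```python
# Added example (not DataStax's code): a small client for the two Astra DevOps API
# calls used in this guide, with a pluggable transport so the flow can be exercised
# offline against canned replies modelled on the sample output above.
import json
import urllib.request

API_BASE = "https://api.astra.datastax.com/v2"


def urllib_transport(url, headers, body):
    """Live transport: POST a JSON body to the DevOps API and decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class PrivateEndpointClient:
    def __init__(self, token, database_id, datacenter_id, transport=urllib_transport):
        # The token travels only in the Authorization header and is never logged.
        self._headers = {"Accept": "application/json",
                         "Content-Type": "application/json",
                         "Authorization": f"Bearer {token}"}
        self._dc_url = (f"{API_BASE}/organizations/clusters/{database_id}"
                        f"/datacenters/{datacenter_id}")
        self._transport = transport

    def allow_principal(self, project_id):
        """Step 1: register the Google Cloud project ID as the allowed principal.
        Returns the serviceName to enter as the Target service in the Console and
        raises if Astra reports any principal other than the one requested."""
        reply = self._transport(f"{self._dc_url}/private-link", self._headers,
                                {"allowedPrincipals": [project_id]})
        if reply.get("allowedPrincipals") != [project_id]:
            raise ValueError(f"unexpected allowedPrincipals: {reply.get('allowedPrincipals')!r}")
        return reply["serviceName"]

    def accept_endpoint(self, endpoint_id, description):
        """Step 3: accept the PSC connection ID on the Astra side.
        Returns the status Astra reports for that endpoint, or None if it is absent."""
        reply = self._transport(f"{self._dc_url}/endpoints", self._headers,
                                {"endpointID": endpoint_id, "description": description})
        return endpoint_status(reply, endpoint_id)


def endpoint_status(reply, endpoint_id):
    """Locate the endpoint in the datacenters[].endpoints[] reply shape and return its status."""
    for dc in reply.get("datacenters", []):
        for ep in dc.get("endpoints", []):
            if ep.get("endpointID") == endpoint_id:
                return ep.get("status")
    return None


def private_zone_records(db_host, endpoint_ip):
    """Step 4 helper: the two hostnames the private zone must point at the endpoint IP.
    Assumption: the REST hostname is the config.json host with ".db." replaced by ".apps.",
    matching the pair of domains listed in this guide."""
    suffix = ".db.astra.datastax.com"
    if not db_host.endswith(suffix):
        raise ValueError(f"not an Astra CQL hostname: {db_host}")
    apps_host = db_host[: -len(suffix)] + ".apps.astra.datastax.com"
    return {db_host: endpoint_ip, apps_host: endpoint_ip}


class FakeTransport:
    """Constructed stand-in for the DevOps API that replays the replies shown in this guide."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("missing bearer token")
        self.calls.append((url, body))
        service = "projects/<projectID>/regions/<regionName>/serviceAttachments/<serviceAttachmentName>"
        if url.endswith("/private-link"):
            return {"serviceName": service, "allowedPrincipals": body["allowedPrincipals"]}
        if url.endswith("/endpoints"):
            return {"datacenters": [{"serviceName": service,
                                     "allowedPrincipals": ["valiant-ocean-258751"],
                                     "datacenterID": "string",
                                     "endpoints": [{"endpointID": body["endpointID"],
                                                    "description": body["description"],
                                                    "status": "Accepted",
                                                    "createdDateTime": "2021-04-10T23:00:00"}]}]}
        raise ValueError(f"unexpected URL: {url}")


def run_flow(transport=None):
    """Walk steps 1, 3 and 4 of this guide using the placeholder IDs from the page
    and a constructed endpoint IP (10.0.0.5)."""
    client = PrivateEndpointClient("<application_token>", "<databaseID>", "<datacenterID>",
                                   transport=transport or FakeTransport())
    service_name = client.allow_principal("valiant-ocean-258751")
    status = client.accept_endpoint("2755639674399101", "project-desc-dev-app")
    records = private_zone_records(
        "efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com", "10.0.0.5")
    return {"serviceName": service_name, "status": status, "records": records}


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

To run it against the real API, pass no transport (the urllib default is used) and replace the placeholder token, database ID, datacenter ID and PSC Connection ID with your own; the Console step between the two calls still has to be done by hand, since the serviceName returned by step 1 is what you enter as the Target service.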
Remove a private endpoint
- Delete a private endpoint from your Astra DB:
  - In the Google Cloud Console, go to Private Service Connect.
  - Select the endpoint you want to remove.
  - Select Delete.