Connect to Google Cloud private endpoints via Astra DB console

To better protect your database connection, you can connect to a private endpoint using the Astra DB console.

For details about using API calls instead, see Connect to Google Cloud Private Service Connect with the DevOps API.

This information applies only to serverless databases.

Also, private endpoints are available only for intra-region use. The region of your private endpoint in Google Cloud and the region of your Astra DB database must match.

For pricing related to using private endpoints, see Pricing and billing.

The following roles can manage private endpoints:

  • Organization Administrator

  • Database Administrator

Alternatively, you can use a custom role with permissions to manage private endpoints.

Prerequisites

  1. Access to your existing Google Cloud project.

  2. Create your Astra DB database using the Astra DB console.

  3. Ensure you have permission to manage private endpoints.

  4. From the Google Cloud Console, get your Project ID.

  5. In Google Cloud Console, create a network, subnetwork, and IP address for your private endpoint. For more, see Creating networks. The steps for private endpoints and sample values are listed below.

  6. Take note of which region your Google Cloud project and your Google Cloud-based Astra DB database use (the two regions must match).

To increase your security, restrict public access to your database using the access list.

Creating and referencing endpoint values between Google Cloud and Astra DB consoles

Setting up the connection between Google Cloud and Astra DB private endpoints involves a few steps in both consoles.

Let’s start in Astra DB console

  1. On your organization’s Astra DB dashboard, click the link for your active, Google Cloud based database.

  2. Navigate to your database’s Settings tab, and notice the Private Endpoints section. At this point, no endpoints have been linked. Example:

    Astra DB console Settings tab with Private Endpoints section

  3. Click Configure Region and enter your Google Cloud Project ID as listed in Google Cloud Console.

  4. After entering your Google Cloud Project ID, click Configure Region.

  5. Astra DB console displays an updated Private Endpoints section, which includes a newly generated Service Name.

  6. Click Add Endpoint.

  7. On Add Private Endpoint, copy the generated Service Name. Example:

    Astra DB Add Private Endpoint copy Service Name

    In Astra DB console, keep the Add Private Endpoint dialog open. We’ll return here with an Endpoint ID after creating it in Google Cloud Console. Also note the region defined for your database. In this example, it is us-east4.

Switch over to Google Cloud Console

Ensure you’re in the Google Cloud project you identified above. Then:

  1. Navigate to Private Service Connect.

  2. So far in this example, no Google Cloud endpoint has been created:

    Google Cloud Private Service Connect with no endpoint created yet

  3. Click + CONNECT ENDPOINT.

  4. On the Connect Endpoint dialog, choose or enter:

    1. Target: Published service.

    2. Target service: Paste in the Service Name value that you copied in Astra DB console.

    3. Endpoint name: Enter any name, such as astra-google-cloud-endpoint. The name must start with a lowercase letter followed by up to 19 lowercase letters and numbers.

    4. Network: Enter a network value. In this example, we entered default.

    5. Subnetwork: Enter a subnetwork value, such as default.

    6. IP address: If not already assigned, click CREATE IP ADDRESS. On the form, enter a name such as static-address. Have Google Cloud assign the IP address automatically, or choose your own value.

      Google Cloud Connect Endpoint with Reserve Static IP Address dialog

      Click RESERVE.

    7. Region: Google Cloud sets the region from a portion of the Service Name that you pasted into the Target service field above. (Verify that the specified region is what you intended!) In this example, we’re using us-east4.

  5. Click ADD ENDPOINT.

Once accepted, Google Cloud displays data for the added endpoint. Example:

Google Cloud Private Service Connect added Endpoint example

Click the linked name of your newly added Endpoint to display the details screen in Google Cloud Console, and copy the Private Service Connect (PSC) ID. Example:

Google Cloud Private Service Connect details

You’ll need to paste that PSC ID value into Astra DB console.

Return to Astra DB console

Back in Astra DB console, return to the Add Private Endpoint dialog that’s available from your database’s Settings.

  1. In the Endpoint ID field, paste in the copied PSC ID value. Also enter a brief description of your Astra DB / Google Cloud endpoint.

  2. Click Add Endpoint.

    Astra DB displays the result. Example:

    Astra DB Settings Private Endpoint details

Your private endpoint is defined. However, if you have not yet restricted public access in your Astra DB Settings, notice the warning message:

You’ve set up a private endpoint for this database, but access to your database is still open to the public. Learn how to Manage access lists for public access by using the IP Access List options in Astra DB console Settings. You can enable the Restrict public access toggle, and you can manage endpoints with one or more access lists.

Create a DNS entry for your private endpoint

You can alias your private endpoint with a DNS record to use as your hostname in the Astra DB secure connect bundle. Here are the steps:

  1. Download your secure connect bundle for the region of your choice. Get your latest secure connect bundle.

  2. Unzip the secure connect bundle.

  3. In config.json, copy the host key’s value.

  4. In Google Cloud Console, create a private DNS zone that routes traffic to your endpoint IP. Add records for both the REST and the CQL hostnames of your database. Examples:

    • REST: efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.apps.astra.datastax.com

    • CQL: efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com

Once those steps are completed, you can connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra DB.
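The following script is an added example, not DataStax or Google code, covering two checks a practitioner wants before and during the DNS step above: that the region embedded in the secure connect bundle's host matches the region in the Service Name you pasted into Google Cloud (the page requires the two to match), and that the private zone gets both the REST and CQL names pointing at the reserved endpoint IP. It builds a constructed stand-in bundle in memory (a zip containing only the config.json host key), so it runs offline. The host format is generalised from the page's example, the service attachment name format (projects/…/regions/…/serviceAttachments/…) is assumed from standard Google Cloud resource naming, and the REST name is assumed to share the CQL host's prefix, as in the page's example; all sample values are constructed.

```python
"""Added example (not DataStax or Google code): read the bundle host, check that
database and endpoint regions agree, and build private-zone A records."""
import io
import ipaddress
import json
import re
import zipfile

# Shape of the "host" value in config.json, generalised from the page's example:
# <database id>-<ordinal>-<region>.db.astra.datastax.com (an assumption).
HOST_RE = re.compile(
    r"^(?P<prefix>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}(?:-\d+)?"
    r"-(?P<region>[a-z]+-[a-z]+\d*(?:-\d+)?))\.db\.astra\.datastax\.com$"
)

# Shape of a Private Service Connect service attachment name; assumed from
# standard Google Cloud resource naming. The page only says the region is
# taken from a portion of the Service Name.
SERVICE_NAME_RE = re.compile(
    r"^projects/[^/]+/regions/(?P<region>[a-z0-9-]+)/serviceAttachments/[^/]+$"
)

# Constructed sample values (not real databases, projects or addresses).
SAMPLE_HOST = "0f1e2d3c-4b5a-4697-8877-665544332211-1-us-east4.db.astra.datastax.com"
SAMPLE_SERVICE_NAME = "projects/example-project/regions/us-east4/serviceAttachments/example"
SAMPLE_ENDPOINT_IP = "10.128.0.5"


def build_sample_bundle(host: str) -> bytes:
    """Constructed stand-in for a secure connect bundle: a zip holding a
    config.json with only the host key, the one value the DNS step needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps({"host": host}))
    return buf.getvalue()


def bundle_host(bundle_bytes: bytes) -> str:
    """Steps 2 and 3 of the DNS procedure: unzip and read config.json's host."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        return json.loads(zf.read("config.json"))["host"]


def host_region(host: str) -> str:
    """Region component of the bundle host, e.g. 'us-east4'."""
    m = HOST_RE.match(host)
    if not m:
        raise ValueError(f"unrecognised Astra host: {host}")
    return m.group("region")


def service_name_region(service_name: str) -> str:
    """Region component of the Service Name copied from Astra DB console."""
    m = SERVICE_NAME_RE.match(service_name)
    if not m:
        raise ValueError(f"unrecognised service attachment name: {service_name}")
    return m.group("region")


def check_region_match(host: str, service_name: str) -> bool:
    """True when the database region and the endpoint region agree."""
    return host_region(host) == service_name_region(service_name)


def private_zone_records(host: str, endpoint_ip: str, ttl: int = 300) -> list:
    """A records for the private DNS zone: the REST (apps.) and CQL (db.) names,
    both resolving to the reserved internal endpoint IP."""
    ip = ipaddress.ip_address(endpoint_ip)  # rejects malformed addresses
    if not ip.is_private:
        raise ValueError(f"{endpoint_ip} is not an internal (private) address")
    m = HOST_RE.match(host)
    if not m:
        raise ValueError(f"unrecognised Astra host: {host}")
    prefix = m.group("prefix")
    records = []
    for purpose, subdomain in (("REST", "apps"), ("CQL", "db")):
        records.append({
            "purpose": purpose,
            "name": f"{prefix}.{subdomain}.astra.datastax.com.",  # FQDN with trailing dot
            "type": "A",
            "ttl": ttl,
            "rrdatas": [str(ip)],
        })
    return records


if __name__ == "__main__":
    host = bundle_host(build_sample_bundle(SAMPLE_HOST))
    print("region match:", check_region_match(host, SAMPLE_SERVICE_NAME))
    for rec in private_zone_records(host, SAMPLE_ENDPOINT_IP):
        print(rec["purpose"], rec["name"], "->", rec["rrdatas"][0])
```

Run it against a real bundle by replacing the constructed zip with the bytes of your downloaded secure connect bundle; a region mismatch or an address outside your subnet surfaces here, before you create the zone in Google Cloud Console.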

Remove a private endpoint

In Google Cloud Console:

  1. Go to Private Service Connect.

  2. Choose the endpoint you want to remove.

  3. Choose Delete.

In Astra DB console:

  1. Go to the Settings tab for your database.

  2. Choose the endpoint you want to remove.

  3. Click Delete.

What’s next?