This page describes how to create a Confluence Data Center data store and search app in Agentspace, syncing on-premises Confluence data with Agentspace.
After you set up your data source and import data the first time, you can choose how often the data store syncs with that source.
Before you begin
Before setting up your connection, do the following:
Verify that you have the Confluence Administrator permission to fetch the Access Control List (ACL) information.
Install the Permission Accessor for Confluence Data Center plugin. This plugin introduces REST endpoints that enable Google Agentspace to fetch space permissions, content restrictions, and licensed users' email addresses, so that the correct permissions are applied to the search experience in Google Agentspace.
Make sure that you have the following details:
- Service attachment (required for private destination type only): Configure a service attachment for secure data transfer.
- Username and password: Obtain valid credentials for authentication from your Confluence administrator.
- Domain URL:
- For a private destination type, specify the URL of the Confluence Data Center instance.
- For a public destination type, specify the public URL of the Confluence Data Center instance.
- Optional. Base domain name: Provide the base domain name for the Confluence instance.
- Optional. Destination port: Identify the port used for communication with the Confluence Data Center.
(Required for private destination type only) Use the following configuration guidelines to establish connections with Private Service Connect. Make sure the service attachment is properly configured to connect to the private instance and meets the requirements for a published service. Adjust or add resources as needed to ensure the connection between your private instance and the service attachment.
Configure network settings:
Place the service attachment and load balancer in different subnets within the same Virtual Private Cloud network.
The backend system must remain closed to the public network for security reasons. However, verify it can accept traffic from the following sources:
For proxy-based/HTTP(s) load balancers (L4 proxy ILB, L7 ILB), configure the backend to accept requests from the proxy subnet in the Virtual Private Cloud network.
For more information, see the Proxy-only subnets for Envoy-based load balancers documentation.
Adjust firewall rules:
Ingress rules:
- Allow traffic from the service attachment subnet to the internal load balancer (ILB) subnet.
- Make sure that the ILB can send traffic to the backend.
- Permit health check probes to reach the backend.
Egress rules: Enable egress traffic by default, unless specific deny rules apply.
Generate a service attachment
If your Confluence Data Center destination type is Private, proceed with the following steps to create a Private Service Connect based private connection to your backend:
Set up the environment
To set up the network to support Private Service Connect for private endpoints, do the following:
- Create a new or use an existing Virtual Private Cloud (VPC) network in Google Cloud. This network will host your resources.
- Set up VPC subnets:
- Configure the required subnets within your VPC.
- Ensure these subnets are in the same region where your backend services will reside.
- Allocate a /29 subnet for Private Service Connect NAT: Allocate a dedicated /29 subnet specifically for Private Service Connect NAT. This subnet is essential for the proper functioning of Private Service Connect.
Configure the backend service
This step involves configuring the backend service, which represents your Confluence Data Center instance. This service will be exposed through Private Service Connect. You can choose between using a Hybrid Network Endpoint Group (NEG) with VPN/Interconnect or a Google Cloud VM as a proxy.
The following are the backend service options:
- (Recommended) Hybrid NEG with VPN or Interconnect: For securely connecting on-premises workloads to Google Cloud, it's highly recommended to use a Hybrid NEG in conjunction with a VPN or Cloud Interconnect. To do this, follow these steps:
- Create and register your Hybrid NEG, linking it to your on-premises Confluence Data Center instances through your VPN tunnel or Cloud Interconnect.
- Ensure your Confluence Data Center application on-premises is properly installed and configured to receive traffic from the Hybrid NEG.
- (Optional) Google Cloud VM as a proxy: If a Hybrid NEG setup is not feasible, you may configure a Google Cloud Virtual Machine (VM) to act as a proxy to your on-premises Confluence instance. To do this, follow these steps:
- Provision a Google Cloud VM instance that will serve as the proxy.
- Install and configure the necessary proxy software on this VM to forward traffic to your Confluence Data Center.
- For improved availability and scalability, consider deploying the VM within a Managed Instance Group (MIG).
Set up the internal load balancer (ILB)
To set up an internal load balancer, do the following:
- In the Google Cloud console, go to Network Services > Load Balancing.
- Click Create Load Balancer.
- Configure the load balancer with the following settings:
- Load balancer type: Select Network Load Balancer (TCP/UDP/SSL).
- Proxy or passthrough: Choose Passthrough load balancer.
- External or internal facing: Select Internal.
- Click Configure to proceed.
- Configure backend section:
- In the Backend configuration section, under new backends, select IPv4 stack type.
- In the Instance group section, select the instance group containing your proxy VMs (or NEG) and click Done.
- Configure health check:
- From the Health check list, select Create a health check.
- Configure the health check to allow probes from 130.211.0.0/22 and 35.191.0.0/16.
- Ensure the health check protocol and port align with your backend service.
Configure firewall rules
Configure appropriate firewall rules to allow traffic flow to and from your backend.
- Ingress rules: Create firewall ingress rules to do the following:
- Allow traffic from the Private Service Connect NAT subnet to the internal load balancer (ILB) subnet.
- Allow traffic from the ILB to your backend instances (VMs or NEG endpoints).
- Allow health check probes to reach your backend instances.
- Egress rules: Create firewall egress rules to enable egress traffic by default, unless specific deny rules are in place. If specific deny rules exist, create exceptions for the necessary outbound communication.
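The firewall guidance above can be checked against an export of your rules. The following is an added example, not part of the original page or of any Google tooling: it audits rules shaped like the JSON from `gcloud compute firewall-rules list --format=json` for the required ingress paths and for public exposure of the backend port. The sample rules, the 10.10.0.8/29 NAT subnet, and port 8090 are constructed assumptions, and the check ignores target tags, priorities, and deny rules.

```python
import ipaddress

HEALTH_CHECK_RANGES = ("130.211.0.0/22", "35.191.0.0/16")  # probe ranges named on this page

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "allow-psc-nat", "direction": "INGRESS", "sourceRanges": ["10.10.0.8/29"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8090"]}]},
    {"name": "allow-hc", "direction": "INGRESS", "sourceRanges": ["130.211.0.0/22"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8000-9000"]}]},
]

def _port_match(allowed, port):
    """True if one `allowed` entry admits tcp/<port>; no `ports` key means all ports."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return False
    for spec in allowed.get("ports") or [str(port)]:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _covers(rule, cidr, port):
    """True if an enabled ingress allow rule admits tcp/<port> from every address in cidr."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return False
    want = ipaddress.ip_network(cidr)
    sources = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
    src_ok = any(s.version == want.version and want.subnet_of(s) for s in sources)
    return src_ok and any(_port_match(a, port) for a in rule.get("allowed", []))

def audit(rules, psc_nat_cidr, port):
    """Return findings; an empty list means the rules match the guidance above."""
    findings = []
    if ipaddress.ip_network(psc_nat_cidr).prefixlen != 29:
        findings.append("PSC NAT subnet is not the /29 the page calls for")
    for cidr in (psc_nat_cidr, *HEALTH_CHECK_RANGES):
        if not any(_covers(r, cidr, port) for r in rules):
            findings.append(f"no ingress allow for {cidr} on tcp/{port}")
    for r in rules:
        if _covers(r, "0.0.0.0/0", port):
            findings.append(f"rule {r['name']} exposes tcp/{port} to the public network")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "10.10.0.8/29", 8090):  # 8090: assumed backend port
        print(finding)
```

With the constructed sample, the audit reports that the second health check range has no matching ingress rule.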
Create and publish the Private Service Connect service attachment
This is the final step, in which you create your Private Service Connect service attachment and make it discoverable.
- Verify that the Private Service Connect API is enabled in your Google Cloud project.
- Create the Private Service Connect service attachment:
- Navigate to Network Services > Private Service Connect.
- Click Publish service.
- In the Load balancer list, select the internal load balancer that you configured.
- Configure the producer forwarding rule to point to your internal load balancer.
- Make sure that the service attachment is discoverable by the Agentspace environment.
Create a Confluence Data Center user and set up permissions
To enable Agentspace to obtain data from Confluence, you need to create a new user and assign administrator permission to the user. This is because only Confluence administrators can view and manage permissions across all spaces.
Sign in as an administrator:
- Go to your Atlassian domain site and open the Confluence Data Center instance.
- Enter the administrator username and password.
- Click Log In.
Create a new user:
When creating a data store, you must create a user to obtain data from the third-party instance.
- Click the settings icon.
- Select User management.
- Enter the administrator credentials, if prompted.
- In the Administration page, click Create user.
- Enter the email address, full name, username, and password.
- Click Create user.
Configure user permissions:
- In the Confluence administration page, navigate to the Users and security tab and click Groups.
- Search for the confluence-administrators group and add the newly created user to this group.
Create a Confluence Data Center On-premises data store
Console
In the Google Cloud console, go to the Agentspace page.
In the navigation menu, click Data stores.
Click Create data store.
On the Select a data source page, scroll or search for Confluence data center to connect your third-party source.
Enter your authentication information and click Continue.
From the Destination type drop-down list, select Public or Private.
For Public destination type, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console.
For Private destination type, enter all the required information:
If the region of the service attachment is different from the region of your data connector, select Enable PSC Global Access.
For instance with the Domain URL:
- Service attachment: Enter your service attachment.
- Optional: Base domain name: Enter your base domain.
- Domain URL: Enter your domain URL.
- Optional: Destination port: Enter your destination port.
For instance without Domain URL:
- Service attachment: Enter your service attachment.
- Optional: Destination port: Enter your destination port.
Click Continue.
Optional: Advanced options: Select and enable Proxy settings and SSL settings, if required.
Under the Entities to sync, select all the required entities to sync and click Continue.
Select the Sync frequency for Full sync and the Incremental sync frequency for Incremental data sync. For more information, see Sync frequency.
If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options.
Figure: Setting separate schedules for full entity sync and full identity sync.
Select a region for your data connector and enter a name for your data connector.
For Private destination type, after you submit the details for the connector, VAIS sends a connection request to your Private Service Connect. Navigate to your connector to see a message to allowlist a projectId in the Private Service Connect. The connector remains in the Error state until you allow the connection in Private Service Connect. When you accept the connection request, the connector moves to the Active state during the next sync run. If you configure your Private Service Connect to accept all connections, the connector automatically moves to the Active state after creation.
For Public destination type, the connector automatically moves to the Active state after submission.
To verify the state of the data store and the ingestion activity, do the following:
Navigate to the connector in the data store list and monitor its state until it changes to Active.
After the connector state changes to Active, click the required entity and confirm that all selected entities are ingested. The data store state transitions from Creating to Running when synchronization begins and changes to Active once ingestion completes, indicating that the data store is set up. Depending on the size of your data, ingestion can take several hours.
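The Private Service Connect acceptance behavior described in the steps above can be reviewed from the producer side. The following is an added example, not part of the original page: it inspects a dict shaped like the output of `gcloud compute service-attachments describe --format=json` and reports whether the attachment accepts all connections, whether the project ID shown on the connector is allowlisted, and which consumers are connected. The sample data and project names are constructed placeholders, and it assumes the consumer project can be read from the endpoint URL and that accept-list entries use project IDs rather than numbers.

```python
import re

# Constructed sample; project names are placeholders, not real values.
SAMPLE_ATTACHMENT = {
    "connectionPreference": "ACCEPT_MANUAL",
    "consumerAcceptLists": [{"projectIdOrNum": "other-team-project", "connectionLimit": 5}],
    "connectedEndpoints": [
        {"status": "PENDING",
         "endpoint": "https://www.googleapis.com/compute/v1/projects/"
                     "connector-project-placeholder/regions/us-central1/forwardingRules/fr-1"},
        {"status": "ACCEPTED",
         "endpoint": "https://www.googleapis.com/compute/v1/projects/"
                     "other-team-project/regions/us-central1/forwardingRules/fr-2"},
    ],
}

def review_attachment(attachment, connector_project):
    """Return findings about who can reach the backend through this attachment."""
    findings = []
    accepted = {e.get("projectIdOrNum") for e in attachment.get("consumerAcceptLists", [])}
    if attachment.get("connectionPreference") == "ACCEPT_AUTOMATIC":
        # Matches the page's "accept all connections" case: no per-project gate.
        findings.append("accepts all connections: every consumer project is auto-accepted")
    elif connector_project not in accepted:
        findings.append(f"{connector_project} not in accept list: connector stays in Error")
    for ep in attachment.get("connectedEndpoints", []):
        match = re.search(r"/projects/([^/]+)/", ep.get("endpoint", ""))
        project = match.group(1) if match else "unknown"
        if ep.get("status") == "ACCEPTED" and project != connector_project:
            findings.append(f"unexpected accepted consumer: {project}")
        elif ep.get("status") == "PENDING" and project == connector_project:
            findings.append("connector request is pending acceptance")
    return findings

if __name__ == "__main__":
    for finding in review_attachment(SAMPLE_ATTACHMENT, "connector-project-placeholder"):
        print(finding)
```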
Next steps
To attach your data store to an app, create an app and select your data store following the steps in Create a search app.
To preview how your search results appear after your app and data store are set up, see Get search results. If you used third-party access control, see Preview results for apps with third-party access control.
To enable alerts for the data store, see Configure alerts for third-party data stores.