Configure Private Service Connect interfaces
Stay organized with collections Save and categorize content based on your preferences.

Datastream uses Private Service Connect interfaces to let you replicate data in a way that keeps the traffic entirely within Google Cloud.

A Private Service Connect interface is a resource that lets a producer Virtual Private Cloud (VPC) network initiate connections to and receive connections from a network attachment in a consumer VPC network. Producer and consumer networks can be in different projects and organizations.

Figure 1. Private Service Connect interfaces let service producers initiate connections to service consumers.

For key term definitions, see the section that follows.

For more information about Private Service Connect, see the Virtual Private Cloud documentation.

Key terms

This section provides an overview of key terms and concepts that apply to Private Service Connect.

Producer: an entity, typically a service or a VM within a VPC network, that initiates the connection to the consumer network. The producer delivers the service: in the Datastream context, it fetches and replicates data to a destination.
Consumer: an entity, typically a VM within a VPC network, that receives the connection from the producer. When the consumer accepts the connection, Google Cloud allocates the Private Service Connect interface an IP address from a subnet in the consumer VPC network that's specified by the network attachment. The VM of the Private Service Connect interface has a second network interface that connects to the producer's VPC network.
Network attachment: a regional resource that lets a producer VPC network initiate connections to a consumer VPC network through a Private Service Connect interface. In the consumer VPC network, the network attachment acts as a designated entry point for connections from Private Service Connect interfaces in the producer network. When a Private Service Connect interface is established on a network attachment, the producer VM is assigned an IP from the subnet of the network attachment. The virtual machine instance of the Private Service Connect interface has at least one more regular network interface that connects to a producer subnet. For more information, see About network attachments.
Producer project: a Google-owned project where the virtual machines (VMs) running Datastream are hosted. To access resources in the customer VPC, the Datastream VMs use the IP address that the Private Service Connect network interface assigns from its subnet.

Private Service Connect prerequisites

Before you create a private connectivity configuration using a Private Service Connect interface, you need to take the following steps so that Datastream can establish a connection to your project:

Have a VPC network that you can connect to the Datastream private network. For more information about creating a VPC network, see Create and manage VPC networks.
Create a network attachment in your VPC project.
Verify that Google Cloud and the on-premises firewall allow traffic from the network attachment IP address range to the source database from which you want to stream data.

Pricing

Data ingress and egress through Private Service Connect is charged. For more information, see the Private Service Connect pricing.

Required roles and permissions

To get the permissions that you need to create a network attachment, ask your administrator to grant you the following Identity and Access Management (IAM) roles on your project:

Create, view, and delete network attachments: Compute Network Admin (roles/compute.networkAdmin)

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

For more information about access control options in Datastream, see Access control with IAM.