
Set up a Private Service Connect (GCP)

This guide demonstrates the procedure for setting up a private endpoint from a Zilliz Cloud cluster to your service hosted in different GCP VPCs.

This feature is exclusively available to Dedicated (Enterprise) clusters.

📘Notes

Zilliz Cloud does not charge you for private links. However, your cloud provider may charge you for each endpoint that you create to access Zilliz Cloud.

Before you start

Make sure the following conditions are met:

  • You have signed up for Zilliz Cloud.

  • A cluster has been created. For information on how to create a cluster, see Create Cluster.

Add a private endpoint

Zilliz Cloud offers you an intuitive wizard to add a private endpoint. On the Cluster Details tab of any dedicated cluster in your project, click + Private Endpoint and configure the settings.


A private link is a project-level setting. When you configure a private link for a cluster, it also applies to the other clusters in the same project that are deployed in the same cloud region.

Select a cloud provider and region

To create a private endpoint for a cluster deployed in a Google Cloud region, select Google Cloud from the Cloud Provider drop-down list. In Region, select the region that accommodates the cluster you want to access privately. For more information on available cloud providers and regions, see Cloud Providers & Regions.

📘Notes

Once you have created a private link in a project, it applies immediately to the project's Dedicated (Enterprise) clusters deployed in the specified region. For clusters that are undergoing maintenance at that time, such as scaling or patching, the private link applies after the maintenance completes.

Enter Your Google Cloud Project ID and Endpoint

In the Create Private Endpoint dialog box, you also need to enter your Google Cloud project ID and Your Endpoint so that Zilliz Cloud can establish the private connection.


If you do not have this information, click Don't Have a VPC Endpoint? and follow the guidance in the console and in the following sections. Otherwise, enter Your Endpoint and Google Cloud Project ID, click Create, and go to Obtain a private link.

Obtain a Google Cloud project ID

  1. Open the Google Cloud Dashboard.

  2. Find the project you want and copy its Project ID.

  3. Enter this ID in Google Cloud Project ID on Zilliz Cloud.

Obtain a VPC name

Before creating a VPC endpoint, you need a VPC in your GCP project. To view your VPCs, do as follows:

  1. Open the Google Cloud VPC Dashboard.

  2. In the navigation pane, choose VPC networks.

  3. Find the VPC you want and copy its Name.

  4. Enter this name in VPC Name on Zilliz Cloud.

To create a VPC network, see Create and manage VPC networks.

Obtain a subnet name

Subnets are sub-divisions of your VPC. You need to have a subnet that resides in the same region as the private link to be created. To view your subnets, do as follows:

  1. Open your VPC network list.

  2. In the navigation pane, choose VPC networks.

  3. Click the name of the VPC you want.

  4. Find the subnet you want and copy its name.

  5. Enter this name in Subnet Name on Zilliz Cloud.

Set an endpoint prefix

Set an endpoint prefix in Private Service Connect Endpoint prefix. Any forwarding rules you create will carry this prefix, which makes them easy to identify later.

Obtain a private service endpoint

Copy the command generated at the bottom of the Add Private Endpoint dialog box on Zilliz Cloud, and run it in your GCP Cloud Shell to create a Private Service Connect endpoint.

From the command output, copy the endpoint name.

Then, click Back to Create Private Endpoint and enter the copied name in Your Endpoint.

After Zilliz Cloud verifies and accepts the attributes you submitted, it allocates a private link for this endpoint. You can view the link on the details tab of your cluster.

Set up firewall rules and a DNS record

Before you can access your cluster through the private link allocated by Zilliz Cloud, you must create a CNAME record in your DNS zone that resolves the private link to the DNS name of your VPC endpoint.

Create firewall rules

To allow private access to your managed cluster, add the appropriate firewall rules. The following snippet allows traffic on TCP port 22 from the given source range and enables logging for the rule. Replace {{vpc-name}} with the name of your VPC.

    # Name of the VPC the rule applies to (replace the placeholder)
    VPC_NAME={{vpc-name}}

    # Allow TCP port 22 from the source range and log matching connections
    gcloud compute firewall-rules create psclab-iap-consumer \
      --network "$VPC_NAME" \
      --allow tcp:22 \
      --source-ranges=35.235.240.0/20 \
      --enable-logging

Create a hosted zone using Cloud DNS

Go to Cloud DNS in your GCP console and create a DNS zone.


  1. Select Private in Zone type.

  2. Set Zone name to zilliz-privatelink-zone or other values that you see fit.

  3. Set DNS name to the private link allocated by Zilliz Cloud (see Obtain a private service endpoint).

    A valid DNS name is similar to in01-xxxxxxxxxxxxxxx.gcp-us-west1.vectordb.zillizcloud.com.

  4. Select the proper VPC network in Networks.

  5. Click CREATE.

Create a record in the hosted zone

  1. In the zone created above, click ADD STANDARD in the RECORD SETS tab.

  2. On the Create record set page, create an A record with the default settings.


  3. Click SELECT IP ADDRESS in IPv4 Address, and select the IP address of your endpoint.


  4. Click CREATE.

Manage internet access to your clusters

After configuring your private endpoint, you can disable the cluster's public endpoint to block access from the internet. Once the public endpoint is disabled, users can connect to the cluster only through the private link.

To disable public endpoints:

  1. Go to the Cluster Details page of your target cluster.

  2. Navigate to the Connection section.

  3. Click on the configurations icon next to the cluster public endpoint.

  4. Read the information and click Disable in the Disable Public Endpoint dialog box.

📘Notes
  • Private endpoints only affect data plane access. The control plane can still be accessed over the public internet.

  • After you re-enable the public endpoint, you may need to wait for the local DNS cache to expire before you can access the public endpoint.


Troubleshooting

Check your DNS settings by referring to Set up firewall rules and a DNS record.

  • If the configuration is correct, pinging your private link produces the output shown in the screenshot private_link_gcp_ts_01.

  • If the configuration is incorrect, pinging your private link may produce the output shown in the screenshot private_link_gcp_ts_02.
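The same DNS setup and check, scripted for Cloud Shell as an added example (not code from the Zilliz Cloud guide): it creates the private zone and A record with gcloud instead of the console, then verifies that the private link resolves to the endpoint's private address rather than a public one. VPC_NAME, ENDPOINT_IP and the private link value are assumed placeholders; replace them with your own.

```shell
#!/bin/sh
# Added example: script the Cloud DNS steps from the guide and verify resolution.
# All values below are assumed placeholders; replace them with your own.
set -eu

ZONE_NAME="zilliz-privatelink-zone"                                        # zone name used in the guide
PRIVATE_LINK="in01-xxxxxxxxxxxxxxx.gcp-us-west1.vectordb.zillizcloud.com"  # constructed placeholder
VPC_NAME="${VPC_NAME:-my-vpc}"                                             # assumed VPC name
ENDPOINT_IP="${ENDPOINT_IP:-10.0.0.5}"                                     # assumed PSC endpoint address

# Create a private zone visible only to the VPC, then an A record that
# maps the private link to the endpoint's IP address (the console steps above).
create_private_link_dns() {
  gcloud dns managed-zones create "$ZONE_NAME" \
    --dns-name="${PRIVATE_LINK}." \
    --description="Zilliz Cloud private link" \
    --visibility=private \
    --networks="$VPC_NAME"
  gcloud dns record-sets create "${PRIVATE_LINK}." \
    --zone="$ZONE_NAME" --type=A --ttl=300 --rrdatas="$ENDPOINT_IP"
}

# Return 0 when the address is inside an RFC 1918 range, 1 otherwise.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the private link from inside the VPC and confirm it maps to the
# expected private endpoint; a public answer means the zone is not attached
# to this VPC or the record is wrong. Uses getent, available on any Linux VM.
check_private_link() {
  resolved=$(getent ahostsv4 "$PRIVATE_LINK" | awk 'NR==1 {print $1}')
  [ -n "$resolved" ] || { echo "no answer for $PRIVATE_LINK"; return 1; }
  if [ "$resolved" = "$ENDPOINT_IP" ] && is_rfc1918 "$resolved"; then
    echo "OK: $PRIVATE_LINK -> $resolved (private endpoint)"
    return 0
  fi
  echo "MISMATCH: $PRIVATE_LINK -> $resolved, expected $ENDPOINT_IP; check the Cloud DNS zone"
  return 1
}
```

Run check_private_link from a VM attached to the VPC; the same hostname resolved from outside the VPC will not give the private answer.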