Set up a Private Service Connect (GCP)
This guide demonstrates the procedure for setting up a private link from a Zilliz Cloud cluster to your service hosted in different GCP VPCs.
This feature is exclusively available to Dedicated (Enterprise) clusters.
A private link is set up at the project level and is effective for all clusters deployed within the same cloud provider and region under this project.
Zilliz Cloud does not charge you for private links. However, your cloud provider may charge you for each endpoint that you create to access Zilliz Cloud.
Before you start​
Make sure the following condition is met:
- A Dedicated (Enterprise) cluster has been created. For information on how to create a cluster, see Create Cluster.
Create private endpoint​
Zilliz Cloud offers you an intuitive web console to add a private endpoint. Navigate to your target project and click Network > Private Endpoint in the left navigation. Click + Private Endpoint.
Select a cloud provider and region​
To create a private endpoint for a cluster deployed in a GCP region, select GCP from the Cloud Provider drop-down list. In Region, select the region that accommodates the cluster you want to access privately. Click Next.
For more information on available cloud providers and regions, see Cloud Providers & Regions.
Create an endpoint​
You need to complete this step on your cloud provider console using either the UI console or CLI.
-
Via UI console
To create an endpoint on the Google Cloud UI console, refer to this documentation for step-by-step instructions.
Note that for Step 5 in the doc above, use as the service attachment URI you copied from Zilliz Cloud console.
-
Via CLI
-
Switch to the Via CLI tab.
-
Enter the Project ID.
To obtain a Google Cloud project ID,
-
Open the Google Cloud Dashboard.
-
Find the Project ID of your desire and copy its ID.
-
Enter this ID in Google Cloud Project ID on Zilliz Cloud.
-
-
Enter the VPC Name.
Before creating a VPC endpoint, you need to have a VPC on your GCP console. To view your VPCs, do as follows:
-
Open the Google Cloud VPC Dashboard.
-
In the navigation pane, choose VPC networks.
-
Find the VPC of your desire and copy its Name.
-
Enter this name in VPC Name on Zilliz Cloud.
To create a VPC network, see Create and manage VPC networks.
-
-
Enter the Subnet Name.
Subnets are sub-divisions of your VPC. You need to have a subnet that resides in the same region as the private link to be created. To view your subnets, do as follows:
-
Open your VPC network list.
-
In the navigation pane, choose VPC networks.
-
Click the name of the VPC of your desire.
-
Find the subnet of your desire and copy its name.
-
Enter this name in Subnet Name on Zilliz Cloud.
-
-
Enter the Private Service Connect Endpoint Prefix.
For your convenience, you are required to set an endpoint prefix in Private Service Connect Endpoint prefix so that any forwarding rules you create will have this prefix.
-
Click Copy and Go.
You will be redirected to your cloud provider console. In the top navigation, activated the Google Cloud Cloud Shell. Run the CLI command you just copied from Zilliz Cloud in the Cloud Shell.
When the endpoint is created, navigate to the Google Cloud Private Service Connect page and copy the name of the endpoint you just created.
-
Authorize your endpoint​
Obtain a private link​
After verifying and accepting the preceding attributes you have submitted, Zilliz Cloud allocates a private link for this endpoint. This process takes about 5 minutes.
When the private link is ready, you can view it on the Private Link page on Zilliz Cloud.
Set up firewall rules and a DNS record​
Before you can access your cluster via the private link allocated by Zilliz Cloud, it is necessary to create a CNAME record in your DNS zone to resolve the private link to the DNS name of your VPC endpoint.
Create firewall rules​
To allow private access to your managed cluster, add appropriate firewall rules. The following snippet shows how to allow traffic through TCP port 22. Note that you need to set VPC_NAME to the name of your VPC.
VPC_NAME={{vpc-name}};
gcloud compute firewall-rules create psclab-iap-consumer --network $VPC_NAME --allow tcp:22 --source-ranges=35.235.240.0/20 --enable-logging
Create a hosted zone using Cloud DNS​
Go to Cloud DNS in your GCP console and create a DNS zone.
-
Select Private in Zone type.
-
Set Zone name to
zilliz-privatelink-zoneor other values that you see fit. -
Set DNS name to the private link obtained in step 7.
A valid DNS name is similar to
in01-xxxxxxxxxxxxxxx.gcp-us-west1.vectordb.zillizcloud.com. -
Select the proper VPC network in Networks.
-
Click CREATE.
Create a record in the hosted zone​
-
In the zone created above, click ADD STANDARD in the RECORD SETS tab.
-
On the Create record set page, create an A record with the default settings.
-
Click SELECT IP ADDRESS in IPv4 Address, and select the IP address of your endpoint.
-
Click CREATE.
Manage internet access to your clusters​
After configuring your private endpoint, you can choose to disable the cluster public endpoints to restrict internet access to your project. Once you have disabled the public endpoint, users can only connect to the cluster using the private link.
To disable public endpoints:
-
Go to the Cluster Details page of your target cluster.
-
Navigate to the Connection section.
-
Click on the configurations icon next to the cluster public endpoint.
-
Read the information and click Disable in the Disable Public Endpoint dialog box.
Private endpoints only impact data plane access. Control plane can still be accessed over the public internet.
After you re-enable the public endpoint, you may need to wait until the local DNS cache to expire before you can access the public endpoint.
Troubleshooting​
Why does it always report Name or service not known when I ping the private link on GCP?​
Check your DNS settings by referring to Set up firewall rules and a DNS record.
-
If the configuration is correct, when you ping your private link, you should see
-
If the configuration is incorrect, when you ping your private link, you may see
