
Configure a Customer-Managed VPC

The Zilliz Cloud Bring-Your-Own-Cloud (BYOC) solution enables you to set up a project within your own Virtual Private Cloud (VPC). With a Zilliz Cloud project running in a customer-managed VPC, you gain greater control over your network configurations, allowing you to meet specific cloud security and governance standards required by your organization.

This page lists the minimum requirements for hosting a Zilliz Cloud BYOC project in a customer-managed VPC, and then walks through creating a VPC that meets them.

📘Notes

Zilliz BYOC is currently generally available. For access and implementation details, please contact Zilliz Cloud sales.

VPC requirements

Your VPC must meet the requirements enumerated in this section to host a Zilliz Cloud project. If you prefer to use an existing VPC for your BYOC project, ensure that your VPC meets these requirements.

VPC regions

The following table lists the Google Cloud Platform (GCP) regions the Zilliz Cloud BYOC solution supports. If you cannot find your cloud regions on the Zilliz Cloud console, please contact us at support@zilliz.com.

GCP Region | Location
us-west1   | Oregon

VPC IP address ranges

Zilliz Cloud recommends using the /18 netmask in IPv4 CIDR settings for the VPC, allowing a public subnet and three private subnets to be created from the CIDR block.

📘Notes

Zilliz Cloud currently supports only IPv4 CIDR blocks.

Subnets

A Zilliz Cloud BYOC project requires one primary subnet with a primary IPv4 range and two secondary IPv4 ranges, along with a separate load balancing subnet.

Cloud Router and NAT

A Google Cloud Router is required to allow dynamic route exchange between your VPC and other networks. You must also add a NAT gateway to allow the VMs and container pods on your VPC to communicate with Zilliz Cloud's VPC network.

Firewall Rules

You need to create two ingress firewall rules: one allows Zilliz Cloud to perform health checks against the clusters within your BYOC project, and the other allows the VM instances within your VPC network to communicate with each other.

Private Service Connect (PSC) endpoint

The PSC endpoint is optional and will be used when you configure private endpoints for your BYOC clusters.

Procedure

On the GCP dashboard, you can create the VPC and related resources enumerated in VPC requirements. Alternatively, you can use the Terraform script Zilliz Cloud provides to bootstrap the infrastructure for your Zilliz Cloud project on GCP. For details, refer to Terraform Provider.

Step 1: Create a VPC network and add the primary subnet

You will create a VPC network and add the primary subnet in this step. The primary subnet includes a primary IPv4 address range and two secondary IPv4 address ranges for container pods and services.

The steps to create a VPC network and add the primary subnet are as follows:

  1. On the GCP console, find and click VPC network.

  2. Click Create VPC network.

  3. Set a name for the VPC and the primary subnet to create.

    In this demo, you can set it to primary-subnet, or name the subnet according to your naming conventions.

  4. Select the region for the primary subnet.

    The region should be the same as your Zilliz BYOC project.

  5. Set the primary IPv4 range for the primary subnet.

    In this demo, you can set it to 10.7.0.0/18 or use the planned network segment.

  6. Set the name and IPv4 address range of the secondary IPv4 range for container pods.

    In this demo, you can set the name to pod-subnet and range to 10.7.64.0/18, or follow your naming conventions and networking plan.

  7. Click Add a Secondary IPv4 range to add a secondary IPv4 range for services, and set its name and range.

    In this demo, you can set the name to service-subnet and range 10.7.128.0/18, or follow your naming conventions and networking plan.

  8. Leave the rest in default settings and click Create.

Step 2: Add the load-balancing subnet

You will add a proxy-only subnet reserved for the regional Application Load Balancer in this step.

The steps for adding this subnet are as follows:

  1. On the GCP console, find and click VPC network.

  2. Filter the VPC network created in the previous step.

  3. Click its name to view its details.

  4. Switch to the Subnets tab, and click Add subnet.

  5. Set a name for the subnet to create.

    In this demo, you can set it to lb-subnet, or name the subnet according to your naming conventions.

  6. Select the region for the load-balancing subnet.

    The region should be the same as your Zilliz BYOC project.

  7. Select Regional Managed Proxy in Purpose.

    For details about this option and proxy-only subnets, refer to the Google Cloud documentation on proxy-only subnets.

  8. Set the primary IPv4 range for this subnet.

    In this demo, you can set it to 10.7.192.0/18 or use the planned network segment.

  9. Click Add.

Step 3: Set up the Cloud Router and NAT gateway

You will configure a Cloud Router and a NAT gateway to enable network address translation for the traffic between your VPC and that of Zilliz Cloud.

The steps to set up the Cloud Router and NAT gateway are as follows:

  1. On the GCP console, find and click Network Connectivity.

  2. Choose Cloud Router in the left navigation pane.

  3. Click Create router.

  4. Set the name for the router to create.

    Set it to your-org-byoc-router in this demo, or follow your naming conventions.

  5. Select the VPC network created in Step 1.

    In this demo, select your-org-byoc-vpc.

  6. Select the region for the router to create.

    In this demo, select us-west1 (Oregon).

  7. Click Create.

  8. Click the name of the router listed in the Routers list.

  9. Scroll down and click Add Cloud NAT gateway.

  10. Set the name for the NAT gateway to create.

    Set it to your-org-byoc-nat in this demo, or follow your naming conventions.

  11. Select Manual in Cloud NAT IP address.

    You need to create a new IP address as follows:

    1. Select Create IP address from the drop-down list in IP address 1.

    2. In the prompted dialog box, set a name for the IP address to reserve and click Reserve.

      Set it to your-org-byoc-nat-ip in this demo, or follow your naming conventions.

  12. Once the new IP address has been reserved for the NAT gateway, click Create.

Step 4: Add firewall rules

You will add two firewall rules in this step. The first rule is to enable health checks against BYOC clusters deployed on your VPC network, and the second is to enable communications between all VMs with the target tag zilliz-byoc.

The steps to add these firewall rules are as follows:

  1. On the GCP console, find and click VPC network.

  2. Filter the VPC network created in Step 1.

  3. Click the name of the VPC network to view its details.

  4. Switch to the Firewalls tab.

  5. Click Add Firewall rule and create each of the following two rules.

    • The firewall rule for health checks against BYOC clusters:

      Name: Ingress-rule-for-health-checks
      Targets: All instances in the network
      Source IPv4 ranges: 130.211.0.0/22, 35.191.0.0/16
      Protocols and ports: Specified protocols and ports, TCP 19530

    • The firewall rule for local traffic between tagged VMs on the VPC network:

      Name: Ingress-rule-for-local-traffic
      Targets: Specified target tags
      Target tags: zilliz-byoc
      Source IPv4 ranges: IPv4 address range of the primary subnet
      Protocols and ports: Allow all

Step 5: (Optional) Create a PSC endpoint

You will add a PSC endpoint so that communications between your VPC and Zilliz Cloud do not traverse the public Internet.

The steps for creating the PSC endpoint are as follows:

  1. On the GCP console, find and click Network Services.

  2. Choose Private Service Connect from the left navigation pane.

  3. Click Connect Endpoint.

  4. Select Published service in Target.

  5. Enter the service attachment ID that Zilliz Cloud provides.

    The following table lists the service attachment ID for each available cloud region.

    Region   | Service Attachment ID
    us-west1 | projects/vdc-prod/regions/us-west1/serviceAttachments/zilliz-byoc-psc-service

  6. Set a name for the endpoint service.

  7. Select the VPC network and its primary subnet created in Step 1.

  8. Assign an IP address to the endpoint.

    In the prompted dialog box, do as follows:

    1. Set a name for the IP address.

    2. Select Assign automatically in Static IP address.

    3. Click Reserve.

  9. Click Add endpoint.
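The address plan from Steps 1 and 2 and the two firewall rules from Step 4 are easy to get subtly wrong (an overlapping secondary range, or an allow-all rule whose source is wider than the primary subnet). The following script is an added example, not part of the Zilliz Cloud documentation or tooling: it carves the four /18 ranges used in this demo from an assumed 10.7.0.0/16 base block, builds the two ingress rules with the page's values, and lints the result before anything is applied to GCP.

```python
import ipaddress
from typing import Dict, List

# Values taken from the procedure above; the /16 base is an assumption that
# reproduces the demo ranges (four /18 blocks carved from 10.7.0.0/16).
HEALTH_CHECK_SOURCES = ("130.211.0.0/22", "35.191.0.0/16")
MILVUS_PORT = 19530
SUBNET_NAMES = ("primary-subnet", "pod-subnet", "service-subnet", "lb-subnet")


def plan_subnets(base: str = "10.7.0.0/16") -> Dict[str, str]:
    """Carve the primary, pod, service and load-balancer ranges as /18 blocks."""
    net = ipaddress.ip_network(base)
    if net.version != 4:  # Zilliz Cloud currently supports only IPv4 CIDR blocks
        raise ValueError("only IPv4 CIDR blocks are supported")
    blocks = list(net.subnets(new_prefix=18))
    if len(blocks) < len(SUBNET_NAMES):
        raise ValueError(f"{base} is too small for four /18 subnets")
    return dict(zip(SUBNET_NAMES, (str(b) for b in blocks)))


def firewall_rules(primary_range: str) -> List[dict]:
    """The two ingress rules from Step 4, as plain dicts."""
    return [
        {"name": "Ingress-rule-for-health-checks", "targets": "all",
         "sources": list(HEALTH_CHECK_SOURCES), "allow": [f"tcp:{MILVUS_PORT}"]},
        {"name": "Ingress-rule-for-local-traffic", "targets": ["zilliz-byoc"],
         "sources": [primary_range], "allow": ["all"]},
    ]


def lint_plan(subnets: Dict[str, str], rules: List[dict]) -> List[str]:
    """Return human-readable findings; an empty list means the plan is sound."""
    findings = []
    nets = {n: ipaddress.ip_network(c) for n, c in subnets.items()}
    names = list(nets)
    for i, a in enumerate(names):  # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    for rule in rules:
        if "0.0.0.0/0" in rule["sources"]:
            findings.append(f"{rule['name']}: open to the Internet")
        if rule["allow"] == ["all"] and rule["targets"] == "all":
            findings.append(f"{rule['name']}: allow-all rule applied to every instance")
        if rule["allow"] == ["all"] and rule["sources"] != [subnets["primary-subnet"]]:
            findings.append(f"{rule['name']}: allow-all source is not the primary subnet")
        if rule["name"].endswith("health-checks") and set(rule["sources"]) != set(HEALTH_CHECK_SOURCES):
            findings.append(f"{rule['name']}: source must be the GCP health-check ranges")
    return findings
```

Run `lint_plan(plan, firewall_rules(plan["primary-subnet"]))` on your own plan before creating the resources; any non-empty result names the range or rule to revisit.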