GCP private networking setup

ClickHouse BYOC on GCP supports two private connection options including VPC Peering and Private Service Connect. Traffic flows entirely within the GCP network, never traversing the public internet.

Prerequisites

Common steps required by both vpc peering and Private Service Connect.

Enable private load balancer for ClickHouse BYOC

Contact ClickHouse Support to enable Private Load Balancer.

Setup VPC peering

Please familiar yourself with GCP VPC peering feature and note the limitation of VPC peering (for example subnet IP ranges can't overlap across peered VPC networks). ClickHouse BYOC utilizes private load balancer to allow network connectivity through the peering to clickhouse services.

To create or delete VPC peering for ClickHouse BYOC, follow the steps:

The example steps are for a simple scenario, for advanced scenarios such as peering with on-premises connectivity, some adjustments may required.

Create a peering connection

In this example, we are setting up peering between the BYOC VPC network and another existing VPC network.

Navigate to the "VPC Network" in ClickHouse BYOC Google Cloud Project.
Select "VPC network peering".
Click "Create connection".
Input the necessary fields as per your requirements. Below is a screenshot for creating a peering within same GCP project.

GCP VPC peering requires 2 connections between the 2 network created to work (i.e. a connection from BYOC network to the existing VPC network and a connection from the existing VPC network to the BYOC network). So we need to similarly create 1 more connection in reverse direction, below is a screenshot for the second peering connection creation:

After both connections are created, the status of the 2 connections should become "Active" after refresh the google cloud console webpage:

The ClickHouse service should now be accessible from the peered VPC.

To access ClickHouse privately, a private load balancer and endpoint are provisioned for secure connectivity from the user's peered VPC. The private endpoint follows the public endpoint format with a -private suffix. For example:

Public endpoint: h5ju65kv87.mhp0y4dmph.us-east1.gcp.byoc.clickhouse.cloud
Private endpoint: h5ju65kv87-private.mhp0y4dmph.us-east1.gcp.byoc.clickhouse.cloud

Setup PSC (Private Service Connect)

GCP PSC (Private Service Connect) provides secure, private connectivity to your ClickHouse BYOC services without requiring VPC peering or internet gateways.

Request PSC service setup

Contact ClickHouse Support to request PSC service setup for your BYOC deployment. No specific information is required at this stage—simply indicate that you want to set up PSC connectivity.

ClickHouse Support will enable the necessary infrastructure components, including the private load balancer and PSC Service.

Obtain GCP PSC service name and DNS name

ClickHouse Support will provide you with the PSC Service name. You can also obtain it in the ClickHouse Cloud console, under "Orgainzation" -> "Infrastructure", click into the infra name to see the details.

You can also find the PSC service name in the GCP Private Service Connect console under "Published services" (filter by service name or look for ClickHouse services)

Create an PSC endpoint in your Network

After ClickHouse Support has enabled PSC service on their side, you need to create a PSC endpoint in your client application network to connect to the ClickHouse PSC service.

Create the PSC Endpoint:

Navigate to the GCP Console -> Network Services → Private Service Connect → Connect Endpoint
Select "Published service" for "Target" and input the PSC service name obtained at last step to "Target details"
Input a valid endpoint name
Choose your network and select subnets (This is the network where your client application will be connecting from)
Choose or create a new IP address for the endpoint, the IP address needs to be used by step Set private DNS name for endpoint
Click "Add Endpoint", wait a momemt for the endpoint to be created.
The endpoint status should become "Accpeted", contact ClickHouse support if it's not auto-accepted.

Obtain PSC Connection ID:

Click into the endpoint detail and obtain the "PSC Connection ID" to be used by step Add endpoint's PSC Connection ID to service allowlist

Set private DNS name for endpoint

Note

There are various ways to configure DNS. Please set up DNS according to your specific use case.

You need to point all subdomains (wildcard) of the "DNS name", taken from Obtain GCP PSC service name and DNS name step, to GCP PSC endpoint IP address. This ensures that services/components within your VPC/Network can resolve it properly.

Add endpoint's PSC Connection ID to service allowlist

Once your PSC endpoint is created and the status is "Accepted", you need to add the Endpoint's PSC Connection ID to the allowlist for each ClickHouse service you want to access via PSC.

Contact ClickHouse Support:

Provide the Endpoint's PSC Connection IDs to ClickHouse Support
Specify which ClickHouse services should allow access from this endpoint
ClickHouse Support will add the Endpoint Connection IDs to the service allowlist

Connect to ClickHouse via PSC

After the Endpoint Connection IDs is added to the allowlist, you can connect to your ClickHouse service using the PSC endpoint.

The PSC endpoint format is similar to the public endpoint, but includes a p subdomain. For example:

Public endpoint: h5ju65kv87.mhp0y4dmph.us-east1.gcp.clickhouse-byoc.com
PrivateLink endpoint: h5ju65kv87.p.mhp0y4dmph.us-east1.gcp.clickhouse-byoc.com

Prerequisites​

Enable private load balancer for ClickHouse BYOC​

Setup VPC peering​

Create a peering connection​

Setup PSC (Private Service Connect)​

Request PSC service setup​

Obtain GCP PSC service name and DNS name​

Create an PSC endpoint in your Network​

Set private DNS name for endpoint​

Add endpoint's PSC Connection ID to service allowlist​

Connect to ClickHouse via PSC​