This repository has been archived by the owner on Jan 29, 2024. It is now read-only.
Google Private Service Connect setup instructions
1 parent 564a4bf, commit d9518ef
Showing 3 changed files with 189 additions and 0 deletions.
docs/platform/howto/use-google-private-service-connect.rst: 186 additions & 0 deletions
@@ -0,0 +1,186 @@ | ||
Use Google Private Service Connect with Aiven services |beta| | ||
============================================================= | ||
|
||
Discover Google Private Service Connect and benefits of using it with your Aiven services. Learn how to enable Google Private Service Connect for Aiven services. | ||
|
||
.. important:: | ||
|
||
Google Private Service Connect is in beta, and it is currently supported for Aiven for Apache Kafka®. Contact [email protected] to enable it on your Aiven projects. | ||
|
||
About Private Service Connect | ||
----------------------------- | ||
|
||
Private Service Connect lets you bring your Aiven services into your networks (virtual private clouds) over a private endpoint. The endpoint receives a private IP address from a range that you assign. Next, connectivity over the private endpoint is routed to your Aiven service. | ||
|
||
.. note:: | ||
|
||
For consistency, Google Private Service Connect is called *privatelink* in Aiven tools. This applies to all clouds, including Google Cloud. | ||
|
||
Prerequisites | ||
------------- | ||
|
||
Your Aiven service is hosted in :doc:`a project virtual private cloud (VPC) </docs/platform/howto/manage-vpc-peering>` in the region where the connecting endpoint will be created. | ||
|
||
.. note:: | ||
Private Service Connect endpoints are service specific. For each service you wish to connect to, you need to create a separate endpoint. | ||
|
||
Set up a Private Service Connect connection | ||
------------------------------------------- | ||
|
||
Step 1: Enable Private Service Connect for a service | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
Using the Aiven CLI, enable a Private Service Connect for your Aiven service: | ||
|
||
.. code:: shell | ||
avn service privatelink google create MY_SERVICE_NAME | ||
.. note:: | ||
For publishing a service over Private Service Connect, a dedicated address range needs to be allocated at the publishing / Aiven end. Aiven reserves network 172.24.0.0/16 for this purpose and forbids creating project VPCs in Google Cloud overlapping with this range. | ||
|
||
Creating a privatelink usually takes a minute or two. | ||
|
||
You can use the following command to see the current state: | ||
|
||
.. code:: shell | ||
avn service privatelink google get MY_SERVICE_NAME | ||
When the state has changed from ``creating`` to ``active``, resources at Aiven end have been allocated, and it's possible to create connections. | ||
|
||
When the privatelink has been successfully created, you can expect an output similar to the following: | ||
|
||
.. code:: shell | ||
GOOGLE_SERVICE_ATTACHMENT STATE | ||
==================================================================================== ====== | ||
projects/aivenprod/regions/europe-west1/serviceAttachments/privatelink-s3fd836dfc60 active | ||
.. note:: | ||
The GOOGLE_SERVICE_ATTACHMENT value is used to connect an endpoint on the client side to the Aiven service. | ||
|
||
Step 2: Create a Private Service Connect connection | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
You can now create an PSC endpoint and connection to the Aiven service within the `Google Console <https://console.cloud.google.com/net-services/psc/addConsumer>`_. | ||
|
||
1. Select **Published service** as **Target type**. | ||
|
||
.. note:: | ||
**Target service** should be the GOOGLE_SERVICE_ATTACHMENT value/URI from the previous step. | ||
|
||
2. Select an existing subnet hosting your side of the endpoint. | ||
|
||
After the endpoint is created, it initially exists in the ``pending`` state. To allow connections via the endpoint, it needs to be accepted at the service publisher (Aiven) end. | ||
|
||
.. tip:: | ||
If you use an automatically-assigned IP address, note the IP address associated with the endpoint so that you can use it the next step. | ||
|
||
Step 3: Approve the created connection | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
1. Update the state of Private Service Connect connections for your Aiven service by running | ||
|
||
.. code:: shell | ||
avn service privatelink google refresh MY_SERVICE_NAME | ||
2. Retry the following command until it returns the pending-user-approval status: | ||
|
||
.. code:: shell | ||
avn service privatelink google connection list MY_SERVICE_NAME | ||
.. code:: shell | ||
PRIVATELINK_CONNECTION_ID PSC_CONNECTION_ID STATE USER_IP_ADDRESS | ||
========================= ================= ===================== =============== | ||
plc3fd852bec98 12870921937223780 pending-user-approval null | ||
.. note:: | ||
* PSC_CONNECTION_ID is the identifier assigned to Google for the connection, and you can use it to verify that the connection is indeed matching your Private Service Connect endpoint. | ||
* PRIVATELINK_CONNECTION_ID is an Aiven internal identifier for the connection, which is needed in the final connection approval step. | ||
|
||
3. To enable a connection, approve it. | ||
|
||
.. note:: | ||
By approving the connection, you provide the IP address assigned to your PSC endpoint - whether automatically assigned or static. Aiven uses this IP address for pointing the service DNS records necessary for the clients to reach the Aiven service through the Private Service Connect connection. | ||
|
||
To approve the connection, run the following approval command: | ||
|
||
.. code:: shell | ||
avn privatelink google connection approve MY_SERVICE_NAME --privatelink-connection-id PRIVATELINK_CONNECTION_ID --user-ip-address PSC_ENDPOINT_IP_ADDRESS | ||
As a result, the connection initially transitions to the user-approved state. | ||
|
||
.. code:: shell | ||
avn service privatelink google connection list MY_SERVICE_NAME | ||
.. code:: shell | ||
PRIVATELINK_CONNECTION_ID PSC_CONNECTION_ID STATE USER_IP_ADDRESS | ||
========================= ================= ============= =============== | ||
plc3fd852bec98 12870921937223780 user-approved 10.0.0.100 | ||
You may be need to run the ``avn service privatelink google refresh`` command at this point since updates to service attachment accept lists are not immediately reflected in the states of returned connected endpoints. | ||
|
||
.. code:: shell | ||
avn service privatelink google refresh MY_SERVICE_NAME | ||
After establishing the connection and populating DNS records , the connection appears as ``active``. | ||
|
||
.. code:: shell | ||
avn service privatelink google connection list MY_SERVICE_NAME | ||
.. code:: shell | ||
PRIVATELINK_CONNECTION_ID PSC_CONNECTION_ID STATE USER_IP_ADDRESS | ||
========================= ================= ====== =============== | ||
plc3fd852bec98 12870921937223780 active 10.0.0.100 | ||
The state of your Private Service Connect endpoint should have transitioned from ``pending`` to ``accepted`` at this point. Private Service Connect connectivity has been established now. | ||
|
||
As the final step, you need to allow connectivity using the Private Service Connect endpoint. | ||
|
||
Step 4: Enable Private Link access service components | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
Finally, enable Private Link access on your Aiven services using either the :doc:`Aiven CLI </docs/tools/cli>` or `Aiven Console <https://console.aiven.io/>`_. | ||
|
||
**Aiven CLI** | ||
|
||
To enable Private Service Connect access for your service in the Aiven CLI, set ``user_config.privatelink_access.<service component>`` to ``true`` for the components you want to enable. Take the following command as an example for Apache Kafka: | ||
|
||
.. code:: shell | ||
avn service update -c privatelink_access.kafka=true MY_SERVICE_NAME | ||
**Aiven Console** | ||
|
||
To enable Private Link access in the `Aiven Console <https://console.aiven.io/>`_, take the following steps: | ||
|
||
1. Select the service that you want to enable access to. | ||
2. On the **Overview** tab, in the **Advanced configuration** section, select **Change**. | ||
3. Select **Add configuration option** and select the ``privatelink_access.<service component>`` option for the components that you want to enable. | ||
4. Toggle the switch next to the components to set the values to ``true``. | ||
5. Select **Save advanced configuration**. | ||
|
||
.. Tip:: | ||
|
||
Each service component can be controlled separately. For example, you can enable Private Service Connect access for your Aiven for Apache Kafka® service while allowing Kafka® Connect to only be connected via VNet peering. | ||
|
||
.. note:: | ||
Connection information, such as the service URI or hostname and port to access the service through the private endpoint, is available on the service's **Overview** page in the `Aiven Console <https://console.aiven.io/>`_. | ||
|
||
Delete a Private Link service | ||
------------------------------ | ||
Use the :doc:`Aiven CLI </docs/tools/cli>` to delete the Private Service Connect connection for a service: | ||
|
||
.. code:: shell | ||
avn service privatelink google delete MY_SERVICE_NAME |
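Review bot: The approval command in step 3 drops the `service` subcommand (`avn privatelink google connection approve MY_SERVICE_NAME ...`), which is inconsistent with every other command in this file (`avn service privatelink google create|get|refresh|connection list|delete`); a reader copying it will get a CLI error, so it should read `avn service privatelink google connection approve MY_SERVICE_NAME --privatelink-connection-id PRIVATELINK_CONNECTION_ID --user-ip-address PSC_ENDPOINT_IP_ADDRESS`. Related, the note under the `connection list` output says PSC_CONNECTION_ID "can be used to verify that the connection is indeed matching your Private Service Connect endpoint", but step 3 then says "To enable a connection, approve it" without telling the reader to do that check first; since approving binds the service DNS records to whatever `--user-ip-address` is supplied, the text should state explicitly that the PSC_CONNECTION_ID must be compared against the endpoint's connection ID in the Google Console before running the approve command, and that unexpected pending-user-approval connections should not be approved. Smaller fixes in the same hunk: "create an PSC endpoint" should be "a PSC endpoint"; "use it the next step" should be "use it in the next step"; "identifier assigned to Google" should be "assigned by Google"; "You may be need to run" should be "You may need to run"; "populating DNS records ," has a stray space before the comma; the tip in step 4 refers to "VNet peering", which is Azure terminology, and for Google Cloud should be "VPC peering"; and `.. Tip::` is capitalised unlike the other `.. note::`/`.. tip::` directives in the file.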