GCP Private Networking Setup
ClickHouse BYOC on GCP supports two private connection options: VPC Peering and Private Service Connect. Traffic flows entirely within the GCP network and never traverses the public internet.
Prerequisites
Common steps required by both VPC Peering and Private Service Connect.
Enable private load balancer for ClickHouse BYOC
Contact ClickHouse Support to enable Private Load Balancer.
Setup VPC Peering
Please familiarize yourself with the GCP VPC peering feature and note its limitations (for example, subnet IP ranges can't overlap across peered VPC networks). ClickHouse BYOC uses a private load balancer to allow network connectivity through the peering to ClickHouse services.
To create or delete VPC peering for ClickHouse BYOC, follow these steps:
The example steps cover a simple scenario. For advanced scenarios, such as peering with on-premises connectivity, some adjustments may be required.
Create a peering connection
In this example, we are setting up peering between the BYOC VPC network and another existing VPC network.
- Navigate to "VPC Network" in the ClickHouse BYOC Google Cloud project.
- Select "VPC network peering".
- Click "Create connection".
- Input the necessary fields as per your requirements. Below is a screenshot for creating a peering within the same GCP project.
GCP VPC peering requires 2 connections between the 2 networks in order to work (i.e. a connection from the BYOC network to the existing VPC network and a connection from the existing VPC network to the BYOC network). So we need to create 1 more connection in the reverse direction in the same way. Below is a screenshot for the second peering connection creation:
After both connections are created, the status of the 2 connections should become "Active" once you refresh the Google Cloud console page:
The ClickHouse service should now be accessible from the peered VPC.
To access ClickHouse privately, a private load balancer and endpoint are provisioned for secure connectivity from the user's peered VPC. The private endpoint follows the public endpoint format with a -private suffix. For example:
- Public endpoint: h5ju65kv87.mhp0y4dmph.us-east1.gcp.byoc.clickhouse.cloud
- Private endpoint: h5ju65kv87-private.mhp0y4dmph.us-east1.gcp.byoc.clickhouse.cloud
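The following pre-flight and post-peering check is an added example, not part of the ClickHouse documentation. It covers the non-overlapping subnet limitation noted above and confirms that the -private endpoint resolves only to private addresses. The function names and the CIDR ranges are constructed for illustration; the hostname is the example from this page.

```python
import ipaddress
import socket

def overlapping_ranges(byoc_cidrs, peer_cidrs):
    """Return (byoc, peer) CIDR pairs that overlap; peering needs this to be empty."""
    byoc = [ipaddress.ip_network(c) for c in byoc_cidrs]
    peer = [ipaddress.ip_network(c) for c in peer_cidrs]
    return [(str(a), str(b)) for a in byoc for b in peer
            if a.version == b.version and a.overlaps(b)]

def private_endpoint(public_host):
    """Derive the private hostname: the first DNS label gets a -private suffix."""
    label, sep, rest = public_host.partition(".")
    if not sep or not label:
        raise ValueError(f"not a fully qualified endpoint: {public_host!r}")
    if label.endswith("-private"):
        return public_host
    return f"{label}-private.{rest}"

def non_private_addresses(addresses):
    """Return addresses outside the ranges Python's ipaddress marks as private
    (these include the RFC 1918 ranges used for VPC subnets)."""
    return [a for a in addresses if not ipaddress.ip_address(a).is_private]

def resolve(host):
    """Resolve host with the system resolver; run from a VM in the peered VPC."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    # Constructed subnet ranges: replace with the real ranges of both networks.
    byoc_subnets = ["10.0.0.0/16"]
    existing_subnets = ["10.0.128.0/20", "192.168.10.0/24"]
    for a, b in overlapping_ranges(byoc_subnets, existing_subnets):
        print(f"overlap, peering will be rejected: {a} <-> {b}")

    host = private_endpoint(
        "h5ju65kv87.mhp0y4dmph.us-east1.gcp.byoc.clickhouse.cloud")
    try:
        addrs = resolve(host)
    except socket.gaierror as exc:
        print(f"{host}: resolution failed ({exc})")
    else:
        leaked = non_private_addresses(addrs)
        print(f"{host} -> {addrs}")
        print("OK: private only" if not leaked else f"public addresses: {leaked}")
```
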
Setup Private Service Connect
GCP Private Service Connect provides secure, private connectivity to your ClickHouse BYOC services without requiring VPC peering or internet gateways.