Configure VPC peering

You can use VPC Network Peering to let Datastream communicate with resources in your Virtual Private Cloud (VPC) network privately.

VPC Network Peering is a connection between your VPC network and the Datastream private network, enabling Datastream to communicate with internal resources by using internal IP addresses. Using private connectivity establishes a dedicated connection on the Datastream network, meaning no other customers can share it.

The VPC Network Peering connection between your VPC network and the Datastream VPC network allows Datastream to connect to:

The VPC Network Peering connection between your VPC network and the Datastream VPC network doesn't let Datastream connect to:

To establish connectivity between Datastream and a resource that's only accessible from your VPC network, you can use a network address translation (NAT) VM in your VPC network. A common use case for a NAT VM is when Datastream needs to connect to a Cloud SQL instance.

This page describes an example NAT VM configuration that lets Datastream privately connect to a Cloud SQL instance.

Datastream user flow diagram

VPC peering prerequisites

Before you create a private connectivity configuration, you need to take the following steps so that Datastream can create the VPC peering connection to your project:

  • Have a VPC network that can peer to Datastream's private network and that meets the requirements described in the VPC Network Peering page. For more information about creating this network, see Using VPC Network Peering.
  • Identify an available IP range (with a CIDR block of /29) on the VPC network. This can't be an IP range that already exists as a subnet, a private services access pre-allocated IP range, or any route (other than the default 0.0.0.0 route) that includes the IP range. Datastream uses this IP range to create a subnet so that it can communicate with the source database. The following table describes valid IP ranges.

    | Range | Description |
    |---|---|
    | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | Private IP addresses (RFC 1918) |
    | 100.64.0.0/10 | Shared address space (RFC 6598) |
    | 192.0.0.0/24 | IETF protocol assignments (RFC 6890) |
    | 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), 203.0.113.0/24 (TEST-NET-3) | Documentation (RFC 5737) |
    | 192.88.99.0/24 | IPv6 to IPv4 relay (deprecated) (RFC 7526) |
    | 198.18.0.0/15 | Benchmark testing (RFC 2544) |
  • Verify that Google Cloud and the on-premises firewall allow traffic from the selected IP range. If they don't, then create an ingress firewall rule that allows traffic on the source database port, and make sure that the IPv4 address range in the firewall rule is the same as the IP address range allocated when creating the private connectivity resource:

    gcloud compute firewall-rules create FIREWALL-RULE-NAME \
        --direction=INGRESS \
        --priority=PRIORITY \
        --network=PRIVATE_CONNECTIVITY_VPC \
        --project=VPC_PROJECT \
        --action=ALLOW \
        --rules=FIREWALL_RULES \
        --source-ranges=IP-RANGE

    Replace the following:

    • FIREWALL-RULE-NAME: The name of the firewall rule to create.
    • PRIORITY: The priority for the rule, expressed as an integer between 0 and 65535, inclusive. The value needs to be lower than the value set for the block traffic rule, if it exists. Lower priority values imply higher precedence.
    • PRIVATE_CONNECTIVITY_VPC: The VPC network that can peer to the Datastream private network and that meets the requirements described in the VPC Network Peering page. This is the VPC you specify when you create your private connectivity configuration.
    • VPC_PROJECT: The project of the VPC network.
    • FIREWALL_RULES: The list of protocols and ports to which the firewall rule applies, for example tcp:80. The rule needs to allow TCP traffic to the IP address and the port of the source database, or of the proxy. Because private connectivity can support multiple databases, the rule needs to consider the actual usage of your configuration.
    • IP-RANGE: The range of IP addresses that Datastream uses to communicate with the source database. This is the same range you indicate in the Allocate an IP range field when you create your private connectivity configuration.

      You might also need to create an identical egress firewall rule to allow traffic back to Datastream.

  • Be assigned a role that contains the compute.networks.list permission. This permission gives you the required IAM permissions to list VPC networks in your project. You can find which roles contain this permission by viewing the IAM permissions reference.
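The following script is an added example, not part of the Datastream documentation. It checks a candidate private-connectivity range against the two prerequisites above (a /29 inside one of the accepted ranges that does not overlap any subnet, private services access range or non-default route the VPC already uses) and then prints the ingress firewall rule command with the values filled in. The EXISTING_CIDRS list is a constructed sample standing in for what `gcloud compute networks subnets list` and `gcloud compute routes list` would report; the VPC, project and rule names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Datastream docs): validate a candidate /29 for
# private connectivity, then print the matching ingress firewall rule command.
# EXISTING_CIDRS is a constructed sample; names and project ids are placeholders.

# Ranges Datastream accepts (the table in the prerequisites), as CIDRs.
ALLOWED_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 192.0.0.0/24 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 192.88.99.0/24 198.18.0.0/15"

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# CIDR -> "first last" as integers, aligning the address down to the block size.
cidr_bounds() {
  _ip=${1%/*}; _pl=${1#*/}
  _size=$(( 1 << (32 - $_pl) ))
  _first=$(( ( $(ip2int "$_ip") / $_size ) * $_size ))
  echo "$_first $(( $_first + $_size - 1 ))"
}

# True when $2 lies entirely inside $1.
cidr_contains() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

# True when $1 and $2 share at least one address.
cidr_overlaps() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# $1 = candidate CIDR, $2 = space-separated CIDRs the VPC already uses
# (subnets, private services access ranges, routes).
# Exit status: 0 usable, 1 not a /29, 2 outside the accepted ranges, 3 overlaps.
validate_range() {
  _vc=$1; _vp=${1#*/}
  if [ "$_vp" -ne 29 ]; then
    echo "REJECT: $_vc is a /$_vp, Datastream needs a /29"; return 1
  fi
  _inside=0
  for _r in $ALLOWED_RANGES; do
    if cidr_contains "$_r" "$_vc"; then _inside=1; break; fi
  done
  if [ "$_inside" -eq 0 ]; then
    echo "REJECT: $_vc is outside every range Datastream accepts"; return 2
  fi
  for _e in $2; do
    [ "$_e" = "0.0.0.0/0" ] && continue   # only the default route may cover it
    if cidr_overlaps "$_vc" "$_e"; then
      echo "REJECT: $_vc overlaps existing $_e"; return 3
    fi
  done
  echo "OK: $_vc is free to allocate"
  return 0
}

# The ingress rule from the prerequisites with values filled in (printed, not run).
firewall_rule_cmd() {  # name priority vpc project rules range
  printf 'gcloud compute firewall-rules create %s --direction=INGRESS --priority=%s --network=%s --project=%s --action=ALLOW --rules=%s --source-ranges=%s\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Constructed sample: default route, three subnets and a private services access range.
EXISTING_CIDRS="0.0.0.0/0 10.0.0.0/24 10.10.0.0/20 192.168.1.0/24 10.50.0.0/16"

for _c in 10.20.0.0/29 10.0.0.8/29 10.50.1.0/29 8.8.8.0/29 10.20.0.0/28; do
  validate_range "$_c" "$EXISTING_CIDRS" || true
done
if validate_range 10.20.0.0/29 "$EXISTING_CIDRS" >/dev/null; then
  firewall_rule_cmd datastream-ingress 1000 my-vpc my-project tcp:3306 10.20.0.0/29
fi
```

The overlap test deliberately skips only 0.0.0.0/0, because the page excludes every other route that covers the range; feeding the script the real subnet and route CIDRs of the VPC turns it into a pre-flight check for the Allocate an IP range field.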

You can use private connectivity to connect Datastream to any source. However, only VPC networks that are peered directly can communicate with each other.

Transitive peering isn't supported. If the network that Datastream is peered with isn't the network where your source is hosted, if you're using a fully managed database (for example, Cloud SQL), or if Datastream doesn't run in the region where your source exists, then a reverse proxy is required.

For more information, see Private connectivity.

Shared VPC prerequisites

If you're using Shared VPC, then you must complete the following actions in addition to the steps described in the VPC prerequisites section:

  1. On the service project:

    1. Enable the Datastream API.
    2. Obtain the email address used for the Datastream service account. Datastream service accounts are created when you perform one of the following:

      • You create a Datastream resource, such as a connection profile or a stream.
      • You create a private connectivity configuration, select your shared VPC and click Create Datastream Service Account. The service account is created in the host project.

      To obtain the email address used for the Datastream service account, find the Project number in the Google Cloud console home page. The email address of the service account is service-[project_number]@gcp-sa-datastream.iam.gserviceaccount.com.

  2. On the host project:

    1. Grant the compute.networkAdmin Identity and Access Management (IAM) role to the Datastream service account. This role is only required when you create the VPC peering. After the peering is established, you no longer need the role.

      If your organization doesn't allow granting the permission, create a custom role with the following minimum permissions to create and delete private connection resources:

      compute.globalAddresses.*

      • compute.globalAddresses.create
      • compute.globalAddresses.createInternal
      • compute.globalAddresses.delete
      • compute.globalAddresses.deleteInternal
      • compute.globalAddresses.get

      compute.globalOperations.*

      • compute.globalOperations.get

      compute.networks.*

      • compute.networks.addPeering
      • compute.networks.get
      • compute.networks.listPeeringRoutes
      • compute.networks.removePeering
      • compute.networks.use

      compute.routes.*

      • compute.routes.get
      • compute.routes.list

      compute.subnetworks.*

      • compute.subnetworks.get
      • compute.subnetworks.list

    For more information about custom roles, see Create and manage custom roles.
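As an added example (not from the Datastream documentation), the script below derives the Datastream service account email from a service project number, emits the custom role definition with exactly the minimum permissions listed above in the YAML form that `gcloud iam roles create --file` reads, and prints the host-project commands to create the role, bind it for the peering step, and remove the binding once peering is established. The project number, project id and role id are constructed placeholders; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the Datastream docs): least-privilege role for the
# Shared VPC host project. Project number/id and role id are placeholders.

# Datastream's per-project service agent, in the form given on this page.
datastream_sa_email() {  # $1 = service project number
  echo "service-$1@gcp-sa-datastream.iam.gserviceaccount.com"
}

# Role definition in the YAML layout accepted by `gcloud iam roles create --file`.
# The permission list is the minimum set from the Shared VPC prerequisites;
# note there is no compute.networks.list here, only listPeeringRoutes.
custom_role_yaml() {
  cat <<'EOF'
title: Datastream Private Connectivity Creator
description: Minimum permissions for Datastream to create and delete VPC peering resources
stage: GA
includedPermissions:
- compute.globalAddresses.create
- compute.globalAddresses.createInternal
- compute.globalAddresses.delete
- compute.globalAddresses.deleteInternal
- compute.globalAddresses.get
- compute.globalOperations.get
- compute.networks.addPeering
- compute.networks.get
- compute.networks.listPeeringRoutes
- compute.networks.removePeering
- compute.networks.use
- compute.routes.get
- compute.routes.list
- compute.subnetworks.get
- compute.subnetworks.list
EOF
}

# Number of compute.* permissions in the generated role (sanity check).
permission_count() {
  custom_role_yaml | grep -c '^- compute\.'
}

# Host-project commands, printed rather than run: create the role, grant it to
# the service agent for the peering step, and revoke it afterwards, which is
# the "only required when you create the VPC peering" rule applied literally.
host_project_commands() {  # $1 host project id, $2 role id, $3 service account email
  cat <<EOF
gcloud iam roles create $2 --project=$1 --file=datastream-peering-role.yaml
gcloud projects add-iam-policy-binding $1 --member=serviceAccount:$3 --role=projects/$1/roles/$2
gcloud projects remove-iam-policy-binding $1 --member=serviceAccount:$3 --role=projects/$1/roles/$2
EOF
}

SA=$(datastream_sa_email 123456789012)   # constructed service project number
echo "# service account: $SA"
echo "# datastream-peering-role.yaml:"
custom_role_yaml
echo "# commands for the host project:"
host_project_commands my-host-project datastreamPeering "$SA"
```

Keep the add-binding and remove-binding commands together in whatever runbook or pipeline creates the private connectivity configuration, so the grant does not outlive the peering step it exists for.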

Set up a NAT VM

  1. Identify the IP address of the Cloud SQL instance to which Datastream needs to connect.

  2. Identify your VPC network. This is the VPC network that's connected to the Datastream VPC network using VPC Network Peering.

  3. If you haven't already, create a private connectivity configuration in Datastream. This creates the VPC Network Peering connection that connects your VPC network and the Datastream VPC network. Take note of the IP address range used by the Datastream private connectivity configuration.

  4. Choose a machine type to use for the NAT VM that you create in the next step. Google Cloud enforces a per-instance maximum egress bandwidth limit, for packets routed by next hops within a VPC network, according to the machine type of the VM instance. For more information, see Egress to destinations routable within a VPC network and Per-instance maximum egress bandwidth.

  5. Create the NAT VM in your VPC network. If your VPC network is a Shared VPC network, you can create the NAT VM in either the host project or any service project, as long as the network interface of the NAT VM is in the Shared VPC network.

    • To minimize network round-trip time, create the NAT VM in the same region as Datastream.
    • This example assumes that the NAT VM has a single network interface.
    • Run the script in a Linux distribution, for example Debian 12.
    • Use the following startup script. The startup script is executed by root each time the VM starts up. This script includes comments explaining what each line of the script does. In the script, replace CLOUD_SQL_INSTANCE_IP with the IP address of the Cloud SQL instance and DATABASE_PORT with the destination port used by the database software.

      #! /bin/bash
      export DB_ADDR=CLOUD_SQL_INSTANCE_IP
      export DB_PORT=DATABASE_PORT

      # Enable the VM to receive packets whose destinations do
      # not match any running process local to the VM
      echo 1 > /proc/sys/net/ipv4/ip_forward

      # Ask the Metadata server for the IP address of the VM nic0
      # network interface:
      md_url_prefix="http://169.254.169.254/computeMetadata/v1/instance"
      vm_nic_ip="$(curl -H "Metadata-Flavor: Google" ${md_url_prefix}/network-interfaces/0/ip)"

      # Clear any existing iptables NAT table entries (all chains):
      iptables -t nat -F

      # Create a NAT table entry in the prerouting chain, matching
      # any packets with destination database port, changing the destination
      # IP address of the packet to the SQL instance IP address:
      iptables -t nat -A PREROUTING \
          -p tcp --dport $DB_PORT \
          -j DNAT \
          --to-destination $DB_ADDR

      # Create a NAT table entry in the postrouting chain, matching
      # any packets with destination database port, changing the source IP
      # address of the packet to the NAT VM's primary internal IPv4 address:
      iptables -t nat -A POSTROUTING \
          -p tcp --dport $DB_PORT \
          -j SNAT \
          --to-source $vm_nic_ip

      # Save iptables configuration:
      iptables-save
  6. Create an ingress allow firewall rule (or rule in a global network firewall policy, regional network firewall policy or hierarchical firewall policy) with these characteristics:

    • Direction: ingress
    • Action: allow
    • Target parameter: at least the NAT VM
    • Source parameter: the IP address range used by the Datastream private connectivity configuration
    • Protocol: TCP
    • Port: must at least include the DATABASE_PORT
  7. The implied allow egress firewall rule allows the NAT VM to send packets to any destination. If your VPC network uses egress deny firewall rules, you might have to create an egress allow firewall rule to permit the NAT VM to send packets to the Cloud SQL instance. If an egress allow rule is necessary, use these parameters:

    • Direction: egress
    • Action: allow
    • Target parameter: at least the NAT VM
    • Destination parameter: the Cloud SQL instance IP address
    • Protocol: TCP
    • Port: must at least include the DATABASE_PORT
  8. Ensure that you've configured your Cloud SQL instance to accept connections from the primary internal IPv4 address used by the network interface of your NAT VM. For directions, see Authorize with authorized networks in the Cloud SQL documentation.

  9. Create a connection profile in Datastream. In the connection details of the profile, specify the primary internal IPv4 address of the NAT VM that you created. Enter the port of the source database in the connection profile's port field.
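The following is an added example, not part of the Datastream documentation: a post-boot check that the NAT VM ended up in the state the startup script in step 5 is meant to produce (forwarding enabled, a DNAT rule sending DATABASE_PORT traffic to CLOUD_SQL_INSTANCE_IP, and an SNAT rule rewriting the source to the VM's nic0 address). On the VM you would feed it the contents of /proc/sys/net/ipv4/ip_forward and the output of `iptables-save -t nat`; here both inputs are constructed samples so that the check runs anywhere, and the port and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the Datastream docs): verify a NAT VM's forwarding
# state and nat-table rules. All inputs below are constructed samples.

# $1 = database port, $2 = Cloud SQL instance IP, $3 = NAT VM nic0 IP,
# $4 = contents of /proc/sys/net/ipv4/ip_forward, $5 = iptables-save output.
# Exit status: 0 ok, 1 forwarding disabled, 2 DNAT rule missing, 3 SNAT rule missing.
check_nat_vm() {
  [ "$4" = "1" ] || { echo "FAIL: net.ipv4.ip_forward is '$4', must be 1"; return 1; }
  # iptables-save renders "-p tcp --dport N" as "-p tcp -m tcp --dport N".
  printf '%s\n' "$5" | grep -qF -- "-A PREROUTING -p tcp -m tcp --dport $1 -j DNAT --to-destination $2" \
    || { echo "FAIL: no DNAT rule for port $1 to $2 (flushed or wrong port/IP?)"; return 2; }
  printf '%s\n' "$5" | grep -qF -- "-A POSTROUTING -p tcp -m tcp --dport $1 -j SNAT --to-source $3" \
    || { echo "FAIL: no SNAT rule for port $1 with source $3"; return 3; }
  echo "OK: port $1 is forwarded to $2 with source rewritten to $3"
  return 0
}

# Constructed sample of `iptables-save -t nat` after the startup script ran with
# DATABASE_PORT=3306 and CLOUD_SQL_INSTANCE_IP=10.90.0.5 on a VM whose nic0 is 10.20.1.7.
GOOD_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.90.0.5
-A POSTROUTING -p tcp -m tcp --dport 3306 -j SNAT --to-source 10.20.1.7
COMMIT'

# The same table after `iptables -t nat -F`: chains remain, rules are gone.
FLUSHED_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

check_nat_vm 3306 10.90.0.5 10.20.1.7 1 "$GOOD_NAT_TABLE" || true
check_nat_vm 3306 10.90.0.5 10.20.1.7 0 "$GOOD_NAT_TABLE" || true
check_nat_vm 3306 10.90.0.5 10.20.1.7 1 "$FLUSHED_NAT_TABLE" || true
```

Because the startup script rewrites the rules on every boot, a failing DNAT check on a running VM usually means the rules were flushed or changed after boot, which is worth alerting on: with the rules gone, Datastream's connections to the NAT VM address simply time out at the port.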

Set up a pair of NAT VMs and an internal passthrough Network Load Balancer

To enhance the reliability of a NAT VM solution, consider the following architecture, which uses a pair of NAT VMs and an internal passthrough Network Load Balancer:

  1. Create two NAT VMs in different zones of the same region. Follow the Set up a NAT VM instructions to create each VM, and place each VM in its own zonal unmanaged instance group.

    Alternatively, you can create a regional managed instance group. In the managed instance group template, include a startup script like the example startup script in the Set up a NAT VM instructions.

  2. Create an internal passthrough Network Load Balancer whose backend service uses the instance group or groups from the previous step as its backends. For an internal passthrough Network Load Balancer example, see Set up an internal passthrough Network Load Balancer with VM instance group backends.

    When configuring the load balancer health check, you can use a TCP health check that uses a destination TCP port matching the DATABASE_PORT. Health check packets are routed to the CLOUD_SQL_INSTANCE_IP according to the NAT VM configuration. Alternatively, you could run a local process on the NAT VM which answers a TCP or HTTP health check on a custom port.

  3. Create firewall rules and configure Cloud SQL authorized networks as described in the Set up a NAT VM instructions. Ensure the Cloud SQL authorized networks include the primary internal IPv4 address of both NAT VMs.

  4. When you create a Datastream connection profile, specify the IP address of the internal passthrough Network Load Balancer's forwarding rule in the profile's connection details.



Last updated 2025-12-15 UTC.