[DOC-4851] Document Private Service Connect for Dedicated clusters on GCP #18550
Conversation
✅ Deploy Preview for cockroachdb-api-docs canceled.
|
✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.
|
✅ Netlify Preview
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
|
||
| <h3 id="2024-05-20-security-updates"> Security updates </h3> | ||
|
|
||
| - [Configuring private connectivity using Google Cloud Private Service Connect]({% link cockroachcloud/connect-to-your-cluster.md %}#gcp-private-service-connect) is available in [preview](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/cockroachdb-feature-availability) for CockroachDB {{ site.data.products.dedicated }} clusters on GCP. [Private connectivity]({% link cockroachcloud/network-authorization.md %}#options-for-controlling-network-access) allows you to establish SQL access to a CockroachDB {{ site.data.products.dedicated }} cluster entirely through cloud provider private infrastructure, without exposing the cluster to the public internet, affording enhanced security and performance. |
There was a problem hiding this comment.
@devarshishah3 PTAL, this is modeled on the note we used for AWS PrivateLink on multi-region Serverless.
| @@ -72,29 +76,6 @@ Refer to: | |||
| - [Connect to a CockroachDB {{ site.data.products.serverless }} Cluster: Authorize your network]({% link cockroachcloud/connect-to-a-serverless-cluster.md %}#authorize-your-network). | |||
| - [Connect to a CockroachDB {{ site.data.products.dedicated }} Cluster: Authorize your network]({% link cockroachcloud/connect-to-your-cluster.md %}#authorize-your-network). | |||
|
|
|||
| ## VPC peering | |||
There was a problem hiding this comment.
The most important bits of this section are moved to connect-to-your-cluster.md.
| <td><a href="{% link cockroachcloud/network-authorization.md %}#gcp-vpc-peering">VPC Peering</a> for GCP clusters</td> | ||
| </tr> | ||
| <tr> | ||
| <td>✓<a href="#privatelink-multiregion-serverless"><sup>1</sup></a></td> |
There was a problem hiding this comment.
This and the below were misses when PrivateLink for Serverless launched.
| @@ -165,11 +165,11 @@ CockroachDB {{ site.data.products.core }} here refers to the situation of a user | |||
| <td>Network-level Configuration of allowed IP addresses</td> | |||
| </tr> | |||
| <tr> | |||
| <td> </td> | |||
| <td>✓<a href="#privatelink-multiregion-serverless"><sup>1</sup></a></td> | |||
There was a problem hiding this comment.
This and the below were misses when PrivateLink for Serverless launched. This table is a little different from the Cloud one.
… GCP Other changes: - Consolidate private connectivity info on network auth page - Move how-to info about VPC Peering from network auth to connection page - Add AWS PrivateLink heading to connection page, link to AWS PrivateLink page - Add missing info about AWS PrivateLink for multi-region Serverless
| @@ -21,8 +21,8 @@ By default, CockroachDB {{ site.data.products.dedicated }} clusters are locked d | |||
|
|
|||
| - Allowed IP address ranges on the internet. | |||
| - Cloud-provider-specific peer networking options: | |||
| - Google Cloud Platform (GCP) VPC Peering | |||
| - Amazon Web Services (AWS) Private link | |||
| - Google Cloud Platform (GCP) VPC Peering or Private Service Connect (Preview) | |||
There was a problem hiding this comment.
later on I'm seeing there are anchors these could link to: #gcp-private-service-connect etc
| {% include_cached feature-phases/preview.md %} | ||
| {{site.data.alerts.end}} | ||
|
|
||
| 1. Navigate to your cluster's **Networking > Private endpoint** tab. |
There was a problem hiding this comment.
not for this PR thoughts:
as a user I'd love these "your cluster's FOO tab" mentions to all be links to CC console things
maybe not possible unless we have some kind of SSO across docs site / console
one day maybe we'll ship these docs IN console and solve this
| @@ -16,19 +16,23 @@ You can authorize network access to your cluster by: | |||
| - [Adding an authorized range of public IP addresses](#ip-allowlisting). | |||
| - Setting up private connectivity so that inbound connections to your cluster from your cloud tenant are made over the cloud provider's private network rather than over the public internet, for enhanced network security and reduced network latency. If you use IP allowlisting rules together with private connectivity, private networks do not need to be added to that allowlist. | |||
|
|
|||
| For CockroachDB {{ site.data.products.dedicated }} clusters deployed on GCP, refer to [Google Cloud Platform (GCP) Virtual Private Cloud (VPC) peering](#vpc-peering). For CockroachDB {{ site.data.products.dedicated }} clusters or multi-region CockroachDB {{ site.data.products.serverless }} clusters deployed on AWS, refer to [Amazon Web Service (AWS) PrivateLink](#aws-privatelink). | |||
| - <a id="gcp-private-service-connect"></a><a id="gcp-vpc-peering"></a><a id="vpc-peering"></a>CockroachDB {{ site.data.products.dedicated }} clusters deployed on GCP can connect privately using GCP Private Service Connect (PSC) (Preview) or GCP VPC peering. PSC allows you to selectively connect your cluster to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC managed by Cockroach Cloud's VPC with a VPC within your Google Cloud project. | |||
There was a problem hiding this comment.
these mentions of GCP private connect and VPC peering could link to the named sections on the 'connect to your cluster' page for user convenience
| @@ -129,12 +129,17 @@ The following table summarizes the CockroachDB {{ site.data.products.cloud }} se | |||
| <tr> | |||
| <td> </td> | |||
| <td>✓</td> | |||
| <td><a href="{% link cockroachcloud/network-authorization.md %}#vpc-peering">VPC Peering</a> for GCP clusters</td> | |||
| <td><a href="{% link cockroachcloud/network-authorization.md %}#gcp-private-service-connect">Private Service Connect (PSC) (Preview)</a> for GCP clusters</td> | |||
There was a problem hiding this comment.
non-blocking comment:
I think attaching the word 'Preview' to every mention of this feels a bit excessive and unnecessary from a writing POV and adds maintenance burden when sprinkled everywhere but maybe it's our preferred practice from a Product POV
personally I'd lean toward the linked docs having a thing that says "this is in preview" and calling it good
but that may not be the best thing for our users, idk
take my comment FWIW etc tho b/c I am a knee-jerk anti-preview person 🤷
I translate "preview" (fka "experimental") as "you can just take this away or change it so I'm not gonna rely on it"
There was a problem hiding this comment.
In Cloud, Preview means you can try it self-service but things might change. Private preview and Limited Access you need to be enrolled first. Good idea about removing it from these links.
| @@ -154,3 +159,5 @@ The following table summarizes the CockroachDB {{ site.data.products.cloud }} se | |||
| <td>CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See <a href="https://www.cockroachlabs.com/docs/{{ site.current_cloud_version }}/demo-fault-tolerance-and-recovery">Disaster Recovery.</a></td> | |||
| </tr> | |||
| </table> | |||
|
|
|||
| <a id="privatelink-multiregion-serverless">1</a>: AWS PrivateLink is in preview for multi-region Serverless clusters, and is not supported for single-region Serverless clusters. Refer to <a href="https://www.cockroachlabs.com/docs/cockroachcloud/aws-privatelink?filters=serverless">Manage AWS PrivateLink</a>. | |||
There was a problem hiding this comment.
'preview' mention could link to our definition of what 'preview' means
| <td>✓</td> | ||
| <td>✓</td> | ||
| <td>✓</td> | ||
| <td><a href="https://www.cockroachlabs.com/docs/cockroachcloud/create-your-cluster.html#step-8-enable-vpc-peering-optional">VPC Peering</a> for GCP clusters and <a href="https://www.cockroachlabs.com/docs/cockroachcloud/aws-privatelink">AWS PrivateLink</a> for AWS clusters </td> | ||
| <td><a href="https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster.html#private-service-connect">Private Service Connect (PSC) (Preview)</a> or <a href="https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster.html#vpc-peering">VPC Peering</a> for GCP clusters and <a href="https://www.cockroachlabs.com/docs/cockroachcloud/aws-privatelink">AWS PrivateLink</a> for AWS clusters </td> |
There was a problem hiding this comment.
I believe this syntax can be {% link cockroachcloud/connect-to-your-cluster.md %}#the-anchor however writing that out is such a faff and doesn't save many characters anyway so I leave it to your conscience / perfectionism or lack thereof (or how much of a rush you're in)
| @@ -188,3 +188,5 @@ CockroachDB {{ site.data.products.core }} here refers to the situation of a user | |||
| <td>CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See <a href="{% link {{ page.version.version }}/demo-fault-tolerance-and-recovery.md %}">Disaster Recovery.</a></td> | |||
| </tr> | |||
| </table> | |||
|
|
|||
| <a id="privatelink-multiregion-serverless">1</a>: AWS PrivateLink is in preview for multi-region Serverless clusters, and is not supported for single-region Serverless clusters. Refer to <a href="https://www.cockroachlabs.com/docs/cockroachcloud/aws-privatelink?filters=serverless">Manage AWS PrivateLink</a>. | |||
There was a problem hiding this comment.
same as above re: mention of preview can link to docs defining that
| <td>✓</td> | ||
| <td>✓</td> | ||
| <td>✓</td> | ||
| <td><a href="https://www.cockroachlabs.com/docs/cockroachcloud/create-your-cluster.html#step-8-enable-vpc-peering-optional">VPC Peering</a> for GCP clusters and <a href="https://www.cockroachlabs.com/docs/cockroachcloud/aws-privatelink">AWS PrivateLink</a> for AWS clusters </td> | ||
| <td><a href="https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster.html#private-service-connect">Private Service Connect (PSC) (Preview)</a> or <a href="https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster.html#vpc-peering">VPC Peering</a> for GCP clusters and <a href="https://www.cockroachlabs.com/docs/cockroachcloud/aws-privatelink">AWS PrivateLink</a> for AWS clusters </td> |
| <td>✓</td> | ||
| <td>✓</td> | ||
| <td>✓</td> | ||
| <td><a href="https://www.cockroachlabs.com/docs/cockroachcloud/create-your-cluster.html#step-8-enable-vpc-peering-optional">VPC Peering</a> for GCP clusters and <a href="https://www.cockroachlabs.com/docs/cockroachcloud/aws-privatelink">AWS PrivateLink</a> for AWS clusters </td> | ||
| <td><a href="https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster.html#gcp-private-service-connect">GCP Private Service Connect (PSC) (Preview)</a> or <a href="https://www.cockroachlabs.com/docs/cockroachcloud/connect-to-your-cluster.html#vpc-peering">VPC Peering</a> for GCP clusters and <a href="https://www.cockroachlabs.com/docs/cockroachcloud/aws-privatelink">AWS PrivateLink</a> for AWS clusters </td> |
There was a problem hiding this comment.
same comments as above re: link syntax and link to definition of 'preview'
[DOC-4851] Document Private Service Connect for Dedicated clusters on GCP
Previews
Cloud release note: [releases/cloud.md](https://deploy-preview-18550--cockroachdb-docs.netlify.app/docs/releases/cloud.html#2024-05-20
24.1.0 feature highlight: Not part of this PR, being drafted in https://docs.google.com/spreadsheets/d/1uufzdRz9PjD3hzDUVJV8piFBsjQM2XZcnhK7MYiBOd8/edit?disco=AAABM8eo7xo
Major:
src/current/cockroachcloud/connect-to-your-cluster.md
src/current/cockroachcloud/network-authorization.md
src/current/cockroachcloud/create-your-cluster.md
Minor:
src/current/cockroachcloud/aws-privatelink.md
src/current/cockroachcloud/security-overview.md
src/current/v23.1/security-reference/security-overview.md
src/current/v23.2/security-reference/security-overview.md
src/current/v24.1/security-reference/security-overview.md